From 8ea2500407d84aa05afb1220f4e1ccc797b92bc9 Mon Sep 17 00:00:00 2001 From: Mike Dalessio Date: Wed, 17 May 2023 10:43:26 -0400 Subject: [PATCH] doc: update CHANGELOG --- CHANGELOG.md | 46 +++++++++++++++++++++++++++++++++++++++++----- 1 file changed, 41 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index f7ff74a..5b13d09 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,16 +1,43 @@ ## next / unreleased -* `SafeListSanitizer` allows `time` tag and `lang` attribute by default. +* Sanitizers that use an HTML5 parser are now available on platforms supported by + Nokogiri::HTML5. These are available as: + + - `Rails::HTML5::FullSanitizer` + - `Rails::HTML5::LinkSanitizer` + - `Rails::HTML5::SafeListSanitizer` + + And a new "vendor" is provided at `Rails::HTML5::Sanitizer` that can be used in a future version + of Rails. + + Note that for symmetry `Rails::HTML4::Sanitizer` is also added, though its behavior is identical + to the vendor class methods on `Rails::HTML::Sanitizer`. *Mike Dalessio* -* `Rails::Html::XPATHS_TO_REMOVE` has been removed. It's not necessary with the existing sanitizers, - and should have been a private constant all along anyway. +* Module namespaces have changed, but backwards compatibility is provided by aliases. + + The library defines three additional modules: + + - `Rails::HTML` for general functionality (replacing `Rails::Html`) + - `Rails::HTML4` containing sanitizers that parse content as HTML4 + - `Rails::HTML5` containing sanitizers that parse content as HTML5 + + The following aliases are maintained for backwards compatibility: + + - `Rails::Html` points to `Rails::HTML` + - `Rails::HTML::FullSanitizer` points to `Rails::HTML4::FullSanitizer` + - `Rails::HTML::LinkSanitizer` points to `Rails::HTML4::LinkSanitizer` + - `Rails::HTML::SafeListSanitizer` points to `Rails::HTML4::SafeListSanitizer` *Mike Dalessio* -* `Rails::Html` has been renamed to `Rails::HTML`, but this module is aliased to `Rails::Html` for - backwards compatibility. +* `SafeListSanitizer` allows `time` tag and `lang` attribute by default. + + *Mike Dalessio* + +* `Rails::Html::XPATHS_TO_REMOVE` has been removed. It's not necessary with the existing sanitizers, + and should have been a private constant all along anyway. *Mike Dalessio* 
@@ -24,6 +51,7 @@ *seyerian* + ## 1.4.4 / 2022-12-13 * Address inefficient regular expression complexity with certain configurations of Rails::Html::Sanitizer. @@ -69,6 +97,7 @@ *Mike Dalessio* + ## 1.4.2 / 2021-08-23 * Slightly improve performance. @@ -77,6 +106,7 @@ *Mike Dalessio* + ## 1.4.1 / 2021-08-18 * Fix regression in v1.4.0 that did not pass comment nodes to the scrubber. @@ -89,6 +119,7 @@ *Mike Dalessio* + ## 1.4.0 / 2021-08-18 * Processing Instructions are no longer allowed by Rails::Html::PermitScrubber @@ -101,12 +132,14 @@ *Mike Dalessio* + ## 1.3.0 * Address deprecations in Loofah 2.3.0. *Josh Goodall* + ## 1.2.0 * Remove needless `white_list_sanitizer` deprecation. @@ -121,6 +154,7 @@ *Kasper Timm Hansen* + ## 1.1.0 * Add `safe_list_sanitizer` and deprecate `white_list_sanitizer` to be removed @@ -138,10 +172,12 @@ *Kasper Timm Hansen* + ## 1.0.1 * Added support for Rails 4.2.0.beta2 and above + ## 1.0.0 * First release.
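Review bot: In the `@@ -1,16 +1,43 @@` hunk, the first new entry says the HTML5 sanitizers are available "on platforms supported by Nokogiri::HTML5" but does not say what a caller sees on a platform without that support, or how to check before referencing `Rails::HTML5::SafeListSanitizer`; a sentence covering that would help. In the namespace entry of the same hunk, the alias list has `Rails::HTML::SafeListSanitizer` pointing to `Rails::HTML4::SafeListSanitizer`, so code using the existing names keeps HTML4 parsing after upgrading. Suggest stating that outright, and that HTML5 parsing is opt-in through the `Rails::HTML5` classes, since readers of a sanitizer changelog will want to know whether their sanitization behavior changes. Minor wording point: "three additional modules" sits oddly next to `Rails::HTML` being described as "replacing `Rails::Html`".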
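Review bot: The hunks from `@@ -24,6 +51,7 @@` onward are whitespace-only, each adding one blank line before a version heading (`## 1.4.4 / 2022-12-13` down to `## 1.0.0`), and the subject "doc: update CHANGELOG" does not mention them. Consider splitting the spacing change into its own commit, or noting it in the commit message, so the content change in the first hunk is easier to review and to find later with blame.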