2.25.2 / 2026-07-15
Security
- Ensure
Loofah::HTML5::Scrub.allowed_uri?recognizes numeric character references without semicolons (e.g.javascript:alert(1)), which browsers decode and execute, and rejects schemes split by them. See GHSA-5qhf-9phg-95m2. @flavorjones - Ensure
Loofah::HTML5::Scrub.allowed_uri?recognizes the named character references	and
, whichCGI.unescapeHTMLdoes not decode and browsers strip from URIs, and rejects schemes split by them (e.g.java	script:alert(1)). See GHSA-8whx-365g-h9vv. @flavorjones - Ensure that both
hrefandxlink:hrefattributes on SVG elements likeuseare restricted to local (same-document) references. Previously onlyxlink:hrefwas restricted, allowing the SVG 2hrefattribute to reference external documents. See GHSA-9wjq-cp2p-hrgf. @flavorjones
Improved
- Harden
data:URI mediatype parsing inLoofah::HTML5::Scrub.allowed_uri?. The mediatype is now parsed following the WHATWG data: URL spec and RFC 2397 instead of simply being split on a colon. Adata:URI with an omitted or malformed mediatype is now treated astext/plainand allowed, and one without the required comma is now rejected. #305 @flavorjones - Remove
feedfrom the default set of allowed protocols. The feed URI scheme was never accepted as a standard protocol, and no major browser supports it. Removing it reduces the attack surface particularly for non-browser contexts. #304 @flavorjones - Remove a vestigial
܊lternative fromLoofah::HTML5::SafeList::PROTOCOL_SEPARATOR. This appears to be an ancient typo dating back to pre-extraction Rails circa 2007. #305 @flavorjones