- Update html5ever to 0.27
- feature: change lifetimes on UrlRelative (breaking change)
- chore: use the
Displaytrait (andToString) instead of an inherentto_stringmethod (breaking change) - Security fixes are not backported to the 2.0 branch any more. Only the v3 and v4 branches are supported.
- chore: bump MSRV to 1.60.0
- docs: fix incorrect XSS example
- feature: add
UrlRelative::RewriteWithRoot
- chore: bump MSRV to 1.51.0 serde-rs/serde#2255
- chore: fix broken links in documentation
- chore: bump MSRV to 1.49.0
- chore: update to html5ever 0.26
- chore: switch from lazy_static to once_cell
- feature: add
Builder::empty()constructor
- chore: use
#[non_exhaustive]instead of hidden variant forUrlRelativepolicy - chore: remove unnecessary dependency on third-party
matches!macro
- fix: incorrect FF/CR handling in
clean_text - fix: split class name attribute by all ASCII whitespace, not just SP 0x20
- docs: fix incorrect English in
is_htmldocumentation
- fix: unexpected namespace switches can allow XSS via svg/mathml parsing
- fix: Crash on invalid URLs in some configurations (issue #136)
- feature: Whitelist generic attribute prefix
- chore: Update html5ever to 0.25
- feature: support adding attribute values to elements
- Add
clean_textfunction. - Updated to rust-url 2.0.
- Updated to the 2018 edition.
- fix: split class name attribute by all ASCII whitespace, not just SP 0x20 (backported from 3.1.3)
- fix: unexpected namespace switches can allow XSS via svg/mathml parsing (backported from 3.1.2)
- Fix a memory leak caused by certain node types.
- Update dependencies
- Bump minimum supported Rust version to 1.30.
- Fix a potential DoS attack from pathologically nested input.
- Add "script" and "style" to the default set of clean content tags
- Make all iterator-accepting APIs use
IntoIteratorandBorrow, so that you can pass slices directly to them.
- Recognize
action,formactionandpingas URL attributes for scheme and origin filtering - Add
Builder::url_filter_mapwhich allows URLs, both relative and absolute, to be pre-filtered
- Add
Builder::clean_content_tagswhich allows elements to be removed entirely instead of just having the tags removed
- Update dependencies
- Breaking change: The
Ammoniastruct is now calledBuilderand uses that pattern for better forward compatibility - Breaking change: The
Builder::clean()method now returns aDocumentstruct instead of aString. You can use theDocument::to_stringmethod to obtain aString. - Breaking change:
keep_cleaned_elementshas changed from being an off-by-default option to the only supported behavior - Breaking change: Using a tag with
allowed_classesmeans that the class attribute is banned fromtag_attributes(it used to be required) - Breaking change: The default set of allowed elements and attributes was expanded
- Added support for reading the input from a stream
- Added
UrlRelative::Custom, allowing you to write your own relative URL resolver - Changed
UrlRelative::RewriteWithBasetake a custom URL. This made theurlcrate a public dependency. - Added
id_prefix, which can be used to avoid elementidcollisions with the rest of the page - Added property getters to
Builder, to see what everything is currently set to - Added property modifiers, to change the existing whitelist (instead of completely replacing it)
- Add
allowed_classes, allowing the user to set only specific items that can go in the class attribute
- Fix a bug in the traversal code
- Resolve relative URLs with a given base (off by default, you need to specify that base URL)
- Add
rel="noreferrer noopener"to links, as a security measure - Avoid closing void tags, such as turning
<br>into<br></br> - Bump the html5ever version
- Switch to using docs.rs to host docs
- Bump html5ever to 0.18 (this updates serde from 0.9 to 1.0)
- Upgrade to html5ever 0.17
- Add an option to keep elements that had attributes removed
- Removed the strip option. Not a security problem, but it was wrong and looked stupid. I'm not going to reintroduce this until html5ever allows me to preserve the original text enough to have non-stripped tags come out exactly like they go in.
- Treat the data attribute of object as a URL. In non-default configurations, this could have been a leak.
- Update to the newest html5ever.