Skip to content
Branch: master
Find file Copy path
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
84 lines (52 sloc) 3.28 KB



  • Update dependencies


  • Bump minimum supported Rust version to 1.30.
  • Fix a potential DoS attack from pathologically nested input.


  • Add "script" and "style" to the default set of clean content tags
  • Make all iterator-accepting APIs use IntoIterator and Borrow, so that you can pass slices directly to them.




  • Update dependencies


  • Breaking change: The Ammonia struct is now called Builder and uses that pattern for better forward compatibility
  • Breaking change: The Builder::clean() method now returns a Document struct instead of a String. You can use the Document::to_string method to obtain a String.
  • Breaking change: keep_cleaned_elements has changed from being an off-by-default option to the only supported behavior
  • Breaking change: Using a tag with allowed_classes means that the class attribute is banned from tag_attributes (it used to be required)
  • Breaking change: The default set of allowed elements and attributes was expanded
  • Added support for reading the input from a stream
  • Added UrlRelative::Custom, allowing you to write your own relative URL resolver
  • Changed UrlRelative::RewriteWithBase take a custom URL. This made the url crate a public dependency.
  • Added id_prefix, which can be used to avoid element id collisions with the rest of the page
  • Added property getters to Builder, to see what everything is currently set to
  • Added property modifiers, to change the existing whitelist (instead of completely replacing it)


  • Add allowed_classes, allowing the user to set only specific items that can go in the class attribute


  • Fix a bug in the traversal code


  • Resolve relative URLs with a given base (off by default, you need to specify that base URL)
  • Add rel="noreferrer noopener" to links, as a security measure
  • Avoid closing void tags, such as turning <br> into <br></br>
  • Bump the html5ever version
  • Switch to using to host docs


  • Bump html5ever to 0.18 (this updates serde from 0.9 to 1.0)


  • Upgrade to html5ever 0.17


  • Add an option to keep elements that had attributes removed


  • Removed the strip option. Not a security problem, but it was wrong and looked stupid. I'm not going to reintroduce this until html5ever allows me to preserve the original text enough to have non-stripped tags come out exactly like they go in.
  • Treat the data attribute of object as a URL. In non-default configurations, this could have been a leak.
  • Update to the newest html5ever.
You can’t perform that action at this time.