Rails::HTML5 - the Strange and Remarkable Three-Year Journey
Rails 7.1 improved Rails’s security posture and made Rails more friendly with modern browsers by shipping HTML5-compliant sanitizers by default.
This is the story of planning and executing a complex migration task on a major open-source project, a multi-year journey that started in 2015 with a security vulnerability and ended after coordinating major changes to Action View, Rails::HTML::Sanitizer, Loofah, and Nokogiri, and taking over maintenance of libgumbo.
Along the way two active open-source projects merged, an entire class of XSS vulnerabilities was rendered inert, and I came to admire the unlikely brilliance of the HTML5 parser specification.
- 11:45 - 12:15
- 6th October 2023
- Track 1
Session Speaker
Mike Dalessio
Director of Engineering, Shopify
Mike Dalessio is the Engineering Director for Shopify’s Ruby and Rails Infrastructure team. He maintains commonly-used gems like Nokogiri, SQLite3, and Rails::HTML::Sanitizer, and has contributed to many more.
He’s a member of the Rails Triage and Rails Security teams and has developed a very particular set of skills around C extensions, HTML sanitization, and debugging segfaults.
Previously he led the Cloud Foundry open source PaaS project for VMware and Pivotal. In 2009 he coined the phrase “WWSMD?” (IYKYK).
He likes coffee, intimate chats, and long walks, and has been known to combine all three.
