1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177117811791180118111821183118411851186118711881189119011911192119311941195119611971198119912001201120212031204120512061207120812091210121112121213121412151216121712181219 |
- NEWS ( CHANGELOG and HISTORY ) HTMLPurifier
- |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
- = KEY ====================
- # Breaks back-compat
- ! Feature
- - Bugfix
- + Sub-comment
- . Internal change
- ==========================
- 4.11.0, released 2019-07-14
- # SafeScripting now matches case-sensitively against its whitelist (previously it was
- case-insensitive.) Thanks Dimitri Gritsajuk <gritsajuk.dimitri@gmail.com>
- for reporting.
- ! New directive %Core.AllowParseManyTags which allows parsing of many nested tags.
- Thanks M. Suzuki <msuzuki1986@gmail.com> for contributing the patch.
- ! purifyArray now supports multidimensional arrays. Thanks
- Sandro Miguel Marques <sandromiguel@sandromiguel.com> for contributing this patch.
- ! initial and inherit settings available for width, height, and the min-/max-
- versions thereof. Thanks Michael Kliewe <info@phpgansta.de> for contributing
- this patch.
- ! More color names are supported. Thanks Daijobou for contributing.
- - Compatibility fixes for PHP 7.3, including new CI for PHP 7.3
- (thank you Lukas Neumann <lksnmnn@gmail.com>) and removal of
- reserved words in our constants (thanks Darko Hrgovic <darko@darkodev.com>
- - Compatibility fixes for HHVM. Thanks Mateusz Turcza for contributing
- this fix.
- - HTML Purifier now never defines __autoload, fixing #196. Thanks
- Michael Kliewe for reporting.
- - In some situations, Config.php would report an undefined index: class
- error; this has been fixed. Thanks DiLong Fa for contributing
- this fix.
- - We no longer produce <script /> tags; we always explicitly write
- out the open and close tag. Thanks Dimitri Gritsajuk
- <gritsajuk.dimitri@gmail.com> for contributing this fix.
- - Better compatibility when IDNA constants are not present. Thanks
- Mateusz Turcza <xemlock@gmail.com> for contributing this fix.
- 4.10.0, released 2018-02-22
- # PHP 5.3 is no longer officially supported by HTML Purifier
- (we did not specifically break support, but we are no longer
- testing on PHP 5.3)
- ! Relative CSS length units are now supported
- - A few PHP 7.2 compatibility fixes, thanks John Flatness
- <john@zerocrates.org>
- - Improve portability with old versions of libxml which don't
- support accessing the data of a node
- - IDNA2008 is now used for converting domains to ASCII, fixing
- some rather strange bugs with international domains
- - Fix race condition resulting in E_WARNING when creating
- directories with Serializer
- 4.9.3, released 2017-06-02
- - Workaround PHP 7.1 infinite loop when opcode cache is enabled.
- Thanks @Xiphin (#134, #135)
- - Don't use autoloader when testing for DOMDocument. Hypothetically,
- this could cause your install to start using DirectLex if you had
- previously been monkeypatching in a custom, autoloaded implementation
- of DOMDocument. Don't do that. Thanks @Izumi-kun (#130)
- 4.9.2, released 2017-03-12
- - Fixes PHP 5.3 compatibility
- - Fix breakage when decoding decimal entities. Thanks @rybakit (#129)
- 4.9.1, released 2017-03-08
- ! %URI.DefaultScheme can now be set to null, in which case
- all relative paths are removed.
- ! New CSS properties: min-width, max-width, min-height, max-height (#94)
- ! Transparency (rgba) and hsl/hsla supported where color CSS is present.
- Thanks @fxbt for contributing the patch. (#118)
- - When idn_to_ascii is defined, we might accept malformed
- hostnames. Apply validation to the result in such cases.
- - Close directory when done in Serializer DefinitionCache (#100)
- - Deleted some asserts to avoid linters from choking (#97)
- - Rework Serializer cache behavior to avoid chmod'ing if possible (#32)
- - Embedded semicolons in strings in CSS are now handled correctly!
- - We accidentally dropped certain Unicode characters if there was
- one or more invalid characters. This has been fixed, thanks
- to mpyw <ryosuke_i_628@yahoo.co.jp>
- - Fix for "Don't truncate upon encountering </div> when using DOMLex"
- caused a regression with HTML 4.01 Strict parsing with libxml 2.9.1
- (and maybe later versions, but known OK with libxml 2.9.4). The
- fix is to go about handling truncation a bit more cleverly so that
- we can wrap with divs (sidestepping the bug) but slurping out the
- rest of the text in case it ran off the end. (#78)
- - Fix PREG_BACKTRACK_LIMIT_ERROR in HTMLPurifier_Filter_ExtractStyle.
- Thanks @breathbath for contributing the report and fix (#120)
- - Fix entity decoding algorithm to be more conservative about
- decoding entities that are missing trailing semicolon.
- To get old behavior, set %Core.LegacyEntityDecoder to true.
- (#119)
- - Workaround libxml bug when HTML tags are embedded inside
- script tags. To disable workaround set %Core.AggressivelyRemoveScript
- to false. (#83)
- # By default, when a link has a target attribute associated
- with it, we now also add rel="noopener" in order to
- prevent the new window from being able to overwrite
- the original frame. To disable this protection,
- set %HTML.TargetNoopener to FALSE.
- 4.9.0 was cut on Git but never properly released; when we did the
- real release we decided to skip this version number.
- 4.8.0, released 2016-07-16
- # By default, when a link has a target attribute associated
- with it, we now also add rel="noreferrer" in order to
- prevent the new window from being able to overwrite
- the original frame. To disable this protection,
- set %HTML.TargetNoreferrer to FALSE.
- ! Full PHP 7 compatibility, the test suite is ALL GO.
- ! %CSS.AllowDuplicates permits duplicate CSS properties.
- ! Support for 'tel' URIs.
- ! Partial support for 'border-radius' properties when %CSS.AllowProprietary is true.
- The slash syntax, i.e., 'border-radius: 2em 1em 4em / 0.5em 3em' is not
- yet supported.
- ! %Attr.ID.HTML5 turns on HTML5-style ID handling.
- - alt truncation could result in malformed UTF-8 sequence. Don't
- truncate. Thanks Brandon Farber for reporting.
- - Linkify regex is smarter, based off of Gruber's regex.
- - IDNA supported natively on PHP 5.3 and later.
- - Non all-numeric top-level names (e.g., foo.1f, 1f) are now
- allowed.
- - Minor bounds error fix to squash a PHP 7 notice.
- - Support non-/tmp temporary directories for data:// validation
- - Give a better error message when a user attempts to allow
- ul/ol without allowing li.
- - On some versions of PHP, the Serializer DefinitionCache could
- infinite loop when the directory exists but is not listable. (#49)
- - Don't match for <body> inside comments with
- %Core.ConvertDocumentToFragment. (#67)
- - SafeObject is now less case sensitive. (#57)
- - AutoFormat.RemoveEmpty.Predicate now correctly renders in
- web form. (#85)
- 4.7.0, released 2015-08-04
- # opacity is now considered a "tricky" CSS property rather than a
- proprietary one.
- ! %AutoFormat.RemoveEmpty.Predicate for specifying exactly when
- an element should be considered "empty" (maybe preserve if it
- has attributes), and modify iframe support so that the iframe
- is removed if it is missing a src attribute. Thanks meeva for
- reporting.
- - Don't truncate upon encountering </div> when using DOMLex. Thanks
- Myrto Christina for finally convincing me to fix this.
- - Update YouTube filter for new code.
- - Fix parsing of rgb() values with spaces in them for 'border'
- attribute.
- - Don't remove foo="" attributes if foo is a boolean attribute. Thanks
- valME for reporting.
- 4.6.0, released 2013-11-30
- # Secure URI munge hashing algorithm has changed to hash_hmac("sha256", $url, $secret).
- Please update any verification scripts you may have.
- # URI parsing algorithm was made more strict, so only prefixes which
- looks like schemes will actually be schemes. Thanks
- Michael Gusev <mgusev@sugarcrm.com> for fixing.
- # %Core.EscapeInvalidChildren is no longer supported, and no longer does
- anything.
- ! New directive %Core.AllowHostnameUnderscore which allows underscores
- in hostnames.
- - Eliminate quadratic behavior in DOMLex by using a proper queue.
- Thanks Ole Laursen for noticing this.
- - Rewritten MakeWellFormed/FixNesting implementation eliminates quadratic
- behavior in the rest of the purificaiton pipeline. Thanks Chedburn
- Networks for sponsoring this work.
- - Made Linkify URL parser a bit less permissive, so that non-breaking
- spaces and commas are not included as part of URL. Thanks nAS for fixing.
- - Fix some bad interactions with %HTML.Allowed and injectors. Thanks
- David Hirtz for reporting.
- - Fix infinite loop in DirectLex. Thanks Ashar Javed (@soaj1664ashar)
- for reporting.
- 4.5.0, released 2013-02-17
- # Fix bug where stacked attribute transforms clobber each other;
- this also means it's no longer possible to override attribute
- transforms in later modules. No internal code was using this
- but this may break some clients.
- # We now use SHA-1 to identify cached definitions, instead of MD5.
- ! Support display:inline-block
- ! Support for more white-space CSS values.
- ! Permit underscores in font families
- ! Support for page-break-* CSS3 properties when proprietary properties
- are enabled.
- ! New directive %Core.DisableExcludes; can be set to 'true' to turn off
- SGML excludes checking. If HTML Purifier is removing too much text
- and you don't care about full standards compliance, try setting this to
- 'true'.
- - Use prepend for SPL autoloading on PHP 5.3 and later.
- - Fix bug with nofollow transform when pre-existing rel exists.
- - Fix bug where background:url() always gets lower-cased
- (but not background-image:url())
- - Fix bug with non lower-case color names in HTML
- - Fix bug where data URI validation doesn't remove temporary files.
- Thanks Javier Marín Ros <javiermarinros@gmail.com> for reporting.
- - Don't remove certain empty tags on RemoveEmpty.
- 4.4.0, released 2012-01-18
- # Removed PEARSax3 handler.
- # URI.Munge now munges URIs inside the same host that go from https
- to http. Reported by Neike Taika-Tessaro.
- # Core.EscapeNonASCIICharacters now always transforms entities to
- entities, even if target encoding is UTF-8.
- # Tighten up selector validation in ExtractStyleBlocks.
- Non-syntactically valid selectors are now rejected, along with
- some of the more obscure ones such as attribute selectors, the
- :lang pseudoselector, and anything not in CSS2.1. Furthermore,
- ID and class selectors now work properly with the relevant
- configuration attributes. Also, mute errors when parsing CSS
- with CSS Tidy. Reported by Mario Heiderich and Norman Hippert.
- ! Added support for 'scope' attribute on tables.
- ! Added %HTML.TargetBlank, which adds target="blank" to all outgoing links.
- ! Properly handle sub-lists directly nested inside of lists in
- a standards compliant way, by moving them into the preceding <li>
- ! Added %HTML.AllowedComments and %HTML.AllowedCommentsRegexp for
- limited allowed comments in untrusted situations.
- ! Implement iframes, and allow them to be used in untrusted mode with
- %HTML.SafeIframe and %URI.SafeIframeRegexp. Thanks Bradley M. Froehle
- <brad.froehle@gmail.com> for submitting an initial version of the patch.
- ! The Forms module now works properly for transitional doctypes.
- ! Added support for internationalized domain names. You need the PEAR
- Net_IDNA2 module to be in your path; if it is installed, ensure the
- class can be loaded and then set %Core.EnableIDNA to true.
- - Color keywords are now case insensitive. Thanks Yzmir Ramirez
- <yramirez-htmlpurifier@adicio.com> for reporting.
- - Explicitly initialize anonModule variable to null.
- - Do not duplicate nofollow if already present. Thanks 178
- for reporting.
- - Do not add nofollow if hostname matches our current host. Thanks 178
- for reporting, and Neike Taika-Tessaro for helping diagnose.
- - Do not unset parser variable; this fixes intermittent serialization
- problems. Thanks Neike Taika-Tessaro for reporting, bill
- <10010tiger@gmail.com> for diagnosing.
- - Fix iconv truncation bug, where non-UTF-8 target encodings see
- output truncated after around 8000 characters. Thanks Jörg Ludwig
- <joerg.ludwig@iserv.eu> for reporting.
- - Fix broken table content model for XHTML1.1 (and also earlier
- versions, although the W3C validator doesn't catch those violations).
- Thanks GlitchMr <glitch.mr@gmail.com> for reporting.
- 4.3.0, released 2011-03-27
- # Fixed broken caching of customized raw definitions, but requires an
- API change. The old API still works but will emit a warning,
- see http://htmlpurifier.org/docs/enduser-customize.html#optimized
- for how to upgrade your code.
- # Protect against Internet Explorer innerHTML behavior by specially
- treating attributes with backticks but no angled brackets, quotes or
- spaces. This constitutes a slight semantic change, which can be
- reverted using %Output.FixInnerHTML. Reported by Neike Taika-Tessaro
- and Mario Heiderich.
- # Protect against cssText/innerHTML by restricting allowed characters
- used in fonts further than mandated by the specification and encoding
- some extra special characters in URLs. Reported by Neike
- Taika-Tessaro and Mario Heiderich.
- ! Added %HTML.Nofollow to add rel="nofollow" to external links.
- ! More types of SPL autoloaders allowed on later versions of PHP.
- ! Implementations for position, top, left, right, bottom, z-index
- when %CSS.Trusted is on.
- ! Add %Cache.SerializerPermissions option for custom serializer
- directory/file permissions
- ! Fix longstanding bug in Flash support for non-IE browsers, and
- allow more wmode attributes.
- ! Add %CSS.AllowedFonts to restrict permissible font names.
- - Switch to an iterative traversal of the DOM, which prevents us
- from running out of stack space for deeply nested documents.
- Thanks Maxim Krizhanovsky for contributing a patch.
- - Make removal of conditional IE comments ungreedy; thanks Bernd
- for reporting.
- - Escape CDATA before removing Internet Explorer comments.
- - Fix removal of id attributes under certain conditions by ensuring
- armor attributes are preserved when recreating tags.
- - Check if schema.ser was corrupted.
- - Check if zend.ze1_compatibility_mode is on, and error out if it is.
- This safety check is only done for HTMLPurifier.auto.php; if you
- are using standalone or the specialized includes files, you're
- expected to know what you're doing.
- - Stop repeatedly writing the cache file after I'm done customizing a
- raw definition. Reported by ajh.
- - Switch to using require_once in the Bootstrap to work around bad
- interaction with Zend Debugger and APC. Reported by Antonio Parraga.
- - Fix URI handling when hostname is missing but scheme is present.
- Reported by Neike Taika-Tessaro.
- - Fix missing numeric entities on DirectLex; thanks Neike Taika-Tessaro
- for reporting.
- - Fix harmless notice from indexing into empty string. Thanks Matthijs
- Kooijman <matthijs@stdin.nl> for reporting.
- - Don't autoclose no parent elements are able to support the element
- that triggered the autoclose. In particular fixes strange behavior
- of stray <li> tags. Thanks pkuliga@gmail.com for reporting and
- Neike Taika-Tessaro <pinkgothic@gmail.com> for debugging assistance.
- 4.2.0, released 2010-09-15
- ! Added %Core.RemoveProcessingInstructions, which lets you remove
- <? ... ?> statements.
- ! Added %URI.DisableResources functionality; the directive originally
- did nothing. Thanks David Rothstein for reporting.
- ! Add documentation about configuration directive types.
- ! Add %CSS.ForbiddenProperties configuration directive.
- ! Add %HTML.FlashAllowFullScreen to permit embedded Flash objects
- to utilize full-screen mode.
- ! Add optional support for the <code>file</code> URI scheme, enable
- by explicitly setting %URI.AllowedSchemes.
- ! Add %Core.NormalizeNewlines options to allow turning off newline
- normalization.
- - Fix improper handling of Internet Explorer conditional comments
- by parser. Thanks zmonteca for reporting.
- - Fix missing attributes bug when running on Mac Snow Leopard and APC.
- Thanks sidepodcast for the fix.
- - Warn if an element is allowed, but an attribute it requires is
- not allowed.
- 4.1.1, released 2010-05-31
- - Fix undefined index warnings in maintenance scripts.
- - Fix bug in DirectLex for parsing elements with a single attribute
- with entities.
- - Rewrite CSS output logic for font-family and url(). Thanks Mario
- Heiderich <mario.heiderich@googlemail.com> for reporting and Takeshi
- Terada <t-terada@violet.plala.or.jp> for suggesting the fix.
- - Emit an error for CollectErrors if a body is extracted
- - Fix bug where in background-position for center keyword handling.
- - Fix infinite loop when a wrapper element is inserted in a context
- where it's not allowed. Thanks Lars <lars@renoz.dk> for reporting.
- - Remove +x bit and shebang from index.php; only supported mode is to
- explicitly call it with php.
- - Make test script less chatty when log_errors is on.
- 4.1.0, released 2010-04-26
- ! Support proprietary height attribute on table element
- ! Support YouTube slideshows that contain /cp/ in their URL.
- ! Support for data: URI scheme; not enabled by default, add it using
- %URI.AllowedSchemes
- ! Support flashvars when using %HTML.SafeObject and %HTML.SafeEmbed.
- ! Support for Internet Explorer compatibility with %HTML.SafeObject
- using %Output.FlashCompat.
- ! Handle <ol><ol> properly, by inserting the necessary <li> tag.
- - Always quote the insides of url(...) in CSS.
- 4.0.0, released 2009-07-07
- # APIs for ConfigSchema subsystem have substantially changed. See
- docs/dev-config-bcbreaks.txt for details; in essence, anything that
- had both namespace and directive now have a single unified key.
- # Some configuration directives were renamed, specifically:
- %AutoFormatParam.PurifierLinkifyDocURL -> %AutoFormat.PurifierLinkify.DocURL
- %FilterParam.ExtractStyleBlocksEscaping -> %Filter.ExtractStyleBlocks.Escaping
- %FilterParam.ExtractStyleBlocksScope -> %Filter.ExtractStyleBlocks.Scope
- %FilterParam.ExtractStyleBlocksTidyImpl -> %Filter.ExtractStyleBlocks.TidyImpl
- As usual, the old directive names will still work, but will throw E_NOTICE
- errors.
- # The allowed values for class have been relaxed to allow all of CDATA for
- doctypes that are not XHTML 1.1 or XHTML 2.0. For old behavior, set
- %Attr.ClassUseCDATA to false.
- # Instead of appending the content model to an old content model, a blank
- element will replace the old content model. You can use #SUPER to get
- the old content model.
- ! More robust support for name="" and id=""
- ! HTMLPurifier_Config::inherit($config) allows you to inherit one
- configuration, and have changes to that configuration be propagated
- to all of its children.
- ! Implement %HTML.Attr.Name.UseCDATA, which relaxes validation rules on
- the name attribute when set. Use with care. Thanks Ian Cook for
- sponsoring.
- ! Implement %AutoFormat.RemoveEmpty.RemoveNbsp, which removes empty
- tags that contain non-breaking spaces as well other whitespace. You
- can also modify which tags should have maintained with
- %AutoFormat.RemoveEmpty.RemoveNbsp.Exceptions.
- ! Implement %Attr.AllowedClasses, which allows administrators to restrict
- classes users can use to a specified finite set of classes, and
- %Attr.ForbiddenClasses, which is the logical inverse.
- ! You can now maintain your own configuration schema directories by
- creating a config-schema.php file or passing an extra argument. Check
- docs/dev-config-schema.html for more details.
- ! Added HTMLPurifier_Config->serialize() method, which lets you save away
- your configuration in a compact serial file, which you can unserialize
- and use directly without having to go through the overhead of setup.
- - Fix bug where URIDefinition would not get cleared if it's directives got
- changed.
- - Fix fatal error in HTMLPurifier_Encoder on certain platforms (probably NetBSD 5.0)
- - Fix bug in Linkify autoformatter involving <a><span>http://foo</span></a>
- - Make %URI.Munge not apply to links that have the same host as your host.
- - Prevent stray </body> tag from truncating output, if a second </body>
- is present.
- . Created script maintenance/rename-config.php for renaming a configuration
- directive while maintaining its alias. This script does not change source code.
- . Implement namespace locking for definition construction, to prevent
- bugs where a directive is used for definition construction but is not
- used to construct the cache hash.
- 3.3.0, released 2009-02-16
- ! Implement CSS property 'overflow' when %CSS.AllowTricky is true.
- ! Implement generic property list classess
- - Fix bug with testEncodingSupportsASCII() algorithm when iconv() implementation
- does not do the "right thing" with characters not supported in the output
- set.
- - Spellcheck UTF-8: The Secret To Character Encoding
- - Fix improper removal of the contents of elements with only whitespace. Thanks
- Eric Wald for reporting.
- - Fix broken test suite in versions of PHP without spl_autoload_register()
- - Fix degenerate case with YouTube filter involving double hyphens.
- Thanks Pierre Attar for reporting.
- - Fix YouTube rendering problem on certain versions of Firefox.
- - Fix CSSDefinition Printer problems with decorators
- - Add text parameter to unit tests, forces text output
- . Add verbose mode to command line test runner, use (--verbose)
- . Turn on unit tests for UnitConverter
- . Fix missing version number in configuration %Attr.DefaultImageAlt (added 3.2.0)
- . Fix newline errors that caused spurious failures when CRLF HTML Purifier was
- tested on Linux.
- . Removed trailing whitespace from all text files, see
- remote-trailing-whitespace.php maintenance script.
- . Convert configuration to use property list backend.
- 3.2.0, released 2008-10-31
- # Using %Core.CollectErrors forces line number/column tracking on, whereas
- previously you could theoretically turn it off.
- # HTMLPurifier_Injector->notifyEnd() is formally deprecated. Please
- use handleEnd() instead.
- ! %Output.AttrSort for when you need your attributes in alphabetical order to
- deal with a bug in FCKEditor. Requested by frank farmer.
- ! Enable HTML comments when %HTML.Trusted is on. Requested by Waldo Jaquith.
- ! Proper support for name attribute. It is now allowed and equivalent to the id
- attribute in a and img tags, and is only converted to id when %HTML.TidyLevel
- is heavy (for all doctypes).
- ! %AutoFormat.RemoveEmpty to remove some empty tags from documents. Please don't
- use on hand-written HTML.
- ! Add error-cases for unsupported elements in MakeWellFormed. This enables
- the strategy to be used, standalone, on untrusted input.
- ! %Core.AggressivelyFixLt is on by default. This causes more sensible
- processing of left angled brackets in smileys and other whatnot.
- ! Test scripts now have a 'type' parameter, which lets you say 'htmlpurifier',
- 'phpt', 'vtest', etc. in order to only execute those tests. This supercedes
- the --only-phpt parameter, although for backwards-compatibility the flag
- will still work.
- ! AutoParagraph auto-formatter will now preserve double-newlines upon output.
- Users who are not performing inbound filtering, this may seem a little
- useless, but as a bonus, the test suite and handling of edge cases is also
- improved.
- ! Experimental implementation of forms for %HTML.Trusted
- ! Track column numbers when maintain line numbers is on
- ! Proprietary 'background' attribute on table-related elements converted into
- corresponding CSS. Thanks Fusemail for sponsoring this feature!
- ! Add forward(), forwardUntilEndToken(), backward() and current() to Injector
- supertype.
- ! HTMLPurifier_Injector->handleEnd() permits modification to end tokens. The
- time of operation varies slightly from notifyEnd() as *all* end tokens are
- processed by the injector before they are subject to the well-formedness rules.
- ! %Attr.DefaultImageAlt allows overriding default behavior of setting alt to
- basename of image when not present.
- ! %AutoFormat.DisplayLinkURI neuters <a> tags into plain text URLs.
- - Fix two bugs in %URI.MakeAbsolute; one involving empty paths in base URLs,
- the other involving an undefined $is_folder error.
- - Throw error when %Core.Encoding is set to a spurious value. Previously,
- this errored silently and returned false.
- - Redirected stderr to stdout for flush error output.
- - %URI.DisableExternal will now use the host in %URI.Base if %URI.Host is not
- available.
- - Do not re-munge URL if the output URL has the same host as the input URL.
- Requested by Chris.
- - Fix error in documentation regarding %Filter.ExtractStyleBlocks
- - Prevent <![CDATA[<body></body>]]> from triggering %Core.ConvertDocumentToFragment
- - Fix bug with inline elements in blockquotes conflicting with strict doctype
- - Detect if HTML support is disabled for DOM by checking for loadHTML() method.
- - Fix bug where dots and double-dots in absolute URLs without hostname were
- not collapsed by URIFilter_MakeAbsolute.
- - Fix bug with anonymous modules operating on SafeEmbed or SafeObject elements
- by reordering their addition.
- - Will now throw exception on many error conditions during lexer creation; also
- throw an exception when MaintainLineNumbers is true, but a non-tracksLineNumbers
- is being used.
- - Detect if domxml extension is loaded, and use DirectLEx accordingly.
- - Improve handling of big numbers with floating point arithmetic in UnitConverter.
- Reported by David Morton.
- . Strategy_MakeWellFormed now operates in-place, saving memory and allowing
- for more interesting filter-backtracking
- . New HTMLPurifier_Injector->rewind() functionality, allows injectors to rewind
- index to reprocess tokens.
- . StringHashParser now allows for multiline sections with "empty" content;
- previously the section would remain undefined.
- . Added --quick option to multitest.php, which tests only the most recent
- release for each series.
- . Added --distro option to multitest.php, which accepts either 'normal' or
- 'standalone'. This supercedes --exclude-normal and --exclude-standalone
- 3.1.1, released 2008-06-19
- # %URI.Munge now, by default, does not munge resources (for example, <img src="">)
- In order to enable this again, please set %URI.MungeResources to true.
- ! More robust imagecrash protection with height/width CSS with %CSS.MaxImgLength,
- and height/width HTML with %HTML.MaxImgLength.
- ! %URI.MungeSecretKey for secure URI munging. Thanks Chris
- for sponsoring this feature. Check out the corresponding documentation
- for details. (Att Nightly testers: The API for this feature changed before
- the general release. Namely, rename your directives %URI.SecureMungeSecretKey =>
- %URI.MungeSecretKey and and %URI.SecureMunge => %URI.Munge)
- ! Implemented post URI filtering. Set member variable $post to true to set
- a URIFilter as such.
- ! Allow modules to define injectors via $info_injector. Injectors are
- automatically disabled if injector's needed elements are not found.
- ! Support for "safe" objects added, use %HTML.SafeObject and %HTML.SafeEmbed.
- Thanks Chris for sponsoring. If you've been using ad hoc code from the
- forums, PLEASE use this instead.
- ! Added substitutions for %e, %n, %a and %p in %URI.Munge (in order,
- embedded, tag name, attribute name, CSS property name). See %URI.Munge
- for more details. Requested by Jochem Blok.
- - Disable percent height/width attributes for img.
- - AttrValidator operations are now atomic; updates to attributes are not
- manifest in token until end of operations. This prevents naughty internal
- code from directly modifying CurrentToken when they're not supposed to.
- This semantics change was requested by frank farmer.
- - Percent encoding checks enabled for URI query and fragment
- - Fix stray backslashes in font-family; CSS Unicode character escapes are
- now properly resolved (although *only* in font-family). Thanks Takeshi Terada
- for reporting.
- - Improve parseCDATA algorithm to take into account newline normalization
- - Account for browser confusion between Yen character and backslash in
- Shift_JIS encoding. This fix generalizes to any other encoding which is not
- a strict superset of printable ASCII. Thanks Takeshi Terada for reporting.
- - Fix missing configuration parameter in Generator calls. Thanks vs for the
- partial patch.
- - Improved adherence to Unicode by checking for non-character codepoints.
- Thanks Geoffrey Sneddon for reporting. This may result in degraded
- performance for extremely large inputs.
- - Allow CSS property-value pair ''text-decoration: none''. Thanks Jochem Blok
- for reporting.
- . Added HTMLPurifier_UnitConverter and HTMLPurifier_Length for convenient
- handling of CSS-style lengths. HTMLPurifier_AttrDef_CSS_Length now uses
- this class.
- . API of HTMLPurifier_AttrDef_CSS_Length changed from __construct($disable_negative)
- to __construct($min, $max). __construct(true) is equivalent to
- __construct('0').
- . Added HTMLPurifier_AttrDef_Switch class
- . Rename HTMLPurifier_HTMLModule_Tidy->construct() to setup() and bubble method
- up inheritance hierarchy to HTMLPurifier_HTMLModule. All HTMLModules
- get this called with the configuration object. All modules now
- use this rather than __construct(), although legacy code using constructors
- will still work--the new format, however, lets modules access the
- configuration object for HTML namespace dependant tweaks.
- . AttrDef_HTML_Pixels now takes a single construction parameter, pixels.
- . ConfigSchema data-structure heavily optimized; on average it uses a third
- the memory it did previously. The interface has changed accordingly,
- consult changes to HTMLPurifier_Config for details.
- . Variable parsing types now are magic integers instead of strings
- . Added benchmark for ConfigSchema
- . HTMLPurifier_Generator requires $config and $context parameters. If you
- don't know what they should be, use HTMLPurifier_Config::createDefault()
- and new HTMLPurifier_Context().
- . Printers now properly distinguish between output configuration, and
- target configuration. This is not applicable to scripts using
- the Printers for HTML Purifier related tasks.
- . HTML/CSS Printers must be primed with prepareGenerator($gen_config), otherwise
- fatal errors will ensue.
- . URIFilter->prepare can return false in order to abort loading of the filter
- . Factory for AttrDef_URI implemented, URI#embedded to indicate URI that embeds
- an external resource.
- . %URI.Munge functionality factored out into a post-filter class.
- . Added CurrentCSSProperty context variable during CSS validation
- 3.1.0, released 2008-05-18
- # Unnecessary references to objects (vestiges of PHP4) removed from method
- signatures. The following methods do not need references when assigning from
- them and will result in E_STRICT errors if you try:
- + HTMLPurifier_Config->get*Definition() [* = HTML, CSS]
- + HTMLPurifier_ConfigSchema::instance()
- + HTMLPurifier_DefinitionCacheFactory::instance()
- + HTMLPurifier_DefinitionCacheFactory->create()
- + HTMLPurifier_DoctypeRegistry->register()
- + HTMLPurifier_DoctypeRegistry->get()
- + HTMLPurifier_HTMLModule->addElement()
- + HTMLPurifier_HTMLModule->addBlankElement()
- + HTMLPurifier_LanguageFactory::instance()
- # Printer_ConfigForm's get*() functions were static-ified
- # %HTML.ForbiddenAttributes requires attribute declarations to be in the
- form of tag@attr, NOT tag.attr (which will throw an error and won't do
- anything). This is for forwards compatibility with XML; you'd do best
- to migrate an %HTML.AllowedAttributes directives to this syntax too.
- ! Allow index to be false for config from form creation
- ! Added HTMLPurifier::VERSION constant
- ! Commas, not dashes, used for serializer IDs. This change is forwards-compatible
- and allows for version numbers like "3.1.0-dev".
- ! %HTML.Allowed deals gracefully with whitespace anywhere, anytime!
- ! HTML Purifier's URI handling is a lot more robust, with much stricter
- validation checks and better percent encoding handling. Thanks Gareth Heyes
- for indicating security vulnerabilities from lax percent encoding.
- ! Bootstrap autoloader deals more robustly with classes that don't exist,
- preventing class_exists($class, true) from barfing.
- - InterchangeBuilder now alphabetizes its lists
- - Validation error in configdoc output fixed
- - Iconv and other encoding errors muted even with custom error handlers that
- do not honor error_reporting
- - Add protection against imagecrash attack with CSS height/width
- - HTMLPurifier::instance() created for consistency, is equivalent to getInstance()
- - Fixed and revamped broken ConfigForm smoketest
- - Bug with bool/null fields in Printer_ConfigForm fixed
- - Bug with global forbidden attributes fixed
- - Improved error messages for allowed and forbidden HTML elements and attributes
- - Missing (or null) in configdoc documentation restored
- - If DOM throws and exception during parsing with PH5P (occurs in newer versions
- of DOM), HTML Purifier punts to DirectLex
- - Fatal error with unserialization of ScriptRequired
- - Created directories are now chmod'ed properly
- - Fixed bug with fallback languages in LanguageFactory
- - Standalone testing setup properly with autoload
- . Out-of-date documentation revised
- . UTF-8 encoding check optimization as suggested by Diego
- . HTMLPurifier_Error removed in favor of exceptions
- . More copy() function removed; should use clone instead
- . More extensive unit tests for HTMLDefinition
- . assertPurification moved to central harness
- . HTMLPurifier_Generator accepts $config and $context parameters during
- instantiation, not runtime
- . Double-quotes outside of attribute values are now unescaped
- 3.1.0rc1, released 2008-04-22
- # Autoload support added. Internal require_once's removed in favor of an
- explicit require list or autoloading. To use HTML Purifier,
- you must now either use HTMLPurifier.auto.php
- or HTMLPurifier.includes.php; setting the include path and including
- HTMLPurifier.php is insufficient--in such cases include HTMLPurifier.autoload.php
- as well to register our autoload handler (or modify your autoload function
- to check HTMLPurifier_Bootstrap::getPath($class)). You can also use
- HTMLPurifier.safe-includes.php for a less performance friendly but more
- user-friendly library load.
- # HTMLPurifier_ConfigSchema static functions are officially deprecated. Schema
- information is stored in the ConfigSchema directory, and the
- maintenance/generate-schema-cache.php generates the schema.ser file, which
- is now instantiated. Support for userland schema changes coming soon!
- # HTMLPurifier_Config will now throw E_USER_NOTICE when you use a directive
- alias; to get rid of these errors just modify your configuration to use
- the new directive name.
- # HTMLPurifier->addFilter is deprecated; built-in filters can now be
- enabled using %Filter.$filter_name or by setting your own filters using
- %Filter.Custom
- # Directive-level safety properties superceded in favor of module-level
- safety. Internal method HTMLModule->addElement() has changed, although
- the externally visible HTMLDefinition->addElement has *not* changed.
- ! Extra utility classes for testing and non-library operations can
- be found in extras/. Specifically, these are FSTools and ConfigDoc.
- You may find a use for these in your own project, but right now they
- are highly experimental and volatile.
- ! Integration with PHPT allows for automated smoketests
- ! Limited support for proprietary HTML elements, namely <marquee>, sponsored
- by Chris. You can enable them with %HTML.Proprietary if your client
- demands them.
- ! Support for !important CSS cascade modifier. By default, this will be stripped
- from CSS, but you can enable it using %CSS.AllowImportant
- ! Support for display and visibility CSS properties added, set %CSS.AllowTricky
- to true to use them.
- ! HTML Purifier now has its own Exception hierarchy under HTMLPurifier_Exception.
- Developer error (not enduser error) can cause these to be triggered.
- ! Experimental kses() wrapper introduced with HTMLPurifier.kses.php
- ! Finally %CSS.AllowedProperties for tweaking allowed CSS properties without
- mucking around with HTMLPurifier_CSSDefinition
- ! ConfigDoc output has been enhanced with version and deprecation info.
- ! %HTML.ForbiddenAttributes and %HTML.ForbiddenElements implemented.
- - Autoclose now operates iteratively, i.e. <span><span><div> now has
- both span tags closed.
- - Various HTMLPurifier_Config convenience functions now accept another parameter
- $schema which defines what HTMLPurifier_ConfigSchema to use besides the
- global default.
- - Fix bug with trusted script handling in libxml versions later than 2.6.28.
- - Fix bug in ExtractStyleBlocks with comments in style tags
- - Fix bug in comment parsing for DirectLex
- - Flush output now displayed when in command line mode for unit tester
- - Fix bug with rgb(0, 1, 2) color syntax with spaces inside shorthand syntax
- - HTMLPurifier_HTMLDefinition->addAttribute can now be called multiple times
- on the same element without emitting errors.
- - Fixed fatal error in PH5P lexer with invalid tag names
- . Plugins now get their own changelogs according to project conventions.
- . Convert tokens to use instanceof, reducing memory footprint and
- improving comparison speed.
- . Dry runs now supported in SimpleTest; testing facilities improved
- . Bootstrap class added for handling autoloading functionality
- . Implemented recursive glob at FSTools->globr
- . ConfigSchema now has instance methods for all corresponding define*
- static methods.
- . A couple of new historical maintenance scripts were added.
- . HTMLPurifier/HTMLModule/Tidy/XHTMLAndHTML4.php split into two files
- . tests/index.php can now be run from any directory.
- . HTMLPurifier_Token subclasses split into seperate files
- . HTMLPURIFIER_PREFIX now is defined in Bootstrap.php, NOT HTMLPurifier.php
- . HTMLPURIFIER_PREFIX can now be defined outside of HTML Purifier
- . New --php=php flag added, allows PHP executable to be specified (command
- line only!)
- . htmlpurifier_add_test() preferred method to translate test files in to
- classes, because it handles PHPT files too.
- . Debugger class is deprecated and will be removed soon.
- . Command line argument parsing for testing scripts revamped, now --opt value
- format is supported.
- . Smoketests now cleanup after magic quotes
- . Generator now can output comments (however, comments are still stripped
- from HTML Purifier output)
- . HTMLPurifier_ConfigSchema->validate() deprecated in favor of
- HTMLPurifier_VarParser->parse()
- . Integers auto-cast into float type by VarParser.
- . HTMLPURIFIER_STRICT removed; no validation is performed on runtime, only
- during cache generation
- . Reordered script calls in maintenance/flush.php
- . Command line scripts now honor exit codes
- . When --flush fails in unit testers, abort tests and print message
- . Improved documentation in docs/dev-flush.html about the maintenance scripts
- . copy() methods removed in favor of clone keyword
- 3.0.0, released 2008-01-06
- # HTML Purifier is PHP 5 only! The 2.1.x branch will be maintained
- until PHP 4 is completely deprecated, but no new features will be added
- to it.
- + Visibility declarations added
- + Constructor methods renamed to __construct()
- + PHP4 reference cruft removed (in progress)
- ! CSS properties are now case-insensitive
- ! DefinitionCacheFactory now can register new implementations
- ! New HTMLPurifier_Filter_ExtractStyleBlocks for extracting <style> from
- documents and cleaning their contents up. Requires the CSSTidy library
- <http://csstidy.sourceforge.net/>. You can access the blocks with the
- 'StyleBlocks' Context variable ($purifier->context->get('StyleBlocks')).
- The output CSS can also be "scoped" for a specific element, use:
- %Filter.ExtractStyleBlocksScope
- ! Experimental support for some proprietary CSS attributes allowed:
- opacity (and all of the browser-specific equivalents) and scrollbar colors.
- Enable by setting %CSS.Proprietary to true.
- - Colors missing # but in hex form will be corrected
- - CSS Number algorithm improved
- - Unit testing and multi-testing now on steroids: command lines,
- XML output, and other goodies now added.
- . Unit tests for Injector improved
- . New classes:
- + HTMLPurifier_AttrDef_CSS_AlphaValue
- + HTMLPurifier_AttrDef_CSS_Filter
- . Multitest now has a file docblock
- 2.1.3, released 2007-11-05
- ! tests/multitest.php allows you to test multiple versions by running
- tests/index.php through multiple interpreters using `phpv` shell
- script (you must provide this script!)
- - Fixed poor include ordering for Email URI AttrDefs, causes fatal errors
- on some systems.
- - Injector algorithm further refined: off-by-one error regarding skip
- counts for dormant injectors fixed
- - Corrective blockquote definition now enabled for HTML 4.01 Strict
- - Fatal error when <img> tag (or any other element with required attributes)
- has 'id' attribute fixed, thanks NykO18 for reporting
- - Fix warning emitted when a non-supported URI scheme is passed to the
- MakeAbsolute URIFilter, thanks NykO18 (again)
- - Further refine AutoParagraph injector. Behavior inside of elements
- allowing paragraph tags clarified: only inline content delimeted by
- double newlines (not block elements) are paragraphed.
- - Buggy treatment of end tags of elements that have required attributes
- fixed (does not manifest on default tag-set)
- - Spurious internal content reorganization error suppressed
- - HTMLDefinition->addElement now returns a reference to the created
- element object, as implied by the documentation
- - Phorum mod's HTML Purifier help message expanded (unreleased elsewhere)
- - Fix a theoretical class of infinite loops from DirectLex reported
- by Nate Abele
- - Work around unnecessary DOMElement type-cast in PH5P that caused errors
- in PHP 5.1
- - Work around PHP 4 SimpleTest lack-of-error complaining for one-time-only
- HTMLDefinition errors, this may indicate problems with error-collecting
- facilities in PHP 5
- - Make ErrorCollectorEMock work in both PHP 4 and PHP 5
- - Make PH5P work with PHP 5.0 by removing unnecessary array parameter typedef
- . %Core.AcceptFullDocuments renamed to %Core.ConvertDocumentToFragment
- to better communicate its purpose
- . Error unit tests can now specify the expectation of no errors. Future
- iterations of the harness will be extremely strict about what errors
- are allowed
- . Extend Injector hooks to allow for more powerful injector routines
- . HTMLDefinition->addBlankElement created, as according to the HTMLModule
- method
- . Doxygen configuration file updated, with minor improvements
- . Test runner now checks for similarly named files in conf/ directory too.
- . Minor cosmetic change to flush-definition-cache.php: trailing newline is
- outputted
- . Maintenance script for generating PH5P patch added, original PH5P source
- file also added under version control
- . Full unit test runner script title made more descriptive with PHP version
- . Updated INSTALL file to state that 4.3.7 is the earliest version we
- are actively testing
- 2.1.2, released 2007-09-03
- ! Implemented Object module for trusted users
- ! Implemented experimental HTML5 parsing mode using PH5P. To use, add
- this to your code:
- require_once 'HTMLPurifier/Lexer/PH5P.php';
- $config->set('Core', 'LexerImpl', 'PH5P');
- Note that this Lexer introduces some classes not in the HTMLPurifier
- namespace. Also, this is PHP5 only.
- ! CSS property border-spacing implemented
- - Fix non-visible parsing error in DirectLex with empty tags that have
- slashes inside attribute values.
- - Fix typo in CSS definition: border-collapse:seperate; was incorrectly
- accepted as valid CSS. Usually non-visible, because this styling is the
- default for tables in most browsers. Thanks Brett Zamir for pointing
- this out.
- - Fix validation errors in configuration form
- - Hammer out a bunch of edge-case bugs in the standalone distribution
- - Inclusion reflection removed from URISchemeRegistry; you must manually
- include any new schema files you wish to use
- - Numerous typo fixes in documentation thanks to Brett Zamir
- . Unit test refactoring for one logical test per test function
- . Config and context parameters in ComplexHarness deprecated: instead, edit
- the $config and $context member variables
- . HTML wrapper in DOMLex now takes DTD identifiers into account; doesn't
- really make a difference, but is good for completeness sake
- . merge-library.php script refactored for greater code reusability and
- PHP4 compatibility
- 2.1.1, released 2007-08-04
- - Fix show-stopper bug in %URI.MakeAbsolute functionality
- - Fix PHP4 syntax error in standalone version
- . Add prefix directory to include path for standalone, this prevents
- other installations from clobbering the standalone's URI schemes
- . Single test methods can be invoked by prefixing with __only
- 2.1.0, released 2007-08-02
- # flush-htmldefinition-cache.php superseded in favor of a generic
- flush-definition-cache.php script, you can clear a specific cache
- by passing its name as a parameter to the script
- ! Phorum mod implemented for HTML Purifier
- ! With %Core.AggressivelyFixLt, <3 and similar emoticons no longer
- trigger HTML removal in PHP5 (DOMLex). This directive is not necessary
- for PHP4 (DirectLex).
- ! Standalone file now available, which greatly reduces the amount of
- includes (although there are still a few files that reside in the
- standalone folder)
- ! Relative URIs can now be transformed into their absolute equivalents
- using %URI.Base and %URI.MakeAbsolute
- ! Ruby implemented for XHTML 1.1
- ! You can now define custom URI filtering behavior, see enduser-uri-filter.html
- for more details
- ! UTF-8 font names now supported in CSS
- - AutoFormatters emit friendly error messages if tags or attributes they
- need are not allowed
- - ConfigForm's compactification of directive names is now configurable
- - AutoParagraph autoformatter algorithm refined after field-testing
- - XHTML 1.1 now applies XHTML 1.0 Strict cleanup routines, namely
- blockquote wrapping
- - Contents of <style> tags removed by default when tags are removed
- . HTMLPurifier_Config->getSerial() implemented, this is extremely useful
- for output cache invalidation
- . ConfigForm printer now can retrieve CSS and JS files as strings, in
- case HTML Purifier's directory is not publically accessible
- . Introduce new text/itext configuration directive values: these represent
- longer strings that would be more appropriately edited with a textarea
- . Allow newlines to act as separators for lists, hashes, lookups and
- %HTML.Allowed
- . ConfigForm generates textareas instead of text inputs for lists, hashes,
- lookups, text and itext fields
- . Hidden element content removal genericized: %Core.HiddenElements can
- be used to customize this behavior, by default <script> and <style> are
- hidden
- . Added HTMLPURIFIER_PREFIX constant, should be used instead of dirname(__FILE__)
- . Custom ChildDef added to default include list
- . URIScheme reflection improved: will not attempt to include file if class
- already exists. May clobber autoload, so I need to keep an eye on it
- . ConfigSchema heavily optimized, will only collect information and validate
- definitions when HTMLPURIFIER_SCHEMA_STRICT is true.
- . AttrDef_URI unit tests and implementation refactored
- . benchmarks/ directory now protected from public view with .htaccess file;
- run the tests via command line
- . URI scheme is munged off if there is no authority and the scheme is the
- default one
- . All unit tests inherit from HTMLPurifier_Harness, not UnitTestCase
- . Interface for URIScheme changed
- . Generic URI object to hold components of URI added, most systems involved
- in URI validation have been migrated to use it
- . Custom filtering for URIs factored out to URIDefinition interface for
- maximum extensibility
- 2.0.1, released 2007-06-27
- ! Tag auto-closing now based on a ChildDef heuristic rather than a
- manually set auto_close array; some behavior may change
- ! Experimental AutoFormat functionality added: auto-paragraph and
- linkify your HTML input by setting %AutoFormat.AutoParagraph and
- %AutoFormat.Linkify to true
- ! Newlines normalized internally, and then converted back to the
- value of PHP_EOL. If this is not desired, set your newline format
- using %Output.Newline.
- ! Beta error collection, messages are implemented for the most generic
- cases involving Lexing or Strategies
- - Clean up special case code for <script> tags
- - Reorder includes for DefinitionCache decorators, fixes a possible
- missing class error
- - Fixed bug where manually modified definitions were not saved via cache
- (mostly harmless, except for the fact that it would be a little slower)
- - Configuration objects with different serials do not clobber each
- others when revision numbers are unequal
- - Improve Serializer DefinitionCache directory permissions checks
- - DefinitionCache no longer throws errors when it encounters old
- serial files that do not conform to the current style
- - Stray xmlns attributes removed from configuration documentation
- - configForm.php smoketest no longer has XSS vulnerability due to
- unescaped print_r output
- - Printer adheres to configuration's directives on output format
- - Fix improperly named form field in ConfigForm printer
- . Rewire some test-cases to swallow errors rather than expect them
- . HTMLDefinition printer updated with some of the new attributes
- . DefinitionCache keys reordered to reflect precedence: version number,
- hash, then revision number
- . %Core.DefinitionCache renamed to %Cache.DefinitionImpl
- . Interlinking in configuration documentation added using
- Injector_PurifierLinkify
- . Directives now keep track of aliases to themselves
- . Error collector now requires a severity to be passed, use PHP's internal
- error constants for this
- . HTMLPurifier_Config::getAllowedDirectivesForForm implemented, allows
- much easier selective embedding of configuration values
- . Doctype objects now accept public and system DTD identifiers
- . %HTML.Doctype is now constrained by specific values, to specify a custom
- doctype use new %HTML.CustomDoctype
- . ConfigForm truncates long directives to keep the form small, and does
- not re-output namespaces
- 2.0.0, released 2007-06-20
- # Completely refactored HTMLModuleManager, decentralizing safety
- information
- # Transform modules changed to Tidy modules, which offer more flexibility
- and better modularization
- # Configuration object now finalizes itself when a read operation is
- performed on it, ensuring that its internal state stays consistent.
- To revert this behavior, you can set the $autoFinalize member variable
- off, but it's not recommended.
- # New compact syntax for AttrDef objects that can be used to instantiate
- new objects via make()
- # Definitions (esp. HTMLDefinition) are now cached for a significant
- performance boost. You can disable caching by setting %Core.DefinitionCache
- to null. You CANNOT edit raw definitions without setting the corresponding
- DefinitionID directive (%HTML.DefinitionID for HTMLDefinition).
- # Contents between <script> tags are now completely removed if <script>
- is not allowed
- # Prototype-declarations for Lexer removed in favor of configuration
- determination of Lexer implementations.
- ! HTML Purifier now works in PHP 4.3.2.
- ! Configuration form-editing API makes tweaking HTMLPurifier_Config a
- breeze!
- ! Configuration directives that accept hashes now allow new string
- format: key1:value1,key2:value2
- ! ConfigDoc now factored into OOP design
- ! All deprecated elements now natively supported
- ! Implement TinyMCE styled whitelist specification format in
- %HTML.Allowed
- ! Config object gives more friendly error messages when things go wrong
- ! Advanced API implemented: easy functions for creating elements (addElement)
- and attributes (addAttribute) on HTMLDefinition
- ! Add native support for required attributes
- - Deprecated and removed EnableRedundantUTF8Cleaning. It didn't even work!
- - DOMLex will not emit errors when a custom error handler that does not
- honor error_reporting is used
- - StrictBlockquote child definition refrains from wrapping whitespace
- in tags now.
- - Bug resulting from tag transforms to non-allowed elements fixed
- - ChildDef_Custom's regex generation has been improved, removing several
- false positives
- . Unit test for ElementDef created, ElementDef behavior modified to
- be more flexible
- . Added convenience functions for HTMLModule constructors
- . AttrTypes now has accessor functions that should be used instead
- of directly manipulating info
- . TagTransform_Center deprecated in favor of generic TagTransform_Simple
- . Add extra protection in AttrDef_URI against phantom Schemes
- . Doctype object added to HTMLDefinition which describes certain aspects
- of the operational document type
- . Lexer is now pre-emptively included, with a conditional include for the
- PHP5 only version.
- . HTMLDefinition and CSSDefinition have a common parent class: Definition.
- . DirectLex can now track line-numbers
- . Preliminary error collector is in place, although no code actually reports
- errors yet
- . Factor out most of ValidateAttributes to new AttrValidator class
- 1.6.1, released 2007-05-05
- ! Support for more deprecated attributes via transformations:
- + hspace and vspace in img
- + size and noshade in hr
- + nowrap in td
- + clear in br
- + align in caption, table, img and hr
- + type in ul, ol and li
- ! DirectLex now preserves text in which a < bracket is followed by
- a non-alphanumeric character. This means that certain emoticons
- are now preserved.
- ! %Core.RemoveInvalidImg is now operational, when set to false invalid
- images will hang around with an empty src
- ! target attribute in a tag supported, use %Attr.AllowedFrameTargets
- to enable
- ! CSS property white-space now allows nowrap (supported in all modern
- browsers) but not others (which have spotty browser implementations)
- ! XHTML 1.1 mode now sort-of works without any fatal errors, and
- lang is now moved over to xml:lang.
- ! Attribute transformation smoketest available at smoketests/attrTransform.php
- ! Transformation of font's size attribute now handles super-large numbers
- - Possibly fatal bug with __autoload() fixed in module manager
- - Invert HTMLModuleManager->addModule() processing order to check
- prefixes first and then the literal module
- - Empty strings get converted to empty arrays instead of arrays with
- an empty string in them.
- - Merging in attribute lists now works.
- . Demo script removed: it has been added to the website's repository
- . Basic.php script modified to work out of the box
- . Refactor AttrTransform classes to reduce duplication
- . AttrTransform_TextAlign axed in favor of a more general
- AttrTransform_EnumToCSS, refer to HTMLModule/TransformToStrict.php to
- see how the new equivalent is implemented
- . Unit tests now use exclusively assertIdentical
- 1.6.0, released 2007-04-01
- ! Support for most common deprecated attributes via transformations:
- + bgcolor in td, th, tr and table
- + border in img
- + name in a and img
- + width in td, th and hr
- + height in td, th
- ! Support for CSS attribute 'height' added
- ! Support for rel and rev attributes in a tags added, use %Attr.AllowedRel
- and %Attr.AllowedRev to activate
- - You can define ID blacklists using regular expressions via
- %Attr.IDBlacklistRegexp
- - Error messages are emitted when you attempt to "allow" elements or
- attributes that HTML Purifier does not support
- - Fix segfault in unit test. The problem is not very reproduceable and
- I don't know what causes it, but a six line patch fixed it.
- 1.5.0, released 2007-03-23
- ! Added a rudimentary I18N and L10N system modeled off MediaWiki. It
- doesn't actually do anything yet, but keep your eyes peeled.
- ! docs/enduser-utf8.html explains how to use UTF-8 and HTML Purifier
- ! Newly structured HTMLDefinition modeled off of XHTML 1.1 modules.
- I am loathe to release beta quality APIs, but this is exactly that;
- don't use the internal interfaces if you're not willing to do migration
- later on.
- - Allow 'x' subtag in language codes
- - Fixed buggy chameleon-support for ins and del
- . Added support for IDREF attributes (i.e. for)
- . Renamed HTMLPurifier_AttrDef_Class to HTMLPurifier_AttrDef_Nmtokens
- . Removed context variable ParentType, replaced with IsInline, which
- is false when you're not inline and an integer of the parent that
- caused you to become inline when you are (so possibly zero)
- . Removed ElementDef->type in favor of ElementDef->descendants_are_inline
- and HTMLDefinition->content_sets
- . StrictBlockquote now reports what elements its supposed to allow,
- rather than what it does allow
- . Removed HTMLDefinition->info_flow_elements in favor of
- HTMLDefinition->content_sets['Flow']
- . Removed redundant "exclusionary" definitions from DTD roster
- . StrictBlockquote now requires a construction parameter as if it
- were an Required ChildDef, this is the "real" set of allowed elements
- . AttrDef partitioned into HTML, CSS and URI segments
- . Modify Youtube filter regexp to be multiline
- . Require both PHP5 and DOM extension in order to use DOMLex, fixes
- some edge cases where a DOMDocument class exists in a PHP4 environment
- due to DOM XML extension.
- 1.4.1, released 2007-01-21
- ! docs/enduser-youtube.html updated according to new functionality
- - YouTube IDs can have underscores and dashes
- 1.4.0, released 2007-01-21
- ! Implemented list-style-image, URIs now allowed in list-style
- ! Implemented background-image, background-repeat, background-attachment
- and background-position CSS properties. Shorthand property background
- supports all of these properties.
- ! Configuration documentation looks nicer
- ! Added %Core.EscapeNonASCIICharacters to workaround loss of Unicode
- characters while %Core.Encoding is set to a non-UTF-8 encoding.
- ! Support for configuration directive aliases added
- ! Config object can now be instantiated from ini files
- ! YouTube preservation code added to the core, with two lines of code
- you can add it as a filter to your code. See smoketests/preserveYouTube.php
- for sample code.
- ! Moved SLOW to docs/enduser-slow.html and added code examples
- - Replaced version check with functionality check for DOM (thanks Stephen
- Khoo)
- . Added smoketest 'all.php', which loads all other smoketests via frames
- . Implemented AttrDef_CSSURI for url(http://google.com) style declarations
- . Added convenient single test selector form on test runner
- 1.3.2, released 2006-12-25
- ! HTMLPurifier object now accepts configuration arrays, no need to manually
- instantiate a configuration object
- ! Context object now accessible to outside
- ! Added enduser-youtube.html, explains how to embed YouTube videos. See
- also corresponding smoketest preserveYouTube.php.
- ! Added purifyArray(), which takes a list of HTML and purifies it all
- ! Added static member variable $version to HTML Purifier with PHP-compatible
- version number string.
- - Fixed fatal error thrown by upper-cased language attributes
- - printDefinition.php: added labels, added better clarification
- . HTMLPurifier_Config::create() added, takes mixed variable and converts into
- a HTMLPurifier_Config object.
- 1.3.1, released 2006-12-06
- ! Added HTMLPurifier.func.php stub for a convenient function to call the library
- - Fixed bug in RemoveInvalidImg code that caused all images to be dropped
- (thanks to .mario for reporting this)
- . Standardized all attribute handling variables to attr, made it plural
- 1.3.0, released 2006-11-26
- # Invalid images are now removed, rather than replaced with a dud
- <img src="" alt="Invalid image" />. Previous behavior can be restored
- with new directive %Core.RemoveInvalidImg set to false.
- ! (X)HTML Strict now supported
- + Transparently handles inline elements in block context (blockquote)
- ! Added GET method to demo for easier validation, added 50kb max input size
- ! New directive %HTML.BlockWrapper, for block-ifying inline elements
- ! New directive %HTML.Parent, allows you to only allow inline content
- ! New directives %HTML.AllowedElements and %HTML.AllowedAttributes to let
- users narrow the set of allowed tags
- ! <li value="4"> and <ul start="2"> now allowed in loose mode
- ! New directives %URI.DisableExternalResources and %URI.DisableResources
- ! New directive %Attr.DisableURI, which eliminates all hyperlinking
- ! New directive %URI.Munge, munges URI so you can use some sort of redirector
- service to avoid PageRank leaks or warn users that they are exiting your site.
- ! Added spiffy new smoketest printDefinition.php, which lets you twiddle with
- the configuration settings and see how the internal rules are affected.
- ! New directive %URI.HostBlacklist for blocking links to bad hosts.
- xssAttacks.php smoketest updated accordingly.
- - Added missing type to ChildDef_Chameleon
- - Remove Tidy option from demo if there is not Tidy available
- . ChildDef_Required guards against empty tags
- . Lookup table HTMLDefinition->info_flow_elements added
- . Added peace-of-mind variable initialization to Strategy_FixNesting
- . Added HTMLPurifier->info_parent_def, parent child processing made special
- . Added internal documents briefly summarizing future progression of HTML
- . HTMLPurifier_Config->getBatch($namespace) added
- . More lenient casting to bool from string in HTMLPurifier_ConfigSchema
- . Refactored ChildDef classes into their own files
- 1.2.0, released 2006-11-19
- # ID attributes now disabled by default. New directives:
- + %HTML.EnableAttrID - restores old behavior by allowing IDs
- + %Attr.IDPrefix - %Attr.IDBlacklist alternative that munges all user IDs
- so that they don't collide with your IDs
- + %Attr.IDPrefixLocal - Same as above, but for when there are multiple
- instances of user content on the page
- + Profuse documentation on how to use these available in docs/enduser-id.txt
- ! Added MODx plugin <http://modxcms.com/forums/index.php/topic,6604.0.html>
- ! Added percent encoding normalization
- ! XSS attacks smoketest given facelift
- ! Configuration documentation now has table of contents
- ! Added %URI.DisableExternal, which prevents links to external websites. You
- can also use %URI.Host to permit absolute linking to subdomains
- ! Non-accessible resources (ex. mailto) blocked from embedded URIs (img src)
- - Type variable in HTMLDefinition was not being set properly, fixed
- - Documentation updated
- + TODO added request Phalanger
- + TODO added request Native compression
- + TODO added request Remove redundant tags
- + TODO added possible plaintext formatter for HTML Purifier documentation
- + Updated ConfigDoc TODO
- + Improved inline comments in AttrDef/Class.php, AttrDef/CSS.php
- and AttrDef/Host.php
- + Revamped documentation into HTML, along with misc updates
- - HTMLPurifier_Context doesn't throw a variable reference error if you attempt
- to retrieve a non-existent variable
- . Switched to purify()-wide Context object registry
- . Refactored unit tests to minimize duplication
- . XSS attack sheet updated
- . configdoc.xml now has xml:space attached to default value nodes
- . Allow configuration directives to permit null values
- . Cleaned up test-cases to remove unnecessary swallowErrors()
- 1.1.2, released 2006-09-30
- ! Add HTMLPurifier.auto.php stub file that configures include_path
- - Documentation updated
- + INSTALL document rewritten
- + TODO added semi-lossy conversion
- + API Doxygen docs' file exclusions updated
- + Added notes on HTML versus XML attribute whitespace handling
- + Noted that HTMLPurifier_ChildDef_Custom isn't being used
- + Noted that config object's definitions are cached versions
- - Fixed lack of attribute parsing in HTMLPurifier_Lexer_PEARSax3
- - ftp:// URIs now have their typecodes checked
- - Hooked up HTMLPurifier_ChildDef_Custom's unit tests (they weren't being run)
- . Line endings standardized throughout project (svn:eol-style standardized)
- . Refactored parseData() to general Lexer class
- . Tester named "HTML Purifier" not "HTMLPurifier"
- 1.1.1, released 2006-09-24
- ! Configuration option to optionally Tidy up output for indentation to make up
- for dropped whitespace by DOMLex (pretty-printing for the entire application
- should be done by a page-wide Tidy)
- - Various documentation updates
- - Fixed parse error in configuration documentation script
- - Fixed fatal error in benchmark scripts, slightly augmented
- - As far as possible, whitespace is preserved in-between table children
- - Sample test-settings.php file included
- 1.1.0, released 2006-09-16
- ! Directive documentation generation using XSLT
- ! XHTML can now be turned off, output becomes <br>
- - Made URI validator more forgiving: will ignore leading and trailing
- quotes, apostrophes and less than or greater than signs.
- - Enforce alphanumeric namespace and directive names for configuration.
- - Table child definition made more flexible, will fix up poorly ordered elements
- . Renamed ConfigDef to ConfigSchema
- 1.0.1, released 2006-09-04
- - Fixed slight bug in DOMLex attribute parsing
- - Fixed rejection of case-insensitive configuration values when there is a
- set of allowed values. This manifested in %Core.Encoding.
- - Fixed rejection of inline style declarations that had lots of extra
- space in them. This manifested in TinyMCE.
- 1.0.0, released 2006-09-01
- ! Shorthand CSS properties implemented: font, border, background, list-style
- ! Basic color keywords translated into hexadecimal values
- ! Table CSS properties implemented
- ! Support for charsets other than UTF-8 (defined by iconv)
- ! Malformed UTF-8 and non-SGML character detection and cleaning implemented
- - Fixed broken numeric entity conversion
- - API documentation completed
- . (HTML|CSS)Definition de-singleton-ized
- 1.0.0beta, released 2006-08-16
- ! First public release, most functionality implemented. Notable omissions are:
- + Shorthand CSS properties
- + Table CSS properties
- + Deprecated attribute transformations
- vim: et sw=4 sts=4
|