You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1190 lines
64 KiB
1190 lines
64 KiB
NEWS ( CHANGELOG and HISTORY ) HTMLPurifier |
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| |
|
|
|
= KEY ==================== |
|
# Breaks back-compat |
|
! Feature |
|
- Bugfix |
|
+ Sub-comment |
|
. Internal change |
|
========================== |
|
|
|
4.10.0, released 2018-02-22 |
|
# PHP 5.3 is no longer officially supported by HTML Purifier |
|
(we did not specifically break support, but we are no longer |
|
testing on PHP 5.3) |
|
! Relative CSS length units are now supported |
|
- A few PHP 7.2 compatibility fixes, thanks John Flatness |
|
<john@zerocrates.org> |
|
- Improve portability with old versions of libxml which don't |
|
support accessing the data of a node |
|
- IDNA2008 is now used for converting domains to ASCII, fixing |
|
some rather strange bugs with international domains |
|
- Fix race condition resulting in E_WARNING when creating |
|
directories with Serializer |
|
|
|
4.9.3, released 2017-06-02 |
|
- Workaround PHP 7.1 infinite loop when opcode cache is enabled. |
|
Thanks @Xiphin (#134, #135) |
|
- Don't use autoloader when testing for DOMDocument. Hypothetically, |
|
this could cause your install to start using DirectLex if you had |
|
previously been monkeypatching in a custom, autoloaded implementation |
|
of DOMDocument. Don't do that. Thanks @Izumi-kun (#130) |
|
|
|
4.9.2, released 2017-03-12 |
|
- Fixes PHP 5.3 compatibility |
|
- Fix breakage when decoding decimal entities. Thanks @rybakit (#129) |
|
|
|
4.9.1, released 2017-03-08 |
|
! %URI.DefaultScheme can now be set to null, in which case |
|
all relative paths are removed. |
|
! New CSS properties: min-width, max-width, min-height, max-height (#94) |
|
! Transparency (rgba) and hsl/hsla supported where color CSS is present. |
|
Thanks @fxbt for contributing the patch. (#118) |
|
- When idn_to_ascii is defined, we might accept malformed |
|
hostnames. Apply validation to the result in such cases. |
|
- Close directory when done in Serializer DefinitionCache (#100) |
|
- Deleted some asserts to avoid linters from choking (#97) |
|
- Rework Serializer cache behavior to avoid chmod'ing if possible (#32) |
|
- Embedded semicolons in strings in CSS are now handled correctly! |
|
- We accidentally dropped certain Unicode characters if there was |
|
one or more invalid characters. This has been fixed, thanks |
|
to mpyw <ryosuke_i_628@yahoo.co.jp> |
|
- Fix for "Don't truncate upon encountering </div> when using DOMLex" |
|
caused a regression with HTML 4.01 Strict parsing with libxml 2.9.1 |
|
(and maybe later versions, but known OK with libxml 2.9.4). The |
|
fix is to go about handling truncation a bit more cleverly so that |
|
we can wrap with divs (sidestepping the bug) but slurping out the |
|
rest of the text in case it ran off the end. (#78) |
|
- Fix PREG_BACKTRACK_LIMIT_ERROR in HTMLPurifier_Filter_ExtractStyle. |
|
Thanks @breathbath for contributing the report and fix (#120) |
|
- Fix entity decoding algorithm to be more conservative about |
|
decoding entities that are missing trailing semicolon. |
|
To get old behavior, set %Core.LegacyEntityDecoder to true. |
|
(#119) |
|
- Workaround libxml bug when HTML tags are embedded inside |
|
script tags. To disable workaround set %Core.AggressivelyRemoveScript |
|
to false. (#83) |
|
# By default, when a link has a target attribute associated |
|
with it, we now also add rel="noopener" in order to |
|
prevent the new window from being able to overwrite |
|
the original frame. To disable this protection, |
|
set %HTML.TargetNoopener to FALSE. |
|
|
|
4.9.0 was cut on Git but never properly released; when we did the |
|
real release we decided to skip this version number. |
|
|
|
4.8.0, released 2016-07-16 |
|
# By default, when a link has a target attribute associated |
|
with it, we now also add rel="noreferrer" in order to |
|
prevent the new window from being able to overwrite |
|
the original frame. To disable this protection, |
|
set %HTML.TargetNoreferrer to FALSE. |
|
! Full PHP 7 compatibility, the test suite is ALL GO. |
|
! %CSS.AllowDuplicates permits duplicate CSS properties. |
|
! Support for 'tel' URIs. |
|
! Partial support for 'border-radius' properties when %CSS.AllowProprietary is true. |
|
The slash syntax, i.e., 'border-radius: 2em 1em 4em / 0.5em 3em' is not |
|
yet supported. |
|
! %Attr.ID.HTML5 turns on HTML5-style ID handling. |
|
- alt truncation could result in malformed UTF-8 sequence. Don't |
|
truncate. Thanks Brandon Farber for reporting. |
|
- Linkify regex is smarter, based off of Gruber's regex. |
|
- IDNA supported natively on PHP 5.3 and later. |
|
- Non all-numeric top-level names (e.g., foo.1f, 1f) are now |
|
allowed. |
|
- Minor bounds error fix to squash a PHP 7 notice. |
|
- Support non-/tmp temporary directories for data:// validation |
|
- Give a better error message when a user attempts to allow |
|
ul/ol without allowing li. |
|
- On some versions of PHP, the Serializer DefinitionCache could |
|
infinite loop when the directory exists but is not listable. (#49) |
|
- Don't match for <body> inside comments with |
|
%Core.ConvertDocumentToFragment. (#67) |
|
- SafeObject is now less case sensitive. (#57) |
|
- AutoFormat.RemoveEmpty.Predicate now correctly renders in |
|
web form. (#85) |
|
|
|
4.7.0, released 2015-08-04 |
|
# opacity is now considered a "tricky" CSS property rather than a |
|
proprietary one. |
|
! %AutoFormat.RemoveEmpty.Predicate for specifying exactly when |
|
an element should be considered "empty" (maybe preserve if it |
|
has attributes), and modify iframe support so that the iframe |
|
is removed if it is missing a src attribute. Thanks meeva for |
|
reporting. |
|
- Don't truncate upon encountering </div> when using DOMLex. Thanks |
|
Myrto Christina for finally convincing me to fix this. |
|
- Update YouTube filter for new code. |
|
- Fix parsing of rgb() values with spaces in them for 'border' |
|
attribute. |
|
- Don't remove foo="" attributes if foo is a boolean attribute. Thanks |
|
valME for reporting. |
|
|
|
4.6.0, released 2013-11-30 |
|
# Secure URI munge hashing algorithm has changed to hash_hmac("sha256", $url, $secret). |
|
Please update any verification scripts you may have. |
|
# URI parsing algorithm was made more strict, so only prefixes which |
|
looks like schemes will actually be schemes. Thanks |
|
Michael Gusev <mgusev@sugarcrm.com> for fixing. |
|
# %Core.EscapeInvalidChildren is no longer supported, and no longer does |
|
anything. |
|
! New directive %Core.AllowHostnameUnderscore which allows underscores |
|
in hostnames. |
|
- Eliminate quadratic behavior in DOMLex by using a proper queue. |
|
Thanks Ole Laursen for noticing this. |
|
- Rewritten MakeWellFormed/FixNesting implementation eliminates quadratic |
|
behavior in the rest of the purificaiton pipeline. Thanks Chedburn |
|
Networks for sponsoring this work. |
|
- Made Linkify URL parser a bit less permissive, so that non-breaking |
|
spaces and commas are not included as part of URL. Thanks nAS for fixing. |
|
- Fix some bad interactions with %HTML.Allowed and injectors. Thanks |
|
David Hirtz for reporting. |
|
- Fix infinite loop in DirectLex. Thanks Ashar Javed (@soaj1664ashar) |
|
for reporting. |
|
|
|
4.5.0, released 2013-02-17 |
|
# Fix bug where stacked attribute transforms clobber each other; |
|
this also means it's no longer possible to override attribute |
|
transforms in later modules. No internal code was using this |
|
but this may break some clients. |
|
# We now use SHA-1 to identify cached definitions, instead of MD5. |
|
! Support display:inline-block |
|
! Support for more white-space CSS values. |
|
! Permit underscores in font families |
|
! Support for page-break-* CSS3 properties when proprietary properties |
|
are enabled. |
|
! New directive %Core.DisableExcludes; can be set to 'true' to turn off |
|
SGML excludes checking. If HTML Purifier is removing too much text |
|
and you don't care about full standards compliance, try setting this to |
|
'true'. |
|
- Use prepend for SPL autoloading on PHP 5.3 and later. |
|
- Fix bug with nofollow transform when pre-existing rel exists. |
|
- Fix bug where background:url() always gets lower-cased |
|
(but not background-image:url()) |
|
- Fix bug with non lower-case color names in HTML |
|
- Fix bug where data URI validation doesn't remove temporary files. |
|
Thanks Javier Marín Ros <javiermarinros@gmail.com> for reporting. |
|
- Don't remove certain empty tags on RemoveEmpty. |
|
|
|
4.4.0, released 2012-01-18 |
|
# Removed PEARSax3 handler. |
|
# URI.Munge now munges URIs inside the same host that go from https |
|
to http. Reported by Neike Taika-Tessaro. |
|
# Core.EscapeNonASCIICharacters now always transforms entities to |
|
entities, even if target encoding is UTF-8. |
|
# Tighten up selector validation in ExtractStyleBlocks. |
|
Non-syntactically valid selectors are now rejected, along with |
|
some of the more obscure ones such as attribute selectors, the |
|
:lang pseudoselector, and anything not in CSS2.1. Furthermore, |
|
ID and class selectors now work properly with the relevant |
|
configuration attributes. Also, mute errors when parsing CSS |
|
with CSS Tidy. Reported by Mario Heiderich and Norman Hippert. |
|
! Added support for 'scope' attribute on tables. |
|
! Added %HTML.TargetBlank, which adds target="blank" to all outgoing links. |
|
! Properly handle sub-lists directly nested inside of lists in |
|
a standards compliant way, by moving them into the preceding <li> |
|
! Added %HTML.AllowedComments and %HTML.AllowedCommentsRegexp for |
|
limited allowed comments in untrusted situations. |
|
! Implement iframes, and allow them to be used in untrusted mode with |
|
%HTML.SafeIframe and %URI.SafeIframeRegexp. Thanks Bradley M. Froehle |
|
<brad.froehle@gmail.com> for submitting an initial version of the patch. |
|
! The Forms module now works properly for transitional doctypes. |
|
! Added support for internationalized domain names. You need the PEAR |
|
Net_IDNA2 module to be in your path; if it is installed, ensure the |
|
class can be loaded and then set %Core.EnableIDNA to true. |
|
- Color keywords are now case insensitive. Thanks Yzmir Ramirez |
|
<yramirez-htmlpurifier@adicio.com> for reporting. |
|
- Explicitly initialize anonModule variable to null. |
|
- Do not duplicate nofollow if already present. Thanks 178 |
|
for reporting. |
|
- Do not add nofollow if hostname matches our current host. Thanks 178 |
|
for reporting, and Neike Taika-Tessaro for helping diagnose. |
|
- Do not unset parser variable; this fixes intermittent serialization |
|
problems. Thanks Neike Taika-Tessaro for reporting, bill |
|
<10010tiger@gmail.com> for diagnosing. |
|
- Fix iconv truncation bug, where non-UTF-8 target encodings see |
|
output truncated after around 8000 characters. Thanks Jörg Ludwig |
|
<joerg.ludwig@iserv.eu> for reporting. |
|
- Fix broken table content model for XHTML1.1 (and also earlier |
|
versions, although the W3C validator doesn't catch those violations). |
|
Thanks GlitchMr <glitch.mr@gmail.com> for reporting. |
|
|
|
4.3.0, released 2011-03-27 |
|
# Fixed broken caching of customized raw definitions, but requires an |
|
API change. The old API still works but will emit a warning, |
|
see http://htmlpurifier.org/docs/enduser-customize.html#optimized |
|
for how to upgrade your code. |
|
# Protect against Internet Explorer innerHTML behavior by specially |
|
treating attributes with backticks but no angled brackets, quotes or |
|
spaces. This constitutes a slight semantic change, which can be |
|
reverted using %Output.FixInnerHTML. Reported by Neike Taika-Tessaro |
|
and Mario Heiderich. |
|
# Protect against cssText/innerHTML by restricting allowed characters |
|
used in fonts further than mandated by the specification and encoding |
|
some extra special characters in URLs. Reported by Neike |
|
Taika-Tessaro and Mario Heiderich. |
|
! Added %HTML.Nofollow to add rel="nofollow" to external links. |
|
! More types of SPL autoloaders allowed on later versions of PHP. |
|
! Implementations for position, top, left, right, bottom, z-index |
|
when %CSS.Trusted is on. |
|
! Add %Cache.SerializerPermissions option for custom serializer |
|
directory/file permissions |
|
! Fix longstanding bug in Flash support for non-IE browsers, and |
|
allow more wmode attributes. |
|
! Add %CSS.AllowedFonts to restrict permissible font names. |
|
- Switch to an iterative traversal of the DOM, which prevents us |
|
from running out of stack space for deeply nested documents. |
|
Thanks Maxim Krizhanovsky for contributing a patch. |
|
- Make removal of conditional IE comments ungreedy; thanks Bernd |
|
for reporting. |
|
- Escape CDATA before removing Internet Explorer comments. |
|
- Fix removal of id attributes under certain conditions by ensuring |
|
armor attributes are preserved when recreating tags. |
|
- Check if schema.ser was corrupted. |
|
- Check if zend.ze1_compatibility_mode is on, and error out if it is. |
|
This safety check is only done for HTMLPurifier.auto.php; if you |
|
are using standalone or the specialized includes files, you're |
|
expected to know what you're doing. |
|
- Stop repeatedly writing the cache file after I'm done customizing a |
|
raw definition. Reported by ajh. |
|
- Switch to using require_once in the Bootstrap to work around bad |
|
interaction with Zend Debugger and APC. Reported by Antonio Parraga. |
|
- Fix URI handling when hostname is missing but scheme is present. |
|
Reported by Neike Taika-Tessaro. |
|
- Fix missing numeric entities on DirectLex; thanks Neike Taika-Tessaro |
|
for reporting. |
|
- Fix harmless notice from indexing into empty string. Thanks Matthijs |
|
Kooijman <matthijs@stdin.nl> for reporting. |
|
- Don't autoclose no parent elements are able to support the element |
|
that triggered the autoclose. In particular fixes strange behavior |
|
of stray <li> tags. Thanks pkuliga@gmail.com for reporting and |
|
Neike Taika-Tessaro <pinkgothic@gmail.com> for debugging assistance. |
|
|
|
4.2.0, released 2010-09-15 |
|
! Added %Core.RemoveProcessingInstructions, which lets you remove |
|
<? ... ?> statements. |
|
! Added %URI.DisableResources functionality; the directive originally |
|
did nothing. Thanks David Rothstein for reporting. |
|
! Add documentation about configuration directive types. |
|
! Add %CSS.ForbiddenProperties configuration directive. |
|
! Add %HTML.FlashAllowFullScreen to permit embedded Flash objects |
|
to utilize full-screen mode. |
|
! Add optional support for the <code>file</code> URI scheme, enable |
|
by explicitly setting %URI.AllowedSchemes. |
|
! Add %Core.NormalizeNewlines options to allow turning off newline |
|
normalization. |
|
- Fix improper handling of Internet Explorer conditional comments |
|
by parser. Thanks zmonteca for reporting. |
|
- Fix missing attributes bug when running on Mac Snow Leopard and APC. |
|
Thanks sidepodcast for the fix. |
|
- Warn if an element is allowed, but an attribute it requires is |
|
not allowed. |
|
|
|
4.1.1, released 2010-05-31 |
|
- Fix undefined index warnings in maintenance scripts. |
|
- Fix bug in DirectLex for parsing elements with a single attribute |
|
with entities. |
|
- Rewrite CSS output logic for font-family and url(). Thanks Mario |
|
Heiderich <mario.heiderich@googlemail.com> for reporting and Takeshi |
|
Terada <t-terada@violet.plala.or.jp> for suggesting the fix. |
|
- Emit an error for CollectErrors if a body is extracted |
|
- Fix bug where in background-position for center keyword handling. |
|
- Fix infinite loop when a wrapper element is inserted in a context |
|
where it's not allowed. Thanks Lars <lars@renoz.dk> for reporting. |
|
- Remove +x bit and shebang from index.php; only supported mode is to |
|
explicitly call it with php. |
|
- Make test script less chatty when log_errors is on. |
|
|
|
4.1.0, released 2010-04-26 |
|
! Support proprietary height attribute on table element |
|
! Support YouTube slideshows that contain /cp/ in their URL. |
|
! Support for data: URI scheme; not enabled by default, add it using |
|
%URI.AllowedSchemes |
|
! Support flashvars when using %HTML.SafeObject and %HTML.SafeEmbed. |
|
! Support for Internet Explorer compatibility with %HTML.SafeObject |
|
using %Output.FlashCompat. |
|
! Handle <ol><ol> properly, by inserting the necessary <li> tag. |
|
- Always quote the insides of url(...) in CSS. |
|
|
|
4.0.0, released 2009-07-07 |
|
# APIs for ConfigSchema subsystem have substantially changed. See |
|
docs/dev-config-bcbreaks.txt for details; in essence, anything that |
|
had both namespace and directive now have a single unified key. |
|
# Some configuration directives were renamed, specifically: |
|
%AutoFormatParam.PurifierLinkifyDocURL -> %AutoFormat.PurifierLinkify.DocURL |
|
%FilterParam.ExtractStyleBlocksEscaping -> %Filter.ExtractStyleBlocks.Escaping |
|
%FilterParam.ExtractStyleBlocksScope -> %Filter.ExtractStyleBlocks.Scope |
|
%FilterParam.ExtractStyleBlocksTidyImpl -> %Filter.ExtractStyleBlocks.TidyImpl |
|
As usual, the old directive names will still work, but will throw E_NOTICE |
|
errors. |
|
# The allowed values for class have been relaxed to allow all of CDATA for |
|
doctypes that are not XHTML 1.1 or XHTML 2.0. For old behavior, set |
|
%Attr.ClassUseCDATA to false. |
|
# Instead of appending the content model to an old content model, a blank |
|
element will replace the old content model. You can use #SUPER to get |
|
the old content model. |
|
! More robust support for name="" and id="" |
|
! HTMLPurifier_Config::inherit($config) allows you to inherit one |
|
configuration, and have changes to that configuration be propagated |
|
to all of its children. |
|
! Implement %HTML.Attr.Name.UseCDATA, which relaxes validation rules on |
|
the name attribute when set. Use with care. Thanks Ian Cook for |
|
sponsoring. |
|
! Implement %AutoFormat.RemoveEmpty.RemoveNbsp, which removes empty |
|
tags that contain non-breaking spaces as well other whitespace. You |
|
can also modify which tags should have maintained with |
|
%AutoFormat.RemoveEmpty.RemoveNbsp.Exceptions. |
|
! Implement %Attr.AllowedClasses, which allows administrators to restrict |
|
classes users can use to a specified finite set of classes, and |
|
%Attr.ForbiddenClasses, which is the logical inverse. |
|
! You can now maintain your own configuration schema directories by |
|
creating a config-schema.php file or passing an extra argument. Check |
|
docs/dev-config-schema.html for more details. |
|
! Added HTMLPurifier_Config->serialize() method, which lets you save away |
|
your configuration in a compact serial file, which you can unserialize |
|
and use directly without having to go through the overhead of setup. |
|
- Fix bug where URIDefinition would not get cleared if it's directives got |
|
changed. |
|
- Fix fatal error in HTMLPurifier_Encoder on certain platforms (probably NetBSD 5.0) |
|
- Fix bug in Linkify autoformatter involving <a><span>http://foo</span></a> |
|
- Make %URI.Munge not apply to links that have the same host as your host. |
|
- Prevent stray </body> tag from truncating output, if a second </body> |
|
is present. |
|
. Created script maintenance/rename-config.php for renaming a configuration |
|
directive while maintaining its alias. This script does not change source code. |
|
. Implement namespace locking for definition construction, to prevent |
|
bugs where a directive is used for definition construction but is not |
|
used to construct the cache hash. |
|
|
|
3.3.0, released 2009-02-16 |
|
! Implement CSS property 'overflow' when %CSS.AllowTricky is true. |
|
! Implement generic property list classess |
|
- Fix bug with testEncodingSupportsASCII() algorithm when iconv() implementation |
|
does not do the "right thing" with characters not supported in the output |
|
set. |
|
- Spellcheck UTF-8: The Secret To Character Encoding |
|
- Fix improper removal of the contents of elements with only whitespace. Thanks |
|
Eric Wald for reporting. |
|
- Fix broken test suite in versions of PHP without spl_autoload_register() |
|
- Fix degenerate case with YouTube filter involving double hyphens. |
|
Thanks Pierre Attar for reporting. |
|
- Fix YouTube rendering problem on certain versions of Firefox. |
|
- Fix CSSDefinition Printer problems with decorators |
|
- Add text parameter to unit tests, forces text output |
|
. Add verbose mode to command line test runner, use (--verbose) |
|
. Turn on unit tests for UnitConverter |
|
. Fix missing version number in configuration %Attr.DefaultImageAlt (added 3.2.0) |
|
. Fix newline errors that caused spurious failures when CRLF HTML Purifier was |
|
tested on Linux. |
|
. Removed trailing whitespace from all text files, see |
|
remote-trailing-whitespace.php maintenance script. |
|
. Convert configuration to use property list backend. |
|
|
|
3.2.0, released 2008-10-31 |
|
# Using %Core.CollectErrors forces line number/column tracking on, whereas |
|
previously you could theoretically turn it off. |
|
# HTMLPurifier_Injector->notifyEnd() is formally deprecated. Please |
|
use handleEnd() instead. |
|
! %Output.AttrSort for when you need your attributes in alphabetical order to |
|
deal with a bug in FCKEditor. Requested by frank farmer. |
|
! Enable HTML comments when %HTML.Trusted is on. Requested by Waldo Jaquith. |
|
! Proper support for name attribute. It is now allowed and equivalent to the id |
|
attribute in a and img tags, and is only converted to id when %HTML.TidyLevel |
|
is heavy (for all doctypes). |
|
! %AutoFormat.RemoveEmpty to remove some empty tags from documents. Please don't |
|
use on hand-written HTML. |
|
! Add error-cases for unsupported elements in MakeWellFormed. This enables |
|
the strategy to be used, standalone, on untrusted input. |
|
! %Core.AggressivelyFixLt is on by default. This causes more sensible |
|
processing of left angled brackets in smileys and other whatnot. |
|
! Test scripts now have a 'type' parameter, which lets you say 'htmlpurifier', |
|
'phpt', 'vtest', etc. in order to only execute those tests. This supercedes |
|
the --only-phpt parameter, although for backwards-compatibility the flag |
|
will still work. |
|
! AutoParagraph auto-formatter will now preserve double-newlines upon output. |
|
Users who are not performing inbound filtering, this may seem a little |
|
useless, but as a bonus, the test suite and handling of edge cases is also |
|
improved. |
|
! Experimental implementation of forms for %HTML.Trusted |
|
! Track column numbers when maintain line numbers is on |
|
! Proprietary 'background' attribute on table-related elements converted into |
|
corresponding CSS. Thanks Fusemail for sponsoring this feature! |
|
! Add forward(), forwardUntilEndToken(), backward() and current() to Injector |
|
supertype. |
|
! HTMLPurifier_Injector->handleEnd() permits modification to end tokens. The |
|
time of operation varies slightly from notifyEnd() as *all* end tokens are |
|
processed by the injector before they are subject to the well-formedness rules. |
|
! %Attr.DefaultImageAlt allows overriding default behavior of setting alt to |
|
basename of image when not present. |
|
! %AutoFormat.DisplayLinkURI neuters <a> tags into plain text URLs. |
|
- Fix two bugs in %URI.MakeAbsolute; one involving empty paths in base URLs, |
|
the other involving an undefined $is_folder error. |
|
- Throw error when %Core.Encoding is set to a spurious value. Previously, |
|
this errored silently and returned false. |
|
- Redirected stderr to stdout for flush error output. |
|
- %URI.DisableExternal will now use the host in %URI.Base if %URI.Host is not |
|
available. |
|
- Do not re-munge URL if the output URL has the same host as the input URL. |
|
Requested by Chris. |
|
- Fix error in documentation regarding %Filter.ExtractStyleBlocks |
|
- Prevent <![CDATA[<body></body>]]> from triggering %Core.ConvertDocumentToFragment |
|
- Fix bug with inline elements in blockquotes conflicting with strict doctype |
|
- Detect if HTML support is disabled for DOM by checking for loadHTML() method. |
|
- Fix bug where dots and double-dots in absolute URLs without hostname were |
|
not collapsed by URIFilter_MakeAbsolute. |
|
- Fix bug with anonymous modules operating on SafeEmbed or SafeObject elements |
|
by reordering their addition. |
|
- Will now throw exception on many error conditions during lexer creation; also |
|
throw an exception when MaintainLineNumbers is true, but a non-tracksLineNumbers |
|
is being used. |
|
- Detect if domxml extension is loaded, and use DirectLEx accordingly. |
|
- Improve handling of big numbers with floating point arithmetic in UnitConverter. |
|
Reported by David Morton. |
|
. Strategy_MakeWellFormed now operates in-place, saving memory and allowing |
|
for more interesting filter-backtracking |
|
. New HTMLPurifier_Injector->rewind() functionality, allows injectors to rewind |
|
index to reprocess tokens. |
|
. StringHashParser now allows for multiline sections with "empty" content; |
|
previously the section would remain undefined. |
|
. Added --quick option to multitest.php, which tests only the most recent |
|
release for each series. |
|
. Added --distro option to multitest.php, which accepts either 'normal' or |
|
'standalone'. This supercedes --exclude-normal and --exclude-standalone |
|
|
|
3.1.1, released 2008-06-19 |
|
# %URI.Munge now, by default, does not munge resources (for example, <img src="">) |
|
In order to enable this again, please set %URI.MungeResources to true. |
|
! More robust imagecrash protection with height/width CSS with %CSS.MaxImgLength, |
|
and height/width HTML with %HTML.MaxImgLength. |
|
! %URI.MungeSecretKey for secure URI munging. Thanks Chris |
|
for sponsoring this feature. Check out the corresponding documentation |
|
for details. (Att Nightly testers: The API for this feature changed before |
|
the general release. Namely, rename your directives %URI.SecureMungeSecretKey => |
|
%URI.MungeSecretKey and and %URI.SecureMunge => %URI.Munge) |
|
! Implemented post URI filtering. Set member variable $post to true to set |
|
a URIFilter as such. |
|
! Allow modules to define injectors via $info_injector. Injectors are |
|
automatically disabled if injector's needed elements are not found. |
|
! Support for "safe" objects added, use %HTML.SafeObject and %HTML.SafeEmbed. |
|
Thanks Chris for sponsoring. If you've been using ad hoc code from the |
|
forums, PLEASE use this instead. |
|
! Added substitutions for %e, %n, %a and %p in %URI.Munge (in order, |
|
embedded, tag name, attribute name, CSS property name). See %URI.Munge |
|
for more details. Requested by Jochem Blok. |
|
- Disable percent height/width attributes for img. |
|
- AttrValidator operations are now atomic; updates to attributes are not |
|
manifest in token until end of operations. This prevents naughty internal |
|
code from directly modifying CurrentToken when they're not supposed to. |
|
This semantics change was requested by frank farmer. |
|
- Percent encoding checks enabled for URI query and fragment |
|
- Fix stray backslashes in font-family; CSS Unicode character escapes are |
|
now properly resolved (although *only* in font-family). Thanks Takeshi Terada |
|
for reporting. |
|
- Improve parseCDATA algorithm to take into account newline normalization |
|
- Account for browser confusion between Yen character and backslash in |
|
Shift_JIS encoding. This fix generalizes to any other encoding which is not |
|
a strict superset of printable ASCII. Thanks Takeshi Terada for reporting. |
|
- Fix missing configuration parameter in Generator calls. Thanks vs for the |
|
partial patch. |
|
- Improved adherence to Unicode by checking for non-character codepoints. |
|
Thanks Geoffrey Sneddon for reporting. This may result in degraded |
|
performance for extremely large inputs. |
|
- Allow CSS property-value pair ''text-decoration: none''. Thanks Jochem Blok |
|
for reporting. |
|
. Added HTMLPurifier_UnitConverter and HTMLPurifier_Length for convenient |
|
handling of CSS-style lengths. HTMLPurifier_AttrDef_CSS_Length now uses |
|
this class. |
|
. API of HTMLPurifier_AttrDef_CSS_Length changed from __construct($disable_negative) |
|
to __construct($min, $max). __construct(true) is equivalent to |
|
__construct('0'). |
|
. Added HTMLPurifier_AttrDef_Switch class |
|
. Rename HTMLPurifier_HTMLModule_Tidy->construct() to setup() and bubble method |
|
up inheritance hierarchy to HTMLPurifier_HTMLModule. All HTMLModules |
|
get this called with the configuration object. All modules now |
|
use this rather than __construct(), although legacy code using constructors |
|
will still work--the new format, however, lets modules access the |
|
configuration object for HTML namespace dependant tweaks. |
|
. AttrDef_HTML_Pixels now takes a single construction parameter, pixels. |
|
. ConfigSchema data-structure heavily optimized; on average it uses a third |
|
the memory it did previously. The interface has changed accordingly, |
|
consult changes to HTMLPurifier_Config for details. |
|
. Variable parsing types now are magic integers instead of strings |
|
. Added benchmark for ConfigSchema |
|
. HTMLPurifier_Generator requires $config and $context parameters. If you |
|
don't know what they should be, use HTMLPurifier_Config::createDefault() |
|
and new HTMLPurifier_Context(). |
|
. Printers now properly distinguish between output configuration, and |
|
target configuration. This is not applicable to scripts using |
|
the Printers for HTML Purifier related tasks. |
|
. HTML/CSS Printers must be primed with prepareGenerator($gen_config), otherwise |
|
fatal errors will ensue. |
|
. URIFilter->prepare can return false in order to abort loading of the filter |
|
. Factory for AttrDef_URI implemented, URI#embedded to indicate URI that embeds |
|
an external resource. |
|
. %URI.Munge functionality factored out into a post-filter class. |
|
. Added CurrentCSSProperty context variable during CSS validation |
|
|
|
3.1.0, released 2008-05-18 |
|
# Unnecessary references to objects (vestiges of PHP4) removed from method |
|
signatures. The following methods do not need references when assigning from |
|
them and will result in E_STRICT errors if you try: |
|
+ HTMLPurifier_Config->get*Definition() [* = HTML, CSS] |
|
+ HTMLPurifier_ConfigSchema::instance() |
|
+ HTMLPurifier_DefinitionCacheFactory::instance() |
|
+ HTMLPurifier_DefinitionCacheFactory->create() |
|
+ HTMLPurifier_DoctypeRegistry->register() |
|
+ HTMLPurifier_DoctypeRegistry->get() |
|
+ HTMLPurifier_HTMLModule->addElement() |
|
+ HTMLPurifier_HTMLModule->addBlankElement() |
|
+ HTMLPurifier_LanguageFactory::instance() |
|
# Printer_ConfigForm's get*() functions were static-ified |
|
# %HTML.ForbiddenAttributes requires attribute declarations to be in the |
|
form of tag@attr, NOT tag.attr (which will throw an error and won't do |
|
anything). This is for forwards compatibility with XML; you'd do best |
|
to migrate an %HTML.AllowedAttributes directives to this syntax too. |
|
! Allow index to be false for config from form creation |
|
! Added HTMLPurifier::VERSION constant |
|
! Commas, not dashes, used for serializer IDs. This change is forwards-compatible |
|
and allows for version numbers like "3.1.0-dev". |
|
! %HTML.Allowed deals gracefully with whitespace anywhere, anytime! |
|
! HTML Purifier's URI handling is a lot more robust, with much stricter |
|
validation checks and better percent encoding handling. Thanks Gareth Heyes |
|
for indicating security vulnerabilities from lax percent encoding. |
|
! Bootstrap autoloader deals more robustly with classes that don't exist, |
|
preventing class_exists($class, true) from barfing. |
|
- InterchangeBuilder now alphabetizes its lists |
|
- Validation error in configdoc output fixed |
|
- Iconv and other encoding errors muted even with custom error handlers that |
|
do not honor error_reporting |
|
- Add protection against imagecrash attack with CSS height/width |
|
- HTMLPurifier::instance() created for consistency, is equivalent to getInstance() |
|
- Fixed and revamped broken ConfigForm smoketest |
|
- Bug with bool/null fields in Printer_ConfigForm fixed |
|
- Bug with global forbidden attributes fixed |
|
- Improved error messages for allowed and forbidden HTML elements and attributes |
|
- Missing (or null) in configdoc documentation restored |
|
- If DOM throws and exception during parsing with PH5P (occurs in newer versions |
|
of DOM), HTML Purifier punts to DirectLex |
|
- Fatal error with unserialization of ScriptRequired |
|
- Created directories are now chmod'ed properly |
|
- Fixed bug with fallback languages in LanguageFactory |
|
- Standalone testing setup properly with autoload |
|
. Out-of-date documentation revised |
|
. UTF-8 encoding check optimization as suggested by Diego |
|
. HTMLPurifier_Error removed in favor of exceptions |
|
. More copy() function removed; should use clone instead |
|
. More extensive unit tests for HTMLDefinition |
|
. assertPurification moved to central harness |
|
. HTMLPurifier_Generator accepts $config and $context parameters during |
|
instantiation, not runtime |
|
. Double-quotes outside of attribute values are now unescaped |
|
|
|
3.1.0rc1, released 2008-04-22 |
|
# Autoload support added. Internal require_once's removed in favor of an |
|
explicit require list or autoloading. To use HTML Purifier, |
|
you must now either use HTMLPurifier.auto.php |
|
or HTMLPurifier.includes.php; setting the include path and including |
|
HTMLPurifier.php is insufficient--in such cases include HTMLPurifier.autoload.php |
|
as well to register our autoload handler (or modify your autoload function |
|
to check HTMLPurifier_Bootstrap::getPath($class)). You can also use |
|
HTMLPurifier.safe-includes.php for a less performance friendly but more |
|
user-friendly library load. |
|
# HTMLPurifier_ConfigSchema static functions are officially deprecated. Schema |
|
information is stored in the ConfigSchema directory, and the |
|
maintenance/generate-schema-cache.php generates the schema.ser file, which |
|
is now instantiated. Support for userland schema changes coming soon! |
|
# HTMLPurifier_Config will now throw E_USER_NOTICE when you use a directive |
|
alias; to get rid of these errors just modify your configuration to use |
|
the new directive name. |
|
# HTMLPurifier->addFilter is deprecated; built-in filters can now be |
|
enabled using %Filter.$filter_name or by setting your own filters using |
|
%Filter.Custom |
|
# Directive-level safety properties superceded in favor of module-level |
|
safety. Internal method HTMLModule->addElement() has changed, although |
|
the externally visible HTMLDefinition->addElement has *not* changed. |
|
! Extra utility classes for testing and non-library operations can |
|
be found in extras/. Specifically, these are FSTools and ConfigDoc. |
|
You may find a use for these in your own project, but right now they |
|
are highly experimental and volatile. |
|
! Integration with PHPT allows for automated smoketests |
|
! Limited support for proprietary HTML elements, namely <marquee>, sponsored |
|
by Chris. You can enable them with %HTML.Proprietary if your client |
|
demands them. |
|
! Support for !important CSS cascade modifier. By default, this will be stripped |
|
from CSS, but you can enable it using %CSS.AllowImportant |
|
! Support for display and visibility CSS properties added, set %CSS.AllowTricky |
|
to true to use them. |
|
! HTML Purifier now has its own Exception hierarchy under HTMLPurifier_Exception. |
|
Developer error (not enduser error) can cause these to be triggered. |
|
! Experimental kses() wrapper introduced with HTMLPurifier.kses.php |
|
! Finally %CSS.AllowedProperties for tweaking allowed CSS properties without |
|
mucking around with HTMLPurifier_CSSDefinition |
|
! ConfigDoc output has been enhanced with version and deprecation info. |
|
! %HTML.ForbiddenAttributes and %HTML.ForbiddenElements implemented. |
|
- Autoclose now operates iteratively, i.e. <span><span><div> now has |
|
both span tags closed. |
|
- Various HTMLPurifier_Config convenience functions now accept another parameter |
|
$schema which defines what HTMLPurifier_ConfigSchema to use besides the |
|
global default. |
|
- Fix bug with trusted script handling in libxml versions later than 2.6.28. |
|
- Fix bug in ExtractStyleBlocks with comments in style tags |
|
- Fix bug in comment parsing for DirectLex |
|
- Flush output now displayed when in command line mode for unit tester |
|
- Fix bug with rgb(0, 1, 2) color syntax with spaces inside shorthand syntax |
|
- HTMLPurifier_HTMLDefinition->addAttribute can now be called multiple times |
|
on the same element without emitting errors. |
|
- Fixed fatal error in PH5P lexer with invalid tag names |
|
. Plugins now get their own changelogs according to project conventions. |
|
. Convert tokens to use instanceof, reducing memory footprint and |
|
improving comparison speed. |
|
. Dry runs now supported in SimpleTest; testing facilities improved |
|
. Bootstrap class added for handling autoloading functionality |
|
. Implemented recursive glob at FSTools->globr |
|
. ConfigSchema now has instance methods for all corresponding define* |
|
static methods. |
|
. A couple of new historical maintenance scripts were added. |
|
. HTMLPurifier/HTMLModule/Tidy/XHTMLAndHTML4.php split into two files |
|
. tests/index.php can now be run from any directory. |
|
. HTMLPurifier_Token subclasses split into seperate files |
|
. HTMLPURIFIER_PREFIX now is defined in Bootstrap.php, NOT HTMLPurifier.php |
|
. HTMLPURIFIER_PREFIX can now be defined outside of HTML Purifier |
|
. New --php=php flag added, allows PHP executable to be specified (command |
|
line only!) |
|
. htmlpurifier_add_test() preferred method to translate test files in to |
|
classes, because it handles PHPT files too. |
|
. Debugger class is deprecated and will be removed soon. |
|
. Command line argument parsing for testing scripts revamped, now --opt value |
|
format is supported. |
|
. Smoketests now cleanup after magic quotes |
|
. Generator now can output comments (however, comments are still stripped |
|
from HTML Purifier output) |
|
. HTMLPurifier_ConfigSchema->validate() deprecated in favor of |
|
HTMLPurifier_VarParser->parse() |
|
. Integers auto-cast into float type by VarParser. |
|
. HTMLPURIFIER_STRICT removed; no validation is performed on runtime, only |
|
during cache generation |
|
. Reordered script calls in maintenance/flush.php |
|
. Command line scripts now honor exit codes |
|
. When --flush fails in unit testers, abort tests and print message |
|
. Improved documentation in docs/dev-flush.html about the maintenance scripts |
|
. copy() methods removed in favor of clone keyword |
|
|
|
3.0.0, released 2008-01-06 |
|
# HTML Purifier is PHP 5 only! The 2.1.x branch will be maintained |
|
until PHP 4 is completely deprecated, but no new features will be added |
|
to it. |
|
+ Visibility declarations added |
|
+ Constructor methods renamed to __construct() |
|
+ PHP4 reference cruft removed (in progress) |
|
! CSS properties are now case-insensitive |
|
! DefinitionCacheFactory now can register new implementations |
|
! New HTMLPurifier_Filter_ExtractStyleBlocks for extracting <style> from |
|
documents and cleaning their contents up. Requires the CSSTidy library |
|
<http://csstidy.sourceforge.net/>. You can access the blocks with the |
|
'StyleBlocks' Context variable ($purifier->context->get('StyleBlocks')). |
|
The output CSS can also be "scoped" for a specific element, use: |
|
%Filter.ExtractStyleBlocksScope |
|
! Experimental support for some proprietary CSS attributes allowed: |
|
opacity (and all of the browser-specific equivalents) and scrollbar colors. |
|
Enable by setting %CSS.Proprietary to true. |
|
- Colors missing # but in hex form will be corrected |
|
- CSS Number algorithm improved |
|
- Unit testing and multi-testing now on steroids: command lines, |
|
XML output, and other goodies now added. |
|
. Unit tests for Injector improved |
|
. New classes: |
|
+ HTMLPurifier_AttrDef_CSS_AlphaValue |
|
+ HTMLPurifier_AttrDef_CSS_Filter |
|
. Multitest now has a file docblock |
|
|
|
2.1.3, released 2007-11-05 |
|
! tests/multitest.php allows you to test multiple versions by running |
|
tests/index.php through multiple interpreters using `phpv` shell |
|
script (you must provide this script!) |
|
- Fixed poor include ordering for Email URI AttrDefs, causes fatal errors |
|
on some systems. |
|
- Injector algorithm further refined: off-by-one error regarding skip |
|
counts for dormant injectors fixed |
|
- Corrective blockquote definition now enabled for HTML 4.01 Strict |
|
- Fatal error when <img> tag (or any other element with required attributes) |
|
has 'id' attribute fixed, thanks NykO18 for reporting |
|
- Fix warning emitted when a non-supported URI scheme is passed to the |
|
MakeAbsolute URIFilter, thanks NykO18 (again) |
|
- Further refine AutoParagraph injector. Behavior inside of elements |
|
allowing paragraph tags clarified: only inline content delimeted by |
|
double newlines (not block elements) are paragraphed. |
|
- Buggy treatment of end tags of elements that have required attributes |
|
fixed (does not manifest on default tag-set) |
|
- Spurious internal content reorganization error suppressed |
|
- HTMLDefinition->addElement now returns a reference to the created |
|
element object, as implied by the documentation |
|
- Phorum mod's HTML Purifier help message expanded (unreleased elsewhere) |
|
- Fix a theoretical class of infinite loops from DirectLex reported |
|
by Nate Abele |
|
- Work around unnecessary DOMElement type-cast in PH5P that caused errors |
|
in PHP 5.1 |
|
- Work around PHP 4 SimpleTest lack-of-error complaining for one-time-only |
|
HTMLDefinition errors, this may indicate problems with error-collecting |
|
facilities in PHP 5 |
|
- Make ErrorCollectorEMock work in both PHP 4 and PHP 5 |
|
- Make PH5P work with PHP 5.0 by removing unnecessary array parameter typedef |
|
. %Core.AcceptFullDocuments renamed to %Core.ConvertDocumentToFragment |
|
to better communicate its purpose |
|
. Error unit tests can now specify the expectation of no errors. Future |
|
iterations of the harness will be extremely strict about what errors |
|
are allowed |
|
. Extend Injector hooks to allow for more powerful injector routines |
|
. HTMLDefinition->addBlankElement created, as according to the HTMLModule |
|
method |
|
. Doxygen configuration file updated, with minor improvements |
|
. Test runner now checks for similarly named files in conf/ directory too. |
|
. Minor cosmetic change to flush-definition-cache.php: trailing newline is |
|
outputted |
|
. Maintenance script for generating PH5P patch added, original PH5P source |
|
file also added under version control |
|
. Full unit test runner script title made more descriptive with PHP version |
|
. Updated INSTALL file to state that 4.3.7 is the earliest version we |
|
are actively testing |
|
|
|
2.1.2, released 2007-09-03 |
|
! Implemented Object module for trusted users |
|
! Implemented experimental HTML5 parsing mode using PH5P. To use, add |
|
this to your code: |
|
require_once 'HTMLPurifier/Lexer/PH5P.php'; |
|
$config->set('Core', 'LexerImpl', 'PH5P'); |
|
Note that this Lexer introduces some classes not in the HTMLPurifier |
|
namespace. Also, this is PHP5 only. |
|
! CSS property border-spacing implemented |
|
- Fix non-visible parsing error in DirectLex with empty tags that have |
|
slashes inside attribute values. |
|
- Fix typo in CSS definition: border-collapse:seperate; was incorrectly |
|
accepted as valid CSS. Usually non-visible, because this styling is the |
|
default for tables in most browsers. Thanks Brett Zamir for pointing |
|
this out. |
|
- Fix validation errors in configuration form |
|
- Hammer out a bunch of edge-case bugs in the standalone distribution |
|
- Inclusion reflection removed from URISchemeRegistry; you must manually |
|
include any new schema files you wish to use |
|
- Numerous typo fixes in documentation thanks to Brett Zamir |
|
. Unit test refactoring for one logical test per test function |
|
. Config and context parameters in ComplexHarness deprecated: instead, edit |
|
the $config and $context member variables |
|
. HTML wrapper in DOMLex now takes DTD identifiers into account; doesn't |
|
really make a difference, but is good for completeness sake |
|
. merge-library.php script refactored for greater code reusability and |
|
PHP4 compatibility |
|
|
|
2.1.1, released 2007-08-04 |
|
- Fix show-stopper bug in %URI.MakeAbsolute functionality |
|
- Fix PHP4 syntax error in standalone version |
|
. Add prefix directory to include path for standalone, this prevents |
|
other installations from clobbering the standalone's URI schemes |
|
. Single test methods can be invoked by prefixing with __only |
|
|
|
2.1.0, released 2007-08-02 |
|
# flush-htmldefinition-cache.php superseded in favor of a generic |
|
flush-definition-cache.php script, you can clear a specific cache |
|
by passing its name as a parameter to the script |
|
! Phorum mod implemented for HTML Purifier |
|
! With %Core.AggressivelyFixLt, <3 and similar emoticons no longer |
|
trigger HTML removal in PHP5 (DOMLex). This directive is not necessary |
|
for PHP4 (DirectLex). |
|
! Standalone file now available, which greatly reduces the amount of |
|
includes (although there are still a few files that reside in the |
|
standalone folder) |
|
! Relative URIs can now be transformed into their absolute equivalents |
|
using %URI.Base and %URI.MakeAbsolute |
|
! Ruby implemented for XHTML 1.1 |
|
! You can now define custom URI filtering behavior, see enduser-uri-filter.html |
|
for more details |
|
! UTF-8 font names now supported in CSS |
|
- AutoFormatters emit friendly error messages if tags or attributes they |
|
need are not allowed |
|
- ConfigForm's compactification of directive names is now configurable |
|
- AutoParagraph autoformatter algorithm refined after field-testing |
|
- XHTML 1.1 now applies XHTML 1.0 Strict cleanup routines, namely |
|
blockquote wrapping |
|
- Contents of <style> tags removed by default when tags are removed |
|
. HTMLPurifier_Config->getSerial() implemented, this is extremely useful |
|
for output cache invalidation |
|
. ConfigForm printer now can retrieve CSS and JS files as strings, in |
|
case HTML Purifier's directory is not publically accessible |
|
. Introduce new text/itext configuration directive values: these represent |
|
longer strings that would be more appropriately edited with a textarea |
|
. Allow newlines to act as separators for lists, hashes, lookups and |
|
%HTML.Allowed |
|
. ConfigForm generates textareas instead of text inputs for lists, hashes, |
|
lookups, text and itext fields |
|
. Hidden element content removal genericized: %Core.HiddenElements can |
|
be used to customize this behavior, by default <script> and <style> are |
|
hidden |
|
. Added HTMLPURIFIER_PREFIX constant, should be used instead of dirname(__FILE__) |
|
. Custom ChildDef added to default include list |
|
. URIScheme reflection improved: will not attempt to include file if class |
|
already exists. May clobber autoload, so I need to keep an eye on it |
|
. ConfigSchema heavily optimized, will only collect information and validate |
|
definitions when HTMLPURIFIER_SCHEMA_STRICT is true. |
|
. AttrDef_URI unit tests and implementation refactored |
|
. benchmarks/ directory now protected from public view with .htaccess file; |
|
run the tests via command line |
|
. URI scheme is munged off if there is no authority and the scheme is the |
|
default one |
|
. All unit tests inherit from HTMLPurifier_Harness, not UnitTestCase |
|
. Interface for URIScheme changed |
|
. Generic URI object to hold components of URI added, most systems involved |
|
in URI validation have been migrated to use it |
|
. Custom filtering for URIs factored out to URIDefinition interface for |
|
maximum extensibility |
|
|
|
2.0.1, released 2007-06-27 |
|
! Tag auto-closing now based on a ChildDef heuristic rather than a |
|
manually set auto_close array; some behavior may change |
|
! Experimental AutoFormat functionality added: auto-paragraph and |
|
linkify your HTML input by setting %AutoFormat.AutoParagraph and |
|
%AutoFormat.Linkify to true |
|
! Newlines normalized internally, and then converted back to the |
|
value of PHP_EOL. If this is not desired, set your newline format |
|
using %Output.Newline. |
|
! Beta error collection, messages are implemented for the most generic |
|
cases involving Lexing or Strategies |
|
- Clean up special case code for <script> tags |
|
- Reorder includes for DefinitionCache decorators, fixes a possible |
|
missing class error |
|
- Fixed bug where manually modified definitions were not saved via cache |
|
(mostly harmless, except for the fact that it would be a little slower) |
|
- Configuration objects with different serials do not clobber each |
|
others when revision numbers are unequal |
|
- Improve Serializer DefinitionCache directory permissions checks |
|
- DefinitionCache no longer throws errors when it encounters old |
|
serial files that do not conform to the current style |
|
- Stray xmlns attributes removed from configuration documentation |
|
- configForm.php smoketest no longer has XSS vulnerability due to |
|
unescaped print_r output |
|
- Printer adheres to configuration's directives on output format |
|
- Fix improperly named form field in ConfigForm printer |
|
. Rewire some test-cases to swallow errors rather than expect them |
|
. HTMLDefinition printer updated with some of the new attributes |
|
. DefinitionCache keys reordered to reflect precedence: version number, |
|
hash, then revision number |
|
. %Core.DefinitionCache renamed to %Cache.DefinitionImpl |
|
. Interlinking in configuration documentation added using |
|
Injector_PurifierLinkify |
|
. Directives now keep track of aliases to themselves |
|
. Error collector now requires a severity to be passed, use PHP's internal |
|
error constants for this |
|
. HTMLPurifier_Config::getAllowedDirectivesForForm implemented, allows |
|
much easier selective embedding of configuration values |
|
. Doctype objects now accept public and system DTD identifiers |
|
. %HTML.Doctype is now constrained by specific values, to specify a custom |
|
doctype use new %HTML.CustomDoctype |
|
. ConfigForm truncates long directives to keep the form small, and does |
|
not re-output namespaces |
|
|
|
2.0.0, released 2007-06-20 |
|
# Completely refactored HTMLModuleManager, decentralizing safety |
|
information |
|
# Transform modules changed to Tidy modules, which offer more flexibility |
|
and better modularization |
|
# Configuration object now finalizes itself when a read operation is |
|
performed on it, ensuring that its internal state stays consistent. |
|
To revert this behavior, you can set the $autoFinalize member variable |
|
off, but it's not recommended. |
|
# New compact syntax for AttrDef objects that can be used to instantiate |
|
new objects via make() |
|
# Definitions (esp. HTMLDefinition) are now cached for a significant |
|
performance boost. You can disable caching by setting %Core.DefinitionCache |
|
to null. You CANNOT edit raw definitions without setting the corresponding |
|
DefinitionID directive (%HTML.DefinitionID for HTMLDefinition). |
|
# Contents between <script> tags are now completely removed if <script> |
|
is not allowed |
|
# Prototype-declarations for Lexer removed in favor of configuration |
|
determination of Lexer implementations. |
|
! HTML Purifier now works in PHP 4.3.2. |
|
! Configuration form-editing API makes tweaking HTMLPurifier_Config a |
|
breeze! |
|
! Configuration directives that accept hashes now allow new string |
|
format: key1:value1,key2:value2 |
|
! ConfigDoc now factored into OOP design |
|
! All deprecated elements now natively supported |
|
! Implement TinyMCE styled whitelist specification format in |
|
%HTML.Allowed |
|
! Config object gives more friendly error messages when things go wrong |
|
! Advanced API implemented: easy functions for creating elements (addElement) |
|
and attributes (addAttribute) on HTMLDefinition |
|
! Add native support for required attributes |
|
- Deprecated and removed EnableRedundantUTF8Cleaning. It didn't even work! |
|
- DOMLex will not emit errors when a custom error handler that does not |
|
honor error_reporting is used |
|
- StrictBlockquote child definition refrains from wrapping whitespace |
|
in tags now. |
|
- Bug resulting from tag transforms to non-allowed elements fixed |
|
- ChildDef_Custom's regex generation has been improved, removing several |
|
false positives |
|
. Unit test for ElementDef created, ElementDef behavior modified to |
|
be more flexible |
|
. Added convenience functions for HTMLModule constructors |
|
. AttrTypes now has accessor functions that should be used instead |
|
of directly manipulating info |
|
. TagTransform_Center deprecated in favor of generic TagTransform_Simple |
|
. Add extra protection in AttrDef_URI against phantom Schemes |
|
. Doctype object added to HTMLDefinition which describes certain aspects |
|
of the operational document type |
|
. Lexer is now pre-emptively included, with a conditional include for the |
|
PHP5 only version. |
|
. HTMLDefinition and CSSDefinition have a common parent class: Definition. |
|
. DirectLex can now track line-numbers |
|
. Preliminary error collector is in place, although no code actually reports |
|
errors yet |
|
. Factor out most of ValidateAttributes to new AttrValidator class |
|
|
|
1.6.1, released 2007-05-05 |
|
! Support for more deprecated attributes via transformations: |
|
+ hspace and vspace in img |
|
+ size and noshade in hr |
|
+ nowrap in td |
|
+ clear in br |
|
+ align in caption, table, img and hr |
|
+ type in ul, ol and li |
|
! DirectLex now preserves text in which a < bracket is followed by |
|
a non-alphanumeric character. This means that certain emoticons |
|
are now preserved. |
|
! %Core.RemoveInvalidImg is now operational, when set to false invalid |
|
images will hang around with an empty src |
|
! target attribute in a tag supported, use %Attr.AllowedFrameTargets |
|
to enable |
|
! CSS property white-space now allows nowrap (supported in all modern |
|
browsers) but not others (which have spotty browser implementations) |
|
! XHTML 1.1 mode now sort-of works without any fatal errors, and |
|
lang is now moved over to xml:lang. |
|
! Attribute transformation smoketest available at smoketests/attrTransform.php |
|
! Transformation of font's size attribute now handles super-large numbers |
|
- Possibly fatal bug with __autoload() fixed in module manager |
|
- Invert HTMLModuleManager->addModule() processing order to check |
|
prefixes first and then the literal module |
|
- Empty strings get converted to empty arrays instead of arrays with |
|
an empty string in them. |
|
- Merging in attribute lists now works. |
|
. Demo script removed: it has been added to the website's repository |
|
. Basic.php script modified to work out of the box |
|
. Refactor AttrTransform classes to reduce duplication |
|
. AttrTransform_TextAlign axed in favor of a more general |
|
AttrTransform_EnumToCSS, refer to HTMLModule/TransformToStrict.php to |
|
see how the new equivalent is implemented |
|
. Unit tests now use exclusively assertIdentical |
|
|
|
1.6.0, released 2007-04-01 |
|
! Support for most common deprecated attributes via transformations: |
|
+ bgcolor in td, th, tr and table |
|
+ border in img |
|
+ name in a and img |
|
+ width in td, th and hr |
|
+ height in td, th |
|
! Support for CSS attribute 'height' added |
|
! Support for rel and rev attributes in a tags added, use %Attr.AllowedRel |
|
and %Attr.AllowedRev to activate |
|
- You can define ID blacklists using regular expressions via |
|
%Attr.IDBlacklistRegexp |
|
- Error messages are emitted when you attempt to "allow" elements or |
|
attributes that HTML Purifier does not support |
|
- Fix segfault in unit test. The problem is not very reproduceable and |
|
I don't know what causes it, but a six line patch fixed it. |
|
|
|
1.5.0, released 2007-03-23 |
|
! Added a rudimentary I18N and L10N system modeled off MediaWiki. It |
|
doesn't actually do anything yet, but keep your eyes peeled. |
|
! docs/enduser-utf8.html explains how to use UTF-8 and HTML Purifier |
|
! Newly structured HTMLDefinition modeled off of XHTML 1.1 modules. |
|
I am loathe to release beta quality APIs, but this is exactly that; |
|
don't use the internal interfaces if you're not willing to do migration |
|
later on. |
|
- Allow 'x' subtag in language codes |
|
- Fixed buggy chameleon-support for ins and del |
|
. Added support for IDREF attributes (i.e. for) |
|
. Renamed HTMLPurifier_AttrDef_Class to HTMLPurifier_AttrDef_Nmtokens |
|
. Removed context variable ParentType, replaced with IsInline, which |
|
is false when you're not inline and an integer of the parent that |
|
caused you to become inline when you are (so possibly zero) |
|
. Removed ElementDef->type in favor of ElementDef->descendants_are_inline |
|
and HTMLDefinition->content_sets |
|
. StrictBlockquote now reports what elements its supposed to allow, |
|
rather than what it does allow |
|
. Removed HTMLDefinition->info_flow_elements in favor of |
|
HTMLDefinition->content_sets['Flow'] |
|
. Removed redundant "exclusionary" definitions from DTD roster |
|
. StrictBlockquote now requires a construction parameter as if it |
|
were an Required ChildDef, this is the "real" set of allowed elements |
|
. AttrDef partitioned into HTML, CSS and URI segments |
|
. Modify Youtube filter regexp to be multiline |
|
. Require both PHP5 and DOM extension in order to use DOMLex, fixes |
|
some edge cases where a DOMDocument class exists in a PHP4 environment |
|
due to DOM XML extension. |
|
|
|
1.4.1, released 2007-01-21 |
|
! docs/enduser-youtube.html updated according to new functionality |
|
- YouTube IDs can have underscores and dashes |
|
|
|
1.4.0, released 2007-01-21 |
|
! Implemented list-style-image, URIs now allowed in list-style |
|
! Implemented background-image, background-repeat, background-attachment |
|
and background-position CSS properties. Shorthand property background |
|
supports all of these properties. |
|
! Configuration documentation looks nicer |
|
! Added %Core.EscapeNonASCIICharacters to workaround loss of Unicode |
|
characters while %Core.Encoding is set to a non-UTF-8 encoding. |
|
! Support for configuration directive aliases added |
|
! Config object can now be instantiated from ini files |
|
! YouTube preservation code added to the core, with two lines of code |
|
you can add it as a filter to your code. See smoketests/preserveYouTube.php |
|
for sample code. |
|
! Moved SLOW to docs/enduser-slow.html and added code examples |
|
- Replaced version check with functionality check for DOM (thanks Stephen |
|
Khoo) |
|
. Added smoketest 'all.php', which loads all other smoketests via frames |
|
. Implemented AttrDef_CSSURI for url(http://google.com) style declarations |
|
. Added convenient single test selector form on test runner |
|
|
|
1.3.2, released 2006-12-25 |
|
! HTMLPurifier object now accepts configuration arrays, no need to manually |
|
instantiate a configuration object |
|
! Context object now accessible to outside |
|
! Added enduser-youtube.html, explains how to embed YouTube videos. See |
|
also corresponding smoketest preserveYouTube.php. |
|
! Added purifyArray(), which takes a list of HTML and purifies it all |
|
! Added static member variable $version to HTML Purifier with PHP-compatible |
|
version number string. |
|
- Fixed fatal error thrown by upper-cased language attributes |
|
- printDefinition.php: added labels, added better clarification |
|
. HTMLPurifier_Config::create() added, takes mixed variable and converts into |
|
a HTMLPurifier_Config object. |
|
|
|
1.3.1, released 2006-12-06 |
|
! Added HTMLPurifier.func.php stub for a convenient function to call the library |
|
- Fixed bug in RemoveInvalidImg code that caused all images to be dropped |
|
(thanks to .mario for reporting this) |
|
. Standardized all attribute handling variables to attr, made it plural |
|
|
|
1.3.0, released 2006-11-26 |
|
# Invalid images are now removed, rather than replaced with a dud |
|
<img src="" alt="Invalid image" />. Previous behavior can be restored |
|
with new directive %Core.RemoveInvalidImg set to false. |
|
! (X)HTML Strict now supported |
|
+ Transparently handles inline elements in block context (blockquote) |
|
! Added GET method to demo for easier validation, added 50kb max input size |
|
! New directive %HTML.BlockWrapper, for block-ifying inline elements |
|
! New directive %HTML.Parent, allows you to only allow inline content |
|
! New directives %HTML.AllowedElements and %HTML.AllowedAttributes to let |
|
users narrow the set of allowed tags |
|
! <li value="4"> and <ul start="2"> now allowed in loose mode |
|
! New directives %URI.DisableExternalResources and %URI.DisableResources |
|
! New directive %Attr.DisableURI, which eliminates all hyperlinking |
|
! New directive %URI.Munge, munges URI so you can use some sort of redirector |
|
service to avoid PageRank leaks or warn users that they are exiting your site. |
|
! Added spiffy new smoketest printDefinition.php, which lets you twiddle with |
|
the configuration settings and see how the internal rules are affected. |
|
! New directive %URI.HostBlacklist for blocking links to bad hosts. |
|
xssAttacks.php smoketest updated accordingly. |
|
- Added missing type to ChildDef_Chameleon |
|
- Remove Tidy option from demo if there is not Tidy available |
|
. ChildDef_Required guards against empty tags |
|
. Lookup table HTMLDefinition->info_flow_elements added |
|
. Added peace-of-mind variable initialization to Strategy_FixNesting |
|
. Added HTMLPurifier->info_parent_def, parent child processing made special |
|
. Added internal documents briefly summarizing future progression of HTML |
|
. HTMLPurifier_Config->getBatch($namespace) added |
|
. More lenient casting to bool from string in HTMLPurifier_ConfigSchema |
|
. Refactored ChildDef classes into their own files |
|
|
|
1.2.0, released 2006-11-19 |
|
# ID attributes now disabled by default. New directives: |
|
+ %HTML.EnableAttrID - restores old behavior by allowing IDs |
|
+ %Attr.IDPrefix - %Attr.IDBlacklist alternative that munges all user IDs |
|
so that they don't collide with your IDs |
|
+ %Attr.IDPrefixLocal - Same as above, but for when there are multiple |
|
instances of user content on the page |
|
+ Profuse documentation on how to use these available in docs/enduser-id.txt |
|
! Added MODx plugin <http://modxcms.com/forums/index.php/topic,6604.0.html> |
|
! Added percent encoding normalization |
|
! XSS attacks smoketest given facelift |
|
! Configuration documentation now has table of contents |
|
! Added %URI.DisableExternal, which prevents links to external websites. You |
|
can also use %URI.Host to permit absolute linking to subdomains |
|
! Non-accessible resources (ex. mailto) blocked from embedded URIs (img src) |
|
- Type variable in HTMLDefinition was not being set properly, fixed |
|
- Documentation updated |
|
+ TODO added request Phalanger |
|
+ TODO added request Native compression |
|
+ TODO added request Remove redundant tags |
|
+ TODO added possible plaintext formatter for HTML Purifier documentation |
|
+ Updated ConfigDoc TODO |
|
+ Improved inline comments in AttrDef/Class.php, AttrDef/CSS.php |
|
and AttrDef/Host.php |
|
+ Revamped documentation into HTML, along with misc updates |
|
- HTMLPurifier_Context doesn't throw a variable reference error if you attempt |
|
to retrieve a non-existent variable |
|
. Switched to purify()-wide Context object registry |
|
. Refactored unit tests to minimize duplication |
|
. XSS attack sheet updated |
|
. configdoc.xml now has xml:space attached to default value nodes |
|
. Allow configuration directives to permit null values |
|
. Cleaned up test-cases to remove unnecessary swallowErrors() |
|
|
|
1.1.2, released 2006-09-30 |
|
! Add HTMLPurifier.auto.php stub file that configures include_path |
|
- Documentation updated |
|
+ INSTALL document rewritten |
|
+ TODO added semi-lossy conversion |
|
+ API Doxygen docs' file exclusions updated |
|
+ Added notes on HTML versus XML attribute whitespace handling |
|
+ Noted that HTMLPurifier_ChildDef_Custom isn't being used |
|
+ Noted that config object's definitions are cached versions |
|
- Fixed lack of attribute parsing in HTMLPurifier_Lexer_PEARSax3 |
|
- ftp:// URIs now have their typecodes checked |
|
- Hooked up HTMLPurifier_ChildDef_Custom's unit tests (they weren't being run) |
|
. Line endings standardized throughout project (svn:eol-style standardized) |
|
. Refactored parseData() to general Lexer class |
|
. Tester named "HTML Purifier" not "HTMLPurifier" |
|
|
|
1.1.1, released 2006-09-24 |
|
! Configuration option to optionally Tidy up output for indentation to make up |
|
for dropped whitespace by DOMLex (pretty-printing for the entire application |
|
should be done by a page-wide Tidy) |
|
- Various documentation updates |
|
- Fixed parse error in configuration documentation script |
|
- Fixed fatal error in benchmark scripts, slightly augmented |
|
- As far as possible, whitespace is preserved in-between table children |
|
- Sample test-settings.php file included |
|
|
|
1.1.0, released 2006-09-16 |
|
! Directive documentation generation using XSLT |
|
! XHTML can now be turned off, output becomes <br> |
|
- Made URI validator more forgiving: will ignore leading and trailing |
|
quotes, apostrophes and less than or greater than signs. |
|
- Enforce alphanumeric namespace and directive names for configuration. |
|
- Table child definition made more flexible, will fix up poorly ordered elements |
|
. Renamed ConfigDef to ConfigSchema |
|
|
|
1.0.1, released 2006-09-04 |
|
- Fixed slight bug in DOMLex attribute parsing |
|
- Fixed rejection of case-insensitive configuration values when there is a |
|
set of allowed values. This manifested in %Core.Encoding. |
|
- Fixed rejection of inline style declarations that had lots of extra |
|
space in them. This manifested in TinyMCE. |
|
|
|
1.0.0, released 2006-09-01 |
|
! Shorthand CSS properties implemented: font, border, background, list-style |
|
! Basic color keywords translated into hexadecimal values |
|
! Table CSS properties implemented |
|
! Support for charsets other than UTF-8 (defined by iconv) |
|
! Malformed UTF-8 and non-SGML character detection and cleaning implemented |
|
- Fixed broken numeric entity conversion |
|
- API documentation completed |
|
. (HTML|CSS)Definition de-singleton-ized |
|
|
|
1.0.0beta, released 2006-08-16 |
|
! First public release, most functionality implemented. Notable omissions are: |
|
+ Shorthand CSS properties |
|
+ Table CSS properties |
|
+ Deprecated attribute transformations |
|
|
|
vim: et sw=4 sts=4
|
|
|