2006-08-16 17:35:24 +00:00
|
|
|
NEWS ( CHANGELOG and HISTORY ) HTMLPurifier
|
2006-08-16 16:32:44 +00:00
|
|
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|
|
|
|
2006-09-28 01:28:18 +00:00
|
|
|
= KEY ====================
|
2006-11-17 01:05:41 +00:00
|
|
|
# Breaks back-compat
|
2006-09-28 01:28:18 +00:00
|
|
|
! Feature
|
|
|
|
- Bugfix
|
|
|
|
+ Sub-comment
|
|
|
|
. Internal change
|
|
|
|
==========================
|
|
|
|
|
2006-12-26 04:31:48 +00:00
|
|
|
1.4.0, unknown release date
|
2006-11-27 00:15:43 +00:00
|
|
|
(major feature release)
|
|
|
|
|
2006-12-26 04:31:48 +00:00
|
|
|
1.3.3, unknown release date, may be dropped
|
2006-12-06 22:52:22 +00:00
|
|
|
(security/bugfix/minor feature release)
|
2006-12-26 04:31:48 +00:00
|
|
|
|
|
|
|
1.3.2, released 2006-12-25
|
2006-12-15 02:12:03 +00:00
|
|
|
! HTMLPurifier object now accepts configuration arrays, no need to manually
|
|
|
|
instantiate a configuration object
|
|
|
|
! Context object now accessible to outside
|
2006-12-20 02:59:19 +00:00
|
|
|
! Added enduser-youtube.html, explains how to embed YouTube videos. See
|
|
|
|
also corresponding smoketest preserveYouTube.php.
|
2006-12-20 23:51:09 +00:00
|
|
|
! Added purifyArray(), which takes a list of HTML and purifies it all
|
2006-12-26 04:31:48 +00:00
|
|
|
! Added static member variable $version to HTML Purifier with PHP-compatible
|
|
|
|
version number string.
|
2006-12-26 03:56:53 +00:00
|
|
|
- Fixed fatal error thrown by upper-cased language attributes
|
2006-12-13 04:14:30 +00:00
|
|
|
- printDefinition.php: added labels, added better clarification
|
2006-12-15 02:12:03 +00:00
|
|
|
. HTMLPurifier_Config::create() added, takes mixed variable and converts into
|
|
|
|
a HTMLPurifier_Config object.
|
2006-12-06 22:52:22 +00:00
|
|
|
|
|
|
|
1.3.1, released 2006-12-06
|
2006-12-06 22:04:16 +00:00
|
|
|
! Added HTMLPurifier.func.php stub for a convenient function to call the library
|
2006-12-06 22:29:08 +00:00
|
|
|
- Fixed bug in RemoveInvalidImg code that caused all images to be dropped
|
2006-12-06 22:41:40 +00:00
|
|
|
(thanks to .mario for reporting this)
|
2006-12-06 22:29:08 +00:00
|
|
|
. Standardized all attribute handling variables to attr, made it plural
|
2006-11-27 00:15:43 +00:00
|
|
|
|
2006-11-26 23:18:32 +00:00
|
|
|
1.3.0, released 2006-11-26
|
2006-11-23 23:59:20 +00:00
|
|
|
# Invalid images are now removed, rather than replaced with a dud
|
|
|
|
<img src="" alt="Invalid image" />. Previous behavior can be restored
|
|
|
|
with new directive %Core.RemoveInvalidImg set to false.
|
2006-11-23 03:23:35 +00:00
|
|
|
! (X)HTML Strict now supported
|
|
|
|
+ Transparently handles inline elements in block context (blockquote)
|
|
|
|
! Added GET method to demo for easier validation, added 50kb max input size
|
|
|
|
! New directive %HTML.BlockWrapper, for block-ifying inline elements
|
|
|
|
! New directive %HTML.Parent, allows you to only allow inline content
|
2006-11-23 13:51:19 +00:00
|
|
|
! New directives %HTML.AllowedElements and %HTML.AllowedAttributes to let
|
|
|
|
users narrow the set of allowed tags
|
2006-11-23 22:15:35 +00:00
|
|
|
! <li value="4"> and <ul start="2"> now allowed in loose mode
|
2006-11-23 23:59:20 +00:00
|
|
|
! New directives %URI.DisableExternalResources and %URI.DisableResources
|
|
|
|
! New directive %Attr.DisableURI, which eliminates all hyperlinking
|
2006-11-24 00:29:16 +00:00
|
|
|
! New directive %URI.Munge, munges URI so you can use some sort of redirector
|
|
|
|
service to avoid PageRank leaks or warn users that they are exiting your site.
|
2006-11-24 06:26:02 +00:00
|
|
|
! Added spiffy new smoketest printDefinition.php, which lets you twiddle with
|
|
|
|
the configuration settings and see how the internal rules are affected.
|
2006-11-26 23:14:12 +00:00
|
|
|
! New directive %URI.HostBlacklist for blocking links to bad hosts.
|
|
|
|
xssAttacks.php smoketest updated accordingly.
|
2006-11-23 03:23:35 +00:00
|
|
|
- Added missing type to ChildDef_Chameleon
|
2006-11-23 03:49:19 +00:00
|
|
|
- Remove Tidy option from demo if there is not Tidy available
|
2006-11-23 03:23:35 +00:00
|
|
|
. ChildDef_Required guards against empty tags
|
|
|
|
. Lookup table HTMLDefinition->info_flow_elements added
|
|
|
|
. Added peace-of-mind variable initialization to Strategy_FixNesting
|
2006-11-23 13:51:19 +00:00
|
|
|
. Added HTMLPurifier->info_parent_def, parent child processing made special
|
2006-11-23 22:33:07 +00:00
|
|
|
. Added internal documents briefly summarizing future progression of HTML
|
2006-11-24 06:26:02 +00:00
|
|
|
. HTMLPurifier_Config->getBatch($namespace) added
|
|
|
|
. More lenient casting to bool from string in HTMLPurifier_ConfigSchema
|
2006-11-22 18:55:15 +00:00
|
|
|
. Refactored ChildDef classes into their own files
|
2006-11-20 03:58:56 +00:00
|
|
|
|
2006-11-20 03:16:32 +00:00
|
|
|
1.2.0, released 2006-11-19
|
2006-11-17 01:05:41 +00:00
|
|
|
# ID attributes now disabled by default. New directives:
|
|
|
|
+ %HTML.EnableAttrID - restores old behavior by allowing IDs
|
|
|
|
+ %Attr.IDPrefix - %Attr.IDBlacklist alternative that munges all user IDs
|
|
|
|
so that they don't collide with your IDs
|
|
|
|
+ %Attr.IDPrefixLocal - Same as above, but for when there are multiple
|
|
|
|
instances of user content on the page
|
2006-11-19 04:37:26 +00:00
|
|
|
+ Profuse documentation on how to use these available in docs/enduser-id.txt
|
2006-10-02 16:56:47 +00:00
|
|
|
! Added MODx plugin <http://modxcms.com/forums/index.php/topic,6604.0.html>
|
2006-11-07 17:15:28 +00:00
|
|
|
! Added percent encoding normalization
|
2006-11-08 01:31:38 +00:00
|
|
|
! XSS attacks smoketest given facelift
|
2006-11-08 14:21:06 +00:00
|
|
|
! Configuration documentation now has table of contents
|
2006-11-12 03:35:41 +00:00
|
|
|
! Added %URI.DisableExternal, which prevents links to external websites. You
|
|
|
|
can also use %URI.Host to permit absolute linking to subdomains
|
2006-11-17 23:09:10 +00:00
|
|
|
! Non-accessible resources (ex. mailto) blocked from embedded URIs (img src)
|
2006-11-19 04:42:42 +00:00
|
|
|
- Type variable in HTMLDefinition was not being set properly, fixed
|
2006-11-03 02:40:37 +00:00
|
|
|
- Documentation updated
|
|
|
|
+ TODO added request Phalanger
|
|
|
|
+ TODO added request Native compression
|
2006-11-04 05:05:19 +00:00
|
|
|
+ TODO added request Remove redundant tags
|
2006-11-12 19:26:49 +00:00
|
|
|
+ TODO added possible plaintext formatter for HTML Purifier documentation
|
2006-11-12 00:05:27 +00:00
|
|
|
+ Updated ConfigDoc TODO
|
2006-11-12 19:26:49 +00:00
|
|
|
+ Improved inline comments in AttrDef/Class.php, AttrDef/CSS.php
|
|
|
|
and AttrDef/Host.php
|
2006-11-19 04:37:26 +00:00
|
|
|
+ Revamped documentation into HTML, along with misc updates
|
2006-11-16 23:58:33 +00:00
|
|
|
- HTMLPurifier_Context doesn't throw a variable reference error if you attempt
|
|
|
|
to retrieve a non-existent variable
|
2006-10-01 18:14:08 +00:00
|
|
|
. Switched to purify()-wide Context object registry
|
2006-10-01 21:55:13 +00:00
|
|
|
. Refactored unit tests to minimize duplication
|
2006-11-03 02:40:37 +00:00
|
|
|
. XSS attack sheet updated
|
2006-11-12 00:05:27 +00:00
|
|
|
. configdoc.xml now has xml:space attached to default value nodes
|
2006-11-12 02:59:36 +00:00
|
|
|
. Allow configuration directives to permit null values
|
2006-11-16 23:58:33 +00:00
|
|
|
. Cleaned up test-cases to remove unnecessary swallowErrors()
|
2006-09-17 00:17:45 +00:00
|
|
|
|
2006-09-30 19:02:32 +00:00
|
|
|
1.1.2, released 2006-09-30
|
2006-09-30 19:34:59 +00:00
|
|
|
! Add HTMLPurifier.auto.php stub file that configures include_path
|
2006-09-27 02:09:54 +00:00
|
|
|
- Documentation updated
|
2006-09-28 01:28:18 +00:00
|
|
|
+ INSTALL document rewritten
|
|
|
|
+ TODO added semi-lossy conversion
|
|
|
|
+ API Doxygen docs' file exclusions updated
|
2006-09-30 18:55:17 +00:00
|
|
|
+ Added notes on HTML versus XML attribute whitespace handling
|
|
|
|
+ Noted that HTMLPurifier_ChildDef_Custom isn't being used
|
|
|
|
+ Noted that config object's definitions are cached versions
|
2006-09-27 02:09:54 +00:00
|
|
|
- Fixed lack of attribute parsing in HTMLPurifier_Lexer_PEARSax3
|
2006-09-30 17:24:12 +00:00
|
|
|
- ftp:// URIs now have their typecodes checked
|
2006-09-30 18:55:17 +00:00
|
|
|
- Hooked up HTMLPurifier_ChildDef_Custom's unit tests (they weren't being run)
|
2006-09-28 01:28:18 +00:00
|
|
|
. Line endings standardized throughout project (svn:eol-style standardized)
|
|
|
|
. Refactored parseData() to general Lexer class
|
2006-09-30 18:55:17 +00:00
|
|
|
. Tester named "HTML Purifier" not "HTMLPurifier"
|
2006-09-24 23:42:14 +00:00
|
|
|
|
|
|
|
1.1.1, released 2006-09-24
|
2006-09-28 01:28:18 +00:00
|
|
|
! Configuration option to optionally Tidy up output for indentation to make up
|
|
|
|
for dropped whitespace by DOMLex (pretty-printing for the entire application
|
|
|
|
should be done by a page-wide Tidy)
|
2006-09-24 02:06:12 +00:00
|
|
|
- Various documentation updates
|
|
|
|
- Fixed parse error in configuration documentation script
|
2006-09-24 21:58:14 +00:00
|
|
|
- Fixed fatal error in benchmark scripts, slightly augmented
|
|
|
|
- As far as possible, whitespace is preserved in-between table children
|
|
|
|
- Sample test-settings.php file included
|
2006-09-17 00:17:45 +00:00
|
|
|
|
|
|
|
1.1.0, released 2006-09-16
|
2006-09-28 01:28:18 +00:00
|
|
|
! Directive documentation generation using XSLT
|
|
|
|
! XHTML can now be turned off, output becomes <br>
|
2006-09-04 02:31:27 +00:00
|
|
|
- Made URI validator more forgiving: will ignore leading and trailing
|
|
|
|
quotes, apostrophes and less than or greater than signs.
|
2006-09-06 02:07:46 +00:00
|
|
|
- Enforce alphanumeric namespace and directive names for configuration.
|
2006-09-15 01:52:22 +00:00
|
|
|
- Table child definition made more flexible, will fix up poorly ordered elements
|
2006-09-28 01:28:18 +00:00
|
|
|
. Renamed ConfigDef to ConfigSchema
|
2006-09-11 02:20:33 +00:00
|
|
|
|
|
|
|
1.0.1, released 2006-09-04
|
2006-09-01 16:19:21 +00:00
|
|
|
- Fixed slight bug in DOMLex attribute parsing
|
2006-09-01 16:40:14 +00:00
|
|
|
- Fixed rejection of case-insensitive configuration values when there is a
|
|
|
|
set of allowed values. This manifested in %Core.Encoding.
|
2006-09-04 23:01:47 +00:00
|
|
|
- Fixed rejection of inline style declarations that had lots of extra
|
|
|
|
space in them. This manifested in TinyMCE.
|
2006-09-01 16:19:21 +00:00
|
|
|
|
2006-09-01 14:57:47 +00:00
|
|
|
1.0.0, released 2006-09-01
|
2006-09-28 01:28:18 +00:00
|
|
|
! Shorthand CSS properties implemented: font, border, background, list-style
|
|
|
|
! Basic color keywords translated into hexadecimal values
|
|
|
|
! Table CSS properties implemented
|
|
|
|
! Support for charsets other than UTF-8 (defined by iconv)
|
|
|
|
! Malformed UTF-8 and non-SGML character detection and cleaning implemented
|
2006-08-18 17:49:33 +00:00
|
|
|
- Fixed broken numeric entity conversion
|
2006-08-20 22:06:11 +00:00
|
|
|
- API documentation completed
|
2006-09-28 01:28:18 +00:00
|
|
|
. (HTML|CSS)Definition de-singleton-ized
|
2006-08-18 00:04:05 +00:00
|
|
|
|
2006-08-16 17:35:24 +00:00
|
|
|
1.0.0beta, released 2006-08-16
|
2006-09-28 01:28:18 +00:00
|
|
|
! First public release, most functionality implemented. Notable omissions are:
|
|
|
|
+ Shorthand CSS properties
|
|
|
|
+ Table CSS properties
|
|
|
|
+ Deprecated attribute transformations
|