[3.1.1] Update Munge docs.

git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@1804 48356398-32a2-884e-a903-53898d9a118a

NEWS

@@ -10,6 +10,8 @@ NEWS ( CHANGELOG and HISTORY )                                     HTMLPurifier
 ==========================
 
 3.1.1, unknown release date
+# %URI.Munge now, by default, does not munge resources (for example, <img src="">)
+  In order to enable this again, please set %URI.MungeResources to true. 
 ! More robust imagecrash protection with height/width CSS with %CSS.MaxImgLength,
   and height/width HTML with %HTML.MaxImgLength.
 ! %URI.SecureMunge for secure URI munging (as opposed to %URI.Munge). Thanks Chris

TODO

@@ -13,9 +13,7 @@ afraid to cast your vote for the next feature to be implemented!
 
 - Investigate how early internal structures can be accessed; this would
   prevent structures from being parsed and serialized multiple times.
-- Figure out how to simultaneously set %CSS.Trusted and %HTML.Trusted (?)
 - Built-in support for target="_blank" on all external links
-- Implement SecureMunge for resources too
 - Gitify the repository
 
 FUTURE VERSIONS
@@ -28,6 +26,7 @@ FUTURE VERSIONS
    IDREFs to non-existent IDs)
  # Frameset XHTML 1.0 and HTML 4.01 doctypes
  - Implement <area>
+ - Figure out how to simultaneously set %CSS.Trusted and %HTML.Trusted (?)
 
 3.3 release [Error'ed]
  # Error logging for filtering/cleanup procedures

configdoc/styles/plain.xsl

@@ -19,7 +19,7 @@
     <xsl:variable name="usageLookup" select="document('../usage.xml')/usage" />
     
     <!-- Twiddle this variable to get the columns as even as possible -->
-    <xsl:variable name="maxNumberAdjust" select="1" />
+    <xsl:variable name="maxNumberAdjust" select="2" />
     
     <xsl:template match="/">
         <html lang="en" xml:lang="en">

library/HTMLPurifier/ConfigSchema/schema/URI.Munge.txt

@@ -27,6 +27,12 @@ DEFAULT: NULL
         in corporate environments.
     </li>
 </ul>
+<p>
+    Prior to HTML Purifier 3.1.1, this directive also enabled the munging
+    of browsable external resources, which could break things if your redirection
+    script was a splash page or used <code>meta</code> tags. To revert to
+    previous behavior, please use %URI.MungeResources.
+</p>
 <p>
     You may want to also use %URI.MungeSecretKey along with this directive
     in order to enforce what URIs your redirector script allows. Open

library/HTMLPurifier/ConfigSchema/schema/URI.MungeResources.txt

@@ -4,9 +4,13 @@ VERSION: 3.1.1
 DEFAULT: false
 --DESCRIPTION--
 <p>
-    If true, any URI munging directives like %URI.Munge or %URI.SecureMunge
+    If true, any URI munging directives like %URI.Munge
     will also apply to embedded resources, such as <code>&lt;img src=""&gt;</code>.
     Be careful enabling this directive if you have a redirector script
     that does not use the <code>Location</code> HTTP header; all of your images
     and other embedded resources will break.
-</ul>
+</p>
+<p>
+    <strong>Warning:</strong> It is strongly advised you use this in conjunction
+    %URI.MungeSecretKey to mitigate the security risk of an open redirector.
+</p>