[3.1.1] Update Munge docs.

git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@1804 48356398-32a2-884e-a903-53898d9a118a
2024-11-09 15:28:40 +00:00 · 2008-06-19 19:06:55 +00:00 · 2008-06-19 19:06:55 +00:00 · 511dfe2d4a
commit 511dfe2d4a
parent 463aa3a0fa
5 changed files with 16 additions and 5 deletions
--- a/2
+++ b/2
@ -10,6 +10,8 @@ NEWS ( CHANGELOG and HISTORY )                                     HTMLPurifier
 ==========================

 3.1.1, unknown release date
+# %URI.Munge now, by default, does not munge resources (for example, <img src="">)
+  In order to enable this again, please set %URI.MungeResources to true. 
 ! More robust imagecrash protection with height/width CSS with %CSS.MaxImgLength,
  and height/width HTML with %HTML.MaxImgLength.
 ! %URI.SecureMunge for secure URI munging (as opposed to %URI.Munge). Thanks Chris
--- a/3
+++ b/3
@ -13,9 +13,7 @@ afraid to cast your vote for the next feature to be implemented!

 - Investigate how early internal structures can be accessed; this would
  prevent structures from being parsed and serialized multiple times.
- Figure out how to simultaneously set %CSS.Trusted and %HTML.Trusted (?)
 - Built-in support for target="_blank" on all external links
- Implement SecureMunge for resources too
 - Gitify the repository

 FUTURE VERSIONS
@ -28,6 +26,7 @@ FUTURE VERSIONS
   IDREFs to non-existent IDs)
 # Frameset XHTML 1.0 and HTML 4.01 doctypes
 - Implement <area>
+ - Figure out how to simultaneously set %CSS.Trusted and %HTML.Trusted (?)

 3.3 release [Error'ed]
 # Error logging for filtering/cleanup procedures
--- a/configdoc/styles/plain.xsl
+++ b/configdoc/styles/plain.xsl
@ -19,7 +19,7 @@
    <xsl:variable name="usageLookup" select="document('../usage.xml')/usage" />
    
    <!-- Twiddle this variable to get the columns as even as possible -->
-    <xsl:variable name="maxNumberAdjust" select="1" />
+    <xsl:variable name="maxNumberAdjust" select="2" />
    
    <xsl:template match="/">
        <html lang="en" xml:lang="en">
--- a/library/HTMLPurifier/ConfigSchema/schema/URI.Munge.txt
+++ b/library/HTMLPurifier/ConfigSchema/schema/URI.Munge.txt
@ -27,6 +27,12 @@ DEFAULT: NULL
        in corporate environments.
    </li>
 </ul>
+<p>
+    Prior to HTML Purifier 3.1.1, this directive also enabled the munging
+    of browsable external resources, which could break things if your redirection
+    script was a splash page or used <code>meta</code> tags. To revert to
+    previous behavior, please use %URI.MungeResources.
+</p>
 <p>
    You may want to also use %URI.MungeSecretKey along with this directive
    in order to enforce what URIs your redirector script allows. Open
--- a/library/HTMLPurifier/ConfigSchema/schema/URI.MungeResources.txt
+++ b/library/HTMLPurifier/ConfigSchema/schema/URI.MungeResources.txt
@ -4,9 +4,13 @@ VERSION: 3.1.1
 DEFAULT: false
 --DESCRIPTION--
 <p>
-    If true, any URI munging directives like %URI.Munge or %URI.SecureMunge
+    If true, any URI munging directives like %URI.Munge
    will also apply to embedded resources, such as <code>&lt;img src=""&gt;</code>.
    Be careful enabling this directive if you have a redirector script
    that does not use the <code>Location</code> HTTP header; all of your images
    and other embedded resources will break.
-</ul>
+</p>
+<p>
+    <strong>Warning:</strong> It is strongly advised you use this in conjunction
+    %URI.MungeSecretKey to mitigate the security risk of an open redirector.
+</p>