Release 3.1.1

git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@1808 48356398-32a2-884e-a903-53898d9a118a

Doxyfile

@@ -31,7 +31,7 @@ PROJECT_NAME           = HTMLPurifier
 # This could be handy for archiving the generated documentation or 
 # if some version control system is used.
 
-PROJECT_NUMBER         = 3.1.0
+PROJECT_NUMBER         = 3.1.1
 
 # The OUTPUT_DIRECTORY tag is used to specify the (relative or absolute) 
 # base path where the generated documentation will be put. 

NEWS

@@ -9,12 +9,12 @@ NEWS ( CHANGELOG and HISTORY )                                     HTMLPurifier
     . Internal change
 ==========================
 
-3.1.1, unknown release date
+3.1.1, released 2008-06-19
 # %URI.Munge now, by default, does not munge resources (for example, <img src="">)
   In order to enable this again, please set %URI.MungeResources to true. 
 ! More robust imagecrash protection with height/width CSS with %CSS.MaxImgLength,
   and height/width HTML with %HTML.MaxImgLength.
-! %URI.SecureMunge for secure URI munging (as opposed to %URI.Munge). Thanks Chris
+! %URI.MungeSecretKey for secure URI munging. Thanks Chris
   for sponsoring this feature. Check out the corresponding documentation
   for details. (Att Nightly testers: The API for this feature changed before
   the general release. Namely, rename your directives %URI.SecureMungeSecretKey =>
@@ -24,26 +24,31 @@ NEWS ( CHANGELOG and HISTORY )                                     HTMLPurifier
 ! Allow modules to define injectors via $info_injector. Injectors are 
   automatically disabled if injector's needed elements are not found.
 ! Support for "safe" objects added, use %HTML.SafeObject and %HTML.SafeEmbed.
+  Thanks Chris for sponsoring. If you've been using ad hoc code from the
+  forums, PLEASE use this instead.
 ! Added substitutions for %e, %n, %a and %p in %URI.Munge (in order,
   embedded, tag name, attribute name, CSS property name). See %URI.Munge
-  for more details.
-- Disable percent height/width attributes for img
+  for more details. Requested by Jochem Blok.
+- Disable percent height/width attributes for img.
 - AttrValidator operations are now atomic; updates to attributes are not
   manifest in token until end of operations. This prevents naughty internal
   code from directly modifying CurrentToken when they're not supposed to.
+  This semantics change was requested by frank farmer.
 - Percent encoding checks enabled for URI query and fragment
 - Fix stray backslashes in font-family; CSS Unicode character escapes are
-  now properly resolved (although *only* in font-family).
+  now properly resolved (although *only* in font-family). Thanks Takeshi Terada
+  for reporting.
 - Improve parseCDATA algorithm to take into account newline normalization
 - Account for browser confusion between Yen character and backslash in
   Shift_JIS encoding. This fix generalizes to any other encoding which is not
-  a strict superset of printable ASCII.
+  a strict superset of printable ASCII. Thanks Takeshi Terada for reporting.
 - Fix missing configuration parameter in Generator calls. Thanks vs for the
   partial patch.
 - Improved adherence to Unicode by checking for non-character codepoints.
   Thanks Geoffrey Sneddon for reporting. This may result in degraded
   performance for extremely large inputs.
-- Allow CSS property-value pair ''text-decoration: none''
+- Allow CSS property-value pair ''text-decoration: none''. Thanks Jochem Blok
+  for reporting.
 . Added HTMLPurifier_UnitConverter and HTMLPurifier_Length for convenient
   handling of CSS-style lengths. HTMLPurifier_AttrDef_CSS_Length now uses
   this class.

TODO

@@ -108,6 +108,7 @@ Neat feature related
  - Full set of color keywords. Also, a way to add onto them without
    finalizing the configuration object.
  - Write a var_export and memcached DefinitionCache - Denis
+ - Allow restriction of allowed class values
 
 Maintenance related (slightly boring)
  # CHMOD install script for PEAR installs

VERSION

@@ -1 +1 @@
-3.1.0
+3.1.1

WHATSNEW

@@ -1,10 +1,9 @@
-HTML Purifier 3.1.0 is the second release series for HTML Purifier on PHP 5
-as well as a security update related to URIs. It shifts over to using
-autoload, and also includes support for the !important CSS modifier,
-display and visibility CSS properties with %CSS.AllowTricky, marquee with
-%HTML.Proprietary (had you scared for a moment, hmm?), a kses() wrapper,
-%CSS.AllowedProperties, %HTML.ForbiddenAttributes and
-%HTML.ForbiddenElements and a totally revamped ConfigDoc system. Since the
-release candidate, there have also been a number of stability fixes such as
-improved URI escaping, a change in serializer ID format, and a relaxed
-format for %HTML.Allowed. And as always, numerous bugfixes.
+HTML Purifier 3.1.1 is a security and bugfix release. This release addresses
+two security vulnerabilities, both related to CSS, and one of which only
+applies to users using Shift_JIS as their output encoding. There is also
+a security improvement regarding the imagecrash attack. There is a backwards
+incompatible change with %URI.Munge, in which resources are no longer munged
+by default; please enable using %URI.MungeResources. Besides this, there
+are numerous improvements to URI munging, esp. with the addition of
+%URI.MungeSecretKey, as well as an experimental implementation of 
+%HTML.SafeObject and %HTML.SafeEmbed. There are also some memory optimizations.

library/HTMLPurifier.includes.php

@@ -7,7 +7,7 @@
  * primary concern and you are using an opcode cache. PLEASE DO NOT EDIT THIS
  * FILE, changes will be overwritten the next time the script is run.
  * 
- * @version 3.1.0
+ * @version 3.1.1
  * 
  * @warning
  *      You must *not* include any other HTML Purifier files before this file,

library/HTMLPurifier.php

@@ -19,7 +19,7 @@
  */
 
 /*
-    HTML Purifier 3.1.0 - Standards Compliant HTML Filtering
+    HTML Purifier 3.1.1 - Standards Compliant HTML Filtering
     Copyright (C) 2006-2008 Edward Z. Yang
 
     This library is free software; you can redistribute it and/or
@@ -55,10 +55,10 @@ class HTMLPurifier
 {
     
     /** Version of HTML Purifier */
-    public $version = '3.1.0';
+    public $version = '3.1.1';
     
     /** Constant with version of HTML Purifier */
-    const VERSION = '3.1.0';
+    const VERSION = '3.1.1';
     
     /** Global configuration object */
     public $config;

library/HTMLPurifier/Config.php

@@ -20,7 +20,7 @@ class HTMLPurifier_Config
     /**
      * HTML Purifier's version
      */
-    public $version = '3.1.0';
+    public $version = '3.1.1';
     
     /**
      * Bool indicator whether or not to automatically finalize