0
0
mirror of https://github.com/ezyang/htmlpurifier.git synced 2024-12-22 16:31:53 +00:00

Release 3.1.1

git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@1808 48356398-32a2-884e-a903-53898d9a118a
This commit is contained in:
Edward Z. Yang 2008-06-19 21:43:57 +00:00
parent 1009bd41a6
commit 7015aaff46
8 changed files with 29 additions and 24 deletions

View File

@ -31,7 +31,7 @@ PROJECT_NAME = HTMLPurifier
# This could be handy for archiving the generated documentation or # This could be handy for archiving the generated documentation or
# if some version control system is used. # if some version control system is used.
PROJECT_NUMBER = 3.1.0 PROJECT_NUMBER = 3.1.1
# The OUTPUT_DIRECTORY tag is used to specify the (relative or absolute) # The OUTPUT_DIRECTORY tag is used to specify the (relative or absolute)
# base path where the generated documentation will be put. # base path where the generated documentation will be put.

19
NEWS
View File

@ -9,12 +9,12 @@ NEWS ( CHANGELOG and HISTORY ) HTMLPurifier
. Internal change . Internal change
========================== ==========================
3.1.1, unknown release date 3.1.1, released 2008-06-19
# %URI.Munge now, by default, does not munge resources (for example, <img src="">) # %URI.Munge now, by default, does not munge resources (for example, <img src="">)
In order to enable this again, please set %URI.MungeResources to true. In order to enable this again, please set %URI.MungeResources to true.
! More robust imagecrash protection with height/width CSS with %CSS.MaxImgLength, ! More robust imagecrash protection with height/width CSS with %CSS.MaxImgLength,
and height/width HTML with %HTML.MaxImgLength. and height/width HTML with %HTML.MaxImgLength.
! %URI.SecureMunge for secure URI munging (as opposed to %URI.Munge). Thanks Chris ! %URI.MungeSecretKey for secure URI munging. Thanks Chris
for sponsoring this feature. Check out the corresponding documentation for sponsoring this feature. Check out the corresponding documentation
for details. (Att Nightly testers: The API for this feature changed before for details. (Att Nightly testers: The API for this feature changed before
the general release. Namely, rename your directives %URI.SecureMungeSecretKey => the general release. Namely, rename your directives %URI.SecureMungeSecretKey =>
@ -24,26 +24,31 @@ NEWS ( CHANGELOG and HISTORY ) HTMLPurifier
! Allow modules to define injectors via $info_injector. Injectors are ! Allow modules to define injectors via $info_injector. Injectors are
automatically disabled if injector's needed elements are not found. automatically disabled if injector's needed elements are not found.
! Support for "safe" objects added, use %HTML.SafeObject and %HTML.SafeEmbed. ! Support for "safe" objects added, use %HTML.SafeObject and %HTML.SafeEmbed.
Thanks Chris for sponsoring. If you've been using ad hoc code from the
forums, PLEASE use this instead.
! Added substitutions for %e, %n, %a and %p in %URI.Munge (in order, ! Added substitutions for %e, %n, %a and %p in %URI.Munge (in order,
embedded, tag name, attribute name, CSS property name). See %URI.Munge embedded, tag name, attribute name, CSS property name). See %URI.Munge
for more details. for more details. Requested by Jochem Blok.
- Disable percent height/width attributes for img - Disable percent height/width attributes for img.
- AttrValidator operations are now atomic; updates to attributes are not - AttrValidator operations are now atomic; updates to attributes are not
manifest in token until end of operations. This prevents naughty internal manifest in token until end of operations. This prevents naughty internal
code from directly modifying CurrentToken when they're not supposed to. code from directly modifying CurrentToken when they're not supposed to.
This semantics change was requested by frank farmer.
- Percent encoding checks enabled for URI query and fragment - Percent encoding checks enabled for URI query and fragment
- Fix stray backslashes in font-family; CSS Unicode character escapes are - Fix stray backslashes in font-family; CSS Unicode character escapes are
now properly resolved (although *only* in font-family). now properly resolved (although *only* in font-family). Thanks Takeshi Terada
for reporting.
- Improve parseCDATA algorithm to take into account newline normalization - Improve parseCDATA algorithm to take into account newline normalization
- Account for browser confusion between Yen character and backslash in - Account for browser confusion between Yen character and backslash in
Shift_JIS encoding. This fix generalizes to any other encoding which is not Shift_JIS encoding. This fix generalizes to any other encoding which is not
a strict superset of printable ASCII. a strict superset of printable ASCII. Thanks Takeshi Terada for reporting.
- Fix missing configuration parameter in Generator calls. Thanks vs for the - Fix missing configuration parameter in Generator calls. Thanks vs for the
partial patch. partial patch.
- Improved adherence to Unicode by checking for non-character codepoints. - Improved adherence to Unicode by checking for non-character codepoints.
Thanks Geoffrey Sneddon for reporting. This may result in degraded Thanks Geoffrey Sneddon for reporting. This may result in degraded
performance for extremely large inputs. performance for extremely large inputs.
- Allow CSS property-value pair ''text-decoration: none'' - Allow CSS property-value pair ''text-decoration: none''. Thanks Jochem Blok
for reporting.
. Added HTMLPurifier_UnitConverter and HTMLPurifier_Length for convenient . Added HTMLPurifier_UnitConverter and HTMLPurifier_Length for convenient
handling of CSS-style lengths. HTMLPurifier_AttrDef_CSS_Length now uses handling of CSS-style lengths. HTMLPurifier_AttrDef_CSS_Length now uses
this class. this class.

1
TODO
View File

@ -108,6 +108,7 @@ Neat feature related
- Full set of color keywords. Also, a way to add onto them without - Full set of color keywords. Also, a way to add onto them without
finalizing the configuration object. finalizing the configuration object.
- Write a var_export and memcached DefinitionCache - Denis - Write a var_export and memcached DefinitionCache - Denis
- Allow restriction of allowed class values
Maintenance related (slightly boring) Maintenance related (slightly boring)
# CHMOD install script for PEAR installs # CHMOD install script for PEAR installs

View File

@ -1 +1 @@
3.1.0 3.1.1

View File

@ -1,10 +1,9 @@
HTML Purifier 3.1.0 is the second release series for HTML Purifier on PHP 5 HTML Purifier 3.1.1 is a security and bugfix release. This release addresses
as well as a security update related to URIs. It shifts over to using two security vulnerabilities, both related to CSS, and one of which only
autoload, and also includes support for the !important CSS modifier, applies to users using Shift_JIS as their output encoding. There is also
display and visibility CSS properties with %CSS.AllowTricky, marquee with a security improvement regarding the imagecrash attack. There is a backwards
%HTML.Proprietary (had you scared for a moment, hmm?), a kses() wrapper, incompatible change with %URI.Munge, in which resources are no longer munged
%CSS.AllowedProperties, %HTML.ForbiddenAttributes and by default; please enable using %URI.MungeResources. Besides this, there
%HTML.ForbiddenElements and a totally revamped ConfigDoc system. Since the are numerous improvements to URI munging, esp. with the addition of
release candidate, there have also been a number of stability fixes such as %URI.MungeSecretKey, as well as an experimental implementation of
improved URI escaping, a change in serializer ID format, and a relaxed %HTML.SafeObject and %HTML.SafeEmbed. There are also some memory optimizations.
format for %HTML.Allowed. And as always, numerous bugfixes.

View File

@ -7,7 +7,7 @@
* primary concern and you are using an opcode cache. PLEASE DO NOT EDIT THIS * primary concern and you are using an opcode cache. PLEASE DO NOT EDIT THIS
* FILE, changes will be overwritten the next time the script is run. * FILE, changes will be overwritten the next time the script is run.
* *
* @version 3.1.0 * @version 3.1.1
* *
* @warning * @warning
* You must *not* include any other HTML Purifier files before this file, * You must *not* include any other HTML Purifier files before this file,

View File

@ -19,7 +19,7 @@
*/ */
/* /*
HTML Purifier 3.1.0 - Standards Compliant HTML Filtering HTML Purifier 3.1.1 - Standards Compliant HTML Filtering
Copyright (C) 2006-2008 Edward Z. Yang Copyright (C) 2006-2008 Edward Z. Yang
This library is free software; you can redistribute it and/or This library is free software; you can redistribute it and/or
@ -55,10 +55,10 @@ class HTMLPurifier
{ {
/** Version of HTML Purifier */ /** Version of HTML Purifier */
public $version = '3.1.0'; public $version = '3.1.1';
/** Constant with version of HTML Purifier */ /** Constant with version of HTML Purifier */
const VERSION = '3.1.0'; const VERSION = '3.1.1';
/** Global configuration object */ /** Global configuration object */
public $config; public $config;

View File

@ -20,7 +20,7 @@ class HTMLPurifier_Config
/** /**
* HTML Purifier's version * HTML Purifier's version
*/ */
public $version = '3.1.0'; public $version = '3.1.1';
/** /**
* Bool indicator whether or not to automatically finalize * Bool indicator whether or not to automatically finalize