Edward Z. Yang
[fix] Remove occurrences of E_STRICT
Signed-off-by: Edward Z. Yang <ezyang@meta.com>
2024-11-09 20:43:22 -05:00
chore(release): 4.18.0 [skip ci]
# [4.18.0](https://github.com/ezyang/htmlpurifier/compare/v4.17.0...v4.18.0) (2024-11-01)
### Bug Fixes
* Adjust Core.AllowHostnameUnderscore to consider that "_" is defined as Unreserved Characters in RFC 3986 ([#406](https://github.com/ezyang/htmlpurifier/issues/406)) ([d9fbef8](d9fbef8e27))
* Avoid a deprecated error when the attribute name is numeric and DirectLex is used ([#412](https://github.com/ezyang/htmlpurifier/issues/412)) ([f0fbf51](f0fbf51098))
* checking that node has property name ([#399](https://github.com/ezyang/htmlpurifier/issues/399)) ([9ca5a36](9ca5a3687b))
* Ignore conditional comments ([#401](https://github.com/ezyang/htmlpurifier/issues/401)) ([4828fdf](4828fdf45a))
* Support PHP 8.4 ([#396](https://github.com/ezyang/htmlpurifier/issues/396)) ([92da247](92da2473ff))
* undefined array key warning ([#419](https://github.com/ezyang/htmlpurifier/issues/419)) ([01be377](01be377f93))
### Features
* Add allowfullscreen attr for iframe ([#411](https://github.com/ezyang/htmlpurifier/issues/411)) ([70754a2](70754a2533))
* add directive for removing blank nodes ([#404](https://github.com/ezyang/htmlpurifier/issues/404)) ([c9d60c9](c9d60c96d7))
* Add support for CSS aspect-ratio ([#408](https://github.com/ezyang/htmlpurifier/issues/408)) ([93bee73](93bee73349))
* Allow universal CSS values for all properties ([#410](https://github.com/ezyang/htmlpurifier/issues/410)) ([9723267](972326785d))
2024-11-01 03:51:45 +00:00
chore(release): 4.17.0 [skip ci]
# [4.17.0](https://github.com/ezyang/htmlpurifier/compare/v4.16.0...v4.17.0) (2023-11-17)
### Bug Fixes
* CSSTidy ImportantComments not handled properly ([#359](https://github.com/ezyang/htmlpurifier/issues/359)) ([78a9b4d](78a9b4d0da))
* fix CI ([#361](https://github.com/ezyang/htmlpurifier/issues/361)) ([9ec687c](9ec687c904))
* Invalid scheme check in Attr.TargetBlank ([#363](https://github.com/ezyang/htmlpurifier/issues/363)) ([0176ef4](0176ef4bb6))
* semantic release ([#339](https://github.com/ezyang/htmlpurifier/issues/339)) ([d82f3d9](d82f3d996a))
* semantic release ([#341](https://github.com/ezyang/htmlpurifier/issues/341)) ([e55fead](e55fead09f)), closes [#339](https://github.com/ezyang/htmlpurifier/issues/339)
* Support for locales using decimal separators other than . (dot) ([#372](https://github.com/ezyang/htmlpurifier/issues/372)) ([43f49ac](43f49ac9a5))
### Features
* Add support for all text-decoration properties ([#360](https://github.com/ezyang/htmlpurifier/issues/360)) ([2d775c0](2d775c0187))
* Allows commas to be included in tel URI ([#389](https://github.com/ezyang/htmlpurifier/issues/389)) ([ec92490](ec92490139)), closes [#388](https://github.com/ezyang/htmlpurifier/issues/388)
### Reverts
* Revert "fix: semantic release (#339)" (#340) ([3e83215](3e832152a6)), closes [#339](https://github.com/ezyang/htmlpurifier/issues/339) [#340](https://github.com/ezyang/htmlpurifier/issues/340)
2023-11-17 15:01:25 +00:00
Edward Z. Yang
Release 4.15.0
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2022-09-18 02:23:57 -04:00
Edward Z. Yang
Release 4.14.0
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2021-12-24 20:21:49 -05:00
Mateusz Turcza
Add %HTML.Forms config directive (#260)
The %HTML.Forms directive enables Forms module regardless of the %HTML.Trusted
value. This adds support for form elements without enabling other unsafe
modules, such as Scripts, Iframe or Object.
To achieve the same effect without this directive one has to explicitly list
all enabled modules in %HTML.AllowedModules, and any not listed will be
removed. This however is not very convenient, as the allowed modules may vary
between doctypes.
Resolves #213.
2020-06-28 20:26:33 -04:00
Edward Z. Yang
Release 4.11.0
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2019-07-14 14:58:38 -04:00
Supported hundreds of nested HTML (#202)
* Supported hundreds of nested HTML (#201)
* Add Core.AllowParseManyTags
2019-07-14 13:15:31 -04:00
Dimitri Gritsajuk
[SafeScripting] disable autoclosing of <script /> tag (#198)
2018-11-11 15:04:11 -05:00
Edward Z. Yang
Release 4.9.2
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2017-03-12 23:30:53 -07:00
Edward Z. Yang
Release 4.9.1 (sic)
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2017-03-08 00:22:36 -08:00
Edward Z. Yang
Fix #83.
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2017-03-07 17:52:41 -08:00
Edward Z. Yang
Revamp entity decoding to be more like HTML5.
See %Core.LegacyEntityDecoder for more details.
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2017-03-07 17:34:59 -08:00
Edward Z. Yang
Usage/includes update.
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2017-03-06 23:06:56 -08:00
Bastian Hofmann
Refactor HTML.Noopener to HTML.TargetNoopener so that it behaves like HTML.TargetNoreferrer and is active by default if a target is set
2017-02-03 16:54:51 -08:00
Bastian Hofmann
Add HTML.Noopener to add a noopener rel to every external link
This has performance benefits https://jakearchibald.com/2016/performance-benefits-of-rel-noopener/ but most importantly also security benefits https://mathiasbynens.github.io/rel-noopener/
Addresses https://github.com/ezyang/htmlpurifier/issues/96
2017-02-03 16:54:51 -08:00
Edward Z. Yang
Allow %URI.DefaultScheme to be null.
Fixes #103.
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2016-10-27 17:30:44 -07:00
Edward Z. Yang
Update usage.xml.
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2016-10-27 02:00:47 -07:00
Edward Z. Yang
Fix #73 with Attr.ID.HTML5
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2016-07-16 05:52:45 -07:00
Edward Z. Yang
Stop trying to chmod if SerializerPermissions is null, fixes #71
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2016-07-01 16:04:11 -04:00
Edward Z. Yang
Partial border-radius support.
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2016-06-30 22:22:13 -04:00
Cameron Ball
Add %HTML.TargetNoreferrer, which adds rel="noreferrer" when target attribute is set
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2016-06-30 21:53:43 -04:00
Wes Cossick
tel protocol support.
2016-06-30 21:19:49 -04:00
Edward Z. Yang
Add AutoFormat.RemoveEmpty.Predicate, fixes #35.
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2014-08-31 12:12:17 +01:00
Edward Z. Yang
Rewrite FixNesting implementation to be tree-based.
This mega-patch rips out the FixNesting implementation and the related
ChildDef components. The primary algorithmic change is to convert from
use of tokens to tree nodes, which are far more amenable to the style
of processing that FixNesting uses. Additionally, FixNesting has been
changed to go bottom-up rather than top-down, in order to avoid needing
to implement backtracking.
This patch simplifies a good deal of the relevant logic, since we no
longer need to continually recalculate the nesting structure when
processing things. However, the conversion to the alternate format
incurs some overhead, so for small inputs these changes are not a win.
One possibility to greatly reduce the constant factors here is to switch
to entirely using libxml's representation, and never serializing tokens;
this would require one to rewrite injectors, however.
The iterative post-order traversal in FixNesting is a bit subtle, but
we have essentially reified the stack and continuations.
We've removed support for %Core.EscapeInvalidChildren.
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2013-10-20 22:37:01 -07:00
Edward Z. Yang
Add conversion functions for our own tree format.
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2013-10-20 15:05:11 -07:00
Edward Z. Yang
Use a Zipper to process MakeWellFormed, removing quadratic behavior.
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2013-10-13 13:21:02 -07:00
Edward Z. Yang
Fix quadratic behavior in DOMLex due to array_shift.
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2013-09-17 00:48:42 -07:00
Edward Z. Yang
New directive %Core.AllowHostnameUnderscore
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2013-07-26 21:33:39 -07:00
Edward Z. Yang
Add %Core.DisableExcludes directive
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2013-02-17 15:47:38 -08:00
Edward Z. Yang
Support for safe external scripts via explicit whitelist.
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2012-04-27 17:44:49 -04:00
Edward Z. Yang
Fix problem where stacked AttrTransforms clobber each other.
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2012-03-16 23:12:16 -04:00
Edward Z. Yang
Release 4.4.0
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2012-01-18 19:22:31 -05:00
Edward Z. Yang
Make all of the tests work on all PHP versions.
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2012-01-18 18:57:13 -05:00
Edward Z. Yang
Tighter CSS selector validation.
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2012-01-17 15:36:26 -05:00
Edward Z. Yang
Optional support for IDNAs with PEAR Net_IDNA2
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2012-01-06 05:28:00 -08:00
Bradley M. Froehle
Implement Iframe module, and provide %HTML.SafeIframe and %URI.SafeIframeRegexp for untrusted usage.
The purpose of this addition is twofold. In trusted mode, iframes are
now unconditionally allowed.
However, many online video providers (YouTube, Vimeo) and other web
applications (Google Maps, Google Calendar, etc) provide embed code in
iframe format, which is useful functionality in untrusted mode.
You can specify iframes as trusted elements with %HTML.SafeIframe;
however, you need to additionally specify a whitelist mechanism such as
%URI.SafeIframeRegexp to say what iframe embeds are OK (by default
everything is rejected).
Note: As iframes are invalid in strict doctypes, you will not be able to
use them there.
We also added an always_load parameter to URIFilters in order to support
the strange nature of the SafeIframe URIFilter (it always needs to be
loaded, due to the inability of accessing the %HTML.SafeIframe directive
to see if it's needed!) We expect this URIFilter can expand in the future
to offer more complex validation mechanisms.
Signed-off-by: Bradley M. Froehle <brad.froehle@gmail.com>
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2011-12-26 21:50:53 +08:00
Edward Z. Yang
Implement %HTML.AllowedComments and %HTML.AllowedCommentsRegexp
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2011-12-26 15:34:42 +08:00
Edward Z. Yang
Implement %HTML.TargetBlank
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2011-12-26 08:36:00 +08:00
Edward Z. Yang
Update INSTALL to avoid missing config snafu, update usage.xml.
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2011-08-24 09:56:21 -04:00
Edward Z. Yang
Protect against font family innerHTML/cssText attacks.
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2011-03-27 20:35:43 +01:00
Edward Z. Yang
Fix embedding flash on non-IE browsers and allow more wmode.
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2011-01-22 12:28:57 +00:00
Petr Skoda
Add new Cache.SerializerPermissions option.
2011-01-13 22:57:40 +00:00
Edward Z. Yang
Add initial implementation of CSS.Trusted.
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2010-11-12 18:45:03 +00:00
Edward Z. Yang
Implement HTML.Nofollow for external links.
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2010-09-28 12:01:57 -04:00
Edward Z. Yang
Rename newline normalization directive to something better.
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2010-09-15 02:50:39 -04:00
Tomasz Muras
Make newline normalization optional.
2010-09-14 23:49:28 -04:00
Edward Z. Yang
Implement HTML.FlashAllowFullScreen.
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2010-09-08 23:39:20 -04:00
Edward Z. Yang
Add %CSS.ForbiddenProperties directive.
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2010-09-04 02:59:03 -04:00
Edward Z. Yang
Add documentation about configuration directive types.
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2010-09-04 02:28:53 -04:00