TODO List = KEY ==================== # Flagship - Regular ? At-risk ========================== 1.4 release # More extensive URI filtering schemes (see docs/proposal-new-directives.txt) # Allow for background-image and list-style-image (intrinsically tied to above) - Aggressive caching ? Rich set* methods and config file loaders for HTMLPurifier_Config ? Configuration profiles: sets of directives that get set with one func call ? ConfigSchema directive aliases (so we can rename some of them) ? URI validation routines tighter (see docs/dev-code-quality.html) (COMPLEX) 1.5 release # Error logging for filtering/cleanup procedures - Requires I18N facilities to be created first (COMPLEX) 1.6 release # Add pre-packaged "levels" of cleaning (custom behavior already done) - More fine-grained control over escaping behavior - Silently drop content inbetween SCRIPT tags (can be generalized to allow specification of elements that, when detected as foreign, trigger removal of children, although unbalanced tags could wreck havoc (or at least delete the rest of the document)). 1.7 release # Additional support for poorly written HTML - Implement all non-essential attribute transforms (BIG!) - Microsoft Word HTML cleaning (i.e. MsoNormal, but research essential!) - Friendly strict handling of
(block ->or related tags) - Win32 Phalanger C# binaries (?) - Remove redundant tags, ex. Underlined. Implementation notes: 1. Analyzing which tags to remove duplicants 2. Ensure attributes are merged into the parent tag 3. Extend the tag exclusion system to specify whether or not the contents should be dropped or not (currently, there's code that could do something like this if it didn't drop the inner text too.) - More user-friendly warnings when %HTML.Allow* attempts to specify a tag or attribute that is not supported - Allow specifying global attributes on a tag-by-tag basis in %HTML.AllowAttributes - Parse TinyMCE whitelist into our %HTML.Allow whitelists - XSS-attempt detection Wontfix - Non-lossy smart alternate character encoding transformations (unless patch provided) - Pretty-printing HTML, users can use Tidy on the output on entire page