NEWS ( CHANGELOG and HISTORY ) HTMLPurifier ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| = KEY ==================== # Breaks back-compat ! Feature - Bugfix + Sub-comment . Internal change ========================== 1.3.0, unknown release date (major feature release) 1.2.1, unknown release date (bugfix/minor feature release, may be dropped if 1.2.0 is stable) 1.2.0, released 2006-11-19 # ID attributes now disabled by default. New directives: + %HTML.EnableAttrID - restores old behavior by allowing IDs + %Attr.IDPrefix - %Attr.IDBlacklist alternative that munges all user IDs so that they don't collide with your IDs + %Attr.IDPrefixLocal - Same as above, but for when there are multiple instances of user content on the page + Profuse documentation on how to use these available in docs/enduser-id.txt ! Added MODx plugin ! Added percent encoding normalization ! XSS attacks smoketest given facelift ! Configuration documentation now has table of contents ! Added %URI.DisableExternal, which prevents links to external websites. You can also use %URI.Host to permit absolute linking to subdomains ! Non-accessible resources (ex. mailto) blocked from embedded URIs (img src) - Type variable in HTMLDefinition was not being set properly, fixed - Documentation updated + TODO added request Phalanger + TODO added request Native compression + TODO added request Remove redundant tags + TODO added possible plaintext formatter for HTML Purifier documentation + Updated ConfigDoc TODO + Improved inline comments in AttrDef/Class.php, AttrDef/CSS.php and AttrDef/Host.php + Revamped documentation into HTML, along with misc updates - HTMLPurifier_Context doesn't throw a variable reference error if you attempt to retrieve a non-existent variable . Switched to purify()-wide Context object registry . Refactored unit tests to minimize duplication . XSS attack sheet updated . configdoc.xml now has xml:space attached to default value nodes . Allow configuration directives to permit null values . Cleaned up test-cases to remove unnecessary swallowErrors() 1.1.2, released 2006-09-30 ! Add HTMLPurifier.auto.php stub file that configures include_path - Documentation updated + INSTALL document rewritten + TODO added semi-lossy conversion + API Doxygen docs' file exclusions updated + Added notes on HTML versus XML attribute whitespace handling + Noted that HTMLPurifier_ChildDef_Custom isn't being used + Noted that config object's definitions are cached versions - Fixed lack of attribute parsing in HTMLPurifier_Lexer_PEARSax3 - ftp:// URIs now have their typecodes checked - Hooked up HTMLPurifier_ChildDef_Custom's unit tests (they weren't being run) . Line endings standardized throughout project (svn:eol-style standardized) . Refactored parseData() to general Lexer class . Tester named "HTML Purifier" not "HTMLPurifier" 1.1.1, released 2006-09-24 ! Configuration option to optionally Tidy up output for indentation to make up for dropped whitespace by DOMLex (pretty-printing for the entire application should be done by a page-wide Tidy) - Various documentation updates - Fixed parse error in configuration documentation script - Fixed fatal error in benchmark scripts, slightly augmented - As far as possible, whitespace is preserved in-between table children - Sample test-settings.php file included 1.1.0, released 2006-09-16 ! Directive documentation generation using XSLT ! XHTML can now be turned off, output becomes
- Made URI validator more forgiving: will ignore leading and trailing quotes, apostrophes and less than or greater than signs. - Enforce alphanumeric namespace and directive names for configuration. - Table child definition made more flexible, will fix up poorly ordered elements . Renamed ConfigDef to ConfigSchema 1.0.1, released 2006-09-04 - Fixed slight bug in DOMLex attribute parsing - Fixed rejection of case-insensitive configuration values when there is a set of allowed values. This manifested in %Core.Encoding. - Fixed rejection of inline style declarations that had lots of extra space in them. This manifested in TinyMCE. 1.0.0, released 2006-09-01 ! Shorthand CSS properties implemented: font, border, background, list-style ! Basic color keywords translated into hexadecimal values ! Table CSS properties implemented ! Support for charsets other than UTF-8 (defined by iconv) ! Malformed UTF-8 and non-SGML character detection and cleaning implemented - Fixed broken numeric entity conversion - API documentation completed . (HTML|CSS)Definition de-singleton-ized 1.0.0beta, released 2006-08-16 ! First public release, most functionality implemented. Notable omissions are: + Shorthand CSS properties + Table CSS properties + Deprecated attribute transformations