Mark all news entries as "news", and style navigation appropriately.
[htmlpurifier-web.git] / news / 2008 / 0619-3.1.1-released.xhtml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xc="urn:xhtml-compiler"
xc:news="yes"
xml:lang="en">
<head>
<title>HTML Purifier 3.1.1 released - News - HTML Purifier</title>
<xi:include href="common-meta.xml" xpointer="xpointer(/*/node())" />
<meta name="Date" content="Thu, 19 June 2008 17:57:00 EST" />
</head>
<body>

<xi:include href="common-header.xml" xpointer="xpointer(/*/node())" />
<h1 id="title">HTML Purifier 3.1.1 released</h1>

<div id="content">
<p>
HTML Purifier 3.1.1 is a security and bugfix release. This release addresses
two security vulnerabilities, both related to <abbr>CSS</abbr>, one of which only
applies to users using Shift_JIS as their output encoding. There is also
a security improvement regarding the imagecrash attack. There is a
backwards-incompatible change with %URI.Munge, in which resources are no longer munged
by default; to restore the old behavior, enable %URI.MungeResources. Besides this, there
are numerous improvements to <abbr>URI</abbr> munging, especially the addition of
%URI.MungeSecretKey, as well as an experimental implementation of
%HTML.SafeObject and %HTML.SafeEmbed. There are also some memory optimizations.
</p>
<p>
As this is a security release, please update as quickly as possible. Care has been
taken to prevent backwards-compatibility breakage this time (something that
plagued users who tried to upgrade to 3.1.0); there is only one slight break,
related to a bugfix, that can be easily undone with %URI.MungeResources.
</p>
<p>
See <a href="http://htmlpurifier.org/svnroot/htmlpurifier/tags/3.1.1/NEWS">NEWS</a>
for a complete changelog. There were numerous added configuration directives
not mentioned above.
</p>
<p>
Along with this release, we would like to announce full disclosure on
the security vulnerability patched in 3.1.0. Please see
<a href="security/2008/http-protocol-removal.html" xc:absolute="href"><abbr>HTTP</abbr> Protocol Removal</a>
for more information about the vulnerability affecting versions prior
to 3.1.0 and 2.1.4.
</p>
<p>
Finally, the security fixes and bug fixes were backported to our PHP4
branch with the release of HTML Purifier 2.1.5. See
<a href="http://htmlpurifier.org/svnroot/htmlpurifier/tags/2.1.5/NEWS">NEWS (PHP4)</a>
for a complete changelog.
</p>
</div>
</body>
</html>