Complete migration to new News format.

[htmlpurifier-web.git] / news / 2008 / 3.1.0rc1-released.xhtml

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html
  xmlns="http://www.w3.org/1999/xhtml"
  xmlns:xi="http://www.w3.org/2001/XInclude"
  xmlns:xc="urn:xhtml-compiler"
  xml:lang="en">
<head>
  <title>3.1.0 Release Candidate - News - HTML Purifier</title>
  <xi:include href="common-meta.xml" xpointer="xpointer(/*/node())" />
  <meta name="description" content="Release candidate notice for HTML Purifier 3.1.0rc1." />
  <meta name="keywords" content="HTMLPurifier, HTML Purifier, HTML, filter, filtering, standards, compliant, 3.1.0, 3.1.0rc1, candidate, release, version, news" />
</head>
<body>

<xi:include href="common-header.xml" xpointer="xpointer(/*/node())" />
<h1 id="title">3.1.0 Release Candidate</h1>

<div id="content">

<p>
    It's never happened before; HTML Purifier is now having its first ever
    release candidate! Not since the beta-days has such a momentous event
    occurred!
</p>

<p>
    All joking aside, there have been some serious changes in the way HTML
    Purifier is loaded on the developer-side; needless to say, I will not
    be surprised if you see a fat <strong>Fatal</strong> error when you drop
    in this release candidate. Some of them are intentional, some of them are
    not (well, I hope not!) I need your help to iron out bugs stemming from
    different system configurations before I do the official release.
</p>

<blockquote class="digression">
    <p>
        If you are a <em>new</em> user, you can treat this version as stable and
        use it normally. The main uncertainty is with regards to upgrade
        paths.
    </p>
</blockquote>

<p>
    So, if you are willing and ready, grab a copy, and then read on...
</p>

<xi:include href="download-box.xml" xpointer="xpointer(/*/node())" />

<h2>Autoloading</h2>

<p>
    Autoloading is singularly the largest architectural change in HTML
    Purifier, and under certain circumstances, can give you a hefty performance
    boost too (not using the autoloader, but hold onto that thought for a moment).
    Previously, HTML Purifier loaded everything it needed from <em>HTMLPurifier.php</em>.
    Things have changed a little. I've investigated this thoroughly, and the
    following cases will require some
    user intervention:
</p>

<h3>You're a <acronym>PEAR</acronym> user</h3>

<p>
    Previously, I told you to use this code:
</p>

<pre>require_once 'HTMLPurifier.php';</pre>

<p>
    This will no longer be sufficient, because it doesn't register HTML Purifier's
    autoloader. Replace the line with:
</p>

<pre>require_once 'HTMLPurifier.auto.php';</pre>

<h3>You included HTMLPurifier.php directly</h3>

<p>
    Follow the same instructions as a <acronym>PEAR</acronym> user.
</p>

<h3>You are already using autoloading, and are on a version of PHP earlier than 5.1.2</h3>

<p>
    In early versions of PHP 5, there was no way to register multiple autoload
    handlers (with <code>spl_autoload_register</code>). You will need to
    manually modify your autoloader to get HTML Purifier to play nice with it.
</p>

<p>Suppose your autoload function looks like this:</p>

<pre>function __autoload($class) {
    require str_replace('_', '/', $class) . '.php';
    return true;
}</pre>
        
<p>A modified version with HTML Purifier would look like this:</p>

<pre>function __autoload($class) {
    if (HTMLPurifier_Bootstrap::autoload($class)) return true;
    require str_replace('_', '/', $class) . '.php';
    return true;
}</pre>

<p>
    Make sure you call <code>HTMLPurifier_Bootstrap::autoload()</code> first,
    because it will ignore class names that aren't prefixed with HTMLPurifier.
</p>

<h3>You are already using autoloading, and are on PHP 5.1.2+</h3>

<p>
    Congratulations; you probably won't need to make any modifications.
    However, it's worth taking a look whether or not you are using
    <code>__autoload</code> or <code>spl_autoload_register</code>. If it's the
    former, you may want to consider adding this line of code to your
    application:
</p>

<pre>spl_autoload_register('__autoload');</pre>

<p>
    This is a good idea because <code>spl_autoload_register</code> overrides
    any <code>__autoload</code> function, so if a misbehaving library (not HTML Purifier,
    of course!) registers its
    own autoloader function, yours will mysteriously stop working. You are
    <em>required</em> to do this if your autoloader is defined <em>after</em>
    HTML Purifier's autoloader is called.
</p>

<h3>Some extra notes</h3>

<p>
    With those modifications, your HTML Purifier installation should not be
    fatally error'ing out. If it is, please <a href="http://htmlpurifier.org/phorum/list.php?3">post
    in the Support forums</a> and I'll try to help and figure it out.
</p>

<p>
    If you've got things working, and would like to try some of the newest features
    out, check out the following files:
</p>

<dl>
    <dt><strong>HTMLPurifier.includes.php</strong></dt>
    <dd>This is the performance-friendly file I was talking about earlier. If you
    use this, you don't need the autoloader at all&mdash;just swap 'auto' with
    'includes'. The downside is that if you are using any non-standard classes,
    you'll need to include them manually.</dd>
    
    <dt><strong>HTMLPurifier.kses.php</strong></dt>
    <dd>On the prompting of Lukasz Pilorz, I wrote a little wrapper for
    HTML Purifier using the kses interface. It's pretty neat and works with
    kses's configuration parameters, so check it out if you've got some
    legacy code you want to migrate.</dd>
    
    <dt><strong>HTMLPurifier.safe-includes.php</strong></dt>
    <dd>This is the not-so-performance-friendly counterpart of
    HTMLPurifier.includes.php. On the plus side, however, it doesn't need
    autoload, and it can be included from anywhere with impunity.</dd>
</dl>

<h2>Filters</h2>

<p>
    The interface for registering filters changed slightly. You may have noticed
    some <code>E_USER_WARNING</code>s emitting from code that looks like:
</p>

<pre><![CDATA[$purifier = new HTMLPurifier();
require_once 'HTMLPurifier/Filter/YouTube.php';
$purifier->addFilter(new HTMLPurifier_Filter_YouTube());]]></pre>

<p>
    We've replaced <code>addFilter()</code> with some new configuration directives.
    Combined with autoloading, the above code turns into:
</p>

<pre><![CDATA[$config = HTMLPurifier_Config::createDefault();
$config->set('Filter', 'YouTube', true);
$purifier = new HTMLPurifier($config);]]></pre>

<p>
    If you're using a custom filter, you'll need some slightly different code:
</p>

<pre><![CDATA[$config = HTMLPurifier_Config::createDefault();
$config->set('Filter', 'Custom', array(
    new YourCustomFilter()
));
$purifier = new HTMLPurifier($config);]]></pre>

<h2>Everything else...</h2>

<p>
    There may be a few miscellaneous warnings left. If your error-reporting
    level includes notices, you might see HTML Purifier complaining about
    the usage of deprecated aliases. Don't worry: I'm not going to remove
    those aliases, but from a performance standpoint it's a good idea to
    convert the old directive to the new directive.
</p>

<p>
    From there, it gets highly internal. If you've been making custom modules
    for yourself, please note that the signature of
    <code>HTMLPurifier_HTMLModule->addElement()</code> has changed; there is
    no more <code>$safe</code> parameter. <em>However</em>, there was no
    <code>$safe</code> parameter to begin with in
    <code>HTMLPurifier_HTMLDefinition->addElement()</code>, so users of that
    method don't have to worry about this change. For the curious, this change
    is indicative of the shift from element-based safety to module-based
    safety. Once I implement more elements and attributes for trusted mode,
    there will be more documentation for this.
</p>

<p>
    Finally, the static methods in <code>HTMLPurifier_ConfigSchema</code>
    were deprecated. They probably still work, although they're not being
    actively tested now. If you need to add custom configuration to HTML
    Purifier, retrieve a copy of the schema using 
    <code>HTMLPurifier_ConfigSchema::instance()</code> and then operating
    on it using the <code>add*()</code> methods. Some of the method
    signatures have changed, most notably there's an extra 
    <code>$allowsNull</code> parameter after <code>$type</code> in
    <code>add()</code>. Extensible configuration
    is somewhat an unknown, so if you have definitive use-cases you'd like to
    share with me and influence the architecture of this, please say so.
    Please <em>do not</em> add your own files to the <code>schema/</code>
    directory unless you plan on submitting your changes for incorporation
    with the core. For information on how this subsystem works, check out
    <a href="http://htmlpurifier.org/docs/dev-config-schema.html">the documentation
    on Config Schema</a>.
</p>

<h2>New features!</h2>

<p>
    Thanks for putting up with all that backwards-compatibility documentation!
    Now we get to the fun stuff: new features. The new features are mostly
    all configuration directives:
</p>

<ul>
    <li><a href="http://htmlpurifier.org/live/configdoc/plain.html#HTML.Proprietary">%HTML.Proprietary</a>
    - Enables some proprietary <abbr>HTML</abbr> elements like <code>marquee</code>.</li>
    <li><a href="http://htmlpurifier.org/live/configdoc/plain.html#CSS.AllowImportant">%CSS.AllowImportant</a>
    - Enables the !important selector in <abbr>CSS</abbr> code, most useful
      in conjunction with the ExtractStyleBlocks filter.</li>
    <li><a href="http://htmlpurifier.org/live/configdoc/plain.html#CSS.AllowTricky">%CSS.AllowTricky</a>
    - Enables some possibly mischevious <abbr>CSS</abbr> properties, namely <code>display</code> and <code>visibility</code></li>
    <li><a href="http://htmlpurifier.org/live/configdoc/plain.html#CSS.AllowedProperties">%CSS.AllowedProperties</a>
    - Allows you to control which CSS properties you would like to allow</li>
    <li><a href="http://htmlpurifier.org/live/configdoc/plain.html#HTML.ForbiddenAttributes">%HTML.ForbiddenAttributes</a>
    - Allows you to blacklist certain HTML attributes</li>
    <li><a href="http://htmlpurifier.org/live/configdoc/plain.html#HTML.ForbiddenElements">%HTML.ForbiddenElements</a>
    - Allows you to blacklist certain HTML elements</li>
</ul>

<p>
    As usual, see <a href="http://htmlpurifier.org/svnroot/htmlpurifier/tags/3.1.0rc1/NEWS">the NEWS</a> for a full list of enhancements
    and bugfixes.
</p>

</div>

</body>
</html>