news/2008/0619-3.1.1-released.xhtml

   1 <?xml version="1.0" encoding="UTF-8"?>
   2 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   3   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
   4 <html
   5   xmlns="http://www.w3.org/1999/xhtml"
   6   xmlns:xi="http://www.w3.org/2001/XInclude"
   7   xmlns:xc="urn:xhtml-compiler"
   8   xc:news="yes"
   9   xml:lang="en">
  10 <head>
  11   <title>HTML Purifier 3.1.1 released - News - HTML Purifier</title>
  12   <xi:include href="common-meta.xml" xpointer="xpointer(/*/node())" />
  13   <meta name="Date" content="Thu, 19 June 2008 17:57:00 EST" />
  14 </head>
  15 <body>
  16
  17 <xi:include href="common-header.xml" xpointer="xpointer(/*/node())" />
  18
  19 <div id="main">
  20 <h1 id="title">HTML Purifier 3.1.1 released</h1>
  21
  22 <div id="content">
  23   <p>
  24     HTML Purifier 3.1.1 is a security and bugfix release. This release addresses
  25     two security vulnerabilities, both related to <abbr>CSS</abbr>, and one of which only
  26     applies to users using Shift_JIS as their output encoding. There is also
  27     a security improvement regarding the imagecrash attack. There is a backwards
  28     incompatible change with %URI.Munge, in which resources are no longer munged
  29     by default; please enable using %URI.MungeResources. Besides this, there
  30     are numerous improvements to <abbr>URI</abbr> munging, esp. with the addition of
  31     %URI.MungeSecretKey, as well as an experimental implementation of
  32     %HTML.SafeObject and %HTML.SafeEmbed. There are also some memory optimizations.
  33   </p>
  34   <p>
  35     As a security release, please update as quickly as possible. Care has been
  36     taken to prevent backwards-compatibiilty breakage this time (something that
  37     plagued users who tried to upgrade to 3.1.0), there is only one slight break
  38     related to a bugfix that can be easily undone with %URI.MungeResources.
  39   </p>
  40   <p>
  41     See <a href="http://htmlpurifier.org/svnroot/htmlpurifier/tags/3.1.1/NEWS">NEWS</a>
  42     for a complete changelog. There were numerous added configuration directives
  43     not mentioned above.
  44   </p>
  45   <p>
  46     Along with this release, we would like to announce full disclosure on
  47     the security vulnerability patched in 3.1.0. Please see
  48     <a href="security/2008/http-protocol-removal.html" xc:absolute="href"><abbr>HTTP</abbr> Protocol Removal</a>
  49     for more information about the vulnerability affecting versions prior
  50     to 3.1.0 and 2.1.4.
  51   </p>
  52   <p>
  53     Finally, the security fixes and bug fixes were backported to our PHP4
  54     branch with the release of HTML Purifier 2.1.5. See
  55     <a href="http://htmlpurifier.org/svnroot/htmlpurifier/tags/2.1.5/NEWS">NEWS (PHP4)</a>
  56     for a complete changelog.
  57   </p>
  58 </div>
  59 </div>
  60 </body>
  61 </html>