NEWS ( CHANGELOG and HISTORY ) HTMLPurifier
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||

= KEY ====================
==========================

1.4.0, unknown release date
! Implemented list-style-image, URIs now allowed in list-style
! Implemented background-image, background-repeat and background-attachment
  CSS properties. background shorthand property HAS NOT been extended
  to allow these, and background-position IS NOT implemented yet.
! Configuration documentation looks nicer
! Added smoketest 'all.php', which loads all other smoketests via frames
. Implemented AttrDef_CSSURI for url(http://google.com) style declarations

1.3.3, unknown release date, likely to be dropped
! Moved SLOW to docs/enduser-slow.html and added code examples

1.3.2, released 2006-12-25
! HTMLPurifier object now accepts configuration arrays, no need to manually
  instantiate a configuration object
! Context object now accessible to outside
! Added enduser-youtube.html, explains how to embed YouTube videos. See
  also corresponding smoketest preserveYouTube.php.
! Added purifyArray(), which takes a list of HTML and purifies it all
! Added static member variable $version to HTML Purifier with PHP-compatible
  version number string.
- Fixed fatal error thrown by upper-cased language attributes
- printDefinition.php: added labels, added better clarification
. HTMLPurifier_Config::create() added, takes mixed variable and converts into
  a HTMLPurifier_Config object.

1.3.1, released 2006-12-06
! Added HTMLPurifier.func.php stub for a convenient function to call the library
- Fixed bug in RemoveInvalidImg code that caused all images to be dropped
  (thanks to .mario for reporting this)
. Standardized all attribute handling variables to attr, made it plural

1.3.0, released 2006-11-26
# Invalid images are now removed, rather than replaced with a dud
  <img src="" alt="Invalid image" />. Previous behavior can be restored
  with new directive %Core.RemoveInvalidImg set to false.
! (X)HTML Strict now supported
  + Transparently handles inline elements in block context (blockquote)
! Added GET method to demo for easier validation, added 50kb max input size
! New directive %HTML.BlockWrapper, for block-ifying inline elements
! New directive %HTML.Parent, allows you to only allow inline content
! New directives %HTML.AllowedElements and %HTML.AllowedAttributes to let
  users narrow the set of allowed tags
! <li value="4"> and <ul start="2"> now allowed in loose mode
! New directives %URI.DisableExternalResources and %URI.DisableResources
! New directive %Attr.DisableURI, which eliminates all hyperlinking
! New directive %URI.Munge, munges URI so you can use some sort of redirector
  service to avoid PageRank leaks or warn users that they are exiting your site.
! Added spiffy new smoketest printDefinition.php, which lets you twiddle with
  the configuration settings and see how the internal rules are affected.
! New directive %URI.HostBlacklist for blocking links to bad hosts.
  xssAttacks.php smoketest updated accordingly.
- Added missing type to ChildDef_Chameleon
- Remove Tidy option from demo if Tidy is not available
. ChildDef_Required guards against empty tags
. Lookup table HTMLDefinition->info_flow_elements added
. Added peace-of-mind variable initialization to Strategy_FixNesting
. Added HTMLPurifier->info_parent_def, parent child processing made special
. Added internal documents briefly summarizing future progression of HTML
. HTMLPurifier_Config->getBatch($namespace) added
. More lenient casting to bool from string in HTMLPurifier_ConfigSchema
. Refactored ChildDef classes into their own files

1.2.0, released 2006-11-19
# ID attributes now disabled by default. New directives:
  + %HTML.EnableAttrID - restores old behavior by allowing IDs
  + %Attr.IDPrefix - %Attr.IDBlacklist alternative that munges all user IDs
    so that they don't collide with your IDs
  + %Attr.IDPrefixLocal - Same as above, but for when there are multiple
    instances of user content on the page
  + Profuse documentation on how to use these available in docs/enduser-id.txt
! Added MODx plugin <http://modxcms.com/forums/index.php/topic,6604.0.html>
! Added percent encoding normalization
! XSS attacks smoketest given facelift
! Configuration documentation now has table of contents
! Added %URI.DisableExternal, which prevents links to external websites. You
  can also use %URI.Host to permit absolute linking to subdomains
! Non-accessible resources (ex. mailto) blocked from embedded URIs (img src)
- Type variable in HTMLDefinition was not being set properly, fixed
- Documentation updated
  + TODO added request Phalanger
  + TODO added request Native compression
  + TODO added request Remove redundant tags
  + TODO added possible plaintext formatter for HTML Purifier documentation
  + Updated ConfigDoc TODO
  + Improved inline comments in AttrDef/Class.php, AttrDef/CSS.php
  + Revamped documentation into HTML, along with misc updates
- HTMLPurifier_Context doesn't throw a variable reference error if you attempt
  to retrieve a non-existent variable
. Switched to purify()-wide Context object registry
. Refactored unit tests to minimize duplication
. XSS attack sheet updated
. configdoc.xml now has xml:space attached to default value nodes
. Allow configuration directives to permit null values
. Cleaned up test-cases to remove unnecessary swallowErrors()

1.1.2, released 2006-09-30
! Add HTMLPurifier.auto.php stub file that configures include_path
- Documentation updated
  + INSTALL document rewritten
  + TODO added semi-lossy conversion
  + API Doxygen docs' file exclusions updated
  + Added notes on HTML versus XML attribute whitespace handling
  + Noted that HTMLPurifier_ChildDef_Custom isn't being used
  + Noted that config object's definitions are cached versions
- Fixed lack of attribute parsing in HTMLPurifier_Lexer_PEARSax3
- ftp:// URIs now have their typecodes checked
- Hooked up HTMLPurifier_ChildDef_Custom's unit tests (they weren't being run)
. Line endings standardized throughout project (svn:eol-style standardized)
. Refactored parseData() to general Lexer class
. Tester named "HTML Purifier" not "HTMLPurifier"

1.1.1, released 2006-09-24
! Configuration option to optionally Tidy up output for indentation to make up
  for dropped whitespace by DOMLex (pretty-printing for the entire application
  should be done by a page-wide Tidy)
- Various documentation updates
- Fixed parse error in configuration documentation script
- Fixed fatal error in benchmark scripts, slightly augmented
- As far as possible, whitespace is preserved in-between table children
- Sample test-settings.php file included

1.1.0, released 2006-09-16
! Directive documentation generation using XSLT
! XHTML can now be turned off, output becomes <br>
- Made URI validator more forgiving: will ignore leading and trailing
  quotes, apostrophes and less than or greater than signs.
- Enforce alphanumeric namespace and directive names for configuration.
- Table child definition made more flexible, will fix up poorly ordered elements
. Renamed ConfigDef to ConfigSchema

1.0.1, released 2006-09-04
- Fixed slight bug in DOMLex attribute parsing
- Fixed rejection of case-insensitive configuration values when there is a
  set of allowed values. This manifested in %Core.Encoding.
- Fixed rejection of inline style declarations that had lots of extra
  space in them. This manifested in TinyMCE.

1.0.0, released 2006-09-01
! Shorthand CSS properties implemented: font, border, background, list-style
! Basic color keywords translated into hexadecimal values
! Table CSS properties implemented
! Support for charsets other than UTF-8 (defined by iconv)
! Malformed UTF-8 and non-SGML character detection and cleaning implemented
- Fixed broken numeric entity conversion
- API documentation completed
. (HTML|CSS)Definition de-singleton-ized

1.0.0beta, released 2006-08-16
! First public release, most functionality implemented. Notable omissions are:
  + Shorthand CSS properties
  + Table CSS properties
  + Deprecated attribute transformations