1 NEWS ( CHANGELOG and HISTORY ) HTMLPurifier
2 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
4 = KEY ====================
10 ==========================
12 3.1.0, unknown release date
13 # Autoload support added. Internal require_once's removed in favor of an
14 explicit require list or autoloading. To use HTML Purifier,
15 you must now either use HTMLPurifier.auto.php
16 or HTMLPurifier.includes.php; setting the include path and including
17 HTMLPurifier.php is insufficient--in such cases include HTMLPurifier.autoload.php
18 as well to register our autoload handler (or modify your autoload function
19 to check HTMLPurifier_Bootstrap::getPath($class)).
20 # HTMLPurifier_ConfigSchema static functions are officially deprecated. Schema
21 information is stored in the ConfigSchema directory, and the
22 maintenance/generate-schema-cache.php generates the schema.ser file, which
23 is now instantiated. Support for userland schema changes coming soon!
24 ! Extra utility classes for testing and non-library operations can
25 be found in extras/. Specifically, these are FSTools and ConfigSchema.
26 You may find a use for these in your own project, but right now they
27 are highly experimental and volatile.
28 ! Integration with PHPT allows for automated smoketests
29 ! Limited support for proprietary HTML elements, namely <marquee>, sponsored
30 by Chris. You can enable them with %HTML.Proprietary if your client
32 ! Support for !important CSS cascade modifier. By default, this will be stripped
33 from CSS, but you can enable it using %CSS.AllowImportant
34 ! Support for display and visibility CSS properties added, set %CSS.AllowTricky
36 ! HTML Purifier now has its own Exception hierarchy under HTMLPurifier_Exception.
37 Developer error (not enduser error) can cause these to be triggered.
38 - Autoclose now operates iteratively, i.e. <span><span><div> now has
39 both span tags closed.
40 - Various HTMLPurifier_Config convenience functions now accept another parameter
41 $schema which defines what HTMLPurifier_ConfigSchema to use besides the
43 - Fix bug with trusted script handling in libxml versions later than 2.6.28.
44 - Fix bug in ExtractStyleBlocks with comments in style tags
45 - Fix bug in comment parsing for DirectLex
46 - Flush output now displayed when in command line mode for unit tester
47 . Plugins now get their own changelogs according to project conventions.
48 . Convert tokens to use instanceof, reducing memory footprint and
49 improving comparison speed.
50 . Dry runs now supported in SimpleTest; testing facilities improved
51 . Bootstrap class added for handling autoloading functionality
52 . Implemented recursive glob at FSTools->globr
53 . ConfigSchema now has instance methods for all corresponding define*
55 . A couple of new historical maintenance scripts were added.
56 . HTMLPurifier/HTMLModule/Tidy/XHTMLAndHTML4.php split into two files
57 . tests/index.php can now be run from any directory.
58 . HTMLPurifier_Token subclasses split into seperate files
59 . HTMLPURIFIER_PREFIX now is defined in Bootstrap.php, NOT HTMLPurifier.php
60 . HTMLPURIFIER_PREFIX can now be defined outside of HTML Purifier
61 . New --php=php flag added, allows PHP executable to be specified (command
63 . htmlpurifier_add_test() preferred method to translate test files in to
64 classes, because it handles PHPT files too.
65 . Debugger class is deprecated and will be removed soon.
66 . Command line argument parsing for testing scripts revamped, now --opt value
68 . Smoketests now cleanup after magic quotes
69 . Generator now can output comments (however, comments are still stripped
70 from HTML Purifier output)
71 . substr_count PHP4 compatibility cludge removed
73 3.0.0, released 2008-01-06
74 # HTML Purifier is PHP 5 only! The 2.1.x branch will be maintained
75 until PHP 4 is completely deprecated, but no new features will be added
77 + Visibility declarations added
78 + Constructor methods renamed to __construct()
79 + PHP4 reference cruft removed (in progress)
80 ! CSS properties are now case-insensitive
81 ! DefinitionCacheFactory now can register new implementations
82 ! New HTMLPurifier_Filter_ExtractStyleBlocks for extracting <style> from
83 documents and cleaning their contents up. Requires the CSSTidy library
84 <http://csstidy.sourceforge.net/>. You can access the blocks with the
85 'StyleBlocks' Context variable ($purifier->context->get('StyleBlocks')).
86 The output CSS can also be "scoped" for a specific element, use:
87 %Filter.ExtractStyleBlocksScope
88 ! Experimental support for some proprietary CSS attributes allowed:
89 opacity (and all of the browser-specific equivalents) and scrollbar colors.
90 Enable by setting %CSS.Proprietary to true.
91 - Colors missing # but in hex form will be corrected
92 - CSS Number algorithm improved
93 - Unit testing and multi-testing now on steroids: command lines,
94 XML output, and other goodies now added.
95 . Unit tests for Injector improved
97 + HTMLPurifier_AttrDef_CSS_AlphaValue
98 + HTMLPurifier_AttrDef_CSS_Filter
99 . Multitest now has a file docblock
101 2.1.3, released 2007-11-05
102 ! tests/multitest.php allows you to test multiple versions by running
103 tests/index.php through multiple interpreters using `phpv` shell
104 script (you must provide this script!)
105 - Fixed poor include ordering for Email URI AttrDefs, causes fatal errors
107 - Injector algorithm further refined: off-by-one error regarding skip
108 counts for dormant injectors fixed
109 - Corrective blockquote definition now enabled for HTML 4.01 Strict
110 - Fatal error when <img> tag (or any other element with required attributes)
111 has 'id' attribute fixed, thanks NykO18 for reporting
112 - Fix warning emitted when a non-supported URI scheme is passed to the
113 MakeAbsolute URIFilter, thanks NykO18 (again)
114 - Further refine AutoParagraph injector. Behavior inside of elements
115 allowing paragraph tags clarified: only inline content delimeted by
116 double newlines (not block elements) are paragraphed.
117 - Buggy treatment of end tags of elements that have required attributes
118 fixed (does not manifest on default tag-set)
119 - Spurious internal content reorganization error suppressed
120 - HTMLDefinition->addElement now returns a reference to the created
121 element object, as implied by the documentation
122 - Phorum mod's HTML Purifier help message expanded (unreleased elsewhere)
123 - Fix a theoretical class of infinite loops from DirectLex reported
125 - Work around unnecessary DOMElement type-cast in PH5P that caused errors
127 - Work around PHP 4 SimpleTest lack-of-error complaining for one-time-only
128 HTMLDefinition errors, this may indicate problems with error-collecting
130 - Make ErrorCollectorEMock work in both PHP 4 and PHP 5
131 - Make PH5P work with PHP 5.0 by removing unnecessary array parameter typedef
132 . %Core.AcceptFullDocuments renamed to %Core.ConvertDocumentToFragment
133 to better communicate its purpose
134 . Error unit tests can now specify the expectation of no errors. Future
135 iterations of the harness will be extremely strict about what errors
137 . Extend Injector hooks to allow for more powerful injector routines
138 . HTMLDefinition->addBlankElement created, as according to the HTMLModule
140 . Doxygen configuration file updated, with minor improvements
141 . Test runner now checks for similarly named files in conf/ directory too.
142 . Minor cosmetic change to flush-definition-cache.php: trailing newline is
144 . Maintenance script for generating PH5P patch added, original PH5P source
145 file also added under version control
146 . Full unit test runner script title made more descriptive with PHP version
147 . Updated INSTALL file to state that 4.3.7 is the earliest version we
150 2.1.2, released 2007-09-03
151 ! Implemented Object module for trusted users
152 ! Implemented experimental HTML5 parsing mode using PH5P. To use, add
154 require_once 'HTMLPurifier/Lexer/PH5P.php';
155 $config->set('Core', 'LexerImpl', 'PH5P');
156 Note that this Lexer introduces some classes not in the HTMLPurifier
157 namespace. Also, this is PHP5 only.
158 ! CSS property border-spacing implemented
159 - Fix non-visible parsing error in DirectLex with empty tags that have
160 slashes inside attribute values.
161 - Fix typo in CSS definition: border-collapse:seperate; was incorrectly
162 accepted as valid CSS. Usually non-visible, because this styling is the
163 default for tables in most browsers. Thanks Brett Zamir for pointing
165 - Fix validation errors in configuration form
166 - Hammer out a bunch of edge-case bugs in the standalone distribution
167 - Inclusion reflection removed from URISchemeRegistry; you must manually
168 include any new schema files you wish to use
169 - Numerous typo fixes in documentation thanks to Brett Zamir
170 . Unit test refactoring for one logical test per test function
171 . Config and context parameters in ComplexHarness deprecated: instead, edit
172 the $config and $context member variables
173 . HTML wrapper in DOMLex now takes DTD identifiers into account; doesn't
174 really make a difference, but is good for completeness sake
175 . merge-library.php script refactored for greater code reusability and
178 2.1.1, released 2007-08-04
179 - Fix show-stopper bug in %URI.MakeAbsolute functionality
180 - Fix PHP4 syntax error in standalone version
181 . Add prefix directory to include path for standalone, this prevents
182 other installations from clobbering the standalone's URI schemes
183 . Single test methods can be invoked by prefixing with __only
185 2.1.0, released 2007-08-02
186 # flush-htmldefinition-cache.php superseded in favor of a generic
187 flush-definition-cache.php script, you can clear a specific cache
188 by passing its name as a parameter to the script
189 ! Phorum mod implemented for HTML Purifier
190 ! With %Core.AggressivelyFixLt, <3 and similar emoticons no longer
191 trigger HTML removal in PHP5 (DOMLex). This directive is not necessary
192 for PHP4 (DirectLex).
193 ! Standalone file now available, which greatly reduces the amount of
194 includes (although there are still a few files that reside in the
196 ! Relative URIs can now be transformed into their absolute equivalents
197 using %URI.Base and %URI.MakeAbsolute
198 ! Ruby implemented for XHTML 1.1
199 ! You can now define custom URI filtering behavior, see enduser-uri-filter.html
201 ! UTF-8 font names now supported in CSS
202 - AutoFormatters emit friendly error messages if tags or attributes they
204 - ConfigForm's compactification of directive names is now configurable
205 - AutoParagraph autoformatter algorithm refined after field-testing
206 - XHTML 1.1 now applies XHTML 1.0 Strict cleanup routines, namely
208 - Contents of <style> tags removed by default when tags are removed
209 . HTMLPurifier_Config->getSerial() implemented, this is extremely useful
210 for output cache invalidation
211 . ConfigForm printer now can retrieve CSS and JS files as strings, in
212 case HTML Purifier's directory is not publically accessible
213 . Introduce new text/itext configuration directive values: these represent
214 longer strings that would be more appropriately edited with a textarea
215 . Allow newlines to act as separators for lists, hashes, lookups and
217 . ConfigForm generates textareas instead of text inputs for lists, hashes,
218 lookups, text and itext fields
219 . Hidden element content removal genericized: %Core.HiddenElements can
220 be used to customize this behavior, by default <script> and <style> are
222 . Added HTMLPURIFIER_PREFIX constant, should be used instead of dirname(__FILE__)
223 . Custom ChildDef added to default include list
224 . URIScheme reflection improved: will not attempt to include file if class
225 already exists. May clobber autoload, so I need to keep an eye on it
226 . ConfigSchema heavily optimized, will only collect information and validate
227 definitions when HTMLPURIFIER_SCHEMA_STRICT is true.
228 . AttrDef_URI unit tests and implementation refactored
229 . benchmarks/ directory now protected from public view with .htaccess file;
230 run the tests via command line
231 . URI scheme is munged off if there is no authority and the scheme is the
233 . All unit tests inherit from HTMLPurifier_Harness, not UnitTestCase
234 . Interface for URIScheme changed
235 . Generic URI object to hold components of URI added, most systems involved
236 in URI validation have been migrated to use it
237 . Custom filtering for URIs factored out to URIDefinition interface for
238 maximum extensibility
240 2.0.1, released 2007-06-27
241 ! Tag auto-closing now based on a ChildDef heuristic rather than a
242 manually set auto_close array; some behavior may change
243 ! Experimental AutoFormat functionality added: auto-paragraph and
244 linkify your HTML input by setting %AutoFormat.AutoParagraph and
245 %AutoFormat.Linkify to true
246 ! Newlines normalized internally, and then converted back to the
247 value of PHP_EOL. If this is not desired, set your newline format
248 using %Output.Newline.
249 ! Beta error collection, messages are implemented for the most generic
250 cases involving Lexing or Strategies
251 - Clean up special case code for <script> tags
252 - Reorder includes for DefinitionCache decorators, fixes a possible
254 - Fixed bug where manually modified definitions were not saved via cache
255 (mostly harmless, except for the fact that it would be a little slower)
256 - Configuration objects with different serials do not clobber each
257 others when revision numbers are unequal
258 - Improve Serializer DefinitionCache directory permissions checks
259 - DefinitionCache no longer throws errors when it encounters old
260 serial files that do not conform to the current style
261 - Stray xmlns attributes removed from configuration documentation
262 - configForm.php smoketest no longer has XSS vulnerability due to
263 unescaped print_r output
264 - Printer adheres to configuration's directives on output format
265 - Fix improperly named form field in ConfigForm printer
266 . Rewire some test-cases to swallow errors rather than expect them
267 . HTMLDefinition printer updated with some of the new attributes
268 . DefinitionCache keys reordered to reflect precedence: version number,
269 hash, then revision number
270 . %Core.DefinitionCache renamed to %Cache.DefinitionImpl
271 . Interlinking in configuration documentation added using
272 Injector_PurifierLinkify
273 . Directives now keep track of aliases to themselves
274 . Error collector now requires a severity to be passed, use PHP's internal
275 error constants for this
276 . HTMLPurifier_Config::getAllowedDirectivesForForm implemented, allows
277 much easier selective embedding of configuration values
278 . Doctype objects now accept public and system DTD identifiers
279 . %HTML.Doctype is now constrained by specific values, to specify a custom
280 doctype use new %HTML.CustomDoctype
281 . ConfigForm truncates long directives to keep the form small, and does
282 not re-output namespaces
284 2.0.0, released 2007-06-20
285 # Completely refactored HTMLModuleManager, decentralizing safety
287 # Transform modules changed to Tidy modules, which offer more flexibility
288 and better modularization
289 # Configuration object now finalizes itself when a read operation is
290 performed on it, ensuring that its internal state stays consistent.
291 To revert this behavior, you can set the $autoFinalize member variable
292 off, but it's not recommended.
293 # New compact syntax for AttrDef objects that can be used to instantiate
294 new objects via make()
295 # Definitions (esp. HTMLDefinition) are now cached for a significant
296 performance boost. You can disable caching by setting %Core.DefinitionCache
297 to null. You CANNOT edit raw definitions without setting the corresponding
298 DefinitionID directive (%HTML.DefinitionID for HTMLDefinition).
299 # Contents between <script> tags are now completely removed if <script>
301 # Prototype-declarations for Lexer removed in favor of configuration
302 determination of Lexer implementations.
303 ! HTML Purifier now works in PHP 4.3.2.
304 ! Configuration form-editing API makes tweaking HTMLPurifier_Config a
306 ! Configuration directives that accept hashes now allow new string
307 format: key1:value1,key2:value2
308 ! ConfigDoc now factored into OOP design
309 ! All deprecated elements now natively supported
310 ! Implement TinyMCE styled whitelist specification format in
312 ! Config object gives more friendly error messages when things go wrong
313 ! Advanced API implemented: easy functions for creating elements (addElement)
314 and attributes (addAttribute) on HTMLDefinition
315 ! Add native support for required attributes
316 - Deprecated and removed EnableRedundantUTF8Cleaning. It didn't even work!
317 - DOMLex will not emit errors when a custom error handler that does not
318 honor error_reporting is used
319 - StrictBlockquote child definition refrains from wrapping whitespace
321 - Bug resulting from tag transforms to non-allowed elements fixed
322 - ChildDef_Custom's regex generation has been improved, removing several
324 . Unit test for ElementDef created, ElementDef behavior modified to
326 . Added convenience functions for HTMLModule constructors
327 . AttrTypes now has accessor functions that should be used instead
328 of directly manipulating info
329 . TagTransform_Center deprecated in favor of generic TagTransform_Simple
330 . Add extra protection in AttrDef_URI against phantom Schemes
331 . Doctype object added to HTMLDefinition which describes certain aspects
332 of the operational document type
333 . Lexer is now pre-emptively included, with a conditional include for the
335 . HTMLDefinition and CSSDefinition have a common parent class: Definition.
336 . DirectLex can now track line-numbers
337 . Preliminary error collector is in place, although no code actually reports
339 . Factor out most of ValidateAttributes to new AttrValidator class
341 1.6.1, released 2007-05-05
342 ! Support for more deprecated attributes via transformations:
343 + hspace and vspace in img
344 + size and noshade in hr
347 + align in caption, table, img and hr
348 + type in ul, ol and li
349 ! DirectLex now preserves text in which a < bracket is followed by
350 a non-alphanumeric character. This means that certain emoticons
352 ! %Core.RemoveInvalidImg is now operational, when set to false invalid
353 images will hang around with an empty src
354 ! target attribute in a tag supported, use %Attr.AllowedFrameTargets
356 ! CSS property white-space now allows nowrap (supported in all modern
357 browsers) but not others (which have spotty browser implementations)
358 ! XHTML 1.1 mode now sort-of works without any fatal errors, and
359 lang is now moved over to xml:lang.
360 ! Attribute transformation smoketest available at smoketests/attrTransform.php
361 ! Transformation of font's size attribute now handles super-large numbers
362 - Possibly fatal bug with __autoload() fixed in module manager
363 - Invert HTMLModuleManager->addModule() processing order to check
364 prefixes first and then the literal module
365 - Empty strings get converted to empty arrays instead of arrays with
366 an empty string in them.
367 - Merging in attribute lists now works.
368 . Demo script removed: it has been added to the website's repository
369 . Basic.php script modified to work out of the box
370 . Refactor AttrTransform classes to reduce duplication
371 . AttrTransform_TextAlign axed in favor of a more general
372 AttrTransform_EnumToCSS, refer to HTMLModule/TransformToStrict.php to
373 see how the new equivalent is implemented
374 . Unit tests now use exclusively assertIdentical
376 1.6.0, released 2007-04-01
377 ! Support for most common deprecated attributes via transformations:
378 + bgcolor in td, th, tr and table
381 + width in td, th and hr
383 ! Support for CSS attribute 'height' added
384 ! Support for rel and rev attributes in a tags added, use %Attr.AllowedRel
385 and %Attr.AllowedRev to activate
386 - You can define ID blacklists using regular expressions via
387 %Attr.IDBlacklistRegexp
388 - Error messages are emitted when you attempt to "allow" elements or
389 attributes that HTML Purifier does not support
390 - Fix segfault in unit test. The problem is not very reproduceable and
391 I don't know what causes it, but a six line patch fixed it.
393 1.5.0, released 2007-03-23
394 ! Added a rudimentary I18N and L10N system modeled off MediaWiki. It
395 doesn't actually do anything yet, but keep your eyes peeled.
396 ! docs/enduser-utf8.html explains how to use UTF-8 and HTML Purifier
397 ! Newly structured HTMLDefinition modeled off of XHTML 1.1 modules.
398 I am loathe to release beta quality APIs, but this is exactly that;
399 don't use the internal interfaces if you're not willing to do migration
401 - Allow 'x' subtag in language codes
402 - Fixed buggy chameleon-support for ins and del
403 . Added support for IDREF attributes (i.e. for)
404 . Renamed HTMLPurifier_AttrDef_Class to HTMLPurifier_AttrDef_Nmtokens
405 . Removed context variable ParentType, replaced with IsInline, which
406 is false when you're not inline and an integer of the parent that
407 caused you to become inline when you are (so possibly zero)
408 . Removed ElementDef->type in favor of ElementDef->descendants_are_inline
409 and HTMLDefinition->content_sets
410 . StrictBlockquote now reports what elements its supposed to allow,
411 rather than what it does allow
412 . Removed HTMLDefinition->info_flow_elements in favor of
413 HTMLDefinition->content_sets['Flow']
414 . Removed redundant "exclusionary" definitions from DTD roster
415 . StrictBlockquote now requires a construction parameter as if it
416 were an Required ChildDef, this is the "real" set of allowed elements
417 . AttrDef partitioned into HTML, CSS and URI segments
418 . Modify Youtube filter regexp to be multiline
419 . Require both PHP5 and DOM extension in order to use DOMLex, fixes
420 some edge cases where a DOMDocument class exists in a PHP4 environment
421 due to DOM XML extension.
423 1.4.1, released 2007-01-21
424 ! docs/enduser-youtube.html updated according to new functionality
425 - YouTube IDs can have underscores and dashes
427 1.4.0, released 2007-01-21
428 ! Implemented list-style-image, URIs now allowed in list-style
429 ! Implemented background-image, background-repeat, background-attachment
430 and background-position CSS properties. Shorthand property background
431 supports all of these properties.
432 ! Configuration documentation looks nicer
433 ! Added %Core.EscapeNonASCIICharacters to workaround loss of Unicode
434 characters while %Core.Encoding is set to a non-UTF-8 encoding.
435 ! Support for configuration directive aliases added
436 ! Config object can now be instantiated from ini files
437 ! YouTube preservation code added to the core, with two lines of code
438 you can add it as a filter to your code. See smoketests/preserveYouTube.php
440 ! Moved SLOW to docs/enduser-slow.html and added code examples
441 - Replaced version check with functionality check for DOM (thanks Stephen
443 . Added smoketest 'all.php', which loads all other smoketests via frames
444 . Implemented AttrDef_CSSURI for url(http://google.com) style declarations
445 . Added convenient single test selector form on test runner
447 1.3.2, released 2006-12-25
448 ! HTMLPurifier object now accepts configuration arrays, no need to manually
449 instantiate a configuration object
450 ! Context object now accessible to outside
451 ! Added enduser-youtube.html, explains how to embed YouTube videos. See
452 also corresponding smoketest preserveYouTube.php.
453 ! Added purifyArray(), which takes a list of HTML and purifies it all
454 ! Added static member variable $version to HTML Purifier with PHP-compatible
455 version number string.
456 - Fixed fatal error thrown by upper-cased language attributes
457 - printDefinition.php: added labels, added better clarification
458 . HTMLPurifier_Config::create() added, takes mixed variable and converts into
459 a HTMLPurifier_Config object.
461 1.3.1, released 2006-12-06
462 ! Added HTMLPurifier.func.php stub for a convenient function to call the library
463 - Fixed bug in RemoveInvalidImg code that caused all images to be dropped
464 (thanks to .mario for reporting this)
465 . Standardized all attribute handling variables to attr, made it plural
467 1.3.0, released 2006-11-26
468 # Invalid images are now removed, rather than replaced with a dud
469 <img src="" alt="Invalid image" />. Previous behavior can be restored
470 with new directive %Core.RemoveInvalidImg set to false.
471 ! (X)HTML Strict now supported
472 + Transparently handles inline elements in block context (blockquote)
473 ! Added GET method to demo for easier validation, added 50kb max input size
474 ! New directive %HTML.BlockWrapper, for block-ifying inline elements
475 ! New directive %HTML.Parent, allows you to only allow inline content
476 ! New directives %HTML.AllowedElements and %HTML.AllowedAttributes to let
477 users narrow the set of allowed tags
478 ! <li value="4"> and <ul start="2"> now allowed in loose mode
479 ! New directives %URI.DisableExternalResources and %URI.DisableResources
480 ! New directive %Attr.DisableURI, which eliminates all hyperlinking
481 ! New directive %URI.Munge, munges URI so you can use some sort of redirector
482 service to avoid PageRank leaks or warn users that they are exiting your site.
483 ! Added spiffy new smoketest printDefinition.php, which lets you twiddle with
484 the configuration settings and see how the internal rules are affected.
485 ! New directive %URI.HostBlacklist for blocking links to bad hosts.
486 xssAttacks.php smoketest updated accordingly.
487 - Added missing type to ChildDef_Chameleon
488 - Remove Tidy option from demo if there is not Tidy available
489 . ChildDef_Required guards against empty tags
490 . Lookup table HTMLDefinition->info_flow_elements added
491 . Added peace-of-mind variable initialization to Strategy_FixNesting
492 . Added HTMLPurifier->info_parent_def, parent child processing made special
493 . Added internal documents briefly summarizing future progression of HTML
494 . HTMLPurifier_Config->getBatch($namespace) added
495 . More lenient casting to bool from string in HTMLPurifier_ConfigSchema
496 . Refactored ChildDef classes into their own files
498 1.2.0, released 2006-11-19
499 # ID attributes now disabled by default. New directives:
500 + %HTML.EnableAttrID - restores old behavior by allowing IDs
501 + %Attr.IDPrefix - %Attr.IDBlacklist alternative that munges all user IDs
502 so that they don't collide with your IDs
503 + %Attr.IDPrefixLocal - Same as above, but for when there are multiple
504 instances of user content on the page
505 + Profuse documentation on how to use these available in docs/enduser-id.txt
506 ! Added MODx plugin <http://modxcms.com/forums/index.php/topic,6604.0.html>
507 ! Added percent encoding normalization
508 ! XSS attacks smoketest given facelift
509 ! Configuration documentation now has table of contents
510 ! Added %URI.DisableExternal, which prevents links to external websites. You
511 can also use %URI.Host to permit absolute linking to subdomains
512 ! Non-accessible resources (ex. mailto) blocked from embedded URIs (img src)
513 - Type variable in HTMLDefinition was not being set properly, fixed
514 - Documentation updated
515 + TODO added request Phalanger
516 + TODO added request Native compression
517 + TODO added request Remove redundant tags
518 + TODO added possible plaintext formatter for HTML Purifier documentation
519 + Updated ConfigDoc TODO
520 + Improved inline comments in AttrDef/Class.php, AttrDef/CSS.php
522 + Revamped documentation into HTML, along with misc updates
523 - HTMLPurifier_Context doesn't throw a variable reference error if you attempt
524 to retrieve a non-existent variable
525 . Switched to purify()-wide Context object registry
526 . Refactored unit tests to minimize duplication
527 . XSS attack sheet updated
528 . configdoc.xml now has xml:space attached to default value nodes
529 . Allow configuration directives to permit null values
530 . Cleaned up test-cases to remove unnecessary swallowErrors()
532 1.1.2, released 2006-09-30
533 ! Add HTMLPurifier.auto.php stub file that configures include_path
534 - Documentation updated
535 + INSTALL document rewritten
536 + TODO added semi-lossy conversion
537 + API Doxygen docs' file exclusions updated
538 + Added notes on HTML versus XML attribute whitespace handling
539 + Noted that HTMLPurifier_ChildDef_Custom isn't being used
540 + Noted that config object's definitions are cached versions
541 - Fixed lack of attribute parsing in HTMLPurifier_Lexer_PEARSax3
542 - ftp:// URIs now have their typecodes checked
543 - Hooked up HTMLPurifier_ChildDef_Custom's unit tests (they weren't being run)
544 . Line endings standardized throughout project (svn:eol-style standardized)
545 . Refactored parseData() to general Lexer class
546 . Tester named "HTML Purifier" not "HTMLPurifier"
548 1.1.1, released 2006-09-24
549 ! Configuration option to optionally Tidy up output for indentation to make up
550 for dropped whitespace by DOMLex (pretty-printing for the entire application
551 should be done by a page-wide Tidy)
552 - Various documentation updates
553 - Fixed parse error in configuration documentation script
554 - Fixed fatal error in benchmark scripts, slightly augmented
555 - As far as possible, whitespace is preserved in-between table children
556 - Sample test-settings.php file included
558 1.1.0, released 2006-09-16
559 ! Directive documentation generation using XSLT
560 ! XHTML can now be turned off, output becomes <br>
561 - Made URI validator more forgiving: will ignore leading and trailing
562 quotes, apostrophes and less than or greater than signs.
563 - Enforce alphanumeric namespace and directive names for configuration.
564 - Table child definition made more flexible, will fix up poorly ordered elements
565 . Renamed ConfigDef to ConfigSchema
567 1.0.1, released 2006-09-04
568 - Fixed slight bug in DOMLex attribute parsing
569 - Fixed rejection of case-insensitive configuration values when there is a
570 set of allowed values. This manifested in %Core.Encoding.
571 - Fixed rejection of inline style declarations that had lots of extra
572 space in them. This manifested in TinyMCE.
574 1.0.0, released 2006-09-01
575 ! Shorthand CSS properties implemented: font, border, background, list-style
576 ! Basic color keywords translated into hexadecimal values
577 ! Table CSS properties implemented
578 ! Support for charsets other than UTF-8 (defined by iconv)
579 ! Malformed UTF-8 and non-SGML character detection and cleaning implemented
580 - Fixed broken numeric entity conversion
581 - API documentation completed
582 . (HTML|CSS)Definition de-singleton-ized
584 1.0.0beta, released 2006-08-16
585 ! First public release, most functionality implemented. Notable omissions are:
586 + Shorthand CSS properties
587 + Table CSS properties
588 + Deprecated attribute transformations