NEWS ( CHANGELOG and HISTORY )                                     HTMLPurifier
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||

= KEY ====================
    # Major feature
    ! Feature
    - Bugfix
      + Sub-comment
    . Internal change
==========================

1.4.0, unknown release date (around Christmas, hopefully)
(major feature release)

1.3.2, unknown release date, may be dropped
(security/bugfix/minor feature release)

1.3.1, released 2006-12-06
! Added HTMLPurifier.func.php stub for a convenient function to call the library
- Fixed bug in RemoveInvalidImg code that caused all images to be dropped
  (thanks to .mario for reporting this)
. Standardized all attribute handling variables to attr, made it plural

1.3.0, released 2006-11-26
# Invalid images are now removed, rather than replaced with a dud
  <img src="" alt="Invalid image" />. Previous behavior can be restored
  with new directive %Core.RemoveInvalidImg set to false.
! (X)HTML Strict now supported
  + Transparently handles inline elements in block context (blockquote)
! Added GET method to demo for easier validation, added 50kb max input size
! New directive %HTML.BlockWrapper, for block-ifying inline elements
! New directive %HTML.Parent, allows you to only allow inline content
! New directives %HTML.AllowedElements and %HTML.AllowedAttributes to let
  users narrow the set of allowed tags
! <li value="4"> and <ul start="2"> now allowed in loose mode
! New directives %URI.DisableExternalResources and %URI.DisableResources
! New directive %Attr.DisableURI, which eliminates all hyperlinking
! New directive %URI.Munge, munges URIs so you can use some sort of redirector
  service to avoid PageRank leaks or warn users that they are exiting your site.
! Added spiffy new smoketest printDefinition.php, which lets you twiddle with
  the configuration settings and see how the internal rules are affected.
! New directive %URI.HostBlacklist for blocking links to bad hosts.
  xssAttacks.php smoketest updated accordingly.
- Added missing type to ChildDef_Chameleon
- Remove Tidy option from demo if Tidy is not available
. ChildDef_Required guards against empty tags
. Lookup table HTMLDefinition->info_flow_elements added
. Added peace-of-mind variable initialization to Strategy_FixNesting
. Added HTMLPurifier->info_parent_def, parent child processing made special
. Added internal documents briefly summarizing future progression of HTML
. HTMLPurifier_Config->getBatch($namespace) added
. More lenient casting to bool from string in HTMLPurifier_ConfigSchema
. Refactored ChildDef classes into their own files
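The 1.3.0 directives above combine into a single allow-list configuration. The following is an added example written for this changelog, not code from the HTML Purifier project: it narrows the element and attribute set with %HTML.AllowedElements and %HTML.AllowedAttributes, switches to the strict doctype, and blocks embedded external resources and blacklisted hosts. It assumes HTMLPurifier.auto.php is on the include path and uses the single-string form of set() from later releases; the 1.x releases this file covers passed the namespace and directive name as two separate arguments, so adjust the calls for the version in use. The host name and the input markup are constructed for the example.

```php
<?php
// Added example (not HTML Purifier project code): an element/attribute
// allow-list plus resource restrictions built from the 1.3.0 directives.
// Assumes HTMLPurifier.auto.php is reachable via the include path and that
// set() accepts 'Namespace.Directive' (later releases; 1.x used two args).
require_once 'HTMLPurifier.auto.php';

function makeStrictPurifier()
{
    $config = HTMLPurifier_Config::createDefault();

    // Emit XHTML 1.0 Strict. Inline content that lands in block context is
    // wrapped in the %HTML.BlockWrapper element instead of being rejected.
    $config->set('HTML.Doctype', 'XHTML 1.0 Strict');

    // Allow-list of elements: any tag not listed is stripped, so unexpected
    // or scriptable elements never reach the output.
    $config->set('HTML.AllowedElements', 'p,br,a,img,ul,ol,li,blockquote,em,strong');

    // Allow-list of attributes, qualified by element. Event handlers and
    // style are simply not on the list.
    $config->set('HTML.AllowedAttributes', 'a.href,img.src,img.alt');

    // Embedded resources (img src) may only reference the local host.
    // Hyperlinks (a href) remain allowed; %URI.DisableExternal would also
    // block those.
    $config->set('URI.DisableExternalResources', true);

    // Hosts that must never be linked or embedded at all (constructed value).
    $config->set('URI.HostBlacklist', array('blocked-host.invalid'));

    // 1.3.0 default: an <img> whose src fails validation is removed outright
    // rather than replaced with a placeholder image.
    $config->set('Core.RemoveInvalidImg', true);

    return new HTMLPurifier($config);
}

// Constructed sample input that touches each of the rules above.
$dirty = '<div onclick="run()">Hello <b>world</b></div>'
       . '<img src="http://cdn.other-host.invalid/pic.png" alt="remote" />'
       . '<img src="/images/pic.png" alt="local" />'
       . '<a href="http://blocked-host.invalid/">blocked host</a>'
       . '<script>alert(1)</script>';

$clean = makeStrictPurifier()->purify($dirty);
echo $clean, "\n";
```

Each directive addresses a different class of risk: the two allow-lists bound the markup surface to what the application actually needs, %URI.DisableExternalResources stops user content from embedding third-party resources (tracking images, mixed content), and %URI.HostBlacklist gives a targeted block for known bad destinations without disabling linking entirely.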

1.2.0, released 2006-11-19
# ID attributes now disabled by default. New directives:
  + %HTML.EnableAttrID - restores old behavior by allowing IDs
  + %Attr.IDPrefix - %Attr.IDBlacklist alternative that munges all user IDs
    so that they don't collide with your IDs
  + %Attr.IDPrefixLocal - Same as above, but for when there are multiple
    instances of user content on the page
  + Profuse documentation on how to use these available in docs/enduser-id.txt
! Added MODx plugin <http://modxcms.com/forums/index.php/topic,6604.0.html>
! Added percent encoding normalization
! XSS attacks smoketest given facelift
! Configuration documentation now has table of contents
! Added %URI.DisableExternal, which prevents links to external websites. You
  can also use %URI.Host to permit absolute linking to subdomains
! Non-accessible resources (e.g. mailto) blocked from embedded URIs (img src)
- Type variable in HTMLDefinition was not being set properly, fixed
- Documentation updated
  + TODO added request Phalanger
  + TODO added request Native compression
  + TODO added request Remove redundant tags
  + TODO added possible plaintext formatter for HTML Purifier documentation
  + Updated ConfigDoc TODO
  + Improved inline comments in AttrDef/Class.php, AttrDef/CSS.php
  + Revamped documentation into HTML, along with misc updates
- HTMLPurifier_Context doesn't throw a variable reference error if you attempt
  to retrieve a non-existent variable
. Switched to purify()-wide Context object registry
. Refactored unit tests to minimize duplication
. XSS attack sheet updated
. configdoc.xml now has xml:space attached to default value nodes
. Allow configuration directives to permit null values
. Cleaned up test-cases to remove unnecessary swallowErrors()
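The ID directives introduced in 1.2.0 exist because a user-supplied id that equals one of the host page's own ids lets user content hijack CSS rules, anchors and script lookups aimed at the page's elements. The following is an added example, not code from the HTML Purifier project or its enduser-id documentation: it re-enables ids and prefixes them so that two independent pieces of user content on one page can each use id="header" without colliding with each other or with the page. It assumes HTMLPurifier.auto.php is on the include path, uses the single-string form of set() from later releases (1.x passed namespace and directive separately), and uses the 1.2.0 directive name %HTML.EnableAttrID; later releases renamed it %Attr.EnableID, so check which name the installed version expects. The comment markup and prefixes are constructed.

```php
<?php
// Added example (not HTML Purifier project code): keeping user-supplied id
// attributes from colliding with the page's own ids, using the 1.2.0
// directives. Assumes HTMLPurifier.auto.php is on the include path and that
// set() accepts 'Namespace.Directive' (later releases; 1.x used two args).
// %HTML.EnableAttrID is the 1.2.0 name; later releases use %Attr.EnableID.
require_once 'HTMLPurifier.auto.php';

// Build a purifier for one unit of user content (one comment, one post).
// $localPrefix distinguishes that unit from the others on the same page.
function makeIdAwarePurifier($localPrefix)
{
    $config = HTMLPurifier_Config::createDefault();

    // IDs are off by default since 1.2.0; opt back in explicitly, because
    // the prefixes below are what make that opt-in safe.
    $config->set('HTML.EnableAttrID', true);

    // Global prefix: every user id becomes "user_<id>", so it can never equal
    // an id the surrounding page defines itself (e.g. "header", "nav").
    // This replaces maintaining a %Attr.IDBlacklist of reserved page ids.
    $config->set('Attr.IDPrefix', 'user_');

    // Local prefix, appended after the global one: separates several pieces
    // of user content rendered on the same page from one another.
    $config->set('Attr.IDPrefixLocal', $localPrefix);

    return new HTMLPurifier($config);
}

// Constructed sample: two comments that both try to use id="header", which
// is also the id of the page's own masthead.
$comment17 = '<p id="header">Comment 17</p>';
$comment18 = '<p id="header">Comment 18</p>';

// Each comment gets its own local prefix, derived here from its comment number.
echo makeIdAwarePurifier('c17_')->purify($comment17), "\n";
echo makeIdAwarePurifier('c18_')->purify($comment18), "\n";
// The emitted ids carry the combined prefix (user_c17_..., user_c18_...), so
// neither comment can shadow the page's "header" or each other's ids.
```

The blacklist approach (%Attr.IDBlacklist) only protects the ids you remember to list; prefixing protects every id the page has or will have, which is why the changelog presents it as the alternative for sites that cannot enumerate their own ids reliably.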

1.1.2, released 2006-09-30
! Add HTMLPurifier.auto.php stub file that configures include_path
- Documentation updated
  + INSTALL document rewritten
  + TODO added semi-lossy conversion
  + API Doxygen docs' file exclusions updated
  + Added notes on HTML versus XML attribute whitespace handling
  + Noted that HTMLPurifier_ChildDef_Custom isn't being used
  + Noted that config object's definitions are cached versions
- Fixed lack of attribute parsing in HTMLPurifier_Lexer_PEARSax3
- ftp:// URIs now have their typecodes checked
- Hooked up HTMLPurifier_ChildDef_Custom's unit tests (they weren't being run)
. Line endings standardized throughout project (svn:eol-style standardized)
. Refactored parseData() to general Lexer class
. Tester named "HTML Purifier" not "HTMLPurifier"

1.1.1, released 2006-09-24
! Configuration option to optionally Tidy up output for indentation to make up
  for dropped whitespace by DOMLex (pretty-printing for the entire application
  should be done by a page-wide Tidy)
- Various documentation updates
- Fixed parse error in configuration documentation script
- Fixed fatal error in benchmark scripts, slightly augmented
- As far as possible, whitespace is preserved in-between table children
- Sample test-settings.php file included

1.1.0, released 2006-09-16
! Directive documentation generation using XSLT
! XHTML can now be turned off, output becomes <br>
- Made URI validator more forgiving: will ignore leading and trailing
  quotes, apostrophes and less than or greater than signs.
- Enforce alphanumeric namespace and directive names for configuration.
- Table child definition made more flexible, will fix up poorly ordered elements
. Renamed ConfigDef to ConfigSchema

1.0.1, released 2006-09-04
- Fixed slight bug in DOMLex attribute parsing
- Fixed rejection of case-insensitive configuration values when there is a
  set of allowed values. This manifested in %Core.Encoding.
- Fixed rejection of inline style declarations that had lots of extra
  space in them. This manifested in TinyMCE.

1.0.0, released 2006-09-01
! Shorthand CSS properties implemented: font, border, background, list-style
! Basic color keywords translated into hexadecimal values
! Table CSS properties implemented
! Support for charsets other than UTF-8 (defined by iconv)
! Malformed UTF-8 and non-SGML character detection and cleaning implemented
- Fixed broken numeric entity conversion
- API documentation completed
. (HTML|CSS)Definition de-singleton-ized

1.0.0beta, released 2006-08-16
! First public release, most functionality implemented. Notable omissions are:
  + Shorthand CSS properties
  + Table CSS properties
  + Deprecated attribute transformations