1 NEWS ( CHANGELOG and HISTORY ) HTMLPurifier
2 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
4 = KEY ====================
10 ==========================
12 3.1.2, unknown release date
13 # Using %Core.CollectErrors forces line number/column tracking on, whereas
14 previously you could theoretically turn it off.
15 # HTMLPurifier_Injector->notifyEnd() is formally deprecated, and has changed
16 behavior slightly (end tokens it sees are not guaranteed to exist). Please
17 use handleEnd() instead.
18 ! %Output.AttrSort for when you need your attributes in alphabetical order to
19 deal with a bug in FCKEditor. Requested by frank farmer.
20 ! Enable HTML comments when %HTML.Trusted is on. Requested by Waldo Jaquith.
21 ! Proper support for name attribute. It is now allowed and equivalent to the id
22 attribute in a and img tags, and is only converted to id when %HTML.TidyLevel
23 is heavy (for all doctypes).
24 ! %AutoFormat.RemoveEmpty to remove some empty tags from documents. Please don't
25 use on hand-written HTML.
26 ! Add error-cases for unsupported elements in MakeWellFormed. This enables
27 the strategy to be used, standalone, on untrusted input.
28 ! %Core.AggressivelyFixLt is on by default. This causes more sensible
29 processing of left angled brackets in smileys and other whatnot.
30 ! Test scripts now have a 'type' parameter, which lets you say 'htmlpurifier',
31 'phpt', 'vtest', etc. in order to only execute those tests. This supercedes
32 the --only-phpt parameter, although for backwards-compatibility the flag
34 ! AutoParagraph auto-formatter will now preserve double-newlines upon output.
35 Users who are not performing inbound filtering, this may seem a little
36 useless, but as a bonus, the test suite and handling of edge cases is also
38 ! Experimental implementation of forms for %HTML.Trusted
39 ! Track column numbers when maintain line numbers is on
40 ! Proprietary 'background' attribute on table-related elements converted into
41 corresponding CSS. Thanks Fusemail for sponsoring this feature!
42 ! Add forward(), forwardUntilEndToken(), backward() and current() to Injector
44 ! HTMLPurifier_Injector->handleEnd() permits modification to end tokens. The
45 time of operation varies slightly from notifyEnd() as *all* end tokens are
46 processed by the injector before they are subject to the well-formedness rules.
47 ! %Attr.DefaultImageAlt allows overriding default behavior of setting alt to
48 basename of image when not present.
49 - Fix two bugs in %URI.MakeAbsolute; one involving empty paths in base URLs,
50 the other involving an undefined $is_folder error.
51 - Throw error when %Core.Encoding is set to a spurious value. Previously,
52 this errored silently and returned false.
53 - Redirected stderr to stdout for flush error output.
54 - %URI.DisableExternal will now use the host in %URI.Base if %URI.Host is not
56 - Do not re-munge URL if the output URL has the same host as the input URL.
58 - Fix error in documentation regarding %Filter.ExtractStyleBlocks
59 - Prevent <![CDATA[<body></body>]]> from triggering %Core.ConvertDocumentToFragment
60 - Fix bug with inline elements in blockquotes conflicting with strict doctype
61 - Detect if HTML support is disabled for DOM by checking for loadHTML() method.
62 - Fix bug where dots and double-dots in absolute URLs without hostname were
63 not collapsed by URIFilter_MakeAbsolute.
64 - Fix bug with anonymous modules operating on SafeEmbed or SafeObject elements
65 by reordering their addition.
66 - Will now throw exception on many error conditions during lexer creation; also
67 throw an exception when MaintainLineNumbers is true, but a non-tracksLineNumbers
69 . Strategy_MakeWellFormed now operates in-place, saving memory and allowing
70 for more interesting filter-backtracking
71 . New HTMLPurifier_Injector->rewind() functionality, allows injectors to rewind
72 index to reprocess tokens.
73 . StringHashParser now allows for multiline sections with "empty" content;
74 previously the section would remain undefined.
75 . Added --quick option to multitest.php, which tests only the most recent
76 release for each series.
77 . Added --distro option to multitest.php, which accepts either 'normal' or
78 'standalone'. This supercedes --exclude-normal and --exclude-standalone
80 3.1.1, released 2008-06-19
81 # %URI.Munge now, by default, does not munge resources (for example, <img src="">)
82 In order to enable this again, please set %URI.MungeResources to true.
83 ! More robust imagecrash protection with height/width CSS with %CSS.MaxImgLength,
84 and height/width HTML with %HTML.MaxImgLength.
85 ! %URI.MungeSecretKey for secure URI munging. Thanks Chris
86 for sponsoring this feature. Check out the corresponding documentation
87 for details. (Att Nightly testers: The API for this feature changed before
88 the general release. Namely, rename your directives %URI.SecureMungeSecretKey =>
89 %URI.MungeSecretKey and and %URI.SecureMunge => %URI.Munge)
90 ! Implemented post URI filtering. Set member variable $post to true to set
92 ! Allow modules to define injectors via $info_injector. Injectors are
93 automatically disabled if injector's needed elements are not found.
94 ! Support for "safe" objects added, use %HTML.SafeObject and %HTML.SafeEmbed.
95 Thanks Chris for sponsoring. If you've been using ad hoc code from the
96 forums, PLEASE use this instead.
97 ! Added substitutions for %e, %n, %a and %p in %URI.Munge (in order,
98 embedded, tag name, attribute name, CSS property name). See %URI.Munge
99 for more details. Requested by Jochem Blok.
100 - Disable percent height/width attributes for img.
101 - AttrValidator operations are now atomic; updates to attributes are not
102 manifest in token until end of operations. This prevents naughty internal
103 code from directly modifying CurrentToken when they're not supposed to.
104 This semantics change was requested by frank farmer.
105 - Percent encoding checks enabled for URI query and fragment
106 - Fix stray backslashes in font-family; CSS Unicode character escapes are
107 now properly resolved (although *only* in font-family). Thanks Takeshi Terada
109 - Improve parseCDATA algorithm to take into account newline normalization
110 - Account for browser confusion between Yen character and backslash in
111 Shift_JIS encoding. This fix generalizes to any other encoding which is not
112 a strict superset of printable ASCII. Thanks Takeshi Terada for reporting.
113 - Fix missing configuration parameter in Generator calls. Thanks vs for the
115 - Improved adherence to Unicode by checking for non-character codepoints.
116 Thanks Geoffrey Sneddon for reporting. This may result in degraded
117 performance for extremely large inputs.
118 - Allow CSS property-value pair ''text-decoration: none''. Thanks Jochem Blok
120 . Added HTMLPurifier_UnitConverter and HTMLPurifier_Length for convenient
121 handling of CSS-style lengths. HTMLPurifier_AttrDef_CSS_Length now uses
123 . API of HTMLPurifier_AttrDef_CSS_Length changed from __construct($disable_negative)
124 to __construct($min, $max). __construct(true) is equivalent to
126 . Added HTMLPurifier_AttrDef_Switch class
127 . Rename HTMLPurifier_HTMLModule_Tidy->construct() to setup() and bubble method
128 up inheritance hierarchy to HTMLPurifier_HTMLModule. All HTMLModules
129 get this called with the configuration object. All modules now
130 use this rather than __construct(), although legacy code using constructors
131 will still work--the new format, however, lets modules access the
132 configuration object for HTML namespace dependant tweaks.
133 . AttrDef_HTML_Pixels now takes a single construction parameter, pixels.
134 . ConfigSchema data-structure heavily optimized; on average it uses a third
135 the memory it did previously. The interface has changed accordingly,
136 consult changes to HTMLPurifier_Config for details.
137 . Variable parsing types now are magic integers instead of strings
138 . Added benchmark for ConfigSchema
139 . HTMLPurifier_Generator requires $config and $context parameters. If you
140 don't know what they should be, use HTMLPurifier_Config::createDefault()
141 and new HTMLPurifier_Context().
142 . Printers now properly distinguish between output configuration, and
143 target configuration. This is not applicable to scripts using
144 the Printers for HTML Purifier related tasks.
145 . HTML/CSS Printers must be primed with prepareGenerator($gen_config), otherwise
146 fatal errors will ensue.
147 . URIFilter->prepare can return false in order to abort loading of the filter
148 . Factory for AttrDef_URI implemented, URI#embedded to indicate URI that embeds
149 an external resource.
150 . %URI.Munge functionality factored out into a post-filter class.
151 . Added CurrentCSSProperty context variable during CSS validation
153 3.1.0, released 2008-05-18
154 # Unnecessary references to objects (vestiges of PHP4) removed from method
155 signatures. The following methods do not need references when assigning from
156 them and will result in E_STRICT errors if you try:
157 + HTMLPurifier_Config->get*Definition() [* = HTML, CSS]
158 + HTMLPurifier_ConfigSchema::instance()
159 + HTMLPurifier_DefinitionCacheFactory::instance()
160 + HTMLPurifier_DefinitionCacheFactory->create()
161 + HTMLPurifier_DoctypeRegistry->register()
162 + HTMLPurifier_DoctypeRegistry->get()
163 + HTMLPurifier_HTMLModule->addElement()
164 + HTMLPurifier_HTMLModule->addBlankElement()
165 + HTMLPurifier_LanguageFactory::instance()
166 # Printer_ConfigForm's get*() functions were static-ified
167 # %HTML.ForbiddenAttributes requires attribute declarations to be in the
168 form of tag@attr, NOT tag.attr (which will throw an error and won't do
169 anything). This is for forwards compatibility with XML; you'd do best
170 to migrate an %HTML.AllowedAttributes directives to this syntax too.
171 ! Allow index to be false for config from form creation
172 ! Added HTMLPurifier::VERSION constant
173 ! Commas, not dashes, used for serializer IDs. This change is forwards-compatible
174 and allows for version numbers like "3.1.0-dev".
175 ! %HTML.Allowed deals gracefully with whitespace anywhere, anytime!
176 ! HTML Purifier's URI handling is a lot more robust, with much stricter
177 validation checks and better percent encoding handling. Thanks Gareth Heyes
178 for indicating security vulnerabilities from lax percent encoding.
179 ! Bootstrap autoloader deals more robustly with classes that don't exist,
180 preventing class_exists($class, true) from barfing.
181 - InterchangeBuilder now alphabetizes its lists
182 - Validation error in configdoc output fixed
183 - Iconv and other encoding errors muted even with custom error handlers that
184 do not honor error_reporting
185 - Add protection against imagecrash attack with CSS height/width
186 - HTMLPurifier::instance() created for consistency, is equivalent to getInstance()
187 - Fixed and revamped broken ConfigForm smoketest
188 - Bug with bool/null fields in Printer_ConfigForm fixed
189 - Bug with global forbidden attributes fixed
190 - Improved error messages for allowed and forbidden HTML elements and attributes
191 - Missing (or null) in configdoc documentation restored
192 - If DOM throws and exception during parsing with PH5P (occurs in newer versions
193 of DOM), HTML Purifier punts to DirectLex
194 - Fatal error with unserialization of ScriptRequired
195 - Created directories are now chmod'ed properly
196 - Fixed bug with fallback languages in LanguageFactory
197 - Standalone testing setup properly with autoload
198 . Out-of-date documentation revised
199 . UTF-8 encoding check optimization as suggested by Diego
200 . HTMLPurifier_Error removed in favor of exceptions
201 . More copy() function removed; should use clone instead
202 . More extensive unit tests for HTMLDefinition
203 . assertPurification moved to central harness
204 . HTMLPurifier_Generator accepts $config and $context parameters during
205 instantiation, not runtime
206 . Double-quotes outside of attribute values are now unescaped
208 3.1.0rc1, released 2008-04-22
209 # Autoload support added. Internal require_once's removed in favor of an
210 explicit require list or autoloading. To use HTML Purifier,
211 you must now either use HTMLPurifier.auto.php
212 or HTMLPurifier.includes.php; setting the include path and including
213 HTMLPurifier.php is insufficient--in such cases include HTMLPurifier.autoload.php
214 as well to register our autoload handler (or modify your autoload function
215 to check HTMLPurifier_Bootstrap::getPath($class)). You can also use
216 HTMLPurifier.safe-includes.php for a less performance friendly but more
217 user-friendly library load.
218 # HTMLPurifier_ConfigSchema static functions are officially deprecated. Schema
219 information is stored in the ConfigSchema directory, and the
220 maintenance/generate-schema-cache.php generates the schema.ser file, which
221 is now instantiated. Support for userland schema changes coming soon!
222 # HTMLPurifier_Config will now throw E_USER_NOTICE when you use a directive
223 alias; to get rid of these errors just modify your configuration to use
224 the new directive name.
225 # HTMLPurifier->addFilter is deprecated; built-in filters can now be
226 enabled using %Filter.$filter_name or by setting your own filters using
228 # Directive-level safety properties superceded in favor of module-level
229 safety. Internal method HTMLModule->addElement() has changed, although
230 the externally visible HTMLDefinition->addElement has *not* changed.
231 ! Extra utility classes for testing and non-library operations can
232 be found in extras/. Specifically, these are FSTools and ConfigDoc.
233 You may find a use for these in your own project, but right now they
234 are highly experimental and volatile.
235 ! Integration with PHPT allows for automated smoketests
236 ! Limited support for proprietary HTML elements, namely <marquee>, sponsored
237 by Chris. You can enable them with %HTML.Proprietary if your client
239 ! Support for !important CSS cascade modifier. By default, this will be stripped
240 from CSS, but you can enable it using %CSS.AllowImportant
241 ! Support for display and visibility CSS properties added, set %CSS.AllowTricky
243 ! HTML Purifier now has its own Exception hierarchy under HTMLPurifier_Exception.
244 Developer error (not enduser error) can cause these to be triggered.
245 ! Experimental kses() wrapper introduced with HTMLPurifier.kses.php
246 ! Finally %CSS.AllowedProperties for tweaking allowed CSS properties without
247 mucking around with HTMLPurifier_CSSDefinition
248 ! ConfigDoc output has been enhanced with version and deprecation info.
249 ! %HTML.ForbiddenAttributes and %HTML.ForbiddenElements implemented.
250 - Autoclose now operates iteratively, i.e. <span><span><div> now has
251 both span tags closed.
252 - Various HTMLPurifier_Config convenience functions now accept another parameter
253 $schema which defines what HTMLPurifier_ConfigSchema to use besides the
255 - Fix bug with trusted script handling in libxml versions later than 2.6.28.
256 - Fix bug in ExtractStyleBlocks with comments in style tags
257 - Fix bug in comment parsing for DirectLex
258 - Flush output now displayed when in command line mode for unit tester
259 - Fix bug with rgb(0, 1, 2) color syntax with spaces inside shorthand syntax
260 - HTMLPurifier_HTMLDefinition->addAttribute can now be called multiple times
261 on the same element without emitting errors.
262 - Fixed fatal error in PH5P lexer with invalid tag names
263 . Plugins now get their own changelogs according to project conventions.
264 . Convert tokens to use instanceof, reducing memory footprint and
265 improving comparison speed.
266 . Dry runs now supported in SimpleTest; testing facilities improved
267 . Bootstrap class added for handling autoloading functionality
268 . Implemented recursive glob at FSTools->globr
269 . ConfigSchema now has instance methods for all corresponding define*
271 . A couple of new historical maintenance scripts were added.
272 . HTMLPurifier/HTMLModule/Tidy/XHTMLAndHTML4.php split into two files
273 . tests/index.php can now be run from any directory.
274 . HTMLPurifier_Token subclasses split into seperate files
275 . HTMLPURIFIER_PREFIX now is defined in Bootstrap.php, NOT HTMLPurifier.php
276 . HTMLPURIFIER_PREFIX can now be defined outside of HTML Purifier
277 . New --php=php flag added, allows PHP executable to be specified (command
279 . htmlpurifier_add_test() preferred method to translate test files in to
280 classes, because it handles PHPT files too.
281 . Debugger class is deprecated and will be removed soon.
282 . Command line argument parsing for testing scripts revamped, now --opt value
284 . Smoketests now cleanup after magic quotes
285 . Generator now can output comments (however, comments are still stripped
286 from HTML Purifier output)
287 . HTMLPurifier_ConfigSchema->validate() deprecated in favor of
288 HTMLPurifier_VarParser->parse()
289 . Integers auto-cast into float type by VarParser.
290 . HTMLPURIFIER_STRICT removed; no validation is performed on runtime, only
291 during cache generation
292 . Reordered script calls in maintenance/flush.php
293 . Command line scripts now honor exit codes
294 . When --flush fails in unit testers, abort tests and print message
295 . Improved documentation in docs/dev-flush.html about the maintenance scripts
296 . copy() methods removed in favor of clone keyword
298 3.0.0, released 2008-01-06
299 # HTML Purifier is PHP 5 only! The 2.1.x branch will be maintained
300 until PHP 4 is completely deprecated, but no new features will be added
302 + Visibility declarations added
303 + Constructor methods renamed to __construct()
304 + PHP4 reference cruft removed (in progress)
305 ! CSS properties are now case-insensitive
306 ! DefinitionCacheFactory now can register new implementations
307 ! New HTMLPurifier_Filter_ExtractStyleBlocks for extracting <style> from
308 documents and cleaning their contents up. Requires the CSSTidy library
309 <http://csstidy.sourceforge.net/>. You can access the blocks with the
310 'StyleBlocks' Context variable ($purifier->context->get('StyleBlocks')).
311 The output CSS can also be "scoped" for a specific element, use:
312 %Filter.ExtractStyleBlocksScope
313 ! Experimental support for some proprietary CSS attributes allowed:
314 opacity (and all of the browser-specific equivalents) and scrollbar colors.
315 Enable by setting %CSS.Proprietary to true.
316 - Colors missing # but in hex form will be corrected
317 - CSS Number algorithm improved
318 - Unit testing and multi-testing now on steroids: command lines,
319 XML output, and other goodies now added.
320 . Unit tests for Injector improved
322 + HTMLPurifier_AttrDef_CSS_AlphaValue
323 + HTMLPurifier_AttrDef_CSS_Filter
324 . Multitest now has a file docblock
326 2.1.3, released 2007-11-05
327 ! tests/multitest.php allows you to test multiple versions by running
328 tests/index.php through multiple interpreters using `phpv` shell
329 script (you must provide this script!)
330 - Fixed poor include ordering for Email URI AttrDefs, causes fatal errors
332 - Injector algorithm further refined: off-by-one error regarding skip
333 counts for dormant injectors fixed
334 - Corrective blockquote definition now enabled for HTML 4.01 Strict
335 - Fatal error when <img> tag (or any other element with required attributes)
336 has 'id' attribute fixed, thanks NykO18 for reporting
337 - Fix warning emitted when a non-supported URI scheme is passed to the
338 MakeAbsolute URIFilter, thanks NykO18 (again)
339 - Further refine AutoParagraph injector. Behavior inside of elements
340 allowing paragraph tags clarified: only inline content delimeted by
341 double newlines (not block elements) are paragraphed.
342 - Buggy treatment of end tags of elements that have required attributes
343 fixed (does not manifest on default tag-set)
344 - Spurious internal content reorganization error suppressed
345 - HTMLDefinition->addElement now returns a reference to the created
346 element object, as implied by the documentation
347 - Phorum mod's HTML Purifier help message expanded (unreleased elsewhere)
348 - Fix a theoretical class of infinite loops from DirectLex reported
350 - Work around unnecessary DOMElement type-cast in PH5P that caused errors
352 - Work around PHP 4 SimpleTest lack-of-error complaining for one-time-only
353 HTMLDefinition errors, this may indicate problems with error-collecting
355 - Make ErrorCollectorEMock work in both PHP 4 and PHP 5
356 - Make PH5P work with PHP 5.0 by removing unnecessary array parameter typedef
357 . %Core.AcceptFullDocuments renamed to %Core.ConvertDocumentToFragment
358 to better communicate its purpose
359 . Error unit tests can now specify the expectation of no errors. Future
360 iterations of the harness will be extremely strict about what errors
362 . Extend Injector hooks to allow for more powerful injector routines
363 . HTMLDefinition->addBlankElement created, as according to the HTMLModule
365 . Doxygen configuration file updated, with minor improvements
366 . Test runner now checks for similarly named files in conf/ directory too.
367 . Minor cosmetic change to flush-definition-cache.php: trailing newline is
369 . Maintenance script for generating PH5P patch added, original PH5P source
370 file also added under version control
371 . Full unit test runner script title made more descriptive with PHP version
372 . Updated INSTALL file to state that 4.3.7 is the earliest version we
375 2.1.2, released 2007-09-03
376 ! Implemented Object module for trusted users
377 ! Implemented experimental HTML5 parsing mode using PH5P. To use, add
379 require_once 'HTMLPurifier/Lexer/PH5P.php';
380 $config->set('Core', 'LexerImpl', 'PH5P');
381 Note that this Lexer introduces some classes not in the HTMLPurifier
382 namespace. Also, this is PHP5 only.
383 ! CSS property border-spacing implemented
384 - Fix non-visible parsing error in DirectLex with empty tags that have
385 slashes inside attribute values.
386 - Fix typo in CSS definition: border-collapse:seperate; was incorrectly
387 accepted as valid CSS. Usually non-visible, because this styling is the
388 default for tables in most browsers. Thanks Brett Zamir for pointing
390 - Fix validation errors in configuration form
391 - Hammer out a bunch of edge-case bugs in the standalone distribution
392 - Inclusion reflection removed from URISchemeRegistry; you must manually
393 include any new schema files you wish to use
394 - Numerous typo fixes in documentation thanks to Brett Zamir
395 . Unit test refactoring for one logical test per test function
396 . Config and context parameters in ComplexHarness deprecated: instead, edit
397 the $config and $context member variables
398 . HTML wrapper in DOMLex now takes DTD identifiers into account; doesn't
399 really make a difference, but is good for completeness sake
400 . merge-library.php script refactored for greater code reusability and
403 2.1.1, released 2007-08-04
404 - Fix show-stopper bug in %URI.MakeAbsolute functionality
405 - Fix PHP4 syntax error in standalone version
406 . Add prefix directory to include path for standalone, this prevents
407 other installations from clobbering the standalone's URI schemes
408 . Single test methods can be invoked by prefixing with __only
410 2.1.0, released 2007-08-02
411 # flush-htmldefinition-cache.php superseded in favor of a generic
412 flush-definition-cache.php script, you can clear a specific cache
413 by passing its name as a parameter to the script
414 ! Phorum mod implemented for HTML Purifier
415 ! With %Core.AggressivelyFixLt, <3 and similar emoticons no longer
416 trigger HTML removal in PHP5 (DOMLex). This directive is not necessary
417 for PHP4 (DirectLex).
418 ! Standalone file now available, which greatly reduces the amount of
419 includes (although there are still a few files that reside in the
421 ! Relative URIs can now be transformed into their absolute equivalents
422 using %URI.Base and %URI.MakeAbsolute
423 ! Ruby implemented for XHTML 1.1
424 ! You can now define custom URI filtering behavior, see enduser-uri-filter.html
426 ! UTF-8 font names now supported in CSS
427 - AutoFormatters emit friendly error messages if tags or attributes they
429 - ConfigForm's compactification of directive names is now configurable
430 - AutoParagraph autoformatter algorithm refined after field-testing
431 - XHTML 1.1 now applies XHTML 1.0 Strict cleanup routines, namely
433 - Contents of <style> tags removed by default when tags are removed
434 . HTMLPurifier_Config->getSerial() implemented, this is extremely useful
435 for output cache invalidation
436 . ConfigForm printer now can retrieve CSS and JS files as strings, in
437 case HTML Purifier's directory is not publically accessible
438 . Introduce new text/itext configuration directive values: these represent
439 longer strings that would be more appropriately edited with a textarea
440 . Allow newlines to act as separators for lists, hashes, lookups and
442 . ConfigForm generates textareas instead of text inputs for lists, hashes,
443 lookups, text and itext fields
444 . Hidden element content removal genericized: %Core.HiddenElements can
445 be used to customize this behavior, by default <script> and <style> are
447 . Added HTMLPURIFIER_PREFIX constant, should be used instead of dirname(__FILE__)
448 . Custom ChildDef added to default include list
449 . URIScheme reflection improved: will not attempt to include file if class
450 already exists. May clobber autoload, so I need to keep an eye on it
451 . ConfigSchema heavily optimized, will only collect information and validate
452 definitions when HTMLPURIFIER_SCHEMA_STRICT is true.
453 . AttrDef_URI unit tests and implementation refactored
454 . benchmarks/ directory now protected from public view with .htaccess file;
455 run the tests via command line
456 . URI scheme is munged off if there is no authority and the scheme is the
458 . All unit tests inherit from HTMLPurifier_Harness, not UnitTestCase
459 . Interface for URIScheme changed
460 . Generic URI object to hold components of URI added, most systems involved
461 in URI validation have been migrated to use it
462 . Custom filtering for URIs factored out to URIDefinition interface for
463 maximum extensibility
465 2.0.1, released 2007-06-27
466 ! Tag auto-closing now based on a ChildDef heuristic rather than a
467 manually set auto_close array; some behavior may change
468 ! Experimental AutoFormat functionality added: auto-paragraph and
469 linkify your HTML input by setting %AutoFormat.AutoParagraph and
470 %AutoFormat.Linkify to true
471 ! Newlines normalized internally, and then converted back to the
472 value of PHP_EOL. If this is not desired, set your newline format
473 using %Output.Newline.
474 ! Beta error collection, messages are implemented for the most generic
475 cases involving Lexing or Strategies
476 - Clean up special case code for <script> tags
477 - Reorder includes for DefinitionCache decorators, fixes a possible
479 - Fixed bug where manually modified definitions were not saved via cache
480 (mostly harmless, except for the fact that it would be a little slower)
481 - Configuration objects with different serials do not clobber each
482 others when revision numbers are unequal
483 - Improve Serializer DefinitionCache directory permissions checks
484 - DefinitionCache no longer throws errors when it encounters old
485 serial files that do not conform to the current style
486 - Stray xmlns attributes removed from configuration documentation
487 - configForm.php smoketest no longer has XSS vulnerability due to
488 unescaped print_r output
489 - Printer adheres to configuration's directives on output format
490 - Fix improperly named form field in ConfigForm printer
491 . Rewire some test-cases to swallow errors rather than expect them
492 . HTMLDefinition printer updated with some of the new attributes
493 . DefinitionCache keys reordered to reflect precedence: version number,
494 hash, then revision number
495 . %Core.DefinitionCache renamed to %Cache.DefinitionImpl
496 . Interlinking in configuration documentation added using
497 Injector_PurifierLinkify
498 . Directives now keep track of aliases to themselves
499 . Error collector now requires a severity to be passed, use PHP's internal
500 error constants for this
501 . HTMLPurifier_Config::getAllowedDirectivesForForm implemented, allows
502 much easier selective embedding of configuration values
503 . Doctype objects now accept public and system DTD identifiers
504 . %HTML.Doctype is now constrained by specific values, to specify a custom
505 doctype use new %HTML.CustomDoctype
506 . ConfigForm truncates long directives to keep the form small, and does
507 not re-output namespaces
509 2.0.0, released 2007-06-20
510 # Completely refactored HTMLModuleManager, decentralizing safety
512 # Transform modules changed to Tidy modules, which offer more flexibility
513 and better modularization
514 # Configuration object now finalizes itself when a read operation is
515 performed on it, ensuring that its internal state stays consistent.
516 To revert this behavior, you can set the $autoFinalize member variable
517 off, but it's not recommended.
518 # New compact syntax for AttrDef objects that can be used to instantiate
519 new objects via make()
520 # Definitions (esp. HTMLDefinition) are now cached for a significant
521 performance boost. You can disable caching by setting %Core.DefinitionCache
522 to null. You CANNOT edit raw definitions without setting the corresponding
523 DefinitionID directive (%HTML.DefinitionID for HTMLDefinition).
524 # Contents between <script> tags are now completely removed if <script>
526 # Prototype-declarations for Lexer removed in favor of configuration
527 determination of Lexer implementations.
528 ! HTML Purifier now works in PHP 4.3.2.
529 ! Configuration form-editing API makes tweaking HTMLPurifier_Config a
531 ! Configuration directives that accept hashes now allow new string
532 format: key1:value1,key2:value2
533 ! ConfigDoc now factored into OOP design
534 ! All deprecated elements now natively supported
535 ! Implement TinyMCE styled whitelist specification format in
537 ! Config object gives more friendly error messages when things go wrong
538 ! Advanced API implemented: easy functions for creating elements (addElement)
539 and attributes (addAttribute) on HTMLDefinition
540 ! Add native support for required attributes
541 - Deprecated and removed EnableRedundantUTF8Cleaning. It didn't even work!
542 - DOMLex will not emit errors when a custom error handler that does not
543 honor error_reporting is used
544 - StrictBlockquote child definition refrains from wrapping whitespace
546 - Bug resulting from tag transforms to non-allowed elements fixed
547 - ChildDef_Custom's regex generation has been improved, removing several
549 . Unit test for ElementDef created, ElementDef behavior modified to
551 . Added convenience functions for HTMLModule constructors
552 . AttrTypes now has accessor functions that should be used instead
553 of directly manipulating info
554 . TagTransform_Center deprecated in favor of generic TagTransform_Simple
555 . Add extra protection in AttrDef_URI against phantom Schemes
556 . Doctype object added to HTMLDefinition which describes certain aspects
557 of the operational document type
558 . Lexer is now pre-emptively included, with a conditional include for the
560 . HTMLDefinition and CSSDefinition have a common parent class: Definition.
561 . DirectLex can now track line-numbers
562 . Preliminary error collector is in place, although no code actually reports
564 . Factor out most of ValidateAttributes to new AttrValidator class
566 1.6.1, released 2007-05-05
567 ! Support for more deprecated attributes via transformations:
568 + hspace and vspace in img
569 + size and noshade in hr
572 + align in caption, table, img and hr
573 + type in ul, ol and li
574 ! DirectLex now preserves text in which a < bracket is followed by
575 a non-alphanumeric character. This means that certain emoticons
577 ! %Core.RemoveInvalidImg is now operational, when set to false invalid
578 images will hang around with an empty src
579 ! target attribute in a tag supported, use %Attr.AllowedFrameTargets
581 ! CSS property white-space now allows nowrap (supported in all modern
582 browsers) but not others (which have spotty browser implementations)
583 ! XHTML 1.1 mode now sort-of works without any fatal errors, and
584 lang is now moved over to xml:lang.
585 ! Attribute transformation smoketest available at smoketests/attrTransform.php
586 ! Transformation of font's size attribute now handles super-large numbers
587 - Possibly fatal bug with __autoload() fixed in module manager
588 - Invert HTMLModuleManager->addModule() processing order to check
589 prefixes first and then the literal module
590 - Empty strings get converted to empty arrays instead of arrays with
591 an empty string in them.
592 - Merging in attribute lists now works.
593 . Demo script removed: it has been added to the website's repository
594 . Basic.php script modified to work out of the box
595 . Refactor AttrTransform classes to reduce duplication
596 . AttrTransform_TextAlign axed in favor of a more general
597 AttrTransform_EnumToCSS, refer to HTMLModule/TransformToStrict.php to
598 see how the new equivalent is implemented
599 . Unit tests now use exclusively assertIdentical
601 1.6.0, released 2007-04-01
602 ! Support for most common deprecated attributes via transformations:
603 + bgcolor in td, th, tr and table
606 + width in td, th and hr
608 ! Support for CSS attribute 'height' added
609 ! Support for rel and rev attributes in a tags added, use %Attr.AllowedRel
610 and %Attr.AllowedRev to activate
611 - You can define ID blacklists using regular expressions via
612 %Attr.IDBlacklistRegexp
613 - Error messages are emitted when you attempt to "allow" elements or
614 attributes that HTML Purifier does not support
615 - Fix segfault in unit test. The problem is not very reproduceable and
616 I don't know what causes it, but a six line patch fixed it.
618 1.5.0, released 2007-03-23
619 ! Added a rudimentary I18N and L10N system modeled off MediaWiki. It
620 doesn't actually do anything yet, but keep your eyes peeled.
621 ! docs/enduser-utf8.html explains how to use UTF-8 and HTML Purifier
622 ! Newly structured HTMLDefinition modeled off of XHTML 1.1 modules.
623 I am loathe to release beta quality APIs, but this is exactly that;
624 don't use the internal interfaces if you're not willing to do migration
626 - Allow 'x' subtag in language codes
627 - Fixed buggy chameleon-support for ins and del
628 . Added support for IDREF attributes (i.e. for)
629 . Renamed HTMLPurifier_AttrDef_Class to HTMLPurifier_AttrDef_Nmtokens
630 . Removed context variable ParentType, replaced with IsInline, which
631 is false when you're not inline and an integer of the parent that
632 caused you to become inline when you are (so possibly zero)
633 . Removed ElementDef->type in favor of ElementDef->descendants_are_inline
634 and HTMLDefinition->content_sets
635 . StrictBlockquote now reports what elements its supposed to allow,
636 rather than what it does allow
637 . Removed HTMLDefinition->info_flow_elements in favor of
638 HTMLDefinition->content_sets['Flow']
639 . Removed redundant "exclusionary" definitions from DTD roster
640 . StrictBlockquote now requires a construction parameter as if it
641 were an Required ChildDef, this is the "real" set of allowed elements
642 . AttrDef partitioned into HTML, CSS and URI segments
643 . Modify Youtube filter regexp to be multiline
644 . Require both PHP5 and DOM extension in order to use DOMLex, fixes
645 some edge cases where a DOMDocument class exists in a PHP4 environment
646 due to DOM XML extension.
648 1.4.1, released 2007-01-21
649 ! docs/enduser-youtube.html updated according to new functionality
650 - YouTube IDs can have underscores and dashes
652 1.4.0, released 2007-01-21
653 ! Implemented list-style-image, URIs now allowed in list-style
654 ! Implemented background-image, background-repeat, background-attachment
655 and background-position CSS properties. Shorthand property background
656 supports all of these properties.
657 ! Configuration documentation looks nicer
658 ! Added %Core.EscapeNonASCIICharacters to workaround loss of Unicode
659 characters while %Core.Encoding is set to a non-UTF-8 encoding.
660 ! Support for configuration directive aliases added
661 ! Config object can now be instantiated from ini files
662 ! YouTube preservation code added to the core, with two lines of code
663 you can add it as a filter to your code. See smoketests/preserveYouTube.php
665 ! Moved SLOW to docs/enduser-slow.html and added code examples
666 - Replaced version check with functionality check for DOM (thanks Stephen
668 . Added smoketest 'all.php', which loads all other smoketests via frames
669 . Implemented AttrDef_CSSURI for url(http://google.com) style declarations
670 . Added convenient single test selector form on test runner
672 1.3.2, released 2006-12-25
673 ! HTMLPurifier object now accepts configuration arrays, no need to manually
674 instantiate a configuration object
675 ! Context object now accessible to outside
676 ! Added enduser-youtube.html, explains how to embed YouTube videos. See
677 also corresponding smoketest preserveYouTube.php.
678 ! Added purifyArray(), which takes a list of HTML and purifies it all
679 ! Added static member variable $version to HTML Purifier with PHP-compatible
680 version number string.
681 - Fixed fatal error thrown by upper-cased language attributes
682 - printDefinition.php: added labels, added better clarification
683 . HTMLPurifier_Config::create() added, takes mixed variable and converts into
684 a HTMLPurifier_Config object.
686 1.3.1, released 2006-12-06
687 ! Added HTMLPurifier.func.php stub for a convenient function to call the library
688 - Fixed bug in RemoveInvalidImg code that caused all images to be dropped
689 (thanks to .mario for reporting this)
690 . Standardized all attribute handling variables to attr, made it plural
692 1.3.0, released 2006-11-26
693 # Invalid images are now removed, rather than replaced with a dud
694 <img src="" alt="Invalid image" />. Previous behavior can be restored
695 with new directive %Core.RemoveInvalidImg set to false.
696 ! (X)HTML Strict now supported
697 + Transparently handles inline elements in block context (blockquote)
698 ! Added GET method to demo for easier validation, added 50kb max input size
699 ! New directive %HTML.BlockWrapper, for block-ifying inline elements
700 ! New directive %HTML.Parent, allows you to only allow inline content
701 ! New directives %HTML.AllowedElements and %HTML.AllowedAttributes to let
702 users narrow the set of allowed tags
703 ! <li value="4"> and <ul start="2"> now allowed in loose mode
704 ! New directives %URI.DisableExternalResources and %URI.DisableResources
705 ! New directive %Attr.DisableURI, which eliminates all hyperlinking
706 ! New directive %URI.Munge, munges URI so you can use some sort of redirector
707 service to avoid PageRank leaks or warn users that they are exiting your site.
708 ! Added spiffy new smoketest printDefinition.php, which lets you twiddle with
709 the configuration settings and see how the internal rules are affected.
710 ! New directive %URI.HostBlacklist for blocking links to bad hosts.
711 xssAttacks.php smoketest updated accordingly.
712 - Added missing type to ChildDef_Chameleon
713 - Remove Tidy option from demo if there is not Tidy available
714 . ChildDef_Required guards against empty tags
715 . Lookup table HTMLDefinition->info_flow_elements added
716 . Added peace-of-mind variable initialization to Strategy_FixNesting
717 . Added HTMLPurifier->info_parent_def, parent child processing made special
718 . Added internal documents briefly summarizing future progression of HTML
719 . HTMLPurifier_Config->getBatch($namespace) added
720 . More lenient casting to bool from string in HTMLPurifier_ConfigSchema
721 . Refactored ChildDef classes into their own files
723 1.2.0, released 2006-11-19
724 # ID attributes now disabled by default. New directives:
725 + %HTML.EnableAttrID - restores old behavior by allowing IDs
726 + %Attr.IDPrefix - %Attr.IDBlacklist alternative that munges all user IDs
727 so that they don't collide with your IDs
728 + %Attr.IDPrefixLocal - Same as above, but for when there are multiple
729 instances of user content on the page
730 + Profuse documentation on how to use these available in docs/enduser-id.txt
731 ! Added MODx plugin <http://modxcms.com/forums/index.php/topic,6604.0.html>
732 ! Added percent encoding normalization
733 ! XSS attacks smoketest given facelift
734 ! Configuration documentation now has table of contents
735 ! Added %URI.DisableExternal, which prevents links to external websites. You
736 can also use %URI.Host to permit absolute linking to subdomains
737 ! Non-accessible resources (ex. mailto) blocked from embedded URIs (img src)
738 - Type variable in HTMLDefinition was not being set properly, fixed
739 - Documentation updated
740 + TODO added request Phalanger
741 + TODO added request Native compression
742 + TODO added request Remove redundant tags
743 + TODO added possible plaintext formatter for HTML Purifier documentation
744 + Updated ConfigDoc TODO
745 + Improved inline comments in AttrDef/Class.php, AttrDef/CSS.php
747 + Revamped documentation into HTML, along with misc updates
748 - HTMLPurifier_Context doesn't throw a variable reference error if you attempt
749 to retrieve a non-existent variable
750 . Switched to purify()-wide Context object registry
751 . Refactored unit tests to minimize duplication
752 . XSS attack sheet updated
753 . configdoc.xml now has xml:space attached to default value nodes
754 . Allow configuration directives to permit null values
755 . Cleaned up test-cases to remove unnecessary swallowErrors()
757 1.1.2, released 2006-09-30
758 ! Add HTMLPurifier.auto.php stub file that configures include_path
759 - Documentation updated
760 + INSTALL document rewritten
761 + TODO added semi-lossy conversion
762 + API Doxygen docs' file exclusions updated
763 + Added notes on HTML versus XML attribute whitespace handling
764 + Noted that HTMLPurifier_ChildDef_Custom isn't being used
765 + Noted that config object's definitions are cached versions
766 - Fixed lack of attribute parsing in HTMLPurifier_Lexer_PEARSax3
767 - ftp:// URIs now have their typecodes checked
768 - Hooked up HTMLPurifier_ChildDef_Custom's unit tests (they weren't being run)
769 . Line endings standardized throughout project (svn:eol-style standardized)
770 . Refactored parseData() to general Lexer class
771 . Tester named "HTML Purifier" not "HTMLPurifier"
773 1.1.1, released 2006-09-24
774 ! Configuration option to optionally Tidy up output for indentation to make up
775 for dropped whitespace by DOMLex (pretty-printing for the entire application
776 should be done by a page-wide Tidy)
777 - Various documentation updates
778 - Fixed parse error in configuration documentation script
779 - Fixed fatal error in benchmark scripts, slightly augmented
780 - As far as possible, whitespace is preserved in-between table children
781 - Sample test-settings.php file included
783 1.1.0, released 2006-09-16
784 ! Directive documentation generation using XSLT
785 ! XHTML can now be turned off, output becomes <br>
786 - Made URI validator more forgiving: will ignore leading and trailing
787 quotes, apostrophes and less than or greater than signs.
788 - Enforce alphanumeric namespace and directive names for configuration.
789 - Table child definition made more flexible, will fix up poorly ordered elements
790 . Renamed ConfigDef to ConfigSchema
792 1.0.1, released 2006-09-04
793 - Fixed slight bug in DOMLex attribute parsing
794 - Fixed rejection of case-insensitive configuration values when there is a
795 set of allowed values. This manifested in %Core.Encoding.
796 - Fixed rejection of inline style declarations that had lots of extra
797 space in them. This manifested in TinyMCE.
799 1.0.0, released 2006-09-01
800 ! Shorthand CSS properties implemented: font, border, background, list-style
801 ! Basic color keywords translated into hexadecimal values
802 ! Table CSS properties implemented
803 ! Support for charsets other than UTF-8 (defined by iconv)
804 ! Malformed UTF-8 and non-SGML character detection and cleaning implemented
805 - Fixed broken numeric entity conversion
806 - API documentation completed
807 . (HTML|CSS)Definition de-singleton-ized
809 1.0.0beta, released 2006-08-16
810 ! First public release, most functionality implemented. Notable omissions are:
811 + Shorthand CSS properties
812 + Table CSS properties
813 + Deprecated attribute transformations