From 7015aaff46401075b17a91443e15d5f70f96af9f Mon Sep 17 00:00:00 2001 From: "Edward Z. Yang" Date: Thu, 19 Jun 2008 21:43:57 +0000 Subject: [PATCH] Release 3.1.1 git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@1808 48356398-32a2-884e-a903-53898d9a118a --- Doxyfile | 2 +- NEWS | 19 ++++++++++++------- TODO | 1 + VERSION | 2 +- WHATSNEW | 19 +++++++++---------- library/HTMLPurifier.includes.php | 2 +- library/HTMLPurifier.php | 6 +++--- library/HTMLPurifier/Config.php | 2 +- 8 files changed, 29 insertions(+), 24 deletions(-) rewrite WHATSNEW (100%) diff --git a/Doxyfile b/Doxyfile index 417ed045..6c13e02a 100644 --- a/Doxyfile +++ b/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = HTMLPurifier # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 3.1.0 +PROJECT_NUMBER = 3.1.1 # The OUTPUT_DIRECTORY tag is used to specify the (relative or absolute) # base path where the generated documentation will be put. diff --git a/NEWS b/NEWS index 3c2a8010..92a3c879 100644 --- a/NEWS +++ b/NEWS @@ -9,12 +9,12 @@ NEWS ( CHANGELOG and HISTORY ) HTMLPurifier . Internal change ========================== -3.1.1, unknown release date +3.1.1, released 2008-06-19 # %URI.Munge now, by default, does not munge resources (for example, ) In order to enable this again, please set %URI.MungeResources to true. ! More robust imagecrash protection with height/width CSS with %CSS.MaxImgLength, and height/width HTML with %HTML.MaxImgLength. -! %URI.SecureMunge for secure URI munging (as opposed to %URI.Munge). Thanks Chris +! %URI.MungeSecretKey for secure URI munging. Thanks Chris for sponsoring this feature. Check out the corresponding documentation for details. (Att Nightly testers: The API for this feature changed before the general release. Namely, rename your directives %URI.SecureMungeSecretKey => 
@@ -24,26 +24,31 @@ NEWS ( CHANGELOG and HISTORY ) HTMLPurifier ! Allow modules to define injectors via $info_injector. Injectors are automatically disabled if injector's needed elements are not found. ! Support for "safe" objects added, use %HTML.SafeObject and %HTML.SafeEmbed. + Thanks Chris for sponsoring. If you've been using ad hoc code from the + forums, PLEASE use this instead. ! Added substitutions for %e, %n, %a and %p in %URI.Munge (in order, embedded, tag name, attribute name, CSS property name). See %URI.Munge - for more details. -- Disable percent height/width attributes for img + for more details. Requested by Jochem Blok. +- Disable percent height/width attributes for img. - AttrValidator operations are now atomic; updates to attributes are not manifest in token until end of operations. This prevents naughty internal code from directly modifying CurrentToken when they're not supposed to. + This semantics change was requested by frank farmer. - Percent encoding checks enabled for URI query and fragment - Fix stray backslashes in font-family; CSS Unicode character escapes are - now properly resolved (although *only* in font-family). + now properly resolved (although *only* in font-family). Thanks Takeshi Terada + for reporting. - Improve parseCDATA algorithm to take into account newline normalization - Account for browser confusion between Yen character and backslash in Shift_JIS encoding. This fix generalizes to any other encoding which is not - a strict superset of printable ASCII. + a strict superset of printable ASCII. Thanks Takeshi Terada for reporting. - Fix missing configuration parameter in Generator calls. Thanks vs for the partial patch. - Improved adherence to Unicode by checking for non-character codepoints. Thanks Geoffrey Sneddon for reporting. This may result in degraded performance for extremely large inputs. -- Allow CSS property-value pair ''text-decoration: none'' +- Allow CSS property-value pair ''text-decoration: none''. 
Thanks Jochem Blok + for reporting. . Added HTMLPurifier_UnitConverter and HTMLPurifier_Length for convenient handling of CSS-style lengths. HTMLPurifier_AttrDef_CSS_Length now uses this class. diff --git a/TODO b/TODO index 8d3cefd7..c83ae974 100644 --- a/TODO +++ b/TODO @@ -108,6 +108,7 @@ Neat feature related - Full set of color keywords. Also, a way to add onto them without finalizing the configuration object. - Write a var_export and memcached DefinitionCache - Denis + - Allow restriction of allowed class values Maintenance related (slightly boring) # CHMOD install script for PEAR installs diff --git a/VERSION b/VERSION index a0cd9f0c..50e47c89 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -3.1.0 \ No newline at end of file +3.1.1 \ No newline at end of file diff --git a/WHATSNEW b/WHATSNEW dissimilarity index 100% index 0fa8562c..5f66abbe 100644 --- a/WHATSNEW +++ b/WHATSNEW 
@@ -1,10 +1,9 @@ -HTML Purifier 3.1.0 is the second release series for HTML Purifier on PHP 5 -as well as a security update related to URIs. It shifts over to using -autoload, and also includes support for the !important CSS modifier, -display and visibility CSS properties with %CSS.AllowTricky, marquee with -%HTML.Proprietary (had you scared for a moment, hmm?), a kses() wrapper, -%CSS.AllowedProperties, %HTML.ForbiddenAttributes and -%HTML.ForbiddenElements and a totally revamped ConfigDoc system. Since the -release candidate, there have also been a number of stability fixes such as -improved URI escaping, a change in serializer ID format, and a relaxed -format for %HTML.Allowed. And as always, numerous bugfixes. +HTML Purifier 3.1.1 is a security and bugfix release. This release addresses +two security vulnerabilities, both related to CSS, and one of which only +applies to users using Shift_JIS as their output encoding. There is also +a security improvement regarding the imagecrash attack. There is a backwards +incompatible change with %URI.Munge, in which resources are no longer munged +by default; please enable using %URI.MungeResources. Besides this, there +are numerous improvements to URI munging, esp. with the addition of +%URI.MungeSecretKey, as well as an experimental implementation of +%HTML.SafeObject and %HTML.SafeEmbed. There are also some memory optimizations. diff --git a/library/HTMLPurifier.includes.php b/library/HTMLPurifier.includes.php index 5ba2615e..620957a9 100644 --- a/library/HTMLPurifier.includes.php +++ b/library/HTMLPurifier.includes.php @@ -7,7 +7,7 @@ * primary concern and you are using an opcode cache. PLEASE DO NOT EDIT THIS * FILE, changes will be overwritten the next time the script is run. * - * @version 3.1.0 + * @version 3.1.1 * * @warning * You must *not* include any other HTML Purifier files before this file, diff --git a/library/HTMLPurifier.php b/library/HTMLPurifier.php index 03709f12..da2269da 100644 
--- a/library/HTMLPurifier.php +++ b/library/HTMLPurifier.php @@ -19,7 +19,7 @@ */ /* - HTML Purifier 3.1.0 - Standards Compliant HTML Filtering + HTML Purifier 3.1.1 - Standards Compliant HTML Filtering Copyright (C) 2006-2008 Edward Z. Yang This library is free software; you can redistribute it and/or @@ -55,10 +55,10 @@ class HTMLPurifier { /** Version of HTML Purifier */ - public $version = '3.1.0'; + public $version = '3.1.1'; /** Constant with version of HTML Purifier */ - const VERSION = '3.1.0'; + const VERSION = '3.1.1'; /** Global configuration object */ public $config; diff --git a/library/HTMLPurifier/Config.php b/library/HTMLPurifier/Config.php index 68ec8d20..e2fe21b6 100644 --- a/library/HTMLPurifier/Config.php +++ b/library/HTMLPurifier/Config.php @@ -20,7 +20,7 @@ class HTMLPurifier_Config /** * HTML Purifier's version */ - public $version = '3.1.0'; + public $version = '3.1.1'; /** * Bool indicator whether or not to automatically finalize -- 2.11.4.GIT
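Review bot: in the first NEWS hunk the new 3.1.1 %URI.Munge entry reads "does not munge resources (for example, )" with nothing inside the parentheses, and the note for nightly testers stops at "rename your directives %URI.SecureMungeSecretKey =>" without naming the target. Since this is the entry users will consult when their munging breaks after upgrading, fill in the resource example and spell out the rename target (the new directive name introduced two lines above in the same hunk is %URI.MungeSecretKey), otherwise the backwards-incompatible "#" entry tells people what changed but not what to rename to.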
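Review bot: the two CSS security fixes that WHATSNEW advertises ("two security vulnerabilities, both related to CSS, ... one of which only applies to users using Shift_JIS") appear in the second NEWS hunk only as plain "-" bugfix entries, namely "Fix stray backslashes in font-family; CSS Unicode character escapes are now properly resolved" and "Account for browser confusion between Yen character and backslash in Shift_JIS encoding", with a reporter credit but no indication that they are security-relevant. Readers who triage NEWS rather than WHATSNEW (and distro packagers who grep changelogs) will not see a reason to prioritize this upgrade; mark both entries as security fixes in NEWS so the two files agree on what the release is.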
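Review bot: the VERSION hunk keeps the file without a trailing newline on both sides ("\ No newline at end of file" for 3.1.0 and 3.1.1). Anything that reads this file with line-oriented tools (a packaging script doing `cat VERSION` or `read`) will see the version glued to whatever follows; add the newline now while the file is being touched anyway, and have any consumer trim it, so the next release bump does not have to special-case it.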
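Review bot: the rewritten WHATSNEW calls %HTML.SafeObject and %HTML.SafeEmbed "an experimental implementation", while the NEWS entry for the same feature says "If you've been using ad hoc code from the forums, PLEASE use this instead." Telling users to replace their own object/embed handling with code the release notes label experimental is a mixed message for a feature whose whole point is safely allowing plugin content; pick one stance, and if it stays experimental, say in WHATSNEW what the known limits are so nobody switches on %HTML.SafeObject believing it is a finished equivalent of the forum patches.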
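Review bot: the HTMLPurifier.includes.php hunk hand-bumps "@version 3.1.0" to "@version 3.1.1" in a file whose own header says "PLEASE DO NOT EDIT THIS FILE, changes will be overwritten the next time the script is run." If the bump was made by editing the file rather than re-running the generator, the include list may no longer match the library tree for this release; please confirm the file was regenerated, and consider having the generator read the version from the VERSION file so release commits never need to touch this file directly.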
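Review bot: the second HTMLPurifier.php hunk bumps the same literal in two places, `public $version = '3.1.1';` and `const VERSION = '3.1.1';`, and the header comment in the first hunk carries it a third time. Two adjacent copies that must be edited in lockstep will drift on some future release; initializing the property from the constant (`public $version = self::VERSION;`) leaves one source of truth in this file and keeps the public `$version` API unchanged.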
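Review bot: the Config.php hunk maintains yet another copy of the version string, `public $version = '3.1.1';`, separate from `HTMLPurifier::VERSION` bumped in the same patch. This is the value that ends up in serialized definition caches, so a mismatch between the two files would silently produce caches keyed to a stale version; unless Config must stay usable without the HTMLPurifier class loaded, have it reference `HTMLPurifier::VERSION` (or document why the duplication is deliberate) so one release commit cannot leave the two out of sync.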