1 NEWS ( CHANGELOG and HISTORY ) HTMLPurifier
2 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
4 = KEY ====================
10 ==========================
12 4.0.0, unknown release date
13 # APIs for ConfigSchema subsystem have substantially changed. See
14 docs/dev-config-bcbreaks.txt for details; in essence, anything that
15 had both namespace and directive now have a single unified key.
16 # Some configuration directives were renamed, specifically:
17 %AutoFormatParam.PurifierLinkifyDocURL -> %AutoFormat.PurifierLinkify.DocURL
18 %FilterParam.ExtractStyleBlocksEscaping -> %Filter.ExtractStyleBlocks.Escaping
19 %FilterParam.ExtractStyleBlocksScope -> %Filter.ExtractStyleBlocks.Scope
20 %FilterParam.ExtractStyleBlocksTidyImpl -> %Filter.ExtractStyleBlocks.TidyImpl
21 As usual, the old directive names will still work, but will through E_NOTICE
23 ! More robust support for name="" and id=""
24 ! HTMLPurifier_Config::inherit($config) allows you to inherit one
25 configuration, and have changes to that configuration be propagated
26 to all of its children.
27 ! Implement %HTML.Attr.Name.UseCDATA, which relaxes validation rules on
28 the name attribute when set. Use with care. Thanks Ian Cook for
30 ! Implement %AutoFormat.RemoveEmpty.RemoveNbsp, which removes empty
31 tags that contain non-breaking spaces as well other whitespace. You
32 can also modify which tags should have maintained with
33 %AutoFormat.RemoveEmpty.RemoveNbsp.Exceptions.
34 ! Implement %Attr.AllowedClasses, which allows administrators to restrict
35 classes users can use to a specified finite set of classes, and
36 %Attr.ForbiddenClasses, which is the logical inverse.
37 . Created script maintenance/rename-config.php for renaming a configuration
38 directive while maintaining its alias. This script does not change source code.
40 3.3.0, released 2009-02-16
41 ! Implement CSS property 'overflow' when %CSS.AllowTricky is true.
42 ! Implement generic property list classess
43 - Fix bug with testEncodingSupportsASCII() algorithm when iconv() implementation
44 does not do the "right thing" with characters not supported in the output
46 - Spellcheck UTF-8: The Secret To Character Encoding
47 - Fix improper removal of the contents of elements with only whitespace. Thanks
48 Eric Wald for reporting.
49 - Fix broken test suite in versions of PHP without spl_autoload_register()
50 - Fix degenerate case with YouTube filter involving double hyphens.
51 Thanks Pierre Attar for reporting.
52 - Fix YouTube rendering problem on certain versions of Firefox.
53 - Fix CSSDefinition Printer problems with decorators
54 - Add text parameter to unit tests, forces text output
55 . Add verbose mode to command line test runner, use (--verbose)
56 . Turn on unit tests for UnitConverter
57 . Fix missing version number in configuration %Attr.DefaultImageAlt (added 3.2.0)
58 . Fix newline errors that caused spurious failures when CRLF HTML Purifier was
60 . Removed trailing whitespace from all text files, see
61 remote-trailing-whitespace.php maintenance script.
62 . Convert configuration to use property list backend.
64 3.2.0, released 2008-10-31
65 # Using %Core.CollectErrors forces line number/column tracking on, whereas
66 previously you could theoretically turn it off.
67 # HTMLPurifier_Injector->notifyEnd() is formally deprecated. Please
68 use handleEnd() instead.
69 ! %Output.AttrSort for when you need your attributes in alphabetical order to
70 deal with a bug in FCKEditor. Requested by frank farmer.
71 ! Enable HTML comments when %HTML.Trusted is on. Requested by Waldo Jaquith.
72 ! Proper support for name attribute. It is now allowed and equivalent to the id
73 attribute in a and img tags, and is only converted to id when %HTML.TidyLevel
74 is heavy (for all doctypes).
75 ! %AutoFormat.RemoveEmpty to remove some empty tags from documents. Please don't
76 use on hand-written HTML.
77 ! Add error-cases for unsupported elements in MakeWellFormed. This enables
78 the strategy to be used, standalone, on untrusted input.
79 ! %Core.AggressivelyFixLt is on by default. This causes more sensible
80 processing of left angled brackets in smileys and other whatnot.
81 ! Test scripts now have a 'type' parameter, which lets you say 'htmlpurifier',
82 'phpt', 'vtest', etc. in order to only execute those tests. This supercedes
83 the --only-phpt parameter, although for backwards-compatibility the flag
85 ! AutoParagraph auto-formatter will now preserve double-newlines upon output.
86 Users who are not performing inbound filtering, this may seem a little
87 useless, but as a bonus, the test suite and handling of edge cases is also
89 ! Experimental implementation of forms for %HTML.Trusted
90 ! Track column numbers when maintain line numbers is on
91 ! Proprietary 'background' attribute on table-related elements converted into
92 corresponding CSS. Thanks Fusemail for sponsoring this feature!
93 ! Add forward(), forwardUntilEndToken(), backward() and current() to Injector
95 ! HTMLPurifier_Injector->handleEnd() permits modification to end tokens. The
96 time of operation varies slightly from notifyEnd() as *all* end tokens are
97 processed by the injector before they are subject to the well-formedness rules.
98 ! %Attr.DefaultImageAlt allows overriding default behavior of setting alt to
99 basename of image when not present.
100 ! %AutoFormat.DisplayLinkURI neuters <a> tags into plain text URLs.
101 - Fix two bugs in %URI.MakeAbsolute; one involving empty paths in base URLs,
102 the other involving an undefined $is_folder error.
103 - Throw error when %Core.Encoding is set to a spurious value. Previously,
104 this errored silently and returned false.
105 - Redirected stderr to stdout for flush error output.
106 - %URI.DisableExternal will now use the host in %URI.Base if %URI.Host is not
108 - Do not re-munge URL if the output URL has the same host as the input URL.
110 - Fix error in documentation regarding %Filter.ExtractStyleBlocks
111 - Prevent <![CDATA[<body></body>]]> from triggering %Core.ConvertDocumentToFragment
112 - Fix bug with inline elements in blockquotes conflicting with strict doctype
113 - Detect if HTML support is disabled for DOM by checking for loadHTML() method.
114 - Fix bug where dots and double-dots in absolute URLs without hostname were
115 not collapsed by URIFilter_MakeAbsolute.
116 - Fix bug with anonymous modules operating on SafeEmbed or SafeObject elements
117 by reordering their addition.
118 - Will now throw exception on many error conditions during lexer creation; also
119 throw an exception when MaintainLineNumbers is true, but a non-tracksLineNumbers
121 - Detect if domxml extension is loaded, and use DirectLEx accordingly.
122 - Improve handling of big numbers with floating point arithmetic in UnitConverter.
123 Reported by David Morton.
124 . Strategy_MakeWellFormed now operates in-place, saving memory and allowing
125 for more interesting filter-backtracking
126 . New HTMLPurifier_Injector->rewind() functionality, allows injectors to rewind
127 index to reprocess tokens.
128 . StringHashParser now allows for multiline sections with "empty" content;
129 previously the section would remain undefined.
130 . Added --quick option to multitest.php, which tests only the most recent
131 release for each series.
132 . Added --distro option to multitest.php, which accepts either 'normal' or
133 'standalone'. This supercedes --exclude-normal and --exclude-standalone
135 3.1.1, released 2008-06-19
136 # %URI.Munge now, by default, does not munge resources (for example, <img src="">)
137 In order to enable this again, please set %URI.MungeResources to true.
138 ! More robust imagecrash protection with height/width CSS with %CSS.MaxImgLength,
139 and height/width HTML with %HTML.MaxImgLength.
140 ! %URI.MungeSecretKey for secure URI munging. Thanks Chris
141 for sponsoring this feature. Check out the corresponding documentation
142 for details. (Att Nightly testers: The API for this feature changed before
143 the general release. Namely, rename your directives %URI.SecureMungeSecretKey =>
144 %URI.MungeSecretKey and and %URI.SecureMunge => %URI.Munge)
145 ! Implemented post URI filtering. Set member variable $post to true to set
147 ! Allow modules to define injectors via $info_injector. Injectors are
148 automatically disabled if injector's needed elements are not found.
149 ! Support for "safe" objects added, use %HTML.SafeObject and %HTML.SafeEmbed.
150 Thanks Chris for sponsoring. If you've been using ad hoc code from the
151 forums, PLEASE use this instead.
152 ! Added substitutions for %e, %n, %a and %p in %URI.Munge (in order,
153 embedded, tag name, attribute name, CSS property name). See %URI.Munge
154 for more details. Requested by Jochem Blok.
155 - Disable percent height/width attributes for img.
156 - AttrValidator operations are now atomic; updates to attributes are not
157 manifest in token until end of operations. This prevents naughty internal
158 code from directly modifying CurrentToken when they're not supposed to.
159 This semantics change was requested by frank farmer.
160 - Percent encoding checks enabled for URI query and fragment
161 - Fix stray backslashes in font-family; CSS Unicode character escapes are
162 now properly resolved (although *only* in font-family). Thanks Takeshi Terada
164 - Improve parseCDATA algorithm to take into account newline normalization
165 - Account for browser confusion between Yen character and backslash in
166 Shift_JIS encoding. This fix generalizes to any other encoding which is not
167 a strict superset of printable ASCII. Thanks Takeshi Terada for reporting.
168 - Fix missing configuration parameter in Generator calls. Thanks vs for the
170 - Improved adherence to Unicode by checking for non-character codepoints.
171 Thanks Geoffrey Sneddon for reporting. This may result in degraded
172 performance for extremely large inputs.
173 - Allow CSS property-value pair ''text-decoration: none''. Thanks Jochem Blok
175 . Added HTMLPurifier_UnitConverter and HTMLPurifier_Length for convenient
176 handling of CSS-style lengths. HTMLPurifier_AttrDef_CSS_Length now uses
178 . API of HTMLPurifier_AttrDef_CSS_Length changed from __construct($disable_negative)
179 to __construct($min, $max). __construct(true) is equivalent to
181 . Added HTMLPurifier_AttrDef_Switch class
182 . Rename HTMLPurifier_HTMLModule_Tidy->construct() to setup() and bubble method
183 up inheritance hierarchy to HTMLPurifier_HTMLModule. All HTMLModules
184 get this called with the configuration object. All modules now
185 use this rather than __construct(), although legacy code using constructors
186 will still work--the new format, however, lets modules access the
187 configuration object for HTML namespace dependant tweaks.
188 . AttrDef_HTML_Pixels now takes a single construction parameter, pixels.
189 . ConfigSchema data-structure heavily optimized; on average it uses a third
190 the memory it did previously. The interface has changed accordingly,
191 consult changes to HTMLPurifier_Config for details.
192 . Variable parsing types now are magic integers instead of strings
193 . Added benchmark for ConfigSchema
194 . HTMLPurifier_Generator requires $config and $context parameters. If you
195 don't know what they should be, use HTMLPurifier_Config::createDefault()
196 and new HTMLPurifier_Context().
197 . Printers now properly distinguish between output configuration, and
198 target configuration. This is not applicable to scripts using
199 the Printers for HTML Purifier related tasks.
200 . HTML/CSS Printers must be primed with prepareGenerator($gen_config), otherwise
201 fatal errors will ensue.
202 . URIFilter->prepare can return false in order to abort loading of the filter
203 . Factory for AttrDef_URI implemented, URI#embedded to indicate URI that embeds
204 an external resource.
205 . %URI.Munge functionality factored out into a post-filter class.
206 . Added CurrentCSSProperty context variable during CSS validation
208 3.1.0, released 2008-05-18
209 # Unnecessary references to objects (vestiges of PHP4) removed from method
210 signatures. The following methods do not need references when assigning from
211 them and will result in E_STRICT errors if you try:
212 + HTMLPurifier_Config->get*Definition() [* = HTML, CSS]
213 + HTMLPurifier_ConfigSchema::instance()
214 + HTMLPurifier_DefinitionCacheFactory::instance()
215 + HTMLPurifier_DefinitionCacheFactory->create()
216 + HTMLPurifier_DoctypeRegistry->register()
217 + HTMLPurifier_DoctypeRegistry->get()
218 + HTMLPurifier_HTMLModule->addElement()
219 + HTMLPurifier_HTMLModule->addBlankElement()
220 + HTMLPurifier_LanguageFactory::instance()
221 # Printer_ConfigForm's get*() functions were static-ified
222 # %HTML.ForbiddenAttributes requires attribute declarations to be in the
223 form of tag@attr, NOT tag.attr (which will throw an error and won't do
224 anything). This is for forwards compatibility with XML; you'd do best
225 to migrate an %HTML.AllowedAttributes directives to this syntax too.
226 ! Allow index to be false for config from form creation
227 ! Added HTMLPurifier::VERSION constant
228 ! Commas, not dashes, used for serializer IDs. This change is forwards-compatible
229 and allows for version numbers like "3.1.0-dev".
230 ! %HTML.Allowed deals gracefully with whitespace anywhere, anytime!
231 ! HTML Purifier's URI handling is a lot more robust, with much stricter
232 validation checks and better percent encoding handling. Thanks Gareth Heyes
233 for indicating security vulnerabilities from lax percent encoding.
234 ! Bootstrap autoloader deals more robustly with classes that don't exist,
235 preventing class_exists($class, true) from barfing.
236 - InterchangeBuilder now alphabetizes its lists
237 - Validation error in configdoc output fixed
238 - Iconv and other encoding errors muted even with custom error handlers that
239 do not honor error_reporting
240 - Add protection against imagecrash attack with CSS height/width
241 - HTMLPurifier::instance() created for consistency, is equivalent to getInstance()
242 - Fixed and revamped broken ConfigForm smoketest
243 - Bug with bool/null fields in Printer_ConfigForm fixed
244 - Bug with global forbidden attributes fixed
245 - Improved error messages for allowed and forbidden HTML elements and attributes
246 - Missing (or null) in configdoc documentation restored
247 - If DOM throws and exception during parsing with PH5P (occurs in newer versions
248 of DOM), HTML Purifier punts to DirectLex
249 - Fatal error with unserialization of ScriptRequired
250 - Created directories are now chmod'ed properly
251 - Fixed bug with fallback languages in LanguageFactory
252 - Standalone testing setup properly with autoload
253 . Out-of-date documentation revised
254 . UTF-8 encoding check optimization as suggested by Diego
255 . HTMLPurifier_Error removed in favor of exceptions
256 . More copy() function removed; should use clone instead
257 . More extensive unit tests for HTMLDefinition
258 . assertPurification moved to central harness
259 . HTMLPurifier_Generator accepts $config and $context parameters during
260 instantiation, not runtime
261 . Double-quotes outside of attribute values are now unescaped
263 3.1.0rc1, released 2008-04-22
264 # Autoload support added. Internal require_once's removed in favor of an
265 explicit require list or autoloading. To use HTML Purifier,
266 you must now either use HTMLPurifier.auto.php
267 or HTMLPurifier.includes.php; setting the include path and including
268 HTMLPurifier.php is insufficient--in such cases include HTMLPurifier.autoload.php
269 as well to register our autoload handler (or modify your autoload function
270 to check HTMLPurifier_Bootstrap::getPath($class)). You can also use
271 HTMLPurifier.safe-includes.php for a less performance friendly but more
272 user-friendly library load.
273 # HTMLPurifier_ConfigSchema static functions are officially deprecated. Schema
274 information is stored in the ConfigSchema directory, and the
275 maintenance/generate-schema-cache.php generates the schema.ser file, which
276 is now instantiated. Support for userland schema changes coming soon!
277 # HTMLPurifier_Config will now throw E_USER_NOTICE when you use a directive
278 alias; to get rid of these errors just modify your configuration to use
279 the new directive name.
280 # HTMLPurifier->addFilter is deprecated; built-in filters can now be
281 enabled using %Filter.$filter_name or by setting your own filters using
283 # Directive-level safety properties superceded in favor of module-level
284 safety. Internal method HTMLModule->addElement() has changed, although
285 the externally visible HTMLDefinition->addElement has *not* changed.
286 ! Extra utility classes for testing and non-library operations can
287 be found in extras/. Specifically, these are FSTools and ConfigDoc.
288 You may find a use for these in your own project, but right now they
289 are highly experimental and volatile.
290 ! Integration with PHPT allows for automated smoketests
291 ! Limited support for proprietary HTML elements, namely <marquee>, sponsored
292 by Chris. You can enable them with %HTML.Proprietary if your client
294 ! Support for !important CSS cascade modifier. By default, this will be stripped
295 from CSS, but you can enable it using %CSS.AllowImportant
296 ! Support for display and visibility CSS properties added, set %CSS.AllowTricky
298 ! HTML Purifier now has its own Exception hierarchy under HTMLPurifier_Exception.
299 Developer error (not enduser error) can cause these to be triggered.
300 ! Experimental kses() wrapper introduced with HTMLPurifier.kses.php
301 ! Finally %CSS.AllowedProperties for tweaking allowed CSS properties without
302 mucking around with HTMLPurifier_CSSDefinition
303 ! ConfigDoc output has been enhanced with version and deprecation info.
304 ! %HTML.ForbiddenAttributes and %HTML.ForbiddenElements implemented.
305 - Autoclose now operates iteratively, i.e. <span><span><div> now has
306 both span tags closed.
307 - Various HTMLPurifier_Config convenience functions now accept another parameter
308 $schema which defines what HTMLPurifier_ConfigSchema to use besides the
310 - Fix bug with trusted script handling in libxml versions later than 2.6.28.
311 - Fix bug in ExtractStyleBlocks with comments in style tags
312 - Fix bug in comment parsing for DirectLex
313 - Flush output now displayed when in command line mode for unit tester
314 - Fix bug with rgb(0, 1, 2) color syntax with spaces inside shorthand syntax
315 - HTMLPurifier_HTMLDefinition->addAttribute can now be called multiple times
316 on the same element without emitting errors.
317 - Fixed fatal error in PH5P lexer with invalid tag names
318 . Plugins now get their own changelogs according to project conventions.
319 . Convert tokens to use instanceof, reducing memory footprint and
320 improving comparison speed.
321 . Dry runs now supported in SimpleTest; testing facilities improved
322 . Bootstrap class added for handling autoloading functionality
323 . Implemented recursive glob at FSTools->globr
324 . ConfigSchema now has instance methods for all corresponding define*
326 . A couple of new historical maintenance scripts were added.
327 . HTMLPurifier/HTMLModule/Tidy/XHTMLAndHTML4.php split into two files
328 . tests/index.php can now be run from any directory.
329 . HTMLPurifier_Token subclasses split into seperate files
330 . HTMLPURIFIER_PREFIX now is defined in Bootstrap.php, NOT HTMLPurifier.php
331 . HTMLPURIFIER_PREFIX can now be defined outside of HTML Purifier
332 . New --php=php flag added, allows PHP executable to be specified (command
334 . htmlpurifier_add_test() preferred method to translate test files in to
335 classes, because it handles PHPT files too.
336 . Debugger class is deprecated and will be removed soon.
337 . Command line argument parsing for testing scripts revamped, now --opt value
339 . Smoketests now cleanup after magic quotes
340 . Generator now can output comments (however, comments are still stripped
341 from HTML Purifier output)
342 . HTMLPurifier_ConfigSchema->validate() deprecated in favor of
343 HTMLPurifier_VarParser->parse()
344 . Integers auto-cast into float type by VarParser.
345 . HTMLPURIFIER_STRICT removed; no validation is performed on runtime, only
346 during cache generation
347 . Reordered script calls in maintenance/flush.php
348 . Command line scripts now honor exit codes
349 . When --flush fails in unit testers, abort tests and print message
350 . Improved documentation in docs/dev-flush.html about the maintenance scripts
351 . copy() methods removed in favor of clone keyword
353 3.0.0, released 2008-01-06
354 # HTML Purifier is PHP 5 only! The 2.1.x branch will be maintained
355 until PHP 4 is completely deprecated, but no new features will be added
357 + Visibility declarations added
358 + Constructor methods renamed to __construct()
359 + PHP4 reference cruft removed (in progress)
360 ! CSS properties are now case-insensitive
361 ! DefinitionCacheFactory now can register new implementations
362 ! New HTMLPurifier_Filter_ExtractStyleBlocks for extracting <style> from
363 documents and cleaning their contents up. Requires the CSSTidy library
364 <http://csstidy.sourceforge.net/>. You can access the blocks with the
365 'StyleBlocks' Context variable ($purifier->context->get('StyleBlocks')).
366 The output CSS can also be "scoped" for a specific element, use:
367 %Filter.ExtractStyleBlocksScope
368 ! Experimental support for some proprietary CSS attributes allowed:
369 opacity (and all of the browser-specific equivalents) and scrollbar colors.
370 Enable by setting %CSS.Proprietary to true.
371 - Colors missing # but in hex form will be corrected
372 - CSS Number algorithm improved
373 - Unit testing and multi-testing now on steroids: command lines,
374 XML output, and other goodies now added.
375 . Unit tests for Injector improved
377 + HTMLPurifier_AttrDef_CSS_AlphaValue
378 + HTMLPurifier_AttrDef_CSS_Filter
379 . Multitest now has a file docblock
381 2.1.3, released 2007-11-05
382 ! tests/multitest.php allows you to test multiple versions by running
383 tests/index.php through multiple interpreters using `phpv` shell
384 script (you must provide this script!)
385 - Fixed poor include ordering for Email URI AttrDefs, causes fatal errors
387 - Injector algorithm further refined: off-by-one error regarding skip
388 counts for dormant injectors fixed
389 - Corrective blockquote definition now enabled for HTML 4.01 Strict
390 - Fatal error when <img> tag (or any other element with required attributes)
391 has 'id' attribute fixed, thanks NykO18 for reporting
392 - Fix warning emitted when a non-supported URI scheme is passed to the
393 MakeAbsolute URIFilter, thanks NykO18 (again)
394 - Further refine AutoParagraph injector. Behavior inside of elements
395 allowing paragraph tags clarified: only inline content delimeted by
396 double newlines (not block elements) are paragraphed.
397 - Buggy treatment of end tags of elements that have required attributes
398 fixed (does not manifest on default tag-set)
399 - Spurious internal content reorganization error suppressed
400 - HTMLDefinition->addElement now returns a reference to the created
401 element object, as implied by the documentation
402 - Phorum mod's HTML Purifier help message expanded (unreleased elsewhere)
403 - Fix a theoretical class of infinite loops from DirectLex reported
405 - Work around unnecessary DOMElement type-cast in PH5P that caused errors
407 - Work around PHP 4 SimpleTest lack-of-error complaining for one-time-only
408 HTMLDefinition errors, this may indicate problems with error-collecting
410 - Make ErrorCollectorEMock work in both PHP 4 and PHP 5
411 - Make PH5P work with PHP 5.0 by removing unnecessary array parameter typedef
412 . %Core.AcceptFullDocuments renamed to %Core.ConvertDocumentToFragment
413 to better communicate its purpose
414 . Error unit tests can now specify the expectation of no errors. Future
415 iterations of the harness will be extremely strict about what errors
417 . Extend Injector hooks to allow for more powerful injector routines
418 . HTMLDefinition->addBlankElement created, as according to the HTMLModule
420 . Doxygen configuration file updated, with minor improvements
421 . Test runner now checks for similarly named files in conf/ directory too.
422 . Minor cosmetic change to flush-definition-cache.php: trailing newline is
424 . Maintenance script for generating PH5P patch added, original PH5P source
425 file also added under version control
426 . Full unit test runner script title made more descriptive with PHP version
427 . Updated INSTALL file to state that 4.3.7 is the earliest version we
430 2.1.2, released 2007-09-03
431 ! Implemented Object module for trusted users
432 ! Implemented experimental HTML5 parsing mode using PH5P. To use, add
434 require_once 'HTMLPurifier/Lexer/PH5P.php';
435 $config->set('Core', 'LexerImpl', 'PH5P');
436 Note that this Lexer introduces some classes not in the HTMLPurifier
437 namespace. Also, this is PHP5 only.
438 ! CSS property border-spacing implemented
439 - Fix non-visible parsing error in DirectLex with empty tags that have
440 slashes inside attribute values.
441 - Fix typo in CSS definition: border-collapse:seperate; was incorrectly
442 accepted as valid CSS. Usually non-visible, because this styling is the
443 default for tables in most browsers. Thanks Brett Zamir for pointing
445 - Fix validation errors in configuration form
446 - Hammer out a bunch of edge-case bugs in the standalone distribution
447 - Inclusion reflection removed from URISchemeRegistry; you must manually
448 include any new schema files you wish to use
449 - Numerous typo fixes in documentation thanks to Brett Zamir
450 . Unit test refactoring for one logical test per test function
451 . Config and context parameters in ComplexHarness deprecated: instead, edit
452 the $config and $context member variables
453 . HTML wrapper in DOMLex now takes DTD identifiers into account; doesn't
454 really make a difference, but is good for completeness sake
455 . merge-library.php script refactored for greater code reusability and
458 2.1.1, released 2007-08-04
459 - Fix show-stopper bug in %URI.MakeAbsolute functionality
460 - Fix PHP4 syntax error in standalone version
461 . Add prefix directory to include path for standalone, this prevents
462 other installations from clobbering the standalone's URI schemes
463 . Single test methods can be invoked by prefixing with __only
465 2.1.0, released 2007-08-02
466 # flush-htmldefinition-cache.php superseded in favor of a generic
467 flush-definition-cache.php script, you can clear a specific cache
468 by passing its name as a parameter to the script
469 ! Phorum mod implemented for HTML Purifier
470 ! With %Core.AggressivelyFixLt, <3 and similar emoticons no longer
471 trigger HTML removal in PHP5 (DOMLex). This directive is not necessary
472 for PHP4 (DirectLex).
473 ! Standalone file now available, which greatly reduces the amount of
474 includes (although there are still a few files that reside in the
476 ! Relative URIs can now be transformed into their absolute equivalents
477 using %URI.Base and %URI.MakeAbsolute
478 ! Ruby implemented for XHTML 1.1
479 ! You can now define custom URI filtering behavior, see enduser-uri-filter.html
481 ! UTF-8 font names now supported in CSS
482 - AutoFormatters emit friendly error messages if tags or attributes they
484 - ConfigForm's compactification of directive names is now configurable
485 - AutoParagraph autoformatter algorithm refined after field-testing
486 - XHTML 1.1 now applies XHTML 1.0 Strict cleanup routines, namely
488 - Contents of <style> tags removed by default when tags are removed
489 . HTMLPurifier_Config->getSerial() implemented, this is extremely useful
490 for output cache invalidation
491 . ConfigForm printer now can retrieve CSS and JS files as strings, in
492 case HTML Purifier's directory is not publically accessible
493 . Introduce new text/itext configuration directive values: these represent
494 longer strings that would be more appropriately edited with a textarea
495 . Allow newlines to act as separators for lists, hashes, lookups and
497 . ConfigForm generates textareas instead of text inputs for lists, hashes,
498 lookups, text and itext fields
499 . Hidden element content removal genericized: %Core.HiddenElements can
500 be used to customize this behavior, by default <script> and <style> are
502 . Added HTMLPURIFIER_PREFIX constant, should be used instead of dirname(__FILE__)
503 . Custom ChildDef added to default include list
504 . URIScheme reflection improved: will not attempt to include file if class
505 already exists. May clobber autoload, so I need to keep an eye on it
506 . ConfigSchema heavily optimized, will only collect information and validate
507 definitions when HTMLPURIFIER_SCHEMA_STRICT is true.
508 . AttrDef_URI unit tests and implementation refactored
509 . benchmarks/ directory now protected from public view with .htaccess file;
510 run the tests via command line
511 . URI scheme is munged off if there is no authority and the scheme is the
513 . All unit tests inherit from HTMLPurifier_Harness, not UnitTestCase
514 . Interface for URIScheme changed
515 . Generic URI object to hold components of URI added, most systems involved
516 in URI validation have been migrated to use it
517 . Custom filtering for URIs factored out to URIDefinition interface for
518 maximum extensibility
520 2.0.1, released 2007-06-27
521 ! Tag auto-closing now based on a ChildDef heuristic rather than a
522 manually set auto_close array; some behavior may change
523 ! Experimental AutoFormat functionality added: auto-paragraph and
524 linkify your HTML input by setting %AutoFormat.AutoParagraph and
525 %AutoFormat.Linkify to true
526 ! Newlines normalized internally, and then converted back to the
527 value of PHP_EOL. If this is not desired, set your newline format
528 using %Output.Newline.
529 ! Beta error collection, messages are implemented for the most generic
530 cases involving Lexing or Strategies
531 - Clean up special case code for <script> tags
532 - Reorder includes for DefinitionCache decorators, fixes a possible
534 - Fixed bug where manually modified definitions were not saved via cache
535 (mostly harmless, except for the fact that it would be a little slower)
536 - Configuration objects with different serials do not clobber each
537 others when revision numbers are unequal
538 - Improve Serializer DefinitionCache directory permissions checks
539 - DefinitionCache no longer throws errors when it encounters old
540 serial files that do not conform to the current style
541 - Stray xmlns attributes removed from configuration documentation
542 - configForm.php smoketest no longer has XSS vulnerability due to
543 unescaped print_r output
544 - Printer adheres to configuration's directives on output format
545 - Fix improperly named form field in ConfigForm printer
546 . Rewire some test-cases to swallow errors rather than expect them
547 . HTMLDefinition printer updated with some of the new attributes
548 . DefinitionCache keys reordered to reflect precedence: version number,
549 hash, then revision number
550 . %Core.DefinitionCache renamed to %Cache.DefinitionImpl
551 . Interlinking in configuration documentation added using
552 Injector_PurifierLinkify
553 . Directives now keep track of aliases to themselves
554 . Error collector now requires a severity to be passed, use PHP's internal
555 error constants for this
556 . HTMLPurifier_Config::getAllowedDirectivesForForm implemented, allows
557 much easier selective embedding of configuration values
558 . Doctype objects now accept public and system DTD identifiers
559 . %HTML.Doctype is now constrained by specific values, to specify a custom
560 doctype use new %HTML.CustomDoctype
561 . ConfigForm truncates long directives to keep the form small, and does
562 not re-output namespaces
564 2.0.0, released 2007-06-20
565 # Completely refactored HTMLModuleManager, decentralizing safety
567 # Transform modules changed to Tidy modules, which offer more flexibility
568 and better modularization
569 # Configuration object now finalizes itself when a read operation is
570 performed on it, ensuring that its internal state stays consistent.
571 To revert this behavior, you can set the $autoFinalize member variable
572 off, but it's not recommended.
573 # New compact syntax for AttrDef objects that can be used to instantiate
574 new objects via make()
575 # Definitions (esp. HTMLDefinition) are now cached for a significant
576 performance boost. You can disable caching by setting %Core.DefinitionCache
577 to null. You CANNOT edit raw definitions without setting the corresponding
578 DefinitionID directive (%HTML.DefinitionID for HTMLDefinition).
579 # Contents between <script> tags are now completely removed if <script>
581 # Prototype-declarations for Lexer removed in favor of configuration
582 determination of Lexer implementations.
583 ! HTML Purifier now works in PHP 4.3.2.
584 ! Configuration form-editing API makes tweaking HTMLPurifier_Config a
586 ! Configuration directives that accept hashes now allow new string
587 format: key1:value1,key2:value2
588 ! ConfigDoc now factored into OOP design
589 ! All deprecated elements now natively supported
590 ! Implement TinyMCE styled whitelist specification format in
592 ! Config object gives more friendly error messages when things go wrong
593 ! Advanced API implemented: easy functions for creating elements (addElement)
594 and attributes (addAttribute) on HTMLDefinition
595 ! Add native support for required attributes
596 - Deprecated and removed EnableRedundantUTF8Cleaning. It didn't even work!
597 - DOMLex will not emit errors when a custom error handler that does not
598 honor error_reporting is used
599 - StrictBlockquote child definition refrains from wrapping whitespace
601 - Bug resulting from tag transforms to non-allowed elements fixed
602 - ChildDef_Custom's regex generation has been improved, removing several
604 . Unit test for ElementDef created, ElementDef behavior modified to
606 . Added convenience functions for HTMLModule constructors
607 . AttrTypes now has accessor functions that should be used instead
608 of directly manipulating info
609 . TagTransform_Center deprecated in favor of generic TagTransform_Simple
610 . Add extra protection in AttrDef_URI against phantom Schemes
611 . Doctype object added to HTMLDefinition which describes certain aspects
612 of the operational document type
613 . Lexer is now pre-emptively included, with a conditional include for the
615 . HTMLDefinition and CSSDefinition have a common parent class: Definition.
616 . DirectLex can now track line-numbers
617 . Preliminary error collector is in place, although no code actually reports
619 . Factor out most of ValidateAttributes to new AttrValidator class
621 1.6.1, released 2007-05-05
622 ! Support for more deprecated attributes via transformations:
623 + hspace and vspace in img
624 + size and noshade in hr
627 + align in caption, table, img and hr
628 + type in ul, ol and li
629 ! DirectLex now preserves text in which a < bracket is followed by
630 a non-alphanumeric character. This means that certain emoticons
632 ! %Core.RemoveInvalidImg is now operational, when set to false invalid
633 images will hang around with an empty src
634 ! target attribute in a tag supported, use %Attr.AllowedFrameTargets
636 ! CSS property white-space now allows nowrap (supported in all modern
637 browsers) but not others (which have spotty browser implementations)
638 ! XHTML 1.1 mode now sort-of works without any fatal errors, and
639 lang is now moved over to xml:lang.
640 ! Attribute transformation smoketest available at smoketests/attrTransform.php
641 ! Transformation of font's size attribute now handles super-large numbers
642 - Possibly fatal bug with __autoload() fixed in module manager
643 - Invert HTMLModuleManager->addModule() processing order to check
644 prefixes first and then the literal module
645 - Empty strings get converted to empty arrays instead of arrays with
646 an empty string in them.
647 - Merging in attribute lists now works.
648 . Demo script removed: it has been added to the website's repository
649 . Basic.php script modified to work out of the box
650 . Refactor AttrTransform classes to reduce duplication
651 . AttrTransform_TextAlign axed in favor of a more general
652 AttrTransform_EnumToCSS, refer to HTMLModule/TransformToStrict.php to
653 see how the new equivalent is implemented
654 . Unit tests now use exclusively assertIdentical
656 1.6.0, released 2007-04-01
657 ! Support for most common deprecated attributes via transformations:
658 + bgcolor in td, th, tr and table
661 + width in td, th and hr
663 ! Support for CSS attribute 'height' added
664 ! Support for rel and rev attributes in a tags added, use %Attr.AllowedRel
665 and %Attr.AllowedRev to activate
666 - You can define ID blacklists using regular expressions via
667 %Attr.IDBlacklistRegexp
668 - Error messages are emitted when you attempt to "allow" elements or
669 attributes that HTML Purifier does not support
670 - Fix segfault in unit test. The problem is not very reproduceable and
671 I don't know what causes it, but a six line patch fixed it.
673 1.5.0, released 2007-03-23
674 ! Added a rudimentary I18N and L10N system modeled off MediaWiki. It
675 doesn't actually do anything yet, but keep your eyes peeled.
676 ! docs/enduser-utf8.html explains how to use UTF-8 and HTML Purifier
677 ! Newly structured HTMLDefinition modeled off of XHTML 1.1 modules.
678 I am loathe to release beta quality APIs, but this is exactly that;
679 don't use the internal interfaces if you're not willing to do migration
681 - Allow 'x' subtag in language codes
682 - Fixed buggy chameleon-support for ins and del
683 . Added support for IDREF attributes (i.e. for)
684 . Renamed HTMLPurifier_AttrDef_Class to HTMLPurifier_AttrDef_Nmtokens
685 . Removed context variable ParentType, replaced with IsInline, which
686 is false when you're not inline and an integer of the parent that
687 caused you to become inline when you are (so possibly zero)
688 . Removed ElementDef->type in favor of ElementDef->descendants_are_inline
689 and HTMLDefinition->content_sets
690 . StrictBlockquote now reports what elements its supposed to allow,
691 rather than what it does allow
692 . Removed HTMLDefinition->info_flow_elements in favor of
693 HTMLDefinition->content_sets['Flow']
694 . Removed redundant "exclusionary" definitions from DTD roster
695 . StrictBlockquote now requires a construction parameter as if it
696 were an Required ChildDef, this is the "real" set of allowed elements
697 . AttrDef partitioned into HTML, CSS and URI segments
698 . Modify Youtube filter regexp to be multiline
699 . Require both PHP5 and DOM extension in order to use DOMLex, fixes
700 some edge cases where a DOMDocument class exists in a PHP4 environment
701 due to DOM XML extension.
703 1.4.1, released 2007-01-21
704 ! docs/enduser-youtube.html updated according to new functionality
705 - YouTube IDs can have underscores and dashes
707 1.4.0, released 2007-01-21
708 ! Implemented list-style-image, URIs now allowed in list-style
709 ! Implemented background-image, background-repeat, background-attachment
710 and background-position CSS properties. Shorthand property background
711 supports all of these properties.
712 ! Configuration documentation looks nicer
713 ! Added %Core.EscapeNonASCIICharacters to workaround loss of Unicode
714 characters while %Core.Encoding is set to a non-UTF-8 encoding.
715 ! Support for configuration directive aliases added
716 ! Config object can now be instantiated from ini files
717 ! YouTube preservation code added to the core, with two lines of code
718 you can add it as a filter to your code. See smoketests/preserveYouTube.php
720 ! Moved SLOW to docs/enduser-slow.html and added code examples
721 - Replaced version check with functionality check for DOM (thanks Stephen
723 . Added smoketest 'all.php', which loads all other smoketests via frames
724 . Implemented AttrDef_CSSURI for url(http://google.com) style declarations
725 . Added convenient single test selector form on test runner
727 1.3.2, released 2006-12-25
728 ! HTMLPurifier object now accepts configuration arrays, no need to manually
729 instantiate a configuration object
730 ! Context object now accessible to outside
731 ! Added enduser-youtube.html, explains how to embed YouTube videos. See
732 also corresponding smoketest preserveYouTube.php.
733 ! Added purifyArray(), which takes a list of HTML and purifies it all
734 ! Added static member variable $version to HTML Purifier with PHP-compatible
735 version number string.
736 - Fixed fatal error thrown by upper-cased language attributes
737 - printDefinition.php: added labels, added better clarification
738 . HTMLPurifier_Config::create() added, takes mixed variable and converts into
739 a HTMLPurifier_Config object.
741 1.3.1, released 2006-12-06
742 ! Added HTMLPurifier.func.php stub for a convenient function to call the library
743 - Fixed bug in RemoveInvalidImg code that caused all images to be dropped
744 (thanks to .mario for reporting this)
745 . Standardized all attribute handling variables to attr, made it plural
747 1.3.0, released 2006-11-26
748 # Invalid images are now removed, rather than replaced with a dud
749 <img src="" alt="Invalid image" />. Previous behavior can be restored
750 with new directive %Core.RemoveInvalidImg set to false.
751 ! (X)HTML Strict now supported
752 + Transparently handles inline elements in block context (blockquote)
753 ! Added GET method to demo for easier validation, added 50kb max input size
754 ! New directive %HTML.BlockWrapper, for block-ifying inline elements
755 ! New directive %HTML.Parent, allows you to only allow inline content
756 ! New directives %HTML.AllowedElements and %HTML.AllowedAttributes to let
757 users narrow the set of allowed tags
758 ! <li value="4"> and <ul start="2"> now allowed in loose mode
759 ! New directives %URI.DisableExternalResources and %URI.DisableResources
760 ! New directive %Attr.DisableURI, which eliminates all hyperlinking
761 ! New directive %URI.Munge, munges URI so you can use some sort of redirector
762 service to avoid PageRank leaks or warn users that they are exiting your site.
763 ! Added spiffy new smoketest printDefinition.php, which lets you twiddle with
764 the configuration settings and see how the internal rules are affected.
765 ! New directive %URI.HostBlacklist for blocking links to bad hosts.
766 xssAttacks.php smoketest updated accordingly.
767 - Added missing type to ChildDef_Chameleon
768 - Remove Tidy option from demo if there is not Tidy available
769 . ChildDef_Required guards against empty tags
770 . Lookup table HTMLDefinition->info_flow_elements added
771 . Added peace-of-mind variable initialization to Strategy_FixNesting
772 . Added HTMLPurifier->info_parent_def, parent child processing made special
773 . Added internal documents briefly summarizing future progression of HTML
774 . HTMLPurifier_Config->getBatch($namespace) added
775 . More lenient casting to bool from string in HTMLPurifier_ConfigSchema
776 . Refactored ChildDef classes into their own files
778 1.2.0, released 2006-11-19
779 # ID attributes now disabled by default. New directives:
780 + %HTML.EnableAttrID - restores old behavior by allowing IDs
781 + %Attr.IDPrefix - %Attr.IDBlacklist alternative that munges all user IDs
782 so that they don't collide with your IDs
783 + %Attr.IDPrefixLocal - Same as above, but for when there are multiple
784 instances of user content on the page
785 + Profuse documentation on how to use these available in docs/enduser-id.txt
786 ! Added MODx plugin <http://modxcms.com/forums/index.php/topic,6604.0.html>
787 ! Added percent encoding normalization
788 ! XSS attacks smoketest given facelift
789 ! Configuration documentation now has table of contents
790 ! Added %URI.DisableExternal, which prevents links to external websites. You
791 can also use %URI.Host to permit absolute linking to subdomains
792 ! Non-accessible resources (ex. mailto) blocked from embedded URIs (img src)
793 - Type variable in HTMLDefinition was not being set properly, fixed
794 - Documentation updated
795 + TODO added request Phalanger
796 + TODO added request Native compression
797 + TODO added request Remove redundant tags
798 + TODO added possible plaintext formatter for HTML Purifier documentation
799 + Updated ConfigDoc TODO
800 + Improved inline comments in AttrDef/Class.php, AttrDef/CSS.php
802 + Revamped documentation into HTML, along with misc updates
803 - HTMLPurifier_Context doesn't throw a variable reference error if you attempt
804 to retrieve a non-existent variable
805 . Switched to purify()-wide Context object registry
806 . Refactored unit tests to minimize duplication
807 . XSS attack sheet updated
808 . configdoc.xml now has xml:space attached to default value nodes
809 . Allow configuration directives to permit null values
810 . Cleaned up test-cases to remove unnecessary swallowErrors()
812 1.1.2, released 2006-09-30
813 ! Add HTMLPurifier.auto.php stub file that configures include_path
814 - Documentation updated
815 + INSTALL document rewritten
816 + TODO added semi-lossy conversion
817 + API Doxygen docs' file exclusions updated
818 + Added notes on HTML versus XML attribute whitespace handling
819 + Noted that HTMLPurifier_ChildDef_Custom isn't being used
820 + Noted that config object's definitions are cached versions
821 - Fixed lack of attribute parsing in HTMLPurifier_Lexer_PEARSax3
822 - ftp:// URIs now have their typecodes checked
823 - Hooked up HTMLPurifier_ChildDef_Custom's unit tests (they weren't being run)
824 . Line endings standardized throughout project (svn:eol-style standardized)
825 . Refactored parseData() to general Lexer class
826 . Tester named "HTML Purifier" not "HTMLPurifier"
828 1.1.1, released 2006-09-24
829 ! Configuration option to optionally Tidy up output for indentation to make up
830 for dropped whitespace by DOMLex (pretty-printing for the entire application
831 should be done by a page-wide Tidy)
832 - Various documentation updates
833 - Fixed parse error in configuration documentation script
834 - Fixed fatal error in benchmark scripts, slightly augmented
835 - As far as possible, whitespace is preserved in-between table children
836 - Sample test-settings.php file included
838 1.1.0, released 2006-09-16
839 ! Directive documentation generation using XSLT
840 ! XHTML can now be turned off, output becomes <br>
841 - Made URI validator more forgiving: will ignore leading and trailing
842 quotes, apostrophes and less than or greater than signs.
843 - Enforce alphanumeric namespace and directive names for configuration.
844 - Table child definition made more flexible, will fix up poorly ordered elements
845 . Renamed ConfigDef to ConfigSchema
847 1.0.1, released 2006-09-04
848 - Fixed slight bug in DOMLex attribute parsing
849 - Fixed rejection of case-insensitive configuration values when there is a
850 set of allowed values. This manifested in %Core.Encoding.
851 - Fixed rejection of inline style declarations that had lots of extra
852 space in them. This manifested in TinyMCE.
854 1.0.0, released 2006-09-01
855 ! Shorthand CSS properties implemented: font, border, background, list-style
856 ! Basic color keywords translated into hexadecimal values
857 ! Table CSS properties implemented
858 ! Support for charsets other than UTF-8 (defined by iconv)
859 ! Malformed UTF-8 and non-SGML character detection and cleaning implemented
860 - Fixed broken numeric entity conversion
861 - API documentation completed
862 . (HTML|CSS)Definition de-singleton-ized
864 1.0.0beta, released 2006-08-16
865 ! First public release, most functionality implemented. Notable omissions are:
866 + Shorthand CSS properties
867 + Table CSS properties
868 + Deprecated attribute transformations