diff options
Diffstat (limited to 'vendor/ezyang/htmlpurifier/NEWS')
| -rw-r--r-- | vendor/ezyang/htmlpurifier/NEWS | 1224 |
1 files changed, 0 insertions, 1224 deletions
diff --git a/vendor/ezyang/htmlpurifier/NEWS b/vendor/ezyang/htmlpurifier/NEWS deleted file mode 100644 index 352835012..000000000 --- a/vendor/ezyang/htmlpurifier/NEWS +++ /dev/null @@ -1,1224 +0,0 @@ -NEWS ( CHANGELOG and HISTORY ) HTMLPurifier -||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| - -= KEY ==================== - # Breaks back-compat - ! Feature - - Bugfix - + Sub-comment - . Internal change -========================== - -4.12.0, released 2019-10-27 -! PHP 7.4 is supported, thank you Witold Wasiczko, Mateuz Turcza and - Edi Modrić -- PHPDocs for HTMLModule::addElement() and Bool attr are fixed (thanks - Mateusz) - -4.11.0, released 2019-07-14 -# SafeScripting now matches case-sensitively against its whitelist (previously it was - case-insensitive.) Thanks Dimitri Gritsajuk <gritsajuk.dimitri@gmail.com> - for reporting. -! New directive %Core.AllowParseManyTags which allows parsing of many nested tags. - Thanks M. Suzuki <msuzuki1986@gmail.com> for contributing the patch. -! purifyArray now supports multidimensional arrays. Thanks - Sandro Miguel Marques <sandromiguel@sandromiguel.com> for contributing this patch. -! initial and inherit settings available for width, height, and the min-/max- - versions thereof. Thanks Michael Kliewe <info@phpgansta.de> for contributing - this patch. -! More color names are supported. Thanks Daijobou for contributing. -- Compatibility fixes for PHP 7.3, including new CI for PHP 7.3 - (thank you Lukas Neumann <lksnmnn@gmail.com>) and removal of - reserved words in our constants (thanks Darko Hrgovic <darko@darkodev.com> -- Compatibility fixes for HHVM. Thanks Mateusz Turcza for contributing - this fix. -- HTML Purifier now never defines __autoload, fixing #196. Thanks - Michael Kliewe for reporting. -- In some situations, Config.php would report an undefined index: class - error; this has been fixed. Thanks DiLong Fa for contributing - this fix. -- We no longer produce <script /> tags; we always explicitly write - out the open and close tag. Thanks Dimitri Gritsajuk - <gritsajuk.dimitri@gmail.com> for contributing this fix. -- Better compatibility when IDNA constants are not present. Thanks - Mateusz Turcza <xemlock@gmail.com> for contributing this fix. - -4.10.0, released 2018-02-22 -# PHP 5.3 is no longer officially supported by HTML Purifier - (we did not specifically break support, but we are no longer - testing on PHP 5.3) -! Relative CSS length units are now supported -- A few PHP 7.2 compatibility fixes, thanks John Flatness - <john@zerocrates.org> -- Improve portability with old versions of libxml which don't - support accessing the data of a node -- IDNA2008 is now used for converting domains to ASCII, fixing - some rather strange bugs with international domains -- Fix race condition resulting in E_WARNING when creating - directories with Serializer - -4.9.3, released 2017-06-02 -- Workaround PHP 7.1 infinite loop when opcode cache is enabled. - Thanks @Xiphin (#134, #135) -- Don't use autoloader when testing for DOMDocument. Hypothetically, - this could cause your install to start using DirectLex if you had - previously been monkeypatching in a custom, autoloaded implementation - of DOMDocument. Don't do that. Thanks @Izumi-kun (#130) - -4.9.2, released 2017-03-12 -- Fixes PHP 5.3 compatibility -- Fix breakage when decoding decimal entities. Thanks @rybakit (#129) - -4.9.1, released 2017-03-08 -! %URI.DefaultScheme can now be set to null, in which case - all relative paths are removed. -! New CSS properties: min-width, max-width, min-height, max-height (#94) -! Transparency (rgba) and hsl/hsla supported where color CSS is present. - Thanks @fxbt for contributing the patch. (#118) -- When idn_to_ascii is defined, we might accept malformed - hostnames. Apply validation to the result in such cases. -- Close directory when done in Serializer DefinitionCache (#100) -- Deleted some asserts to avoid linters from choking (#97) -- Rework Serializer cache behavior to avoid chmod'ing if possible (#32) -- Embedded semicolons in strings in CSS are now handled correctly! -- We accidentally dropped certain Unicode characters if there was - one or more invalid characters. This has been fixed, thanks - to mpyw <ryosuke_i_628@yahoo.co.jp> -- Fix for "Don't truncate upon encountering </div> when using DOMLex" - caused a regression with HTML 4.01 Strict parsing with libxml 2.9.1 - (and maybe later versions, but known OK with libxml 2.9.4). The - fix is to go about handling truncation a bit more cleverly so that - we can wrap with divs (sidestepping the bug) but slurping out the - rest of the text in case it ran off the end. (#78) -- Fix PREG_BACKTRACK_LIMIT_ERROR in HTMLPurifier_Filter_ExtractStyle. - Thanks @breathbath for contributing the report and fix (#120) -- Fix entity decoding algorithm to be more conservative about - decoding entities that are missing trailing semicolon. - To get old behavior, set %Core.LegacyEntityDecoder to true. - (#119) -- Workaround libxml bug when HTML tags are embedded inside - script tags. To disable workaround set %Core.AggressivelyRemoveScript - to false. (#83) -# By default, when a link has a target attribute associated - with it, we now also add rel="noopener" in order to - prevent the new window from being able to overwrite - the original frame. To disable this protection, - set %HTML.TargetNoopener to FALSE. - -4.9.0 was cut on Git but never properly released; when we did the -real release we decided to skip this version number. - -4.8.0, released 2016-07-16 -# By default, when a link has a target attribute associated - with it, we now also add rel="noreferrer" in order to - prevent the new window from being able to overwrite - the original frame. To disable this protection, - set %HTML.TargetNoreferrer to FALSE. -! Full PHP 7 compatibility, the test suite is ALL GO. -! %CSS.AllowDuplicates permits duplicate CSS properties. -! Support for 'tel' URIs. -! Partial support for 'border-radius' properties when %CSS.AllowProprietary is true. - The slash syntax, i.e., 'border-radius: 2em 1em 4em / 0.5em 3em' is not - yet supported. -! %Attr.ID.HTML5 turns on HTML5-style ID handling. -- alt truncation could result in malformed UTF-8 sequence. Don't - truncate. Thanks Brandon Farber for reporting. -- Linkify regex is smarter, based off of Gruber's regex. -- IDNA supported natively on PHP 5.3 and later. -- Non all-numeric top-level names (e.g., foo.1f, 1f) are now - allowed. -- Minor bounds error fix to squash a PHP 7 notice. -- Support non-/tmp temporary directories for data:// validation -- Give a better error message when a user attempts to allow - ul/ol without allowing li. -- On some versions of PHP, the Serializer DefinitionCache could - infinite loop when the directory exists but is not listable. (#49) -- Don't match for <body> inside comments with - %Core.ConvertDocumentToFragment. (#67) -- SafeObject is now less case sensitive. (#57) -- AutoFormat.RemoveEmpty.Predicate now correctly renders in - web form. (#85) - -4.7.0, released 2015-08-04 -# opacity is now considered a "tricky" CSS property rather than a - proprietary one. -! %AutoFormat.RemoveEmpty.Predicate for specifying exactly when - an element should be considered "empty" (maybe preserve if it - has attributes), and modify iframe support so that the iframe - is removed if it is missing a src attribute. Thanks meeva for - reporting. -- Don't truncate upon encountering </div> when using DOMLex. Thanks - Myrto Christina for finally convincing me to fix this. -- Update YouTube filter for new code. -- Fix parsing of rgb() values with spaces in them for 'border' - attribute. -- Don't remove foo="" attributes if foo is a boolean attribute. Thanks - valME for reporting. - -4.6.0, released 2013-11-30 -# Secure URI munge hashing algorithm has changed to hash_hmac("sha256", $url, $secret). - Please update any verification scripts you may have. -# URI parsing algorithm was made more strict, so only prefixes which - looks like schemes will actually be schemes. Thanks - Michael Gusev <mgusev@sugarcrm.com> for fixing. -# %Core.EscapeInvalidChildren is no longer supported, and no longer does - anything. -! New directive %Core.AllowHostnameUnderscore which allows underscores - in hostnames. -- Eliminate quadratic behavior in DOMLex by using a proper queue. - Thanks Ole Laursen for noticing this. -- Rewritten MakeWellFormed/FixNesting implementation eliminates quadratic - behavior in the rest of the purificaiton pipeline. Thanks Chedburn - Networks for sponsoring this work. -- Made Linkify URL parser a bit less permissive, so that non-breaking - spaces and commas are not included as part of URL. Thanks nAS for fixing. -- Fix some bad interactions with %HTML.Allowed and injectors. Thanks - David Hirtz for reporting. -- Fix infinite loop in DirectLex. Thanks Ashar Javed (@soaj1664ashar) - for reporting. - -4.5.0, released 2013-02-17 -# Fix bug where stacked attribute transforms clobber each other; - this also means it's no longer possible to override attribute - transforms in later modules. No internal code was using this - but this may break some clients. -# We now use SHA-1 to identify cached definitions, instead of MD5. -! Support display:inline-block -! Support for more white-space CSS values. -! Permit underscores in font families -! Support for page-break-* CSS3 properties when proprietary properties - are enabled. -! New directive %Core.DisableExcludes; can be set to 'true' to turn off - SGML excludes checking. If HTML Purifier is removing too much text - and you don't care about full standards compliance, try setting this to - 'true'. -- Use prepend for SPL autoloading on PHP 5.3 and later. -- Fix bug with nofollow transform when pre-existing rel exists. -- Fix bug where background:url() always gets lower-cased - (but not background-image:url()) -- Fix bug with non lower-case color names in HTML -- Fix bug where data URI validation doesn't remove temporary files. - Thanks Javier Marín Ros <javiermarinros@gmail.com> for reporting. -- Don't remove certain empty tags on RemoveEmpty. - -4.4.0, released 2012-01-18 -# Removed PEARSax3 handler. -# URI.Munge now munges URIs inside the same host that go from https - to http. Reported by Neike Taika-Tessaro. -# Core.EscapeNonASCIICharacters now always transforms entities to - entities, even if target encoding is UTF-8. -# Tighten up selector validation in ExtractStyleBlocks. - Non-syntactically valid selectors are now rejected, along with - some of the more obscure ones such as attribute selectors, the - :lang pseudoselector, and anything not in CSS2.1. Furthermore, - ID and class selectors now work properly with the relevant - configuration attributes. Also, mute errors when parsing CSS - with CSS Tidy. Reported by Mario Heiderich and Norman Hippert. -! Added support for 'scope' attribute on tables. -! Added %HTML.TargetBlank, which adds target="blank" to all outgoing links. -! Properly handle sub-lists directly nested inside of lists in - a standards compliant way, by moving them into the preceding <li> -! Added %HTML.AllowedComments and %HTML.AllowedCommentsRegexp for - limited allowed comments in untrusted situations. -! Implement iframes, and allow them to be used in untrusted mode with - %HTML.SafeIframe and %URI.SafeIframeRegexp. Thanks Bradley M. Froehle - <brad.froehle@gmail.com> for submitting an initial version of the patch. -! The Forms module now works properly for transitional doctypes. -! Added support for internationalized domain names. You need the PEAR - Net_IDNA2 module to be in your path; if it is installed, ensure the - class can be loaded and then set %Core.EnableIDNA to true. -- Color keywords are now case insensitive. Thanks Yzmir Ramirez - <yramirez-htmlpurifier@adicio.com> for reporting. -- Explicitly initialize anonModule variable to null. -- Do not duplicate nofollow if already present. Thanks 178 - for reporting. -- Do not add nofollow if hostname matches our current host. Thanks 178 - for reporting, and Neike Taika-Tessaro for helping diagnose. -- Do not unset parser variable; this fixes intermittent serialization - problems. Thanks Neike Taika-Tessaro for reporting, bill - <10010tiger@gmail.com> for diagnosing. -- Fix iconv truncation bug, where non-UTF-8 target encodings see - output truncated after around 8000 characters. Thanks Jörg Ludwig - <joerg.ludwig@iserv.eu> for reporting. -- Fix broken table content model for XHTML1.1 (and also earlier - versions, although the W3C validator doesn't catch those violations). - Thanks GlitchMr <glitch.mr@gmail.com> for reporting. - -4.3.0, released 2011-03-27 -# Fixed broken caching of customized raw definitions, but requires an - API change. The old API still works but will emit a warning, - see http://htmlpurifier.org/docs/enduser-customize.html#optimized - for how to upgrade your code. -# Protect against Internet Explorer innerHTML behavior by specially - treating attributes with backticks but no angled brackets, quotes or - spaces. This constitutes a slight semantic change, which can be - reverted using %Output.FixInnerHTML. Reported by Neike Taika-Tessaro - and Mario Heiderich. -# Protect against cssText/innerHTML by restricting allowed characters - used in fonts further than mandated by the specification and encoding - some extra special characters in URLs. Reported by Neike - Taika-Tessaro and Mario Heiderich. -! Added %HTML.Nofollow to add rel="nofollow" to external links. -! More types of SPL autoloaders allowed on later versions of PHP. -! Implementations for position, top, left, right, bottom, z-index - when %CSS.Trusted is on. -! Add %Cache.SerializerPermissions option for custom serializer - directory/file permissions -! Fix longstanding bug in Flash support for non-IE browsers, and - allow more wmode attributes. -! Add %CSS.AllowedFonts to restrict permissible font names. -- Switch to an iterative traversal of the DOM, which prevents us - from running out of stack space for deeply nested documents. - Thanks Maxim Krizhanovsky for contributing a patch. -- Make removal of conditional IE comments ungreedy; thanks Bernd - for reporting. -- Escape CDATA before removing Internet Explorer comments. -- Fix removal of id attributes under certain conditions by ensuring - armor attributes are preserved when recreating tags. -- Check if schema.ser was corrupted. -- Check if zend.ze1_compatibility_mode is on, and error out if it is. - This safety check is only done for HTMLPurifier.auto.php; if you - are using standalone or the specialized includes files, you're - expected to know what you're doing. -- Stop repeatedly writing the cache file after I'm done customizing a - raw definition. Reported by ajh. -- Switch to using require_once in the Bootstrap to work around bad - interaction with Zend Debugger and APC. Reported by Antonio Parraga. -- Fix URI handling when hostname is missing but scheme is present. - Reported by Neike Taika-Tessaro. -- Fix missing numeric entities on DirectLex; thanks Neike Taika-Tessaro - for reporting. -- Fix harmless notice from indexing into empty string. Thanks Matthijs - Kooijman <matthijs@stdin.nl> for reporting. -- Don't autoclose no parent elements are able to support the element - that triggered the autoclose. In particular fixes strange behavior - of stray <li> tags. Thanks pkuliga@gmail.com for reporting and - Neike Taika-Tessaro <pinkgothic@gmail.com> for debugging assistance. - -4.2.0, released 2010-09-15 -! Added %Core.RemoveProcessingInstructions, which lets you remove - <? ... ?> statements. -! Added %URI.DisableResources functionality; the directive originally - did nothing. Thanks David Rothstein for reporting. -! Add documentation about configuration directive types. -! Add %CSS.ForbiddenProperties configuration directive. -! Add %HTML.FlashAllowFullScreen to permit embedded Flash objects - to utilize full-screen mode. -! Add optional support for the <code>file</code> URI scheme, enable - by explicitly setting %URI.AllowedSchemes. -! Add %Core.NormalizeNewlines options to allow turning off newline - normalization. -- Fix improper handling of Internet Explorer conditional comments - by parser. Thanks zmonteca for reporting. -- Fix missing attributes bug when running on Mac Snow Leopard and APC. - Thanks sidepodcast for the fix. -- Warn if an element is allowed, but an attribute it requires is - not allowed. - -4.1.1, released 2010-05-31 -- Fix undefined index warnings in maintenance scripts. -- Fix bug in DirectLex for parsing elements with a single attribute - with entities. -- Rewrite CSS output logic for font-family and url(). Thanks Mario - Heiderich <mario.heiderich@googlemail.com> for reporting and Takeshi - Terada <t-terada@violet.plala.or.jp> for suggesting the fix. -- Emit an error for CollectErrors if a body is extracted -- Fix bug where in background-position for center keyword handling. -- Fix infinite loop when a wrapper element is inserted in a context - where it's not allowed. Thanks Lars <lars@renoz.dk> for reporting. -- Remove +x bit and shebang from index.php; only supported mode is to - explicitly call it with php. -- Make test script less chatty when log_errors is on. - -4.1.0, released 2010-04-26 -! Support proprietary height attribute on table element -! Support YouTube slideshows that contain /cp/ in their URL. -! Support for data: URI scheme; not enabled by default, add it using - %URI.AllowedSchemes -! Support flashvars when using %HTML.SafeObject and %HTML.SafeEmbed. -! Support for Internet Explorer compatibility with %HTML.SafeObject - using %Output.FlashCompat. -! Handle <ol><ol> properly, by inserting the necessary <li> tag. -- Always quote the insides of url(...) in CSS. - -4.0.0, released 2009-07-07 -# APIs for ConfigSchema subsystem have substantially changed. See - docs/dev-config-bcbreaks.txt for details; in essence, anything that - had both namespace and directive now have a single unified key. -# Some configuration directives were renamed, specifically: - %AutoFormatParam.PurifierLinkifyDocURL -> %AutoFormat.PurifierLinkify.DocURL - %FilterParam.ExtractStyleBlocksEscaping -> %Filter.ExtractStyleBlocks.Escaping - %FilterParam.ExtractStyleBlocksScope -> %Filter.ExtractStyleBlocks.Scope - %FilterParam.ExtractStyleBlocksTidyImpl -> %Filter.ExtractStyleBlocks.TidyImpl - As usual, the old directive names will still work, but will throw E_NOTICE - errors. -# The allowed values for class have been relaxed to allow all of CDATA for - doctypes that are not XHTML 1.1 or XHTML 2.0. For old behavior, set - %Attr.ClassUseCDATA to false. -# Instead of appending the content model to an old content model, a blank - element will replace the old content model. You can use #SUPER to get - the old content model. -! More robust support for name="" and id="" -! HTMLPurifier_Config::inherit($config) allows you to inherit one - configuration, and have changes to that configuration be propagated - to all of its children. -! Implement %HTML.Attr.Name.UseCDATA, which relaxes validation rules on - the name attribute when set. Use with care. Thanks Ian Cook for - sponsoring. -! Implement %AutoFormat.RemoveEmpty.RemoveNbsp, which removes empty - tags that contain non-breaking spaces as well other whitespace. You - can also modify which tags should have maintained with - %AutoFormat.RemoveEmpty.RemoveNbsp.Exceptions. -! Implement %Attr.AllowedClasses, which allows administrators to restrict - classes users can use to a specified finite set of classes, and - %Attr.ForbiddenClasses, which is the logical inverse. -! You can now maintain your own configuration schema directories by - creating a config-schema.php file or passing an extra argument. Check - docs/dev-config-schema.html for more details. -! Added HTMLPurifier_Config->serialize() method, which lets you save away - your configuration in a compact serial file, which you can unserialize - and use directly without having to go through the overhead of setup. -- Fix bug where URIDefinition would not get cleared if it's directives got - changed. -- Fix fatal error in HTMLPurifier_Encoder on certain platforms (probably NetBSD 5.0) -- Fix bug in Linkify autoformatter involving <a><span>http://foo</span></a> -- Make %URI.Munge not apply to links that have the same host as your host. -- Prevent stray </body> tag from truncating output, if a second </body> - is present. -. Created script maintenance/rename-config.php for renaming a configuration - directive while maintaining its alias. This script does not change source code. -. Implement namespace locking for definition construction, to prevent - bugs where a directive is used for definition construction but is not - used to construct the cache hash. - -3.3.0, released 2009-02-16 -! Implement CSS property 'overflow' when %CSS.AllowTricky is true. -! Implement generic property list classess -- Fix bug with testEncodingSupportsASCII() algorithm when iconv() implementation - does not do the "right thing" with characters not supported in the output - set. -- Spellcheck UTF-8: The Secret To Character Encoding -- Fix improper removal of the contents of elements with only whitespace. Thanks - Eric Wald for reporting. -- Fix broken test suite in versions of PHP without spl_autoload_register() -- Fix degenerate case with YouTube filter involving double hyphens. - Thanks Pierre Attar for reporting. -- Fix YouTube rendering problem on certain versions of Firefox. -- Fix CSSDefinition Printer problems with decorators -- Add text parameter to unit tests, forces text output -. Add verbose mode to command line test runner, use (--verbose) -. Turn on unit tests for UnitConverter -. Fix missing version number in configuration %Attr.DefaultImageAlt (added 3.2.0) -. Fix newline errors that caused spurious failures when CRLF HTML Purifier was - tested on Linux. -. Removed trailing whitespace from all text files, see - remote-trailing-whitespace.php maintenance script. -. Convert configuration to use property list backend. - -3.2.0, released 2008-10-31 -# Using %Core.CollectErrors forces line number/column tracking on, whereas - previously you could theoretically turn it off. -# HTMLPurifier_Injector->notifyEnd() is formally deprecated. Please - use handleEnd() instead. -! %Output.AttrSort for when you need your attributes in alphabetical order to - deal with a bug in FCKEditor. Requested by frank farmer. -! Enable HTML comments when %HTML.Trusted is on. Requested by Waldo Jaquith. -! Proper support for name attribute. It is now allowed and equivalent to the id - attribute in a and img tags, and is only converted to id when %HTML.TidyLevel - is heavy (for all doctypes). -! %AutoFormat.RemoveEmpty to remove some empty tags from documents. Please don't - use on hand-written HTML. -! Add error-cases for unsupported elements in MakeWellFormed. This enables - the strategy to be used, standalone, on untrusted input. -! %Core.AggressivelyFixLt is on by default. This causes more sensible - processing of left angled brackets in smileys and other whatnot. -! Test scripts now have a 'type' parameter, which lets you say 'htmlpurifier', - 'phpt', 'vtest', etc. in order to only execute those tests. This supercedes - the --only-phpt parameter, although for backwards-compatibility the flag - will still work. -! AutoParagraph auto-formatter will now preserve double-newlines upon output. - Users who are not performing inbound filtering, this may seem a little - useless, but as a bonus, the test suite and handling of edge cases is also - improved. -! Experimental implementation of forms for %HTML.Trusted -! Track column numbers when maintain line numbers is on -! Proprietary 'background' attribute on table-related elements converted into - corresponding CSS. Thanks Fusemail for sponsoring this feature! -! Add forward(), forwardUntilEndToken(), backward() and current() to Injector - supertype. -! HTMLPurifier_Injector->handleEnd() permits modification to end tokens. The - time of operation varies slightly from notifyEnd() as *all* end tokens are - processed by the injector before they are subject to the well-formedness rules. -! %Attr.DefaultImageAlt allows overriding default behavior of setting alt to - basename of image when not present. -! %AutoFormat.DisplayLinkURI neuters <a> tags into plain text URLs. -- Fix two bugs in %URI.MakeAbsolute; one involving empty paths in base URLs, - the other involving an undefined $is_folder error. -- Throw error when %Core.Encoding is set to a spurious value. Previously, - this errored silently and returned false. -- Redirected stderr to stdout for flush error output. -- %URI.DisableExternal will now use the host in %URI.Base if %URI.Host is not - available. -- Do not re-munge URL if the output URL has the same host as the input URL. - Requested by Chris. -- Fix error in documentation regarding %Filter.ExtractStyleBlocks -- Prevent <![CDATA[<body></body>]]> from triggering %Core.ConvertDocumentToFragment -- Fix bug with inline elements in blockquotes conflicting with strict doctype -- Detect if HTML support is disabled for DOM by checking for loadHTML() method. -- Fix bug where dots and double-dots in absolute URLs without hostname were - not collapsed by URIFilter_MakeAbsolute. -- Fix bug with anonymous modules operating on SafeEmbed or SafeObject elements - by reordering their addition. -- Will now throw exception on many error conditions during lexer creation; also - throw an exception when MaintainLineNumbers is true, but a non-tracksLineNumbers - is being used. -- Detect if domxml extension is loaded, and use DirectLEx accordingly. -- Improve handling of big numbers with floating point arithmetic in UnitConverter. - Reported by David Morton. -. Strategy_MakeWellFormed now operates in-place, saving memory and allowing - for more interesting filter-backtracking -. New HTMLPurifier_Injector->rewind() functionality, allows injectors to rewind - index to reprocess tokens. -. StringHashParser now allows for multiline sections with "empty" content; - previously the section would remain undefined. -. Added --quick option to multitest.php, which tests only the most recent - release for each series. -. Added --distro option to multitest.php, which accepts either 'normal' or - 'standalone'. This supercedes --exclude-normal and --exclude-standalone - -3.1.1, released 2008-06-19 -# %URI.Munge now, by default, does not munge resources (for example, <img src="">) - In order to enable this again, please set %URI.MungeResources to true. -! More robust imagecrash protection with height/width CSS with %CSS.MaxImgLength, - and height/width HTML with %HTML.MaxImgLength. -! %URI.MungeSecretKey for secure URI munging. Thanks Chris - for sponsoring this feature. Check out the corresponding documentation - for details. (Att Nightly testers: The API for this feature changed before - the general release. Namely, rename your directives %URI.SecureMungeSecretKey => - %URI.MungeSecretKey and and %URI.SecureMunge => %URI.Munge) -! Implemented post URI filtering. Set member variable $post to true to set - a URIFilter as such. -! Allow modules to define injectors via $info_injector. Injectors are - automatically disabled if injector's needed elements are not found. -! Support for "safe" objects added, use %HTML.SafeObject and %HTML.SafeEmbed. - Thanks Chris for sponsoring. If you've been using ad hoc code from the - forums, PLEASE use this instead. -! Added substitutions for %e, %n, %a and %p in %URI.Munge (in order, - embedded, tag name, attribute name, CSS property name). See %URI.Munge - for more details. Requested by Jochem Blok. -- Disable percent height/width attributes for img. -- AttrValidator operations are now atomic; updates to attributes are not - manifest in token until end of operations. This prevents naughty internal - code from directly modifying CurrentToken when they're not supposed to. - This semantics change was requested by frank farmer. -- Percent encoding checks enabled for URI query and fragment -- Fix stray backslashes in font-family; CSS Unicode character escapes are - now properly resolved (although *only* in font-family). Thanks Takeshi Terada - for reporting. -- Improve parseCDATA algorithm to take into account newline normalization -- Account for browser confusion between Yen character and backslash in - Shift_JIS encoding. This fix generalizes to any other encoding which is not - a strict superset of printable ASCII. Thanks Takeshi Terada for reporting. -- Fix missing configuration parameter in Generator calls. Thanks vs for the - partial patch. -- Improved adherence to Unicode by checking for non-character codepoints. - Thanks Geoffrey Sneddon for reporting. This may result in degraded - performance for extremely large inputs. -- Allow CSS property-value pair ''text-decoration: none''. Thanks Jochem Blok - for reporting. -. Added HTMLPurifier_UnitConverter and HTMLPurifier_Length for convenient - handling of CSS-style lengths. HTMLPurifier_AttrDef_CSS_Length now uses - this class. -. API of HTMLPurifier_AttrDef_CSS_Length changed from __construct($disable_negative) - to __construct($min, $max). __construct(true) is equivalent to - __construct('0'). -. Added HTMLPurifier_AttrDef_Switch class -. Rename HTMLPurifier_HTMLModule_Tidy->construct() to setup() and bubble method - up inheritance hierarchy to HTMLPurifier_HTMLModule. All HTMLModules - get this called with the configuration object. All modules now - use this rather than __construct(), although legacy code using constructors - will still work--the new format, however, lets modules access the - configuration object for HTML namespace dependant tweaks. -. AttrDef_HTML_Pixels now takes a single construction parameter, pixels. -. ConfigSchema data-structure heavily optimized; on average it uses a third - the memory it did previously. The interface has changed accordingly, - consult changes to HTMLPurifier_Config for details. -. Variable parsing types now are magic integers instead of strings -. Added benchmark for ConfigSchema -. HTMLPurifier_Generator requires $config and $context parameters. If you - don't know what they should be, use HTMLPurifier_Config::createDefault() - and new HTMLPurifier_Context(). -. Printers now properly distinguish between output configuration, and - target configuration. This is not applicable to scripts using - the Printers for HTML Purifier related tasks. -. HTML/CSS Printers must be primed with prepareGenerator($gen_config), otherwise - fatal errors will ensue. -. URIFilter->prepare can return false in order to abort loading of the filter -. Factory for AttrDef_URI implemented, URI#embedded to indicate URI that embeds - an external resource. -. %URI.Munge functionality factored out into a post-filter class. -. Added CurrentCSSProperty context variable during CSS validation - -3.1.0, released 2008-05-18 -# Unnecessary references to objects (vestiges of PHP4) removed from method - signatures. The following methods do not need references when assigning from - them and will result in E_STRICT errors if you try: - + HTMLPurifier_Config->get*Definition() [* = HTML, CSS] - + HTMLPurifier_ConfigSchema::instance() - + HTMLPurifier_DefinitionCacheFactory::instance() - + HTMLPurifier_DefinitionCacheFactory->create() - + HTMLPurifier_DoctypeRegistry->register() - + HTMLPurifier_DoctypeRegistry->get() - + HTMLPurifier_HTMLModule->addElement() - + HTMLPurifier_HTMLModule->addBlankElement() - + HTMLPurifier_LanguageFactory::instance() -# Printer_ConfigForm's get*() functions were static-ified -# %HTML.ForbiddenAttributes requires attribute declarations to be in the - form of tag@attr, NOT tag.attr (which will throw an error and won't do - anything). This is for forwards compatibility with XML; you'd do best - to migrate an %HTML.AllowedAttributes directives to this syntax too. -! Allow index to be false for config from form creation -! Added HTMLPurifier::VERSION constant -! Commas, not dashes, used for serializer IDs. This change is forwards-compatible - and allows for version numbers like "3.1.0-dev". -! %HTML.Allowed deals gracefully with whitespace anywhere, anytime! -! HTML Purifier's URI handling is a lot more robust, with much stricter - validation checks and better percent encoding handling. Thanks Gareth Heyes - for indicating security vulnerabilities from lax percent encoding. -! Bootstrap autoloader deals more robustly with classes that don't exist, - preventing class_exists($class, true) from barfing. -- InterchangeBuilder now alphabetizes its lists -- Validation error in configdoc output fixed -- Iconv and other encoding errors muted even with custom error handlers that - do not honor error_reporting -- Add protection against imagecrash attack with CSS height/width -- HTMLPurifier::instance() created for consistency, is equivalent to getInstance() -- Fixed and revamped broken ConfigForm smoketest -- Bug with bool/null fields in Printer_ConfigForm fixed -- Bug with global forbidden attributes fixed -- Improved error messages for allowed and forbidden HTML elements and attributes -- Missing (or null) in configdoc documentation restored -- If DOM throws and exception during parsing with PH5P (occurs in newer versions - of DOM), HTML Purifier punts to DirectLex -- Fatal error with unserialization of ScriptRequired -- Created directories are now chmod'ed properly -- Fixed bug with fallback languages in LanguageFactory -- Standalone testing setup properly with autoload -. Out-of-date documentation revised -. UTF-8 encoding check optimization as suggested by Diego -. HTMLPurifier_Error removed in favor of exceptions -. More copy() function removed; should use clone instead -. More extensive unit tests for HTMLDefinition -. assertPurification moved to central harness -. HTMLPurifier_Generator accepts $config and $context parameters during - instantiation, not runtime -. Double-quotes outside of attribute values are now unescaped - -3.1.0rc1, released 2008-04-22 -# Autoload support added. Internal require_once's removed in favor of an - explicit require list or autoloading. To use HTML Purifier, - you must now either use HTMLPurifier.auto.php - or HTMLPurifier.includes.php; setting the include path and including - HTMLPurifier.php is insufficient--in such cases include HTMLPurifier.autoload.php - as well to register our autoload handler (or modify your autoload function - to check HTMLPurifier_Bootstrap::getPath($class)). You can also use - HTMLPurifier.safe-includes.php for a less performance friendly but more - user-friendly library load. -# HTMLPurifier_ConfigSchema static functions are officially deprecated. Schema - information is stored in the ConfigSchema directory, and the - maintenance/generate-schema-cache.php generates the schema.ser file, which - is now instantiated. Support for userland schema changes coming soon! -# HTMLPurifier_Config will now throw E_USER_NOTICE when you use a directive - alias; to get rid of these errors just modify your configuration to use - the new directive name. -# HTMLPurifier->addFilter is deprecated; built-in filters can now be - enabled using %Filter.$filter_name or by setting your own filters using - %Filter.Custom -# Directive-level safety properties superceded in favor of module-level - safety. Internal method HTMLModule->addElement() has changed, although - the externally visible HTMLDefinition->addElement has *not* changed. -! Extra utility classes for testing and non-library operations can - be found in extras/. Specifically, these are FSTools and ConfigDoc. - You may find a use for these in your own project, but right now they - are highly experimental and volatile. -! Integration with PHPT allows for automated smoketests -! Limited support for proprietary HTML elements, namely <marquee>, sponsored - by Chris. You can enable them with %HTML.Proprietary if your client - demands them. -! Support for !important CSS cascade modifier. By default, this will be stripped - from CSS, but you can enable it using %CSS.AllowImportant -! Support for display and visibility CSS properties added, set %CSS.AllowTricky - to true to use them. -! HTML Purifier now has its own Exception hierarchy under HTMLPurifier_Exception. - Developer error (not enduser error) can cause these to be triggered. -! Experimental kses() wrapper introduced with HTMLPurifier.kses.php -! Finally %CSS.AllowedProperties for tweaking allowed CSS properties without - mucking around with HTMLPurifier_CSSDefinition -! ConfigDoc output has been enhanced with version and deprecation info. -! %HTML.ForbiddenAttributes and %HTML.ForbiddenElements implemented. -- Autoclose now operates iteratively, i.e. <span><span><div> now has - both span tags closed. -- Various HTMLPurifier_Config convenience functions now accept another parameter - $schema which defines what HTMLPurifier_ConfigSchema to use besides the - global default. -- Fix bug with trusted script handling in libxml versions later than 2.6.28. -- Fix bug in ExtractStyleBlocks with comments in style tags -- Fix bug in comment parsing for DirectLex -- Flush output now displayed when in command line mode for unit tester -- Fix bug with rgb(0, 1, 2) color syntax with spaces inside shorthand syntax -- HTMLPurifier_HTMLDefinition->addAttribute can now be called multiple times - on the same element without emitting errors. -- Fixed fatal error in PH5P lexer with invalid tag names -. Plugins now get their own changelogs according to project conventions. -. Convert tokens to use instanceof, reducing memory footprint and - improving comparison speed. -. Dry runs now supported in SimpleTest; testing facilities improved -. Bootstrap class added for handling autoloading functionality -. Implemented recursive glob at FSTools->globr -. ConfigSchema now has instance methods for all corresponding define* - static methods. -. A couple of new historical maintenance scripts were added. -. HTMLPurifier/HTMLModule/Tidy/XHTMLAndHTML4.php split into two files -. tests/index.php can now be run from any directory. -. HTMLPurifier_Token subclasses split into seperate files -. HTMLPURIFIER_PREFIX now is defined in Bootstrap.php, NOT HTMLPurifier.php -. HTMLPURIFIER_PREFIX can now be defined outside of HTML Purifier -. New --php=php flag added, allows PHP executable to be specified (command - line only!) -. htmlpurifier_add_test() preferred method to translate test files in to - classes, because it handles PHPT files too. -. Debugger class is deprecated and will be removed soon. -. Command line argument parsing for testing scripts revamped, now --opt value - format is supported. -. Smoketests now cleanup after magic quotes -. Generator now can output comments (however, comments are still stripped - from HTML Purifier output) -. HTMLPurifier_ConfigSchema->validate() deprecated in favor of - HTMLPurifier_VarParser->parse() -. Integers auto-cast into float type by VarParser. -. HTMLPURIFIER_STRICT removed; no validation is performed on runtime, only - during cache generation -. Reordered script calls in maintenance/flush.php -. Command line scripts now honor exit codes -. When --flush fails in unit testers, abort tests and print message -. Improved documentation in docs/dev-flush.html about the maintenance scripts -. copy() methods removed in favor of clone keyword - -3.0.0, released 2008-01-06 -# HTML Purifier is PHP 5 only! The 2.1.x branch will be maintained - until PHP 4 is completely deprecated, but no new features will be added - to it. - + Visibility declarations added - + Constructor methods renamed to __construct() - + PHP4 reference cruft removed (in progress) -! CSS properties are now case-insensitive -! DefinitionCacheFactory now can register new implementations -! New HTMLPurifier_Filter_ExtractStyleBlocks for extracting <style> from - documents and cleaning their contents up. Requires the CSSTidy library - <http://csstidy.sourceforge.net/>. You can access the blocks with the - 'StyleBlocks' Context variable ($purifier->context->get('StyleBlocks')). - The output CSS can also be "scoped" for a specific element, use: - %Filter.ExtractStyleBlocksScope -! Experimental support for some proprietary CSS attributes allowed: - opacity (and all of the browser-specific equivalents) and scrollbar colors. - Enable by setting %CSS.Proprietary to true. -- Colors missing # but in hex form will be corrected -- CSS Number algorithm improved -- Unit testing and multi-testing now on steroids: command lines, - XML output, and other goodies now added. -. Unit tests for Injector improved -. New classes: - + HTMLPurifier_AttrDef_CSS_AlphaValue - + HTMLPurifier_AttrDef_CSS_Filter -. Multitest now has a file docblock - -2.1.3, released 2007-11-05 -! tests/multitest.php allows you to test multiple versions by running - tests/index.php through multiple interpreters using `phpv` shell - script (you must provide this script!) -- Fixed poor include ordering for Email URI AttrDefs, causes fatal errors - on some systems. -- Injector algorithm further refined: off-by-one error regarding skip - counts for dormant injectors fixed -- Corrective blockquote definition now enabled for HTML 4.01 Strict -- Fatal error when <img> tag (or any other element with required attributes) - has 'id' attribute fixed, thanks NykO18 for reporting -- Fix warning emitted when a non-supported URI scheme is passed to the - MakeAbsolute URIFilter, thanks NykO18 (again) -- Further refine AutoParagraph injector. Behavior inside of elements - allowing paragraph tags clarified: only inline content delimeted by - double newlines (not block elements) are paragraphed. -- Buggy treatment of end tags of elements that have required attributes - fixed (does not manifest on default tag-set) -- Spurious internal content reorganization error suppressed -- HTMLDefinition->addElement now returns a reference to the created - element object, as implied by the documentation -- Phorum mod's HTML Purifier help message expanded (unreleased elsewhere) -- Fix a theoretical class of infinite loops from DirectLex reported - by Nate Abele -- Work around unnecessary DOMElement type-cast in PH5P that caused errors - in PHP 5.1 -- Work around PHP 4 SimpleTest lack-of-error complaining for one-time-only - HTMLDefinition errors, this may indicate problems with error-collecting - facilities in PHP 5 -- Make ErrorCollectorEMock work in both PHP 4 and PHP 5 -- Make PH5P work with PHP 5.0 by removing unnecessary array parameter typedef -. %Core.AcceptFullDocuments renamed to %Core.ConvertDocumentToFragment - to better communicate its purpose -. Error unit tests can now specify the expectation of no errors. Future - iterations of the harness will be extremely strict about what errors - are allowed -. Extend Injector hooks to allow for more powerful injector routines -. HTMLDefinition->addBlankElement created, as according to the HTMLModule - method -. Doxygen configuration file updated, with minor improvements -. Test runner now checks for similarly named files in conf/ directory too. -. Minor cosmetic change to flush-definition-cache.php: trailing newline is - outputted -. Maintenance script for generating PH5P patch added, original PH5P source - file also added under version control -. Full unit test runner script title made more descriptive with PHP version -. Updated INSTALL file to state that 4.3.7 is the earliest version we - are actively testing - -2.1.2, released 2007-09-03 -! Implemented Object module for trusted users -! Implemented experimental HTML5 parsing mode using PH5P. To use, add - this to your code: - require_once 'HTMLPurifier/Lexer/PH5P.php'; - $config->set('Core', 'LexerImpl', 'PH5P'); - Note that this Lexer introduces some classes not in the HTMLPurifier - namespace. Also, this is PHP5 only. -! CSS property border-spacing implemented -- Fix non-visible parsing error in DirectLex with empty tags that have - slashes inside attribute values. -- Fix typo in CSS definition: border-collapse:seperate; was incorrectly - accepted as valid CSS. Usually non-visible, because this styling is the - default for tables in most browsers. Thanks Brett Zamir for pointing - this out. -- Fix validation errors in configuration form -- Hammer out a bunch of edge-case bugs in the standalone distribution -- Inclusion reflection removed from URISchemeRegistry; you must manually - include any new schema files you wish to use -- Numerous typo fixes in documentation thanks to Brett Zamir -. Unit test refactoring for one logical test per test function -. Config and context parameters in ComplexHarness deprecated: instead, edit - the $config and $context member variables -. HTML wrapper in DOMLex now takes DTD identifiers into account; doesn't - really make a difference, but is good for completeness sake -. merge-library.php script refactored for greater code reusability and - PHP4 compatibility - -2.1.1, released 2007-08-04 -- Fix show-stopper bug in %URI.MakeAbsolute functionality -- Fix PHP4 syntax error in standalone version -. Add prefix directory to include path for standalone, this prevents - other installations from clobbering the standalone's URI schemes -. Single test methods can be invoked by prefixing with __only - -2.1.0, released 2007-08-02 -# flush-htmldefinition-cache.php superseded in favor of a generic - flush-definition-cache.php script, you can clear a specific cache - by passing its name as a parameter to the script -! Phorum mod implemented for HTML Purifier -! With %Core.AggressivelyFixLt, <3 and similar emoticons no longer - trigger HTML removal in PHP5 (DOMLex). This directive is not necessary - for PHP4 (DirectLex). -! Standalone file now available, which greatly reduces the amount of - includes (although there are still a few files that reside in the - standalone folder) -! Relative URIs can now be transformed into their absolute equivalents - using %URI.Base and %URI.MakeAbsolute -! Ruby implemented for XHTML 1.1 -! You can now define custom URI filtering behavior, see enduser-uri-filter.html - for more details -! UTF-8 font names now supported in CSS -- AutoFormatters emit friendly error messages if tags or attributes they - need are not allowed -- ConfigForm's compactification of directive names is now configurable -- AutoParagraph autoformatter algorithm refined after field-testing -- XHTML 1.1 now applies XHTML 1.0 Strict cleanup routines, namely - blockquote wrapping -- Contents of <style> tags removed by default when tags are removed -. HTMLPurifier_Config->getSerial() implemented, this is extremely useful - for output cache invalidation -. ConfigForm printer now can retrieve CSS and JS files as strings, in - case HTML Purifier's directory is not publically accessible -. Introduce new text/itext configuration directive values: these represent - longer strings that would be more appropriately edited with a textarea -. Allow newlines to act as separators for lists, hashes, lookups and - %HTML.Allowed -. ConfigForm generates textareas instead of text inputs for lists, hashes, - lookups, text and itext fields -. Hidden element content removal genericized: %Core.HiddenElements can - be used to customize this behavior, by default <script> and <style> are - hidden -. Added HTMLPURIFIER_PREFIX constant, should be used instead of dirname(__FILE__) -. Custom ChildDef added to default include list -. URIScheme reflection improved: will not attempt to include file if class - already exists. May clobber autoload, so I need to keep an eye on it -. ConfigSchema heavily optimized, will only collect information and validate - definitions when HTMLPURIFIER_SCHEMA_STRICT is true. -. AttrDef_URI unit tests and implementation refactored -. benchmarks/ directory now protected from public view with .htaccess file; - run the tests via command line -. URI scheme is munged off if there is no authority and the scheme is the - default one -. All unit tests inherit from HTMLPurifier_Harness, not UnitTestCase -. Interface for URIScheme changed -. Generic URI object to hold components of URI added, most systems involved - in URI validation have been migrated to use it -. Custom filtering for URIs factored out to URIDefinition interface for - maximum extensibility - -2.0.1, released 2007-06-27 -! Tag auto-closing now based on a ChildDef heuristic rather than a - manually set auto_close array; some behavior may change -! Experimental AutoFormat functionality added: auto-paragraph and - linkify your HTML input by setting %AutoFormat.AutoParagraph and - %AutoFormat.Linkify to true -! Newlines normalized internally, and then converted back to the - value of PHP_EOL. If this is not desired, set your newline format - using %Output.Newline. -! Beta error collection, messages are implemented for the most generic - cases involving Lexing or Strategies -- Clean up special case code for <script> tags -- Reorder includes for DefinitionCache decorators, fixes a possible - missing class error -- Fixed bug where manually modified definitions were not saved via cache - (mostly harmless, except for the fact that it would be a little slower) -- Configuration objects with different serials do not clobber each - others when revision numbers are unequal -- Improve Serializer DefinitionCache directory permissions checks -- DefinitionCache no longer throws errors when it encounters old - serial files that do not conform to the current style -- Stray xmlns attributes removed from configuration documentation -- configForm.php smoketest no longer has XSS vulnerability due to - unescaped print_r output -- Printer adheres to configuration's directives on output format -- Fix improperly named form field in ConfigForm printer -. Rewire some test-cases to swallow errors rather than expect them -. HTMLDefinition printer updated with some of the new attributes -. DefinitionCache keys reordered to reflect precedence: version number, - hash, then revision number -. %Core.DefinitionCache renamed to %Cache.DefinitionImpl -. Interlinking in configuration documentation added using - Injector_PurifierLinkify -. Directives now keep track of aliases to themselves -. Error collector now requires a severity to be passed, use PHP's internal - error constants for this -. HTMLPurifier_Config::getAllowedDirectivesForForm implemented, allows - much easier selective embedding of configuration values -. Doctype objects now accept public and system DTD identifiers -. %HTML.Doctype is now constrained by specific values, to specify a custom - doctype use new %HTML.CustomDoctype -. ConfigForm truncates long directives to keep the form small, and does - not re-output namespaces - -2.0.0, released 2007-06-20 -# Completely refactored HTMLModuleManager, decentralizing safety - information -# Transform modules changed to Tidy modules, which offer more flexibility - and better modularization -# Configuration object now finalizes itself when a read operation is - performed on it, ensuring that its internal state stays consistent. - To revert this behavior, you can set the $autoFinalize member variable - off, but it's not recommended. -# New compact syntax for AttrDef objects that can be used to instantiate - new objects via make() -# Definitions (esp. HTMLDefinition) are now cached for a significant - performance boost. You can disable caching by setting %Core.DefinitionCache - to null. You CANNOT edit raw definitions without setting the corresponding - DefinitionID directive (%HTML.DefinitionID for HTMLDefinition). -# Contents between <script> tags are now completely removed if <script> - is not allowed -# Prototype-declarations for Lexer removed in favor of configuration - determination of Lexer implementations. -! HTML Purifier now works in PHP 4.3.2. -! Configuration form-editing API makes tweaking HTMLPurifier_Config a - breeze! -! Configuration directives that accept hashes now allow new string - format: key1:value1,key2:value2 -! ConfigDoc now factored into OOP design -! All deprecated elements now natively supported -! Implement TinyMCE styled whitelist specification format in - %HTML.Allowed -! Config object gives more friendly error messages when things go wrong -! Advanced API implemented: easy functions for creating elements (addElement) - and attributes (addAttribute) on HTMLDefinition -! Add native support for required attributes -- Deprecated and removed EnableRedundantUTF8Cleaning. It didn't even work! -- DOMLex will not emit errors when a custom error handler that does not - honor error_reporting is used -- StrictBlockquote child definition refrains from wrapping whitespace - in tags now. -- Bug resulting from tag transforms to non-allowed elements fixed -- ChildDef_Custom's regex generation has been improved, removing several - false positives -. Unit test for ElementDef created, ElementDef behavior modified to - be more flexible -. Added convenience functions for HTMLModule constructors -. AttrTypes now has accessor functions that should be used instead - of directly manipulating info -. TagTransform_Center deprecated in favor of generic TagTransform_Simple -. Add extra protection in AttrDef_URI against phantom Schemes -. Doctype object added to HTMLDefinition which describes certain aspects - of the operational document type -. Lexer is now pre-emptively included, with a conditional include for the - PHP5 only version. -. HTMLDefinition and CSSDefinition have a common parent class: Definition. -. DirectLex can now track line-numbers -. Preliminary error collector is in place, although no code actually reports - errors yet -. Factor out most of ValidateAttributes to new AttrValidator class - -1.6.1, released 2007-05-05 -! Support for more deprecated attributes via transformations: - + hspace and vspace in img - + size and noshade in hr - + nowrap in td - + clear in br - + align in caption, table, img and hr - + type in ul, ol and li -! DirectLex now preserves text in which a < bracket is followed by - a non-alphanumeric character. This means that certain emoticons - are now preserved. -! %Core.RemoveInvalidImg is now operational, when set to false invalid - images will hang around with an empty src -! target attribute in a tag supported, use %Attr.AllowedFrameTargets - to enable -! CSS property white-space now allows nowrap (supported in all modern - browsers) but not others (which have spotty browser implementations) -! XHTML 1.1 mode now sort-of works without any fatal errors, and - lang is now moved over to xml:lang. -! Attribute transformation smoketest available at smoketests/attrTransform.php -! Transformation of font's size attribute now handles super-large numbers -- Possibly fatal bug with __autoload() fixed in module manager -- Invert HTMLModuleManager->addModule() processing order to check - prefixes first and then the literal module -- Empty strings get converted to empty arrays instead of arrays with - an empty string in them. -- Merging in attribute lists now works. -. Demo script removed: it has been added to the website's repository -. Basic.php script modified to work out of the box -. Refactor AttrTransform classes to reduce duplication -. AttrTransform_TextAlign axed in favor of a more general - AttrTransform_EnumToCSS, refer to HTMLModule/TransformToStrict.php to - see how the new equivalent is implemented -. Unit tests now use exclusively assertIdentical - -1.6.0, released 2007-04-01 -! Support for most common deprecated attributes via transformations: - + bgcolor in td, th, tr and table - + border in img - + name in a and img - + width in td, th and hr - + height in td, th -! Support for CSS attribute 'height' added -! Support for rel and rev attributes in a tags added, use %Attr.AllowedRel - and %Attr.AllowedRev to activate -- You can define ID blacklists using regular expressions via - %Attr.IDBlacklistRegexp -- Error messages are emitted when you attempt to "allow" elements or - attributes that HTML Purifier does not support -- Fix segfault in unit test. The problem is not very reproduceable and - I don't know what causes it, but a six line patch fixed it. - -1.5.0, released 2007-03-23 -! Added a rudimentary I18N and L10N system modeled off MediaWiki. It - doesn't actually do anything yet, but keep your eyes peeled. -! docs/enduser-utf8.html explains how to use UTF-8 and HTML Purifier -! Newly structured HTMLDefinition modeled off of XHTML 1.1 modules. - I am loathe to release beta quality APIs, but this is exactly that; - don't use the internal interfaces if you're not willing to do migration - later on. -- Allow 'x' subtag in language codes -- Fixed buggy chameleon-support for ins and del -. Added support for IDREF attributes (i.e. for) -. Renamed HTMLPurifier_AttrDef_Class to HTMLPurifier_AttrDef_Nmtokens -. Removed context variable ParentType, replaced with IsInline, which - is false when you're not inline and an integer of the parent that - caused you to become inline when you are (so possibly zero) -. Removed ElementDef->type in favor of ElementDef->descendants_are_inline - and HTMLDefinition->content_sets -. StrictBlockquote now reports what elements its supposed to allow, - rather than what it does allow -. Removed HTMLDefinition->info_flow_elements in favor of - HTMLDefinition->content_sets['Flow'] -. Removed redundant "exclusionary" definitions from DTD roster -. StrictBlockquote now requires a construction parameter as if it - were an Required ChildDef, this is the "real" set of allowed elements -. AttrDef partitioned into HTML, CSS and URI segments -. Modify Youtube filter regexp to be multiline -. Require both PHP5 and DOM extension in order to use DOMLex, fixes - some edge cases where a DOMDocument class exists in a PHP4 environment - due to DOM XML extension. - -1.4.1, released 2007-01-21 -! docs/enduser-youtube.html updated according to new functionality -- YouTube IDs can have underscores and dashes - -1.4.0, released 2007-01-21 -! Implemented list-style-image, URIs now allowed in list-style -! Implemented background-image, background-repeat, background-attachment - and background-position CSS properties. Shorthand property background - supports all of these properties. -! Configuration documentation looks nicer -! Added %Core.EscapeNonASCIICharacters to workaround loss of Unicode - characters while %Core.Encoding is set to a non-UTF-8 encoding. -! Support for configuration directive aliases added -! Config object can now be instantiated from ini files -! YouTube preservation code added to the core, with two lines of code - you can add it as a filter to your code. See smoketests/preserveYouTube.php - for sample code. -! Moved SLOW to docs/enduser-slow.html and added code examples -- Replaced version check with functionality check for DOM (thanks Stephen - Khoo) -. Added smoketest 'all.php', which loads all other smoketests via frames -. Implemented AttrDef_CSSURI for url(http://google.com) style declarations -. Added convenient single test selector form on test runner - -1.3.2, released 2006-12-25 -! HTMLPurifier object now accepts configuration arrays, no need to manually - instantiate a configuration object -! Context object now accessible to outside -! Added enduser-youtube.html, explains how to embed YouTube videos. See - also corresponding smoketest preserveYouTube.php. -! Added purifyArray(), which takes a list of HTML and purifies it all -! Added static member variable $version to HTML Purifier with PHP-compatible - version number string. -- Fixed fatal error thrown by upper-cased language attributes -- printDefinition.php: added labels, added better clarification -. HTMLPurifier_Config::create() added, takes mixed variable and converts into - a HTMLPurifier_Config object. - -1.3.1, released 2006-12-06 -! Added HTMLPurifier.func.php stub for a convenient function to call the library -- Fixed bug in RemoveInvalidImg code that caused all images to be dropped - (thanks to .mario for reporting this) -. Standardized all attribute handling variables to attr, made it plural - -1.3.0, released 2006-11-26 -# Invalid images are now removed, rather than replaced with a dud - <img src="" alt="Invalid image" />. Previous behavior can be restored - with new directive %Core.RemoveInvalidImg set to false. -! (X)HTML Strict now supported - + Transparently handles inline elements in block context (blockquote) -! Added GET method to demo for easier validation, added 50kb max input size -! New directive %HTML.BlockWrapper, for block-ifying inline elements -! New directive %HTML.Parent, allows you to only allow inline content -! New directives %HTML.AllowedElements and %HTML.AllowedAttributes to let - users narrow the set of allowed tags -! <li value="4"> and <ul start="2"> now allowed in loose mode -! New directives %URI.DisableExternalResources and %URI.DisableResources -! New directive %Attr.DisableURI, which eliminates all hyperlinking -! New directive %URI.Munge, munges URI so you can use some sort of redirector - service to avoid PageRank leaks or warn users that they are exiting your site. -! Added spiffy new smoketest printDefinition.php, which lets you twiddle with - the configuration settings and see how the internal rules are affected. -! New directive %URI.HostBlacklist for blocking links to bad hosts. - xssAttacks.php smoketest updated accordingly. -- Added missing type to ChildDef_Chameleon -- Remove Tidy option from demo if there is not Tidy available -. ChildDef_Required guards against empty tags -. Lookup table HTMLDefinition->info_flow_elements added -. Added peace-of-mind variable initialization to Strategy_FixNesting -. Added HTMLPurifier->info_parent_def, parent child processing made special -. Added internal documents briefly summarizing future progression of HTML -. HTMLPurifier_Config->getBatch($namespace) added -. More lenient casting to bool from string in HTMLPurifier_ConfigSchema -. Refactored ChildDef classes into their own files - -1.2.0, released 2006-11-19 -# ID attributes now disabled by default. New directives: - + %HTML.EnableAttrID - restores old behavior by allowing IDs - + %Attr.IDPrefix - %Attr.IDBlacklist alternative that munges all user IDs - so that they don't collide with your IDs - + %Attr.IDPrefixLocal - Same as above, but for when there are multiple - instances of user content on the page - + Profuse documentation on how to use these available in docs/enduser-id.txt -! Added MODx plugin <http://modxcms.com/forums/index.php/topic,6604.0.html> -! Added percent encoding normalization -! XSS attacks smoketest given facelift -! Configuration documentation now has table of contents -! Added %URI.DisableExternal, which prevents links to external websites. You - can also use %URI.Host to permit absolute linking to subdomains -! Non-accessible resources (ex. mailto) blocked from embedded URIs (img src) -- Type variable in HTMLDefinition was not being set properly, fixed -- Documentation updated - + TODO added request Phalanger - + TODO added request Native compression - + TODO added request Remove redundant tags - + TODO added possible plaintext formatter for HTML Purifier documentation - + Updated ConfigDoc TODO - + Improved inline comments in AttrDef/Class.php, AttrDef/CSS.php - and AttrDef/Host.php - + Revamped documentation into HTML, along with misc updates -- HTMLPurifier_Context doesn't throw a variable reference error if you attempt - to retrieve a non-existent variable -. Switched to purify()-wide Context object registry -. Refactored unit tests to minimize duplication -. XSS attack sheet updated -. configdoc.xml now has xml:space attached to default value nodes -. Allow configuration directives to permit null values -. Cleaned up test-cases to remove unnecessary swallowErrors() - -1.1.2, released 2006-09-30 -! Add HTMLPurifier.auto.php stub file that configures include_path -- Documentation updated - + INSTALL document rewritten - + TODO added semi-lossy conversion - + API Doxygen docs' file exclusions updated - + Added notes on HTML versus XML attribute whitespace handling - + Noted that HTMLPurifier_ChildDef_Custom isn't being used - + Noted that config object's definitions are cached versions -- Fixed lack of attribute parsing in HTMLPurifier_Lexer_PEARSax3 -- ftp:// URIs now have their typecodes checked -- Hooked up HTMLPurifier_ChildDef_Custom's unit tests (they weren't being run) -. Line endings standardized throughout project (svn:eol-style standardized) -. Refactored parseData() to general Lexer class -. Tester named "HTML Purifier" not "HTMLPurifier" - -1.1.1, released 2006-09-24 -! Configuration option to optionally Tidy up output for indentation to make up - for dropped whitespace by DOMLex (pretty-printing for the entire application - should be done by a page-wide Tidy) -- Various documentation updates -- Fixed parse error in configuration documentation script -- Fixed fatal error in benchmark scripts, slightly augmented -- As far as possible, whitespace is preserved in-between table children -- Sample test-settings.php file included - -1.1.0, released 2006-09-16 -! Directive documentation generation using XSLT -! XHTML can now be turned off, output becomes <br> -- Made URI validator more forgiving: will ignore leading and trailing - quotes, apostrophes and less than or greater than signs. -- Enforce alphanumeric namespace and directive names for configuration. -- Table child definition made more flexible, will fix up poorly ordered elements -. Renamed ConfigDef to ConfigSchema - -1.0.1, released 2006-09-04 -- Fixed slight bug in DOMLex attribute parsing -- Fixed rejection of case-insensitive configuration values when there is a - set of allowed values. This manifested in %Core.Encoding. -- Fixed rejection of inline style declarations that had lots of extra - space in them. This manifested in TinyMCE. - -1.0.0, released 2006-09-01 -! Shorthand CSS properties implemented: font, border, background, list-style -! Basic color keywords translated into hexadecimal values -! Table CSS properties implemented -! Support for charsets other than UTF-8 (defined by iconv) -! Malformed UTF-8 and non-SGML character detection and cleaning implemented -- Fixed broken numeric entity conversion -- API documentation completed -. (HTML|CSS)Definition de-singleton-ized - -1.0.0beta, released 2006-08-16 -! First public release, most functionality implemented. Notable omissions are: - + Shorthand CSS properties - + Table CSS properties - + Deprecated attribute transformations - - vim: et sw=4 sts=4 |