HTML Purifier 3.2.0 released
HTML Purifier 3.2.0 is an amalgamation of new features and fixes that have accumulated over a four-month period. Some notable features include optional removal of empty elements, column tracking for tokens, proper support for the name attribute, and overridable behavior for alt text. There were also major improvements to the test suite interface, error collection output, and the auto-formatter framework.
The new configuration directives in this release are:
See NEWS for a complete changelog. There are numerous new features not mentioned here.
Along with this release, we would like to announce full disclosure on the two security vulnerabilities patched in 3.1.1. Please see the CSS Backslash and Shift_JIS full disclosure pages.
Calling All Developers!
If you're reading this news entry, you're probably a user of HTML Purifier. In fact, it wouldn't be too far-fetched to say you're a power user of HTML Purifier. In fact, you probably know the ins and outs of the HTMLPurifier class, have used HTML Purifier for multiple projects, and, doubtless, have some gripes about HTML Purifier.
Well, now is the chance to let those latent feature requests, complaints of poor documentation, and gotchas be heard. We gave you the source; it is time for you to use it.
Today, we have launched a new forum, the “Internals” forum. This is the place for anyone interested in playing a part in HTML Purifier's open source development process: to display prototypes of new features, to discuss HTML Purifier's support of the upcoming versions of HTML, to ask questions regarding internal components, and much more. If you've ever modified a portion of HTML Purifier's core code, or created an extension to it, dust it off and show it to the world. We've migrated to Git, so you can fork the main project, develop your new feature, and hopefully get it integrated back into the mainline.
If you've never looked at HTML Purifier's source before, now is the time to start. This document on contributing will give you inside tips and tricks for getting started developing HTML Purifier.
Thanks for reading! We look forward to seeing your contributions.
News Improvements
You may have noticed various improvements and changes to our news system; entries now get their own permalink pages and the most recent news entry shows up on the front page. These are some easily noticeable cosmetic changes demonstrating the new News DOMFilter. This filter aggregates pages following the YYYY/MMDD-name.xhtml format in a folder and places the most recent contents on one page. This is opposed to what we previously did, which was to stuff all the news contents on one page and have a scraper generate RSS for us (by the way, we still use the same scraper, thanks to the quite nice modularity of the two filters).
There should be more improvements coming soon as we add the features and trappings of a standard “blog”; expect comments and improved navigation, for example. I also plan on launching a personal weblog for PHP and other development-related things; stay tuned.
As usual, this software is all free and can be accessed under the XHTML Compiler project at repo.or.cz.
Switching to Git
After several weeks of testing, HTML Purifier is proud to announce that it will be switching to Git as its source control management system. Git offers a number of advantages over Subversion:
- Superior support for branchy development. Subversion 1.5 introduces merge-tracking which somewhat diminishes this benefit, but implementing that is entirely at the whimsy of Dreamhost, which I am not going to bother with.
- Increased possibility for user participation. Git makes it extremely easy to do local development and submit patches.
- Data redundancy. Every user has a complete copy of HTML Purifier's history, making it extremely difficult to lose data. This is opposed to our current setup, where htmlpurifier.org is a central point of failure, and backups are sent to only one other machine.
- Performance. Git is fast, both in terms of disk operations and network operations. Gone are the days of waiting several minutes for Subversion to finish committing.
Currently, only htmlpurifier has been migrated to Git; htmlpurifier-web will be migrated after any kinks are worked out. There are a number of features, such as nightly snapshot generation and contributor documentation, that need to be written.
We will be using repo.or.cz as our primary remote repository; push access will be administered there, and changes will be mirrored (courtesy of a script by aeruder at #git) to a repository hosted at git.htmlpurifier.org as well as GitHub. If you want to grab a development copy, use this command:
git clone git://repo.or.cz/htmlpurifier.git
Feel free to play around, and register comments and complaints at the forum.
HTML Purifier 3.1.1 released
HTML Purifier 3.1.1 is a security and bugfix release. This release addresses two security vulnerabilities, both related to CSS, and one of which only applies to users using Shift_JIS as their output encoding. There is also a security improvement regarding the imagecrash attack. There is a backwards incompatible change with %URI.Munge, in which resources are no longer munged by default; please enable using %URI.MungeResources. Besides this, there are numerous improvements to URI munging, esp. with the addition of %URI.MungeSecretKey, as well as an experimental implementation of %HTML.SafeObject and %HTML.SafeEmbed. There are also some memory optimizations.
As this is a security release, please update as quickly as possible. Care has been taken to prevent backwards-compatibility breakage this time (something that plagued users who tried to upgrade to 3.1.0); there is only one slight break related to a bugfix that can be easily undone with %URI.MungeResources.
See NEWS for a complete changelog. There were numerous added configuration directives not mentioned above.
Along with this release, we would like to announce full disclosure on the security vulnerability patched in 3.1.0. Please see HTTP Protocol Removal for more information about the vulnerability affecting versions prior to 3.1.0 and 2.1.4.
Finally, the security fixes and bug fixes were backported to our PHP4 branch with the release of HTML Purifier 2.1.5. See NEWS (PHP4) for a complete changelog.