News

HTML Purifier 4.7.0 released

Posted 9:21 PM EDT on Tuesday, August 4, 2015

HTML Purifier 4.7.0 is a bugfix release, collecting two years' worth of accumulated bug fixes. Highlights are updated YouTube filter code, corrected rgb() CSS parsing, and one new configuration option, %AutoFormat.RemoveEmpty.Predicate.

See NEWS for a complete changelog.

HTML Purifier in Objective C released

Posted 7:32 PM EST on Monday, March 3, 2014

I'm pleased to report the availability of a (partial) Objective C port of HTML Purifier, by Lukas Neumann and Roman Priebe of Mynigma. I am aware of a few attempts at porting HTML Purifier in the past, but I think Lukas and Roman are the first ever to pull off anything to this degree. Kudos to them!

HTML Purifier 4.6.0 released

Posted 4:02 AM EST on Saturday, November 30, 2013

HTML Purifier 4.6.0 is a major security release, fixing numerous bad quadratic asymptotics in HTML Purifier's core algorithms. Most users will see a decent speedup on large inputs, although small inputs may take longer. Additionally, the secure URI munging algorithm has changed to do a proper HMAC. There are some other miscellaneous bugfixes as well.

See NEWS for a complete changelog. If you were using the secure URI munge hashing, you will need to update your redirector scripts. Additionally, %Core.EscapeInvalidChildren no longer does anything.
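As an added illustration (not code from the HTML Purifier distribution), a redirector script that validates the HMAC checksum before redirecting could look like the following. It assumes %URI.Munge is set to a pattern such as `/redirect.php?url=%s&checksum=%t`, that the checksum is HMAC-SHA-256 over the original URL keyed with %URI.MungeSecretKey (confirm against the directive's documentation for your installed version), and the file name, parameter names and helper functions are hypothetical.

```php
<?php
// Added example: redirector check for links munged by HTML Purifier 4.6.0+.
// Assumption: the checksum (%t) is hash_hmac('sha256', $url, $secret_key).

// Placeholder: must be the same value configured as %URI.MungeSecretKey.
const MUNGE_SECRET_KEY = 'replace-with-your-URI.MungeSecretKey';

// Recompute the HMAC and compare in constant time (hash_equals, PHP >= 5.6).
function munge_checksum_ok(string $url, string $checksum, string $key): bool
{
    $expected = hash_hmac('sha256', $url, $key);
    return hash_equals($expected, $checksum);
}

// Return the redirect target only if it carries a valid checksum,
// otherwise null. Parameter names 'url' and 'checksum' are hypothetical.
function safe_redirect_target(array $query, string $key): ?string
{
    $url = $query['url'] ?? null;
    $checksum = $query['checksum'] ?? null;
    if (!is_string($url) || !is_string($checksum)) {
        return null; // missing or array-valued parameters
    }
    if (!munge_checksum_ok($url, $checksum, $key)) {
        return null; // link did not pass through the purifier with this key
    }
    // Extra defensive check added here: only follow http(s) targets.
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null;
    }
    return $url;
}

$target = safe_redirect_target($_GET, MUNGE_SECRET_KEY);
if ($target === null) {
    http_response_code(400);
    exit('Invalid or unsigned link');
}
header('Location: ' . $target, true, 302);
```

Links purified before the upgrade carry checksums from the previous scheme and will fail this check until the stored HTML is re-purified.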

HTML Purifier 4.5.0 released

Posted 7:17 PM EST on Sunday, February 17, 2013

HTML Purifier 4.5.0 is a minor bugfix and feature release, containing an accumulation of changes over a year. CSS support has been extended to support display:inline-block, white-space, underscores in font families, and page-break-* CSS3 properties (when proprietary is enabled). We now use SHA-1 to identify cached definitions, and the semantics of stacked attribute transforms have changed slightly.

See NEWS for a complete changelog. There are some minor, backwards incompatible changes, which we don't expect users to notice.

HTML Purifier 4.4.0 released

Posted 10:35 PM EST on Wednesday, January 18, 2012

HTML Purifier 4.4.0 is a minor security release addressing a security vulnerability associated with some optional functionality. It also contains an accumulation of new features and bugfixes over half a year. New configuration options include %HTML.TargetBlank, %HTML.AllowedComments, %HTML.AllowedCommentsRegexp, %HTML.SafeIframe, %URI.SafeIframeRegexp, and %Core.EnableIDNA (requires PEAR Net_IDNA2 module and doesn't work for PHP 5.0.5). We also now support the 'scope' attribute on tables.

See NEWS for a complete changelog. There are some minor, backwards incompatible changes, which we don't expect users to notice.