HTML Purifier 4.5.0 released
HTML Purifier 4.5.0 is a minor bugfix and feature release, containing an accumulation of changes over a year. CSS support has been extended to support display:inline-block, white-space, underscores in font families, and page-break-* CSS3 properties (when proprietary is enabled). We now use SHA-1 to identify cached definitions, and the semantics of stacked attribute transforms have changed slightly.
See NEWS for a complete changelog. There are some minor, backwards incompatible changes, which we don't expect users to notice.
HTML Purifier 4.4.0 released
HTML Purifier 4.4.0 is a minor security release addressing a security vulnerability associated with some optional functionality. It also contains an accumulation of new features and bugfixes over half a year. New configuration options include %HTML.TargetBlank, %HTML.AllowedComments, %HTML.AllowedCommentsRegexp, %HTML.SafeIframe, %URI.SafeIframeRegexp, %Core.EnableIDNA (requires PEAR Net_IDNA2 module and doesn't work for PHP 5.0.5). We also now support the 'scope' attribute on tables.
See NEWS for a complete changelog. There are some minor, backwards incompatible changes, which we don't expect users to notice.
HTML Purifier 4.3.0 released
HTML Purifier 4.3.0 is a major security release addressing various security vulnerabilities related to user-submitted code and legitimate client-side scripts. It also contains an accumulation of new features and bugfixes over half a year. New configuration options include %CSS.Trusted, %CSS.AllowedFonts and %Cache.SerializerPermissions. There is a backwards-incompatible API change for customized raw definitions; see the customization documentation for details.
See NEWS for a complete changelog.
HTML Purifier 4.2.0 released
HTML Purifier 4.2.0 is a minor release that implements a number of feature requests accumulated over half a year. New configuration options include %Core.RemoveProcessingInstructions, %CSS.ForbiddenProperties, %HTML.FlashAllowFullScreen and %Core.NormalizeNewlines. Additionally, %URI.DisableResources is now functional and file: is an optionally supported URI scheme. There are also some minor bugfixes, usability improvements and documentation updates.
See NEWS for a complete changelog.
Along with this release, we would like to announce full disclosure on the security vulnerability patched in 4.1.0 and 4.1.1. Please see the CSS Quoting full disclosure page.
HTML Purifier 4.1.1 released
HTML Purifier 4.1.1 is a major security and bugfix release that improves on 4.1's fix for an XSS vulnerability exploitable on Internet Explorer. It also contains a number of important bugfixes, including the removal of improper logic that could result in infinite loops and fixed parsing for single-attributes with entities with DirectLex.
See NEWS for a complete changelog.