HTML Purifier 4.8.0 released

Posted 9:14 AM EDT on Saturday, July 16, 2016

HTML Purifier 4.8.0 is a bugfix release, collecting a year of accumulated bug fixes. In particular, we fixed some minor bugs and now declare full PHP 7 compatibility. The primary backwards-incompatible change is that HTML Purifier will now add rel="noreferrer" to all links with target attributes (you can disable this with %HTML.TargetNoReferrer). Other changes: new configuration options %CSS.AllowDuplicates and %Attr.ID.HTML5; border-radius is partially supported when %CSS.Proprietary is enabled; and tel URIs are supported by default.

See NEWS for a complete changelog.

HTML Purifier 4.7.0 released

Posted 9:21 PM EDT on Tuesday, August 4, 2015

HTML Purifier 4.7.0 is a bugfix release, collecting two years' worth of accumulated bug fixes. Highlights are updated YouTube filter code, corrected rgb() CSS parsing, and one new configuration option, %AutoFormat.RemoveEmpty.Predicate.

See NEWS for a complete changelog.

HTML Purifier in Objective C released

Posted 7:32 PM EST on Monday, March 3, 2014

I'm pleased to report the availability of a (partial) Objective C port of HTML Purifier, by Lukas Neumann and Roman Priebe of Mynigma. I am aware of a few attempts at porting HTML Purifier in the past, but I think Lukas and Roman are the first ever to pull off anything to this degree. Kudos to them!

HTML Purifier 4.6.0 released

Posted 4:02 AM EST on Saturday, November 30, 2013

HTML Purifier 4.6.0 is a major security release, fixing numerous bad quadratic asymptotics in HTML Purifier's core algorithms. Most users will see a decent speedup on large inputs, although small inputs may take longer. Additionally, the secure URI munging algorithm has changed to do a proper HMAC. There are some other miscellaneous bugfixes as well.

See NEWS for a complete changelog. If you were using the secure URI munge hashing, you will need to update your redirector scripts. Additionally, %Core.EscapeInvalidChildren no longer does anything.
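A redirector-side check for the HMAC-based munge checksum, as an added example that is not HTML Purifier's own code. It assumes %URI.Munge is set to a pattern such as /redirect.php?url=%s&t=%t, that the checksum is HMAC-SHA256 over the original URI keyed with %URI.MungeSecretKey, and PHP 5.6 or later for hash_equals(); the file name, parameter names, function name and secret value are placeholders.

```php
<?php
// Added example: verify links munged by HTML Purifier before redirecting.
// MUNGE_SECRET must equal %URI.MungeSecretKey (placeholder value here).
const MUNGE_SECRET = 'replace-with-your-URI.MungeSecretKey';

/**
 * Returns the target URL when the checksum shows it passed through
 * HTML Purifier, or null when the request must be rejected.
 */
function verified_target($url, $token, $secret)
{
    if (!is_string($url) || !is_string($token) || $url === '') {
        return null; // missing or array-valued parameters
    }
    // Recompute the checksum over the decoded URI.
    $expected = hash_hmac('sha256', $url, $secret);
    // Constant-time comparison avoids leaking how many characters matched.
    if (!hash_equals($expected, $token)) {
        return null;
    }
    // Defence in depth: only ever redirect to http(s) targets.
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if ($scheme !== 'http' && $scheme !== 'https') {
        return null;
    }
    return $url;
}

if (PHP_SAPI !== 'cli') {
    // Web request: $_GET values are already URL-decoded by PHP.
    $target = verified_target(
        isset($_GET['url']) ? $_GET['url'] : null,
        isset($_GET['t']) ? $_GET['t'] : null,
        MUNGE_SECRET
    );
    if ($target === null) {
        http_response_code(400);
        exit('Invalid or unsigned link.');
    }
    header('Location: ' . $target, true, 302);
    exit;
}

// Command-line run with a constructed sample URL and a tampered copy.
$sample = 'http://example.com/page?a=1';
$token  = hash_hmac('sha256', $sample, MUNGE_SECRET);
var_dump(verified_target($sample, $token, MUNGE_SECRET));
var_dump(verified_target($sample . '&b=2', $token, MUNGE_SECRET));
```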

HTML Purifier 4.5.0 released

Posted 7:17 PM EST on Sunday, February 17, 2013

HTML Purifier 4.5.0 is a minor bugfix and feature release, containing an accumulation of changes over a year. CSS support has been extended to support display:inline-block, white-space, underscores in font families, and page-break-* CSS3 properties (when proprietary is enabled). We now use SHA-1 to identify cached definitions, and the semantics of stacked attribute transforms have changed slightly.

See NEWS for a complete changelog. There are some minor, backwards-incompatible changes, which we don't expect users to notice.