News

HTML Purifier in Objective C released

Posted 7:32 PM EST on Monday, March 3, 2014

I'm pleased to report the availability of a (partial) Objective C port of HTML Purifier, by Lukas Neumann and Roman Priebe of Mynigma. I am aware of a few attempts at porting HTML Purifier in the past, but I think Lukas and Roman are the first ever to pull off anything to this degree. Kudos to them!

HTML Purifier 4.6.0 released

Posted 4:02 AM EST on Saturday, November 30, 2013

HTML Purifier 4.6.0 is a major security release, fixing numerous bad quadratic asymptotics in HTML Purifier's core algorithms. Most users will see a decent speedup on large inputs, although small inputs may take longer. Additionally, the secure URI munging algorithm has changed to do a proper HMAC. There are some other miscellaneous bugfixes as well.

See NEWS for a complete changelog. If you were using the secure URI munge hashing, you will need to update your redirector scripts. Additionally, %Core.EscapeInvalidChildren no longer does anything.
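
As an added example (not code from the HTML Purifier distribution), an updated redirector-side check could look like the following. It relies on the 4.6.0 checksum being hash_hmac("sha256", $url, $secret_key) keyed with the %URI.MungeSecretKey value; the query parameter names url and checksum, the function names and the sample key are assumptions made for illustration.

```php
<?php
// Added example, not part of HTML Purifier. Assumes a munge template such as
// %URI.Munge = '/redirect.php?url=%s&checksum=%t' (parameter names constructed).

// Checksum HTML Purifier 4.6.0+ substitutes for %t when
// %URI.MungeSecretKey is set.
function munge_checksum(string $url, string $secretKey): string
{
    return hash_hmac('sha256', $url, $secretKey);
}

// Returns the target URL when the checksum shows it passed through
// HTML Purifier, or null when the request must be refused.
function verified_target(array $query, string $secretKey): ?string
{
    $url = $query['url'] ?? null;
    $checksum = $query['checksum'] ?? null;
    if (!is_string($url) || !is_string($checksum)) {
        return null; // missing or array-valued parameters
    }
    // hash_equals() compares in constant time, unlike === on strings.
    if (!hash_equals(munge_checksum($url, $secretKey), $checksum)) {
        return null;
    }
    // Extra hardening added in this example: only redirect to web schemes.
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? $url : null;
}

// Constructed sample values; a real redirector would pass $_GET and the
// same secret configured in %URI.MungeSecretKey.
$secret = 'constructed-sample-key';
$url = 'http://example.com/page?a=1';
$mac = munge_checksum($url, $secret);

// Matching URL and checksum: the URL is returned.
var_dump(verified_target(['url' => $url, 'checksum' => $mac], $secret));
// URL swapped after the checksum was issued: refused.
var_dump(verified_target(['url' => 'http://other.example/', 'checksum' => $mac], $secret));
// Checksum parameter missing: refused.
var_dump(verified_target(['url' => $url], $secret));
```

When the function returns null, the redirector should answer with an error page instead of issuing a Location header.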

HTML Purifier 4.5.0 released

Posted 7:17 PM EST on Sunday, February 17, 2013

HTML Purifier 4.5.0 is a minor bugfix and feature release, containing an accumulation of changes over a year. CSS support has been extended to support display:inline-block, white-space, underscores in font families, and page-break-* CSS3 properties (when proprietary is enabled). We now use SHA-1 to identify cached definitions, and the semantics of stacked attribute transforms have changed slightly.

See NEWS for a complete changelog. There are some minor, backwards incompatible changes, which we don't expect users to notice.

HTML Purifier 4.4.0 released

Posted 10:35 PM EST on Wednesday, January 18, 2012

HTML Purifier 4.4.0 is a minor security release addressing a security vulnerability associated with some optional functionality. It also contains an accumulation of new features and bugfixes over half a year. New configuration options include %HTML.TargetBlank, %HTML.AllowedComments, %HTML.AllowedCommentsRegexp, %HTML.SafeIframe, %URI.SafeIframeRegexp, and %Core.EnableIDNA (requires PEAR Net_IDNA2 module and doesn't work for PHP 5.0.5). We also now support the 'scope' attribute on tables.

See NEWS for a complete changelog. There are some minor, backwards incompatible changes, which we don't expect users to notice.

HTML Purifier 4.3.0 released

Posted 6:55 PM EDT on Sunday, March 27, 2011

HTML Purifier 4.3.0 is a major security release addressing various security vulnerabilities related to user-submitted code and legitimate client-side scripts. It also contains an accumulation of new features and bugfixes over half a year. New configuration options include %CSS.Trusted, %CSS.AllowedFonts and %Cache.SerializerPermissions. There is a backwards-incompatible API change for customized raw definitions; see the customization documentation for details.

See NEWS for a complete changelog.