HTML Purifier 4.4.0 released
HTML Purifier 4.4.0 is a minor security release addressing a security vulnerability associated with some optional functionality. It also contains an accumulation of new features and bugfixes over half a year. New configuration options include %HTML.TargetBlank, %HTML.AllowedComments, %HTML.AllowedCommentsRegexp, %HTML.SafeIframe, %URI.SafeIframeRegexp, %Core.EnableIDNA (requires PEAR Net_IDNA2 module and doesn't work for PHP 5.0.5). We also now support the 'scope' attribute on tables.
See NEWS for a complete changelog. There are some minor, backwards incompatible changes, which we don't expect users to notice.
HTML Purifier 4.3.0 released
HTML Purifier 4.3.0 is a major security release addressing various security vulnerabilities related to user-submitted code and legitimate client-side scripts. It also contains an accumulation of new features and bugfixes over half a year. New configuration options include %CSS.Trusted, %CSS.AllowedFonts and %Cache.SerializerPermissions. There is a backwards-incompatible API change for customized raw definitions; see the customization documentation for details.
See NEWS for a complete changelog.
HTML Purifier 4.2.0 released
HTML Purifier 4.2.0 is a minor release that implements a number of feature requests accumulated over half a year. New configuration options include %Core.RemoveProcessingInstructions, %CSS.ForbiddenProperties, %HTML.FlashAllowFullScreen and %Core.NormalizeNewlines. Additionally, %URI.DisableResources is now functional and file: is an optionally supported URI scheme. There are also some minor bugfixes, usability improvements and documentation updates.
See NEWS for a complete changelog.
Along with this release, we would like to announce full disclosure on the security vulnerability patched in 4.1.0 and 4.1.1. Please see the CSS Quoting full disclosure page.
HTML Purifier 4.1.1 released
HTML Purifier 4.1.1 is a major security and bugfix release that improves on 4.1's fix for an XSS vulnerability exploitable on Internet Explorer. It also contains a number of important bugfixes, including the removal of improper logic that could result in infinite loops and fixed parsing for single-attributes with entities with DirectLex.
See NEWS for a complete changelog.
HTML Purifier 4.1 released
HTML Purifier 4.1 is a major security release that fixes an XSS vulnerability exploitable on Internet Explorer. Thanks to Mario Heiderich for reporting. It also contains a number of new features: dramatically more flexible Flash support (including %Output.FlashCompat to replace %HTML.SafeEmbed), optional support for the data: URI scheme, and better HTML parsing capabilities.
See NEWS for a complete changelog.