HTML Purifier 3.1.1 released

Posted 5:57 PM EST on Thursday, June 19, 2008

HTML Purifier 3.1.1 is a security and bugfix release. This release addresses two security vulnerabilities, both related to CSS, one of which applies only to users with Shift_JIS as their output encoding. There is also a security improvement regarding the imagecrash attack. There is one backwards-incompatible change to %URI.Munge: resources are no longer munged by default; re-enable this with %URI.MungeResources. Besides this, there are numerous improvements to URI munging, especially the addition of %URI.MungeSecretKey, as well as an experimental implementation of %HTML.SafeObject and %HTML.SafeEmbed. There are also some memory optimizations.

As a security release, please update as quickly as possible. Care has been taken to prevent backwards-compatibility breakage this time (something that plagued users who tried to upgrade to 3.1.0); there is only one slight break, related to a bugfix, and it can easily be undone with %URI.MungeResources.
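For readers upgrading, here is an added configuration example (not code from the HTML Purifier project or this announcement) showing the directives named above together: the munge redirector with %URI.MungeSecretKey, the opt-in %URI.MungeResources that restores the pre-3.1.1 behaviour, and the experimental %HTML.SafeObject/%HTML.SafeEmbed. It assumes a 3.1.x install with the three-argument `HTMLPurifier_Config::set($namespace, $directive, $value)` form; the redirector URL, its `url`/`check` parameters and the sample input are constructed for this example, and the `%t` placeholder (the secret-key hash substituted into the munge string) should be checked against the %URI.Munge documentation of the version you deploy.

```php
<?php
// Added example for the 3.1.1 release note; not the project's own code.
// Assumes HTML Purifier 3.1.x is on the include path.
require_once 'HTMLPurifier.auto.php';

$config = HTMLPurifier_Config::createDefault();

// Redirector template: %s is replaced by the outgoing URI, %t by the hash
// derived from %URI.MungeSecretKey. The redirector path is hypothetical.
$config->set('URI', 'Munge', 'http://example.com/redirect.php?url=%s&check=%t');

// Since 3.1.1, resource URIs are no longer munged by default. Set this to
// true only if you deliberately want the pre-3.1.1 behaviour back.
$config->set('URI', 'MungeResources', true);

// Secret key so the redirector can verify the munged link was produced by
// the purifier rather than hand-crafted in user-submitted markup.
// Placeholder value: generate a long random secret for real deployments.
$config->set('URI', 'MungeSecretKey', 'REPLACE-WITH-A-LONG-RANDOM-SECRET');

// Experimental in 3.1.1: permit whitelisted <object>/<embed> markup.
$config->set('HTML', 'SafeObject', true);
$config->set('HTML', 'SafeEmbed', true);

$purifier = new HTMLPurifier($config);

// Constructed sample input: one link and one image resource.
$dirty = '<a href="http://example.net/page">link</a> '
       . '<img src="http://example.net/pic.png" alt="pic">';

// Both the href and (because MungeResources is on) the img src come out
// rewritten through the redirector template.
echo $purifier->purify($dirty);
```

The redirector script on the receiving end must recompute the hash from its copy of the secret key and refuse requests whose `check` value does not match; without that verification, the secret key adds nothing over plain %URI.Munge.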

See NEWS for a complete changelog. There were numerous added configuration directives not mentioned above.

Along with this release, we would like to announce full disclosure on the security vulnerability patched in 3.1.0. Please see HTTP Protocol Removal for more information about the vulnerability affecting versions prior to 3.1.0 and 2.1.4.

Finally, the security fixes and bug fixes were backported to our PHP4 branch with the release of HTML Purifier 2.1.5. See NEWS (PHP4) for a complete changelog.