HTML Purifier 4.1.1 released
HTML Purifier 4.1.1 is a major security and bugfix release that improves on 4.1's fix for an XSS vulnerability exploitable on Internet Explorer. It also contains a number of important bugfixes, including the removal of improper logic that could result in infinite loops and a fix for DirectLex's parsing of single-quoted attributes containing entities.
See NEWS for a complete changelog.
HTML Purifier 4.1 released
HTML Purifier 4.1 is a major security release that fixes an XSS vulnerability exploitable on Internet Explorer. Thanks to Mario Heiderich for reporting. It also contains a number of new features: dramatically more flexible Flash support (%Output.FlashCompat, which replaces %HTML.SafeEmbed), optional support for the data: URI scheme, and better HTML parsing capabilities.
See NEWS for a complete changelog.
State of the Flash
It is no exaggeration when I say that more than half of the support requests on HTML Purifier are for Flash. I don't hold any especial fondness for the technology: from a purely security standpoint—that is, after all, what HTML Purifier is about, right?—the platform is utterly byzantine, a twisty maze of flags and syntax and variations that make it really hard to whitelist properly. I'd be much happier if no one used the damn software, and support for it shows in HTML Purifier; if you would like to support flash videos, you either:
- Hack around it manually using a filter which needs to be custom tailored for each website you wish to support, or
- Use SafeObject and SafeEmbed.
From an end-user perspective, I've basically become convinced that the filter approach is not scalable; people expect to be able to include videos from any website. Thus, work needs to be devoted to SafeObject and SafeEmbed to make them more robust. Specifically, we need:
- Support for the flashvars parameter, which some flash players use in order to specify what content is being played,
- Support for Internet Explorer compatibility code, which gets specifically removed right now since we don't understand Internet Explorer conditional comments, and
- Better documentation about what is up with all of the different ways of setting up flash.
I'm working on a patch as we speak to make flashvars happen. I have no idea if this is going to introduce a security vulnerability, although my gut feeling is that anything a user could have done with a flashvar, they could have done with a malicious swf file.
For compatibility code, there was a patch being bandied around on the forums for some time now. I spent a few hours looking at it, decided that the approach was wrong, and am scrapping it. I'll be adding a special hack that generates Internet Explorer compatibility code whenever we see an object tag.
And of course, everyone loves documentation. I'll be drawing up another document about using SafeObject and SafeEmbed effectively once these changes are released.
Thank you all for being patient!
HTML Purifier 4.0 released
HTML Purifier 4.0 is a major feature release focused on configuration. It deprecates the $config->set('Ns', 'Directive', $value) syntax in favor of $config->set('Ns.Directive', $value); both syntaxes work, but the former will throw errors. There are also some new features: robust support for name/id, configuration inheritance, nbsp removal in the RemoveEmpty autoformatter, userland configuration directives and configuration serialization.
You can find full information on how to perform the migration at dev-config-bcbreaks.txt, although the transforms are very simple and the error messages should tell you what you need to do.
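As an added example (not from the announcement or the HTML Purifier project itself), here is a 4.x-style configuration that uses the dotted Ns.Directive syntax for the directives these notes mention; it assumes HTMLPurifier.auto.php is reachable via the include path, and the markup it purifies is constructed.

```php
<?php
// Added example: HTML Purifier 4.x configuration with the dotted
// 'Ns.Directive' syntax. Assumes HTMLPurifier.auto.php is on the include path.
require_once 'HTMLPurifier.auto.php';

$config = HTMLPurifier_Config::createDefault();

// Deprecated 4.0 form (still works, but throws errors):
//   $config->set('HTML', 'SafeObject', true);
// Current form:
$config->set('HTML.SafeObject', true);
$config->set('HTML.SafeEmbed', true);

// 4.1: emit Internet Explorer compatible markup for <object> instead of
// relying on %HTML.SafeEmbed alone.
$config->set('Output.FlashCompat', true);

// 4.0: let the RemoveEmpty autoformatter treat an element holding only
// &nbsp; as empty.
$config->set('AutoFormat.RemoveEmpty', true);
$config->set('AutoFormat.RemoveEmpty.RemoveNbsp', true);

// 4.1: data: URIs are not allowed by default; opt in only where needed.
// (Assumption: the lookup array lists every scheme you want to permit.)
$config->set('URI.AllowedSchemes', array(
    'http' => true, 'https' => true, 'mailto' => true, 'data' => true,
));

$purifier = new HTMLPurifier($config);

// Constructed sample input: a Flash embed plus a paragraph that holds only
// &nbsp;. SafeObject keeps the <object> but constrains its <param>s.
$dirty = '<p>&nbsp;</p>'
       . '<object type="application/x-shockwave-flash"'
       . ' data="http://example.com/player.swf">'
       . '<param name="movie" value="http://example.com/player.swf" />'
       . '</object>';

echo $purifier->purify($dirty);
```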
Having not performed an HTML Purifier release in so long, I have unfortunately forgotten the passphrase on my original private key. Furthermore, you may have noticed that commit messages are now showing up as ezyang@mit.edu instead of edwardzyang@thewritingpot.com. While not intentional, this is a good time to switch my GnuPG signing key. The new key you should verify against is 0x1E1C674B.
Those of you who are paranoid should directly use the Git repository, which is tagged with the correct key (yes, muscle memory worked once, and then fled from me), although all future releases will be tagged with the new key. The key is also locally stored on htmlpurifier.org.
See NEWS for a complete changelog.
Update: I have remembered my password, and have re-signed all of the releases with the old key. I still plan on going forward with the transition to the new GnuPG signing key (as it has a much larger key size and should be resilient in the face of nascent attacks against SHA-1). Check the download page for more information.
HTML Purifier 3.3.0 released
HTML Purifier 3.3.0 fixes a number of obscure bugs reported and fixed over a four month period. It is probably the last release in the 3.x series. Notable new features include support for the overflow CSS property; notable bugfixes include YouTube rendering in certain versions of Firefox, the CSSDefinition Printer, improved support for early PHP versions, and bugs in iconv.
See NEWS for a complete changelog.