News

Switching to Git

Mon, 23 June 2008 22:42:00 EST

After several weeks of testing, HTML Purifier is proud to announce that it will be switching to Git as its source control management system. Git offers a number of advantages over Subversion:

  • Superior support for branchy development. Subversion 1.5 introduces merge-tracking which somewhat diminishes this benefit, but implementing that is entirely at the whimsy of Dreamhost, which I am not going to bother with.
  • Increased possibility for user participation. Git makes it extremely easy to do local development and submit patches.
  • Data redundancy. Every user has a complete copy of HTML Purifier's history, making it extremely difficult to lose data. This is opposed to our current setup, where htmlpurifier.org is a central point of failure, and backups are sent to only one other machine.
  • Performance. Git is fast, both in terms of disk operations and network operations. Gone are the days of waiting several minutes for Subversion to finish committing.

Currently, only htmlpurifier has been migrated to Git; htmlpurifier-web will be migrated after any kinks are worked out. There are a number of features, such as nightly snapshot generation and contributor documentation, that still need to be written.

We will be using repo.or.cz as our primary remote repository; push access will be administered there, and changes will be mirrored (courtesy of a script by aeruder at #git) to a repository hosted at git.htmlpurifier.org as well as GitHub. If you want to grab a development copy, use this command:

git clone git://repo.or.cz/htmlpurifier.git

Feel free to play around, and register comments and complaints at the forum.

HTML Purifier 3.1.1 released

Thu, 19 June 2008 17:57:00 EST

HTML Purifier 3.1.1 is a security and bugfix release. This release addresses two security vulnerabilities, both related to CSS, and one of which only applies to users using Shift_JIS as their output encoding. There is also a security improvement regarding the imagecrash attack. There is a backwards incompatible change with %URI.Munge, in which resources are no longer munged by default; please enable using %URI.MungeResources. Besides this, there are numerous improvements to URI munging, esp. with the addition of %URI.MungeSecretKey, as well as an experimental implementation of %HTML.SafeObject and %HTML.SafeEmbed. There are also some memory optimizations.

As a security release, please update as quickly as possible. Care has been taken to prevent backwards-compatibility breakage this time (something that plagued users who tried to upgrade to 3.1.0); there is only one slight break, related to a bugfix, which can be easily undone with %URI.MungeResources.
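The configuration change described above, as an added example that is not from this news page or the HTML Purifier project itself: a 3.1-era setup that keeps link munging, opts back in to resource munging (no longer the default as of 3.1.1), and sets %URI.MungeSecretKey so a redirector can check that a URL really came through the purifier. It assumes the 3.x set($namespace, $key, $value) API, that HTMLPurifier.auto.php is on the include path, and a hypothetical redirect.php on your own host; the secret is a placeholder.

```php
<?php
// Added example; assumes HTML Purifier 3.1.x and its set($namespace, $key, $value) API.
require_once 'HTMLPurifier.auto.php';

$config = HTMLPurifier_Config::createDefault();

// %s is replaced with the original URI and %t with the checksum derived from
// %URI.MungeSecretKey. redirect.php is a hypothetical redirector on your host;
// it must recompute %t from the shared key and the URI and refuse mismatches,
// otherwise it is just an open redirector.
$config->set('URI', 'Munge', 'http://www.example.com/redirect.php?url=%s&t=%t');

// As of 3.1.1 resources such as <img src> are no longer munged by default
// (the one backwards-incompatible change); set this to restore the old behaviour.
$config->set('URI', 'MungeResources', true);

// Shared only with redirect.php. Placeholder: replace with a long random secret.
$config->set('URI', 'MungeSecretKey', 'CHANGE-ME-long-random-secret');

$purifier = new HTMLPurifier($config);

// Constructed sample input: both the link and the image now pass through the
// redirector, each carrying a checksum the redirector can verify.
$dirty = '<a href="http://example.org/">link</a>'
       . '<img src="http://example.org/pic.png" alt="pic" />';
echo $purifier->purify($dirty);
```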

See NEWS for a complete changelog. There were numerous added configuration directives not mentioned above.

Along with this release, we would like to announce full disclosure on the security vulnerability patched in 3.1.0. Please see HTTP Protocol Removal for more information about the vulnerability affecting versions prior to 3.1.0 and 2.1.4.

Finally, the security fixes and bug fixes were backported to our PHP4 branch with the release of HTML Purifier 2.1.5. See NEWS (PHP4) for a complete changelog.

HTML Purifier 2.1.4 released

Sun, 18 May 2008 15:27:00 EST

This is a security and bugfix release for the HTML Purifier 2.1 series, and should only be downloaded by developers stuck on PHP 4. Important: Please upgrade your libraries as quickly as possible. The vulnerability was discovered internally, and no known exploits have been found in the wild. This is the same vulnerability as was fixed in HTML Purifier 3.1.0.

See NEWS for a complete changelog.

HTML Purifier 3.1.0 released

Sun, 08 May 2008 14:04:00 EST

HTML Purifier 3.1.0 is the first official stable release for the 3.1 series. It improves HTML Purifier's integration with PHP 5, mainly through the new use of autoloading. It also includes support for the !important CSS modifier, the display and visibility CSS properties with %CSS.AllowTricky, marquee with %HTML.Proprietary (had you scared for a moment, hmm?), a kses() wrapper, %CSS.AllowedProperties, %HTML.ForbiddenAttributes and %HTML.ForbiddenElements, and a totally revamped ConfigDoc system. Since the release candidate, there have also been a number of stability fixes such as improved URI escaping, a change in serializer ID format, and a relaxed format for %HTML.Allowed. And as always, numerous bugfixes.

Important: HTML Purifier 3.1.0 also fixes a security vulnerability. Please upgrade your libraries as quickly as possible. The vulnerability was discovered internally, and no known exploits have been found in the wild.

For a detailed migration guide, please see the 3.1.0 release page. If you had been using the release candidate, you do not need to worry about this.

HTML Purifier 3.1.0 release candidate

Tue, 22 Apr 2008 02:51:00 EST

I assure you, this has never happened before to HTML Purifier; never before have we had a release candidate. I assure you, there is something big with this release, and that's why I am painstakingly doing a release candidate before the official 3.1 series begins.

To read more about it, please check out the 3.1.0rc1 release candidate page.