
News

Posted about 17 years ago
HTML Purifier 3.1.1 is a security and bugfix release. This release addresses two security vulnerabilities, both related to CSS, and one of which only applies to users using Shift_JIS as their output encoding. There is also a security improvement regarding the imagecrash attack. There is a backwards incompatible change with %URI.Munge, in which resources are no longer munged by default; please enable using %URI.MungeResources. Besides this, there are numerous improvements to URI munging, esp. with the addition of %URI.MungeSecretKey, as well as an experimental implementation of %HTML.SafeObject and %HTML.SafeEmbed. There are also some memory optimizations. As a security release, please update as quickly as possible. Care has been taken to prevent backwards-compatibility breakage this time (something that plagued users who tried to upgrade to 3.1.0); there is only one slight break related to a bugfix that can be easily undone with %URI.MungeResources. See NEWS for a complete changelog. There were numerous added configuration directives not mentioned above. Along with this release, we would like to announce full disclosure on the security vulnerability patched in 3.1.0. Please see HTTP Protocol Removal for more information about the vulnerability affecting versions prior to 3.1.0 and 2.1.4. Finally, the security fixes and bug fixes were backported to our PHP4 branch with the release of HTML Purifier 2.1.5. See NEWS (PHP4) for a complete changelog.
Posted about 17 years ago
This is a security and bugfix release for the HTML Purifier 2.1 series, and should only be downloaded by developers stuck on PHP 4. Important: Please upgrade your libraries as quickly as possible. The vulnerability was discovered internally, and no known exploits have been found in the wild. This is the same vulnerability as was fixed in HTML Purifier 3.1.0. See NEWS for a complete changelog.
Posted about 17 years ago
HTML Purifier 3.1.0 is the first official stable release for 3.1 series. It improves HTML Purifier's integration with PHP 5, mainly through the new use of autoloading. It also includes support for the !important CSS modifier, display and visibility CSS properties with %CSS.AllowTricky, marquee with %HTML.Proprietary (had you scared for a moment, hmm?), a kses() wrapper, %CSS.AllowedProperties, %HTML.ForbiddenAttributes and %HTML.ForbiddenElements and a totally revamped ConfigDoc system. Since the release candidate, there have also been a number of stability fixes such as improved URI escaping, a change in serializer ID format, and a relaxed format for %HTML.Allowed. And as always, numerous bugfixes. Important: HTML Purifier 3.1.0 also fixes a security vulnerability. Please upgrade your libraries as quickly as possible. The vulnerability was discovered internally, and no known exploits have been found in the wild. For a detailed migration guide, please see the 3.1.0 release page. If you had been using the release candidate, you do not need to worry about this.
Posted about 17 years ago
HTML Purifier 3.1.0 is the first official stable release for 3.1 release. It improves HTML Purifier's integration with PHP 5, mainly through the new use of autoloading. It also includes support for the !important CSS modifier, display and visibility CSS properties with %CSS.AllowTricky, marquee with %HTML.Proprietary (had you scared for a moment, hmm?), a kses() wrapper, %CSS.AllowedProperties, %HTML.ForbiddenAttributes and %HTML.ForbiddenElements and a totally revamped ConfigDoc system. Since the release candidate, there have also been a number of stability fixes such as improved URI escaping, a change in serializer ID format, and a relaxed format for %HTML.Allowed. And as always, numerous bugfixes. Important: HTML Purifier 3.1.0 also fixes a security vulnerability. Please upgrade your libraries as quickly as possible. The vulnerability was discovered internally, and no known exploits have been found in the wild. For a detailed migration guide, please see the 3.1.0 release page. If you had been using the release candidate, you do not need to worry about this.
Posted about 17 years ago
I assure you, this has never happened before to HTML Purifier; never before have we had a release candidate. I assure you, there is something big with this release, and that's why I am painstakingly doing a release candidate before the official 3.1 series begins. To read more about it, please check out the 3.1.0rc1 release candidate page.
Posted over 17 years ago
Release 3.0.0 is the first release of 2008 and also HTML Purifier's first PHP 5 only release. The 2.1 series will still be supported for bug and security fixes, but will not get new features. This release has a number of improvements in CSS handling, including the filter HTMLPurifier_Filter_ExtractStyleBlocks which integrates HTML Purifier with CSSTidy for cleaning style sheets (see the source code file for more information on usage), contains experimental support for proprietary CSS properties with %CSS.Proprietary, case-insensitive CSS properties, and more lenient hexadecimal color codes. Also, all code has been upgraded to full PHP 5 and is E_STRICT clean for all versions of PHP 5 (including the 5.0 series, which previously had parse-time errors). See NEWS for a complete changelog.
Posted over 17 years ago
Stability release 2.1.3 fixes a slew of minor bugs found in HTML Purifier, and also includes some internal code enhancements and refactorings. Notably, tests/multitest.php automates testing in multiple versions, fatal AttrDef_URI_Email error fixed, blockquote contents are more lenient in HTML 4.01 Strict and fatal errors involving ID tags in img tags were fixed. See NEWS for a complete changelog.