File php-pear-HTMLPurifier.changes of Package php-pear-HTMLPurifier
-------------------------------------------------------------------
Fri Dec 6 13:41:46 UTC 2019 - Johannes Weberhofer <jweberhofer@weberhofer.at>
- Use new php-pear spec schema
- Upgraded to version 4.11.0
* # SafeScripting now matches case-sensitively against its whitelist (previously it was
case-insensitive.) Thanks Dimitri Gritsajuk <gritsajuk.dimitri@gmail.com>
for reporting.
* ! New directive %Core.AllowParseManyTags which allows parsing of many nested tags.
Thanks M. Suzuki <msuzuki1986@gmail.com> for contributing the patch.
* ! purifyArray now supports multidimensional arrays. Thanks
Sandro Miguel Marques <sandromiguel@sandromiguel.com> for contributing this patch.
* ! initial and inherit settings available for width, height, and the min-/max-
versions thereof. Thanks Michael Kliewe <info@phpgansta.de> for contributing
this patch.
* ! More color names are supported. Thanks Daijobou for contributing.
* Compatibility fixes for PHP 7.3, including new CI for PHP 7.3
(thank you Lukas Neumann <lksnmnn@gmail.com>) and removal of
reserved words in our constants (thanks Darko Hrgovic <darko@darkodev.com>).
* Compatibility fixes for HHVM. Thanks Mateusz Turcza for contributing
this fix.
* HTML Purifier now never defines __autoload, fixing #196. Thanks
Michael Kliewe for reporting.
* In some situations, Config.php would report an undefined index: class
error; this has been fixed. Thanks DiLong Fa for contributing
this fix.
* We no longer produce <script /> tags; we always explicitly write
out the open and close tag. Thanks Dimitri Gritsajuk
<gritsajuk.dimitri@gmail.com> for contributing this fix.
* Better compatibility when IDNA constants are not present. Thanks
Mateusz Turcza <xemlock@gmail.com> for contributing this fix.
-------------------------------------------------------------------
Sat May 19 17:32:43 UTC 2018 - jweberhofer@weberhofer.at
- Improved spec
- Upgraded to version 4.10.0
! Relative CSS length units are now supported
- A few PHP 7.2 compatibility fixes, thanks John Flatness
<john@zerocrates.org>
- Improve portability with old versions of libxml which don't
support accessing the data of a node
- IDNA2008 is now used for converting domains to ASCII, fixing
some rather strange bugs with international domains
- Fix race condition resulting in E_WARNING when creating
directories with Serializer
- Workaround PHP 7.1 infinite loop when opcode cache is enabled.
Thanks @Xiphin (#134, #135)
- Don't use autoloader when testing for DOMDocument. Hypothetically,
this could cause your install to start using DirectLex if you had
previously been monkeypatching in a custom, autoloaded implementation
of DOMDocument. Don't do that. Thanks @Izumi-kun (#130)
-------------------------------------------------------------------
Fri Sep 1 15:25:50 UTC 2017 - jweberhofer@weberhofer.at
- Cleaned up spec
- Use new php7-macros
-------------------------------------------------------------------
Sat Aug 5 11:25:54 UTC 2017 - jweberhofer@weberhofer.at
- Explicitly obsoletes old version
-------------------------------------------------------------------
Sat Aug 5 10:59:09 UTC 2017 - jweberhofer@weberhofer.at
- Added provides section for php-pear-htmlpurifier
-------------------------------------------------------------------
Sat Aug 5 09:29:38 UTC 2017 - jweberhofer@weberhofer.at
- Split off a php7 package
-------------------------------------------------------------------
Sat Aug 5 09:22:58 UTC 2017 - jweberhofer@weberhofer.at
- Explicitly build for php5 not for php7
-------------------------------------------------------------------
Sat Aug 5 09:16:37 UTC 2017 - jweberhofer@weberhofer.at
- Upgraded to version 4.9.2
- Fixes PHP 5.3 compatibility
- Fix breakage when decoding decimal entities. Thanks @rybakit (#129)
- 4.9.1
! %URI.DefaultScheme can now be set to null, in which case
all relative paths are removed.
! New CSS properties: min-width, max-width, min-height, max-height (#94)
! Transparency (rgba) and hsl/hsla supported where color CSS is present.
Thanks @fxbt for contributing the patch. (#118)
- When idn_to_ascii is defined, we might accept malformed
hostnames. Apply validation to the result in such cases.
- Close directory when done in Serializer DefinitionCache (#100)
- Deleted some asserts to avoid linters from choking (#97)
- Rework Serializer cache behavior to avoid chmod'ing if possible (#32)
- Embedded semicolons in strings in CSS are now handled correctly!
- We accidentally dropped certain Unicode characters if there was
one or more invalid characters. This has been fixed, thanks
to mpyw <ryosuke_i_628@yahoo.co.jp>
- Fix for "Don't truncate upon encountering </div> when using DOMLex"
caused a regression with HTML 4.01 Strict parsing with libxml 2.9.1
(and maybe later versions, but known OK with libxml 2.9.4). The
fix is to go about handling truncation a bit more cleverly so that
we can wrap with divs (sidestepping the bug) but slurping out the
rest of the text in case it ran off the end. (#78)
- Fix PREG_BACKTRACK_LIMIT_ERROR in HTMLPurifier_Filter_ExtractStyle.
Thanks @breathbath for contributing the report and fix (#120)
- Fix entity decoding algorithm to be more conservative about
decoding entities that are missing trailing semicolon.
To get old behavior, set %Core.LegacyEntityDecoder to true.
(#119)
- Workaround libxml bug when HTML tags are embedded inside
script tags. To disable workaround set %Core.AggressivelyRemoveScript
to false. (#83)
# By default, when a link has a target attribute associated
with it, we now also add rel="noopener" in order to
prevent the new window from being able to overwrite
the original frame. To disable this protection,
set %HTML.TargetNoopener to FALSE.
-------------------------------------------------------------------
Sun Sep 18 19:05:55 UTC 2016 - jweberhofer@weberhofer.at
- Upgraded to version 4.8.0
# By default, when a link has a target attribute associated
with it, we now also add rel="noreferrer" in order to
prevent the new window from being able to overwrite
the original frame. To disable this protection,
set %HTML.TargetNoreferrer to FALSE.
! Full PHP 7 compatibility, the test suite is ALL GO.
! %CSS.AllowDuplicates permits duplicate CSS properties.
! Support for 'tel' URIs.
! Partial support for 'border-radius' properties when %CSS.AllowProprietary is true.
The slash syntax, i.e., 'border-radius: 2em 1em 4em / 0.5em 3em' is not
yet supported.
! %Attr.ID.HTML5 turns on HTML5-style ID handling.
- alt truncation could result in malformed UTF-8 sequence. Don't
truncate. Thanks Brandon Farber for reporting.
- Linkify regex is smarter, based off of Gruber's regex.
- IDNA supported natively on PHP 5.3 and later.
- Non all-numeric top-level names (e.g., foo.1f, 1f) are now
allowed.
- Minor bounds error fix to squash a PHP 7 notice.
- Support non-/tmp temporary directories for data:// validation
- Give a better error message when a user attempts to allow
ul/ol without allowing li.
- On some versions of PHP, the Serializer DefinitionCache could
infinite loop when the directory exists but is not listable. (#49)
- Don't match for <body> inside comments with
%Core.ConvertDocumentToFragment. (#67)
- SafeObject is now less case sensitive. (#57)
- AutoFormat.RemoveEmpty.Predicate now correctly renders in
web form. (#85)
-------------------------------------------------------------------
Tue May 17 07:51:40 UTC 2016 - jweberhofer@weberhofer.at
- Upgraded to Version 4.7.0
* opacity is now considered a "tricky" CSS property rather than a
proprietary one.
* %AutoFormat.RemoveEmpty.Predicate for specifying exactly when
an element should be considered "empty" (maybe preserve if it
has attributes), and modify iframe support so that the iframe
is removed if it is missing a src attribute. Thanks meeva for
reporting.
* Don't truncate upon encountering </div> when using DOMLex.
Thanks Myrto Christina for finally convincing me to fix this.
* Update YouTube filter for new code.
* Fix parsing of rgb() values with spaces in them for 'border'
attribute.
* Don't remove foo="" attributes if foo is a boolean attribute.
Thanks valME for reporting.
- cleaned up spec file
-------------------------------------------------------------------
Fri Jan 10 16:15:27 UTC 2014 - jweberhofer@weberhofer.at
- Upgraded to Version 4.6.0
* Secure URI munge hashing algorithm has changed to hash_hmac("sha256", $url,
$secret). Please update any verification scripts you may have.
* URI parsing algorithm was made more strict, so only prefixes which
look like schemes will actually be schemes. Thanks Michael Gusev
<mgusev@sugarcrm.com> for fixing.
* %Core.EscapeInvalidChildren is no longer supported, and no longer does
anything.
* New directive %Core.AllowHostnameUnderscore which allows underscores
in hostnames.
* Eliminate quadratic behavior in DOMLex by using a proper queue.
Thanks Ole Laursen for noticing this.
* Rewritten MakeWellFormed/FixNesting implementation eliminates quadratic
behavior in the rest of the purification pipeline. Thanks Chedburn
Networks for sponsoring this work.
* Made Linkify URL parser a bit less permissive, so that non-breaking
spaces and commas are not included as part of URL. Thanks nAS for fixing.
* Fix some bad interactions with %HTML.Allowed and injectors. Thanks
David Hirtz for reporting.
* Fix infinite loop in DirectLex. Thanks Ashar Javed (@soaj1664ashar)
for reporting.
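
A redirector-side verification script for the 4.6.0 munge hash, hash_hmac("sha256", $url, $secret), named in the first item of this entry. This is an added example, not code from HTML Purifier or from this package; the query parameter names `url` and `t`, the function names and the sample secret are assumptions.

```php
<?php
declare(strict_types=1);
// Added example (requires PHP 7.1+). Parameter names "url" and "t" are hypothetical.

/** Hash as documented for 4.6.0: hash_hmac("sha256", $url, $secret). */
function munge_token(string $url, string $secret): string
{
    return hash_hmac('sha256', $url, $secret);
}

/** True only if $token is the HMAC of exactly this URL under $secret. */
function munge_token_is_valid(string $url, string $token, string $secret): bool
{
    if ($secret === '' || $token === '') {
        return false; // never accept an unset key or a missing token
    }
    // hash_equals compares in constant time, unlike === on strings
    return hash_equals(munge_token($url, $secret), $token);
}

/** Returns the URL to redirect to, or null if the request must be refused. */
function checked_redirect_target(array $query, string $secret): ?string
{
    $url = $query['url'] ?? null;
    $token = $query['t'] ?? null;
    if (!is_string($url) || !is_string($token)) {
        return null; // array-valued parameters (url[]=...) are rejected
    }
    if (!munge_token_is_valid($url, $token, $secret)) {
        return null;
    }
    // The HMAC shows the URL was issued with the key; still restrict schemes.
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? $url : null;
}

// Constructed sample input, not real data.
$secret = 'constructed-example-secret';
$url = 'http://example.com/page?x=1';
$valid = ['url' => $url, 't' => munge_token($url, $secret)];
$nonHmac = ['url' => $url, 't' => sha1($url)];                 // token from a different scheme
$reused = ['url' => 'http://example.net/', 't' => $valid['t']]; // token issued for another URL

var_dump(checked_redirect_target($valid, $secret));
var_dump(checked_redirect_target($nonHmac, $secret));
var_dump(checked_redirect_target($reused, $secret));
```

A verification script that still computes any other hash will refuse every link munged by 4.6.0 or later, which is why the entry asks for such scripts to be updated together with the package.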
-------------------------------------------------------------------
Mon Apr 29 11:24:29 UTC 2013 - jweberhofer@weberhofer.at
- Fixed a wrong channel dependency
-------------------------------------------------------------------
Mon Apr 29 07:57:56 UTC 2013 - jweberhofer@weberhofer.at
- Upgraded to Version 4.5.0
* Fix bug where stacked attribute transforms clobber each other; this also
means it's no longer possible to override attribute transforms in later
modules. No internal code was using this but this may break some clients.
* We now use SHA-1 to identify cached definitions, instead of MD5.
* Support display:inline-block
* Support for more white-space CSS values.
* Permit underscores in font families
* Support for page-break-* CSS3 properties when proprietary properties
are enabled.
* New directive %Core.DisableExcludes; can be set to 'true' to turn off
SGML excludes checking. If HTML Purifier is removing too much text
and you don't care about full standards compliance, try setting this to
'true'.
* Use prepend for SPL autoloading on PHP 5.3 and later.
* Fix bug with nofollow transform when pre-existing rel exists.
* Fix bug where background:url() always gets lower-cased
(but not background-image:url())
* Fix bug with non lower-case color names in HTML
* Fix bug where data URI validation doesn't remove temporary files.
Thanks Javier Marín Ros <javiermarinros@gmail.com> for reporting.
* Don't remove certain empty tags on RemoveEmpty.
- improved spec
-------------------------------------------------------------------
Sat Apr 14 16:54:33 UTC 2012 - jweberhofer@weberhofer.at
- fix requirements for non opensuse based distributions
-------------------------------------------------------------------
Wed Mar 7 10:11:55 UTC 2012 - jweberhofer@weberhofer.at
- Version 4.4.0
- Removed PEARSax3 handler.
- URI.Munge now munges URIs inside the same host that go from https
to http. Reported by Neike Taika-Tessaro.
- Core.EscapeNonASCIICharacters now always transforms entities to
entities, even if target encoding is UTF-8.
- Tighten up selector validation in ExtractStyleBlocks.
Non-syntactically valid selectors are now rejected, along with
some of the more obscure ones such as attribute selectors, the
:lang pseudoselector, and anything not in CSS2.1. Furthermore,
ID and class selectors now work properly with the relevant
configuration attributes. Also, mute errors when parsing CSS
with CSS Tidy.
- Added support for 'scope' attribute on tables.
- Added %HTML.TargetBlank, which adds target="blank" to all outgoing links.
- Properly handle sub-lists directly nested inside of lists in
a standards compliant way, by moving them into the preceding <li>
- Added %HTML.AllowedComments and %HTML.AllowedCommentsRegexp for
limited allowed comments in untrusted situations.
- Implement iframes, and allow them to be used in untrusted mode with
%HTML.SafeIframe and %URI.SafeIframeRegexp. Thanks Bradley M. Froehle
<brad.froehle@gmail.com> for submitting an initial version of the patch.
- The Forms module now works properly for transitional doctypes.
- Added support for internationalized domain names. You need the PEAR
Net_IDNA2 module to be in your path; if it is installed, ensure the
class can be loaded and then set %Core.EnableIDNA to true.
- Color keywords are now case insensitive. Thanks Yzmir Ramirez
<yramirez-htmlpurifier@adicio.com> for reporting.
- Explicitly initialize anonModule variable to null.
- Do not duplicate nofollow if already present. Thanks 178
for reporting.
- Do not add nofollow if hostname matches our current host. Thanks 178
for reporting, and Neike Taika-Tessaro for helping diagnose.
- Do not unset parser variable; this fixes intermittent serialization
problems. Thanks Neike Taika-Tessaro for reporting, bill
<10010tiger@gmail.com> for diagnosing.
- Fix iconv truncation bug, where non-UTF-8 target encodings see
output truncated after around 8000 characters. Thanks Jörg Ludwig
<joerg.ludwig@iserv.eu> for reporting.
- Fix broken table content model for XHTML1.1 (and also earlier
versions, although the W3C validator doesn't catch those violations).
Thanks GlitchMr <glitch.mr@gmail.com> for reporting.
-------------------------------------------------------------------
Wed May 25 00:16:00 CET 2011 - opendevel@weberhofer.at
- corrected project homepage
-------------------------------------------------------------------
Fri May 20 16:51:00 CET 2011 - opendevel@weberhofer.at
- package version 4.3.0
- fixed some dependency issues