HTML Purifier

Release Notes: This is a major security release addressing various security vulnerabilities related to user-submitted code and legitimate client-side scripts. It also contains an accumulation of new features and bugfixes over half a year. New configuration options include %CSS.Trusted, %CSS.AllowedFonts, and %Cache.SerializerPermissions. There is a backwards-incompatible API change for customized raw definitions.

Release Notes: This is a minor release that implements a number of feature requests accumulated over half a year. New configuration options include %Core.RemoveProcessingInstructions, %CSS.ForbiddenProperties, %HTML.FlashAllowFullScreen, and %Core.NormalizeNewlines. Additionally, %URI.DisableResources is now functional and "file:" is an optionally supported URI scheme. There are also some minor bugfixes, usability improvements, and documentation updates.

Release Notes: This is a major security and bugfix release that improves on version 4.1's fix for an XSS vulnerability exploitable on Internet Explorer. It also contains a number of important bugfixes, including the removal of improper logic that could result in infinite loops and fixed parsing for single-attributes with entities with DirectLex.

Release Notes: This is a major security release that fixes an XSS vulnerability exploitable on Internet Explorer. It also contains a number of new features, including dramatically more flexible Flash support, including %Output.FlashCompat to replace %HTML.SafeEmbed, optional support for the data: URI scheme, and better HTML parsing capabilities.

Release Notes: This is a major feature release focused on configuration. It deprecates the $config->set('Ns', 'Directive', $value) syntax in favor of $config->set('Ns.Directive', $value). Both syntaxes work, but the former will throw errors. There are also some new features: robust support for name/id, configuration inheritance, removal of nbsp in the RemoveEmpty autoformatter, userland configuration directives, and configuration serialization.