Complete migration to new News format.
[htmlpurifier-web.git] / news / 2008 / 0619-3.1.1-released.xhtml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xc="urn:xhtml-compiler"
xml:lang="en">
<head>
<title>HTML Purifier 3.1.1 released - News - HTML Purifier</title>
<xi:include href="common-meta.xml" xpointer="xpointer(/*/node())" />
<meta name="Date" content="Thu, 19 June 2008 17:57:00 EST" />
</head>
<body>

<xi:include href="common-header.xml" xpointer="xpointer(/*/node())" />
<h1 id="title">HTML Purifier 3.1.1 released</h1>

<div id="content">
<p>
HTML Purifier 3.1.1 is a security and bugfix release. This release addresses
two security vulnerabilities, both related to <abbr>CSS</abbr>, one of which only
applies to users using Shift_JIS as their output encoding. There is also
a security improvement regarding the imagecrash attack. There is a
backwards-incompatible change to %URI.Munge: resources are no longer munged
by default; to restore the previous behavior, enable %URI.MungeResources.
Besides this, there are numerous improvements to <abbr>URI</abbr> munging,
especially the addition of %URI.MungeSecretKey, as well as an experimental
implementation of %HTML.SafeObject and %HTML.SafeEmbed. There are also some
memory optimizations.
</p>
<p>
As this is a security release, please update as quickly as possible. Care has
been taken to prevent backwards-compatibility breakage this time (something that
plagued users who tried to upgrade to 3.1.0); there is only one slight break,
related to a bugfix, that can be easily undone with %URI.MungeResources.
</p>
<p>
See <a href="http://htmlpurifier.org/svnroot/htmlpurifier/tags/3.1.1/NEWS">NEWS</a>
for a complete changelog. There were numerous added configuration directives
not mentioned above.
</p>
<p>
Along with this release, we would like to announce full disclosure on
the security vulnerability patched in 3.1.0. Please see
<a href="security/2008/http-protocol-removal.html" xc:absolute="href"><abbr>HTTP</abbr> Protocol Removal</a>
for more information about the vulnerability affecting versions prior
to 3.1.0 and 2.1.4.
</p>
<p>
Finally, the security fixes and bug fixes were backported to our PHP4
branch with the release of HTML Purifier 2.1.5. See
<a href="http://htmlpurifier.org/svnroot/htmlpurifier/tags/2.1.5/NEWS">NEWS (PHP4)</a>
for a complete changelog.
</p>
</div>
</body>
</html>