<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xc="urn:xhtml-compiler"
xc:news="yes"
xml:lang="en">
<head>
<title>HTML Purifier 3.1.1 released - News - HTML Purifier</title>
<xi:include href="common-meta.xml" xpointer="xpointer(/*/node())" />
<meta name="Date" content="Thu, 19 June 2008 17:57:00 EST" />
</head>
<body>

<xi:include href="common-header.xml" xpointer="xpointer(/*/node())" />

<div id="main">
<h1 id="title">HTML Purifier 3.1.1 released</h1>

<div id="content">
<p>
HTML Purifier 3.1.1 is a security and bugfix release. This release addresses
two security vulnerabilities, both related to <abbr>CSS</abbr>, one of which
applies only to users using Shift_JIS as their output encoding. There is also
a security improvement regarding the imagecrash attack. There is a
backwards-incompatible change to %URI.Munge: resources are no longer munged
by default; to munge them, enable %URI.MungeResources. Besides this, there
are numerous improvements to <abbr>URI</abbr> munging, especially the addition of
%URI.MungeSecretKey, as well as an experimental implementation of
%HTML.SafeObject and %HTML.SafeEmbed. There are also some memory optimizations.
</p>
<p>
As this is a security release, please update as quickly as possible. Care has been
taken to prevent backwards-compatibility breakage this time (something that
plagued users who tried to upgrade to 3.1.0); there is only one slight break,
related to a bugfix, which can be easily undone with %URI.MungeResources.
</p>
<p>
See <a href="http://htmlpurifier.org/svnroot/htmlpurifier/tags/3.1.1/NEWS">NEWS</a>
for a complete changelog. Numerous configuration directives not mentioned
above were also added.
</p>
<p>
Along with this release, we would like to announce full disclosure of
the security vulnerability patched in 3.1.0. Please see
<a href="security/2008/http-protocol-removal.html" xc:absolute="href"><abbr>HTTP</abbr> Protocol Removal</a>
for more information about the vulnerability affecting versions prior
to 3.1.0 and 2.1.4.
</p>
<p>
Finally, the security fixes and bug fixes were backported to our PHP4
branch with the release of HTML Purifier 2.1.5. See
<a href="http://htmlpurifier.org/svnroot/htmlpurifier/tags/2.1.5/NEWS">NEWS (PHP4)</a>
for a complete changelog.
</p>
</div>
</div>
</body>
</html>