HTML Purifier is a PHP library that removes all malicious code (XSS) from HTML while also ensuring that your pages follow the W3C standards. This release mainly fixes security vulnerabilities and adds new configuration directives: %CSS.Trusted, %CSS.AllowedFonts, and %Cache.SerializerPermissions. Note that this release's API differs from earlier versions, so take care when upgrading.
The detailed HTML Purifier changes are as follows:
# Fixed broken caching of customized raw definitions, but requires an API change. The old API still works but will emit a warning, see http://htmlpurifier.org/docs/enduser-customize.html#optimized for how to upgrade your code.
# Protect against Internet Explorer innerHTML behavior by specially treating attributes with backticks but no angled brackets, quotes or spaces. This constitutes a slight semantic change, which can be reverted using %Output.FixInnerHTML. Reported by Neike Taika-Tessaro and Mario Heiderich.
# Protect against cssText/innerHTML by restricting allowed characters used in fonts further than mandated by the specification and encoding some extra special characters in URLs. Reported by Neike Taika-Tessaro and Mario Heiderich.
! Added %HTML.Nofollow to add rel="nofollow" to external links.
! More types of SPL autoloaders allowed on later versions of PHP.
! Implementations for position, top, left, right, bottom, z-index when %CSS.Trusted is on.
! Add %Cache.SerializerPermissions option for custom serializer directory/file permissions.
! Fix longstanding bug in Flash support for non-IE browsers, and allow more wmode attributes.
! Add %CSS.AllowedFonts to restrict permissible font names.
- Switch to an iterative traversal of the DOM, which prevents us from running out of stack space for deeply nested documents. Thanks Maxim Krizhanovsky for contributing a patch.
- Make removal of conditional IE comments ungreedy; thanks Bernd for reporting.
- Escape CDATA before removing Internet Explorer comments.
- Fix removal of id attributes under certain conditions by ensuring armor attributes are preserved when recreating tags.
- Check if schema.ser was corrupted.
- Check if zend.ze1_compatibility_mode is on, and error out if it is. This safety check is only done for HTMLPurifier.auto.php; if you are using standalone or the specialized includes files, you're expected to know what you're doing.
- Stop repeatedly writing the cache file after I'm done customizing a raw definition. Reported by ajh.
- Switch to using require_once in the Bootstrap to work around bad interaction with Zend Debugger and APC. Reported by Antonio Parraga.
- Fix URI handling when hostname is missing but scheme is present. Reported by Neike Taika-Tessaro.
- Fix missing numeric entities on DirectLex; thanks Neike Taika-Tessaro for reporting.
- Fix harmless notice from indexing into empty string. Thanks Matthijs Kooijman <matthijs@stdin.nl> for reporting.
- Don't autoclose if no parent elements are able to support the element that triggered the autoclose. In particular fixes strange behavior of stray <li> tags. Thanks pkuliga@gmail.com for reporting and Neike Taika-Tessaro <pinkgothic@gmail.com> for debugging assistance.
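To show how the 4.3.0 directives named above and the changed raw-definition customization API fit together, here is an added PHP example (it is not from the release notes or the HTML Purifier project); the definition ID, the attribute added to `<a>`, and the sample input are assumptions made for illustration.

```php
<?php
// Added example (not from the release notes or the HTML Purifier project):
// wiring up the 4.3.0 directives mentioned in the announcement and the
// cache-friendly customization pattern the first changelog entry refers to.
// Assumes htmlpurifier-4.3.0 has been unpacked next to this script.
require_once 'htmlpurifier-4.3.0/library/HTMLPurifier.auto.php';

$config = HTMLPurifier_Config::createDefault();

// New in 4.3.0: tag every external link with rel="nofollow".
$config->set('HTML.Nofollow', true);

// New in 4.3.0: whitelist font names instead of accepting any string;
// this complements the cssText/innerHTML hardening in the changelog.
$config->set('CSS.AllowedFonts', array('serif', 'sans-serif', 'Arial'));

// New in 4.3.0: permissions used for the serializer cache directory/files.
$config->set('Cache.SerializerPermissions', 0755);

// Customizing the raw definition: give it an ID and a revision so the
// result can be cached; bump DefinitionRev whenever the block below changes.
$config->set('HTML.DefinitionID', 'example-def');  // constructed name
$config->set('HTML.DefinitionRev', 1);

// Old (pre-4.3.0) pattern, which now emits a warning and defeats caching:
//   $def = $config->getHTMLDefinition(true);
//   $def->addAttribute(...);
// 4.3.0 pattern: maybeGetRawHTMLDefinition() returns the raw definition
// only when no cached copy exists, so the customization runs once.
if ($def = $config->maybeGetRawHTMLDefinition()) {
    // Hypothetical customization: allow a restricted target attribute on links.
    $def->addAttribute('a', 'target', 'Enum#_blank,_self');
}

$purifier = new HTMLPurifier($config);

// Constructed sample input: an inline event handler, a script element,
// an external link, and a font name that is not on the allowed list.
$dirty = '<p onclick="alert(1)">Hi <script>alert(1)</script>'
       . '<a href="http://example.com/" target="_blank">site</a>'
       . '<span style="font-family: \'Comic Sans MS\'; color: red;">x</span></p>';

echo $purifier->purify($dirty), "\n";
```

Because the definition carries an ID and revision, the `addAttribute` call is only executed when the serializer cache does not yet hold that definition; edit the definition without bumping `HTML.DefinitionRev` and the cached copy will keep being served.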
Download:
http://htmlpurifier.org/releases/htmlpurifier-4.3.0.zip
http://htmlpurifier.org/releases/htmlpurifier-4.3.0.tar.gz