New version 1.2.15 of htmLawed released on 4 August 2023:
Proper checking of attribute formaction for security
Transformation for deprecated attribute bgcolor for tbody, tfoot, and thead
Support for URL schemes ws and wss
New version 1.2.14 of htmLawed released on 25 May 2023 fixes an issue that prevented use of the srcset attribute in source and link elements.
New version 1.2.13 of htmLawed released on 1 May 2023 to fix issues with nesting for 'details'/'ruby' attributes, handling of self-closing tags, parsing of $config 'schemes', and handling of multiple values in 'sizes' attribute.
New version 1.2.12 of htmLawed released on 25 Apr 2023: Fixes issue that prevented use of attribute 'sizes' in 'img' and 'source' elements.
New version 1.2.11 of htmLawed released on 23 Jan. 2023: Fixes an XSS vulnerability arising from a lack of inspection for the alphabetical HTML entity for the colon character in URLs.
New version 1.2.10 of htmLawed released on 5 Nov. 2022: class methods can now be specified as $config hook and hook_tag functions; corrects a PHP notice if $config["schemes"] mistakenly lacks colons.
htmLawed 1.2.9 released on 2 July 2022. Improves parsing of $config["deny_attribute"] to permit spaces flanking comma characters and allow references to sets of all ARIA, data- and event attributes; fixes parsing of $spec for data- attribute rules; now permits use of aria, data, and on* in $spec; now covers all named HTML entities of current standard specification (this increased htmLawed code size by ~40%); recognizes that closing tag may be omitted for caption, optgroup, rp, rt, and tbody as well; recognizes that archive and poster attribute values can have URLs, which can be multiple; recognizes onloadend as global attribute; renames some internal functions; improved standards-compliance for element nesting.
htmLawed 1.2.8 released on 6 Jun. 2022 – Fixes incorrect formatting of HTML comments when $config["comment"] = 4; fixes misreading of entity-fied colon characters in style attribute values; $config["show_setting"] now includes htmLawed version; improved PHP 8.2 code compatibility, and readability.
htmLawed 1.2.7 released on 10 Apr. 2022 – Support for elements dialog, picture, slot, and template; support for custom HTML elements; support for global attributes autocapitalize, autofocus, enterkeyhint, inputmode, is, and nonce; support for 17 additional ARIA and 11 additional on* event handler attributes; support for attributes with names not beginning with a-z; fix for a minor bug arising during deprecated height/weight attribute transformation
htmLawed 1.2.6 released on 4 Sept. 2021 – Fixes a bug that arises when $config["deny_attribute"] has a data-* attribute with > 1 hyphen character
The current version of htmLawed (1.2.5) is compatible with PHP 8.0 (PHP 8.0.0 tested with htmLawed version 1.2.5).
htmLawed 1.2.4.2 released
Corrects a minor issue that made PHP issue a notice.
Corrects a function re-declaration bug introduced in version 1.2.4
Removes use of PHP create_function function and $php_errormsg reserved variable (deprecated in PHP 7.2)
New option value of 4 for $config["comment"] to stop enforcing a space character before the --> comment-closing marker
Fix for a bug in parsing $spec that got introduced in version 1.2; also, $spec is now parsed to accommodate specifications for an HTML element when they are specified in multiple rules
htmLawed 1.2.1.1 released on 17 May 2017; fixes a security vulnerability
(First beta release on 26 May 2013). Added support for HTML version 5; ARIA, data-star and microdata attributes; app, data, javascript and tel URL schemes (thus, javascript: is not filtered in default mode). Removed support for code using Kses functions (see section 2.6). Changes in revisions to the beta releases are not noted here.
Improved testing of attribute value rules specified in $spec.
Improvement and security fix in transforming 'font' element.
Fix for a potential security vulnerability arising from unescaped double-quote character in single-quoted attribute value of some deprecated elements when tag transformation is enabled; recognition for non-(HTML4) standard 'allowfullscreen' attribute of 'iframe'.
Fix for a bug in cleaning of soft-hyphens in URL values, etc.
Fix for a potential security vulnerability arising from specially encoded text with serial opening tags
Removed use of PHP function preg_replace with e modifier for compatibility with PHP 5.5