CHANGES.txt

Changelog
=========

2.1.3 (unreleased)
------------------


2.1.2 (2012-12-09)
------------------

- Adjust safe_html transform to block various XSS vulnerabilities. This fixes
  https://plone.org/products/plone/security/advisories/20121106/18
  [davisagli]


2.1.1 (2012-10-05)
------------------

- Do not try to handle invalid tags : we take for granted that html coming out
  of converters do not hold any of embed, script, object or applet tags.


2.1 (2012-10-05)
----------------

- Avoid throwing exceptions on js attrs and invalid tags in word_to_html
  transform
  [gotcha]

- Handle charrefs & entityrefs in data and attributes equaly (unchanged)
  if converting to safe_html
  [tom_gross]

2.0.7 - 2011-07-04
------------------

The following three changes collectively fix
http://plone.org/products/plone/security/advisories/CVE-2011-1949

- In the safe_html transform, abort parsing if a broken declaration is found.
  [evilbungle, davisagli]

- In the safe_html transform, remove data URIs.
  [davisagli]

- In the safe_html transform, ignore null bytes when checking for unsafe
  attributes with scripts.
  [davisagli]

2.0.6 - 2011-04-03
------------------

- Update RoleManager import to avoid deprecation warning on Zope 2.13.
  [davisagli]

2.0.5 - 2011-02-26
------------------

- Fix regression due to the security declarations added in 2.0.4: convertTo
  should still be public, but not publishable.
  [davisagli]

2.0.4 - 2011-02-25
------------------

- Fix missing security declarations.
  [davisagli]

2.0.3 - 2010-11-24
------------------

- Fix manage_options which accidentally got turned into a tuple in some
  refactoring.
  [swampmonkey]

- Added missing `url` metadata.
  [hannosch]

2.0.2 - 2010-10-27
------------------

* Close ``<p>`` tags properly in ``configureTransform.zpt``.
  [swampmonkey]

* Add HTML5 tags as valid: `article`, `aside`, `audio`, `canvas`, `command`,
  `datalist`, `details`, `figcaption`, `figure`, `footer`, `header`, `hgroup`,
  `keygen`, `mark`, `rp`, `rt`, `ruby`, `section`, `source`, `summary`,
  `time`, `video`.
  [limi]

2.0.1 - 2010-07-18
------------------

* Use the standard libraries doctest module.
  [hannosch]

* Added `padding-left` to the style whitelist, to let TinyMCE's indent work.
  This closes http://dev.plone.org/plone/ticket/10557.
  [hannosch]

* PEP8 adjustments for the safe_html transform.
  [hannosch]

2.0 - 2010-07-16
----------------

* Lower test requirements for transform tests to only check the start of each
  file. There's too many subtle differences in the exact output on different
  machines.
  [hannosch]

* PEP8 cleanup of the transform engine code.
  [hannosch]

2.0b6 - 2010-06-13
------------------

* Repeat safe_html transform to block a malicious HTML injection vector. 
  Thanks to evilbungle for the report.
  [MatthewWilkes]

2.0b5 - 2010-04-10
------------------

* Let mimetype maps with empty transform lists be handled more gracefully.
  Fixes: http://dev.plone.org/plone/ticket/10402, refs: r12421.
  [thet]

* Fixed a problem where the cache would return data from transforms
  which are sensitive to virtual hosting (such as the resolve UID
  transforms used by visual editors) which had been cached for a
  different virtual host.
  [rossp]

2.0b4 - 2010-03-01
------------------

* Restore output/logo.jpg and output/logo.bmp from 1.6 branch.
  [stefan]

2.0b3 - 2010-02-19
------------------

* Make tests pass with poppler's pdftohtml converter. Standalone
  pdftohtml produces different output and should be avoided.
  [stefan]

2.0b2 - 2010-02-05
------------------

* Updated expected output images to most current format.
  [hannosch]

2.0b1 - 2010-01-03
------------------

* Fixed a serious performance issue in the find transform path algorithm.
  This refs http://dev.plone.org/plone/ticket/9497.
  [hannosch, sig]

* Protect against failures in the transform engine, which prevented zexp
  imports of sites.
  [hannosch]

* Fixed package dependency declaration.
  [hannosch]

2.0a2 - 2009-12-02
------------------

* Added HTML5 tags as allowed tags.
  [limi]

* Made sure the meta tag is stripped, since not doing it can let things like
  HTML redirects slip through, which makes for unpredictable behavior.
  [limi]

* Added style to nasty tags, addresses http://dev.plone.org/plone/ticket/9015.
  [jonstahl]

2.0a1 - 2009-11-13
------------------

* Added stripped_attributes, stripped_combinations, style_whitelist and
  class_blacklist attributes to the safe_html transform.
  [robgietema]

* Avoid acquiring `mimetypes_registry` and call it via a proper API.
  [hannosch]

* Downgraded log messages about unavailable binaries to debug level.
  [hannosch]

* Updated test output to be compatible with docutils 0.5.
  [hannosch]

* Removed z3 sub-package. Interfaces are in the interfaces module.
  [hannosch]

* Cleaned up package metadata.
  [hannosch]

* Declare test dependencies in an extra and fixed deprecation warnings
  for use of Globals.
  [hannosch]

* Made the graph tests conditional on the availability of the external
  binaries for the transform.
  [hannosch]

* Removed useless assert statements.
  [hannosch]

* Structured Text is gone in Zope 2.12.
  [hannosch]

* Transforms to target mimetype with multiple alias mimetypes in
  mimetypes_registry failed. This closes
  http://dev.plone.org/plone/ticket/8187.
  [hannosch]

* Added logging to markdown and textile transforms if the libraries are not
  installed. This closes http://dev.plone.org/plone/ticket/8285.
  [hannosch]

* Purge old zope2 Interface interfaces for Zope 2.12 compatibility.
  Consider branching before this checkin if releases required before Plone 4.
  [elro]

1.6.4 - 2009-10-08
------------------

* Clean up temporary files/directories after memory errors and failed
  conversions.
  [witsch]

1.6.3 - 2009-09-09
------------------

* Fix handling of CDATA sections.
  [optilude]

1.6.2 - 2009-06-18
------------------

* Fix NameError in the purgeCache method.
  [davisagli]

* Fix the way that unsafe transforms calls the input file for the command line
  plugin.
  [encolpe]

* Make markdown transformation unicode safe and depend on Markdown>=1.7
  [tomster]

1.6.1 - 2008-09-30
------------------

* Fixed rest tests when run on Zope 2.11. The raw and include directives are
  disabled but no longer removed.
  [hannosch]

* Disabled markdown and textile tests when their libraries aren't installed
  [fschulze]

* Implemented entity conversion in html to plain text transform.
  [fschulze]

* Added metadata.xml file to the profile.
  [hannosch]

* Allowed the abbr, acronym, var, dfn, samp, address, bdo, thead, tfoot,
  col, and colgroup tags by default, since they are harmless, valid XHTML
  and shouldn't be filtered. Fixes:
  http://dev.plone.org/plone/ticket/6712 and
  http://dev.plone.org/plone/ticket/7251
  [limi]

* Added proper Z3 interfaces and added direct implements statements instead
  of applying the changes later on with zcml. Reduced number of zcml files
  to one.
  [hannosch]

1.6.0 - 2007-08-16
------------------

1.6.0-rc2 - 2007-07-27
----------------------

* Updated componentregisty.xml to new style.
  [hannosch]

1.6.0-rc1 - 2007-07-04
----------------------

1.6.0-b4 - 2007-04-28
---------------------

* Go back to using getToolByName for CMF tools.
  [wichert]

1.6.0-b3 - 2007-03-20
---------------------

* Removed tests/runalltests.py and tests/framework.py as they have
  outlived their usefulness. To run tests use Zope's testrunner:
  ./bin/zopectl test --nowarn -s Products.PortalTransforms
  [stefan]

1.6.0-b2 - 2007-03-05
---------------------

* Adjusted rest tests for Zope 2.10 output.
  [hannosch]

1.6.0-b1 - 2007-02-27
---------------------

* XXX Please use HISTORY.txt when you make changes

1.6.0-a1 - 2007-02-06
---------------------

* Implemented PLIP 149
  [tomster]

1.5.2 - Unreleased
------------------

* Add another XSS fix from for handling extraneous brackets.
  [dunny]

* Add XSS fixes from Anton Stonor to safe_html transform.
  [alecm, stonor]

1.5.1-final - 2007-04-17
------------------------

* note for release-managers: The version-bump to 1.5 was a bit early, but now
  as we have it, i keep it and next release number in the cycle needed for
  Archetypes 1.4.2 (used for Plone 2.5.2) of PortalTransforms is then the 1.5
  final.
  We dont need increasing of release numbers because of Plone 3.0,
  Archetypes 1.5, ... if theres no change in the dependen product, like
  this one.
  [jensens]

1.5.0-final - 2006-12-15
------------------------

1.5.0-a1 - 2006-10-25
---------------------

* casting to int is evil without previous check of the type. so we assume as
  in CMFPlone just zero for non-int-castable values.
  [jensens]

* the values in the safe_html valid tag dictionary can become strings when
  modifying them via the ZMI. Explicitly convert them to integers before
  testing their value.
  [wichert]

1.4.1-final - 2006-09-08
------------------------

* Shut down a noisy logging message to DEBUG level.
  [hannosch]

* Converted logging infrastructure from zLOG usage to Python's logging module.
  [hannosch]

* Avoid DeprecationWarning for manageAddDelete.
  [hannosch]

* Spring-cleaning of tests infrastructure.
  [hannosch]

1.4.0-beta1 - 2006-03-26
------------------------

* removed odd archetypes 1.3 style version checking
  [jensens]

* Removed BBB code for CMFCorePermissions import location.
  [hannosch]

* removed deprecation-warning for ToolInit
  [jensens]

1.3.9-final02 - 2006-01-15
--------------------------

* nothing - the odd version checking needs a version change to stick to
  Archetypes version.
  [yenzenz]

1.3.9-RC1 - 2005-12-29
----------------------

* Fixed [ 1293684 ], unregistered Transforms are not unmaped,
  Transformation was deleted from portal_transforms, but remained
  active.
  http://sourceforge.net/tracker/index.php?func-detail&aid-1293684&group_id-75272&atid-543430
  Added a cleanup that unmaps deleted transforms on reinstall
  [csenger]

* Replaced the safe_html transformation with a configurable version
  with the same functionality. Migration is handled on reinstall.
  http://trac.plone.org/plone/ticket/4538
  [csenger] [dreamcatcher]

* Removed CoUnInitialize call. According to Mark Hammond: The
  right thing to do is call that function, although almost noone
  does (including pywin32 itself, which does CoInitialize the main
  thread) and I've never heard of problem caused by this
  omission.
  [sidnei]

* Fix a long outstanding issue with improper COM thread model
  initialization. Initialize COM for multi-threading, ignoring any
  errors when someone else has already initialized differently.
  https://trac.plone.org/plone/ticket/4712
  [sidnei]

* Correct some wrong security settings.
  [hannosch]

* Fixed the requirements look-up from the policy
  (#1358085)


1.3.8-final02 - 2005-10-11
--------------------------

* nothing - the odd version checking needs a version change to stick to
  Archetypes version.
  [yenzenz]

1.3.7-final01 - 2005-08-30
--------------------------

* nothing - the odd version checking needs a version change to stick to
  Archetypes version.
  [yenzenz]

1.3.6-final02 - 2005-08-07
--------------------------

* nothing - the odd version checking needs a version change to stick to
  Archetypes version.
  [yenzenz]

1.3.6-final - 2005-08-01
------------------------

* Added q to the list of valid and safe html tags by limi's request.
  Wrote test for safe_html parsing.
  [hannosch]

* Added ins and del to the list of valid and safe html tags.
  [ 1199917 ] XHTML DEL tag is removed during the safe_html conversion
  [tiran]

1.3.5-final02 - 2005-07-17
--------------------------

* changed version to stick to appropiate Archetypes Version.
  [yenzenz]

1.3.5-final - 2005-07-06
------------------------

* pdf_to_html can show images now. Revert it to command transformer and
  make it work under windows.
  [panjunyong]

* refined command based unsafe transform to make it work with windows.
  [panjunyong]

* Disabled office_uno by default because it doesn't support multithread yet
  [panjunyong]

* Rewrote office_uno to make it work for the recent PyUNO.
  [panjunyong]

1.3.4-final01 - 2005-05-20
--------------------------

* nothing (I hate to write this. But the odd version checking needs it).
  [yenzenz]

1.3.4-rc1 - 2005-03-25
----------------------

* Better error handling for safe html transformation
  [tiran]

1.3.3-final - 2005-03-05
------------------------

* Updated link to rtf converter to http://freshmeat.net/projects/rtfconverter/
  [tiran]

* Small fix for the com office converter. COM could crash if word is
  invisible. Also a pop up might appeare when quitting word.
  [gogo]

* Fixed [ 1053846 ] Charset problem with wvware word_to_html conversion
  [flacoste]

* Fixed python and test pre transforms to use html quote special characters.
  Thx to stain. [ 1091670 ] Python source code does not escape HTML.
  [tiran]

* Fixed [ 1121812 ] fix PortalTransforms unregisterTransformation()
  unregisterTransformation() misses to remove from the zodb the persistance
  wrapper added to the trasformation
  [dan_t]

* Fixed [ 1118739 ] popentransform does not work on windows
  [duncanb]

* Fixed [ 1122175 ] extra indnt sytax error in office_uno.py
  [ryuuguu]

* fixed bug with some transformers' temp filename: it tried to use original
  filename which is encoded in utf8 and may contrain invalid charset for my
  Windows server. Just use filename as: unknown.suffix
  [panjunyong]

* STX header level is set to 2 instead of using zope.conf. Limi forced me to
  change it.
  [tiran]

* fixed bug: word_to_html uses office_com under windows

1.3.2-5 - 2004-10-17
--------------------

* Fixed [ 1041637 ] RichWidget: STX level should be set to 3 instead 1. The
  structured text transform is now using the zope.conf option or has an
  optional level paramenter in the convert method.
  [tiran]

* Added win32api.GetShortPathName to libtransforms/commandtransform
  so binaries found in directories which have spaces in their names
  will work as expected
  [runyaga]

1.3.2-4 - 2004-09-30
--------------------

* nothing changed

1.3.2-3 - 2004-09-25
--------------------

* Fixed more unit tests
  [tiran]

1.3.2-2 - 2004-09-17
--------------------

* Fixed [ 1025066 ] Serious persistency bug
  [dmaurer]

* Fixed some unit tests failurs. Some unit tests did fail because the reST
  and STX output has changed slightly.
  [tiran]

* Don't include the first three lines of the lynx output which are url,
  title and a blank line. This fixed also a unit test because the url
  which was a file in the fs did change every time.
  [tiran]

* Fixed a bug in make_unpersistent. It seemed that this method touched values
  inside the mapping.
  [dreamcatcher]

1.3.2-1 - 2004-09-04
--------------------

* Disabled filters that were introduced in 1.3.1-1. The currently used
  transform path algo is broken took too long to find a path.
  [tiran]

* Cleaned up major parts of PT by removing the python only implementation which
  was broken anyway

* Fixed [ 1019632 ] current svn bundle (rev 2942) broken

1.3.1-1 - 2004-08-16
--------------------

* Introduce the concept of filters (one-hop transforms where the source and
  destination are the same mimetype).
  [dreamcatcher]

* Add a html filter to extract the content of the body tag (so we don't get a
  double <body> when uploading full html files).
  [dreamcatcher]

* Change base class for Transform to SimpleItem which is equivalent to the
  previous base classes and provides a nice __repr__.
  [dreamcatcher]

* Lower log levels.
  [dreamcatcher]

* cache.py: Added purgeCache, fixed has cache test.
  [tiran]

* Fixed non critical typo in error message: Unvalid -> Invalid
  [tiran]

1.3.0-3 - 2004-08-06
--------------------

* Added context to the convert, convertTo and __call__ methods. The context is
  the object on which the transform was called.
  [tiran]

* Added isCacheable flag and setCacheable to idatastream (data.py). Now you can
  disable the caching of the result of a transformation.
  [tiran]

* Added __setstate__ to load new transformations from the file system.
  [tiran]

* Fixed [ 1002014 ] Add policy screen doesn't accept single entry
  [tiran]

1.3.0-2 - 2004-07-29
--------------------

* Added workaround for [ 997998 ] PT breaks ZMI/Find [tiran]