Revision history for Perl extension HTML::TagFilter.

1.03  Wed Nov 7 2005
	- updated manifest to include new tests and test subclass module. d'oh.

1.02  Wed Nov 7 2005
	- callbacks will now call method of same (triggerpoint) name if no
	  coderef has been supplied. This means that people who prefer to 
	  override in subclass just need a method with the triggerpoint name.
	- fixed silly bug where setting xss_allow_local_links to zero was ignored
	- fixed very silly operator precedence bug in xss test for local urls. 
	  (Both these last two thanks to

1.01  Sun Oct 15 2005
    - tweaked trigger points so that tag acceptability tests are called
      first: avoids situations where the callback sub is doing something
      with a tag that will then be rejected. stupido! 
    - also fixed a couple of minor bugs in sample code
    - tweaked default acceptance rules to include <strong>

1.0	  Sun Oct 15 2005
	- handy hooks added in response to various requests for added 
	  functionality. See for recipes.
	- documentation tidied up.
	- No bug reports for a year now, so we'll call this version 1.

0.091 Fri Aug 13 2004
    - silly bug fixed in mailto obfuscation (the mailto: part has to be left
      in clear, as any fule kno).

0.09 Fri Jul 9 2004
    - mailto: obfuscation added. switchable-off.
    - url filtering properly integrated with other attribute rules, so that 
      naughty url attributes are omitted instead of empty.
    - xss logging brought into line with other filters, thanks to Brian Hirt.
    - 'reason' value added to filter log, mostly for later use
    - entification of <> now switchable-off too.
    - method documentation improved. rules docs still longer than bible :(
    - xss configuration (eg attributes to watch out for) made easier to change.

0.08 Wed Jun 2 2004
    - By popular demand, a filter with only denial rules lets through everything
      that is not explicitly denied. Makes it easier to strip out a few tags and
      leave the rest.
    - bugfix: supplying an empty set of rules to allow_tags or deny_tags now
      clears that part of the rule set, as the docs promise.
    - clear_rules method added to simplify the interface.
    - Tests now use Test::More like proper grown-ups.

0.075 Wed Oct 8 2003
    - noticed that cross-site safeguards were preventing mailto: hrefs from 
      getting through. Corrected.

0.074 Tues Jul 23 2003
    - tidied up a bit
    - extended the default list of xss vulnerable tags to: src, lowsrc, 
      href, background, cite. Also made it user-modifiable in subclass.
    - a few remaining variables turned into subs to facilitate subclassing

0.073  Tues Jul 22 2003
    - cross-site scripting protection improved: parser allowed to entify
      again (that was silly), but values for certain vulnerable attributes
      are subjected to extra tests to ensure urlness not scriptness.
    - tests added for the xss protection and other recent fixes

0.072  Tues Jul 22 2003
    - attribute order now preserved (requested by GA long ago)
    - parser instructed not to de-entify: closes a loophole that
      could allow an attacker to hide forbidden tags (eg script)
      within attribute values, to be revealed when Parser turned &quot;
      into "
    - all attributes s/javascript:// just in case.
    - bug corrected where 'none' was not magic in rule set, but just 
      treated as another attribute (d'oh)

0.071  Mon Jul 21 2003
    - changed default handler to escape < and > in order
      to prevent a common cross-site attack, thanks to bug report 
      by nick cleaton

0.07  Thu Oct 25 2001
    - no more warnings
    - error() reporting. can now write 
      $foo = $tf->filter($bar) || die $tf->error 
      and get sensible output. main tests in place. 

0.06 Sun Oct 21 2001
    - Simplified interface with addition of ->filter() and ->report() methods
    - Abandoned attempts to preserve tag order: put back on to do list :(
    - Made pod even more windy.
    - Added 'echo' option to direct output to STDOUT as a proper child 
      of HTML::Parser should, at Gisle Aas' suggestion. makes it more 
      useful to networking applications, apparently.

0.05  Wed Sep 20 2001
    - Added tag/attribute removal logging, and 'log' option, in order 
      that users may be chastised in detail for putting in naughty html.

0.04  Wed Sep 19 2001
    - Added _check() method to allow testing of values deep in HoHoHo 
      without autovivification and subsequent mess. 
    - Denial rules become less ambitious, more useful. 
    - Pod grows more verbose.

0.03  Tues Sep 18 2001
    - Changed from trying to work out meaning of empty lists to using 
      reserved words 'any', 'all', 'none'. 
    - Denial rules work sporadically.

0.02  Mon Sep 17 2001
    - Added denial rules. 
    - Didn't work very well.

0.01  Fri Sep 14 01:19:43 2001
    - Only permission filter: no denial rules.
    - Worked quite well.