Final classes, custom sanitization defaults & phpinfo() flags

• 2.0.1 removes the @param non-empty-string annotation from addSanitization() added in 2.0.0.

The original 2.0.0 release notes:

Breaking changes

• PhpInfo and SensitiveValueSanitizer are now final - they're security-related and not designed to be extended (#27)

New features

• Custom default sanitization replacement string via new SensitiveValueSanitizer('[REDACTED]') (#26)
• getHtml() and getFullPageHtml() now accept $flags parameter to control phpinfo() output sections (#21 & #23, thanks @compwright)

Internal changes

• Add phpstan/phpstan-strict-rules (#24)
• Bump actions/checkout from 5 to 6 (#20)
• Add CLAUDE.md (#22)
• Use use for all functions for those free extra nanoseconds (#25)
• Correct the path in the inline styles comment (#29)

Final classes, custom sanitization defaults & phpinfo() flags

Breaking changes

• PhpInfo and SensitiveValueSanitizer are now final - they're security-related and not designed to be extended (#27)

New features

• Custom default sanitization replacement string via new SensitiveValueSanitizer('[REDACTED]') (#26)
• getHtml() and getFullPageHtml() now accept $flags parameter to control phpinfo() output sections (#21 & #23, thanks @compwright)
• addSanitization() annotated as @param non-empty-string to clarify the contract (#28) (removed in 2.0.1)

Internal changes

• Add phpstan/phpstan-strict-rules (#24)
• Bump actions/checkout from 5 to 6 (#20)
• Add CLAUDE.md (#22)
• Use use for all functions for those free extra nanoseconds (#25)
• Correct the path in the inline styles comment (#29)

Support PHP 8.5, drop 7.4 support

• Run tests on PHP 8.5 too (#19)
• Drop PHP 7.4 support (#18)
• Newer dev dependencies (#16)
• Bump actions/checkout (#17)

Test on PHP 8.4

• Support PHP 8.4 (#15), officially, by running tests on PHP 8.4

getFullPageHtml() and reading cookies to find session id

• Read $_COOKIE[session_name()] directly to find session id if session is not active (#13)

Previously, only the output from session_id() was sanitized, but session has to be started for the function to return anything. So now the cookie is also read directly, and I'd still recommend you explicitly add the string with something like addSanitization($this0>sessionHandler->getId(), '[***]') which is now mentioned in the README too.

• Add getFullPageHtml() (#14)

getFullPageHtml() doesn't remove HEAD & BODY and preserve inline styles while still sanitizing what it's supposed to be sanitized. The method was added to make using this package easier in a simple pages like the old school /info.php with just <?php phpinfo();

The README now also warns that using getHtml() removes the HEAD element with the meta name="ROBOTS" tag, so you should somehow add it back. That's also why getFullPageHtml() was added.

Sanitizing arbitrary strings

• Can configure the sanitizer as a standalone object to sanitize arbitrary strings too (#12)

Support PHP 7.4-8.3

• Support PHP 7.4 too (#11)

Dark mode, CSS matches PHP 8.3

This release updates phpinfo() CSS to match PHP 8.3, brings dark mode (#10)

Sanitize session id by default

• Sanitize session id by default, to protect against some session hijacking attacks. More strings can be added with addSanitization (#8, #9)

Support PHP 8.3

What's Changed

• Support PHP 8.3 (#7)
• Bump actions/checkout from 3 to 4 (#6) Did you know you can use @dependabot to update your actions, not just your code? I've updated my article which mentions Dependabot https://www.michalspacek.com/dont-let-security-bugs-catch-you-off-guard#github-dependabot