to
- foreach ($definition->info[$token->name]->attr_transform_pre as $transform) {
- $attr = $transform->transform($o = $attr, $config, $context);
- if ($e) {
- if ($attr != $o) {
- $e->send(E_NOTICE, 'AttrValidator: Attributes transformed', $o, $attr);
- }
- }
- }
-
- // create alias to this element's attribute definition array, see
- // also $d_defs (global attribute definition array)
- // DEFINITION CALL
- $defs = $definition->info[$token->name]->attr;
-
- $attr_key = false;
- $context->register('CurrentAttr', $attr_key);
-
- // iterate through all the attribute keypairs
- // Watch out for name collisions: $key has previously been used
- foreach ($attr as $attr_key => $value) {
-
- // call the definition
- if (isset($defs[$attr_key])) {
- // there is a local definition defined
- if ($defs[$attr_key] === false) {
- // We've explicitly been told not to allow this element.
- // This is usually when there's a global definition
- // that must be overridden.
- // Theoretically speaking, we could have a
- // AttrDef_DenyAll, but this is faster!
- $result = false;
- } else {
- // validate according to the element's definition
- $result = $defs[$attr_key]->validate(
- $value,
- $config,
- $context
- );
- }
- } elseif (isset($d_defs[$attr_key])) {
- // there is a global definition defined, validate according
- // to the global definition
- $result = $d_defs[$attr_key]->validate(
- $value,
- $config,
- $context
- );
- } else {
- // system never heard of the attribute? DELETE!
- $result = false;
- }
-
- // put the results into effect
- if ($result === false || $result === null) {
- // this is a generic error message that should replaced
- // with more specific ones when possible
- if ($e) {
- $e->send(E_ERROR, 'AttrValidator: Attribute removed');
- }
-
- // remove the attribute
- unset($attr[$attr_key]);
- } elseif (is_string($result)) {
- // generally, if a substitution is happening, there
- // was some sort of implicit correction going on.
We'll
- // delegate it to the attribute classes to say exactly what.
-
- // simple substitution
- $attr[$attr_key] = $result;
- } else {
- // nothing happens
- }
-
- // we'd also want slightly more complicated substitution
- // involving an array as the return value,
- // although we're not sure how colliding attributes would
- // resolve (certain ones would be completely overriden,
- // others would prepend themselves).
- }
-
- $context->destroy('CurrentAttr');
-
- // post transforms
-
- // global (error reporting untested)
- foreach ($definition->info_attr_transform_post as $transform) {
- $attr = $transform->transform($o = $attr, $config, $context);
- if ($e) {
- if ($attr != $o) {
- $e->send(E_NOTICE, 'AttrValidator: Attributes transformed', $o, $attr);
- }
- }
- }
-
- // local (error reporting untested)
- foreach ($definition->info[$token->name]->attr_transform_post as $transform) {
- $attr = $transform->transform($o = $attr, $config, $context);
- if ($e) {
- if ($attr != $o) {
- $e->send(E_NOTICE, 'AttrValidator: Attributes transformed', $o, $attr);
- }
- }
- }
-
- $token->attr = $attr;
-
- // destroy CurrentToken if we made it ourselves
- if (!$current_token) {
- $context->destroy('CurrentToken');
- }
-
- }
-
-
-}
-
-// vim: et sw=4 sts=4
diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/Bootstrap.php php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/Bootstrap.php
--- php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/Bootstrap.php 2018-02-23 02:08:20.000000000 +0000
+++ php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/Bootstrap.php 1970-01-01 00:00:00.000000000 +0000
@@ -1,124 +0,0 @@
-
-if (!defined('PHP_EOL')) {
- switch (strtoupper(substr(PHP_OS, 0, 3))) {
- case 'WIN':
- define('PHP_EOL', "\r\n");
- break;
- case 'DAR':
- define('PHP_EOL', "\r");
- break;
- default:
- define('PHP_EOL', "\n");
- }
-}
-
-/**
- * Bootstrap class that contains meta-functionality for HTML Purifier such as
- * the autoload function.
- *
- * @note
- * This class may be used without any other files from HTML Purifier.
- */
-class HTMLPurifier_Bootstrap
-{
-
- /**
- * Autoload function for HTML Purifier
- * @param string $class Class to load
- * @return bool
- */
- public static function autoload($class)
- {
- $file = HTMLPurifier_Bootstrap::getPath($class);
- if (!$file) {
- return false;
- }
- // Technically speaking, it should be ok and more efficient to
- // just do 'require', but Antonio Parraga reports that with
- // Zend extensions such as Zend debugger and APC, this invariant
- // may be broken. Since we have efficient alternatives, pay
- // the cost here and avoid the bug.
- require_once HTMLPURIFIER_PREFIX . '/' . $file;
- return true;
- }
-
- /**
- * Returns the path for a specific class.
- * @param string $class Class path to get
- * @return string
- */
- public static function getPath($class)
- {
- if (strncmp('HTMLPurifier', $class, 12) !== 0) {
- return false;
- }
- // Custom implementations
- if (strncmp('HTMLPurifier_Language_', $class, 22) === 0) {
- $code = str_replace('_', '-', substr($class, 22));
- $file = 'HTMLPurifier/Language/classes/' . $code . '.php';
- } else {
- $file = str_replace('_', '/', $class) . '.php';
- }
- if (!file_exists(HTMLPURIFIER_PREFIX . '/' . $file)) {
- return false;
- }
- return $file;
- }
-
- /**
- * "Pre-registers" our autoloader on the SPL stack.
- */
- public static function registerAutoload()
- {
- $autoload = array('HTMLPurifier_Bootstrap', 'autoload');
- if (($funcs = spl_autoload_functions()) === false) {
- spl_autoload_register($autoload);
- } elseif (function_exists('spl_autoload_unregister')) {
- if (version_compare(PHP_VERSION, '5.3.0', '>=')) {
- // prepend flag exists, no need for shenanigans
- spl_autoload_register($autoload, true, true);
- } else {
- $buggy = version_compare(PHP_VERSION, '5.2.11', '<');
- $compat = version_compare(PHP_VERSION, '5.1.2', '<=') &&
- version_compare(PHP_VERSION, '5.1.0', '>=');
- foreach ($funcs as $func) {
- if ($buggy && is_array($func)) {
- // :TRICKY: There are some compatibility issues and some
- // places where we need to error out
- $reflector = new ReflectionMethod($func[0], $func[1]);
- if (!$reflector->isStatic()) {
- throw new Exception(
- 'HTML Purifier autoloader registrar is not compatible
- with non-static object methods due to PHP Bug #44144;
- Please do not use HTMLPurifier.autoload.php (or any
- file that includes this file); instead, place the code:
- spl_autoload_register(array(\'HTMLPurifier_Bootstrap\', \'autoload\'))
- after your own autoloaders.'
- );
- }
- // Suprisingly, spl_autoload_register supports the
- // Class::staticMethod callback format, although call_user_func doesn't
- if ($compat) {
- $func = implode('::', $func);
- }
- }
- spl_autoload_unregister($func);
- }
- spl_autoload_register($autoload);
- foreach ($funcs as $func) {
- spl_autoload_register($func);
- }
- }
- }
- }
-}
-
-// vim: et sw=4 sts=4
diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ChildDef/Chameleon.php php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ChildDef/Chameleon.php
--- php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ChildDef/Chameleon.php 2018-02-23 02:08:20.000000000 +0000
+++ php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ChildDef/Chameleon.php 1970-01-01 00:00:00.000000000 +0000
@@ -1,67 +0,0 @@
-inline = new HTMLPurifier_ChildDef_Optional($inline);
- $this->block = new HTMLPurifier_ChildDef_Optional($block);
- $this->elements = $this->block->elements;
- }
-
- /**
- * @param HTMLPurifier_Node[] $children
- * @param HTMLPurifier_Config $config
- * @param HTMLPurifier_Context $context
- * @return bool
- */
- public function validateChildren($children, $config, $context)
- {
- if ($context->get('IsInline') === false) {
- return $this->block->validateChildren(
- $children,
- $config,
- $context
- );
- } else {
- return $this->inline->validateChildren(
- $children,
- $config,
- $context
- );
- }
- }
-}
-
-// vim: et sw=4 sts=4
diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ChildDef/Custom.php php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ChildDef/Custom.php
--- php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ChildDef/Custom.php 2018-02-23 02:08:20.000000000 +0000
+++ php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ChildDef/Custom.php 1970-01-01 00:00:00.000000000 +0000
@@ -1,102 +0,0 @@
-dtd_regex = $dtd_regex;
- $this->_compileRegex();
- }
-
- /**
- * Compiles the PCRE regex from a DTD regex ($dtd_regex to $_pcre_regex)
- */
- protected function _compileRegex()
- {
- $raw = str_replace(' ', '', $this->dtd_regex);
- if ($raw{0} != '(') {
- $raw = "($raw)";
- }
- $el = '[#a-zA-Z0-9_.-]+';
- $reg = $raw;
-
- // COMPLICATED! AND MIGHT BE BUGGY! I HAVE NO CLUE WHAT I'M
- // DOING! Seriously: if there's problems, please report them.
-
- // collect all elements into the $elements array
- preg_match_all("/$el/", $reg, $matches);
- foreach ($matches[0] as $match) {
- $this->elements[$match] = true;
- }
-
- // setup all elements as parentheticals with leading commas
- $reg = preg_replace("/$el/", '(,\\0)', $reg);
-
- // remove commas when they were not solicited
- $reg = preg_replace("/([^,(|]\(+),/", '\\1', $reg);
-
- // remove all non-paranthetical commas: they are handled by first regex
- $reg = preg_replace("/,\(/", '(', $reg);
-
- $this->_pcre_regex = $reg;
- }
-
- /**
- * @param HTMLPurifier_Node[] $children
- * @param HTMLPurifier_Config $config
- * @param HTMLPurifier_Context $context
- * @return bool
- */
- public function validateChildren($children, $config, $context)
- {
- $list_of_children = '';
- $nesting = 0; // depth into the nest
- foreach ($children as $node) {
- if (!empty($node->is_whitespace)) {
- continue;
- }
- $list_of_children .= $node->name . ',';
- }
- // add leading comma to deal with stray comma declarations
- $list_of_children = ',' . rtrim($list_of_children, ',');
- $okay =
- preg_match(
- '/^,?' . $this->_pcre_regex .
'$/',
- $list_of_children
- );
- return (bool)$okay;
- }
-}
-
-// vim: et sw=4 sts=4
diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ChildDef/Empty.php php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ChildDef/Empty.php
--- php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ChildDef/Empty.php 2018-02-23 02:08:20.000000000 +0000
+++ php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ChildDef/Empty.php 1970-01-01 00:00:00.000000000 +0000
@@ -1,38 +0,0 @@ - true, 'ul' => true, 'ol' => true); - - /** - * @param array $children - * @param HTMLPurifier_Config $config - * @param HTMLPurifier_Context $context - * @return array - */ - public function validateChildren($children, $config, $context) - { - // Flag for subclasses - $this->whitespace = false; - - // if there are no tokens, delete parent node - if (empty($children)) { - return false; - } - - // if li is not allowed, delete parent node - if (!isset($config->getHTMLDefinition()->info['li'])) { - trigger_error("Cannot allow ul/ol without allowing li", E_USER_WARNING); - return false; - } - - // the new set of children - $result = array(); - - // a little sanity check to make sure it's not ALL whitespace - $all_whitespace = true; - - $current_li = null; - - foreach ($children as $node) { - if (!empty($node->is_whitespace)) { - $result[] = $node; - continue; - } - $all_whitespace = false; // phew, we're not talking about whitespace - - if ($node->name === 'li') { - // good - $current_li = $node; - $result[] = $node; - } else { - // we want to tuck this into the previous li - // Invariant: we expect the node to be ol/ul - // ToDo: Make this more robust in the case of not ol/ul - // by distinguishing between existing li and li created - // to handle non-list elements; non-list elements should - // not be appended to an existing li; only li created - // for non-list. This distinction is not currently made. - if ($current_li === null) { - $current_li = new HTMLPurifier_Node_Element('li'); - $result[] = $current_li; - } - $current_li->children[] = $node; - $current_li->empty = false; // XXX fascinating! 
Check for this error elsewhere ToDo - } - } - if (empty($result)) { - return false; - } - if ($all_whitespace) { - return false; - } - return $result; - } -} - -// vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ChildDef/Optional.php php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ChildDef/Optional.php --- php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ChildDef/Optional.php 2018-02-23 02:08:20.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ChildDef/Optional.php 1970-01-01 00:00:00.000000000 +0000 @@ -1,45 +0,0 @@ -whitespace) { - return $children; - } else { - return array(); - } - } - return $result; - } -} - -// vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ChildDef/Required.php php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ChildDef/Required.php --- php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ChildDef/Required.php 2018-02-23 02:08:20.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ChildDef/Required.php 1970-01-01 00:00:00.000000000 +0000 
@@ -1,118 +0,0 @@ - $x) { - $elements[$i] = true; - if (empty($i)) { - unset($elements[$i]); - } // remove blank - } - } - $this->elements = $elements; - } - - /** - * @type bool - */ - public $allow_empty = false; - - /** - * @type string - */ - public $type = 'required'; - - /** - * @param array $children - * @param HTMLPurifier_Config $config - * @param HTMLPurifier_Context $context - * @return array - */ - public function validateChildren($children, $config, $context) - { - // Flag for subclasses - $this->whitespace = false; - - // if there are no tokens, delete parent node - if (empty($children)) { - return false; - } - - // the new set of children - $result = array(); - - // whether or not parsed character data is allowed - // this controls whether or not we silently drop a tag - // or generate escaped HTML from it - $pcdata_allowed = isset($this->elements['#PCDATA']); - - // a little sanity check to make sure it's not ALL whitespace - $all_whitespace = true; - - $stack = array_reverse($children); - while (!empty($stack)) { - $node = array_pop($stack); - if (!empty($node->is_whitespace)) { - $result[] = $node; - continue; - } - $all_whitespace = false; // phew, we're not talking about whitespace - - if (!isset($this->elements[$node->name])) { - // special case text - // XXX One of these ought to be redundant or something - if ($pcdata_allowed && $node instanceof HTMLPurifier_Node_Text) { - $result[] = $node; - continue; - } - // spill the child contents in - // ToDo: Make configurable - if ($node instanceof HTMLPurifier_Node_Element) { - for ($i = count($node->children) - 1; $i >= 0; $i--) { - $stack[] = $node->children[$i]; - } - continue; - } - continue; - } - $result[] = $node; - } - if (empty($result)) { - return false; - } - if ($all_whitespace) { - $this->whitespace = true; - return false; - } - return $result; - } -} - -// vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ChildDef/StrictBlockquote.php 
php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ChildDef/StrictBlockquote.php
--- php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ChildDef/StrictBlockquote.php 2018-02-23 02:08:20.000000000 +0000
+++ php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ChildDef/StrictBlockquote.php 1970-01-01 00:00:00.000000000 +0000
@@ -1,110 +0,0 @@ -init($config); - return $this->fake_elements; - } - - /** - * @param array $children - * @param HTMLPurifier_Config $config - * @param HTMLPurifier_Context $context - * @return array - */ - public function validateChildren($children, $config, $context) - { - $this->init($config); - - // trick the parent class into thinking it allows more - $this->elements = $this->fake_elements; - $result = parent::validateChildren($children, $config, $context); - $this->elements = $this->real_elements; - - if ($result === false) { - return array(); - } - if ($result === true) { - $result = $children; - } - - $def = $config->getHTMLDefinition(); - $block_wrap_name = $def->info_block_wrapper; - $block_wrap = false; - $ret = array(); - - foreach ($result as $node) { - if ($block_wrap === false) { - if (($node instanceof HTMLPurifier_Node_Text && !$node->is_whitespace) || - ($node instanceof HTMLPurifier_Node_Element && !isset($this->elements[$node->name]))) { - $block_wrap = new HTMLPurifier_Node_Element($def->info_block_wrapper); - $ret[] = $block_wrap; - } - } else { - if ($node instanceof HTMLPurifier_Node_Element && isset($this->elements[$node->name])) { - $block_wrap = false; - - } - } - if ($block_wrap) { - $block_wrap->children[] = $node; - } else { - $ret[] = $node; - } - } - return $ret; - } - - /** - * @param HTMLPurifier_Config $config - */ - private function init($config) - { - if (!$this->init) { - $def = $config->getHTMLDefinition(); - // allow all inline elements - $this->real_elements = $this->elements; - $this->fake_elements = $def->info_content_sets['Flow']; - $this->fake_elements['#PCDATA'] = true; - $this->init = true; - } - } -} - -// vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ChildDef/Table.php php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ChildDef/Table.php --- php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ChildDef/Table.php 2018-02-23 02:08:20.000000000 +0000 +++ 
php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ChildDef/Table.php 1970-01-01 00:00:00.000000000 +0000 @@ -1,224 +0,0 @@ - true, - 'tbody' => true, - 'thead' => true, - 'tfoot' => true, - 'caption' => true, - 'colgroup' => true, - 'col' => true - ); - - public function __construct() - { - } - - /** - * @param array $children - * @param HTMLPurifier_Config $config - * @param HTMLPurifier_Context $context - * @return array - */ - public function validateChildren($children, $config, $context) - { - if (empty($children)) { - return false; - } - - // only one of these elements is allowed in a table - $caption = false; - $thead = false; - $tfoot = false; - - // whitespace - $initial_ws = array(); - $after_caption_ws = array(); - $after_thead_ws = array(); - $after_tfoot_ws = array(); - - // as many of these as you want - $cols = array(); - $content = array(); - - $tbody_mode = false; // if true, then we need to wrap any stray - //
- This directive turns on auto-paragraphing, where double newlines are - converted in to paragraphs whenever possible. Auto-paragraphing: -
-
- p
tags must be allowed for this directive to take effect.
- We do not use br
tags for paragraphing, as that is
- semantically incorrect.
-
- To prevent auto-paragraphing as a content-producer, refrain from using
- double-newlines except to specify a new paragraph or in contexts where
- it has special meaning (whitespace usually has no meaning except in
- tags like pre
, so this should not be difficult.) To prevent
- the paragraphing of inline text adjacent to block elements, wrap them
- in div
tags (the behavior is slightly different outside of
- the root node.)
-
- This directive can be used to add custom auto-format injectors. - Specify an array of injector names (class name minus the prefix) - or concrete implementations. Injector class must exist. -
---# vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/AutoFormat.DisplayLinkURI.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/AutoFormat.DisplayLinkURI.txt --- php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/AutoFormat.DisplayLinkURI.txt 2018-02-23 02:08:20.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/AutoFormat.DisplayLinkURI.txt 1970-01-01 00:00:00.000000000 +0000 @@ -1,11 +0,0 @@ -AutoFormat.DisplayLinkURI -TYPE: bool -VERSION: 3.2.0 -DEFAULT: false ---DESCRIPTION-- -- This directive turns on the in-text display of URIs in <a> tags, and disables - those links. For example, example becomes - example (http://example.com). -
---# vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/AutoFormat.Linkify.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/AutoFormat.Linkify.txt --- php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/AutoFormat.Linkify.txt 2018-02-23 02:08:20.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/AutoFormat.Linkify.txt 1970-01-01 00:00:00.000000000 +0000 @@ -1,12 +0,0 @@ -AutoFormat.Linkify -TYPE: bool -VERSION: 2.0.1 -DEFAULT: false ---DESCRIPTION-- - -
- This directive turns on linkification, auto-linking http, ftp and
- https URLs. a
tags with the href
attribute
- must be allowed.
-
- Location of configuration documentation to link to, let %s substitute - into the configuration's namespace and directive names sans the percent - sign. -
---# vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/AutoFormat.PurifierLinkify.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/AutoFormat.PurifierLinkify.txt --- php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/AutoFormat.PurifierLinkify.txt 2018-02-23 02:08:20.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/AutoFormat.PurifierLinkify.txt 1970-01-01 00:00:00.000000000 +0000 @@ -1,12 +0,0 @@ -AutoFormat.PurifierLinkify -TYPE: bool -VERSION: 2.0.1 -DEFAULT: false ---DESCRIPTION-- - -
- Internal auto-formatter that converts configuration directives in
- syntax %Namespace.Directive to links. a
tags
- with the href
attribute must be allowed.
-
- Given that an element has no contents, it will be removed by default, unless
- this predicate dictates otherwise. The predicate can either be an associative
- map from tag name to list of attributes that must be present for the element
- to be considered preserved: thus, the default always preserves colgroup
,
- th
and td
, and also iframe
if it
- has a src
.
-
- When %AutoFormat.RemoveEmpty and %AutoFormat.RemoveEmpty.RemoveNbsp - are enabled, this directive defines what HTML elements should not be - removede if they have only a non-breaking space in them. -
---# vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/AutoFormat.RemoveEmpty.RemoveNbsp.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/AutoFormat.RemoveEmpty.RemoveNbsp.txt --- php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/AutoFormat.RemoveEmpty.RemoveNbsp.txt 2018-02-23 02:08:20.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/AutoFormat.RemoveEmpty.RemoveNbsp.txt 1970-01-01 00:00:00.000000000 +0000 @@ -1,15 +0,0 @@ -AutoFormat.RemoveEmpty.RemoveNbsp -TYPE: bool -VERSION: 4.0.0 -DEFAULT: false ---DESCRIPTION-- -- When enabled, HTML Purifier will treat any elements that contain only - non-breaking spaces as well as regular whitespace as empty, and remove - them when %AutoForamt.RemoveEmpty is enabled. -
-- See %AutoFormat.RemoveEmpty.RemoveNbsp.Exceptions for a list of elements - that don't have this behavior applied to them. -
---# vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/AutoFormat.RemoveEmpty.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/AutoFormat.RemoveEmpty.txt --- php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/AutoFormat.RemoveEmpty.txt 2018-02-23 02:08:20.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/AutoFormat.RemoveEmpty.txt 1970-01-01 00:00:00.000000000 +0000 @@ -1,46 +0,0 @@ -AutoFormat.RemoveEmpty -TYPE: bool -VERSION: 3.2.0 -DEFAULT: false ---DESCRIPTION-- -- When enabled, HTML Purifier will attempt to remove empty elements that - contribute no semantic information to the document. The following types - of nodes will be removed: -
-<a></a>
but not
- <br />
), and
- colgroup
element, orid
or name
attribute,
- when those attributes are permitted on those elements.
- - Please be very careful when using this functionality; while it may not - seem that empty elements contain useful information, they can alter the - layout of a document given appropriate styling. This directive is most - useful when you are processing machine-generated HTML, please avoid using - it on regular user HTML. -
-- Elements that contain only whitespace will be treated as empty. Non-breaking - spaces, however, do not count as whitespace. See - %AutoFormat.RemoveEmpty.RemoveNbsp for alternate behavior. -
-- This algorithm is not perfect; you may still notice some empty tags, - particularly if a node had elements, but those elements were later removed - because they were not permitted in that context, or tags that, after - being auto-closed by another tag, where empty. This is for safety reasons - to prevent clever code from breaking validation. The general rule of thumb: - if a tag looked empty on the way in, it will get removed; if HTML Purifier - made it empty, it will stay. -
---# vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/AutoFormat.RemoveSpansWithoutAttributes.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/AutoFormat.RemoveSpansWithoutAttributes.txt --- php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/AutoFormat.RemoveSpansWithoutAttributes.txt 2018-02-23 02:08:20.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/AutoFormat.RemoveSpansWithoutAttributes.txt 1970-01-01 00:00:00.000000000 +0000 @@ -1,11 +0,0 @@ -AutoFormat.RemoveSpansWithoutAttributes -TYPE: bool -VERSION: 4.0.1 -DEFAULT: false ---DESCRIPTION-- -
- This directive causes span
tags without any attributes
- to be removed. It will also remove spans that had all attributes
- removed during processing.
-
- Absolute path with no trailing slash to store serialized definitions in. - Default is within the - HTML Purifier library inside DefinitionCache/Serializer. This - path must be writable by the webserver. -
---# vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/Cache.SerializerPermissions.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/Cache.SerializerPermissions.txt --- php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/Cache.SerializerPermissions.txt 2018-02-23 02:08:20.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/Cache.SerializerPermissions.txt 1970-01-01 00:00:00.000000000 +0000 @@ -1,16 +0,0 @@ -Cache.SerializerPermissions -TYPE: int/null -VERSION: 4.3.0 -DEFAULT: 0755 ---DESCRIPTION-- - -- Directory permissions of the files and directories created inside - the DefinitionCache/Serializer or other custom serializer path. -
-
- In HTML Purifier 4.8.0, this also supports NULL
,
- which means that no chmod'ing or directory creation shall
- occur.
-
- This directive enables aggressive pre-filter fixes HTML Purifier can - perform in order to ensure that open angled-brackets do not get killed - during parsing stage. Enabling this will result in two preg_replace_callback - calls and at least two preg_replace calls for every HTML document parsed; - if your users make very well-formed HTML, you can set this directive false. - This has no effect when DirectLex is used. -
-- Notice: This directive's default turned from false to true - in HTML Purifier 3.2.0. -
---# vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/Core.AggressivelyRemoveScript.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/Core.AggressivelyRemoveScript.txt --- php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/Core.AggressivelyRemoveScript.txt 2018-02-23 02:08:20.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/Core.AggressivelyRemoveScript.txt 1970-01-01 00:00:00.000000000 +0000 @@ -1,16 +0,0 @@ -Core.AggressivelyRemoveScript -TYPE: bool -VERSION: 4.9.0 -DEFAULT: true ---DESCRIPTION-- -- This directive enables aggressive pre-filter removal of - script tags. This is not necessary for security, - but it can help work around a bug in libxml where embedded - HTML elements inside script sections cause the parser to - choke. To revert to pre-4.9.0 behavior, set this to false. - This directive has no effect if %Core.Trusted is true, - %Core.RemoveScriptContents is false, or %Core.HiddenElements - does not contain script. -
---# vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/Core.AllowHostnameUnderscore.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/Core.AllowHostnameUnderscore.txt --- php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/Core.AllowHostnameUnderscore.txt 2018-02-23 02:08:20.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/Core.AllowHostnameUnderscore.txt 1970-01-01 00:00:00.000000000 +0000 @@ -1,16 +0,0 @@ -Core.AllowHostnameUnderscore -TYPE: bool -VERSION: 4.6.0 -DEFAULT: false ---DESCRIPTION-- -- By RFC 1123, underscores are not permitted in host names. - (This is in contrast to the specification for DNS, RFC - 2181, which allows underscores.) - However, most browsers do the right thing when faced with - an underscore in the host name, and so some poorly written - websites are written with the expectation this should work. - Setting this parameter to true relaxes our allowed character - check so that underscores are permitted. -
---# vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/Core.CollectErrors.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/Core.CollectErrors.txt --- php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/Core.CollectErrors.txt 2018-02-23 02:08:20.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/Core.CollectErrors.txt 1970-01-01 00:00:00.000000000 +0000 @@ -1,12 +0,0 @@ -Core.CollectErrors -TYPE: bool -VERSION: 2.0.0 -DEFAULT: false ---DESCRIPTION-- - -Whether or not to collect errors found while filtering the document. This -is a useful way to give feedback to your users. Warning: -Currently this feature is very patchy and experimental, with lots of -possible error messages not yet implemented. It will not cause any -problems, but it may not help your users either. ---# vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/Core.ColorKeywords.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/Core.ColorKeywords.txt --- php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/Core.ColorKeywords.txt 2018-02-23 02:08:20.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/Core.ColorKeywords.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,29 +0,0 @@ -Core.ColorKeywords -TYPE: hash -VERSION: 2.0.0 ---DEFAULT-- -array ( - 'maroon' => '#800000', - 'red' => '#FF0000', - 'orange' => '#FFA500', - 'yellow' => '#FFFF00', - 'olive' => '#808000', - 'purple' => '#800080', - 'fuchsia' => '#FF00FF', - 'white' => '#FFFFFF', - 'lime' => '#00FF00', - 'green' => '#008000', - 'navy' => '#000080', - 'blue' => '#0000FF', - 'aqua' => '#00FFFF', - 'teal' => '#008080', - 'black' => '#000000', - 'silver' => '#C0C0C0', - 'gray' => '#808080', -) ---DESCRIPTION-- - -Lookup array of color names to six digit hexadecimal number corresponding -to color, with preceding hash mark. Used when parsing colors. The lookup -is done in a case-insensitive manner. ---# vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/Core.ConvertDocumentToFragment.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/Core.ConvertDocumentToFragment.txt --- php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/Core.ConvertDocumentToFragment.txt 2018-02-23 02:08:20.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/Core.ConvertDocumentToFragment.txt 1970-01-01 00:00:00.000000000 +0000 
@@ -1,14 +0,0 @@ -Core.ConvertDocumentToFragment -TYPE: bool -DEFAULT: true ---DESCRIPTION-- - -This parameter determines whether or not the filter should convert -input that is a full document with html and body tags to a fragment -of just the contents of a body tag. This parameter is simply something -HTML Purifier can do during an edge-case: for most inputs, this -processing is not necessary. - ---ALIASES-- -Core.AcceptFullDocuments ---# vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/Core.DirectLexLineNumberSyncInterval.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/Core.DirectLexLineNumberSyncInterval.txt --- php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/Core.DirectLexLineNumberSyncInterval.txt 2018-02-23 02:08:20.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/Core.DirectLexLineNumberSyncInterval.txt 1970-01-01 00:00:00.000000000 +0000 @@ -1,17 +0,0 @@ -Core.DirectLexLineNumberSyncInterval -TYPE: int -VERSION: 2.0.0 -DEFAULT: 0 ---DESCRIPTION-- - -- Specifies the number of tokens the DirectLex line number tracking - implementations should process before attempting to resyncronize the - current line count by manually counting all previous new-lines. When - at 0, this functionality is disabled. Lower values will decrease - performance, and this is only strictly necessary if the counting - algorithm is buggy (in which case you should report it as a bug). - This has no effect when %Core.MaintainLineNumbers is disabled or DirectLex is - not being used. -
---# vim: et sw=4 sts=4
diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/Core.DisableExcludes.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/Core.DisableExcludes.txt
--- php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/Core.DisableExcludes.txt 2018-02-23 02:08:20.000000000 +0000
+++ php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/Core.DisableExcludes.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,14 +0,0 @@
-Core.DisableExcludes
-TYPE: bool
-DEFAULT: false
-VERSION: 4.5.0
---DESCRIPTION--
-
- This directive disables SGML-style exclusions, e.g. the exclusion of
- <object>
in any descendant of a
- <pre>
tag. Disabling excludes will allow some
- invalid documents to pass through HTML Purifier, but HTML Purifier
- will also be less likely to accidentally remove large documents during
- processing.
-
Warning: this configuration option is no longer does anything as of 4.6.0.
- -When true, a child is found that is not allowed in the context of the -parent element will be transformed into text as if it were ASCII. When -false, that element and all internal tags will be dropped, though text will -be preserved. There is no option for dropping the element but preserving -child nodes.
---# vim: et sw=4 sts=4
diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/Core.EscapeInvalidTags.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/Core.EscapeInvalidTags.txt
--- php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/Core.EscapeInvalidTags.txt 2018-02-23 02:08:20.000000000 +0000
+++ php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/Core.EscapeInvalidTags.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,7 +0,0 @@
-Core.EscapeInvalidTags
-TYPE: bool
-DEFAULT: false
---DESCRIPTION--
-When true, invalid tags will be written back to the document as plain text.
-Otherwise, they are silently dropped.
---# vim: et sw=4 sts=4
diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/Core.EscapeNonASCIICharacters.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/Core.EscapeNonASCIICharacters.txt
--- php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/Core.EscapeNonASCIICharacters.txt 2018-02-23 02:08:20.000000000 +0000
+++ php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/Core.EscapeNonASCIICharacters.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,13 +0,0 @@
-Core.EscapeNonASCIICharacters
-TYPE: bool
-VERSION: 1.4.0
-DEFAULT: false
---DESCRIPTION--
-This directive overcomes a deficiency in %Core.Encoding by blindly
-converting all non-ASCII characters into decimal numeric entities before
-converting it to its native encoding. This means that even characters that
-can be expressed in the non-UTF-8 encoding will be entity-ized, which can
-be a real downer for encodings like Big5. It also assumes that the ASCII
-repetoire is available, although this is the case for almost all encodings.
-Anyway, use UTF-8!
---# vim: et sw=4 sts=4
diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/Core.HiddenElements.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/Core.HiddenElements.txt
--- php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/Core.HiddenElements.txt 2018-02-23 02:08:20.000000000 +0000
+++ php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/Core.HiddenElements.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,19 +0,0 @@
-Core.HiddenElements
-TYPE: lookup
---DEFAULT--
-array (
- 'script' => true,
- 'style' => true,
-)
---DESCRIPTION--
-
-
- This directive is a lookup array of elements which should have their
- contents removed when they are not allowed by the HTML definition.
- For example, the contents of a script
tag are not
- normally shown in a document, so if script tags are to be removed,
- their contents should be removed to. This is opposed to a b
- tag, which defines some presentational changes but does not hide its
- contents.
-
- Prior to HTML Purifier 4.9.0, entities were decoded by performing - a global search replace for all entities whose decoded versions - did not have special meanings under HTML, and replaced them with - their decoded versions. We would match all entities, even if they did - not have a trailing semicolon, but only if there weren't any trailing - alphanumeric characters. -
-Original | Text | Attribute |
---|---|---|
¥ | ¥ | ¥ |
¥ | ¥ | ¥ |
¥a | ¥a | ¥a |
¥= | ¥= | ¥= |
- In HTML Purifier 4.9.0, we changed the behavior of entity parsing - to match entities that had missing trailing semicolons in less - cases, to more closely match HTML5 parsing behavior: -
-Original | Text | Attribute |
---|---|---|
¥ | ¥ | ¥ |
¥ | ¥ | ¥ |
¥a | ¥a | ¥a |
¥= | ¥= | ¥= |
- This flag reverts back to pre-HTML Purifier 4.9.0 behavior. -
---# vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/Core.LexerImpl.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/Core.LexerImpl.txt --- php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/Core.LexerImpl.txt 2018-02-23 02:08:20.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/Core.LexerImpl.txt 1970-01-01 00:00:00.000000000 +0000 @@ -1,34 +0,0 @@ -Core.LexerImpl -TYPE: mixed/null -VERSION: 2.0.0 -DEFAULT: NULL ---DESCRIPTION-- - -- This parameter determines what lexer implementation can be used. The - valid values are: -
-HTMLPurifier_Lexer
.
- I may remove this option simply because I don't expect anyone
- to use it.
- - If true, HTML Purifier will add line number information to all tokens. - This is useful when error reporting is turned on, but can result in - significant performance degradation and should not be used when - unnecessary. This directive must be used with the DirectLex lexer, - as the DOMLex lexer does not (yet) support this functionality. - If the value is null, an appropriate value will be selected based - on other configuration. -
---# vim: et sw=4 sts=4
diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/Core.NormalizeNewlines.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/Core.NormalizeNewlines.txt
--- php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/Core.NormalizeNewlines.txt 2018-02-23 02:08:20.000000000 +0000
+++ php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/Core.NormalizeNewlines.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,11 +0,0 @@
-Core.NormalizeNewlines
-TYPE: bool
-VERSION: 4.2.0
-DEFAULT: true
---DESCRIPTION--
-
- Whether or not to normalize newlines to the operating
- system default. When false
, HTML Purifier
- will attempt to preserve mixed newline files.
-
- This directive enables pre-emptive URI checking in img
- tags, as the attribute validation strategy is not authorized to
- remove elements from the document. Revert to pre-1.3.0 behavior by setting to false.
-
<? ...
-?>
, remove it out-right. This may be useful if the HTML
-you are validating contains XML processing instruction gunk, however,
-it can also be user-unfriendly for people attempting to post PHP
-snippets.
---# vim: et sw=4 sts=4
diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/Core.RemoveScriptContents.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/Core.RemoveScriptContents.txt
--- php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/Core.RemoveScriptContents.txt 2018-02-23 02:08:20.000000000 +0000
+++ php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/Core.RemoveScriptContents.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,12 +0,0 @@
-Core.RemoveScriptContents
-TYPE: bool/null
-DEFAULT: NULL
-VERSION: 2.0.0
-DEPRECATED-VERSION: 2.1.0
-DEPRECATED-USE: Core.HiddenElements
---DESCRIPTION--
-- This directive enables HTML Purifier to remove not only script tags - but all of their contents. -
---# vim: et sw=4 sts=4
diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/CSS.AllowDuplicates.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/CSS.AllowDuplicates.txt
--- php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/CSS.AllowDuplicates.txt 2018-02-23 02:08:20.000000000 +0000
+++ php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/CSS.AllowDuplicates.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,11 +0,0 @@
-CSS.AllowDuplicates
-TYPE: bool
-DEFAULT: false
-VERSION: 4.8.0
---DESCRIPTION--
-
- By default, HTML Purifier removes duplicate CSS properties,
- like color:red; color:blue
. If this is set to
- true, duplicate properties are allowed.
-
- Allows you to manually specify a set of allowed fonts. If
- NULL
, all fonts are allowed. This directive
- affects generic names (serif, sans-serif, monospace, cursive,
- fantasy) as well as specific font families.
-
- If HTML Purifier's style attributes set is unsatisfactory for your needs, - you can overload it with your own list of tags to allow. Note that this - method is subtractive: it does its job by taking away from HTML Purifier - usual feature set, so you cannot add an attribute that HTML Purifier never - supported in the first place. -
-- Warning: If another directive conflicts with the - elements here, that directive will win and override. -
---# vim: et sw=4 sts=4
diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/CSS.AllowImportant.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/CSS.AllowImportant.txt
--- php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/CSS.AllowImportant.txt 2018-02-23 02:08:20.000000000 +0000
+++ php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/CSS.AllowImportant.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,8 +0,0 @@
-CSS.AllowImportant
-TYPE: bool
-DEFAULT: false
-VERSION: 3.1.0
---DESCRIPTION--
-This parameter determines whether or not !important cascade modifiers should
-be allowed in user CSS. If false, !important will stripped.
---# vim: et sw=4 sts=4
diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/CSS.AllowTricky.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/CSS.AllowTricky.txt
--- php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/CSS.AllowTricky.txt 2018-02-23 02:08:20.000000000 +0000
+++ php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/CSS.AllowTricky.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,11 +0,0 @@
-CSS.AllowTricky
-TYPE: bool
-DEFAULT: false
-VERSION: 3.1.0
---DESCRIPTION--
-This parameter determines whether or not to allow "tricky" CSS properties and
-values. Tricky CSS properties/values can drastically modify page layout or
-be used for deceptive practices but do not directly constitute a security risk.
-For example,display:none;
is considered a tricky property that
-will only be allowed if this directive is set to true.
---# vim: et sw=4 sts=4
diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/CSS.DefinitionRev.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/CSS.DefinitionRev.txt
--- php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/CSS.DefinitionRev.txt 2018-02-23 02:08:20.000000000 +0000
+++ php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/CSS.DefinitionRev.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,11 +0,0 @@
-CSS.DefinitionRev
-TYPE: int
-VERSION: 2.0.0
-DEFAULT: 1
---DESCRIPTION--
-
-- Revision identifier for your custom definition. See - %HTML.DefinitionRev for details. -
---# vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/CSS.ForbiddenProperties.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/CSS.ForbiddenProperties.txt --- php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/CSS.ForbiddenProperties.txt 2018-02-23 02:08:20.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/CSS.ForbiddenProperties.txt 1970-01-01 00:00:00.000000000 +0000 @@ -1,13 +0,0 @@ -CSS.ForbiddenProperties -TYPE: lookup -VERSION: 4.2.0 -DEFAULT: array() ---DESCRIPTION-- -- This is the logical inverse of %CSS.AllowedProperties, and it will - override that directive or any other directive. If possible, - %CSS.AllowedProperties is recommended over this directive, - because it can sometimes be difficult to tell whether or not you've - forbidden all of the CSS properties you truly would like to disallow. -
---# vim: et sw=4 sts=4
diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/CSS.MaxImgLength.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/CSS.MaxImgLength.txt
--- php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/CSS.MaxImgLength.txt 2018-02-23 02:08:20.000000000 +0000
+++ php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/CSS.MaxImgLength.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,16 +0,0 @@
-CSS.MaxImgLength
-TYPE: string/null
-DEFAULT: '1200px'
-VERSION: 3.1.1
---DESCRIPTION--
-
- This parameter sets the maximum allowed length on img
tags,
- effectively the width
and height
properties.
- Only absolute units of measurement (in, pt, pc, mm, cm) and pixels (px) are allowed. This is
- in place to prevent imagecrash attacks, disable with null at your own risk.
- This directive is similar to %HTML.MaxImgLength, and both should be
- concurrently edited, although there are
- subtle differences in the input format (the CSS max is a number with
- a unit).
-
- Whether or not to allow safe, proprietary CSS values. -
---# vim: et sw=4 sts=4
diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/CSS.Trusted.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/CSS.Trusted.txt
--- php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/CSS.Trusted.txt 2018-02-23 02:08:20.000000000 +0000
+++ php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/CSS.Trusted.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,9 +0,0 @@
-CSS.Trusted
-TYPE: bool
-VERSION: 4.2.1
-DEFAULT: false
---DESCRIPTION--
-Indicates whether or not the user's CSS input is trusted or not. If the
-input is trusted, a more expansive set of allowed properties. See
-also %HTML.Trusted.
---# vim: et sw=4 sts=4
diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/Filter.Custom.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/Filter.Custom.txt
--- php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/Filter.Custom.txt 2018-02-23 02:08:20.000000000 +0000
+++ php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/Filter.Custom.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,11 +0,0 @@
-Filter.Custom
-TYPE: list
-VERSION: 3.1.0
-DEFAULT: array()
---DESCRIPTION--
-
- This directive can be used to add custom filters; it is nearly the
- equivalent of the now deprecated HTMLPurifier->addFilter()
- method. Specify an array of concrete implementations.
-
- Whether or not to escape the dangerous characters <, > and & - as \3C, \3E and \26, respectively. This is can be safely set to false - if the contents of StyleBlocks will be placed in an external stylesheet, - where there is no risk of it being interpreted as HTML. -
---# vim: et sw=4 sts=4
diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/Filter.ExtractStyleBlocks.Scope.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/Filter.ExtractStyleBlocks.Scope.txt
--- php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/Filter.ExtractStyleBlocks.Scope.txt 2018-02-23 02:08:20.000000000 +0000
+++ php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/Filter.ExtractStyleBlocks.Scope.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,29 +0,0 @@
-Filter.ExtractStyleBlocks.Scope
-TYPE: string/null
-VERSION: 3.0.0
-DEFAULT: NULL
-ALIASES: Filter.ExtractStyleBlocksScope, FilterParam.ExtractStyleBlocksScope
---DESCRIPTION--
-
-
- If you would like users to be able to define external stylesheets, but
- only allow them to specify CSS declarations for a specific node and
- prevent them from fiddling with other elements, use this directive.
- It accepts any valid CSS selector, and will prepend this to any
- CSS declaration extracted from the document. For example, if this
- directive is set to #user-content
and a user uses the
- selector a:hover
, the final selector will be
- #user-content a:hover
.
-
- The comma shorthand may be used; consider the above example, with
- #user-content, #user-content2
, the final selector will
- be #user-content a:hover, #user-content2 a:hover
.
-
- Warning: It is possible for users to bypass this measure - using a naughty + selector. This is a bug in CSS Tidy 1.3, not HTML - Purifier, and I am working to get it fixed. Until then, HTML Purifier - performs a basic check to prevent this. -
---# vim: et sw=4 sts=4
diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/Filter.ExtractStyleBlocks.TidyImpl.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/Filter.ExtractStyleBlocks.TidyImpl.txt
--- php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/Filter.ExtractStyleBlocks.TidyImpl.txt 2018-02-23 02:08:20.000000000 +0000
+++ php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/Filter.ExtractStyleBlocks.TidyImpl.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,16 +0,0 @@
-Filter.ExtractStyleBlocks.TidyImpl
-TYPE: mixed/null
-VERSION: 3.1.0
-DEFAULT: NULL
-ALIASES: FilterParam.ExtractStyleBlocksTidyImpl
---DESCRIPTION--
-
- If left NULL, HTML Purifier will attempt to instantiate a csstidy
- class to use for internal cleaning. This will usually be good enough.
-
- However, for trusted user input, you can set this to false
to
- disable cleaning. In addition, you can supply your own concrete implementation
- of Tidy's interface to use, although I don't know why you'd want to do that.
-
- This directive turns on the style block extraction filter, which removes
- style
blocks from input HTML, cleans them up with CSSTidy,
- and places them in the StyleBlocks
context variable, for further
- use by you, usually to be placed in an external stylesheet, or a
- style
block in the head
of your document.
-
- Sample usage: -
-'; -?> - - - --Filter.ExtractStyleBlocks -body {color:#F00;} Some text'; - - $config = HTMLPurifier_Config::createDefault(); - $config->set('Filter', 'ExtractStyleBlocks', true); - $purifier = new HTMLPurifier($config); - - $html = $purifier->purify($dirty); - - // This implementation writes the stylesheets to the styles/ directory. - // You can also echo the styles inside the document, but it's a bit - // more difficult to make sure they get interpreted properly by - // browsers; try the usual CSS armoring techniques. - $styles = $purifier->context->get('StyleBlocks'); - $dir = 'styles/'; - if (!is_dir($dir)) mkdir($dir); - $hash = sha1($_GET['html']); - foreach ($styles as $i => $style) { - file_put_contents($name = $dir . $hash . "_$i"); - echo ''; - } -?> - - -- -- - -]]>
- Warning: It is possible for a user to mount an - imagecrash attack using this CSS. Counter-measures are difficult; - it is not simply enough to limit the range of CSS lengths (using - relative lengths with many nesting levels allows for large values - to be attained without actually specifying them in the stylesheet), - and the flexible nature of selectors makes it difficult to selectively - disable lengths on image tags (HTML Purifier, however, does disable - CSS width and height in inline styling). There are probably two effective - counter measures: an explicit width and height set to auto in all - images in your document (unlikely) or the disabling of width and - height (somewhat reasonable). Whether or not these measures should be - used is left to the reader. -
---# vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/Filter.YouTube.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/Filter.YouTube.txt --- php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/Filter.YouTube.txt 2018-02-23 02:08:20.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/Filter.YouTube.txt 1970-01-01 00:00:00.000000000 +0000 @@ -1,16 +0,0 @@ -Filter.YouTube -TYPE: bool -VERSION: 3.1.0 -DEFAULT: false ---DESCRIPTION-- -- Warning: Deprecated in favor of %HTML.SafeObject and - %Output.FlashCompat (turn both on to allow YouTube videos and other - Flash content). -
-- This directive enables YouTube video embedding in HTML Purifier. Check - this document - on embedding videos for more information on what this filter does. -
---# vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/HTML.AllowedAttributes.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/HTML.AllowedAttributes.txt --- php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/HTML.AllowedAttributes.txt 2018-02-23 02:08:20.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/HTML.AllowedAttributes.txt 1970-01-01 00:00:00.000000000 +0000 @@ -1,19 +0,0 @@ -HTML.AllowedAttributes -TYPE: lookup/null -VERSION: 1.3.0 -DEFAULT: NULL ---DESCRIPTION-- - -- If HTML Purifier's attribute set is unsatisfactory, overload it! - The syntax is "tag.attr" or "*.attr" for the global attributes - (style, id, class, dir, lang, xml:lang). -
-- Warning: If another directive conflicts with the - elements here, that directive will win and override. For - example, %HTML.EnableAttrID will take precedence over *.id in this - directive. You must set that directive to true before you can use - IDs at all. -
---# vim: et sw=4 sts=4
diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/HTML.AllowedCommentsRegexp.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/HTML.AllowedCommentsRegexp.txt
--- php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/HTML.AllowedCommentsRegexp.txt 2018-02-23 02:08:20.000000000 +0000
+++ php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/HTML.AllowedCommentsRegexp.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,15 +0,0 @@
-HTML.AllowedCommentsRegexp
-TYPE: string/null
-VERSION: 4.4.0
-DEFAULT: NULL
---DESCRIPTION--
-A regexp, which if it matches the body of a comment, indicates that
-it should be allowed. Trailing and leading spaces are removed prior
-to running this regular expression.
-Warning: Make sure you specify
-correct anchor metacharacters^regex$
, otherwise you may accept
-comments that you did not mean to! In particular, the regex /foo|bar/
-is probably not sufficiently strict, since it also allows foobar
.
-See also %HTML.AllowedComments (these directives are union'ed together,
-so a comment is considered valid if any directive deems it valid.)
---# vim: et sw=4 sts=4
diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/HTML.AllowedComments.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/HTML.AllowedComments.txt
--- php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/HTML.AllowedComments.txt 2018-02-23 02:08:20.000000000 +0000
+++ php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/HTML.AllowedComments.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,10 +0,0 @@
-HTML.AllowedComments
-TYPE: lookup
-VERSION: 4.4.0
-DEFAULT: array()
---DESCRIPTION--
-A whitelist which indicates what explicit comment bodies should be
-allowed, modulo leading and trailing whitespace. See also %HTML.AllowedCommentsRegexp
-(these directives are union'ed together, so a comment is considered
-valid if any directive deems it valid.)
---# vim: et sw=4 sts=4
diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/HTML.AllowedElements.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/HTML.AllowedElements.txt
--- php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/HTML.AllowedElements.txt 2018-02-23 02:08:20.000000000 +0000
+++ php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/HTML.AllowedElements.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,23 +0,0 @@
-HTML.AllowedElements
-TYPE: lookup/null
-VERSION: 1.3.0
-DEFAULT: NULL
---DESCRIPTION--
-- If HTML Purifier's tag set is unsatisfactory for your needs, you can - overload it with your own list of tags to allow. If you change - this, you probably also want to change %HTML.AllowedAttributes; see - also %HTML.Allowed which lets you set allowed elements and - attributes at the same time. -
-- If you attempt to allow an element that HTML Purifier does not know - about, HTML Purifier will raise an error. You will need to manually - tell HTML Purifier about this element by using the - advanced customization features. -
-- Warning: If another directive conflicts with the - elements here, that directive will win and override. -
---# vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/HTML.AllowedModules.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/HTML.AllowedModules.txt --- php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/HTML.AllowedModules.txt 2018-02-23 02:08:20.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/HTML.AllowedModules.txt 1970-01-01 00:00:00.000000000 +0000 @@ -1,20 +0,0 @@ -HTML.AllowedModules -TYPE: lookup/null -VERSION: 2.0.0 -DEFAULT: NULL ---DESCRIPTION-- - -- A doctype comes with a set of usual modules to use. Without having - to mucking about with the doctypes, you can quickly activate or - disable these modules by specifying which modules you wish to allow - with this directive. This is most useful for unit testing specific - modules, although end users may find it useful for their own ends. -
-- If you specify a module that does not exist, the manager will silently - fail to use it, so be careful! User-defined modules are not affected - by this directive. Modules defined in %HTML.CoreModules are not - affected by this directive. -
---# vim: et sw=4 sts=4
diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/HTML.Allowed.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/HTML.Allowed.txt
--- php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/HTML.Allowed.txt 2018-02-23 02:08:20.000000000 +0000
+++ php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/HTML.Allowed.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,25 +0,0 @@
-HTML.Allowed
-TYPE: itext/null
-VERSION: 2.0.0
-DEFAULT: NULL
---DESCRIPTION--
-
-
- This is a preferred convenience directive that combines
- %HTML.AllowedElements and %HTML.AllowedAttributes.
- Specify elements and attributes that are allowed using:
- element1[attr1|attr2],element2...
. For example,
- if you would like to only allow paragraphs and links, specify
- a[href],p
. You can specify attributes that apply
- to all elements using an asterisk, e.g. *[lang]
.
- You can also use newlines instead of commas to separate elements.
-
- Warning:
- All of the constraints on the component directives are still enforced.
- The syntax is a subset of TinyMCE's valid_elements
- whitelist: directly copy-pasting it here will probably result in
- broken whitelists. If %HTML.AllowedElements or %HTML.AllowedAttributes
- are set, this directive has no effect.
-
- String name of element to wrap inline elements that are inside a block - context. This only occurs in the children of blockquote in strict mode. -
-
- Example: by default value,
- <blockquote>Foo</blockquote>
would become
- <blockquote><p>Foo</p></blockquote>
.
- The <p>
tags can be replaced with whatever you desire,
- as long as it is a block level element.
-
- Certain modularized doctypes (XHTML, namely), have certain modules - that must be included for the doctype to be an conforming document - type: put those modules here. By default, XHTML's core modules - are used. You can set this to a blank array to disable core module - protection, but this is not recommended. -
---# vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/HTML.CustomDoctype.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/HTML.CustomDoctype.txt --- php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/HTML.CustomDoctype.txt 2018-02-23 02:08:20.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/HTML.CustomDoctype.txt 1970-01-01 00:00:00.000000000 +0000 @@ -1,9 +0,0 @@ -HTML.CustomDoctype -TYPE: string/null -VERSION: 2.0.1 -DEFAULT: NULL ---DESCRIPTION-- - -A custom doctype for power-users who defined their own document -type. This directive only applies when %HTML.Doctype is blank. ---# vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/HTML.DefinitionID.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/HTML.DefinitionID.txt --- php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/HTML.DefinitionID.txt 2018-02-23 02:08:20.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/HTML.DefinitionID.txt 1970-01-01 00:00:00.000000000 +0000 @@ -1,33 +0,0 @@ -HTML.DefinitionID -TYPE: string/null -DEFAULT: NULL -VERSION: 2.0.0 ---DESCRIPTION-- - -- Unique identifier for a custom-built HTML definition. If you edit - the raw version of the HTMLDefinition, introducing changes that the - configuration object does not reflect, you must specify this variable. - If you change your custom edits, you should change this directive, or - clear your cache. Example: -
--$config = HTMLPurifier_Config::createDefault(); -$config->set('HTML', 'DefinitionID', '1'); -$def = $config->getHTMLDefinition(); -$def->addAttribute('a', 'tabindex', 'Number'); --
- In the above example, the configuration is still at the defaults, but
- using the advanced API, an extra attribute has been added. The
- configuration object normally has no way of knowing that this change
- has taken place, so it needs an extra directive: %HTML.DefinitionID.
- If someone else attempts to use the default configuration, these two
- pieces of code will not clobber each other in the cache, since one has
- an extra directive attached to it.
-
-- You must specify a value to this directive to use the - advanced API features. -
---# vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/HTML.DefinitionRev.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/HTML.DefinitionRev.txt --- php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/HTML.DefinitionRev.txt 2018-02-23 02:08:20.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/HTML.DefinitionRev.txt 1970-01-01 00:00:00.000000000 +0000 @@ -1,16 +0,0 @@ -HTML.DefinitionRev -TYPE: int -VERSION: 2.0.0 -DEFAULT: 1 ---DESCRIPTION-- - -- Revision identifier for your custom definition specified in - %HTML.DefinitionID. This serves the same purpose: uniquely identifying - your custom definition, but this one does so in a chronological - context: revision 3 is more up-to-date then revision 2. Thus, when - this gets incremented, the cache handling is smart enough to clean - up any older revisions of your definition as well as flush the - cache. -
---# vim: et sw=4 sts=4
diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/HTML.Doctype.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/HTML.Doctype.txt
--- php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/HTML.Doctype.txt 2018-02-23 02:08:20.000000000 +0000
+++ php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/HTML.Doctype.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,11 +0,0 @@
-HTML.Doctype
-TYPE: string/null
-DEFAULT: NULL
---DESCRIPTION--
-Doctype to use during filtering. Technically speaking this is not actually
-a doctype (as it does not identify a corresponding DTD), but we are using
-this name for sake of simplicity. When non-blank, this will override any
-older directives like %HTML.XHTML or %HTML.Strict.
---ALLOWED--
-'HTML 4.01 Transitional', 'HTML 4.01 Strict', 'XHTML 1.0 Transitional', 'XHTML 1.0 Strict', 'XHTML 1.1'
---# vim: et sw=4 sts=4
diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/HTML.FlashAllowFullScreen.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/HTML.FlashAllowFullScreen.txt
--- php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/HTML.FlashAllowFullScreen.txt 2018-02-23 02:08:20.000000000 +0000
+++ php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/HTML.FlashAllowFullScreen.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,11 +0,0 @@
-HTML.FlashAllowFullScreen
-TYPE: bool
-VERSION: 4.2.0
-DEFAULT: false
---DESCRIPTION--
-
- Whether or not to permit embedded Flash content from
- %HTML.SafeObject to expand to the full screen. Corresponds to
- the allowFullScreen
parameter.
-
- While this directive is similar to %HTML.AllowedAttributes, for
- forwards-compatibility with XML, this attribute has a different syntax. Instead of
- tag.attr
, use tag@attr
. To disallow href
- attributes in a
tags, set this directive to
- a@href
. You can also disallow an attribute globally with
- attr
or *@attr
(either syntax is fine; the latter
- is provided for consistency with %HTML.AllowedAttributes).
-
- Warning: This directive complements %HTML.ForbiddenElements,
- accordingly, check
- out that directive for a discussion of why you
- should think twice before using this directive.
-
---# vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/HTML.ForbiddenElements.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/HTML.ForbiddenElements.txt --- php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/HTML.ForbiddenElements.txt 2018-02-23 02:08:20.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/HTML.ForbiddenElements.txt 1970-01-01 00:00:00.000000000 +0000 @@ -1,20 +0,0 @@ -HTML.ForbiddenElements -TYPE: lookup -VERSION: 3.1.0 -DEFAULT: array() ---DESCRIPTION-- -- This was, perhaps, the most requested feature ever in HTML - Purifier. Please don't abuse it! This is the logical inverse of - %HTML.AllowedElements, and it will override that directive, or any - other directive. -
-
- If possible, %HTML.Allowed is recommended over this directive, because it
- can sometimes be difficult to tell whether or not you've forbidden all of
- the behavior you would like to disallow. If you forbid img
- with the expectation of preventing images on your site, you'll be in for
- a nasty surprise when people start using the background-image
- CSS property.
-
- This directive controls the maximum number of pixels in the width and
- height attributes in img
tags. This is
- in place to prevent imagecrash attacks, disable with null at your own risk.
- This directive is similar to %CSS.MaxImgLength, and both should be
- concurrently edited, although there are
- subtle differences in the input format (the HTML max is an integer).
-
- String name of element that HTML fragment passed to library will be
- inserted in. An interesting variation would be using span as the
- parent element, meaning that only inline tags would be allowed.
-
---# vim: et sw=4 sts=4
diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/HTML.Proprietary.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/HTML.Proprietary.txt
--- php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/HTML.Proprietary.txt 2018-02-23 02:08:20.000000000 +0000
+++ php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/HTML.Proprietary.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,12 +0,0 @@
-HTML.Proprietary
-TYPE: bool
-VERSION: 3.1.0
-DEFAULT: false
---DESCRIPTION--
-
- Whether or not to allow proprietary elements and attributes in your
- documents, as per HTMLPurifier_HTMLModule_Proprietary
.
- Warning: This can cause your documents to stop
- validating!
-
- Whether or not to permit embed tags in documents, with a number of extra
- security features added to prevent script execution. This is similar to
- what websites like MySpace do to embed tags. Embed is a proprietary
- element and will cause your website to stop validating; you should
- see if you can use %Output.FlashCompat with %HTML.SafeObject instead
- first.
---# vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/HTML.SafeIframe.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/HTML.SafeIframe.txt --- php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/HTML.SafeIframe.txt 2018-02-23 02:08:20.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/HTML.SafeIframe.txt 1970-01-01 00:00:00.000000000 +0000 @@ -1,13 +0,0 @@ -HTML.SafeIframe -TYPE: bool -VERSION: 4.4.0 -DEFAULT: false ---DESCRIPTION-- -- Whether or not to permit iframe tags in untrusted documents. This - directive must be accompanied by a whitelist of permitted iframes, - such as %URI.SafeIframeRegexp, otherwise it will fatally error. - This directive has no effect on strict doctypes, as iframes are not - valid. -
---# vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/HTML.SafeObject.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/HTML.SafeObject.txt --- php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/HTML.SafeObject.txt 2018-02-23 02:08:20.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/HTML.SafeObject.txt 1970-01-01 00:00:00.000000000 +0000 @@ -1,13 +0,0 @@ -HTML.SafeObject -TYPE: bool -VERSION: 3.1.1 -DEFAULT: false ---DESCRIPTION-- -- Whether or not to permit object tags in documents, with a number of extra - security features added to prevent script execution. This is similar to - what websites like MySpace do to object tags. You should also enable - %Output.FlashCompat in order to generate Internet Explorer - compatibility code for your object tags. -
---# vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/HTML.SafeScripting.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/HTML.SafeScripting.txt --- php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/HTML.SafeScripting.txt 2018-02-23 02:08:20.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/HTML.SafeScripting.txt 1970-01-01 00:00:00.000000000 +0000 @@ -1,10 +0,0 @@ -HTML.SafeScripting -TYPE: lookup -VERSION: 4.5.0 -DEFAULT: array() ---DESCRIPTION-- -- Whether or not to permit script tags to external scripts in documents. - Inline scripting is not allowed, and the script must match an explicit whitelist. -
---# vim: et sw=4 sts=4
diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/HTML.Strict.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/HTML.Strict.txt
--- php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/HTML.Strict.txt 2018-02-23 02:08:20.000000000 +0000
+++ php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/HTML.Strict.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,9 +0,0 @@
-HTML.Strict
-TYPE: bool
-VERSION: 1.3.0
-DEFAULT: false
-DEPRECATED-VERSION: 1.7.0
-DEPRECATED-USE: HTML.Doctype
---DESCRIPTION--
-Determines whether or not to use Transitional (loose) or Strict rulesets.
---# vim: et sw=4 sts=4
diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/HTML.TargetBlank.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/HTML.TargetBlank.txt
--- php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/HTML.TargetBlank.txt 2018-02-23 02:08:20.000000000 +0000
+++ php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/HTML.TargetBlank.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,8 +0,0 @@
-HTML.TargetBlank
-TYPE: bool
-VERSION: 4.4.0
-DEFAULT: FALSE
---DESCRIPTION--
-If enabled,target=blank
attributes are added to all outgoing links.
-(This includes links from an HTTPS version of a page to an HTTP version.)
---# vim: et sw=4 sts=4
diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/HTML.TargetNoopener.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/HTML.TargetNoopener.txt
--- php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/HTML.TargetNoopener.txt 2018-02-23 02:08:20.000000000 +0000
+++ php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/HTML.TargetNoopener.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,10 +0,0 @@
---# vim: et sw=4 sts=4
-HTML.TargetNoopener
-TYPE: bool
-VERSION: 4.8.0
-DEFAULT: TRUE
---DESCRIPTION--
-If enabled, noopener rel attributes are added to links which have
-a target attribute associated with them. This prevents malicious
-destinations from overwriting the original window.
---# vim: et sw=4 sts=4
diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/HTML.TargetNoreferrer.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/HTML.TargetNoreferrer.txt
--- php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/HTML.TargetNoreferrer.txt 2018-02-23 02:08:20.000000000 +0000
+++ php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/HTML.TargetNoreferrer.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,9 +0,0 @@
-HTML.TargetNoreferrer
-TYPE: bool
-VERSION: 4.8.0
-DEFAULT: TRUE
---DESCRIPTION--
-If enabled, noreferrer rel attributes are added to links which have
-a target attribute associated with them. This prevents malicious
-destinations from overwriting the original window.
---# vim: et sw=4 sts=4
diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/HTML.TidyAdd.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/HTML.TidyAdd.txt
--- php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/HTML.TidyAdd.txt 2018-02-23 02:08:20.000000000 +0000
+++ php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/HTML.TidyAdd.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,8 +0,0 @@
-HTML.TidyAdd
-TYPE: lookup
-VERSION: 2.0.0
-DEFAULT: array()
---DESCRIPTION--
-
-Fixes to add to the default set of Tidy fixes as per your level.
---# vim: et sw=4 sts=4
diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/HTML.TidyLevel.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/HTML.TidyLevel.txt
--- php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/HTML.TidyLevel.txt 2018-02-23 02:08:20.000000000 +0000
+++ php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/HTML.TidyLevel.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,24 +0,0 @@
-HTML.TidyLevel
-TYPE: string
-VERSION: 2.0.0
-DEFAULT: 'medium'
---DESCRIPTION--
-
-General level of cleanliness the Tidy module should enforce.
-There are four allowed values:
-
- If true, HTML Purifier will protect against Internet Explorer's
- mishandling of the innerHTML
attribute by appending
- a space to any attribute that does not contain angled brackets, spaces
- or quotes, but contains a backtick. This slightly changes the
- semantics of any given attribute, so if this is unacceptable and
- you do not use innerHTML
on any of your pages, you can
- turn this directive off.
-
- If true, HTML Purifier will generate Internet Explorer compatibility
- code for all object code. This is highly recommended if you enable
- %HTML.SafeObject.
-
---# vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/Output.Newline.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/Output.Newline.txt --- php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/Output.Newline.txt 2018-02-23 02:08:20.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/Output.Newline.txt 1970-01-01 00:00:00.000000000 +0000 @@ -1,13 +0,0 @@ -Output.Newline -TYPE: string/null -VERSION: 2.0.1 -DEFAULT: NULL ---DESCRIPTION-- - -- Newline string to format final output with. If left null, HTML Purifier - will auto-detect the default newline type of the system and use that; - you can manually override it here. Remember, \r\n is Windows, \r - is Mac, and \n is Unix. -
---# vim: et sw=4 sts=4
diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/Output.SortAttr.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/Output.SortAttr.txt
--- php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/Output.SortAttr.txt 2018-02-23 02:08:20.000000000 +0000
+++ php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/Output.SortAttr.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,14 +0,0 @@
-Output.SortAttr
-TYPE: bool
-VERSION: 3.2.0
-DEFAULT: false
---DESCRIPTION--
-
- If true, HTML Purifier will sort attributes by name before writing them back
- to the document, converting a tag like: <el b="" a="" c="" />
- to <el a="" b="" c="" />
. This is a workaround for
- a bug in FCKeditor which causes it to swap attributes order, adding noise
- to text diffs. If you're not seeing this bug, chances are, you don't need
- this directive.
-
- Determines whether or not to run Tidy on the final output for pretty
- formatting reasons, such as indentation and wrap.
-
-- This can greatly improve readability for editors who are hand-editing - the HTML, but is by no means necessary as HTML Purifier has already - fixed all major errors the HTML may have had. Tidy is a non-default - extension, and this directive will silently fail if Tidy is not - available. -
-- If you are looking to make the overall look of your page's source - better, I recommend running Tidy on the entire page rather than just - user-content (after all, the indentation relative to the containing - blocks will be incorrect). -
---ALIASES--
-Core.TidyFormat
---# vim: et sw=4 sts=4
diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/Test.ForceNoIconv.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/Test.ForceNoIconv.txt
--- php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/Test.ForceNoIconv.txt 2018-02-23 02:08:20.000000000 +0000
+++ php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/Test.ForceNoIconv.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,7 +0,0 @@
-Test.ForceNoIconv
-TYPE: bool
-DEFAULT: false
---DESCRIPTION--
-When set to true, HTMLPurifier_Encoder will act as if iconv does not exist
-and use only pure PHP implementations.
---# vim: et sw=4 sts=4
diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/URI.AllowedSchemes.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/URI.AllowedSchemes.txt
--- php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/URI.AllowedSchemes.txt 2018-02-23 02:08:20.000000000 +0000
+++ php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/URI.AllowedSchemes.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,18 +0,0 @@
-URI.AllowedSchemes
-TYPE: lookup
---DEFAULT--
-array (
- 'http' => true,
- 'https' => true,
- 'mailto' => true,
- 'ftp' => true,
- 'nntp' => true,
- 'news' => true,
- 'tel' => true,
-)
---DESCRIPTION--
-Whitelist that defines the schemes that a URI is allowed to have. This
-prevents XSS attacks from using pseudo-schemes like javascript or mocha.
-There is also support for thedata
and file
-URI schemes, but they are not enabled by default.
---# vim: et sw=4 sts=4
diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/URI.Base.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/URI.Base.txt
--- php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/URI.Base.txt 2018-02-23 02:08:20.000000000 +0000
+++ php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/URI.Base.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,17 +0,0 @@
-URI.Base
-TYPE: string/null
-VERSION: 2.1.0
-DEFAULT: NULL
---DESCRIPTION--
-
-- The base URI is the URI of the document this purified HTML will be - inserted into. This information is important if HTML Purifier needs - to calculate absolute URIs from relative URIs, such as when %URI.MakeAbsolute - is on. You may use a non-absolute URI for this value, but behavior - may vary (%URI.MakeAbsolute deals nicely with both absolute and - relative paths, but forwards-compatibility is not guaranteed). - Warning: If set, the scheme on this URI - overrides the one specified by %URI.DefaultScheme. -
---# vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/URI.DefaultScheme.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/URI.DefaultScheme.txt --- php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/URI.DefaultScheme.txt 2018-02-23 02:08:20.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/URI.DefaultScheme.txt 1970-01-01 00:00:00.000000000 +0000 @@ -1,15 +0,0 @@ -URI.DefaultScheme -TYPE: string/null -DEFAULT: 'http' ---DESCRIPTION-- - -- Defines through what scheme the output will be served, in order to - select the proper object validator when no scheme information is present. -
- -- Starting with HTML Purifier 4.9.0, the default scheme can be null, in - which case we reject all URIs which do not have explicit schemes. -
---# vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/URI.DefinitionID.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/URI.DefinitionID.txt --- php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/URI.DefinitionID.txt 2018-02-23 02:08:20.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/URI.DefinitionID.txt 1970-01-01 00:00:00.000000000 +0000 @@ -1,11 +0,0 @@ -URI.DefinitionID -TYPE: string/null -VERSION: 2.1.0 -DEFAULT: NULL ---DESCRIPTION-- - -- Unique identifier for a custom-built URI definition. If you want - to add custom URIFilters, you must specify this value. -
---# vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/URI.DefinitionRev.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/URI.DefinitionRev.txt --- php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/URI.DefinitionRev.txt 2018-02-23 02:08:20.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/URI.DefinitionRev.txt 1970-01-01 00:00:00.000000000 +0000 @@ -1,11 +0,0 @@ -URI.DefinitionRev -TYPE: int -VERSION: 2.1.0 -DEFAULT: 1 ---DESCRIPTION-- - -- Revision identifier for your custom definition. See - %HTML.DefinitionRev for details. -
---# vim: et sw=4 sts=4
diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/URI.DisableExternalResources.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/URI.DisableExternalResources.txt
--- php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/URI.DisableExternalResources.txt 2018-02-23 02:08:20.000000000 +0000
+++ php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/URI.DisableExternalResources.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,13 +0,0 @@
-URI.DisableExternalResources
-TYPE: bool
-VERSION: 1.3.0
-DEFAULT: false
---DESCRIPTION--
-Disables the embedding of external resources, preventing users from
-embedding things like images from other hosts. This prevents access
-tracking (good for email viewers), bandwidth leeching, cross-site request
-forging, goatse.cx posting, and other nasties, but also results in a loss
-of end-user functionality (they can't directly post a pic they posted from
-Flickr anymore). Use it if you don't have a robust user-content moderation
-team.
---# vim: et sw=4 sts=4
diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/URI.DisableExternal.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/URI.DisableExternal.txt
--- php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/URI.DisableExternal.txt 2018-02-23 02:08:20.000000000 +0000
+++ php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/URI.DisableExternal.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,11 +0,0 @@ -URI.DisableExternal -TYPE: bool -VERSION: 1.2.0 -DEFAULT: false ---DESCRIPTION-- -Disables links to external websites. This is a highly effective anti-spam -and anti-pagerank-leech measure, but comes at a hefty price: nolinks or -images outside of your domain will be allowed. Non-linkified URIs will -still be preserved. If you want to be able to link to subdomains or use -absolute URIs, specify %URI.Host for your website. ---# vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/URI.DisableResources.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/URI.DisableResources.txt --- php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/URI.DisableResources.txt 2018-02-23 02:08:20.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/URI.DisableResources.txt 1970-01-01 00:00:00.000000000 +0000 @@ -1,15 +0,0 @@ -URI.DisableResources -TYPE: bool -VERSION: 4.2.0 -DEFAULT: false ---DESCRIPTION-- -- Disables embedding resources, essentially meaning no pictures. You can - still link to them though. See %URI.DisableExternalResources for why - this might be a good idea. -
-- Note: While this directive has been available since 1.3.0, - it didn't actually start doing anything until 4.2.0. -
---# vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/URI.Disable.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/URI.Disable.txt --- php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/URI.Disable.txt 2018-02-23 02:08:20.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/URI.Disable.txt 1970-01-01 00:00:00.000000000 +0000 @@ -1,14 +0,0 @@ -URI.Disable -TYPE: bool -VERSION: 1.3.0 -DEFAULT: false ---DESCRIPTION-- - -- Disables all URIs in all forms. Not sure why you'd want to do that - (after all, the Internet's founded on the notion of a hyperlink). -
-
---ALIASES--
-Attr.DisableURI
---# vim: et sw=4 sts=4
diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/URI.HostBlacklist.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/URI.HostBlacklist.txt
--- php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/URI.HostBlacklist.txt 2018-02-23 02:08:20.000000000 +0000
+++ php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/URI.HostBlacklist.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,9 +0,0 @@
-URI.HostBlacklist
-TYPE: list
-VERSION: 1.3.0
-DEFAULT: array()
---DESCRIPTION--
-List of strings that are forbidden in the host of any URI. Use it to kill
-domain names of spam, etc. Note that it will catch anything in the domain,
-so moo.com will catch moo.com.example.com.
---# vim: et sw=4 sts=4
diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/URI.Host.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/URI.Host.txt
--- php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/URI.Host.txt 2018-02-23 02:08:20.000000000 +0000
+++ php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/URI.Host.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,19 +0,0 @@ -URI.Host -TYPE: string/null -VERSION: 1.2.0 -DEFAULT: NULL ---DESCRIPTION-- - -- Defines the domain name of the server, so we can determine whether or - an absolute URI is from your website or not. Not strictly necessary, - as users should be using relative URIs to reference resources on your - website. It will, however, let you use absolute URIs to link to - subdomains of the domain you post here: i.e. example.com will allow - sub.example.com. However, higher up domains will still be excluded: - if you set %URI.Host to sub.example.com, example.com will be blocked. - Note: This directive overrides %URI.Base because - a given page may be on a sub-domain, but you wish HTML Purifier to be - more relaxed and allow some of the parent domains too. -
---# vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/URI.MakeAbsolute.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/URI.MakeAbsolute.txt --- php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/URI.MakeAbsolute.txt 2018-02-23 02:08:20.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/URI.MakeAbsolute.txt 1970-01-01 00:00:00.000000000 +0000 @@ -1,13 +0,0 @@ -URI.MakeAbsolute -TYPE: bool -VERSION: 2.1.0 -DEFAULT: false ---DESCRIPTION-- - -- Converts all URIs into absolute forms. This is useful when the HTML - being filtered assumes a specific base path, but will actually be - viewed in a different context (and setting an alternate base URI is - not possible). %URI.Base must be set for this directive to work. -
---# vim: et sw=4 sts=4
diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/URI.MungeResources.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/URI.MungeResources.txt
--- php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/URI.MungeResources.txt 2018-02-23 02:08:20.000000000 +0000
+++ php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/URI.MungeResources.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,17 +0,0 @@
-URI.MungeResources
-TYPE: bool
-VERSION: 3.1.1
-DEFAULT: false
---DESCRIPTION--
-
- If true, any URI munging directives like %URI.Munge
- will also apply to embedded resources, such as <img src="">
.
- Be careful enabling this directive if you have a redirector script
- that does not use the Location
HTTP header; all of your images
- and other embedded resources will break.
-
- Warning: It is strongly advised you use this in conjunction - %URI.MungeSecretKey to mitigate the security risk of an open redirector. -
---# vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/URI.MungeSecretKey.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/URI.MungeSecretKey.txt --- php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/URI.MungeSecretKey.txt 2018-02-23 02:08:20.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/URI.MungeSecretKey.txt 1970-01-01 00:00:00.000000000 +0000 @@ -1,30 +0,0 @@ -URI.MungeSecretKey -TYPE: string/null -VERSION: 3.1.1 -DEFAULT: NULL ---DESCRIPTION-- -- This directive enables secure checksum generation along with %URI.Munge. - It should be set to a secure key that is not shared with anyone else. - The checksum can be placed in the URI using %t. Use of this checksum - affords an additional level of protection by allowing a redirector - to check if a URI has passed through HTML Purifier with this line: -
- -$checksum === hash_hmac("sha256", $url, $secret_key)- -
- If the output is TRUE, the redirector script should accept the URI. -
- -- Please note that it would still be possible for an attacker to procure - secure hashes en-mass by abusing your website's Preview feature or the - like, but this service affords an additional level of protection - that should be combined with website blacklisting. -
- -- Remember this has no effect if %URI.Munge is not on. -
---# vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/URI.Munge.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/URI.Munge.txt --- php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/URI.Munge.txt 2018-02-23 02:08:20.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/URI.Munge.txt 1970-01-01 00:00:00.000000000 +0000 @@ -1,83 +0,0 @@ -URI.Munge -TYPE: string/null -VERSION: 1.3.0 -DEFAULT: NULL ---DESCRIPTION-- - -
- Munges all browsable (usually http, https and ftp)
- absolute URIs into another URI, usually a URI redirection service.
- This directive accepts a URI, formatted with a %s
where
- the url-encoded original URI should be inserted (sample:
- http://www.google.com/url?q=%s
).
-
- Uses for this directive: -
-
- Prior to HTML Purifier 3.1.1, this directive also enabled the munging
- of browsable external resources, which could break things if your redirection
- script was a splash page or used meta
tags. To revert to
- previous behavior, please use %URI.MungeResources.
-
- You may want to also use %URI.MungeSecretKey along with this directive - in order to enforce what URIs your redirector script allows. Open - redirector scripts can be a security risk and negatively affect the - reputation of your domain name. -
-- Starting with HTML Purifier 3.1.1, there is also these substitutions: -
-Key | -Description | -Example <a href=""> |
-
---|---|---|
%r | -1 - The URI embeds a resource (blank) - The URI is merely a link |
- - |
%n | -The name of the tag this URI came from | -a | -
%m | -The name of the attribute this URI came from | -href | -
%p | -The name of the CSS property this URI came from, or blank if irrelevant | -- |
- Admittedly, these letters are somewhat arbitrary; the only stipulation - was that they couldn't be a through f. r is for resource (I would have preferred - e, but you take what you can get), n is for name, m - was picked because it came after n (and I couldn't use a), p is for - property. -
---# vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/URI.OverrideAllowedSchemes.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/URI.OverrideAllowedSchemes.txt --- php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/URI.OverrideAllowedSchemes.txt 2018-02-23 02:08:20.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/URI.OverrideAllowedSchemes.txt 1970-01-01 00:00:00.000000000 +0000 @@ -1,9 +0,0 @@ -URI.OverrideAllowedSchemes -TYPE: bool -DEFAULT: true ---DESCRIPTION-- -If this is set to true (which it is by default), you can override -%URI.AllowedSchemes by simply registering a HTMLPurifier_URIScheme to the -registry. If false, you will also have to update that directive in order -to add more schemes. ---# vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/URI.SafeIframeRegexp.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/URI.SafeIframeRegexp.txt --- php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/URI.SafeIframeRegexp.txt 2018-02-23 02:08:20.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ConfigSchema/schema/URI.SafeIframeRegexp.txt 1970-01-01 00:00:00.000000000 +0000 @@ -1,22 +0,0 @@ -URI.SafeIframeRegexp -TYPE: string/null -VERSION: 4.4.0 -DEFAULT: NULL ---DESCRIPTION-- -- A PCRE regular expression that will be matched against an iframe URI. This is - a relatively inflexible scheme, but works well enough for the most common - use-case of iframes: embedded video. This directive only has an effect if - %HTML.SafeIframe is enabled. Here are some example values: -
-%^http://www.youtube.com/embed/%
- Allow YouTube videos%^http://player.vimeo.com/video/%
- Allow Vimeo videos%^http://(www.youtube.com/embed/|player.vimeo.com/video/)%
- Allow both
- Note that this directive does not give you enough granularity to, say, disable
- all autoplay
videos. Pipe up on the HTML Purifier forums if this
- is a capability you want.
-
' . $this->locale->getMessage('ErrorCollector: No errors') . '
'; - } else { - return ''; - //$string .= ''; - //$string .= ''; - $ret[] = $string; - } - foreach ($current->children as $array) { - $context[] = $current; - $stack = array_merge($stack, array_reverse($array, true)); - for ($i = count($array); $i > 0; $i--) { - $context_stack[] = $context; - } - } - } - } -} - -// vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ErrorStruct.php php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ErrorStruct.php --- php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/ErrorStruct.php 2018-02-23 02:08:20.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/ErrorStruct.php 1970-01-01 00:00:00.000000000 +0000 @@ -1,74 +0,0 @@ -children[$type][$id])) { - $this->children[$type][$id] = new HTMLPurifier_ErrorStruct(); - $this->children[$type][$id]->type = $type; - } - return $this->children[$type][$id]; - } - - /** - * @param int $severity - * @param string $message - */ - public function addError($severity, $message) - { - $this->errors[] = array($severity, $message); - } -} - -// vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/Exception.php php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/Exception.php --- php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/Exception.php 2018-02-23 02:08:20.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/Exception.php 1970-01-01 00:00:00.000000000 +0000 
@@ -1,12 +0,0 @@ - blocks from input HTML, cleans them up - * using CSSTidy, and then places them in $purifier->context->get('StyleBlocks') - * so they can be used elsewhere in the document. - * - * @note - * See tests/HTMLPurifier/Filter/ExtractStyleBlocksTest.php for - * sample usage. - * - * @note - * This filter can also be used on stylesheets not included in the - * document--something purists would probably prefer. Just directly - * call HTMLPurifier_Filter_ExtractStyleBlocks->cleanCSS() - */ -class HTMLPurifier_Filter_ExtractStyleBlocks extends HTMLPurifier_Filter -{ - /** - * @type string - */ - public $name = 'ExtractStyleBlocks'; - - /** - * @type array - */ - private $_styleMatches = array(); - - /** - * @type csstidy - */ - private $_tidy; - - /** - * @type HTMLPurifier_AttrDef_HTML_ID - */ - private $_id_attrdef; - - /** - * @type HTMLPurifier_AttrDef_CSS_Ident - */ - private $_class_attrdef; - - /** - * @type HTMLPurifier_AttrDef_Enum - */ - private $_enum_attrdef; - - public function __construct() - { - $this->_tidy = new csstidy(); - $this->_tidy->set_cfg('lowercase_s', false); - $this->_id_attrdef = new HTMLPurifier_AttrDef_HTML_ID(true); - $this->_class_attrdef = new HTMLPurifier_AttrDef_CSS_Ident(); - $this->_enum_attrdef = new HTMLPurifier_AttrDef_Enum( - array( - 'first-child', - 'link', - 'visited', - 'active', - 'hover', - 'focus' - ) - ); - } - - /** - * Save the contents of CSS blocks to style matches - * @param array $matches preg_replace style $matches array - */ - protected function styleCallback($matches) - { - $this->_styleMatches[] = $matches[1]; - } - - /** - * Removes inline - // we must not grab foo in a font-family prop). 
- if ($config->get('Filter.ExtractStyleBlocks.Escaping')) { - $css = str_replace( - array('<', '>', '&'), - array('\3C ', '\3E ', '\26 '), - $css - ); - } - return $css; - } -} - -// vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/Filter/YouTube.php php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/Filter/YouTube.php --- php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/Filter/YouTube.php 2018-02-23 02:08:20.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/Filter/YouTube.php 1970-01-01 00:00:00.000000000 +0000 @@ -1,65 +0,0 @@ -]+>.+?' . - '(?:http:)?//www.youtube.com/((?:v|cp)/[A-Za-z0-9\-_=]+).+?#s'; - $pre_replace = ' '; - return preg_replace($pre_regex, $pre_replace, $html); - } - - /** - * @param string $html - * @param HTMLPurifier_Config $config - * @param HTMLPurifier_Context $context - * @return string - */ - public function postFilter($html, $config, $context) - { - $post_regex = '# #'; - return preg_replace_callback($post_regex, array($this, 'postFilterCallback'), $html); - } - - /** - * @param $url - * @return string - */ - protected function armorUrl($url) - { - return str_replace('--', '--', $url); - } - - /** - * @param array $matches - * @return string - */ - protected function postFilterCallback($matches) - { - $url = $this->armorUrl($matches[1]); - return ''; - } -} - -// vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/Filter.php php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/Filter.php --- php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/Filter.php 2018-02-23 02:08:20.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/Filter.php 1970-01-01 00:00:00.000000000 +0000 
@@ -1,56 +0,0 @@ -preFilter, - * 2->preFilter, 3->preFilter, purify, 3->postFilter, 2->postFilter, - * 1->postFilter. - * - * @note Methods are not declared abstract as it is perfectly legitimate - * for an implementation not to want anything to happen on a step - */ - -class HTMLPurifier_Filter -{ - - /** - * Name of the filter for identification purposes. - * @type string - */ - public $name; - - /** - * Pre-processor function, handles HTML before HTML Purifier - * @param string $html - * @param HTMLPurifier_Config $config - * @param HTMLPurifier_Context $context - * @return string - */ - public function preFilter($html, $config, $context) - { - return $html; - } - - /** - * Post-processor function, handles HTML after HTML Purifier - * @param string $html - * @param HTMLPurifier_Config $config - * @param HTMLPurifier_Context $context - * @return string - */ - public function postFilter($html, $config, $context) - { - return $html; - } -} - -// vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/Generator.php php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/Generator.php --- php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/Generator.php 2018-02-23 02:08:20.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/Generator.php 1970-01-01 00:00:00.000000000 +0000 
@@ -1,286 +0,0 @@ - tags. - * @type bool - */ - private $_scriptFix = false; - - /** - * Cache of HTMLDefinition during HTML output to determine whether or - * not attributes should be minimized. - * @type HTMLPurifier_HTMLDefinition - */ - private $_def; - - /** - * Cache of %Output.SortAttr. - * @type bool - */ - private $_sortAttr; - - /** - * Cache of %Output.FlashCompat. - * @type bool - */ - private $_flashCompat; - - /** - * Cache of %Output.FixInnerHTML. - * @type bool - */ - private $_innerHTMLFix; - - /** - * Stack for keeping track of object information when outputting IE - * compatibility code. - * @type array - */ - private $_flashStack = array(); - - /** - * Configuration for the generator - * @type HTMLPurifier_Config - */ - protected $config; - - /** - * @param HTMLPurifier_Config $config - * @param HTMLPurifier_Context $context - */ - public function __construct($config, $context) - { - $this->config = $config; - $this->_scriptFix = $config->get('Output.CommentScriptContents'); - $this->_innerHTMLFix = $config->get('Output.FixInnerHTML'); - $this->_sortAttr = $config->get('Output.SortAttr'); - $this->_flashCompat = $config->get('Output.FlashCompat'); - $this->_def = $config->getHTMLDefinition(); - $this->_xhtml = $this->_def->doctype->xml; - } - - /** - * Generates HTML from an array of tokens. - * @param HTMLPurifier_Token[] $tokens Array of HTMLPurifier_Token - * @return string Generated HTML - */ - public function generateFromTokens($tokens) - { - if (!$tokens) { - return ''; - } - - // Basic algorithm - $html = ''; - for ($i = 0, $size = count($tokens); $i < $size; $i++) { - if ($this->_scriptFix && $tokens[$i]->name === 'script' - && $i + 2 < $size && $tokens[$i+2] instanceof HTMLPurifier_Token_End) { - // script special case - // the contents of the script block must be ONE token - // for this to work. 
- $html .= $this->generateFromToken($tokens[$i++]); - $html .= $this->generateScriptFromToken($tokens[$i++]); - } - $html .= $this->generateFromToken($tokens[$i]); - } - - // Tidy cleanup - if (extension_loaded('tidy') && $this->config->get('Output.TidyFormat')) { - $tidy = new Tidy; - $tidy->parseString( - $html, - array( - 'indent'=> true, - 'output-xhtml' => $this->_xhtml, - 'show-body-only' => true, - 'indent-spaces' => 2, - 'wrap' => 68, - ), - 'utf8' - ); - $tidy->cleanRepair(); - $html = (string) $tidy; // explicit cast necessary - } - - // Normalize newlines to system defined value - if ($this->config->get('Core.NormalizeNewlines')) { - $nl = $this->config->get('Output.Newline'); - if ($nl === null) { - $nl = PHP_EOL; - } - if ($nl !== "\n") { - $html = str_replace("\n", $nl, $html); - } - } - return $html; - } - - /** - * Generates HTML from a single token. - * @param HTMLPurifier_Token $token HTMLPurifier_Token object. - * @return string Generated HTML - */ - public function generateFromToken($token) - { - if (!$token instanceof HTMLPurifier_Token) { - trigger_error('Cannot generate HTML from non-HTMLPurifier_Token object', E_USER_WARNING); - return ''; - - } elseif ($token instanceof HTMLPurifier_Token_Start) { - $attr = $this->generateAttributes($token->attr, $token->name); - if ($this->_flashCompat) { - if ($token->name == "object") { - $flash = new stdClass(); - $flash->attr = $token->attr; - $flash->param = array(); - $this->_flashStack[] = $flash; - } - } - return '<' . $token->name . ($attr ? ' ' : '') . $attr . '>'; - - } elseif ($token instanceof HTMLPurifier_Token_End) { - $_extra = ''; - if ($this->_flashCompat) { - if ($token->name == "object" && !empty($this->_flashStack)) { - // doesn't do anything for now - } - } - return $_extra . '' . $token->name . 
'>'; - - } elseif ($token instanceof HTMLPurifier_Token_Empty) { - if ($this->_flashCompat && $token->name == "param" && !empty($this->_flashStack)) { - $this->_flashStack[count($this->_flashStack)-1]->param[$token->attr['name']] = $token->attr['value']; - } - $attr = $this->generateAttributes($token->attr, $token->name); - return '<' . $token->name . ($attr ? ' ' : '') . $attr . - ( $this->_xhtml ? ' /': '' ) //
tags? - if ($this->allowsElement('p')) { - if (empty($this->currentNesting) || strpos($text, "\n\n") !== false) { - // Note that we have differing behavior when dealing with text - // in the anonymous root node, or a node inside the document. - // If the text as a double-newline, the treatment is the same; - // if it doesn't, see the next if-block if you're in the document. - - $i = $nesting = null; - if (!$this->forwardUntilEndToken($i, $current, $nesting) && $token->is_whitespace) { - // State 1.1: ... ^ (whitespace, then document end) - // ---- - // This is a degenerate case - } else { - if (!$token->is_whitespace || $this->_isInline($current)) { - // State 1.2: PAR1 - // ---- - - // State 1.3: PAR1\n\nPAR2 - // ------------ - - // State 1.4:
tag? - } elseif (!empty($this->currentNesting) && - $this->currentNesting[count($this->currentNesting) - 1]->name == 'p') { - // State 3.1: ...
PAR1 - // ---- - - // State 3.2: ...
PAR1\n\nPAR2 - // ------------ - $token = array(); - $this->_splitText($text, $token); - // Abort! - } else { - // State 4.1: ...PAR1 - // ---- - - // State 4.2: ...PAR1\n\nPAR2 - // ------------ - } - } - - /** - * @param HTMLPurifier_Token $token - */ - public function handleElement(&$token) - { - // We don't have to check if we're already in a
tag for block - // tokens, because the tag would have been autoclosed by MakeWellFormed. - if ($this->allowsElement('p')) { - if (!empty($this->currentNesting)) { - if ($this->_isInline($token)) { - // State 1:
PAR1
\n\n - // --- - // Quite frankly, this should be handled by splitText - $token = array($this->_pStart(), $token); - } else { - // State 1.1.1:PAR1
- // --- - // State 1.1.2:is needed. - if ($this->_pLookAhead()) { - // State 1.3.1:
tags. - } - } - } - } else { - // State 2.2:
- // --- - } - } - - /** - * Splits up a text in paragraph tokens and appends them - * to the result stream that will replace the original - * @param string $data String text data that will be processed - * into paragraphs - * @param HTMLPurifier_Token[] $result Reference to array of tokens that the - * tags will be appended onto - */ - private function _splitText($data, &$result) - { - $raw_paragraphs = explode("\n\n", $data); - $paragraphs = array(); // without empty paragraphs - $needs_start = false; - $needs_end = false; - - $c = count($raw_paragraphs); - if ($c == 1) { - // There were no double-newlines, abort quickly. In theory this - // should never happen. - $result[] = new HTMLPurifier_Token_Text($data); - return; - } - for ($i = 0; $i < $c; $i++) { - $par = $raw_paragraphs[$i]; - if (trim($par) !== '') { - $paragraphs[] = $par; - } else { - if ($i == 0) { - // Double newline at the front - if (empty($result)) { - // The empty result indicates that the AutoParagraph - // injector did not add any start paragraph tokens. - // This means that we have been in a paragraph for - // a while, and the newline means we should start a new one. - $result[] = new HTMLPurifier_Token_End('p'); - $result[] = new HTMLPurifier_Token_Text("\n\n"); - // However, the start token should only be added if - // there is more processing to be done (i.e. there are - // real paragraphs in here). If there are none, the - // next start paragraph tag will be handled by the - // next call to the injector - $needs_start = true; - } else { - // We just started a new paragraph! - // Reinstate a double-newline for presentation's sake, since - // it was in the source code. - array_unshift($result, new HTMLPurifier_Token_Text("\n\n")); - } - } elseif ($i + 1 == $c) { - // Double newline at the end - // There should be a trailing
when we're finally done. - $needs_end = true; - } - } - } - - // Check if this was just a giant blob of whitespace. Move this earlier, - // perhaps? - if (empty($paragraphs)) { - return; - } - - // Add the start tag indicated by \n\n at the beginning of $data - if ($needs_start) { - $result[] = $this->_pStart(); - } - - // Append the paragraphs onto the result - foreach ($paragraphs as $par) { - $result[] = new HTMLPurifier_Token_Text($par); - $result[] = new HTMLPurifier_Token_End('p'); - $result[] = new HTMLPurifier_Token_Text("\n\n"); - $result[] = $this->_pStart(); - } - - // Remove trailing start token; Injector will handle this later if - // it was indeed needed. This prevents from needing to do a lookahead, - // at the cost of a lookbehind later. - array_pop($result); - - // If there is no need for an end tag, remove all of it and let - // MakeWellFormed close it later. - if (!$needs_end) { - array_pop($result); // removes \n\n - array_pop($result); // removes - } - } - - /** - * Returns true if passed token is inline (and, ergo, allowed in - * paragraph tags) - * @param HTMLPurifier_Token $token - * @return bool - */ - private function _isInline($token) - { - return isset($this->htmlDefinition->info['p']->child->elements[$token->name]); - } - - /** - * Looks ahead in the token list and determines whether or not we need - * to insert atag. - * @return bool - */ - private function _pLookAhead() - { - if ($this->currentToken instanceof HTMLPurifier_Token_Start) { - $nesting = 1; - } else { - $nesting = 0; - } - $ok = false; - $i = null; - while ($this->forwardUntilEndToken($i, $current, $nesting)) { - $result = $this->_checkNeedsP($current); - if ($result !== null) { - $ok = $result; - break; - } - } - return $ok; - } - - /** - * Determines if a particular token requires an earlier inline token - * to get a paragraph. 
This should be used with _forwardUntilEndToken - * @param HTMLPurifier_Token $current - * @return bool - */ - private function _checkNeedsP($current) - { - if ($current instanceof HTMLPurifier_Token_Start) { - if (!$this->_isInline($current)) { - //
n"; - //echo "$n\nsigfigs = $sigfigs\nnew_log = $new_log\nlog = $log\nrp = $rp\n\n"; - - $n = $this->round($n, $sigfigs); - if (strpos($n, '.') !== false) { - $n = rtrim($n, '0'); - } - $n = rtrim($n, '.'); - - return new HTMLPurifier_Length($n, $unit); - } - - /** - * Returns the number of significant figures in a string number. - * @param string $n Decimal number - * @return int number of sigfigs - */ - public function getSigFigs($n) - { - $n = ltrim($n, '0+-'); - $dp = strpos($n, '.'); // decimal position - if ($dp === false) { - $sigfigs = strlen(rtrim($n, '0')); - } else { - $sigfigs = strlen(ltrim($n, '0.')); // eliminate extra decimal character - if ($dp !== 0) { - $sigfigs--; - } - } - return $sigfigs; - } - - /** - * Adds two numbers, using arbitrary precision when available. - * @param string $s1 - * @param string $s2 - * @param int $scale - * @return string - */ - private function add($s1, $s2, $scale) - { - if ($this->bcmath) { - return bcadd($s1, $s2, $scale); - } else { - return $this->scale((float)$s1 + (float)$s2, $scale); - } - } - - /** - * Multiples two numbers, using arbitrary precision when available. - * @param string $s1 - * @param string $s2 - * @param int $scale - * @return string - */ - private function mul($s1, $s2, $scale) - { - if ($this->bcmath) { - return bcmul($s1, $s2, $scale); - } else { - return $this->scale((float)$s1 * (float)$s2, $scale); - } - } - - /** - * Divides two numbers, using arbitrary precision when available. - * @param string $s1 - * @param string $s2 - * @param int $scale - * @return string - */ - private function div($s1, $s2, $scale) - { - if ($this->bcmath) { - return bcdiv($s1, $s2, $scale); - } else { - return $this->scale((float)$s1 / (float)$s2, $scale); - } - } - - /** - * Rounds a number according to the number of sigfigs it should have, - * using arbitrary precision when available. 
- * @param float $n - * @param int $sigfigs - * @return string - */ - private function round($n, $sigfigs) - { - $new_log = (int)floor(log(abs($n), 10)); // Number of digits left of decimal - 1 - $rp = $sigfigs - $new_log - 1; // Number of decimal places needed - $neg = $n < 0 ? '-' : ''; // Negative sign - if ($this->bcmath) { - if ($rp >= 0) { - $n = bcadd($n, $neg . '0.' . str_repeat('0', $rp) . '5', $rp + 1); - $n = bcdiv($n, '1', $rp); - } else { - // This algorithm partially depends on the standardized - // form of numbers that comes out of bcmath. - $n = bcadd($n, $neg . '5' . str_repeat('0', $new_log - $sigfigs), 0); - $n = substr($n, 0, $sigfigs + strlen($neg)) . str_repeat('0', $new_log - $sigfigs + 1); - } - return $n; - } else { - return $this->scale(round($n, $sigfigs - $new_log - 1), $rp + 1); - } - } - - /** - * Scales a float to $scale digits right of decimal point, like BCMath. - * @param float $r - * @param int $scale - * @return string - */ - private function scale($r, $scale) - { - if ($scale < 0) { - // The f sprintf type doesn't support negative numbers, so we - // need to cludge things manually. First get the string. - $r = sprintf('%.0f', (float)$r); - // Due to floating point precision loss, $r will more than likely - // look something like 4652999999999.9234. We grab one more digit - // than we need to precise from $r and then use that to round - // appropriately. - $precise = (string)round(substr($r, 0, strlen($r) + $scale), -1); - // Now we return it, truncating the zero that was rounded off. - return substr($precise, 0, -1) . str_repeat('0', -$scale + 1); - } - return sprintf('%.' . $scale . 
'f', (float)$r); - } -} - -// vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/URIDefinition.php php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/URIDefinition.php --- php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/URIDefinition.php 2018-02-23 02:08:20.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/URIDefinition.php 1970-01-01 00:00:00.000000000 +0000 
@@ -1,112 +0,0 @@ -registerFilter(new HTMLPurifier_URIFilter_DisableExternal()); - $this->registerFilter(new HTMLPurifier_URIFilter_DisableExternalResources()); - $this->registerFilter(new HTMLPurifier_URIFilter_DisableResources()); - $this->registerFilter(new HTMLPurifier_URIFilter_HostBlacklist()); - $this->registerFilter(new HTMLPurifier_URIFilter_SafeIframe()); - $this->registerFilter(new HTMLPurifier_URIFilter_MakeAbsolute()); - $this->registerFilter(new HTMLPurifier_URIFilter_Munge()); - } - - public function registerFilter($filter) - { - $this->registeredFilters[$filter->name] = $filter; - } - - public function addFilter($filter, $config) - { - $r = $filter->prepare($config); - if ($r === false) return; // null is ok, for backwards compat - if ($filter->post) { - $this->postFilters[$filter->name] = $filter; - } else { - $this->filters[$filter->name] = $filter; - } - } - - protected function doSetup($config) - { - $this->setupMemberVariables($config); - $this->setupFilters($config); - } - - protected function setupFilters($config) - { - foreach ($this->registeredFilters as $name => $filter) { - if ($filter->always_load) { - $this->addFilter($filter, $config); - } else { - $conf = $config->get('URI.' . 
$name); - if ($conf !== false && $conf !== null) { - $this->addFilter($filter, $config); - } - } - } - unset($this->registeredFilters); - } - - protected function setupMemberVariables($config) - { - $this->host = $config->get('URI.Host'); - $base_uri = $config->get('URI.Base'); - if (!is_null($base_uri)) { - $parser = new HTMLPurifier_URIParser(); - $this->base = $parser->parse($base_uri); - $this->defaultScheme = $this->base->scheme; - if (is_null($this->host)) $this->host = $this->base->host; - } - if (is_null($this->defaultScheme)) $this->defaultScheme = $config->get('URI.DefaultScheme'); - } - - public function getDefaultScheme($config, $context) - { - return HTMLPurifier_URISchemeRegistry::instance()->getScheme($this->defaultScheme, $config, $context); - } - - public function filter(&$uri, $config, $context) - { - foreach ($this->filters as $name => $f) { - $result = $f->filter($uri, $config, $context); - if (!$result) return false; - } - return true; - } - - public function postFilter(&$uri, $config, $context) - { - foreach ($this->postFilters as $name => $f) { - $result = $f->filter($uri, $config, $context); - if (!$result) return false; - } - return true; - } - -} - -// vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/URIFilter/DisableExternal.php php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/URIFilter/DisableExternal.php --- php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/URIFilter/DisableExternal.php 2018-02-23 02:08:20.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/URIFilter/DisableExternal.php 1970-01-01 00:00:00.000000000 +0000 
@@ -1,54 +0,0 @@ -getDefinition('URI')->host; - if ($our_host !== null) { - $this->ourHostParts = array_reverse(explode('.', $our_host)); - } - } - - /** - * @param HTMLPurifier_URI $uri Reference - * @param HTMLPurifier_Config $config - * @param HTMLPurifier_Context $context - * @return bool - */ - public function filter(&$uri, $config, $context) - { - if (is_null($uri->host)) { - return true; - } - if ($this->ourHostParts === false) { - return false; - } - $host_parts = array_reverse(explode('.', $uri->host)); - foreach ($this->ourHostParts as $i => $x) { - if (!isset($host_parts[$i])) { - return false; - } - if ($host_parts[$i] != $this->ourHostParts[$i]) { - return false; - } - } - return true; - } -} - -// vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/URIFilter/DisableExternalResources.php php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/URIFilter/DisableExternalResources.php --- php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/URIFilter/DisableExternalResources.php 2018-02-23 02:08:20.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/URIFilter/DisableExternalResources.php 1970-01-01 00:00:00.000000000 +0000 @@ -1,25 +0,0 @@ -get('EmbeddedURI', true)) { - return true; - } - return parent::filter($uri, $config, $context); - } -} - -// vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/URIFilter/DisableResources.php php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/URIFilter/DisableResources.php --- php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/URIFilter/DisableResources.php 2018-02-23 02:08:20.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/URIFilter/DisableResources.php 1970-01-01 00:00:00.000000000 +0000 
@@ -1,22 +0,0 @@
-get('EmbeddedURI', true);
- }
-}
-
-// vim: et sw=4 sts=4
diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/URIFilter/HostBlacklist.php php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/URIFilter/HostBlacklist.php
--- php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/URIFilter/HostBlacklist.php 2018-02-23 02:08:20.000000000 +0000
+++ php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/URIFilter/HostBlacklist.php 1970-01-01 00:00:00.000000000 +0000
@@ -1,46 +0,0 @@
-blacklist = $config->get('URI.HostBlacklist');
- return true;
- }
-
- /**
- * @param HTMLPurifier_URI $uri
- * @param HTMLPurifier_Config $config
- * @param HTMLPurifier_Context $context
- * @return bool
- */
- public function filter(&$uri, $config, $context)
- {
- foreach ($this->blacklist as $blacklisted_host_fragment) {
- if (strpos($uri->host, $blacklisted_host_fragment) !== false) {
- return false;
- }
- }
- return true;
- }
-}
-
-// vim: et sw=4 sts=4
diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/URIFilter/MakeAbsolute.php php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/URIFilter/MakeAbsolute.php
--- php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/URIFilter/MakeAbsolute.php 2018-02-23 02:08:20.000000000 +0000
+++ php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/URIFilter/MakeAbsolute.php 1970-01-01 00:00:00.000000000 +0000
@@ -1,158 +0,0 @@
-getDefinition('URI');
- $this->base = $def->base;
- if (is_null($this->base)) {
- trigger_error(
- 'URI.MakeAbsolute is being ignored due to lack of ' .
- 'value for URI.Base configuration',
- E_USER_WARNING
- );
- return false;
- }
- $this->base->fragment = null; // fragment is invalid for base URI
- $stack = explode('/', $this->base->path);
- array_pop($stack); // discard last segment
- $stack = $this->_collapseStack($stack); // do pre-parsing
- $this->basePathStack = $stack;
- return true;
- }
-
- /**
- * @param HTMLPurifier_URI $uri
- * @param HTMLPurifier_Config $config
- * @param HTMLPurifier_Context $context
- * @return bool
- */
- public function filter(&$uri, $config, $context)
- {
- if (is_null($this->base)) {
- return true;
- } // abort early
- if ($uri->path === '' && is_null($uri->scheme) &&
- is_null($uri->host) && is_null($uri->query) && is_null($uri->fragment)) {
- // reference to current document
- $uri = clone $this->base;
- return true;
- }
- if (!is_null($uri->scheme)) {
- // absolute URI already: don't change
- if (!is_null($uri->host)) {
- return true;
- }
- $scheme_obj = $uri->getSchemeObj($config, $context);
- if (!$scheme_obj) {
- // scheme not recognized
- return false;
- }
- if (!$scheme_obj->hierarchical) {
- // non-hierarchal URI with explicit scheme, don't change
- return true;
- }
- // special case: had a scheme but always is hierarchical and had no authority
- }
- if (!is_null($uri->host)) {
- // network path, don't bother
- return true;
- }
- if ($uri->path === '') {
- $uri->path = $this->base->path;
- } elseif ($uri->path[0] !== '/') {
- // relative path, needs more complicated processing
- $stack = explode('/', $uri->path);
- $new_stack = array_merge($this->basePathStack, $stack);
- if ($new_stack[0] !== '' && !is_null($this->base->host)) {
- array_unshift($new_stack, '');
- }
- $new_stack = $this->_collapseStack($new_stack);
- $uri->path = implode('/', $new_stack);
- } else {
- // absolute path, but still we
should collapse
- $uri->path = implode('/', $this->_collapseStack(explode('/', $uri->path)));
- }
- // re-combine
- $uri->scheme = $this->base->scheme;
- if (is_null($uri->userinfo)) {
- $uri->userinfo = $this->base->userinfo;
- }
- if (is_null($uri->host)) {
- $uri->host = $this->base->host;
- }
- if (is_null($uri->port)) {
- $uri->port = $this->base->port;
- }
- return true;
- }
-
- /**
- * Resolve dots and double-dots in a path stack
- * @param array $stack
- * @return array
- */
- private function _collapseStack($stack)
- {
- $result = array();
- $is_folder = false;
- for ($i = 0; isset($stack[$i]); $i++) {
- $is_folder = false;
- // absorb an internally duplicated slash
- if ($stack[$i] == '' && $i && isset($stack[$i + 1])) {
- continue;
- }
- if ($stack[$i] == '..') {
- if (!empty($result)) {
- $segment = array_pop($result);
- if ($segment === '' && empty($result)) {
- // error case: attempted to back out too far:
- // restore the leading slash
- $result[] = '';
- } elseif ($segment === '..') {
- $result[] = '..'; // cannot remove .. with ..
- }
- } else {
- // relative path, preserve the double-dots
- $result[] = '..';
- }
- $is_folder = true;
- continue;
- }
- if ($stack[$i] == '.') {
- // silently absorb
- $is_folder = true;
- continue;
- }
- $result[] = $stack[$i];
- }
- if ($is_folder) {
- $result[] = '';
- }
- return $result;
- }
-}
-
-// vim: et sw=4 sts=4
diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/URIFilter/Munge.php php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/URIFilter/Munge.php
--- php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/URIFilter/Munge.php 2018-02-23 02:08:20.000000000 +0000
+++ php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/URIFilter/Munge.php 1970-01-01 00:00:00.000000000 +0000
@@ -1,115 +0,0 @@
-target = $config->get('URI.' . $this->name);
- $this->parser = new HTMLPurifier_URIParser();
- $this->doEmbed = $config->get('URI.MungeResources');
- $this->secretKey = $config->get('URI.MungeSecretKey');
- if ($this->secretKey && !function_exists('hash_hmac')) {
- throw new Exception("Cannot use %URI.MungeSecretKey without hash_hmac support.");
- }
- return true;
- }
-
- /**
- * @param HTMLPurifier_URI $uri
- * @param HTMLPurifier_Config $config
- * @param HTMLPurifier_Context $context
- * @return bool
- */
- public function filter(&$uri, $config, $context)
- {
- if ($context->get('EmbeddedURI', true) && !$this->doEmbed) {
- return true;
- }
-
- $scheme_obj = $uri->getSchemeObj($config, $context);
- if (!$scheme_obj) {
- return true;
- } // ignore unknown schemes, maybe another postfilter did it
- if (!$scheme_obj->browsable) {
- return true;
- } // ignore non-browseable schemes, since we can't munge those in a reasonable way
- if ($uri->isBenign($config, $context)) {
- return true;
- } // don't redirect if a benign URL
-
- $this->makeReplace($uri, $config, $context);
- $this->replace = array_map('rawurlencode', $this->replace);
-
- $new_uri = strtr($this->target, $this->replace);
- $new_uri = $this->parser->parse($new_uri);
- // don't redirect if the target host is the same as the
- // starting host
- if ($uri->host === $new_uri->host) {
- return true;
- }
- $uri = $new_uri; // overwrite
- return true;
- }
-
- /**
- * @param HTMLPurifier_URI $uri
- * @param HTMLPurifier_Config $config
- * @param HTMLPurifier_Context $context
- */
- protected function makeReplace($uri, $config, $context)
- {
- $string = $uri->toString();
- // always available
- $this->replace['%s'] = $string;
- $this->replace['%r'] = $context->get('EmbeddedURI', true);
- $token = $context->get('CurrentToken', true);
- $this->replace['%n'] = $token ?
$token->name : null;
- $this->replace['%m'] = $context->get('CurrentAttr', true);
- $this->replace['%p'] = $context->get('CurrentCSSProperty', true);
- // not always available
- if ($this->secretKey) {
- $this->replace['%t'] = hash_hmac("sha256", $string, $this->secretKey);
- }
- }
-}
-
-// vim: et sw=4 sts=4
diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/URIFilter/SafeIframe.php php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/URIFilter/SafeIframe.php
--- php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/URIFilter/SafeIframe.php 2018-02-23 02:08:20.000000000 +0000
+++ php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/URIFilter/SafeIframe.php 1970-01-01 00:00:00.000000000 +0000
@@ -1,68 +0,0 @@
-regexp = $config->get('URI.SafeIframeRegexp');
- return true;
- }
-
- /**
- * @param HTMLPurifier_URI $uri
- * @param HTMLPurifier_Config $config
- * @param HTMLPurifier_Context $context
- * @return bool
- */
- public function filter(&$uri, $config, $context)
- {
- // check if filter not applicable
- if (!$config->get('HTML.SafeIframe')) {
- return true;
- }
- // check if the filter should actually trigger
- if (!$context->get('EmbeddedURI', true)) {
- return true;
- }
- $token = $context->get('CurrentToken', true);
- if (!($token && $token->name == 'iframe')) {
- return true;
- }
- // check if we actually have some whitelists enabled
- if ($this->regexp === null) {
- return false;
- }
- // actually check the whitelists
- return preg_match($this->regexp, $uri->toString());
- }
-}
-
-// vim: et sw=4 sts=4
diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/URIFilter.php php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/URIFilter.php
--- php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/URIFilter.php 2018-02-23 02:08:20.000000000 +0000
+++ php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/URIFilter.php 1970-01-01 00:00:00.000000000 +0000
@@ -1,74 +0,0 @@
-percentEncoder = new HTMLPurifier_PercentEncoder();
- }
-
- /**
- * Parses a URI.
- * @param $uri string URI to parse
- * @return HTMLPurifier_URI representation of URI. This representation has
- * not been validated yet and may not conform to RFC.
- */
- public function parse($uri)
- {
- $uri = $this->percentEncoder->normalize($uri);
-
- // Regexp is as per Appendix B.
- // Note that ["<>] are an addition to the RFC's recommended
- // characters, because they represent external delimeters.
- $r_URI = '!'.
- '(([a-zA-Z0-9\.\+\-]+):)?'. // 2. Scheme
- '(//([^/?#"<>]*))?'. // 4. Authority
- '([^?#"<>]*)'. // 5. Path
- '(\?([^#"<>]*))?'. // 7. Query
- '(#([^"<>]*))?'. // 8. Fragment
- '!';
-
- $matches = array();
- $result = preg_match($r_URI, $uri, $matches);
-
- if (!$result) return false; // *really* invalid URI
-
- // seperate out parts
- $scheme = !empty($matches[1]) ? $matches[2] : null;
- $authority = !empty($matches[3]) ? $matches[4] : null;
- $path = $matches[5]; // always present, can be empty
- $query = !empty($matches[6]) ? $matches[7] : null;
- $fragment = !empty($matches[8]) ? $matches[9] : null;
-
- // further parse authority
- if ($authority !== null) {
- $r_authority = "/^((.+?)@)?(\[[^\]]+\]|[^:]*)(:(\d*))?/";
- $matches = array();
- preg_match($r_authority, $authority, $matches);
- $userinfo = !empty($matches[1]) ? $matches[2] : null;
- $host = !empty($matches[3]) ? $matches[3] : '';
- $port = !empty($matches[4]) ?
(int) $matches[5] : null;
- } else {
- $port = $host = $userinfo = null;
- }
-
- return new HTMLPurifier_URI(
- $scheme, $userinfo, $host, $port, $path, $query, $fragment);
- }
-
-}
-
-// vim: et sw=4 sts=4
diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/URI.php php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/URI.php
--- php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/URI.php 2018-02-23 02:08:20.000000000 +0000
+++ php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/URI.php 1970-01-01 00:00:00.000000000 +0000
@@ -1,316 +0,0 @@
-scheme = is_null($scheme) || ctype_lower($scheme) ? $scheme : strtolower($scheme);
- $this->userinfo = $userinfo;
- $this->host = $host;
- $this->port = is_null($port) ? $port : (int)$port;
- $this->path = $path;
- $this->query = $query;
- $this->fragment = $fragment;
- }
-
- /**
- * Retrieves a scheme object corresponding to the URI's scheme/default
- * @param HTMLPurifier_Config $config
- * @param HTMLPurifier_Context $context
- * @return HTMLPurifier_URIScheme Scheme object appropriate for validating this URI
- */
- public function getSchemeObj($config, $context)
- {
- $registry = HTMLPurifier_URISchemeRegistry::instance();
- if ($this->scheme !== null) {
- $scheme_obj = $registry->getScheme($this->scheme, $config, $context);
- if (!$scheme_obj) {
- return false;
- } // invalid scheme, clean it out
- } else {
- // no scheme: retrieve the default one
- $def = $config->getDefinition('URI');
- $scheme_obj = $def->getDefaultScheme($config, $context);
- if (!$scheme_obj) {
- if ($def->defaultScheme !== null) {
- // something funky happened to the default scheme object
- trigger_error(
- 'Default scheme object "' . $def->defaultScheme . '" was not readable',
- E_USER_WARNING
- );
- } // suppress error if it's null
- return false;
- }
- }
- return $scheme_obj;
- }
-
- /**
- * Generic validation method applicable for all schemes. May modify
- * this URI in order to get it into a compliant form.
- * @param HTMLPurifier_Config $config
- * @param HTMLPurifier_Context $context
- * @return bool True if validation/filtering succeeds, false if failure
- */
- public function validate($config, $context)
- {
- // ABNF definitions from RFC 3986
- $chars_sub_delims = '!$&\'()*+,;=';
- $chars_gen_delims = ':/?#[]@';
- $chars_pchar = $chars_sub_delims .
':@';
-
- // validate host
- if (!is_null($this->host)) {
- $host_def = new HTMLPurifier_AttrDef_URI_Host();
- $this->host = $host_def->validate($this->host, $config, $context);
- if ($this->host === false) {
- $this->host = null;
- }
- }
-
- // validate scheme
- // NOTE: It's not appropriate to check whether or not this
- // scheme is in our registry, since a URIFilter may convert a
- // URI that we don't allow into one we do. So instead, we just
- // check if the scheme can be dropped because there is no host
- // and it is our default scheme.
- if (!is_null($this->scheme) && is_null($this->host) || $this->host === '') {
- // support for relative paths is pretty abysmal when the
- // scheme is present, so axe it when possible
- $def = $config->getDefinition('URI');
- if ($def->defaultScheme === $this->scheme) {
- $this->scheme = null;
- }
- }
-
- // validate username
- if (!is_null($this->userinfo)) {
- $encoder = new HTMLPurifier_PercentEncoder($chars_sub_delims . ':');
- $this->userinfo = $encoder->encode($this->userinfo);
- }
-
- // validate port
- if (!is_null($this->port)) {
- if ($this->port < 1 || $this->port > 65535) {
- $this->port = null;
- }
- }
-
- // validate path
- $segments_encoder = new HTMLPurifier_PercentEncoder($chars_pchar .
'/');
- if (!is_null($this->host)) { // this catches $this->host === ''
- // path-abempty (hier and relative)
- // http://www.example.com/my/path
- // //www.example.com/my/path (looks odd, but works, and
- // recognized by most browsers)
- // (this set is valid or invalid on a scheme by scheme
- // basis, so we'll deal with it later)
- // file:///my/path
- // ///my/path
- $this->path = $segments_encoder->encode($this->path);
- } elseif ($this->path !== '') {
- if ($this->path[0] === '/') {
- // path-absolute (hier and relative)
- // http:/my/path
- // /my/path
- if (strlen($this->path) >= 2 && $this->path[1] === '/') {
- // This could happen if both the host gets stripped
- // out
- // http://my/path
- // //my/path
- $this->path = '';
- } else {
- $this->path = $segments_encoder->encode($this->path);
- }
- } elseif (!is_null($this->scheme)) {
- // path-rootless (hier)
- // http:my/path
- // Short circuit evaluation means we don't need to check nz
- $this->path = $segments_encoder->encode($this->path);
- } else {
- // path-noscheme (relative)
- // my/path
- // (once again, not checking nz)
- $segment_nc_encoder = new HTMLPurifier_PercentEncoder($chars_sub_delims . '@');
- $c = strpos($this->path, '/');
- if ($c !== false) {
- $this->path =
- $segment_nc_encoder->encode(substr($this->path, 0, $c)) .
- $segments_encoder->encode(substr($this->path, $c));
- } else {
- $this->path = $segment_nc_encoder->encode($this->path);
- }
- }
- } else {
- // path-empty (hier and relative)
- $this->path = ''; // just to be safe
- }
-
- // qf = query and fragment
- $qf_encoder = new HTMLPurifier_PercentEncoder($chars_pchar .
'/?');
-
- if (!is_null($this->query)) {
- $this->query = $qf_encoder->encode($this->query);
- }
-
- if (!is_null($this->fragment)) {
- $this->fragment = $qf_encoder->encode($this->fragment);
- }
- return true;
- }
-
- /**
- * Convert URI back to string
- * @return string URI appropriate for output
- */
- public function toString()
- {
- // reconstruct authority
- $authority = null;
- // there is a rendering difference between a null authority
- // (http:foo-bar) and an empty string authority
- // (http:///foo-bar).
- if (!is_null($this->host)) {
- $authority = '';
- if (!is_null($this->userinfo)) {
- $authority .= $this->userinfo . '@';
- }
- $authority .= $this->host;
- if (!is_null($this->port)) {
- $authority .= ':' . $this->port;
- }
- }
-
- // Reconstruct the result
- // One might wonder about parsing quirks from browsers after
- // this reconstruction. Unfortunately, parsing behavior depends
- // on what *scheme* was employed (file:///foo is handled *very*
- // differently than http:///foo), so unfortunately we have to
- // defer to the schemes to do the right thing.
- $result = '';
- if (!is_null($this->scheme)) {
- $result .= $this->scheme . ':';
- }
- if (!is_null($authority)) {
- $result .= '//' . $authority;
- }
- $result .= $this->path;
- if (!is_null($this->query)) {
- $result .= '?' . $this->query;
- }
- if (!is_null($this->fragment)) {
- $result .= '#' . $this->fragment;
- }
-
- return $result;
- }
-
- /**
- * Returns true if this URL might be considered a 'local' URL given
- * the current context. This is true when the host is null, or
- * when it matches the host supplied to the configuration.
- *
- * Note that this does not do any scheme checking, so it is mostly
- * only appropriate for metadata that doesn't care about protocol
- * security. isBenign is probably what you actually want.
- * @param HTMLPurifier_Config $config
- * @param HTMLPurifier_Context $context
- * @return bool
- */
- public function isLocal($config, $context)
- {
- if ($this->host === null) {
- return true;
- }
- $uri_def = $config->getDefinition('URI');
- if ($uri_def->host === $this->host) {
- return true;
- }
- return false;
- }
-
- /**
- * Returns true if this URL should be considered a 'benign' URL,
- * that is:
- *
- * - It is a local URL (isLocal), and
- * - It has a equal or better level of security
- * @param HTMLPurifier_Config $config
- * @param HTMLPurifier_Context $context
- * @return bool
- */
- public function isBenign($config, $context)
- {
- if (!$this->isLocal($config, $context)) {
- return false;
- }
-
- $scheme_obj = $this->getSchemeObj($config, $context);
- if (!$scheme_obj) {
- return false;
- } // conservative approach
-
- $current_scheme_obj = $config->getDefinition('URI')->getDefaultScheme($config, $context);
- if ($current_scheme_obj->secure) {
- if (!$scheme_obj->secure) {
- return false;
- }
- }
- return true;
- }
-}
-
-// vim: et sw=4 sts=4
diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/URIScheme/data.php php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/URIScheme/data.php
--- php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/URIScheme/data.php 2018-02-23 02:08:20.000000000 +0000
+++ php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/URIScheme/data.php 1970-01-01 00:00:00.000000000 +0000
@@ -1,136 +0,0 @@
- true,
- 'image/gif' => true,
- 'image/png' => true,
- );
- // this is actually irrelevant since we only write out the path
- // component
- /**
- * @type bool
- */
- public $may_omit_host = true;
-
- /**
- * @param HTMLPurifier_URI $uri
- * @param HTMLPurifier_Config $config
- * @param HTMLPurifier_Context $context
- * @return bool
- */
- public function doValidate(&$uri, $config, $context)
- {
- $result = explode(',', $uri->path, 2);
- $is_base64 = false;
- $charset = null;
- $content_type = null;
- if (count($result) == 2) {
- list($metadata, $data) = $result;
- // do some legwork on the metadata
- $metas = explode(';', $metadata);
- while (!empty($metas)) {
- $cur = array_shift($metas);
- if ($cur == 'base64') {
- $is_base64 = true;
- break;
- }
- if (substr($cur, 0, 8) == 'charset=') {
- // doesn't match if there are arbitrary spaces, but
- // whatever dude
- if ($charset !== null) {
- continue;
- } // garbage
- $charset = substr($cur, 8); // not used
- } else {
- if ($content_type !== null) {
- continue;
- } // garbage
- $content_type = $cur;
- }
- }
- } else {
- $data = $result[0];
- }
- if ($content_type !== null && empty($this->allowed_types[$content_type])) {
- return false;
- }
- if ($charset !== null) {
- // error; we don't allow plaintext stuff
- $charset = null;
- }
- $data = rawurldecode($data);
- if ($is_base64) {
- $raw_data = base64_decode($data);
- } else {
- $raw_data = $data;
- }
- if ( strlen($raw_data) < 12 ) {
- // error; exif_imagetype throws exception with small files,
- // and this likely indicates a corrupt URI/failed parse anyway
- return false;
- }
- // XXX probably want to refactor this into a general mechanism
- // for filtering arbitrary content types
- if (function_exists('sys_get_temp_dir')) {
- $file = tempnam(sys_get_temp_dir(), "");
- } else {
- $file = tempnam("/tmp", "");
- }
- file_put_contents($file, $raw_data);
- if (function_exists('exif_imagetype')) {
- $image_code = exif_imagetype($file);
-
unlink($file);
- } elseif (function_exists('getimagesize')) {
- set_error_handler(array($this, 'muteErrorHandler'));
- $info = getimagesize($file);
- restore_error_handler();
- unlink($file);
- if ($info == false) {
- return false;
- }
- $image_code = $info[2];
- } else {
- trigger_error("could not find exif_imagetype or getimagesize functions", E_USER_ERROR);
- }
- $real_content_type = image_type_to_mime_type($image_code);
- if ($real_content_type != $content_type) {
- // we're nice guys; if the content type is something else we
- // support, change it over
- if (empty($this->allowed_types[$real_content_type])) {
- return false;
- }
- $content_type = $real_content_type;
- }
- // ok, it's kosher, rewrite what we need
- $uri->userinfo = null;
- $uri->host = null;
- $uri->port = null;
- $uri->fragment = null;
- $uri->query = null;
- $uri->path = "$content_type;base64," . base64_encode($raw_data);
- return true;
- }
-
- /**
- * @param int $errno
- * @param string $errstr
- */
- public function muteErrorHandler($errno, $errstr)
- {
- }
-}
diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/URIScheme/file.php php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/URIScheme/file.php
--- php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/URIScheme/file.php 2018-02-23 02:08:20.000000000 +0000
+++ php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/URIScheme/file.php 1970-01-01 00:00:00.000000000 +0000
@@ -1,44 +0,0 @@
-userinfo = null;
- // file:// makes no provisions for accessing the resource
- $uri->port = null;
- // While it seems to work on Firefox, the querystring has
- // no possible effect and is thus stripped.
- $uri->query = null;
- return true;
- }
-}
-
-// vim: et sw=4 sts=4
diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/URIScheme/ftp.php php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/URIScheme/ftp.php
--- php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/URIScheme/ftp.php 2018-02-23 02:08:20.000000000 +0000
+++ php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/URIScheme/ftp.php 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-query = null;
-
- // typecode check
- $semicolon_pos = strrpos($uri->path, ';'); // reverse
- if ($semicolon_pos !== false) {
- $type = substr($uri->path, $semicolon_pos + 1); // no semicolon
- $uri->path = substr($uri->path, 0, $semicolon_pos);
- $type_ret = '';
- if (strpos($type, '=') !== false) {
- // figure out whether or not the declaration is correct
- list($key, $typecode) = explode('=', $type, 2);
- if ($key !== 'type') {
- // invalid key, tack it back on encoded
- $uri->path .= '%3B' . $type;
- } elseif ($typecode === 'a' || $typecode === 'i' || $typecode === 'd') {
- $type_ret = ";type=$typecode";
- }
- } else {
- $uri->path .= '%3B' . $type;
- }
- $uri->path = str_replace(';', '%3B', $uri->path);
- $uri->path .= $type_ret;
- }
- return true;
- }
-}
-
-// vim: et sw=4 sts=4
diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/URIScheme/http.php php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/URIScheme/http.php
--- php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/URIScheme/http.php 2018-02-23 02:08:20.000000000 +0000
+++ php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/URIScheme/http.php 1970-01-01 00:00:00.000000000 +0000
@@ -1,36 +0,0 @@
-userinfo = null;
- return true;
- }
-}
-
-// vim: et sw=4 sts=4
diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/URIScheme/https.php php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/URIScheme/https.php
--- php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/URIScheme/https.php 2018-02-23 02:08:20.000000000 +0000
+++ php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/URIScheme/https.php 1970-01-01 00:00:00.000000000 +0000
@@ -1,18 +0,0 @@
-userinfo = null;
- $uri->host = null;
- $uri->port = null;
- // we need to validate path against RFC 2368's addr-spec
- return true;
- }
-}
-
-// vim: et sw=4 sts=4
diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/URIScheme/news.php php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/URIScheme/news.php
--- php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/URIScheme/news.php 2018-02-23 02:08:20.000000000 +0000
+++ php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/URIScheme/news.php 1970-01-01 00:00:00.000000000 +0000
@@ -1,35 +0,0 @@
-userinfo = null;
- $uri->host = null;
- $uri->port = null;
- $uri->query = null;
- // typecode check needed on path
- return true;
- }
-}
-
-// vim: et sw=4 sts=4
diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/URIScheme/nntp.php php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/URIScheme/nntp.php
--- php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/URIScheme/nntp.php 2018-02-23 02:08:20.000000000 +0000
+++ php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/URIScheme/nntp.php 1970-01-01 00:00:00.000000000 +0000
@@ -1,32 +0,0 @@
-userinfo = null;
- $uri->query = null;
- return true;
- }
-}
-
-// vim: et sw=4 sts=4
diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/URIScheme/tel.php php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/URIScheme/tel.php
--- php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/URIScheme/tel.php 2018-02-23 02:08:20.000000000 +0000
+++ php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/URIScheme/tel.php 1970-01-01 00:00:00.000000000 +0000
@@ -1,46 +0,0 @@
-userinfo = null;
- $uri->host = null;
- $uri->port = null;
-
- // Delete all non-numeric characters, non-x characters
- // from phone number, EXCEPT for a leading plus sign.
- $uri->path = preg_replace('/(?!^\+)[^\dx]/', '',
- // Normalize e(x)tension to lower-case
- str_replace('X', 'x', $uri->path));
-
- return true;
- }
-}
-
-// vim: et sw=4 sts=4
diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/URIScheme.php php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/URIScheme.php
--- php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/URIScheme.php 2018-02-23 02:08:20.000000000 +0000
+++ php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/URIScheme.php 1970-01-01 00:00:00.000000000 +0000
@@ -1,102 +0,0 @@
-, resolves edge cases
- * with making relative URIs absolute
- * @type bool
- */
- public $hierarchical = false;
-
- /**
- * Whether or not the URI may omit a hostname when the scheme is
- * explicitly specified, ala file:///path/to/file. As of writing,
- * 'file' is the only scheme that browsers support his properly.
- * @type bool
- */
- public $may_omit_host = false;
-
- /**
- * Validates the components of a URI for a specific scheme.
- * @param HTMLPurifier_URI $uri Reference to a HTMLPurifier_URI object
- * @param HTMLPurifier_Config $config
- * @param HTMLPurifier_Context $context
- * @return bool success or failure
- */
- abstract public function doValidate(&$uri, $config, $context);
-
- /**
- * Public interface for validating components of a URI. Performs a
- * bunch of default actions. Don't overload this method.
- * @param HTMLPurifier_URI $uri Reference to a HTMLPurifier_URI object
- * @param HTMLPurifier_Config $config
- * @param HTMLPurifier_Context $context
- * @return bool success or failure
- */
- public function validate(&$uri, $config, $context)
- {
- if ($this->default_port == $uri->port) {
- $uri->port = null;
- }
- // kludge: browsers do funny things when the scheme but not the
- // authority is set
- if (!$this->may_omit_host &&
- // if the scheme is present, a missing host is always in error
- (!is_null($uri->scheme) && ($uri->host === '' || is_null($uri->host))) ||
- // if the scheme is not present, a *blank* host is in error,
- // since this translates into '///path' which most browsers
- // interpret as being 'http://path'.
- (is_null($uri->scheme) && $uri->host === '')
- ) {
- do {
- if (is_null($uri->scheme)) {
- if (substr($uri->path, 0, 2) != '//') {
- $uri->host = null;
- break;
- }
- // URI is '////path', so we cannot nullify the
- // host to preserve semantics.
Try expanding the
- // hostname instead (fall through)
- }
- // first see if we can manually insert a hostname
- $host = $config->get('URI.Host');
- if (!is_null($host)) {
- $uri->host = $host;
- } else {
- // we can't do anything sensible, reject the URL.
- return false;
- }
- } while (false);
- }
- return $this->doValidate($uri, $config, $context);
- }
-}
-
-// vim: et sw=4 sts=4
diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/URISchemeRegistry.php php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/URISchemeRegistry.php
--- php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/URISchemeRegistry.php 2018-02-23 02:08:20.000000000 +0000
+++ php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/URISchemeRegistry.php 1970-01-01 00:00:00.000000000 +0000
@@ -1,81 +0,0 @@
-get('URI.AllowedSchemes');
- if (!$config->get('URI.OverrideAllowedSchemes') &&
- !isset($allowed_schemes[$scheme])
- ) {
- return;
- }
-
- if (isset($this->schemes[$scheme])) {
- return $this->schemes[$scheme];
- }
- if (!isset($allowed_schemes[$scheme])) {
- return;
- }
-
- $class = 'HTMLPurifier_URIScheme_' . $scheme;
- if (!class_exists($class)) {
- return;
- }
- $this->schemes[$scheme] = new $class();
- return $this->schemes[$scheme];
- }
-
- /**
- * Registers a custom scheme to the cache, bypassing reflection.
- * @param string $scheme Scheme name
- * @param HTMLPurifier_URIScheme $scheme_obj
- */
- public function register($scheme, $scheme_obj)
- {
- $this->schemes[$scheme] = $scheme_obj;
- }
-}
-
-// vim: et sw=4 sts=4
diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/VarParser/Flexible.php php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/VarParser/Flexible.php
--- php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/VarParser/Flexible.php 2018-02-23 02:08:20.000000000 +0000
+++ php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/VarParser/Flexible.php 1970-01-01 00:00:00.000000000 +0000
@@ -1,130 +0,0 @@
- $j) {
- $var[$i] = trim($j);
- }
- if ($type === self::HASH) {
- // key:value,key2:value2
- $nvar = array();
- foreach ($var as $keypair) {
- $c = explode(':', $keypair, 2);
- if (!isset($c[1])) {
- continue;
- }
- $nvar[trim($c[0])] = trim($c[1]);
- }
- $var = $nvar;
- }
- }
- if (!is_array($var)) {
- break;
- }
- $keys = array_keys($var);
- if ($keys === array_keys($keys)) {
- if ($type == self::ALIST) {
- return $var;
- } elseif ($type == self::LOOKUP) {
- $new = array();
- foreach ($var as $key) {
- $new[$key] = true;
- }
- return $new;
- } else {
- break;
- }
- }
- if ($type === self::ALIST) {
- trigger_error("Array list did not have consecutive integer indexes", E_USER_WARNING);
- return array_values($var);
- }
- if ($type === self::LOOKUP) {
- foreach ($var as $key => $value) {
- if ($value !== true) {
- trigger_error(
- "Lookup array has non-true value at key '$key'; " .
- "maybe your input array was not indexed numerically",
- E_USER_WARNING
- );
- }
- $var[$key] = true;
- }
- }
- return $var;
- default:
- $this->errorInconsistent(__CLASS__, $type);
- }
- $this->errorGeneric($var, $type);
- }
-}
-
-// vim: et sw=4 sts=4
diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/VarParser/Native.php php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/VarParser/Native.php
--- php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/VarParser/Native.php 2018-02-23 02:08:20.000000000 +0000
+++ php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/VarParser/Native.php 1970-01-01 00:00:00.000000000 +0000
@@ -1,38 +0,0 @@ -evalExpression($var); - } - - /** - * @param string $expr - * @return mixed - * @throws HTMLPurifier_VarParserException - */ - protected function evalExpression($expr) - { - $var = null; - $result = eval("\$var = $expr;"); - if ($result === false) { - throw new HTMLPurifier_VarParserException("Fatal error in evaluated code"); - } - return $var; - } -} - -// vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/VarParserException.php php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/VarParserException.php --- php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/VarParserException.php 2018-02-23 02:08:20.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/VarParserException.php 1970-01-01 00:00:00.000000000 +0000 
@@ -1,11 +0,0 @@ - self::STRING, - 'istring' => self::ISTRING, - 'text' => self::TEXT, - 'itext' => self::ITEXT, - 'int' => self::INT, - 'float' => self::FLOAT, - 'bool' => self::BOOL, - 'lookup' => self::LOOKUP, - 'list' => self::ALIST, - 'hash' => self::HASH, - 'mixed' => self::MIXED - ); - - /** - * Lookup table of types that are string, and can have aliases or - * allowed value lists. - */ - public static $stringTypes = array( - self::STRING => true, - self::ISTRING => true, - self::TEXT => true, - self::ITEXT => true, - ); - - /** - * Validate a variable according to type. - * It may return NULL as a valid type if $allow_null is true. - * - * @param mixed $var Variable to validate - * @param int $type Type of variable, see HTMLPurifier_VarParser->types - * @param bool $allow_null Whether or not to permit null as a value - * @return string Validated and type-coerced variable - * @throws HTMLPurifier_VarParserException - */ - final public function parse($var, $type, $allow_null = false) - { - if (is_string($type)) { - if (!isset(HTMLPurifier_VarParser::$types[$type])) { - throw new HTMLPurifier_VarParserException("Invalid type '$type'"); - } else { - $type = HTMLPurifier_VarParser::$types[$type]; - } - } - $var = $this->parseImplementation($var, $type, $allow_null); - if ($allow_null && $var === null) { - return null; - } - // These are basic checks, to make sure nothing horribly wrong - // happened in our implementations. 
- switch ($type) { - case (self::STRING): - case (self::ISTRING): - case (self::TEXT): - case (self::ITEXT): - if (!is_string($var)) { - break; - } - if ($type == self::ISTRING || $type == self::ITEXT) { - $var = strtolower($var); - } - return $var; - case (self::INT): - if (!is_int($var)) { - break; - } - return $var; - case (self::FLOAT): - if (!is_float($var)) { - break; - } - return $var; - case (self::BOOL): - if (!is_bool($var)) { - break; - } - return $var; - case (self::LOOKUP): - case (self::ALIST): - case (self::HASH): - if (!is_array($var)) { - break; - } - if ($type === self::LOOKUP) { - foreach ($var as $k) { - if ($k !== true) { - $this->error('Lookup table contains value other than true'); - } - } - } elseif ($type === self::ALIST) { - $keys = array_keys($var); - if (array_keys($keys) !== $keys) { - $this->error('Indices for list are not uniform'); - } - } - return $var; - case (self::MIXED): - return $var; - default: - $this->errorInconsistent(get_class($this), $type); - } - $this->errorGeneric($var, $type); - } - - /** - * Actually implements the parsing. Base implementation does not - * do anything to $var. Subclasses should overload this! - * @param mixed $var - * @param int $type - * @param bool $allow_null - * @return string - */ - protected function parseImplementation($var, $type, $allow_null) - { - return $var; - } - - /** - * Throws an exception. - * @throws HTMLPurifier_VarParserException - */ - protected function error($msg) - { - throw new HTMLPurifier_VarParserException($msg); - } - - /** - * Throws an inconsistency exception. - * @note This should not ever be called. It would be called if we - * extend the allowed values of HTMLPurifier_VarParser without - * updating subclasses. - * @param string $class - * @param int $type - * @throws HTMLPurifier_Exception - */ - protected function errorInconsistent($class, $type) - { - throw new HTMLPurifier_Exception( - "Inconsistency in $class: " . HTMLPurifier_VarParser::getTypeName($type) . 
- " not implemented" - ); - } - - /** - * Generic error for if a type didn't work. - * @param mixed $var - * @param int $type - */ - protected function errorGeneric($var, $type) - { - $vtype = gettype($var); - $this->error("Expected type " . HTMLPurifier_VarParser::getTypeName($type) . ", got $vtype"); - } - - /** - * @param int $type - * @return string - */ - public static function getTypeName($type) - { - static $lookup; - if (!$lookup) { - // Lazy load the alternative lookup table - $lookup = array_flip(HTMLPurifier_VarParser::$types); - } - if (!isset($lookup[$type])) { - return 'unknown'; - } - return $lookup[$type]; - } -} - -// vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/Zipper.php php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/Zipper.php --- php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier/Zipper.php 2018-02-23 02:08:20.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier/Zipper.php 1970-01-01 00:00:00.000000000 +0000 
@@ -1,157 +0,0 @@ -front = $front; - $this->back = $back; - } - - /** - * Creates a zipper from an array, with a hole in the - * 0-index position. - * @param Array to zipper-ify. - * @return Tuple of zipper and element of first position. - */ - static public function fromArray($array) { - $z = new self(array(), array_reverse($array)); - $t = $z->delete(); // delete the "dummy hole" - return array($z, $t); - } - - /** - * Convert zipper back into a normal array, optionally filling in - * the hole with a value. (Usually you should supply a $t, unless you - * are at the end of the array.) - */ - public function toArray($t = NULL) { - $a = $this->front; - if ($t !== NULL) $a[] = $t; - for ($i = count($this->back)-1; $i >= 0; $i--) { - $a[] = $this->back[$i]; - } - return $a; - } - - /** - * Move hole to the next element. - * @param $t Element to fill hole with - * @return Original contents of new hole. - */ - public function next($t) { - if ($t !== NULL) array_push($this->front, $t); - return empty($this->back) ? NULL : array_pop($this->back); - } - - /** - * Iterated hole advancement. - * @param $t Element to fill hole with - * @param $i How many forward to advance hole - * @return Original contents of new hole, i away - */ - public function advance($t, $n) { - for ($i = 0; $i < $n; $i++) { - $t = $this->next($t); - } - return $t; - } - - /** - * Move hole to the previous element - * @param $t Element to fill hole with - * @return Original contents of new hole. - */ - public function prev($t) { - if ($t !== NULL) array_push($this->back, $t); - return empty($this->front) ? NULL : array_pop($this->front); - } - - /** - * Delete contents of current hole, shifting hole to - * next element. - * @return Original contents of new hole. - */ - public function delete() { - return empty($this->back) ? NULL : array_pop($this->back); - } - - /** - * Returns true if we are at the end of the list. 
- * @return bool - */ - public function done() { - return empty($this->back); - } - - /** - * Insert element before hole. - * @param Element to insert - */ - public function insertBefore($t) { - if ($t !== NULL) array_push($this->front, $t); - } - - /** - * Insert element after hole. - * @param Element to insert - */ - public function insertAfter($t) { - if ($t !== NULL) array_push($this->back, $t); - } - - /** - * Splice in multiple elements at hole. Functional specification - * in terms of array_splice: - * - * $arr1 = $arr; - * $old1 = array_splice($arr1, $i, $delete, $replacement); - * - * list($z, $t) = HTMLPurifier_Zipper::fromArray($arr); - * $t = $z->advance($t, $i); - * list($old2, $t) = $z->splice($t, $delete, $replacement); - * $arr2 = $z->toArray($t); - * - * assert($old1 === $old2); - * assert($arr1 === $arr2); - * - * NB: the absolute index location after this operation is - * *unchanged!* - * - * @param Current contents of hole. - */ - public function splice($t, $delete, $replacement) { - // delete - $old = array(); - $r = $t; - for ($i = $delete; $i > 0; $i--) { - $old[] = $r; - $r = $this->delete(); - } - // insert - for ($i = count($replacement)-1; $i >= 0; $i--) { - $this->insertAfter($r); - $r = $replacement[$i]; - } - return array($old, $r); - } -} diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier.autoload-legacy.php php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier.autoload-legacy.php --- php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier.autoload-legacy.php 2018-02-23 02:08:20.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier.autoload-legacy.php 1970-01-01 00:00:00.000000000 +0000 
@@ -1,15 +0,0 @@ -purify($html, $config); -} - -// vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier.includes.php php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier.includes.php --- php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier.includes.php 2018-02-23 02:08:20.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier.includes.php 1970-01-01 00:00:00.000000000 +0000 @@ -1,234 +0,0 @@ - $attributes) { - $allowed_elements[$element] = true; - foreach ($attributes as $attribute => $x) { - $allowed_attributes["$element.$attribute"] = true; - } - } - $config->set('HTML.AllowedElements', $allowed_elements); - $config->set('HTML.AllowedAttributes', $allowed_attributes); - if ($allowed_protocols !== null) { - $config->set('URI.AllowedSchemes', $allowed_protocols); - } - $purifier = new HTMLPurifier($config); - return $purifier->purify($string); -} - -// vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier.php php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier.php --- php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier.php 2018-02-23 02:08:20.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier.php 1970-01-01 00:00:00.000000000 +0000 
@@ -1,292 +0,0 @@ -config = HTMLPurifier_Config::create($config); - $this->strategy = new HTMLPurifier_Strategy_Core(); - } - - /** - * Adds a filter to process the output. First come first serve - * - * @param HTMLPurifier_Filter $filter HTMLPurifier_Filter object - */ - public function addFilter($filter) - { - trigger_error( - 'HTMLPurifier->addFilter() is deprecated, use configuration directives' . - ' in the Filter namespace or Filter.Custom', - E_USER_WARNING - ); - $this->filters[] = $filter; - } - - /** - * Filters an HTML snippet/document to be XSS-free and standards-compliant. - * - * @param string $html String of HTML to purify - * @param HTMLPurifier_Config $config Config object for this operation, - * if omitted, defaults to the config object specified during this - * object's construction. The parameter can also be any type - * that HTMLPurifier_Config::create() supports. - * - * @return string Purified HTML - */ - public function purify($html, $config = null) - { - // :TODO: make the config merge in, instead of replace - $config = $config ? 
HTMLPurifier_Config::create($config) : $this->config; - - // implementation is partially environment dependant, partially - // configuration dependant - $lexer = HTMLPurifier_Lexer::create($config); - - $context = new HTMLPurifier_Context(); - - // setup HTML generator - $this->generator = new HTMLPurifier_Generator($config, $context); - $context->register('Generator', $this->generator); - - // set up global context variables - if ($config->get('Core.CollectErrors')) { - // may get moved out if other facilities use it - $language_factory = HTMLPurifier_LanguageFactory::instance(); - $language = $language_factory->create($config, $context); - $context->register('Locale', $language); - - $error_collector = new HTMLPurifier_ErrorCollector($context); - $context->register('ErrorCollector', $error_collector); - } - - // setup id_accumulator context, necessary due to the fact that - // AttrValidator can be called from many places - $id_accumulator = HTMLPurifier_IDAccumulator::build($config, $context); - $context->register('IDAccumulator', $id_accumulator); - - $html = HTMLPurifier_Encoder::convertToUTF8($html, $config, $context); - - // setup filters - $filter_flags = $config->getBatch('Filter'); - $custom_filters = $filter_flags['Custom']; - unset($filter_flags['Custom']); - $filters = array(); - foreach ($filter_flags as $filter => $flag) { - if (!$flag) { - continue; - } - if (strpos($filter, '.') !== false) { - continue; - } - $class = "HTMLPurifier_Filter_$filter"; - $filters[] = new $class; - } - foreach ($custom_filters as $filter) { - // maybe "HTMLPurifier_Filter_$filter", but be consistent with AutoFormat - $filters[] = $filter; - } - $filters = array_merge($filters, $this->filters); - // maybe prepare(), but later - - for ($i = 0, $filter_size = count($filters); $i < $filter_size; $i++) { - $html = $filters[$i]->preFilter($html, $config, $context); - } - - // purified HTML - $html = - $this->generator->generateFromTokens( - // list of tokens - 
$this->strategy->execute( - // list of un-purified tokens - $lexer->tokenizeHTML( - // un-purified HTML - $html, - $config, - $context - ), - $config, - $context - ) - ); - - for ($i = $filter_size - 1; $i >= 0; $i--) { - $html = $filters[$i]->postFilter($html, $config, $context); - } - - $html = HTMLPurifier_Encoder::convertFromUTF8($html, $config, $context); - $this->context =& $context; - return $html; - } - - /** - * Filters an array of HTML snippets - * - * @param string[] $array_of_html Array of html snippets - * @param HTMLPurifier_Config $config Optional config object for this operation. - * See HTMLPurifier::purify() for more details. - * - * @return string[] Array of purified HTML - */ - public function purifyArray($array_of_html, $config = null) - { - $context_array = array(); - foreach ($array_of_html as $key => $html) { - $array_of_html[$key] = $this->purify($html, $config); - $context_array[$key] = $this->context; - } - $this->context = $context_array; - return $array_of_html; - } - - /** - * Singleton for enforcing just one HTML Purifier in your system - * - * @param HTMLPurifier|HTMLPurifier_Config $prototype Optional prototype - * HTMLPurifier instance to overload singleton with, - * or HTMLPurifier_Config instance to configure the - * generated version with. - * - * @return HTMLPurifier - */ - public static function instance($prototype = null) - { - if (!self::$instance || $prototype) { - if ($prototype instanceof HTMLPurifier) { - self::$instance = $prototype; - } elseif ($prototype) { - self::$instance = new HTMLPurifier($prototype); - } else { - self::$instance = new HTMLPurifier(); - } - } - return self::$instance; - } - - /** - * Singleton for enforcing just one HTML Purifier in your system - * - * @param HTMLPurifier|HTMLPurifier_Config $prototype Optional prototype - * HTMLPurifier instance to overload singleton with, - * or HTMLPurifier_Config instance to configure the - * generated version with. 
- * - * @return HTMLPurifier - * @note Backwards compatibility, see instance() - */ - public static function getInstance($prototype = null) - { - return HTMLPurifier::instance($prototype); - } -} - -// vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier.safe-includes.php php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier.safe-includes.php --- php-htmlpurifier-4.10.0/HTMLPurifier-4.10.0/HTMLPurifier.safe-includes.php 2018-02-23 02:08:20.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.10.0/HTMLPurifier.safe-includes.php 1970-01-01 00:00:00.000000000 +0000 
@@ -1,228 +0,0 @@ -getHTMLDefinition(); + $parent = new HTMLPurifier_Token_Start($definition->info_parent); + $stack = array($parent->toNode()); + foreach ($tokens as $token) { + $token->skip = null; // [MUT] + $token->carryover = null; // [MUT] + if ($token instanceof HTMLPurifier_Token_End) { + $token->start = null; // [MUT] + $r = array_pop($stack); + //assert($r->name === $token->name); + //assert(empty($token->attr)); + $r->endCol = $token->col; + $r->endLine = $token->line; + $r->endArmor = $token->armor; + continue; + } + $node = $token->toNode(); + $stack[count($stack)-1]->children[] = $node; + if ($token instanceof HTMLPurifier_Token_Start) { + $stack[] = $node; + } + } + //assert(count($stack) == 1); + return $stack[0]; + } + + public static function flatten($node, $config, $context) { + $level = 0; + $nodes = array($level => new HTMLPurifier_Queue(array($node))); + $closingTokens = array(); + $tokens = array(); + do { + while (!$nodes[$level]->isEmpty()) { + $node = $nodes[$level]->shift(); // FIFO + list($start, $end) = $node->toTokenPair(); + if ($level > 0) { + $tokens[] = $start; + } + if ($end !== NULL) { + $closingTokens[$level][] = $end; + } + if ($node instanceof HTMLPurifier_Node_Element) { + $level++; + $nodes[$level] = new HTMLPurifier_Queue(); + foreach ($node->children as $childNode) { + $nodes[$level]->push($childNode); + } + } + } + $level--; + if ($level && isset($closingTokens[$level])) { + while ($token = array_pop($closingTokens[$level])) { + $tokens[] = $token; + } + } + } while ($level > 0); + return $tokens; + } +} diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/AttrCollections.php php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/AttrCollections.php --- php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/AttrCollections.php 1970-01-01 00:00:00.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/AttrCollections.php 2019-07-14 19:19:38.000000000 +0000 
@@ -0,0 +1,148 @@ +doConstruct($attr_types, $modules); + } + + public function doConstruct($attr_types, $modules) + { + // load extensions from the modules + foreach ($modules as $module) { + foreach ($module->attr_collections as $coll_i => $coll) { + if (!isset($this->info[$coll_i])) { + $this->info[$coll_i] = array(); + } + foreach ($coll as $attr_i => $attr) { + if ($attr_i === 0 && isset($this->info[$coll_i][$attr_i])) { + // merge in includes + $this->info[$coll_i][$attr_i] = array_merge( + $this->info[$coll_i][$attr_i], + $attr + ); + continue; + } + $this->info[$coll_i][$attr_i] = $attr; + } + } + } + // perform internal expansions and inclusions + foreach ($this->info as $name => $attr) { + // merge attribute collections that include others + $this->performInclusions($this->info[$name]); + // replace string identifiers with actual attribute objects + $this->expandIdentifiers($this->info[$name], $attr_types); + } + } + + /** + * Takes a reference to an attribute associative array and performs + * all inclusions specified by the zero index. 
+ * @param array &$attr Reference to attribute array + */ + public function performInclusions(&$attr) + { + if (!isset($attr[0])) { + return; + } + $merge = $attr[0]; + $seen = array(); // recursion guard + // loop through all the inclusions + for ($i = 0; isset($merge[$i]); $i++) { + if (isset($seen[$merge[$i]])) { + continue; + } + $seen[$merge[$i]] = true; + // foreach attribute of the inclusion, copy it over + if (!isset($this->info[$merge[$i]])) { + continue; + } + foreach ($this->info[$merge[$i]] as $key => $value) { + if (isset($attr[$key])) { + continue; + } // also catches more inclusions + $attr[$key] = $value; + } + if (isset($this->info[$merge[$i]][0])) { + // recursion + $merge = array_merge($merge, $this->info[$merge[$i]][0]); + } + } + unset($attr[0]); + } + + /** + * Expands all string identifiers in an attribute array by replacing + * them with the appropriate values inside HTMLPurifier_AttrTypes + * @param array &$attr Reference to attribute array + * @param HTMLPurifier_AttrTypes $attr_types HTMLPurifier_AttrTypes instance + */ + public function expandIdentifiers(&$attr, $attr_types) + { + // because foreach will process new elements we add, make sure we + // skip duplicates + $processed = array(); + + foreach ($attr as $def_i => $def) { + // skip inclusions + if ($def_i === 0) { + continue; + } + + if (isset($processed[$def_i])) { + continue; + } + + // determine whether or not attribute is required + if ($required = (strpos($def_i, '*') !== false)) { + // rename the definition + unset($attr[$def_i]); + $def_i = trim($def_i, '*'); + $attr[$def_i] = $def; + } + + $processed[$def_i] = true; + + // if we've already got a literal object, move on + if (is_object($def)) { + // preserve previous required + $attr[$def_i]->required = ($required || $attr[$def_i]->required); + continue; + } + + if ($def === false) { + unset($attr[$def_i]); + continue; + } + + if ($t = $attr_types->get($def)) { + $attr[$def_i] = $t; + $attr[$def_i]->required = $required; + 
} else { + unset($attr[$def_i]); + } + } + } +} + +// vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/AttrDef/Clone.php php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/AttrDef/Clone.php --- php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/AttrDef/Clone.php 1970-01-01 00:00:00.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/AttrDef/Clone.php 2019-07-14 19:19:38.000000000 +0000 @@ -0,0 +1,44 @@ +clone = $clone; + } + + /** + * @param string $v + * @param HTMLPurifier_Config $config + * @param HTMLPurifier_Context $context + * @return bool|string + */ + public function validate($v, $config, $context) + { + return $this->clone->validate($v, $config, $context); + } + + /** + * @param string $string + * @return HTMLPurifier_AttrDef + */ + public function make($string) + { + return clone $this->clone; + } +} + +// vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/AttrDef/CSS/AlphaValue.php php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/AttrDef/CSS/AlphaValue.php --- php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/AttrDef/CSS/AlphaValue.php 1970-01-01 00:00:00.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/AttrDef/CSS/AlphaValue.php 2019-07-14 19:19:38.000000000 +0000 @@ -0,0 +1,34 @@ + 1.0) { + $result = '1'; + } + return $result; + } +} + +// vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/AttrDef/CSS/Background.php php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/AttrDef/CSS/Background.php --- php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/AttrDef/CSS/Background.php 1970-01-01 00:00:00.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/AttrDef/CSS/Background.php 2019-07-14 19:19:38.000000000 +0000 
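Review bot: In expandIdentifiers() the final `else { unset($attr[$def_i]); }` branch drops an attribute whenever `$attr_types->get($def)` returns a falsy value, and nothing in the code records why. It is worth saying in a comment that this is the intended fail-closed behaviour, since an attribute with no definition is later treated as unknown and removed: `// unknown type identifier: drop the attribute so it is never whitelisted`. The same applies to performInclusions(), where `if (!isset($this->info[$merge[$i]])) { continue; }` skips a misspelled collection name silently. A one-line comment there would stop a later maintainer from "fixing" it into a permissive default.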
@@ -0,0 +1,111 @@ +getCSSDefinition(); + $this->info['background-color'] = $def->info['background-color']; + $this->info['background-image'] = $def->info['background-image']; + $this->info['background-repeat'] = $def->info['background-repeat']; + $this->info['background-attachment'] = $def->info['background-attachment']; + $this->info['background-position'] = $def->info['background-position']; + } + + /** + * @param string $string + * @param HTMLPurifier_Config $config + * @param HTMLPurifier_Context $context + * @return bool|string + */ + public function validate($string, $config, $context) + { + // regular pre-processing + $string = $this->parseCDATA($string); + if ($string === '') { + return false; + } + + // munge rgb() decl if necessary + $string = $this->mungeRgb($string); + + // assumes URI doesn't have spaces in it + $bits = explode(' ', $string); // bits to process + + $caught = array(); + $caught['color'] = false; + $caught['image'] = false; + $caught['repeat'] = false; + $caught['attachment'] = false; + $caught['position'] = false; + + $i = 0; // number of catches + + foreach ($bits as $bit) { + if ($bit === '') { + continue; + } + foreach ($caught as $key => $status) { + if ($key != 'position') { + if ($status !== false) { + continue; + } + $r = $this->info['background-' . $key]->validate($bit, $config, $context); + } else { + $r = $bit; + } + if ($r === false) { + continue; + } + if ($key == 'position') { + if ($caught[$key] === false) { + $caught[$key] = ''; + } + $caught[$key] .= $r . 
' '; + } else { + $caught[$key] = $r; + } + $i++; + break; + } + } + + if (!$i) { + return false; + } + if ($caught['position'] !== false) { + $caught['position'] = $this->info['background-position']-> + validate($caught['position'], $config, $context); + } + + $ret = array(); + foreach ($caught as $value) { + if ($value === false) { + continue; + } + $ret[] = $value; + } + + if (empty($ret)) { + return false; + } + return implode(' ', $ret); + } +} + +// vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/AttrDef/CSS/BackgroundPosition.php php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/AttrDef/CSS/BackgroundPosition.php --- php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/AttrDef/CSS/BackgroundPosition.php 1970-01-01 00:00:00.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/AttrDef/CSS/BackgroundPosition.php 2019-07-14 19:19:38.000000000 +0000 @@ -0,0 +1,157 @@ + |
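Review bot: validate() splits the declaration with `explode(' ', $string)`, and the only record of the limitation is the inline remark that a URI is assumed to contain no spaces. A `url(...)` value with a space in it is cut into fragments that cannot validate as background-image; each fragment then falls through to the 'position' slot, where `$r = $bit` accepts it unchecked until the final background-position validation. The output is still validated, so this looks like a correctness limit rather than a bypass, but the docblock should say so, for example `// NOTE: url() values containing a space are split here and will be dropped, not preserved`. The loose `$key != 'position'` and `$key == 'position'` comparisons in the same loop could also be `!==` and `===`, as both operands are string literals or string keys.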
to
+ foreach ($definition->info[$token->name]->attr_transform_pre as $transform) { + $attr = $transform->transform($o = $attr, $config, $context); + if ($e) { + if ($attr != $o) { + $e->send(E_NOTICE, 'AttrValidator: Attributes transformed', $o, $attr); + } + } + } + + // create alias to this element's attribute definition array, see + // also $d_defs (global attribute definition array) + // DEFINITION CALL + $defs = $definition->info[$token->name]->attr; + + $attr_key = false; + $context->register('CurrentAttr', $attr_key); + + // iterate through all the attribute keypairs + // Watch out for name collisions: $key has previously been used + foreach ($attr as $attr_key => $value) { + + // call the definition + if (isset($defs[$attr_key])) { + // there is a local definition defined + if ($defs[$attr_key] === false) { + // We've explicitly been told not to allow this element. + // This is usually when there's a global definition + // that must be overridden. + // Theoretically speaking, we could have a + // AttrDef_DenyAll, but this is faster! + $result = false; + } else { + // validate according to the element's definition + $result = $defs[$attr_key]->validate( + $value, + $config, + $context + ); + } + } elseif (isset($d_defs[$attr_key])) { + // there is a global definition defined, validate according + // to the global definition + $result = $d_defs[$attr_key]->validate( + $value, + $config, + $context + ); + } else { + // system never heard of the attribute? DELETE! + $result = false; + } + + // put the results into effect + if ($result === false || $result === null) { + // this is a generic error message that should replaced + // with more specific ones when possible + if ($e) { + $e->send(E_ERROR, 'AttrValidator: Attribute removed'); + } + + // remove the attribute + unset($attr[$attr_key]); + } elseif (is_string($result)) { + // generally, if a substitution is happening, there + // was some sort of implicit correction going on. 
We'll + // delegate it to the attribute classes to say exactly what. + + // simple substitution + $attr[$attr_key] = $result; + } else { + // nothing happens + } + + // we'd also want slightly more complicated substitution + // involving an array as the return value, + // although we're not sure how colliding attributes would + // resolve (certain ones would be completely overriden, + // others would prepend themselves). + } + + $context->destroy('CurrentAttr'); + + // post transforms + + // global (error reporting untested) + foreach ($definition->info_attr_transform_post as $transform) { + $attr = $transform->transform($o = $attr, $config, $context); + if ($e) { + if ($attr != $o) { + $e->send(E_NOTICE, 'AttrValidator: Attributes transformed', $o, $attr); + } + } + } + + // local (error reporting untested) + foreach ($definition->info[$token->name]->attr_transform_post as $transform) { + $attr = $transform->transform($o = $attr, $config, $context); + if ($e) { + if ($attr != $o) { + $e->send(E_NOTICE, 'AttrValidator: Attributes transformed', $o, $attr); + } + } + } + + $token->attr = $attr; + + // destroy CurrentToken if we made it ourselves + if (!$current_token) { + $context->destroy('CurrentToken'); + } + + } + + +} + +// vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/Bootstrap.php php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/Bootstrap.php --- php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/Bootstrap.php 1970-01-01 00:00:00.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/Bootstrap.php 2019-07-14 19:19:38.000000000 +0000 
@@ -0,0 +1,124 @@ + +if (!defined('PHP_EOL')) { + switch (strtoupper(substr(PHP_OS, 0, 3))) { + case 'WIN': + define('PHP_EOL', "\r\n"); + break; + case 'DAR': + define('PHP_EOL', "\r"); + break; + default: + define('PHP_EOL', "\n"); + } +} + +/** + * Bootstrap class that contains meta-functionality for HTML Purifier such as + * the autoload function. + * + * @note + * This class may be used without any other files from HTML Purifier. + */ +class HTMLPurifier_Bootstrap +{ + + /** + * Autoload function for HTML Purifier + * @param string $class Class to load + * @return bool + */ + public static function autoload($class) + { + $file = HTMLPurifier_Bootstrap::getPath($class); + if (!$file) { + return false; + } + // Technically speaking, it should be ok and more efficient to + // just do 'require', but Antonio Parraga reports that with + // Zend extensions such as Zend debugger and APC, this invariant + // may be broken. Since we have efficient alternatives, pay + // the cost here and avoid the bug. + require_once HTMLPURIFIER_PREFIX . '/' . $file; + return true; + } + + /** + * Returns the path for a specific class. + * @param string $class Class path to get + * @return string + */ + public static function getPath($class) + { + if (strncmp('HTMLPurifier', $class, 12) !== 0) { + return false; + } + // Custom implementations + if (strncmp('HTMLPurifier_Language_', $class, 22) === 0) { + $code = str_replace('_', '-', substr($class, 22)); + $file = 'HTMLPurifier/Language/classes/' . $code . '.php'; + } else { + $file = str_replace('_', '/', $class) . '.php'; + } + if (!file_exists(HTMLPURIFIER_PREFIX . '/' . $file)) { + return false; + } + return $file; + } + + /** + * "Pre-registers" our autoloader on the SPL stack. 
+ */ + public static function registerAutoload() + { + $autoload = array('HTMLPurifier_Bootstrap', 'autoload'); + if (($funcs = spl_autoload_functions()) === false) { + spl_autoload_register($autoload); + } elseif (function_exists('spl_autoload_unregister')) { + if (version_compare(PHP_VERSION, '5.3.0', '>=')) { + // prepend flag exists, no need for shenanigans + spl_autoload_register($autoload, true, true); + } else { + $buggy = version_compare(PHP_VERSION, '5.2.11', '<'); + $compat = version_compare(PHP_VERSION, '5.1.2', '<=') && + version_compare(PHP_VERSION, '5.1.0', '>='); + foreach ($funcs as $func) { + if ($buggy && is_array($func)) { + // :TRICKY: There are some compatibility issues and some + // places where we need to error out + $reflector = new ReflectionMethod($func[0], $func[1]); + if (!$reflector->isStatic()) { + throw new Exception( + 'HTML Purifier autoloader registrar is not compatible + with non-static object methods due to PHP Bug #44144; + Please do not use HTMLPurifier.autoload.php (or any + file that includes this file); instead, place the code: + spl_autoload_register(array(\'HTMLPurifier_Bootstrap\', \'autoload\')) + after your own autoloaders.' + ); + } + // Suprisingly, spl_autoload_register supports the + // Class::staticMethod callback format, although call_user_func doesn't + if ($compat) { + $func = implode('::', $func); + } + } + spl_autoload_unregister($func); + } + spl_autoload_register($autoload); + foreach ($funcs as $func) { + spl_autoload_register($func); + } + } + } + } +} + +// vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ChildDef/Chameleon.php php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ChildDef/Chameleon.php --- php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ChildDef/Chameleon.php 1970-01-01 00:00:00.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ChildDef/Chameleon.php 2019-07-14 19:19:38.000000000 +0000 
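Review bot: getPath() builds the file name from `$class` after checking only that its first 12 characters are 'HTMLPurifier', so the rest of the string is never restricted to characters valid in a class name before autoload() passes the result to `require_once`. The `file_exists()` test shows that the path exists, not that it stays under HTMLPURIFIER_PREFIX. Whether any caller hands an externally influenced name to the autoloader cannot be seen from this hunk, but a guard ahead of the `str_replace()` calls is cheap: `if (!preg_match('/^HTMLPurifier(_[A-Za-z0-9]+)*$/', $class)) { return false; }`. Adjust the pattern if the project has class names outside that shape. The opening lines of the file are missing from this rendering of the hunk, so the definition of HTMLPURIFIER_PREFIX was not reviewed.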
@@ -0,0 +1,67 @@ +inline = new HTMLPurifier_ChildDef_Optional($inline); + $this->block = new HTMLPurifier_ChildDef_Optional($block); + $this->elements = $this->block->elements; + } + + /** + * @param HTMLPurifier_Node[] $children + * @param HTMLPurifier_Config $config + * @param HTMLPurifier_Context $context + * @return bool + */ + public function validateChildren($children, $config, $context) + { + if ($context->get('IsInline') === false) { + return $this->block->validateChildren( + $children, + $config, + $context + ); + } else { + return $this->inline->validateChildren( + $children, + $config, + $context + ); + } + } +} + +// vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ChildDef/Custom.php php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ChildDef/Custom.php --- php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ChildDef/Custom.php 1970-01-01 00:00:00.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ChildDef/Custom.php 2019-07-14 19:19:38.000000000 +0000 
@@ -0,0 +1,102 @@
+dtd_regex = $dtd_regex;
+ $this->_compileRegex();
+ }
+
+ /**
+ * Compiles the PCRE regex from a DTD regex ($dtd_regex to $_pcre_regex)
+ */
+ protected function _compileRegex()
+ {
+ $raw = str_replace(' ', '', $this->dtd_regex);
+ if ($raw{0} != '(') {
+ $raw = "($raw)";
+ }
+ $el = '[#a-zA-Z0-9_.-]+';
+ $reg = $raw;
+
+ // COMPLICATED! AND MIGHT BE BUGGY! I HAVE NO CLUE WHAT I'M
+ // DOING! Seriously: if there's problems, please report them.
+
+ // collect all elements into the $elements array
+ preg_match_all("/$el/", $reg, $matches);
+ foreach ($matches[0] as $match) {
+ $this->elements[$match] = true;
+ }
+
+ // setup all elements as parentheticals with leading commas
+ $reg = preg_replace("/$el/", '(,\\0)', $reg);
+
+ // remove commas when they were not solicited
+ $reg = preg_replace("/([^,(|]\(+),/", '\\1', $reg);
+
+ // remove all non-paranthetical commas: they are handled by first regex
+ $reg = preg_replace("/,\(/", '(', $reg);
+
+ $this->_pcre_regex = $reg;
+ }
+
+ /**
+ * @param HTMLPurifier_Node[] $children
+ * @param HTMLPurifier_Config $config
+ * @param HTMLPurifier_Context $context
+ * @return bool
+ */
+ public function validateChildren($children, $config, $context)
+ {
+ $list_of_children = '';
+ $nesting = 0; // depth into the nest
+ foreach ($children as $node) {
+ if (!empty($node->is_whitespace)) {
+ continue;
+ }
+ $list_of_children .= $node->name . ',';
+ }
+ // add leading comma to deal with stray comma declarations
+ $list_of_children = ',' . rtrim($list_of_children, ',');
+ $okay =
+ preg_match(
+ '/^,?' . $this->_pcre_regex . '$/',
+ $list_of_children
+ );
+ return (bool)$okay;
+ }
+}
+
+// vim: et sw=4 sts=4
diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ChildDef/Empty.php php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ChildDef/Empty.php
--- php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ChildDef/Empty.php 1970-01-01 00:00:00.000000000 +0000
+++ php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ChildDef/Empty.php 2019-07-14 19:19:38.000000000 +0000
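Review bot: `_compileRegex()` reads the first character with `$raw{0}`, the curly-brace offset syntax that PHP 7.4 deprecates and PHP 8.0 rejects at parse time, so this file stops loading on current interpreters. Writing it as `if ($raw === '' || $raw[0] != '(') {` keeps the behaviour and also covers an empty `$dtd_regex`. In `validateChildren()`, `$nesting` is assigned and never read, and `(bool)$okay` maps a `preg_match()` error (`false`) to the same result as a non-match. That fails closed, which is the safe direction, but a comment such as `// preg_match() === false (PCRE error) is treated as invalid children` would make it deliberate. The text above `_compileRegex()` is truncated on this page, so the constructor was not reviewed.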
@@ -0,0 +1,38 @@ + true, 'ul' => true, 'ol' => true); + + /** + * @param array $children + * @param HTMLPurifier_Config $config + * @param HTMLPurifier_Context $context + * @return array + */ + public function validateChildren($children, $config, $context) + { + // Flag for subclasses + $this->whitespace = false; + + // if there are no tokens, delete parent node + if (empty($children)) { + return false; + } + + // if li is not allowed, delete parent node + if (!isset($config->getHTMLDefinition()->info['li'])) { + trigger_error("Cannot allow ul/ol without allowing li", E_USER_WARNING); + return false; + } + + // the new set of children + $result = array(); + + // a little sanity check to make sure it's not ALL whitespace + $all_whitespace = true; + + $current_li = null; + + foreach ($children as $node) { + if (!empty($node->is_whitespace)) { + $result[] = $node; + continue; + } + $all_whitespace = false; // phew, we're not talking about whitespace + + if ($node->name === 'li') { + // good + $current_li = $node; + $result[] = $node; + } else { + // we want to tuck this into the previous li + // Invariant: we expect the node to be ol/ul + // ToDo: Make this more robust in the case of not ol/ul + // by distinguishing between existing li and li created + // to handle non-list elements; non-list elements should + // not be appended to an existing li; only li created + // for non-list. This distinction is not currently made. + if ($current_li === null) { + $current_li = new HTMLPurifier_Node_Element('li'); + $result[] = $current_li; + } + $current_li->children[] = $node; + $current_li->empty = false; // XXX fascinating! 
Check for this error elsewhere ToDo + } + } + if (empty($result)) { + return false; + } + if ($all_whitespace) { + return false; + } + return $result; + } +} + +// vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ChildDef/Optional.php php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ChildDef/Optional.php --- php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ChildDef/Optional.php 1970-01-01 00:00:00.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ChildDef/Optional.php 2019-07-14 19:19:38.000000000 +0000 @@ -0,0 +1,45 @@ +whitespace) { + return $children; + } else { + return array(); + } + } + return $result; + } +} + +// vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ChildDef/Required.php php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ChildDef/Required.php --- php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ChildDef/Required.php 1970-01-01 00:00:00.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ChildDef/Required.php 2019-07-14 19:19:38.000000000 +0000 
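Review bot: The docblock on this `validateChildren()` declares `@return array`, but the body returns `false` on three paths (no children, `li` not allowed, nothing but whitespace). Callers have to tell "delete the parent node" apart from a replacement list, so the contract should be written down, e.g. `@return array|bool false to remove the parent node, otherwise the new child list`. The same mismatch is in the `Required.php` hunk that follows, and `Table.php` also returns `false` under `@return array`.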
@@ -0,0 +1,118 @@ + $x) { + $elements[$i] = true; + if (empty($i)) { + unset($elements[$i]); + } // remove blank + } + } + $this->elements = $elements; + } + + /** + * @type bool + */ + public $allow_empty = false; + + /** + * @type string + */ + public $type = 'required'; + + /** + * @param array $children + * @param HTMLPurifier_Config $config + * @param HTMLPurifier_Context $context + * @return array + */ + public function validateChildren($children, $config, $context) + { + // Flag for subclasses + $this->whitespace = false; + + // if there are no tokens, delete parent node + if (empty($children)) { + return false; + } + + // the new set of children + $result = array(); + + // whether or not parsed character data is allowed + // this controls whether or not we silently drop a tag + // or generate escaped HTML from it + $pcdata_allowed = isset($this->elements['#PCDATA']); + + // a little sanity check to make sure it's not ALL whitespace + $all_whitespace = true; + + $stack = array_reverse($children); + while (!empty($stack)) { + $node = array_pop($stack); + if (!empty($node->is_whitespace)) { + $result[] = $node; + continue; + } + $all_whitespace = false; // phew, we're not talking about whitespace + + if (!isset($this->elements[$node->name])) { + // special case text + // XXX One of these ought to be redundant or something + if ($pcdata_allowed && $node instanceof HTMLPurifier_Node_Text) { + $result[] = $node; + continue; + } + // spill the child contents in + // ToDo: Make configurable + if ($node instanceof HTMLPurifier_Node_Element) { + for ($i = count($node->children) - 1; $i >= 0; $i--) { + $stack[] = $node->children[$i]; + } + continue; + } + continue; + } + $result[] = $node; + } + if (empty($result)) { + return false; + } + if ($all_whitespace) { + $this->whitespace = true; + return false; + } + return $result; + } +} + +// vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ChildDef/StrictBlockquote.php 
php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ChildDef/StrictBlockquote.php --- php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ChildDef/StrictBlockquote.php 1970-01-01 00:00:00.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ChildDef/StrictBlockquote.php 2019-07-14 19:19:38.000000000 +0000 
@@ -0,0 +1,110 @@
+init($config);
+ return $this->fake_elements;
+ }
+
+ /**
+ * @param array $children
+ * @param HTMLPurifier_Config $config
+ * @param HTMLPurifier_Context $context
+ * @return array
+ */
+ public function validateChildren($children, $config, $context)
+ {
+ $this->init($config);
+
+ // trick the parent class into thinking it allows more
+ $this->elements = $this->fake_elements;
+ $result = parent::validateChildren($children, $config, $context);
+ $this->elements = $this->real_elements;
+
+ if ($result === false) {
+ return array();
+ }
+ if ($result === true) {
+ $result = $children;
+ }
+
+ $def = $config->getHTMLDefinition();
+ $block_wrap_name = $def->info_block_wrapper;
+ $block_wrap = false;
+ $ret = array();
+
+ foreach ($result as $node) {
+ if ($block_wrap === false) {
+ if (($node instanceof HTMLPurifier_Node_Text && !$node->is_whitespace) ||
+ ($node instanceof HTMLPurifier_Node_Element && !isset($this->elements[$node->name]))) {
+ $block_wrap = new HTMLPurifier_Node_Element($def->info_block_wrapper);
+ $ret[] = $block_wrap;
+ }
+ } else {
+ if ($node instanceof HTMLPurifier_Node_Element && isset($this->elements[$node->name])) {
+ $block_wrap = false;
+
+ }
+ }
+ if ($block_wrap) {
+ $block_wrap->children[] = $node;
+ } else {
+ $ret[] = $node;
+ }
+ }
+ return $ret;
+ }
+
+ /**
+ * @param HTMLPurifier_Config $config
+ */
+ private function init($config)
+ {
+ if (!$this->init) {
+ $def = $config->getHTMLDefinition();
+ // allow all inline elements
+ $this->real_elements = $this->elements;
+ $this->fake_elements = $def->info_content_sets['Flow'];
+ $this->fake_elements['#PCDATA'] = true;
+ $this->init = true;
+ }
+ }
+}
+
+// vim: et sw=4 sts=4
diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ChildDef/Table.php php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ChildDef/Table.php
--- php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ChildDef/Table.php 1970-01-01 00:00:00.000000000 +0000
+++ 
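Review bot: `validateChildren()` stores `$def->info_block_wrapper` in `$block_wrap_name` and never reads it, then fetches the property again when creating the wrapper. Either use the local, `$block_wrap = new HTMLPurifier_Node_Element($block_wrap_name);`, or drop the assignment. The swap of `$this->elements` to `$this->fake_elements` around `parent::validateChildren()` also deserves a comment. If the parent call ever throws (for instance under an error handler that turns warnings into exceptions, which is not visible here), the widened element set would stay on this object for later calls. Something like `// NOTE: not exception-safe; $this->elements stays widened if the parent call throws` above the swap would record that.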
php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ChildDef/Table.php 2019-07-14 19:19:38.000000000 +0000 @@ -0,0 +1,224 @@ + true, + 'tbody' => true, + 'thead' => true, + 'tfoot' => true, + 'caption' => true, + 'colgroup' => true, + 'col' => true + ); + + public function __construct() + { + } + + /** + * @param array $children + * @param HTMLPurifier_Config $config + * @param HTMLPurifier_Context $context + * @return array + */ + public function validateChildren($children, $config, $context) + { + if (empty($children)) { + return false; + } + + // only one of these elements is allowed in a table + $caption = false; + $thead = false; + $tfoot = false; + + // whitespace + $initial_ws = array(); + $after_caption_ws = array(); + $after_thead_ws = array(); + $after_tfoot_ws = array(); + + // as many of these as you want + $cols = array(); + $content = array(); + + $tbody_mode = false; // if true, then we need to wrap any stray + //
+ This directive turns on auto-paragraphing, where double newlines are + converted in to paragraphs whenever possible. Auto-paragraphing: +
+
+ p
tags must be allowed for this directive to take effect.
+ We do not use br
tags for paragraphing, as that is
+ semantically incorrect.
+
+ To prevent auto-paragraphing as a content-producer, refrain from using
+ double-newlines except to specify a new paragraph or in contexts where
+ it has special meaning (whitespace usually has no meaning except in
+ tags like pre
, so this should not be difficult.) To prevent
+ the paragraphing of inline text adjacent to block elements, wrap them
+ in div
tags (the behavior is slightly different outside of
+ the root node.)
+
+ This directive can be used to add custom auto-format injectors. + Specify an array of injector names (class name minus the prefix) + or concrete implementations. Injector class must exist. +
+--# vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/AutoFormat.DisplayLinkURI.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/AutoFormat.DisplayLinkURI.txt --- php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/AutoFormat.DisplayLinkURI.txt 1970-01-01 00:00:00.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/AutoFormat.DisplayLinkURI.txt 2019-07-14 19:19:38.000000000 +0000 @@ -0,0 +1,11 @@ +AutoFormat.DisplayLinkURI +TYPE: bool +VERSION: 3.2.0 +DEFAULT: false +--DESCRIPTION-- ++ This directive turns on the in-text display of URIs in <a> tags, and disables + those links. For example, example becomes + example (http://example.com). +
+--# vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/AutoFormat.Linkify.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/AutoFormat.Linkify.txt --- php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/AutoFormat.Linkify.txt 1970-01-01 00:00:00.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/AutoFormat.Linkify.txt 2019-07-14 19:19:38.000000000 +0000 @@ -0,0 +1,12 @@ +AutoFormat.Linkify +TYPE: bool +VERSION: 2.0.1 +DEFAULT: false +--DESCRIPTION-- + +
+ This directive turns on linkification, auto-linking http, ftp and
+ https URLs. a
tags with the href
attribute
+ must be allowed.
+
+ Location of configuration documentation to link to, let %s substitute + into the configuration's namespace and directive names sans the percent + sign. +
+--# vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/AutoFormat.PurifierLinkify.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/AutoFormat.PurifierLinkify.txt --- php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/AutoFormat.PurifierLinkify.txt 1970-01-01 00:00:00.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/AutoFormat.PurifierLinkify.txt 2019-07-14 19:19:38.000000000 +0000 @@ -0,0 +1,12 @@ +AutoFormat.PurifierLinkify +TYPE: bool +VERSION: 2.0.1 +DEFAULT: false +--DESCRIPTION-- + +
+ Internal auto-formatter that converts configuration directives in
+ syntax %Namespace.Directive to links. a
tags
+ with the href
attribute must be allowed.
+
+ Given that an element has no contents, it will be removed by default, unless
+ this predicate dictates otherwise. The predicate can either be an associative
+ map from tag name to list of attributes that must be present for the element
+ to be considered preserved: thus, the default always preserves colgroup
,
+ th
and td
, and also iframe
if it
+ has a src
.
+
+ When %AutoFormat.RemoveEmpty and %AutoFormat.RemoveEmpty.RemoveNbsp + are enabled, this directive defines what HTML elements should not be + removede if they have only a non-breaking space in them. +
+--# vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/AutoFormat.RemoveEmpty.RemoveNbsp.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/AutoFormat.RemoveEmpty.RemoveNbsp.txt --- php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/AutoFormat.RemoveEmpty.RemoveNbsp.txt 1970-01-01 00:00:00.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/AutoFormat.RemoveEmpty.RemoveNbsp.txt 2019-07-14 19:19:38.000000000 +0000 @@ -0,0 +1,15 @@ +AutoFormat.RemoveEmpty.RemoveNbsp +TYPE: bool +VERSION: 4.0.0 +DEFAULT: false +--DESCRIPTION-- ++ When enabled, HTML Purifier will treat any elements that contain only + non-breaking spaces as well as regular whitespace as empty, and remove + them when %AutoFormat.RemoveEmpty is enabled. +
++ See %AutoFormat.RemoveEmpty.RemoveNbsp.Exceptions for a list of elements + that don't have this behavior applied to them. +
+--# vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/AutoFormat.RemoveEmpty.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/AutoFormat.RemoveEmpty.txt --- php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/AutoFormat.RemoveEmpty.txt 1970-01-01 00:00:00.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/AutoFormat.RemoveEmpty.txt 2019-07-14 19:19:38.000000000 +0000 @@ -0,0 +1,46 @@ +AutoFormat.RemoveEmpty +TYPE: bool +VERSION: 3.2.0 +DEFAULT: false +--DESCRIPTION-- ++ When enabled, HTML Purifier will attempt to remove empty elements that + contribute no semantic information to the document. The following types + of nodes will be removed: +
+<a></a>
but not
+ <br />
), and
+ colgroup
element, orid
or name
attribute,
+ when those attributes are permitted on those elements.
+ + Please be very careful when using this functionality; while it may not + seem that empty elements contain useful information, they can alter the + layout of a document given appropriate styling. This directive is most + useful when you are processing machine-generated HTML, please avoid using + it on regular user HTML. +
++ Elements that contain only whitespace will be treated as empty. Non-breaking + spaces, however, do not count as whitespace. See + %AutoFormat.RemoveEmpty.RemoveNbsp for alternate behavior. +
++ This algorithm is not perfect; you may still notice some empty tags, + particularly if a node had elements, but those elements were later removed + because they were not permitted in that context, or tags that, after + being auto-closed by another tag, where empty. This is for safety reasons + to prevent clever code from breaking validation. The general rule of thumb: + if a tag looked empty on the way in, it will get removed; if HTML Purifier + made it empty, it will stay. +
+--# vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/AutoFormat.RemoveSpansWithoutAttributes.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/AutoFormat.RemoveSpansWithoutAttributes.txt --- php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/AutoFormat.RemoveSpansWithoutAttributes.txt 1970-01-01 00:00:00.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/AutoFormat.RemoveSpansWithoutAttributes.txt 2019-07-14 19:19:38.000000000 +0000 @@ -0,0 +1,11 @@ +AutoFormat.RemoveSpansWithoutAttributes +TYPE: bool +VERSION: 4.0.1 +DEFAULT: false +--DESCRIPTION-- +
+ This directive causes span
tags without any attributes
+ to be removed. It will also remove spans that had all attributes
+ removed during processing.
+
+ Absolute path with no trailing slash to store serialized definitions in. + Default is within the + HTML Purifier library inside DefinitionCache/Serializer. This + path must be writable by the webserver. +
+--# vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/Cache.SerializerPermissions.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/Cache.SerializerPermissions.txt --- php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/Cache.SerializerPermissions.txt 1970-01-01 00:00:00.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/Cache.SerializerPermissions.txt 2019-07-14 19:19:38.000000000 +0000 @@ -0,0 +1,16 @@ +Cache.SerializerPermissions +TYPE: int/null +VERSION: 4.3.0 +DEFAULT: 0755 +--DESCRIPTION-- + ++ Directory permissions of the files and directories created inside + the DefinitionCache/Serializer or other custom serializer path. +
+
+ In HTML Purifier 4.8.0, this also supports NULL
,
+ which means that no chmod'ing or directory creation shall
+ occur.
+
+ This directive enables aggressive pre-filter fixes HTML Purifier can + perform in order to ensure that open angled-brackets do not get killed + during parsing stage. Enabling this will result in two preg_replace_callback + calls and at least two preg_replace calls for every HTML document parsed; + if your users make very well-formed HTML, you can set this directive false. + This has no effect when DirectLex is used. +
++ Notice: This directive's default turned from false to true + in HTML Purifier 3.2.0. +
+--# vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/Core.AggressivelyRemoveScript.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/Core.AggressivelyRemoveScript.txt --- php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/Core.AggressivelyRemoveScript.txt 1970-01-01 00:00:00.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/Core.AggressivelyRemoveScript.txt 2019-07-14 19:19:38.000000000 +0000 @@ -0,0 +1,16 @@ +Core.AggressivelyRemoveScript +TYPE: bool +VERSION: 4.9.0 +DEFAULT: true +--DESCRIPTION-- ++ This directive enables aggressive pre-filter removal of + script tags. This is not necessary for security, + but it can help work around a bug in libxml where embedded + HTML elements inside script sections cause the parser to + choke. To revert to pre-4.9.0 behavior, set this to false. + This directive has no effect if %Core.Trusted is true, + %Core.RemoveScriptContents is false, or %Core.HiddenElements + does not contain script. +
+--# vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/Core.AllowHostnameUnderscore.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/Core.AllowHostnameUnderscore.txt --- php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/Core.AllowHostnameUnderscore.txt 1970-01-01 00:00:00.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/Core.AllowHostnameUnderscore.txt 2019-07-14 19:19:38.000000000 +0000 @@ -0,0 +1,16 @@ +Core.AllowHostnameUnderscore +TYPE: bool +VERSION: 4.6.0 +DEFAULT: false +--DESCRIPTION-- ++ By RFC 1123, underscores are not permitted in host names. + (This is in contrast to the specification for DNS, RFC + 2181, which allows underscores.) + However, most browsers do the right thing when faced with + an underscore in the host name, and so some poorly written + websites are written with the expectation this should work. + Setting this parameter to true relaxes our allowed character + check so that underscores are permitted. +
+--# vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/Core.AllowParseManyTags.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/Core.AllowParseManyTags.txt --- php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/Core.AllowParseManyTags.txt 1970-01-01 00:00:00.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/Core.AllowParseManyTags.txt 2019-07-14 19:19:38.000000000 +0000 @@ -0,0 +1,12 @@ +Core.AllowParseManyTags +TYPE: bool +DEFAULT: false +VERSION: 4.10.1 +--DESCRIPTION-- ++ This directive allows parsing of many nested tags. + If you set true, relaxes any hardcoded limit from the parser. + However, in that case it may cause a Dos attack. + Be careful when enabling it. +
+--# vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/Core.CollectErrors.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/Core.CollectErrors.txt --- php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/Core.CollectErrors.txt 1970-01-01 00:00:00.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/Core.CollectErrors.txt 2019-07-14 19:19:38.000000000 +0000 @@ -0,0 +1,12 @@ +Core.CollectErrors +TYPE: bool +VERSION: 2.0.0 +DEFAULT: false +--DESCRIPTION-- + +Whether or not to collect errors found while filtering the document. This +is a useful way to give feedback to your users. Warning: +Currently this feature is very patchy and experimental, with lots of +possible error messages not yet implemented. It will not cause any +problems, but it may not help your users either. +--# vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/Core.ColorKeywords.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/Core.ColorKeywords.txt --- php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/Core.ColorKeywords.txt 1970-01-01 00:00:00.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/Core.ColorKeywords.txt 2019-07-14 19:19:38.000000000 +0000 
@@ -0,0 +1,160 @@ +Core.ColorKeywords +TYPE: hash +VERSION: 2.0.0 +--DEFAULT-- +array ( + 'aliceblue' => '#F0F8FF', + 'antiquewhite' => '#FAEBD7', + 'aqua' => '#00FFFF', + 'aquamarine' => '#7FFFD4', + 'azure' => '#F0FFFF', + 'beige' => '#F5F5DC', + 'bisque' => '#FFE4C4', + 'black' => '#000000', + 'blanchedalmond' => '#FFEBCD', + 'blue' => '#0000FF', + 'blueviolet' => '#8A2BE2', + 'brown' => '#A52A2A', + 'burlywood' => '#DEB887', + 'cadetblue' => '#5F9EA0', + 'chartreuse' => '#7FFF00', + 'chocolate' => '#D2691E', + 'coral' => '#FF7F50', + 'cornflowerblue' => '#6495ED', + 'cornsilk' => '#FFF8DC', + 'crimson' => '#DC143C', + 'cyan' => '#00FFFF', + 'darkblue' => '#00008B', + 'darkcyan' => '#008B8B', + 'darkgoldenrod' => '#B8860B', + 'darkgray' => '#A9A9A9', + 'darkgrey' => '#A9A9A9', + 'darkgreen' => '#006400', + 'darkkhaki' => '#BDB76B', + 'darkmagenta' => '#8B008B', + 'darkolivegreen' => '#556B2F', + 'darkorange' => '#FF8C00', + 'darkorchid' => '#9932CC', + 'darkred' => '#8B0000', + 'darksalmon' => '#E9967A', + 'darkseagreen' => '#8FBC8F', + 'darkslateblue' => '#483D8B', + 'darkslategray' => '#2F4F4F', + 'darkslategrey' => '#2F4F4F', + 'darkturquoise' => '#00CED1', + 'darkviolet' => '#9400D3', + 'deeppink' => '#FF1493', + 'deepskyblue' => '#00BFFF', + 'dimgray' => '#696969', + 'dimgrey' => '#696969', + 'dodgerblue' => '#1E90FF', + 'firebrick' => '#B22222', + 'floralwhite' => '#FFFAF0', + 'forestgreen' => '#228B22', + 'fuchsia' => '#FF00FF', + 'gainsboro' => '#DCDCDC', + 'ghostwhite' => '#F8F8FF', + 'gold' => '#FFD700', + 'goldenrod' => '#DAA520', + 'gray' => '#808080', + 'grey' => '#808080', + 'green' => '#008000', + 'greenyellow' => '#ADFF2F', + 'honeydew' => '#F0FFF0', + 'hotpink' => '#FF69B4', + 'indianred' => '#CD5C5C', + 'indigo' => '#4B0082', + 'ivory' => '#FFFFF0', + 'khaki' => '#F0E68C', + 'lavender' => '#E6E6FA', + 'lavenderblush' => '#FFF0F5', + 'lawngreen' => '#7CFC00', + 'lemonchiffon' => '#FFFACD', + 'lightblue' => '#ADD8E6', + 'lightcoral' => '#F08080', 
+ 'lightcyan' => '#E0FFFF', + 'lightgoldenrodyellow' => '#FAFAD2', + 'lightgray' => '#D3D3D3', + 'lightgrey' => '#D3D3D3', + 'lightgreen' => '#90EE90', + 'lightpink' => '#FFB6C1', + 'lightsalmon' => '#FFA07A', + 'lightseagreen' => '#20B2AA', + 'lightskyblue' => '#87CEFA', + 'lightslategray' => '#778899', + 'lightslategrey' => '#778899', + 'lightsteelblue' => '#B0C4DE', + 'lightyellow' => '#FFFFE0', + 'lime' => '#00FF00', + 'limegreen' => '#32CD32', + 'linen' => '#FAF0E6', + 'magenta' => '#FF00FF', + 'maroon' => '#800000', + 'mediumaquamarine' => '#66CDAA', + 'mediumblue' => '#0000CD', + 'mediumorchid' => '#BA55D3', + 'mediumpurple' => '#9370DB', + 'mediumseagreen' => '#3CB371', + 'mediumslateblue' => '#7B68EE', + 'mediumspringgreen' => '#00FA9A', + 'mediumturquoise' => '#48D1CC', + 'mediumvioletred' => '#C71585', + 'midnightblue' => '#191970', + 'mintcream' => '#F5FFFA', + 'mistyrose' => '#FFE4E1', + 'moccasin' => '#FFE4B5', + 'navajowhite' => '#FFDEAD', + 'navy' => '#000080', + 'oldlace' => '#FDF5E6', + 'olive' => '#808000', + 'olivedrab' => '#6B8E23', + 'orange' => '#FFA500', + 'orangered' => '#FF4500', + 'orchid' => '#DA70D6', + 'palegoldenrod' => '#EEE8AA', + 'palegreen' => '#98FB98', + 'paleturquoise' => '#AFEEEE', + 'palevioletred' => '#DB7093', + 'papayawhip' => '#FFEFD5', + 'peachpuff' => '#FFDAB9', + 'peru' => '#CD853F', + 'pink' => '#FFC0CB', + 'plum' => '#DDA0DD', + 'powderblue' => '#B0E0E6', + 'purple' => '#800080', + 'rebeccapurple' => '#663399', + 'red' => '#FF0000', + 'rosybrown' => '#BC8F8F', + 'royalblue' => '#4169E1', + 'saddlebrown' => '#8B4513', + 'salmon' => '#FA8072', + 'sandybrown' => '#F4A460', + 'seagreen' => '#2E8B57', + 'seashell' => '#FFF5EE', + 'sienna' => '#A0522D', + 'silver' => '#C0C0C0', + 'skyblue' => '#87CEEB', + 'slateblue' => '#6A5ACD', + 'slategray' => '#708090', + 'slategrey' => '#708090', + 'snow' => '#FFFAFA', + 'springgreen' => '#00FF7F', + 'steelblue' => '#4682B4', + 'tan' => '#D2B48C', + 'teal' => '#008080', + 'thistle' 
=> '#D8BFD8', + 'tomato' => '#FF6347', + 'turquoise' => '#40E0D0', + 'violet' => '#EE82EE', + 'wheat' => '#F5DEB3', + 'white' => '#FFFFFF', + 'whitesmoke' => '#F5F5F5', + 'yellow' => '#FFFF00', + 'yellowgreen' => '#9ACD32' +) +--DESCRIPTION-- + +Lookup array of color names to six digit hexadecimal number corresponding +to color, with preceding hash mark. Used when parsing colors. The lookup +is done in a case-insensitive manner. +--# vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/Core.ConvertDocumentToFragment.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/Core.ConvertDocumentToFragment.txt --- php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/Core.ConvertDocumentToFragment.txt 1970-01-01 00:00:00.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/Core.ConvertDocumentToFragment.txt 2019-07-14 19:19:38.000000000 +0000 
@@ -0,0 +1,14 @@
+Core.ConvertDocumentToFragment
+TYPE: bool
+DEFAULT: true
+--DESCRIPTION--
+
+This parameter determines whether or not the filter should convert
+input that is a full document with html and body tags to a fragment
+of just the contents of a body tag. This parameter is simply something
+HTML Purifier can do during an edge-case: for most inputs, this
+processing is not necessary.
+
+--ALIASES--
+Core.AcceptFullDocuments
+--# vim: et sw=4 sts=4
diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/Core.DirectLexLineNumberSyncInterval.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/Core.DirectLexLineNumberSyncInterval.txt
--- php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/Core.DirectLexLineNumberSyncInterval.txt 1970-01-01 00:00:00.000000000 +0000
+++ php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/Core.DirectLexLineNumberSyncInterval.txt 2019-07-14 19:19:38.000000000 +0000
@@ -0,0 +1,17 @@
+Core.DirectLexLineNumberSyncInterval
+TYPE: int
+VERSION: 2.0.0
+DEFAULT: 0
+--DESCRIPTION--
+
+
+ Specifies the number of tokens the DirectLex line number tracking
+ implementations should process before attempting to resyncronize the
+ current line count by manually counting all previous new-lines. When
+ at 0, this functionality is disabled. Lower values will decrease
+ performance, and this is only strictly necessary if the counting
+ algorithm is buggy (in which case you should report it as a bug).
+ This has no effect when %Core.MaintainLineNumbers is disabled or DirectLex is
+ not being used.
+
+--# vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/Core.DisableExcludes.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/Core.DisableExcludes.txt --- php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/Core.DisableExcludes.txt 1970-01-01 00:00:00.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/Core.DisableExcludes.txt 2019-07-14 19:19:38.000000000 +0000 @@ -0,0 +1,14 @@ +Core.DisableExcludes +TYPE: bool +DEFAULT: false +VERSION: 4.5.0 +--DESCRIPTION-- +
+ This directive disables SGML-style exclusions, e.g. the exclusion of
+ <object>
in any descendant of a
+ <pre>
tag. Disabling excludes will allow some
+ invalid documents to pass through HTML Purifier, but HTML Purifier
+ will also be less likely to accidentally remove large documents during
+ processing.
+
Warning: this configuration option is no longer does anything as of 4.6.0.
+ +When true, a child is found that is not allowed in the context of the +parent element will be transformed into text as if it were ASCII. When +false, that element and all internal tags will be dropped, though text will +be preserved. There is no option for dropping the element but preserving +child nodes.
+--# vim: et sw=4 sts=4
diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/Core.EscapeInvalidTags.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/Core.EscapeInvalidTags.txt
--- php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/Core.EscapeInvalidTags.txt 1970-01-01 00:00:00.000000000 +0000
+++ php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/Core.EscapeInvalidTags.txt 2019-07-14 19:19:38.000000000 +0000
@@ -0,0 +1,7 @@
+Core.EscapeInvalidTags
+TYPE: bool
+DEFAULT: false
+--DESCRIPTION--
+When true, invalid tags will be written back to the document as plain text.
+Otherwise, they are silently dropped.
+--# vim: et sw=4 sts=4
diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/Core.EscapeNonASCIICharacters.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/Core.EscapeNonASCIICharacters.txt
--- php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/Core.EscapeNonASCIICharacters.txt 1970-01-01 00:00:00.000000000 +0000
+++ php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/Core.EscapeNonASCIICharacters.txt 2019-07-14 19:19:38.000000000 +0000
@@ -0,0 +1,13 @@
+Core.EscapeNonASCIICharacters
+TYPE: bool
+VERSION: 1.4.0
+DEFAULT: false
+--DESCRIPTION--
+This directive overcomes a deficiency in %Core.Encoding by blindly
+converting all non-ASCII characters into decimal numeric entities before
+converting it to its native encoding. This means that even characters that
+can be expressed in the non-UTF-8 encoding will be entity-ized, which can
+be a real downer for encodings like Big5. It also assumes that the ASCII
+repetoire is available, although this is the case for almost all encodings.
+Anyway, use UTF-8!
+--# vim: et sw=4 sts=4
diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/Core.HiddenElements.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/Core.HiddenElements.txt
--- php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/Core.HiddenElements.txt 1970-01-01 00:00:00.000000000 +0000
+++ php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/Core.HiddenElements.txt 2019-07-14 19:19:38.000000000 +0000
@@ -0,0 +1,19 @@
+Core.HiddenElements
+TYPE: lookup
+--DEFAULT--
+array (
+ 'script' => true,
+ 'style' => true,
+)
+--DESCRIPTION--
+
+
+ This directive is a lookup array of elements which should have their
+ contents removed when they are not allowed by the HTML definition.
+ For example, the contents of a script
tag are not
+ normally shown in a document, so if script tags are to be removed,
+ their contents should be removed to. This is opposed to a b
+ tag, which defines some presentational changes but does not hide its
+ contents.
+
+ Prior to HTML Purifier 4.9.0, entities were decoded by performing + a global search replace for all entities whose decoded versions + did not have special meanings under HTML, and replaced them with + their decoded versions. We would match all entities, even if they did + not have a trailing semicolon, but only if there weren't any trailing + alphanumeric characters. +
+Original | Text | Attribute |
---|---|---|
¥ | ¥ | ¥ |
¥ | ¥ | ¥ |
¥a | ¥a | ¥a |
¥= | ¥= | ¥= |
+ In HTML Purifier 4.9.0, we changed the behavior of entity parsing + to match entities that had missing trailing semicolons in less + cases, to more closely match HTML5 parsing behavior: +
+Original | Text | Attribute |
---|---|---|
¥ | ¥ | ¥ |
¥ | ¥ | ¥ |
¥a | ¥a | ¥a |
¥= | ¥= | ¥= |
+ This flag reverts back to pre-HTML Purifier 4.9.0 behavior. +
+--# vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/Core.LexerImpl.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/Core.LexerImpl.txt --- php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/Core.LexerImpl.txt 1970-01-01 00:00:00.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/Core.LexerImpl.txt 2019-07-14 19:19:38.000000000 +0000 @@ -0,0 +1,34 @@ +Core.LexerImpl +TYPE: mixed/null +VERSION: 2.0.0 +DEFAULT: NULL +--DESCRIPTION-- + ++ This parameter determines what lexer implementation can be used. The + valid values are: +
+HTMLPurifier_Lexer
.
+ I may remove this option simply because I don't expect anyone
+ to use it.
+ + If true, HTML Purifier will add line number information to all tokens. + This is useful when error reporting is turned on, but can result in + significant performance degradation and should not be used when + unnecessary. This directive must be used with the DirectLex lexer, + as the DOMLex lexer does not (yet) support this functionality. + If the value is null, an appropriate value will be selected based + on other configuration. +
+--# vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/Core.NormalizeNewlines.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/Core.NormalizeNewlines.txt --- php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/Core.NormalizeNewlines.txt 1970-01-01 00:00:00.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/Core.NormalizeNewlines.txt 2019-07-14 19:19:38.000000000 +0000 @@ -0,0 +1,11 @@ +Core.NormalizeNewlines +TYPE: bool +VERSION: 4.2.0 +DEFAULT: true +--DESCRIPTION-- +
+ Whether or not to normalize newlines to the operating
+ system default. When false
, HTML Purifier
+ will attempt to preserve mixed newline files.
+
+ This directive enables pre-emptive URI checking in img
+ tags, as the attribute validation strategy is not authorized to
+ remove elements from the document. Revert to pre-1.3.0 behavior by setting to false.
+
<? ...
+?>
, remove it out-right. This may be useful if the HTML
+you are validating contains XML processing instruction gunk, however,
+it can also be user-unfriendly for people attempting to post PHP
+snippets.
+--# vim: et sw=4 sts=4
diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/Core.RemoveScriptContents.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/Core.RemoveScriptContents.txt
--- php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/Core.RemoveScriptContents.txt 1970-01-01 00:00:00.000000000 +0000
+++ php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/Core.RemoveScriptContents.txt 2019-07-14 19:19:38.000000000 +0000
@@ -0,0 +1,12 @@
+Core.RemoveScriptContents
+TYPE: bool/null
+DEFAULT: NULL
+VERSION: 2.0.0
+DEPRECATED-VERSION: 2.1.0
+DEPRECATED-USE: Core.HiddenElements
+--DESCRIPTION--
++ This directive enables HTML Purifier to remove not only script tags + but all of their contents. +
+--# vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/CSS.AllowDuplicates.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/CSS.AllowDuplicates.txt --- php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/CSS.AllowDuplicates.txt 1970-01-01 00:00:00.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/CSS.AllowDuplicates.txt 2019-07-14 19:19:38.000000000 +0000 @@ -0,0 +1,11 @@ +CSS.AllowDuplicates +TYPE: bool +DEFAULT: false +VERSION: 4.8.0 +--DESCRIPTION-- +
+ By default, HTML Purifier removes duplicate CSS properties,
+ like color:red; color:blue
. If this is set to
+ true, duplicate properties are allowed.
+
+ Allows you to manually specify a set of allowed fonts. If
+ NULL
, all fonts are allowed. This directive
+ affects generic names (serif, sans-serif, monospace, cursive,
+ fantasy) as well as specific font families.
+
+ If HTML Purifier's style attributes set is unsatisfactory for your needs, + you can overload it with your own list of tags to allow. Note that this + method is subtractive: it does its job by taking away from HTML Purifier + usual feature set, so you cannot add an attribute that HTML Purifier never + supported in the first place. +
++ Warning: If another directive conflicts with the + elements here, that directive will win and override. +
+--# vim: et sw=4 sts=4
diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/CSS.AllowImportant.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/CSS.AllowImportant.txt
--- php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/CSS.AllowImportant.txt 1970-01-01 00:00:00.000000000 +0000
+++ php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/CSS.AllowImportant.txt 2019-07-14 19:19:38.000000000 +0000
@@ -0,0 +1,8 @@
+CSS.AllowImportant
+TYPE: bool
+DEFAULT: false
+VERSION: 3.1.0
+--DESCRIPTION--
+This parameter determines whether or not !important cascade modifiers should
+be allowed in user CSS. If false, !important will stripped.
+--# vim: et sw=4 sts=4
diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/CSS.AllowTricky.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/CSS.AllowTricky.txt
--- php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/CSS.AllowTricky.txt 1970-01-01 00:00:00.000000000 +0000
+++ php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/CSS.AllowTricky.txt 2019-07-14 19:19:38.000000000 +0000
@@ -0,0 +1,11 @@
+CSS.AllowTricky
+TYPE: bool
+DEFAULT: false
+VERSION: 3.1.0
+--DESCRIPTION--
+This parameter determines whether or not to allow "tricky" CSS properties and
+values. Tricky CSS properties/values can drastically modify page layout or
+be used for deceptive practices but do not directly constitute a security risk.
+For example,display:none;
is considered a tricky property that
+will only be allowed if this directive is set to true.
+--# vim: et sw=4 sts=4
diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/CSS.DefinitionRev.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/CSS.DefinitionRev.txt
--- php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/CSS.DefinitionRev.txt 1970-01-01 00:00:00.000000000 +0000
+++ php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/CSS.DefinitionRev.txt 2019-07-14 19:19:38.000000000 +0000
@@ -0,0 +1,11 @@
+CSS.DefinitionRev
+TYPE: int
+VERSION: 2.0.0
+DEFAULT: 1
+--DESCRIPTION--
+
++ Revision identifier for your custom definition. See + %HTML.DefinitionRev for details. +
+--# vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/CSS.ForbiddenProperties.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/CSS.ForbiddenProperties.txt --- php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/CSS.ForbiddenProperties.txt 1970-01-01 00:00:00.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/CSS.ForbiddenProperties.txt 2019-07-14 19:19:38.000000000 +0000 @@ -0,0 +1,13 @@ +CSS.ForbiddenProperties +TYPE: lookup +VERSION: 4.2.0 +DEFAULT: array() +--DESCRIPTION-- ++ This is the logical inverse of %CSS.AllowedProperties, and it will + override that directive or any other directive. If possible, + %CSS.AllowedProperties is recommended over this directive, + because it can sometimes be difficult to tell whether or not you've + forbidden all of the CSS properties you truly would like to disallow. +
+--# vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/CSS.MaxImgLength.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/CSS.MaxImgLength.txt --- php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/CSS.MaxImgLength.txt 1970-01-01 00:00:00.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/CSS.MaxImgLength.txt 2019-07-14 19:19:38.000000000 +0000 @@ -0,0 +1,16 @@ +CSS.MaxImgLength +TYPE: string/null +DEFAULT: '1200px' +VERSION: 3.1.1 +--DESCRIPTION-- +
+ This parameter sets the maximum allowed length on img
tags,
+ effectively the width
and height
properties.
+ Only absolute units of measurement (in, pt, pc, mm, cm) and pixels (px) are allowed. This is
+ in place to prevent imagecrash attacks, disable with null at your own risk.
+ This directive is similar to %HTML.MaxImgLength, and both should be
+ concurrently edited, although there are
+ subtle differences in the input format (the CSS max is a number with
+ a unit).
+
+ Whether or not to allow safe, proprietary CSS values. +
+--# vim: et sw=4 sts=4
diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/CSS.Trusted.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/CSS.Trusted.txt
--- php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/CSS.Trusted.txt 1970-01-01 00:00:00.000000000 +0000
+++ php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/CSS.Trusted.txt 2019-07-14 19:19:38.000000000 +0000
@@ -0,0 +1,9 @@
+CSS.Trusted
+TYPE: bool
+VERSION: 4.2.1
+DEFAULT: false
+--DESCRIPTION--
+Indicates whether or not the user's CSS input is trusted or not. If the
+input is trusted, a more expansive set of allowed properties. See
+also %HTML.Trusted.
+--# vim: et sw=4 sts=4
diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/Filter.Custom.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/Filter.Custom.txt
--- php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/Filter.Custom.txt 1970-01-01 00:00:00.000000000 +0000
+++ php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/Filter.Custom.txt 2019-07-14 19:19:38.000000000 +0000
@@ -0,0 +1,11 @@
+Filter.Custom
+TYPE: list
+VERSION: 3.1.0
+DEFAULT: array()
+--DESCRIPTION--
+
+ This directive can be used to add custom filters; it is nearly the
+ equivalent of the now deprecated HTMLPurifier->addFilter()
+ method. Specify an array of concrete implementations.
+
+ Whether or not to escape the dangerous characters <, > and & + as \3C, \3E and \26, respectively. This is can be safely set to false + if the contents of StyleBlocks will be placed in an external stylesheet, + where there is no risk of it being interpreted as HTML. +
+--# vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/Filter.ExtractStyleBlocks.Scope.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/Filter.ExtractStyleBlocks.Scope.txt --- php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/Filter.ExtractStyleBlocks.Scope.txt 1970-01-01 00:00:00.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/Filter.ExtractStyleBlocks.Scope.txt 2019-07-14 19:19:38.000000000 +0000 @@ -0,0 +1,29 @@ +Filter.ExtractStyleBlocks.Scope +TYPE: string/null +VERSION: 3.0.0 +DEFAULT: NULL +ALIASES: Filter.ExtractStyleBlocksScope, FilterParam.ExtractStyleBlocksScope +--DESCRIPTION-- + +
+ If you would like users to be able to define external stylesheets, but
+ only allow them to specify CSS declarations for a specific node and
+ prevent them from fiddling with other elements, use this directive.
+ It accepts any valid CSS selector, and will prepend this to any
+ CSS declaration extracted from the document. For example, if this
+ directive is set to #user-content
and a user uses the
+ selector a:hover
, the final selector will be
+ #user-content a:hover
.
+
+ The comma shorthand may be used; consider the above example, with
+ #user-content, #user-content2
, the final selector will
+ be #user-content a:hover, #user-content2 a:hover
.
+
+ Warning: It is possible for users to bypass this measure + using a naughty + selector. This is a bug in CSS Tidy 1.3, not HTML + Purifier, and I am working to get it fixed. Until then, HTML Purifier + performs a basic check to prevent this. +
+--# vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/Filter.ExtractStyleBlocks.TidyImpl.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/Filter.ExtractStyleBlocks.TidyImpl.txt --- php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/Filter.ExtractStyleBlocks.TidyImpl.txt 1970-01-01 00:00:00.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/Filter.ExtractStyleBlocks.TidyImpl.txt 2019-07-14 19:19:38.000000000 +0000 @@ -0,0 +1,16 @@ +Filter.ExtractStyleBlocks.TidyImpl +TYPE: mixed/null +VERSION: 3.1.0 +DEFAULT: NULL +ALIASES: FilterParam.ExtractStyleBlocksTidyImpl +--DESCRIPTION-- +
+ If left NULL, HTML Purifier will attempt to instantiate a csstidy
+ class to use for internal cleaning. This will usually be good enough.
+
+ However, for trusted user input, you can set this to false
to
+ disable cleaning. In addition, you can supply your own concrete implementation
+ of Tidy's interface to use, although I don't know why you'd want to do that.
+
+ This directive turns on the style block extraction filter, which removes
+ style
blocks from input HTML, cleans them up with CSSTidy,
+ and places them in the StyleBlocks
context variable, for further
+ use by you, usually to be placed in an external stylesheet, or a
+ style
block in the head
of your document.
+
+ Sample usage: +
+'; +?> + + + ++Filter.ExtractStyleBlocks +body {color:#F00;} Some text'; + + $config = HTMLPurifier_Config::createDefault(); + $config->set('Filter', 'ExtractStyleBlocks', true); + $purifier = new HTMLPurifier($config); + + $html = $purifier->purify($dirty); + + // This implementation writes the stylesheets to the styles/ directory. + // You can also echo the styles inside the document, but it's a bit + // more difficult to make sure they get interpreted properly by + // browsers; try the usual CSS armoring techniques. + $styles = $purifier->context->get('StyleBlocks'); + $dir = 'styles/'; + if (!is_dir($dir)) mkdir($dir); + $hash = sha1($_GET['html']); + foreach ($styles as $i => $style) { + file_put_contents($name = $dir . $hash . "_$i"); + echo ''; + } +?> + + ++ ++ + +]]>
+ Warning: It is possible for a user to mount an + imagecrash attack using this CSS. Counter-measures are difficult; + it is not simply enough to limit the range of CSS lengths (using + relative lengths with many nesting levels allows for large values + to be attained without actually specifying them in the stylesheet), + and the flexible nature of selectors makes it difficult to selectively + disable lengths on image tags (HTML Purifier, however, does disable + CSS width and height in inline styling). There are probably two effective + counter measures: an explicit width and height set to auto in all + images in your document (unlikely) or the disabling of width and + height (somewhat reasonable). Whether or not these measures should be + used is left to the reader. +
+--# vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/Filter.YouTube.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/Filter.YouTube.txt --- php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/Filter.YouTube.txt 1970-01-01 00:00:00.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/Filter.YouTube.txt 2019-07-14 19:19:38.000000000 +0000 @@ -0,0 +1,16 @@ +Filter.YouTube +TYPE: bool +VERSION: 3.1.0 +DEFAULT: false +--DESCRIPTION-- ++ Warning: Deprecated in favor of %HTML.SafeObject and + %Output.FlashCompat (turn both on to allow YouTube videos and other + Flash content). +
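Review bot: The sample usage in the Filter.ExtractStyleBlocks description calls `file_put_contents($name = $dir . $hash . "_$i");` with a filename only, so the extracted style is never written and the stylesheet the sample then links to would not contain the purified CSS; the call should pass the data, `file_put_contents($name = $dir . $hash . "_$i", $style);`. The same sample derives the file name from `sha1($_GET['html'])` while purifying `$dirty`, and the markup around the listing is stripped in this view, so whether those two refer to the same input cannot be confirmed here; hashing the value that was actually purified would keep the file name and its contents tied together. Because readers copy this snippet into code that writes user-derived CSS under a web-served directory, the sample is worth correcting rather than leaving as illustrative.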
++ This directive enables YouTube video embedding in HTML Purifier. Check + this document + on embedding videos for more information on what this filter does. +
+--# vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/HTML.AllowedAttributes.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/HTML.AllowedAttributes.txt --- php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/HTML.AllowedAttributes.txt 1970-01-01 00:00:00.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/HTML.AllowedAttributes.txt 2019-07-14 19:19:38.000000000 +0000 @@ -0,0 +1,19 @@ +HTML.AllowedAttributes +TYPE: lookup/null +VERSION: 1.3.0 +DEFAULT: NULL +--DESCRIPTION-- + ++ If HTML Purifier's attribute set is unsatisfactory, overload it! + The syntax is "tag.attr" or "*.attr" for the global attributes + (style, id, class, dir, lang, xml:lang). +
++ Warning: If another directive conflicts with the + elements here, that directive will win and override. For + example, %HTML.EnableAttrID will take precedence over *.id in this + directive. You must set that directive to true before you can use + IDs at all. +
+--# vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/HTML.AllowedCommentsRegexp.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/HTML.AllowedCommentsRegexp.txt --- php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/HTML.AllowedCommentsRegexp.txt 1970-01-01 00:00:00.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/HTML.AllowedCommentsRegexp.txt 2019-07-14 19:19:38.000000000 +0000 @@ -0,0 +1,15 @@ +HTML.AllowedCommentsRegexp +TYPE: string/null +VERSION: 4.4.0 +DEFAULT: NULL +--DESCRIPTION-- +A regexp, which if it matches the body of a comment, indicates that +it should be allowed. Trailing and leading spaces are removed prior +to running this regular expression. +Warning: Make sure you specify +correct anchor metacharacters^regex$
, otherwise you may accept
+comments that you did not mean to! In particular, the regex /foo|bar/
+is probably not sufficiently strict, since it also allows foobar
.
+See also %HTML.AllowedComments (these directives are union'ed together,
+so a comment is considered valid if any directive deems it valid.)
+--# vim: et sw=4 sts=4
diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/HTML.AllowedComments.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/HTML.AllowedComments.txt
--- php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/HTML.AllowedComments.txt 1970-01-01 00:00:00.000000000 +0000
+++ php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/HTML.AllowedComments.txt 2019-07-14 19:19:38.000000000 +0000
@@ -0,0 +1,10 @@
+HTML.AllowedComments
+TYPE: lookup
+VERSION: 4.4.0
+DEFAULT: array()
+--DESCRIPTION--
+A whitelist which indicates what explicit comment bodies should be
+allowed, modulo leading and trailing whitespace. See also %HTML.AllowedCommentsRegexp
+(these directives are union'ed together, so a comment is considered
+valid if any directive deems it valid.)
+--# vim: et sw=4 sts=4
diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/HTML.AllowedElements.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/HTML.AllowedElements.txt
--- php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/HTML.AllowedElements.txt 1970-01-01 00:00:00.000000000 +0000
+++ php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/HTML.AllowedElements.txt 2019-07-14 19:19:38.000000000 +0000
@@ -0,0 +1,23 @@
+HTML.AllowedElements
+TYPE: lookup/null
+VERSION: 1.3.0
+DEFAULT: NULL
+--DESCRIPTION--
++ If HTML Purifier's tag set is unsatisfactory for your needs, you can + overload it with your own list of tags to allow. If you change + this, you probably also want to change %HTML.AllowedAttributes; see + also %HTML.Allowed which lets you set allowed elements and + attributes at the same time. +
++ If you attempt to allow an element that HTML Purifier does not know + about, HTML Purifier will raise an error. You will need to manually + tell HTML Purifier about this element by using the + advanced customization features. +
++ Warning: If another directive conflicts with the + elements here, that directive will win and override. +
+--# vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/HTML.AllowedModules.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/HTML.AllowedModules.txt --- php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/HTML.AllowedModules.txt 1970-01-01 00:00:00.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/HTML.AllowedModules.txt 2019-07-14 19:19:38.000000000 +0000 @@ -0,0 +1,20 @@ +HTML.AllowedModules +TYPE: lookup/null +VERSION: 2.0.0 +DEFAULT: NULL +--DESCRIPTION-- + ++ A doctype comes with a set of usual modules to use. Without having + to mucking about with the doctypes, you can quickly activate or + disable these modules by specifying which modules you wish to allow + with this directive. This is most useful for unit testing specific + modules, although end users may find it useful for their own ends. +
++ If you specify a module that does not exist, the manager will silently + fail to use it, so be careful! User-defined modules are not affected + by this directive. Modules defined in %HTML.CoreModules are not + affected by this directive. +
+--# vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/HTML.Allowed.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/HTML.Allowed.txt --- php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/HTML.Allowed.txt 1970-01-01 00:00:00.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/HTML.Allowed.txt 2019-07-14 19:19:38.000000000 +0000 @@ -0,0 +1,25 @@ +HTML.Allowed +TYPE: itext/null +VERSION: 2.0.0 +DEFAULT: NULL +--DESCRIPTION-- + +
+ This is a preferred convenience directive that combines
+ %HTML.AllowedElements and %HTML.AllowedAttributes.
+ Specify elements and attributes that are allowed using:
+ element1[attr1|attr2],element2...
. For example,
+ if you would like to only allow paragraphs and links, specify
+ a[href],p
. You can specify attributes that apply
+ to all elements using an asterisk, e.g. *[lang]
.
+ You can also use newlines instead of commas to separate elements.
+
+ Warning:
+ All of the constraints on the component directives are still enforced.
+ The syntax is a subset of TinyMCE's valid_elements
+ whitelist: directly copy-pasting it here will probably result in
+ broken whitelists. If %HTML.AllowedElements or %HTML.AllowedAttributes
+ are set, this directive has no effect.
+
+ String name of element to wrap inline elements that are inside a block + context. This only occurs in the children of blockquote in strict mode. +
+
+ Example: by default value,
+ <blockquote>Foo</blockquote>
would become
+ <blockquote><p>Foo</p></blockquote>
.
+ The <p>
tags can be replaced with whatever you desire,
+ as long as it is a block level element.
+
+ Certain modularized doctypes (XHTML, namely), have certain modules + that must be included for the doctype to be an conforming document + type: put those modules here. By default, XHTML's core modules + are used. You can set this to a blank array to disable core module + protection, but this is not recommended. +
+--# vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/HTML.CustomDoctype.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/HTML.CustomDoctype.txt --- php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/HTML.CustomDoctype.txt 1970-01-01 00:00:00.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/HTML.CustomDoctype.txt 2019-07-14 19:19:38.000000000 +0000 @@ -0,0 +1,9 @@ +HTML.CustomDoctype +TYPE: string/null +VERSION: 2.0.1 +DEFAULT: NULL +--DESCRIPTION-- + +A custom doctype for power-users who defined their own document +type. This directive only applies when %HTML.Doctype is blank. +--# vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/HTML.DefinitionID.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/HTML.DefinitionID.txt --- php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/HTML.DefinitionID.txt 1970-01-01 00:00:00.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/HTML.DefinitionID.txt 2019-07-14 19:19:38.000000000 +0000 @@ -0,0 +1,33 @@ +HTML.DefinitionID +TYPE: string/null +DEFAULT: NULL +VERSION: 2.0.0 +--DESCRIPTION-- + ++ Unique identifier for a custom-built HTML definition. If you edit + the raw version of the HTMLDefinition, introducing changes that the + configuration object does not reflect, you must specify this variable. + If you change your custom edits, you should change this directive, or + clear your cache. Example: +
++$config = HTMLPurifier_Config::createDefault(); +$config->set('HTML', 'DefinitionID', '1'); +$def = $config->getHTMLDefinition(); +$def->addAttribute('a', 'tabindex', 'Number'); ++
+ In the above example, the configuration is still at the defaults, but + using the advanced API, an extra attribute has been added. The + configuration object normally has no way of knowing that this change + has taken place, so it needs an extra directive: %HTML.DefinitionID. + If someone else attempts to use the default configuration, these two + pieces of code will not clobber each other in the cache, since one has + an extra directive attached to it. +
++ You must specify a value to this directive to use the + advanced API features. +
+--# vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/HTML.DefinitionRev.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/HTML.DefinitionRev.txt --- php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/HTML.DefinitionRev.txt 1970-01-01 00:00:00.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/HTML.DefinitionRev.txt 2019-07-14 19:19:38.000000000 +0000 @@ -0,0 +1,16 @@ +HTML.DefinitionRev +TYPE: int +VERSION: 2.0.0 +DEFAULT: 1 +--DESCRIPTION-- + ++ Revision identifier for your custom definition specified in + %HTML.DefinitionID. This serves the same purpose: uniquely identifying + your custom definition, but this one does so in a chronological + context: revision 3 is more up-to-date then revision 2. Thus, when + this gets incremented, the cache handling is smart enough to clean + up any older revisions of your definition as well as flush the + cache. +
+--# vim: et sw=4 sts=4
diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/HTML.Doctype.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/HTML.Doctype.txt
--- php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/HTML.Doctype.txt 1970-01-01 00:00:00.000000000 +0000
+++ php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/HTML.Doctype.txt 2019-07-14 19:19:38.000000000 +0000
@@ -0,0 +1,11 @@
+HTML.Doctype
+TYPE: string/null
+DEFAULT: NULL
+--DESCRIPTION--
+Doctype to use during filtering. Technically speaking this is not actually
+a doctype (as it does not identify a corresponding DTD), but we are using
+this name for sake of simplicity. When non-blank, this will override any
+older directives like %HTML.XHTML or %HTML.Strict.
+--ALLOWED--
+'HTML 4.01 Transitional', 'HTML 4.01 Strict', 'XHTML 1.0 Transitional', 'XHTML 1.0 Strict', 'XHTML 1.1'
+--# vim: et sw=4 sts=4
diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/HTML.FlashAllowFullScreen.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/HTML.FlashAllowFullScreen.txt
--- php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/HTML.FlashAllowFullScreen.txt 1970-01-01 00:00:00.000000000 +0000
+++ php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/HTML.FlashAllowFullScreen.txt 2019-07-14 19:19:38.000000000 +0000
@@ -0,0 +1,11 @@
+HTML.FlashAllowFullScreen
+TYPE: bool
+VERSION: 4.2.0
+DEFAULT: false
+--DESCRIPTION--
+
+ Whether or not to permit embedded Flash content from
+ %HTML.SafeObject to expand to the full screen. Corresponds to
+ the allowFullScreen
parameter.
+
+ While this directive is similar to %HTML.AllowedAttributes, for
+ forwards-compatibility with XML, this attribute has a different syntax. Instead of
+ tag.attr
, use tag@attr
. To disallow href
+ attributes in a
tags, set this directive to
+ a@href
. You can also disallow an attribute globally with
+ attr
or *@attr
(either syntax is fine; the latter
+ is provided for consistency with %HTML.AllowedAttributes).
+
+ Warning: This directive complements %HTML.ForbiddenElements, + accordingly, check + out that directive for a discussion of why you + should think twice before using this directive. +
+--# vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/HTML.ForbiddenElements.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/HTML.ForbiddenElements.txt --- php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/HTML.ForbiddenElements.txt 1970-01-01 00:00:00.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/HTML.ForbiddenElements.txt 2019-07-14 19:19:38.000000000 +0000 @@ -0,0 +1,20 @@ +HTML.ForbiddenElements +TYPE: lookup +VERSION: 3.1.0 +DEFAULT: array() +--DESCRIPTION-- ++ This was, perhaps, the most requested feature ever in HTML + Purifier. Please don't abuse it! This is the logical inverse of + %HTML.AllowedElements, and it will override that directive, or any + other directive. +
+
+ If possible, %HTML.Allowed is recommended over this directive, because it
+ can sometimes be difficult to tell whether or not you've forbidden all of
+ the behavior you would like to disallow. If you forbid img
+ with the expectation of preventing images on your site, you'll be in for
+ a nasty surprise when people start using the background-image
+ CSS property.
+
+ This directive controls the maximum number of pixels in the width and
+ height attributes in img
tags. This is
+ in place to prevent imagecrash attacks, disable with null at your own risk.
+ This directive is similar to %CSS.MaxImgLength, and both should be
+ concurrently edited, although there are
+ subtle differences in the input format (the HTML max is an integer).
+
+ String name of element that HTML fragment passed to library will be + inserted in. An interesting variation would be using span as the + parent element, meaning that only inline tags would be allowed. +
+--# vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/HTML.Proprietary.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/HTML.Proprietary.txt --- php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/HTML.Proprietary.txt 1970-01-01 00:00:00.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/HTML.Proprietary.txt 2019-07-14 19:19:38.000000000 +0000 @@ -0,0 +1,12 @@ +HTML.Proprietary +TYPE: bool +VERSION: 3.1.0 +DEFAULT: false +--DESCRIPTION-- +
+ Whether or not to allow proprietary elements and attributes in your
+ documents, as per HTMLPurifier_HTMLModule_Proprietary
.
+ Warning: This can cause your documents to stop
+ validating!
+
+ Whether or not to permit embed tags in documents, with a number of extra + security features added to prevent script execution. This is similar to + what websites like MySpace do to embed tags. Embed is a proprietary + element and will cause your website to stop validating; you should + see if you can use %Output.FlashCompat with %HTML.SafeObject instead + first.
+--# vim: et sw=4 sts=4
diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/HTML.SafeIframe.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/HTML.SafeIframe.txt
--- php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/HTML.SafeIframe.txt 1970-01-01 00:00:00.000000000 +0000
+++ php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/HTML.SafeIframe.txt 2019-07-14 19:19:38.000000000 +0000
@@ -0,0 +1,13 @@
+HTML.SafeIframe
+TYPE: bool
+VERSION: 4.4.0
+DEFAULT: false
+--DESCRIPTION--
+
+ Whether or not to permit iframe tags in untrusted documents. This
+ directive must be accompanied by a whitelist of permitted iframes,
+ such as %URI.SafeIframeRegexp, otherwise it will fatally error.
+ This directive has no effect on strict doctypes, as iframes are not
+ valid.
+
+--# vim: et sw=4 sts=4
diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/HTML.SafeObject.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/HTML.SafeObject.txt
--- php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/HTML.SafeObject.txt 1970-01-01 00:00:00.000000000 +0000
+++ php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/HTML.SafeObject.txt 2019-07-14 19:19:38.000000000 +0000
@@ -0,0 +1,13 @@
+HTML.SafeObject
+TYPE: bool
+VERSION: 3.1.1
+DEFAULT: false
+--DESCRIPTION--
+
+ Whether or not to permit object tags in documents, with a number of extra
+ security features added to prevent script execution. This is similar to
+ what websites like MySpace do to object tags. You should also enable
+ %Output.FlashCompat in order to generate Internet Explorer
+ compatibility code for your object tags.
+
+--# vim: et sw=4 sts=4
diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/HTML.SafeScripting.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/HTML.SafeScripting.txt
--- php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/HTML.SafeScripting.txt 1970-01-01 00:00:00.000000000 +0000
+++ php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/HTML.SafeScripting.txt 2019-07-14 19:19:38.000000000 +0000
@@ -0,0 +1,10 @@
+HTML.SafeScripting
+TYPE: lookup
+VERSION: 4.5.0
+DEFAULT: array()
+--DESCRIPTION--
+
+ Whether or not to permit script tags to external scripts in documents.
+ Inline scripting is not allowed, and the script must match an explicit whitelist.
+
+--# vim: et sw=4 sts=4
diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/HTML.Strict.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/HTML.Strict.txt
--- php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/HTML.Strict.txt 1970-01-01 00:00:00.000000000 +0000
+++ php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/HTML.Strict.txt 2019-07-14 19:19:38.000000000 +0000
@@ -0,0 +1,9 @@
+HTML.Strict
+TYPE: bool
+VERSION: 1.3.0
+DEFAULT: false
+DEPRECATED-VERSION: 1.7.0
+DEPRECATED-USE: HTML.Doctype
+--DESCRIPTION--
+Determines whether or not to use Transitional (loose) or Strict rulesets.
+--# vim: et sw=4 sts=4
diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/HTML.TargetBlank.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/HTML.TargetBlank.txt
--- php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/HTML.TargetBlank.txt 1970-01-01 00:00:00.000000000 +0000
+++ php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/HTML.TargetBlank.txt 2019-07-14 19:19:38.000000000 +0000
@@ -0,0 +1,8 @@
+HTML.TargetBlank
+TYPE: bool
+VERSION: 4.4.0
+DEFAULT: FALSE
+--DESCRIPTION--
+If enabled,target=blank
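Review bot: The description added for HTML.SafeScripting reads as an on/off switch ("Whether or not to permit script tags…"), but the directive is declared `TYPE: lookup` with `DEFAULT: array()`. The text never says what the lookup holds or where the "explicit whitelist" is configured. Presumably the lookup is itself the list of permitted script sources; if so, the description should say it, for example `Lookup of external script URLs that script tags may load; inline scripting is never allowed.` It would also help to state that the default empty lookup permits no scripts, if that is the behaviour, so that nobody enables this expecting a boolean.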
attributes are added to all outgoing links.
+(This includes links from an HTTPS version of a page to an HTTP version.)
+--# vim: et sw=4 sts=4
diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/HTML.TargetNoopener.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/HTML.TargetNoopener.txt
--- php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/HTML.TargetNoopener.txt 1970-01-01 00:00:00.000000000 +0000
+++ php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/HTML.TargetNoopener.txt 2019-07-14 19:19:38.000000000 +0000
@@ -0,0 +1,10 @@
+--# vim: et sw=4 sts=4
+HTML.TargetNoopener
+TYPE: bool
+VERSION: 4.8.0
+DEFAULT: TRUE
+--DESCRIPTION--
+If enabled, noopener rel attributes are added to links which have
+a target attribute associated with them. This prevents malicious
+destinations from overwriting the original window.
+--# vim: et sw=4 sts=4
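Review bot: The first added line of HTML.TargetNoopener.txt is the modeline `--# vim: et sw=4 sts=4`, placed ahead of the directive ID. Every other schema file in this diff opens with the directive name and carries the modeline only as its last line. The schema parser is not visible here, so confirm that it skips a leading `--#` line before relying on this file; otherwise drop the first line so the file starts with `HTML.TargetNoopener`. The description could also name the mechanism it guards against, for example `This prevents the opened page from navigating the original window through window.opener.`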
diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/HTML.TargetNoreferrer.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/HTML.TargetNoreferrer.txt
--- php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/HTML.TargetNoreferrer.txt 1970-01-01 00:00:00.000000000 +0000
+++ php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/HTML.TargetNoreferrer.txt 2019-07-14 19:19:38.000000000 +0000
@@ -0,0 +1,9 @@
+HTML.TargetNoreferrer
+TYPE: bool
+VERSION: 4.8.0
+DEFAULT: TRUE
+--DESCRIPTION--
+If enabled, noreferrer rel attributes are added to links which have
+a target attribute associated with them. This prevents malicious
+destinations from overwriting the original window.
+--# vim: et sw=4 sts=4
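Review bot: The last sentence of this description is copied unchanged from HTML.TargetNoopener: "This prevents malicious destinations from overwriting the original window" describes `noopener`. The effect specific to `noreferrer` is that the browser omits the Referer header when the link is followed, so the destination does not learn the referring page's URL. Suggest replacing that sentence with `This prevents the destination from learning the URL of the referring page through the Referer header.` As written, an operator choosing between the two directives has no way to tell them apart and may disable one as redundant.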
diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/HTML.TidyAdd.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/HTML.TidyAdd.txt
--- php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/HTML.TidyAdd.txt 1970-01-01 00:00:00.000000000 +0000
+++ php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/HTML.TidyAdd.txt 2019-07-14 19:19:38.000000000 +0000
@@ -0,0 +1,8 @@
+HTML.TidyAdd
+TYPE: lookup
+VERSION: 2.0.0
+DEFAULT: array()
+--DESCRIPTION--
+
+Fixes to add to the default set of Tidy fixes as per your level.
+--# vim: et sw=4 sts=4
diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/HTML.TidyLevel.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/HTML.TidyLevel.txt
--- php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/HTML.TidyLevel.txt 1970-01-01 00:00:00.000000000 +0000
+++ php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/HTML.TidyLevel.txt 2019-07-14 19:19:38.000000000 +0000
@@ -0,0 +1,24 @@
+HTML.TidyLevel
+TYPE: string
+VERSION: 2.0.0
+DEFAULT: 'medium'
+--DESCRIPTION--
+
+General level of cleanliness the Tidy module should enforce. +There are four allowed values:
+
+ If true, HTML Purifier will protect against Internet Explorer's
+ mishandling of the innerHTML
attribute by appending
+ a space to any attribute that does not contain angled brackets, spaces
+ or quotes, but contains a backtick. This slightly changes the
+ semantics of any given attribute, so if this is unacceptable and
+ you do not use innerHTML
on any of your pages, you can
+ turn this directive off.
+
+ If true, HTML Purifier will generate Internet Explorer compatibility + code for all object code. This is highly recommended if you enable + %HTML.SafeObject. +
+--# vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/Output.Newline.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/Output.Newline.txt --- php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/Output.Newline.txt 1970-01-01 00:00:00.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/Output.Newline.txt 2019-07-14 19:19:38.000000000 +0000 @@ -0,0 +1,13 @@ +Output.Newline +TYPE: string/null +VERSION: 2.0.1 +DEFAULT: NULL +--DESCRIPTION-- + ++ Newline string to format final output with. If left null, HTML Purifier + will auto-detect the default newline type of the system and use that; + you can manually override it here. Remember, \r\n is Windows, \r + is Mac, and \n is Unix. +
+--# vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/Output.SortAttr.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/Output.SortAttr.txt --- php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/Output.SortAttr.txt 1970-01-01 00:00:00.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/Output.SortAttr.txt 2019-07-14 19:19:38.000000000 +0000 @@ -0,0 +1,14 @@ +Output.SortAttr +TYPE: bool +VERSION: 3.2.0 +DEFAULT: false +--DESCRIPTION-- +
+ If true, HTML Purifier will sort attributes by name before writing them back
+ to the document, converting a tag like: <el b="" a="" c="" />
+ to <el a="" b="" c="" />
. This is a workaround for
+ a bug in FCKeditor which causes it to swap attributes order, adding noise
+ to text diffs. If you're not seeing this bug, chances are, you don't need
+ this directive.
+
+ Determines whether or not to run Tidy on the final output for pretty + formatting reasons, such as indentation and wrap. +
++ This can greatly improve readability for editors who are hand-editing + the HTML, but is by no means necessary as HTML Purifier has already + fixed all major errors the HTML may have had. Tidy is a non-default + extension, and this directive will silently fail if Tidy is not + available. +
++ If you are looking to make the overall look of your page's source + better, I recommend running Tidy on the entire page rather than just + user-content (after all, the indentation relative to the containing + blocks will be incorrect). +
+--ALIASES-- +Core.TidyFormat +--# vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/Test.ForceNoIconv.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/Test.ForceNoIconv.txt --- php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/Test.ForceNoIconv.txt 1970-01-01 00:00:00.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/Test.ForceNoIconv.txt 2019-07-14 19:19:38.000000000 +0000 @@ -0,0 +1,7 @@ +Test.ForceNoIconv +TYPE: bool +DEFAULT: false +--DESCRIPTION-- +When set to true, HTMLPurifier_Encoder will act as if iconv does not exist +and use only pure PHP implementations. +--# vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/URI.AllowedSchemes.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/URI.AllowedSchemes.txt --- php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/URI.AllowedSchemes.txt 1970-01-01 00:00:00.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/URI.AllowedSchemes.txt 2019-07-14 19:19:38.000000000 +0000 @@ -0,0 +1,18 @@ +URI.AllowedSchemes +TYPE: lookup +--DEFAULT-- +array ( + 'http' => true, + 'https' => true, + 'mailto' => true, + 'ftp' => true, + 'nntp' => true, + 'news' => true, + 'tel' => true, +) +--DESCRIPTION-- +Whitelist that defines the schemes that a URI is allowed to have. This +prevents XSS attacks from using pseudo-schemes like javascript or mocha. +There is also support for thedata
and file
+URI schemes, but they are not enabled by default.
+--# vim: et sw=4 sts=4
diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/URI.Base.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/URI.Base.txt
--- php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/URI.Base.txt 1970-01-01 00:00:00.000000000 +0000
+++ php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/URI.Base.txt 2019-07-14 19:19:38.000000000 +0000
@@ -0,0 +1,17 @@
+URI.Base
+TYPE: string/null
+VERSION: 2.1.0
+DEFAULT: NULL
+--DESCRIPTION--
+
++ The base URI is the URI of the document this purified HTML will be + inserted into. This information is important if HTML Purifier needs + to calculate absolute URIs from relative URIs, such as when %URI.MakeAbsolute + is on. You may use a non-absolute URI for this value, but behavior + may vary (%URI.MakeAbsolute deals nicely with both absolute and + relative paths, but forwards-compatibility is not guaranteed). + Warning: If set, the scheme on this URI + overrides the one specified by %URI.DefaultScheme. +
+--# vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/URI.DefaultScheme.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/URI.DefaultScheme.txt --- php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/URI.DefaultScheme.txt 1970-01-01 00:00:00.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/URI.DefaultScheme.txt 2019-07-14 19:19:38.000000000 +0000 @@ -0,0 +1,15 @@ +URI.DefaultScheme +TYPE: string/null +DEFAULT: 'http' +--DESCRIPTION-- + ++ Defines through what scheme the output will be served, in order to + select the proper object validator when no scheme information is present. +
+ ++ Starting with HTML Purifier 4.9.0, the default scheme can be null, in + which case we reject all URIs which do not have explicit schemes. +
+--# vim: et sw=4 sts=4
diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/URI.DefinitionID.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/URI.DefinitionID.txt
--- php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/URI.DefinitionID.txt 1970-01-01 00:00:00.000000000 +0000
+++ php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/URI.DefinitionID.txt 2019-07-14 19:19:38.000000000 +0000
@@ -0,0 +1,11 @@
+URI.DefinitionID
+TYPE: string/null
+VERSION: 2.1.0
+DEFAULT: NULL
+--DESCRIPTION--
+
+
+ Unique identifier for a custom-built URI definition. If you want
+ to add custom URIFilters, you must specify this value.
+
+--# vim: et sw=4 sts=4
diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/URI.DefinitionRev.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/URI.DefinitionRev.txt
--- php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/URI.DefinitionRev.txt 1970-01-01 00:00:00.000000000 +0000
+++ php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/URI.DefinitionRev.txt 2019-07-14 19:19:38.000000000 +0000
@@ -0,0 +1,11 @@
+URI.DefinitionRev
+TYPE: int
+VERSION: 2.1.0
+DEFAULT: 1
+--DESCRIPTION--
+
+
+ Revision identifier for your custom definition. See
+ %HTML.DefinitionRev for details.
+
+--# vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/URI.DisableExternalResources.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/URI.DisableExternalResources.txt --- php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/URI.DisableExternalResources.txt 1970-01-01 00:00:00.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/URI.DisableExternalResources.txt 2019-07-14 19:19:38.000000000 +0000 @@ -0,0 +1,13 @@ +URI.DisableExternalResources +TYPE: bool +VERSION: 1.3.0 +DEFAULT: false +--DESCRIPTION-- +Disables the embedding of external resources, preventing users from +embedding things like images from other hosts. This prevents access +tracking (good for email viewers), bandwidth leeching, cross-site request +forging, goatse.cx posting, and other nasties, but also results in a loss +of end-user functionality (they can't directly post a pic they posted from +Flickr anymore). Use it if you don't have a robust user-content moderation +team. +--# vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/URI.DisableExternal.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/URI.DisableExternal.txt --- php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/URI.DisableExternal.txt 1970-01-01 00:00:00.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/URI.DisableExternal.txt 2019-07-14 19:19:38.000000000 +0000 
@@ -0,0 +1,11 @@ +URI.DisableExternal +TYPE: bool +VERSION: 1.2.0 +DEFAULT: false +--DESCRIPTION-- +Disables links to external websites. This is a highly effective anti-spam +and anti-pagerank-leech measure, but comes at a hefty price: nolinks or +images outside of your domain will be allowed. Non-linkified URIs will +still be preserved. If you want to be able to link to subdomains or use +absolute URIs, specify %URI.Host for your website. +--# vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/URI.DisableResources.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/URI.DisableResources.txt --- php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/URI.DisableResources.txt 1970-01-01 00:00:00.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/URI.DisableResources.txt 2019-07-14 19:19:38.000000000 +0000 @@ -0,0 +1,15 @@ +URI.DisableResources +TYPE: bool +VERSION: 4.2.0 +DEFAULT: false +--DESCRIPTION-- ++ Disables embedding resources, essentially meaning no pictures. You can + still link to them though. See %URI.DisableExternalResources for why + this might be a good idea. +
++ Note: While this directive has been available since 1.3.0, + it didn't actually start doing anything until 4.2.0. +
+--# vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/URI.Disable.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/URI.Disable.txt --- php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/URI.Disable.txt 1970-01-01 00:00:00.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/URI.Disable.txt 2019-07-14 19:19:38.000000000 +0000 @@ -0,0 +1,14 @@ +URI.Disable +TYPE: bool +VERSION: 1.3.0 +DEFAULT: false +--DESCRIPTION-- + ++ Disables all URIs in all forms. Not sure why you'd want to do that + (after all, the Internet's founded on the notion of a hyperlink). +
+ +--ALIASES-- +Attr.DisableURI +--# vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/URI.HostBlacklist.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/URI.HostBlacklist.txt --- php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/URI.HostBlacklist.txt 1970-01-01 00:00:00.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/URI.HostBlacklist.txt 2019-07-14 19:19:38.000000000 +0000 @@ -0,0 +1,9 @@ +URI.HostBlacklist +TYPE: list +VERSION: 1.3.0 +DEFAULT: array() +--DESCRIPTION-- +List of strings that are forbidden in the host of any URI. Use it to kill +domain names of spam, etc. Note that it will catch anything in the domain, +so moo.com will catch moo.com.example.com. +--# vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/URI.Host.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/URI.Host.txt --- php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/URI.Host.txt 1970-01-01 00:00:00.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/URI.Host.txt 2019-07-14 19:19:38.000000000 +0000 
@@ -0,0 +1,19 @@ +URI.Host +TYPE: string/null +VERSION: 1.2.0 +DEFAULT: NULL +--DESCRIPTION-- + ++ Defines the domain name of the server, so we can determine whether or + an absolute URI is from your website or not. Not strictly necessary, + as users should be using relative URIs to reference resources on your + website. It will, however, let you use absolute URIs to link to + subdomains of the domain you post here: i.e. example.com will allow + sub.example.com. However, higher up domains will still be excluded: + if you set %URI.Host to sub.example.com, example.com will be blocked. + Note: This directive overrides %URI.Base because + a given page may be on a sub-domain, but you wish HTML Purifier to be + more relaxed and allow some of the parent domains too. +
+--# vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/URI.MakeAbsolute.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/URI.MakeAbsolute.txt --- php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/URI.MakeAbsolute.txt 1970-01-01 00:00:00.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/URI.MakeAbsolute.txt 2019-07-14 19:19:38.000000000 +0000 @@ -0,0 +1,13 @@ +URI.MakeAbsolute +TYPE: bool +VERSION: 2.1.0 +DEFAULT: false +--DESCRIPTION-- + ++ Converts all URIs into absolute forms. This is useful when the HTML + being filtered assumes a specific base path, but will actually be + viewed in a different context (and setting an alternate base URI is + not possible). %URI.Base must be set for this directive to work. +
+--# vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/URI.MungeResources.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/URI.MungeResources.txt --- php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/URI.MungeResources.txt 1970-01-01 00:00:00.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/URI.MungeResources.txt 2019-07-14 19:19:38.000000000 +0000 @@ -0,0 +1,17 @@ +URI.MungeResources +TYPE: bool +VERSION: 3.1.1 +DEFAULT: false +--DESCRIPTION-- +
+ If true, any URI munging directives like %URI.Munge
+ will also apply to embedded resources, such as <img src="">
.
+ Be careful enabling this directive if you have a redirector script
+ that does not use the Location
HTTP header; all of your images
+ and other embedded resources will break.
+
+ Warning: It is strongly advised you use this in conjunction + %URI.MungeSecretKey to mitigate the security risk of an open redirector. +
+--# vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/URI.MungeSecretKey.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/URI.MungeSecretKey.txt --- php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/URI.MungeSecretKey.txt 1970-01-01 00:00:00.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/URI.MungeSecretKey.txt 2019-07-14 19:19:38.000000000 +0000 @@ -0,0 +1,30 @@ +URI.MungeSecretKey +TYPE: string/null +VERSION: 3.1.1 +DEFAULT: NULL +--DESCRIPTION-- ++ This directive enables secure checksum generation along with %URI.Munge. + It should be set to a secure key that is not shared with anyone else. + The checksum can be placed in the URI using %t. Use of this checksum + affords an additional level of protection by allowing a redirector + to check if a URI has passed through HTML Purifier with this line: +
+ +$checksum === hash_hmac("sha256", $url, $secret_key)+ +
+ If the output is TRUE, the redirector script should accept the URI. +
+ ++ Please note that it would still be possible for an attacker to procure + secure hashes en-mass by abusing your website's Preview feature or the + like, but this service affords an additional level of protection + that should be combined with website blacklisting. +
+ ++ Remember this has no effect if %URI.Munge is not on. +
+--# vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/URI.Munge.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/URI.Munge.txt --- php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/URI.Munge.txt 1970-01-01 00:00:00.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/URI.Munge.txt 2019-07-14 19:19:38.000000000 +0000 @@ -0,0 +1,83 @@ +URI.Munge +TYPE: string/null +VERSION: 1.3.0 +DEFAULT: NULL +--DESCRIPTION-- + +
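Review bot: The verification line this description hands to redirector authors, `$checksum === hash_hmac("sha256", $url, $secret_key)`, compares the MAC with `===`, which is not a constant-time comparison. The description should recommend `hash_equals(hash_hmac("sha256", $url, $secret_key), $checksum)` instead. The text also only asks for "a secure key"; saying it should be generated randomly (for example with `random_bytes()`) rather than chosen by hand would make the advice actionable. The existing caveat about hashes obtained through a Preview feature is accurate and should stay.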
+ Munges all browsable (usually http, https and ftp)
+ absolute URIs into another URI, usually a URI redirection service.
+ This directive accepts a URI, formatted with a %s
where
+ the url-encoded original URI should be inserted (sample:
+ http://www.google.com/url?q=%s
).
+
+ Uses for this directive: +
+
+ Prior to HTML Purifier 3.1.1, this directive also enabled the munging
+ of browsable external resources, which could break things if your redirection
+ script was a splash page or used meta
tags. To revert to
+ previous behavior, please use %URI.MungeResources.
+
+ You may want to also use %URI.MungeSecretKey along with this directive + in order to enforce what URIs your redirector script allows. Open + redirector scripts can be a security risk and negatively affect the + reputation of your domain name. +
++ Starting with HTML Purifier 3.1.1, there is also these substitutions: +
+Key | +Description | +Example <a href=""> |
+
---|---|---|
%r | +1 - The URI embeds a resource (blank) - The URI is merely a link |
+ + |
%n | +The name of the tag this URI came from | +a | +
%m | +The name of the attribute this URI came from | +href | +
%p | +The name of the CSS property this URI came from, or blank if irrelevant | ++ |
+ Admittedly, these letters are somewhat arbitrary; the only stipulation + was that they couldn't be a through f. r is for resource (I would have preferred + e, but you take what you can get), n is for name, m + was picked because it came after n (and I couldn't use a), p is for + property. +
+--# vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/URI.OverrideAllowedSchemes.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/URI.OverrideAllowedSchemes.txt --- php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/URI.OverrideAllowedSchemes.txt 1970-01-01 00:00:00.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/URI.OverrideAllowedSchemes.txt 2019-07-14 19:19:38.000000000 +0000 @@ -0,0 +1,9 @@ +URI.OverrideAllowedSchemes +TYPE: bool +DEFAULT: true +--DESCRIPTION-- +If this is set to true (which it is by default), you can override +%URI.AllowedSchemes by simply registering a HTMLPurifier_URIScheme to the +registry. If false, you will also have to update that directive in order +to add more schemes. +--# vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/URI.SafeIframeRegexp.txt php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/URI.SafeIframeRegexp.txt --- php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/URI.SafeIframeRegexp.txt 1970-01-01 00:00:00.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ConfigSchema/schema/URI.SafeIframeRegexp.txt 2019-07-14 19:19:38.000000000 +0000 @@ -0,0 +1,22 @@ +URI.SafeIframeRegexp +TYPE: string/null +VERSION: 4.4.0 +DEFAULT: NULL +--DESCRIPTION-- ++ A PCRE regular expression that will be matched against an iframe URI. This is + a relatively inflexible scheme, but works well enough for the most common + use-case of iframes: embedded video. This directive only has an effect if + %HTML.SafeIframe is enabled. Here are some example values: +
+%^http://www.youtube.com/embed/%
- Allow YouTube videos%^http://player.vimeo.com/video/%
- Allow Vimeo videos%^http://(www.youtube.com/embed/|player.vimeo.com/video/)%
- Allow both
+ Note that this directive does not give you enough granularity to, say, disable
+ all autoplay
videos. Pipe up on the HTML Purifier forums if this
+ is a capability you want.
+
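Review bot: The example values leave the dots in the host unescaped (`%^http://www.youtube.com/embed/%`), and in PCRE an unescaped `.` matches any character, so each pattern accepts hosts other than the one intended. Because integrators copy these examples, they should read `%^http://www\.youtube\.com/embed/%` and `%^http://player\.vimeo\.com/video/%`, with the combined form escaped the same way. The examples also admit only `http://`; writing `https?` would save people from loosening the pattern by hand. The end of this hunk is missing from the extracted page, so anything after the closing paragraph was not reviewed.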
' . $this->locale->getMessage('ErrorCollector: No errors') . '
'; + } else { + return ''; + //$string .= ''; + //$string .= ''; + $ret[] = $string; + } + foreach ($current->children as $array) { + $context[] = $current; + $stack = array_merge($stack, array_reverse($array, true)); + for ($i = count($array); $i > 0; $i--) { + $context_stack[] = $context; + } + } + } + } +} + +// vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ErrorStruct.php php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ErrorStruct.php --- php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/ErrorStruct.php 1970-01-01 00:00:00.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/ErrorStruct.php 2019-07-14 19:19:38.000000000 +0000 @@ -0,0 +1,74 @@ +children[$type][$id])) { + $this->children[$type][$id] = new HTMLPurifier_ErrorStruct(); + $this->children[$type][$id]->type = $type; + } + return $this->children[$type][$id]; + } + + /** + * @param int $severity + * @param string $message + */ + public function addError($severity, $message) + { + $this->errors[] = array($severity, $message); + } +} + +// vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/Exception.php php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/Exception.php --- php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/Exception.php 1970-01-01 00:00:00.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/Exception.php 2019-07-14 19:19:38.000000000 +0000 
@@ -0,0 +1,12 @@ + blocks from input HTML, cleans them up + * using CSSTidy, and then places them in $purifier->context->get('StyleBlocks') + * so they can be used elsewhere in the document. + * + * @note + * See tests/HTMLPurifier/Filter/ExtractStyleBlocksTest.php for + * sample usage. + * + * @note + * This filter can also be used on stylesheets not included in the + * document--something purists would probably prefer. Just directly + * call HTMLPurifier_Filter_ExtractStyleBlocks->cleanCSS() + */ +class HTMLPurifier_Filter_ExtractStyleBlocks extends HTMLPurifier_Filter +{ + /** + * @type string + */ + public $name = 'ExtractStyleBlocks'; + + /** + * @type array + */ + private $_styleMatches = array(); + + /** + * @type csstidy + */ + private $_tidy; + + /** + * @type HTMLPurifier_AttrDef_HTML_ID + */ + private $_id_attrdef; + + /** + * @type HTMLPurifier_AttrDef_CSS_Ident + */ + private $_class_attrdef; + + /** + * @type HTMLPurifier_AttrDef_Enum + */ + private $_enum_attrdef; + + public function __construct() + { + $this->_tidy = new csstidy(); + $this->_tidy->set_cfg('lowercase_s', false); + $this->_id_attrdef = new HTMLPurifier_AttrDef_HTML_ID(true); + $this->_class_attrdef = new HTMLPurifier_AttrDef_CSS_Ident(); + $this->_enum_attrdef = new HTMLPurifier_AttrDef_Enum( + array( + 'first-child', + 'link', + 'visited', + 'active', + 'hover', + 'focus' + ) + ); + } + + /** + * Save the contents of CSS blocks to style matches + * @param array $matches preg_replace style $matches array + */ + protected function styleCallback($matches) + { + $this->_styleMatches[] = $matches[1]; + } + + /** + * Removes inline + // we must not grab foo in a font-family prop). 
+ if ($config->get('Filter.ExtractStyleBlocks.Escaping')) { + $css = str_replace( + array('<', '>', '&'), + array('\3C ', '\3E ', '\26 '), + $css + ); + } + return $css; + } +} + +// vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/Filter/YouTube.php php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/Filter/YouTube.php --- php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/Filter/YouTube.php 1970-01-01 00:00:00.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/Filter/YouTube.php 2019-07-14 19:19:38.000000000 +0000 @@ -0,0 +1,65 @@ +]+>.+?' . + '(?:http:)?//www.youtube.com/((?:v|cp)/[A-Za-z0-9\-_=]+).+?#s'; + $pre_replace = ' '; + return preg_replace($pre_regex, $pre_replace, $html); + } + + /** + * @param string $html + * @param HTMLPurifier_Config $config + * @param HTMLPurifier_Context $context + * @return string + */ + public function postFilter($html, $config, $context) + { + $post_regex = '# #'; + return preg_replace_callback($post_regex, array($this, 'postFilterCallback'), $html); + } + + /** + * @param $url + * @return string + */ + protected function armorUrl($url) + { + return str_replace('--', '--', $url); + } + + /** + * @param array $matches + * @return string + */ + protected function postFilterCallback($matches) + { + $url = $this->armorUrl($matches[1]); + return ''; + } +} + +// vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/Filter.php php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/Filter.php --- php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/Filter.php 1970-01-01 00:00:00.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/Filter.php 2019-07-14 19:19:38.000000000 +0000 
@@ -0,0 +1,56 @@ +preFilter, + * 2->preFilter, 3->preFilter, purify, 3->postFilter, 2->postFilter, + * 1->postFilter. + * + * @note Methods are not declared abstract as it is perfectly legitimate + * for an implementation not to want anything to happen on a step + */ + +class HTMLPurifier_Filter +{ + + /** + * Name of the filter for identification purposes. + * @type string + */ + public $name; + + /** + * Pre-processor function, handles HTML before HTML Purifier + * @param string $html + * @param HTMLPurifier_Config $config + * @param HTMLPurifier_Context $context + * @return string + */ + public function preFilter($html, $config, $context) + { + return $html; + } + + /** + * Post-processor function, handles HTML after HTML Purifier + * @param string $html + * @param HTMLPurifier_Config $config + * @param HTMLPurifier_Context $context + * @return string + */ + public function postFilter($html, $config, $context) + { + return $html; + } +} + +// vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/Generator.php php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/Generator.php --- php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/Generator.php 1970-01-01 00:00:00.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/Generator.php 2019-07-14 19:19:38.000000000 +0000 
@@ -0,0 +1,286 @@ + tags. + * @type bool + */ + private $_scriptFix = false; + + /** + * Cache of HTMLDefinition during HTML output to determine whether or + * not attributes should be minimized. + * @type HTMLPurifier_HTMLDefinition + */ + private $_def; + + /** + * Cache of %Output.SortAttr. + * @type bool + */ + private $_sortAttr; + + /** + * Cache of %Output.FlashCompat. + * @type bool + */ + private $_flashCompat; + + /** + * Cache of %Output.FixInnerHTML. + * @type bool + */ + private $_innerHTMLFix; + + /** + * Stack for keeping track of object information when outputting IE + * compatibility code. + * @type array + */ + private $_flashStack = array(); + + /** + * Configuration for the generator + * @type HTMLPurifier_Config + */ + protected $config; + + /** + * @param HTMLPurifier_Config $config + * @param HTMLPurifier_Context $context + */ + public function __construct($config, $context) + { + $this->config = $config; + $this->_scriptFix = $config->get('Output.CommentScriptContents'); + $this->_innerHTMLFix = $config->get('Output.FixInnerHTML'); + $this->_sortAttr = $config->get('Output.SortAttr'); + $this->_flashCompat = $config->get('Output.FlashCompat'); + $this->_def = $config->getHTMLDefinition(); + $this->_xhtml = $this->_def->doctype->xml; + } + + /** + * Generates HTML from an array of tokens. + * @param HTMLPurifier_Token[] $tokens Array of HTMLPurifier_Token + * @return string Generated HTML + */ + public function generateFromTokens($tokens) + { + if (!$tokens) { + return ''; + } + + // Basic algorithm + $html = ''; + for ($i = 0, $size = count($tokens); $i < $size; $i++) { + if ($this->_scriptFix && $tokens[$i]->name === 'script' + && $i + 2 < $size && $tokens[$i+2] instanceof HTMLPurifier_Token_End) { + // script special case + // the contents of the script block must be ONE token + // for this to work. 
+ $html .= $this->generateFromToken($tokens[$i++]); + $html .= $this->generateScriptFromToken($tokens[$i++]); + } + $html .= $this->generateFromToken($tokens[$i]); + } + + // Tidy cleanup + if (extension_loaded('tidy') && $this->config->get('Output.TidyFormat')) { + $tidy = new Tidy; + $tidy->parseString( + $html, + array( + 'indent'=> true, + 'output-xhtml' => $this->_xhtml, + 'show-body-only' => true, + 'indent-spaces' => 2, + 'wrap' => 68, + ), + 'utf8' + ); + $tidy->cleanRepair(); + $html = (string) $tidy; // explicit cast necessary + } + + // Normalize newlines to system defined value + if ($this->config->get('Core.NormalizeNewlines')) { + $nl = $this->config->get('Output.Newline'); + if ($nl === null) { + $nl = PHP_EOL; + } + if ($nl !== "\n") { + $html = str_replace("\n", $nl, $html); + } + } + return $html; + } + + /** + * Generates HTML from a single token. + * @param HTMLPurifier_Token $token HTMLPurifier_Token object. + * @return string Generated HTML + */ + public function generateFromToken($token) + { + if (!$token instanceof HTMLPurifier_Token) { + trigger_error('Cannot generate HTML from non-HTMLPurifier_Token object', E_USER_WARNING); + return ''; + + } elseif ($token instanceof HTMLPurifier_Token_Start) { + $attr = $this->generateAttributes($token->attr, $token->name); + if ($this->_flashCompat) { + if ($token->name == "object") { + $flash = new stdClass(); + $flash->attr = $token->attr; + $flash->param = array(); + $this->_flashStack[] = $flash; + } + } + return '<' . $token->name . ($attr ? ' ' : '') . $attr . '>'; + + } elseif ($token instanceof HTMLPurifier_Token_End) { + $_extra = ''; + if ($this->_flashCompat) { + if ($token->name == "object" && !empty($this->_flashStack)) { + // doesn't do anything for now + } + } + return $_extra . '' . $token->name . 
'>'; + + } elseif ($token instanceof HTMLPurifier_Token_Empty) { + if ($this->_flashCompat && $token->name == "param" && !empty($this->_flashStack)) { + $this->_flashStack[count($this->_flashStack)-1]->param[$token->attr['name']] = $token->attr['value']; + } + $attr = $this->generateAttributes($token->attr, $token->name); + return '<' . $token->name . ($attr ? ' ' : '') . $attr . + ( $this->_xhtml ? ' /': '' ) //
tags? + if ($this->allowsElement('p')) { + if (empty($this->currentNesting) || strpos($text, "\n\n") !== false) { + // Note that we have differing behavior when dealing with text + // in the anonymous root node, or a node inside the document. + // If the text as a double-newline, the treatment is the same; + // if it doesn't, see the next if-block if you're in the document. + + $i = $nesting = null; + if (!$this->forwardUntilEndToken($i, $current, $nesting) && $token->is_whitespace) { + // State 1.1: ... ^ (whitespace, then document end) + // ---- + // This is a degenerate case + } else { + if (!$token->is_whitespace || $this->_isInline($current)) { + // State 1.2: PAR1 + // ---- + + // State 1.3: PAR1\n\nPAR2 + // ------------ + + // State 1.4:
tag? + } elseif (!empty($this->currentNesting) && + $this->currentNesting[count($this->currentNesting) - 1]->name == 'p') { + // State 3.1: ...
PAR1 + // ---- + + // State 3.2: ...
PAR1\n\nPAR2 + // ------------ + $token = array(); + $this->_splitText($text, $token); + // Abort! + } else { + // State 4.1: ...PAR1 + // ---- + + // State 4.2: ...PAR1\n\nPAR2 + // ------------ + } + } + + /** + * @param HTMLPurifier_Token $token + */ + public function handleElement(&$token) + { + // We don't have to check if we're already in a
tag for block + // tokens, because the tag would have been autoclosed by MakeWellFormed. + if ($this->allowsElement('p')) { + if (!empty($this->currentNesting)) { + if ($this->_isInline($token)) { + // State 1:
PAR1
\n\n + // --- + // Quite frankly, this should be handled by splitText + $token = array($this->_pStart(), $token); + } else { + // State 1.1.1:PAR1
+ // --- + // State 1.1.2:is needed. + if ($this->_pLookAhead()) { + // State 1.3.1:
tags. + } + } + } + } else { + // State 2.2:
+ // --- + } + } + + /** + * Splits up a text in paragraph tokens and appends them + * to the result stream that will replace the original + * @param string $data String text data that will be processed + * into paragraphs + * @param HTMLPurifier_Token[] $result Reference to array of tokens that the + * tags will be appended onto + */ + private function _splitText($data, &$result) + { + $raw_paragraphs = explode("\n\n", $data); + $paragraphs = array(); // without empty paragraphs + $needs_start = false; + $needs_end = false; + + $c = count($raw_paragraphs); + if ($c == 1) { + // There were no double-newlines, abort quickly. In theory this + // should never happen. + $result[] = new HTMLPurifier_Token_Text($data); + return; + } + for ($i = 0; $i < $c; $i++) { + $par = $raw_paragraphs[$i]; + if (trim($par) !== '') { + $paragraphs[] = $par; + } else { + if ($i == 0) { + // Double newline at the front + if (empty($result)) { + // The empty result indicates that the AutoParagraph + // injector did not add any start paragraph tokens. + // This means that we have been in a paragraph for + // a while, and the newline means we should start a new one. + $result[] = new HTMLPurifier_Token_End('p'); + $result[] = new HTMLPurifier_Token_Text("\n\n"); + // However, the start token should only be added if + // there is more processing to be done (i.e. there are + // real paragraphs in here). If there are none, the + // next start paragraph tag will be handled by the + // next call to the injector + $needs_start = true; + } else { + // We just started a new paragraph! + // Reinstate a double-newline for presentation's sake, since + // it was in the source code. + array_unshift($result, new HTMLPurifier_Token_Text("\n\n")); + } + } elseif ($i + 1 == $c) { + // Double newline at the end + // There should be a trailing
when we're finally done. + $needs_end = true; + } + } + } + + // Check if this was just a giant blob of whitespace. Move this earlier, + // perhaps? + if (empty($paragraphs)) { + return; + } + + // Add the start tag indicated by \n\n at the beginning of $data + if ($needs_start) { + $result[] = $this->_pStart(); + } + + // Append the paragraphs onto the result + foreach ($paragraphs as $par) { + $result[] = new HTMLPurifier_Token_Text($par); + $result[] = new HTMLPurifier_Token_End('p'); + $result[] = new HTMLPurifier_Token_Text("\n\n"); + $result[] = $this->_pStart(); + } + + // Remove trailing start token; Injector will handle this later if + // it was indeed needed. This prevents from needing to do a lookahead, + // at the cost of a lookbehind later. + array_pop($result); + + // If there is no need for an end tag, remove all of it and let + // MakeWellFormed close it later. + if (!$needs_end) { + array_pop($result); // removes \n\n + array_pop($result); // removes + } + } + + /** + * Returns true if passed token is inline (and, ergo, allowed in + * paragraph tags) + * @param HTMLPurifier_Token $token + * @return bool + */ + private function _isInline($token) + { + return isset($this->htmlDefinition->info['p']->child->elements[$token->name]); + } + + /** + * Looks ahead in the token list and determines whether or not we need + * to insert atag. + * @return bool + */ + private function _pLookAhead() + { + if ($this->currentToken instanceof HTMLPurifier_Token_Start) { + $nesting = 1; + } else { + $nesting = 0; + } + $ok = false; + $i = null; + while ($this->forwardUntilEndToken($i, $current, $nesting)) { + $result = $this->_checkNeedsP($current); + if ($result !== null) { + $ok = $result; + break; + } + } + return $ok; + } + + /** + * Determines if a particular token requires an earlier inline token + * to get a paragraph. 
This should be used with _forwardUntilEndToken + * @param HTMLPurifier_Token $current + * @return bool + */ + private function _checkNeedsP($current) + { + if ($current instanceof HTMLPurifier_Token_Start) { + if (!$this->_isInline($current)) { + //
n"; + //echo "$n\nsigfigs = $sigfigs\nnew_log = $new_log\nlog = $log\nrp = $rp\n\n"; + + $n = $this->round($n, $sigfigs); + if (strpos($n, '.') !== false) { + $n = rtrim($n, '0'); + } + $n = rtrim($n, '.'); + + return new HTMLPurifier_Length($n, $unit); + } + + /** + * Returns the number of significant figures in a string number. + * @param string $n Decimal number + * @return int number of sigfigs + */ + public function getSigFigs($n) + { + $n = ltrim($n, '0+-'); + $dp = strpos($n, '.'); // decimal position + if ($dp === false) { + $sigfigs = strlen(rtrim($n, '0')); + } else { + $sigfigs = strlen(ltrim($n, '0.')); // eliminate extra decimal character + if ($dp !== 0) { + $sigfigs--; + } + } + return $sigfigs; + } + + /** + * Adds two numbers, using arbitrary precision when available. + * @param string $s1 + * @param string $s2 + * @param int $scale + * @return string + */ + private function add($s1, $s2, $scale) + { + if ($this->bcmath) { + return bcadd($s1, $s2, $scale); + } else { + return $this->scale((float)$s1 + (float)$s2, $scale); + } + } + + /** + * Multiples two numbers, using arbitrary precision when available. + * @param string $s1 + * @param string $s2 + * @param int $scale + * @return string + */ + private function mul($s1, $s2, $scale) + { + if ($this->bcmath) { + return bcmul($s1, $s2, $scale); + } else { + return $this->scale((float)$s1 * (float)$s2, $scale); + } + } + + /** + * Divides two numbers, using arbitrary precision when available. + * @param string $s1 + * @param string $s2 + * @param int $scale + * @return string + */ + private function div($s1, $s2, $scale) + { + if ($this->bcmath) { + return bcdiv($s1, $s2, $scale); + } else { + return $this->scale((float)$s1 / (float)$s2, $scale); + } + } + + /** + * Rounds a number according to the number of sigfigs it should have, + * using arbitrary precision when available. 
+ * @param float $n + * @param int $sigfigs + * @return string + */ + private function round($n, $sigfigs) + { + $new_log = (int)floor(log(abs($n), 10)); // Number of digits left of decimal - 1 + $rp = $sigfigs - $new_log - 1; // Number of decimal places needed + $neg = $n < 0 ? '-' : ''; // Negative sign + if ($this->bcmath) { + if ($rp >= 0) { + $n = bcadd($n, $neg . '0.' . str_repeat('0', $rp) . '5', $rp + 1); + $n = bcdiv($n, '1', $rp); + } else { + // This algorithm partially depends on the standardized + // form of numbers that comes out of bcmath. + $n = bcadd($n, $neg . '5' . str_repeat('0', $new_log - $sigfigs), 0); + $n = substr($n, 0, $sigfigs + strlen($neg)) . str_repeat('0', $new_log - $sigfigs + 1); + } + return $n; + } else { + return $this->scale(round($n, $sigfigs - $new_log - 1), $rp + 1); + } + } + + /** + * Scales a float to $scale digits right of decimal point, like BCMath. + * @param float $r + * @param int $scale + * @return string + */ + private function scale($r, $scale) + { + if ($scale < 0) { + // The f sprintf type doesn't support negative numbers, so we + // need to cludge things manually. First get the string. + $r = sprintf('%.0f', (float)$r); + // Due to floating point precision loss, $r will more than likely + // look something like 4652999999999.9234. We grab one more digit + // than we need to precise from $r and then use that to round + // appropriately. + $precise = (string)round(substr($r, 0, strlen($r) + $scale), -1); + // Now we return it, truncating the zero that was rounded off. + return substr($precise, 0, -1) . str_repeat('0', -$scale + 1); + } + return sprintf('%.' . $scale . 
'f', (float)$r); + } +} + +// vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/URIDefinition.php php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/URIDefinition.php --- php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/URIDefinition.php 1970-01-01 00:00:00.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/URIDefinition.php 2019-07-14 19:19:38.000000000 +0000 
@@ -0,0 +1,112 @@ +registerFilter(new HTMLPurifier_URIFilter_DisableExternal()); + $this->registerFilter(new HTMLPurifier_URIFilter_DisableExternalResources()); + $this->registerFilter(new HTMLPurifier_URIFilter_DisableResources()); + $this->registerFilter(new HTMLPurifier_URIFilter_HostBlacklist()); + $this->registerFilter(new HTMLPurifier_URIFilter_SafeIframe()); + $this->registerFilter(new HTMLPurifier_URIFilter_MakeAbsolute()); + $this->registerFilter(new HTMLPurifier_URIFilter_Munge()); + } + + public function registerFilter($filter) + { + $this->registeredFilters[$filter->name] = $filter; + } + + public function addFilter($filter, $config) + { + $r = $filter->prepare($config); + if ($r === false) return; // null is ok, for backwards compat + if ($filter->post) { + $this->postFilters[$filter->name] = $filter; + } else { + $this->filters[$filter->name] = $filter; + } + } + + protected function doSetup($config) + { + $this->setupMemberVariables($config); + $this->setupFilters($config); + } + + protected function setupFilters($config) + { + foreach ($this->registeredFilters as $name => $filter) { + if ($filter->always_load) { + $this->addFilter($filter, $config); + } else { + $conf = $config->get('URI.' . 
$name);
+ if ($conf !== false && $conf !== null) {
+ $this->addFilter($filter, $config);
+ }
+ }
+ }
+ unset($this->registeredFilters);
+ }
+
+ protected function setupMemberVariables($config)
+ {
+ $this->host = $config->get('URI.Host');
+ $base_uri = $config->get('URI.Base');
+ if (!is_null($base_uri)) {
+ $parser = new HTMLPurifier_URIParser();
+ $this->base = $parser->parse($base_uri);
+ $this->defaultScheme = $this->base->scheme;
+ if (is_null($this->host)) $this->host = $this->base->host;
+ }
+ if (is_null($this->defaultScheme)) $this->defaultScheme = $config->get('URI.DefaultScheme');
+ }
+
+ public function getDefaultScheme($config, $context)
+ {
+ return HTMLPurifier_URISchemeRegistry::instance()->getScheme($this->defaultScheme, $config, $context);
+ }
+
+ public function filter(&$uri, $config, $context)
+ {
+ foreach ($this->filters as $name => $f) {
+ $result = $f->filter($uri, $config, $context);
+ if (!$result) return false;
+ }
+ return true;
+ }
+
+ public function postFilter(&$uri, $config, $context)
+ {
+ foreach ($this->postFilters as $name => $f) {
+ $result = $f->filter($uri, $config, $context);
+ if (!$result) return false;
+ }
+ return true;
+ }
+
+}
+
+// vim: et sw=4 sts=4
diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/URIFilter/DisableExternal.php php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/URIFilter/DisableExternal.php
--- php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/URIFilter/DisableExternal.php 1970-01-01 00:00:00.000000000 +0000
+++ php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/URIFilter/DisableExternal.php 2019-07-14 19:19:38.000000000 +0000
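Review bot: The public methods visible in URIDefinition.php (`registerFilter`, `addFilter`, `getDefaultScheme`, `filter`, `postFilter`) have no docblocks, and two of their contracts decide whether a URI survives purification. `addFilter()` skips a filter only when `prepare()` returns exactly `false`, so a filter whose `prepare()` returns nothing is still installed. `filter()` and `postFilter()` reject the URI on any falsy result, so a filter that forgets to `return true` drops every URI. A docblock on both with `@return bool false if any registered filter rejected the URI`, plus a note on `addFilter()` stating the `prepare()` contract, would cover this. The `$name` loop variable in both loops is unused, and the opening of the class is missing from the extracted text.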
@@ -0,0 +1,54 @@ +getDefinition('URI')->host; + if ($our_host !== null) { + $this->ourHostParts = array_reverse(explode('.', $our_host)); + } + } + + /** + * @param HTMLPurifier_URI $uri Reference + * @param HTMLPurifier_Config $config + * @param HTMLPurifier_Context $context + * @return bool + */ + public function filter(&$uri, $config, $context) + { + if (is_null($uri->host)) { + return true; + } + if ($this->ourHostParts === false) { + return false; + } + $host_parts = array_reverse(explode('.', $uri->host)); + foreach ($this->ourHostParts as $i => $x) { + if (!isset($host_parts[$i])) { + return false; + } + if ($host_parts[$i] != $this->ourHostParts[$i]) { + return false; + } + } + return true; + } +} + +// vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/URIFilter/DisableExternalResources.php php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/URIFilter/DisableExternalResources.php --- php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/URIFilter/DisableExternalResources.php 1970-01-01 00:00:00.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/URIFilter/DisableExternalResources.php 2019-07-14 19:19:38.000000000 +0000 @@ -0,0 +1,25 @@ +get('EmbeddedURI', true)) { + return true; + } + return parent::filter($uri, $config, $context); + } +} + +// vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/URIFilter/DisableResources.php php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/URIFilter/DisableResources.php --- php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/URIFilter/DisableResources.php 1970-01-01 00:00:00.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/URIFilter/DisableResources.php 2019-07-14 19:19:38.000000000 +0000 
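Review bot: The label comparison in `filter()` of DisableExternal.php uses loose `!=`, so two labels that are both numeric strings are compared by value rather than as text (in PHP `'1e1' == '10'` is true). A host with differently written numeric labels can then be treated as the configured host; `if ($host_parts[$i] !== $this->ourHostParts[$i])` removes that ambiguity. The comparison is also case-sensitive, so it relies on both %URI.Host and the URI host being lower-cased before this filter runs, which the hunk does not show. The loop binds `$x` but then indexes `$this->ourHostParts[$i]` again; comparing against `$x` would be tidier. The start of the class, including the signature of `prepare()`, is missing from the extracted text.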
@@ -0,0 +1,22 @@
+get('EmbeddedURI', true);
+ }
+}
+
+// vim: et sw=4 sts=4
diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/URIFilter/HostBlacklist.php php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/URIFilter/HostBlacklist.php
--- php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/URIFilter/HostBlacklist.php 1970-01-01 00:00:00.000000000 +0000
+++ php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/URIFilter/HostBlacklist.php 2019-07-14 19:19:38.000000000 +0000
@@ -0,0 +1,46 @@
+blacklist = $config->get('URI.HostBlacklist');
+ return true;
+ }
+
+ /**
+ * @param HTMLPurifier_URI $uri
+ * @param HTMLPurifier_Config $config
+ * @param HTMLPurifier_Context $context
+ * @return bool
+ */
+ public function filter(&$uri, $config, $context)
+ {
+ foreach ($this->blacklist as $blacklisted_host_fragment) {
+ if (strpos($uri->host, $blacklisted_host_fragment) !== false) {
+ return false;
+ }
+ }
+ return true;
+ }
+}
+
+// vim: et sw=4 sts=4
diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/URIFilter/MakeAbsolute.php php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/URIFilter/MakeAbsolute.php
--- php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/URIFilter/MakeAbsolute.php 1970-01-01 00:00:00.000000000 +0000
+++ php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/URIFilter/MakeAbsolute.php 2019-07-14 19:19:38.000000000 +0000
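Review bot: In HostBlacklist::filter(), `strpos($uri->host, $blacklisted_host_fragment)` is called without checking that the URI has a host, so a relative URI passes null as the haystack, which PHP 8.1 and later report as deprecated. Add `if (is_null($uri->host)) { return true; }` before the loop, as DisableExternal::filter() does. An empty string in URI.HostBlacklist is also worth rejecting in prepare(): on PHP 8 an empty needle matches at offset 0, so every URI with a host would be dropped. The docblock could state that matching is a case-sensitive substring test, so a fragment also blocks unrelated hosts that merely contain it.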
@@ -0,0 +1,158 @@ +getDefinition('URI'); + $this->base = $def->base; + if (is_null($this->base)) { + trigger_error( + 'URI.MakeAbsolute is being ignored due to lack of ' . + 'value for URI.Base configuration', + E_USER_WARNING + ); + return false; + } + $this->base->fragment = null; // fragment is invalid for base URI + $stack = explode('/', $this->base->path); + array_pop($stack); // discard last segment + $stack = $this->_collapseStack($stack); // do pre-parsing + $this->basePathStack = $stack; + return true; + } + + /** + * @param HTMLPurifier_URI $uri + * @param HTMLPurifier_Config $config + * @param HTMLPurifier_Context $context + * @return bool + */ + public function filter(&$uri, $config, $context) + { + if (is_null($this->base)) { + return true; + } // abort early + if ($uri->path === '' && is_null($uri->scheme) && + is_null($uri->host) && is_null($uri->query) && is_null($uri->fragment)) { + // reference to current document + $uri = clone $this->base; + return true; + } + if (!is_null($uri->scheme)) { + // absolute URI already: don't change + if (!is_null($uri->host)) { + return true; + } + $scheme_obj = $uri->getSchemeObj($config, $context); + if (!$scheme_obj) { + // scheme not recognized + return false; + } + if (!$scheme_obj->hierarchical) { + // non-hierarchal URI with explicit scheme, don't change + return true; + } + // special case: had a scheme but always is hierarchical and had no authority + } + if (!is_null($uri->host)) { + // network path, don't bother + return true; + } + if ($uri->path === '') { + $uri->path = $this->base->path; + } elseif ($uri->path[0] !== '/') { + // relative path, needs more complicated processing + $stack = explode('/', $uri->path); + $new_stack = array_merge($this->basePathStack, $stack); + if ($new_stack[0] !== '' && !is_null($this->base->host)) { + array_unshift($new_stack, ''); + } + $new_stack = $this->_collapseStack($new_stack); + $uri->path = implode('/', $new_stack); + } else { + // absolute path, but still we 
should collapse + $uri->path = implode('/', $this->_collapseStack(explode('/', $uri->path))); + } + // re-combine + $uri->scheme = $this->base->scheme; + if (is_null($uri->userinfo)) { + $uri->userinfo = $this->base->userinfo; + } + if (is_null($uri->host)) { + $uri->host = $this->base->host; + } + if (is_null($uri->port)) { + $uri->port = $this->base->port; + } + return true; + } + + /** + * Resolve dots and double-dots in a path stack + * @param array $stack + * @return array + */ + private function _collapseStack($stack) + { + $result = array(); + $is_folder = false; + for ($i = 0; isset($stack[$i]); $i++) { + $is_folder = false; + // absorb an internally duplicated slash + if ($stack[$i] == '' && $i && isset($stack[$i + 1])) { + continue; + } + if ($stack[$i] == '..') { + if (!empty($result)) { + $segment = array_pop($result); + if ($segment === '' && empty($result)) { + // error case: attempted to back out too far: + // restore the leading slash + $result[] = ''; + } elseif ($segment === '..') { + $result[] = '..'; // cannot remove .. with .. + } + } else { + // relative path, preserve the double-dots + $result[] = '..'; + } + $is_folder = true; + continue; + } + if ($stack[$i] == '.') { + // silently absorb + $is_folder = true; + continue; + } + $result[] = $stack[$i]; + } + if ($is_folder) { + $result[] = ''; + } + return $result; + } +} + +// vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/URIFilter/Munge.php php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/URIFilter/Munge.php --- php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/URIFilter/Munge.php 1970-01-01 00:00:00.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/URIFilter/Munge.php 2019-07-14 19:19:38.000000000 +0000 
@@ -0,0 +1,115 @@ +target = $config->get('URI.' . $this->name); + $this->parser = new HTMLPurifier_URIParser(); + $this->doEmbed = $config->get('URI.MungeResources'); + $this->secretKey = $config->get('URI.MungeSecretKey'); + if ($this->secretKey && !function_exists('hash_hmac')) { + throw new Exception("Cannot use %URI.MungeSecretKey without hash_hmac support."); + } + return true; + } + + /** + * @param HTMLPurifier_URI $uri + * @param HTMLPurifier_Config $config + * @param HTMLPurifier_Context $context + * @return bool + */ + public function filter(&$uri, $config, $context) + { + if ($context->get('EmbeddedURI', true) && !$this->doEmbed) { + return true; + } + + $scheme_obj = $uri->getSchemeObj($config, $context); + if (!$scheme_obj) { + return true; + } // ignore unknown schemes, maybe another postfilter did it + if (!$scheme_obj->browsable) { + return true; + } // ignore non-browseable schemes, since we can't munge those in a reasonable way + if ($uri->isBenign($config, $context)) { + return true; + } // don't redirect if a benign URL + + $this->makeReplace($uri, $config, $context); + $this->replace = array_map('rawurlencode', $this->replace); + + $new_uri = strtr($this->target, $this->replace); + $new_uri = $this->parser->parse($new_uri); + // don't redirect if the target host is the same as the + // starting host + if ($uri->host === $new_uri->host) { + return true; + } + $uri = $new_uri; // overwrite + return true; + } + + /** + * @param HTMLPurifier_URI $uri + * @param HTMLPurifier_Config $config + * @param HTMLPurifier_Context $context + */ + protected function makeReplace($uri, $config, $context) + { + $string = $uri->toString(); + // always available + $this->replace['%s'] = $string; + $this->replace['%r'] = $context->get('EmbeddedURI', true); + $token = $context->get('CurrentToken', true); + $this->replace['%n'] = $token ? 
$token->name : null; + $this->replace['%m'] = $context->get('CurrentAttr', true); + $this->replace['%p'] = $context->get('CurrentCSSProperty', true); + // not always available + if ($this->secretKey) { + $this->replace['%t'] = hash_hmac("sha256", $string, $this->secretKey); + } + } +} + +// vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/URIFilter/SafeIframe.php php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/URIFilter/SafeIframe.php --- php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/URIFilter/SafeIframe.php 1970-01-01 00:00:00.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/URIFilter/SafeIframe.php 2019-07-14 19:19:38.000000000 +0000 @@ -0,0 +1,68 @@ +regexp = $config->get('URI.SafeIframeRegexp'); + return true; + } + + /** + * @param HTMLPurifier_URI $uri + * @param HTMLPurifier_Config $config + * @param HTMLPurifier_Context $context + * @return bool + */ + public function filter(&$uri, $config, $context) + { + // check if filter not applicable + if (!$config->get('HTML.SafeIframe')) { + return true; + } + // check if the filter should actually trigger + if (!$context->get('EmbeddedURI', true)) { + return true; + } + $token = $context->get('CurrentToken', true); + if (!($token && $token->name == 'iframe')) { + return true; + } + // check if we actually have some whitelists enabled + if ($this->regexp === null) { + return false; + } + // actually check the whitelists + return preg_match($this->regexp, $uri->toString()); + } +} + +// vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/URIFilter.php php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/URIFilter.php --- php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/URIFilter.php 1970-01-01 00:00:00.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/URIFilter.php 2019-07-14 19:19:38.000000000 +0000 
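Review bot: Munge::filter() uses the result of `$this->parser->parse($new_uri)` without checking it, while URIParser::parse() in this same diff can return false. In that case `$new_uri->host` is read from a non-object and `$uri` is overwritten with false while the filter still returns true. Add `if ($new_uri === false) { return false; }` straight after the parse call so a failed rewrite rejects the URI instead of handing a non-URI to later filters. A comment in makeReplace() should also note that `%t` is left unreplaced in the target when URI.MungeSecretKey is unset.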
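Review bot: SafeIframe::filter() ends with `return preg_match($this->regexp, $uri->toString());`, which returns 1, 0 or false rather than the documented bool, and a PCRE error is indistinguishable from a non-match. Returning `preg_match($this->regexp, $uri->toString()) === 1;` keeps the fail-closed behaviour and matches the `@return bool` tag. The docblock should also say that the URI.SafeIframeRegexp pattern is applied unanchored to the full URI string, so a pattern that does not begin with `^` and pin the scheme and host up to a trailing `/` will accept any URL that merely contains the allowed text.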
@@ -0,0 +1,74 @@ +percentEncoder = new HTMLPurifier_PercentEncoder(); + } + + /** + * Parses a URI. + * @param $uri string URI to parse + * @return HTMLPurifier_URI representation of URI. This representation has + * not been validated yet and may not conform to RFC. + */ + public function parse($uri) + { + $uri = $this->percentEncoder->normalize($uri); + + // Regexp is as per Appendix B. + // Note that ["<>] are an addition to the RFC's recommended + // characters, because they represent external delimeters. + $r_URI = '!'. + '(([a-zA-Z0-9\.\+\-]+):)?'. // 2. Scheme + '(//([^/?#"<>]*))?'. // 4. Authority + '([^?#"<>]*)'. // 5. Path + '(\?([^#"<>]*))?'. // 7. Query + '(#([^"<>]*))?'. // 8. Fragment + '!'; + + $matches = array(); + $result = preg_match($r_URI, $uri, $matches); + + if (!$result) return false; // *really* invalid URI + + // seperate out parts + $scheme = !empty($matches[1]) ? $matches[2] : null; + $authority = !empty($matches[3]) ? $matches[4] : null; + $path = $matches[5]; // always present, can be empty + $query = !empty($matches[6]) ? $matches[7] : null; + $fragment = !empty($matches[8]) ? $matches[9] : null; + + // further parse authority + if ($authority !== null) { + $r_authority = "/^((.+?)@)?(\[[^\]]+\]|[^:]*)(:(\d*))?/"; + $matches = array(); + preg_match($r_authority, $authority, $matches); + $userinfo = !empty($matches[1]) ? $matches[2] : null; + $host = !empty($matches[3]) ? $matches[3] : ''; + $port = !empty($matches[4]) ? 
(int) $matches[5] : null; + } else { + $port = $host = $userinfo = null; + } + + return new HTMLPurifier_URI( + $scheme, $userinfo, $host, $port, $path, $query, $fragment); + } + +} + +// vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/URI.php php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/URI.php --- php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/URI.php 1970-01-01 00:00:00.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/URI.php 2019-07-14 19:19:38.000000000 +0000 
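Review bot: In parse(), `$host = !empty($matches[3]) ? $matches[3] : '';` treats the host string "0" as empty, because empty('0') is true in PHP, so an authority of `0` is silently replaced by a blank host and later handled as if no host had been given. Test the capture explicitly instead: `$host = (isset($matches[3]) && $matches[3] !== '') ? $matches[3] : '';`. The authority pattern also splits userinfo at the first `@`, so a second `@` ends up inside `$host`; that is only safe if host validation rejects it, which happens outside this hunk and should be confirmed. The diff header for this file appears to have been lost in extraction, so the hunk as shown starts inside the constructor.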
@@ -0,0 +1,316 @@ +scheme = is_null($scheme) || ctype_lower($scheme) ? $scheme : strtolower($scheme); + $this->userinfo = $userinfo; + $this->host = $host; + $this->port = is_null($port) ? $port : (int)$port; + $this->path = $path; + $this->query = $query; + $this->fragment = $fragment; + } + + /** + * Retrieves a scheme object corresponding to the URI's scheme/default + * @param HTMLPurifier_Config $config + * @param HTMLPurifier_Context $context + * @return HTMLPurifier_URIScheme Scheme object appropriate for validating this URI + */ + public function getSchemeObj($config, $context) + { + $registry = HTMLPurifier_URISchemeRegistry::instance(); + if ($this->scheme !== null) { + $scheme_obj = $registry->getScheme($this->scheme, $config, $context); + if (!$scheme_obj) { + return false; + } // invalid scheme, clean it out + } else { + // no scheme: retrieve the default one + $def = $config->getDefinition('URI'); + $scheme_obj = $def->getDefaultScheme($config, $context); + if (!$scheme_obj) { + if ($def->defaultScheme !== null) { + // something funky happened to the default scheme object + trigger_error( + 'Default scheme object "' . $def->defaultScheme . '" was not readable', + E_USER_WARNING + ); + } // suppress error if it's null + return false; + } + } + return $scheme_obj; + } + + /** + * Generic validation method applicable for all schemes. May modify + * this URI in order to get it into a compliant form. + * @param HTMLPurifier_Config $config + * @param HTMLPurifier_Context $context + * @return bool True if validation/filtering succeeds, false if failure + */ + public function validate($config, $context) + { + // ABNF definitions from RFC 3986 + $chars_sub_delims = '!$&\'()*+,;='; + $chars_gen_delims = ':/?#[]@'; + $chars_pchar = $chars_sub_delims . 
':@'; + + // validate host + if (!is_null($this->host)) { + $host_def = new HTMLPurifier_AttrDef_URI_Host(); + $this->host = $host_def->validate($this->host, $config, $context); + if ($this->host === false) { + $this->host = null; + } + } + + // validate scheme + // NOTE: It's not appropriate to check whether or not this + // scheme is in our registry, since a URIFilter may convert a + // URI that we don't allow into one we do. So instead, we just + // check if the scheme can be dropped because there is no host + // and it is our default scheme. + if (!is_null($this->scheme) && is_null($this->host) || $this->host === '') { + // support for relative paths is pretty abysmal when the + // scheme is present, so axe it when possible + $def = $config->getDefinition('URI'); + if ($def->defaultScheme === $this->scheme) { + $this->scheme = null; + } + } + + // validate username + if (!is_null($this->userinfo)) { + $encoder = new HTMLPurifier_PercentEncoder($chars_sub_delims . ':'); + $this->userinfo = $encoder->encode($this->userinfo); + } + + // validate port + if (!is_null($this->port)) { + if ($this->port < 1 || $this->port > 65535) { + $this->port = null; + } + } + + // validate path + $segments_encoder = new HTMLPurifier_PercentEncoder($chars_pchar . 
'/'); + if (!is_null($this->host)) { // this catches $this->host === '' + // path-abempty (hier and relative) + // http://www.example.com/my/path + // //www.example.com/my/path (looks odd, but works, and + // recognized by most browsers) + // (this set is valid or invalid on a scheme by scheme + // basis, so we'll deal with it later) + // file:///my/path + // ///my/path + $this->path = $segments_encoder->encode($this->path); + } elseif ($this->path !== '') { + if ($this->path[0] === '/') { + // path-absolute (hier and relative) + // http:/my/path + // /my/path + if (strlen($this->path) >= 2 && $this->path[1] === '/') { + // This could happen if both the host gets stripped + // out + // http://my/path + // //my/path + $this->path = ''; + } else { + $this->path = $segments_encoder->encode($this->path); + } + } elseif (!is_null($this->scheme)) { + // path-rootless (hier) + // http:my/path + // Short circuit evaluation means we don't need to check nz + $this->path = $segments_encoder->encode($this->path); + } else { + // path-noscheme (relative) + // my/path + // (once again, not checking nz) + $segment_nc_encoder = new HTMLPurifier_PercentEncoder($chars_sub_delims . '@'); + $c = strpos($this->path, '/'); + if ($c !== false) { + $this->path = + $segment_nc_encoder->encode(substr($this->path, 0, $c)) . + $segments_encoder->encode(substr($this->path, $c)); + } else { + $this->path = $segment_nc_encoder->encode($this->path); + } + } + } else { + // path-empty (hier and relative) + $this->path = ''; // just to be safe + } + + // qf = query and fragment + $qf_encoder = new HTMLPurifier_PercentEncoder($chars_pchar . 
'/?'); + + if (!is_null($this->query)) { + $this->query = $qf_encoder->encode($this->query); + } + + if (!is_null($this->fragment)) { + $this->fragment = $qf_encoder->encode($this->fragment); + } + return true; + } + + /** + * Convert URI back to string + * @return string URI appropriate for output + */ + public function toString() + { + // reconstruct authority + $authority = null; + // there is a rendering difference between a null authority + // (http:foo-bar) and an empty string authority + // (http:///foo-bar). + if (!is_null($this->host)) { + $authority = ''; + if (!is_null($this->userinfo)) { + $authority .= $this->userinfo . '@'; + } + $authority .= $this->host; + if (!is_null($this->port)) { + $authority .= ':' . $this->port; + } + } + + // Reconstruct the result + // One might wonder about parsing quirks from browsers after + // this reconstruction. Unfortunately, parsing behavior depends + // on what *scheme* was employed (file:///foo is handled *very* + // differently than http:///foo), so unfortunately we have to + // defer to the schemes to do the right thing. + $result = ''; + if (!is_null($this->scheme)) { + $result .= $this->scheme . ':'; + } + if (!is_null($authority)) { + $result .= '//' . $authority; + } + $result .= $this->path; + if (!is_null($this->query)) { + $result .= '?' . $this->query; + } + if (!is_null($this->fragment)) { + $result .= '#' . $this->fragment; + } + + return $result; + } + + /** + * Returns true if this URL might be considered a 'local' URL given + * the current context. This is true when the host is null, or + * when it matches the host supplied to the configuration. + * + * Note that this does not do any scheme checking, so it is mostly + * only appropriate for metadata that doesn't care about protocol + * security. isBenign is probably what you actually want. 
+ * @param HTMLPurifier_Config $config + * @param HTMLPurifier_Context $context + * @return bool + */ + public function isLocal($config, $context) + { + if ($this->host === null) { + return true; + } + $uri_def = $config->getDefinition('URI'); + if ($uri_def->host === $this->host) { + return true; + } + return false; + } + + /** + * Returns true if this URL should be considered a 'benign' URL, + * that is: + * + * - It is a local URL (isLocal), and + * - It has a equal or better level of security + * @param HTMLPurifier_Config $config + * @param HTMLPurifier_Context $context + * @return bool + */ + public function isBenign($config, $context) + { + if (!$this->isLocal($config, $context)) { + return false; + } + + $scheme_obj = $this->getSchemeObj($config, $context); + if (!$scheme_obj) { + return false; + } // conservative approach + + $current_scheme_obj = $config->getDefinition('URI')->getDefaultScheme($config, $context); + if ($current_scheme_obj->secure) { + if (!$scheme_obj->secure) { + return false; + } + } + return true; + } +} + +// vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/URIScheme/data.php php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/URIScheme/data.php --- php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/URIScheme/data.php 1970-01-01 00:00:00.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/URIScheme/data.php 2019-07-14 19:19:38.000000000 +0000 
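Review bot: isBenign() dereferences `$current_scheme_obj->secure` without checking the result of getDefaultScheme(), although getSchemeObj() in the same file treats that call as able to return a falsy value. When the default scheme cannot be loaded the property read yields null, the security comparison is skipped, and a local URI with an insecure scheme is reported as benign. Fail closed, in line with the existing "conservative approach" branch: `if (!$current_scheme_obj) { return false; }` before the `->secure` test. Separately, the condition `!is_null($this->scheme) && is_null($this->host) || $this->host === ''` in validate() would be safer to maintain with explicit parentheses around the intended grouping.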
@@ -0,0 +1,136 @@ + true, + 'image/gif' => true, + 'image/png' => true, + ); + // this is actually irrelevant since we only write out the path + // component + /** + * @type bool + */ + public $may_omit_host = true; + + /** + * @param HTMLPurifier_URI $uri + * @param HTMLPurifier_Config $config + * @param HTMLPurifier_Context $context + * @return bool + */ + public function doValidate(&$uri, $config, $context) + { + $result = explode(',', $uri->path, 2); + $is_base64 = false; + $charset = null; + $content_type = null; + if (count($result) == 2) { + list($metadata, $data) = $result; + // do some legwork on the metadata + $metas = explode(';', $metadata); + while (!empty($metas)) { + $cur = array_shift($metas); + if ($cur == 'base64') { + $is_base64 = true; + break; + } + if (substr($cur, 0, 8) == 'charset=') { + // doesn't match if there are arbitrary spaces, but + // whatever dude + if ($charset !== null) { + continue; + } // garbage + $charset = substr($cur, 8); // not used + } else { + if ($content_type !== null) { + continue; + } // garbage + $content_type = $cur; + } + } + } else { + $data = $result[0]; + } + if ($content_type !== null && empty($this->allowed_types[$content_type])) { + return false; + } + if ($charset !== null) { + // error; we don't allow plaintext stuff + $charset = null; + } + $data = rawurldecode($data); + if ($is_base64) { + $raw_data = base64_decode($data); + } else { + $raw_data = $data; + } + if ( strlen($raw_data) < 12 ) { + // error; exif_imagetype throws exception with small files, + // and this likely indicates a corrupt URI/failed parse anyway + return false; + } + // XXX probably want to refactor this into a general mechanism + // for filtering arbitrary content types + if (function_exists('sys_get_temp_dir')) { + $file = tempnam(sys_get_temp_dir(), ""); + } else { + $file = tempnam("/tmp", ""); + } + file_put_contents($file, $raw_data); + if (function_exists('exif_imagetype')) { + $image_code = exif_imagetype($file); + 
unlink($file); + } elseif (function_exists('getimagesize')) { + set_error_handler(array($this, 'muteErrorHandler')); + $info = getimagesize($file); + restore_error_handler(); + unlink($file); + if ($info == false) { + return false; + } + $image_code = $info[2]; + } else { + trigger_error("could not find exif_imagetype or getimagesize functions", E_USER_ERROR); + } + $real_content_type = image_type_to_mime_type($image_code); + if ($real_content_type != $content_type) { + // we're nice guys; if the content type is something else we + // support, change it over + if (empty($this->allowed_types[$real_content_type])) { + return false; + } + $content_type = $real_content_type; + } + // ok, it's kosher, rewrite what we need + $uri->userinfo = null; + $uri->host = null; + $uri->port = null; + $uri->fragment = null; + $uri->query = null; + $uri->path = "$content_type;base64," . base64_encode($raw_data); + return true; + } + + /** + * @param int $errno + * @param string $errstr + */ + public function muteErrorHandler($errno, $errstr) + { + } +} diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/URIScheme/file.php php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/URIScheme/file.php --- php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/URIScheme/file.php 1970-01-01 00:00:00.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/URIScheme/file.php 2019-07-14 19:19:38.000000000 +0000 
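Review bot: doValidate() writes the decoded payload to a temp file but does not guarantee its removal: in the final `else` branch, where neither exif_imagetype nor getimagesize exists, the file is left on disk and, if the error handler returns, `$image_code` is undefined when passed to image_type_to_mime_type(). Add `unlink($file); return false;` after the trigger_error() call. The return values of tempnam() and file_put_contents() are unchecked as well, so a failure there should reject the URI (`if ($file === false) { return false; }`) rather than continue to the image probe. base64_decode() is called in non-strict mode; passing `true` as the second argument and rejecting a false result would stop malformed data from being silently accepted.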
@@ -0,0 +1,44 @@ +userinfo = null; + // file:// makes no provisions for accessing the resource + $uri->port = null; + // While it seems to work on Firefox, the querystring has + // no possible effect and is thus stripped. + $uri->query = null; + return true; + } +} + +// vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/URIScheme/ftp.php php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/URIScheme/ftp.php --- php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/URIScheme/ftp.php 1970-01-01 00:00:00.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/URIScheme/ftp.php 2019-07-14 19:19:38.000000000 +0000 @@ -0,0 +1,58 @@ +query = null; + + // typecode check + $semicolon_pos = strrpos($uri->path, ';'); // reverse + if ($semicolon_pos !== false) { + $type = substr($uri->path, $semicolon_pos + 1); // no semicolon + $uri->path = substr($uri->path, 0, $semicolon_pos); + $type_ret = ''; + if (strpos($type, '=') !== false) { + // figure out whether or not the declaration is correct + list($key, $typecode) = explode('=', $type, 2); + if ($key !== 'type') { + // invalid key, tack it back on encoded + $uri->path .= '%3B' . $type; + } elseif ($typecode === 'a' || $typecode === 'i' || $typecode === 'd') { + $type_ret = ";type=$typecode"; + } + } else { + $uri->path .= '%3B' . $type; + } + $uri->path = str_replace(';', '%3B', $uri->path); + $uri->path .= $type_ret; + } + return true; + } +} + +// vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/URIScheme/http.php php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/URIScheme/http.php --- php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/URIScheme/http.php 1970-01-01 00:00:00.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/URIScheme/http.php 2019-07-14 19:19:38.000000000 +0000 
@@ -0,0 +1,36 @@
+userinfo = null;
+ return true;
+ }
+}
+
+// vim: et sw=4 sts=4
diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/URIScheme/https.php php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/URIScheme/https.php
--- php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/URIScheme/https.php 1970-01-01 00:00:00.000000000 +0000
+++ php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/URIScheme/https.php 2019-07-14 19:19:38.000000000 +0000
@@ -0,0 +1,18 @@
+userinfo = null;
+ $uri->host = null;
+ $uri->port = null;
+ // we need to validate path against RFC 2368's addr-spec
+ return true;
+ }
+}
+
+// vim: et sw=4 sts=4
diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/URIScheme/news.php php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/URIScheme/news.php
--- php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/URIScheme/news.php 1970-01-01 00:00:00.000000000 +0000
+++ php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/URIScheme/news.php 2019-07-14 19:19:38.000000000 +0000
@@ -0,0 +1,35 @@
+userinfo = null;
+ $uri->host = null;
+ $uri->port = null;
+ $uri->query = null;
+ // typecode check needed on path
+ return true;
+ }
+}
+
+// vim: et sw=4 sts=4
diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/URIScheme/nntp.php php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/URIScheme/nntp.php
--- php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/URIScheme/nntp.php 1970-01-01 00:00:00.000000000 +0000
+++ php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/URIScheme/nntp.php 2019-07-14 19:19:38.000000000 +0000
@@ -0,0 +1,32 @@
+userinfo = null;
+ $uri->query = null;
+ return true;
+ }
+}
+
+// vim: et sw=4 sts=4
diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/URIScheme/tel.php php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/URIScheme/tel.php
--- php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/URIScheme/tel.php 1970-01-01 00:00:00.000000000 +0000
+++ php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/URIScheme/tel.php 2019-07-14 19:19:38.000000000 +0000
@@ -0,0 +1,46 @@
+userinfo = null;
+ $uri->host = null;
+ $uri->port = null;
+
+ // Delete all non-numeric characters, non-x characters
+ // from phone number, EXCEPT for a leading plus sign.
+ $uri->path = preg_replace('/(?!^\+)[^\dx]/', '',
+ // Normalize e(x)tension to lower-case
+ str_replace('X', 'x', $uri->path));
+
+ return true;
+ }
+}
+
+// vim: et sw=4 sts=4
diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/URIScheme.php php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/URIScheme.php
--- php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/URIScheme.php 1970-01-01 00:00:00.000000000 +0000
+++ php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/URIScheme.php 2019-07-14 19:19:38.000000000 +0000
@@ -0,0 +1,102 @@ +, resolves edge cases + * with making relative URIs absolute + * @type bool + */ + public $hierarchical = false; + + /** + * Whether or not the URI may omit a hostname when the scheme is + * explicitly specified, ala file:///path/to/file. As of writing, + * 'file' is the only scheme that browsers support his properly. + * @type bool + */ + public $may_omit_host = false; + + /** + * Validates the components of a URI for a specific scheme. + * @param HTMLPurifier_URI $uri Reference to a HTMLPurifier_URI object + * @param HTMLPurifier_Config $config + * @param HTMLPurifier_Context $context + * @return bool success or failure + */ + abstract public function doValidate(&$uri, $config, $context); + + /** + * Public interface for validating components of a URI. Performs a + * bunch of default actions. Don't overload this method. + * @param HTMLPurifier_URI $uri Reference to a HTMLPurifier_URI object + * @param HTMLPurifier_Config $config + * @param HTMLPurifier_Context $context + * @return bool success or failure + */ + public function validate(&$uri, $config, $context) + { + if ($this->default_port == $uri->port) { + $uri->port = null; + } + // kludge: browsers do funny things when the scheme but not the + // authority is set + if (!$this->may_omit_host && + // if the scheme is present, a missing host is always in error + (!is_null($uri->scheme) && ($uri->host === '' || is_null($uri->host))) || + // if the scheme is not present, a *blank* host is in error, + // since this translates into '///path' which most browsers + // interpret as being 'http://path'. + (is_null($uri->scheme) && $uri->host === '') + ) { + do { + if (is_null($uri->scheme)) { + if (substr($uri->path, 0, 2) != '//') { + $uri->host = null; + break; + } + // URI is '////path', so we cannot nullify the + // host to preserve semantics. 
Try expanding the + // hostname instead (fall through) + } + // first see if we can manually insert a hostname + $host = $config->get('URI.Host'); + if (!is_null($host)) { + $uri->host = $host; + } else { + // we can't do anything sensible, reject the URL. + return false; + } + } while (false); + } + return $this->doValidate($uri, $config, $context); + } +} + +// vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/URISchemeRegistry.php php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/URISchemeRegistry.php --- php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/URISchemeRegistry.php 1970-01-01 00:00:00.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/URISchemeRegistry.php 2019-07-14 19:19:38.000000000 +0000 @@ -0,0 +1,81 @@ +get('URI.AllowedSchemes'); + if (!$config->get('URI.OverrideAllowedSchemes') && + !isset($allowed_schemes[$scheme]) + ) { + return; + } + + if (isset($this->schemes[$scheme])) { + return $this->schemes[$scheme]; + } + if (!isset($allowed_schemes[$scheme])) { + return; + } + + $class = 'HTMLPurifier_URIScheme_' . $scheme; + if (!class_exists($class)) { + return; + } + $this->schemes[$scheme] = new $class(); + return $this->schemes[$scheme]; + } + + /** + * Registers a custom scheme to the cache, bypassing reflection. + * @param string $scheme Scheme name + * @param HTMLPurifier_URIScheme $scheme_obj + */ + public function register($scheme, $scheme_obj) + { + $this->schemes[$scheme] = $scheme_obj; + } +} + +// vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/VarParser/Flexible.php php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/VarParser/Flexible.php --- php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/VarParser/Flexible.php 1970-01-01 00:00:00.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/VarParser/Flexible.php 2019-07-14 19:19:38.000000000 +0000 
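Review bot: The guard in URIScheme::validate() mixes `&&` and `||` without grouping, so `!$this->may_omit_host` applies only to the first parenthesised test and the scheme-less blank-host test runs for every scheme, including those with may_omit_host set. If that is intended, say so in a comment and wrap the first two operands in their own parentheses so the precedence is explicit rather than implied. `$this->default_port == $uri->port` is a loose comparison as well; switching to `===` is safe only if both sides are always int or null, which should be confirmed against the scheme classes because their default_port declarations are not visible on this page.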
@@ -0,0 +1,130 @@ + $j) { + $var[$i] = trim($j); + } + if ($type === self::HASH) { + // key:value,key2:value2 + $nvar = array(); + foreach ($var as $keypair) { + $c = explode(':', $keypair, 2); + if (!isset($c[1])) { + continue; + } + $nvar[trim($c[0])] = trim($c[1]); + } + $var = $nvar; + } + } + if (!is_array($var)) { + break; + } + $keys = array_keys($var); + if ($keys === array_keys($keys)) { + if ($type == self::ALIST) { + return $var; + } elseif ($type == self::LOOKUP) { + $new = array(); + foreach ($var as $key) { + $new[$key] = true; + } + return $new; + } else { + break; + } + } + if ($type === self::ALIST) { + trigger_error("Array list did not have consecutive integer indexes", E_USER_WARNING); + return array_values($var); + } + if ($type === self::LOOKUP) { + foreach ($var as $key => $value) { + if ($value !== true) { + trigger_error( + "Lookup array has non-true value at key '$key'; " . + "maybe your input array was not indexed numerically", + E_USER_WARNING + ); + } + $var[$key] = true; + } + } + return $var; + default: + $this->errorInconsistent(__CLASS__, $type); + } + $this->errorGeneric($var, $type); + } +} + +// vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/VarParser/Native.php php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/VarParser/Native.php --- php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/VarParser/Native.php 1970-01-01 00:00:00.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/VarParser/Native.php 2019-07-14 19:19:38.000000000 +0000 
@@ -0,0 +1,38 @@
+evalExpression($var);
+ }
+
+ /**
+ * @param string $expr
+ * @return mixed
+ * @throws HTMLPurifier_VarParserException
+ */
+ protected function evalExpression($expr)
+ {
+ $var = null;
+ $result = eval("\$var = $expr;");
+ if ($result === false) {
+ throw new HTMLPurifier_VarParserException("Fatal error in evaluated code");
+ }
+ return $var;
+ }
+}
+
+// vim: et sw=4 sts=4
diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/VarParserException.php php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/VarParserException.php
--- php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/VarParserException.php 1970-01-01 00:00:00.000000000 +0000
+++ php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/VarParserException.php 2019-07-14 19:19:38.000000000 +0000
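Review bot: `evalExpression()` treats `eval()` returning `false` as the only failure, but on PHP 7 and later a syntax error in `$expr` throws `ParseError` instead, so the documented `HTMLPurifier_VarParserException` is not raised on that path and the error escapes as an engine `Error`. Catching `ParseError` and rethrowing keeps the contract the docblock states; the `catch` clause is harmless on PHP 5, where the class does not exist. Because `$expr` is executed as PHP, the docblock should also say that it must come only from trusted configuration and never from request data.

```php
protected function evalExpression($expr)
{
    $var = null;
    try {
        $result = eval("\$var = $expr;");
    } catch (ParseError $e) {
        throw new HTMLPurifier_VarParserException("Fatal error in evaluated code");
    }
    // … unchanged: $result === false check and return $var …
```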
@@ -0,0 +1,11 @@ + self::C_STRING, + 'istring' => self::ISTRING, + 'text' => self::TEXT, + 'itext' => self::ITEXT, + 'int' => self::C_INT, + 'float' => self::C_FLOAT, + 'bool' => self::C_BOOL, + 'lookup' => self::LOOKUP, + 'list' => self::ALIST, + 'hash' => self::HASH, + 'mixed' => self::C_MIXED + ); + + /** + * Lookup table of types that are string, and can have aliases or + * allowed value lists. + */ + public static $stringTypes = array( + self::C_STRING => true, + self::ISTRING => true, + self::TEXT => true, + self::ITEXT => true, + ); + + /** + * Validate a variable according to type. + * It may return NULL as a valid type if $allow_null is true. + * + * @param mixed $var Variable to validate + * @param int $type Type of variable, see HTMLPurifier_VarParser->types + * @param bool $allow_null Whether or not to permit null as a value + * @return string Validated and type-coerced variable + * @throws HTMLPurifier_VarParserException + */ + final public function parse($var, $type, $allow_null = false) + { + if (is_string($type)) { + if (!isset(HTMLPurifier_VarParser::$types[$type])) { + throw new HTMLPurifier_VarParserException("Invalid type '$type'"); + } else { + $type = HTMLPurifier_VarParser::$types[$type]; + } + } + $var = $this->parseImplementation($var, $type, $allow_null); + if ($allow_null && $var === null) { + return null; + } + // These are basic checks, to make sure nothing horribly wrong + // happened in our implementations. 
+ switch ($type) { + case (self::C_STRING): + case (self::ISTRING): + case (self::TEXT): + case (self::ITEXT): + if (!is_string($var)) { + break; + } + if ($type == self::ISTRING || $type == self::ITEXT) { + $var = strtolower($var); + } + return $var; + case (self::C_INT): + if (!is_int($var)) { + break; + } + return $var; + case (self::C_FLOAT): + if (!is_float($var)) { + break; + } + return $var; + case (self::C_BOOL): + if (!is_bool($var)) { + break; + } + return $var; + case (self::LOOKUP): + case (self::ALIST): + case (self::HASH): + if (!is_array($var)) { + break; + } + if ($type === self::LOOKUP) { + foreach ($var as $k) { + if ($k !== true) { + $this->error('Lookup table contains value other than true'); + } + } + } elseif ($type === self::ALIST) { + $keys = array_keys($var); + if (array_keys($keys) !== $keys) { + $this->error('Indices for list are not uniform'); + } + } + return $var; + case (self::C_MIXED): + return $var; + default: + $this->errorInconsistent(get_class($this), $type); + } + $this->errorGeneric($var, $type); + } + + /** + * Actually implements the parsing. Base implementation does not + * do anything to $var. Subclasses should overload this! + * @param mixed $var + * @param int $type + * @param bool $allow_null + * @return string + */ + protected function parseImplementation($var, $type, $allow_null) + { + return $var; + } + + /** + * Throws an exception. + * @throws HTMLPurifier_VarParserException + */ + protected function error($msg) + { + throw new HTMLPurifier_VarParserException($msg); + } + + /** + * Throws an inconsistency exception. + * @note This should not ever be called. It would be called if we + * extend the allowed values of HTMLPurifier_VarParser without + * updating subclasses. + * @param string $class + * @param int $type + * @throws HTMLPurifier_Exception + */ + protected function errorInconsistent($class, $type) + { + throw new HTMLPurifier_Exception( + "Inconsistency in $class: " . 
HTMLPurifier_VarParser::getTypeName($type) . + " not implemented" + ); + } + + /** + * Generic error for if a type didn't work. + * @param mixed $var + * @param int $type + */ + protected function errorGeneric($var, $type) + { + $vtype = gettype($var); + $this->error("Expected type " . HTMLPurifier_VarParser::getTypeName($type) . ", got $vtype"); + } + + /** + * @param int $type + * @return string + */ + public static function getTypeName($type) + { + static $lookup; + if (!$lookup) { + // Lazy load the alternative lookup table + $lookup = array_flip(HTMLPurifier_VarParser::$types); + } + if (!isset($lookup[$type])) { + return 'unknown'; + } + return $lookup[$type]; + } +} + +// vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/Zipper.php php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/Zipper.php --- php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier/Zipper.php 1970-01-01 00:00:00.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier/Zipper.php 2019-07-14 19:19:38.000000000 +0000 
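Review bot: The docblock on `parse()` says `@return string`, but the `switch` returns `$var` unchanged for `C_INT`, `C_FLOAT`, `C_BOOL`, the array types and `C_MIXED`, and the method returns `null` when `$allow_null` is set; `parseImplementation()` carries the same tag. I would change both to `@return mixed Validated and type-coerced variable` so that readers and static analysis do not assume a string result. `parse()` also accepts a type name and maps it through `$types`, so its parameter line should read `@param int|string $type`.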
@@ -0,0 +1,157 @@ +front = $front; + $this->back = $back; + } + + /** + * Creates a zipper from an array, with a hole in the + * 0-index position. + * @param Array to zipper-ify. + * @return Tuple of zipper and element of first position. + */ + static public function fromArray($array) { + $z = new self(array(), array_reverse($array)); + $t = $z->delete(); // delete the "dummy hole" + return array($z, $t); + } + + /** + * Convert zipper back into a normal array, optionally filling in + * the hole with a value. (Usually you should supply a $t, unless you + * are at the end of the array.) + */ + public function toArray($t = NULL) { + $a = $this->front; + if ($t !== NULL) $a[] = $t; + for ($i = count($this->back)-1; $i >= 0; $i--) { + $a[] = $this->back[$i]; + } + return $a; + } + + /** + * Move hole to the next element. + * @param $t Element to fill hole with + * @return Original contents of new hole. + */ + public function next($t) { + if ($t !== NULL) array_push($this->front, $t); + return empty($this->back) ? NULL : array_pop($this->back); + } + + /** + * Iterated hole advancement. + * @param $t Element to fill hole with + * @param $i How many forward to advance hole + * @return Original contents of new hole, i away + */ + public function advance($t, $n) { + for ($i = 0; $i < $n; $i++) { + $t = $this->next($t); + } + return $t; + } + + /** + * Move hole to the previous element + * @param $t Element to fill hole with + * @return Original contents of new hole. + */ + public function prev($t) { + if ($t !== NULL) array_push($this->back, $t); + return empty($this->front) ? NULL : array_pop($this->front); + } + + /** + * Delete contents of current hole, shifting hole to + * next element. + * @return Original contents of new hole. + */ + public function delete() { + return empty($this->back) ? NULL : array_pop($this->back); + } + + /** + * Returns true if we are at the end of the list. 
+ * @return bool + */ + public function done() { + return empty($this->back); + } + + /** + * Insert element before hole. + * @param Element to insert + */ + public function insertBefore($t) { + if ($t !== NULL) array_push($this->front, $t); + } + + /** + * Insert element after hole. + * @param Element to insert + */ + public function insertAfter($t) { + if ($t !== NULL) array_push($this->back, $t); + } + + /** + * Splice in multiple elements at hole. Functional specification + * in terms of array_splice: + * + * $arr1 = $arr; + * $old1 = array_splice($arr1, $i, $delete, $replacement); + * + * list($z, $t) = HTMLPurifier_Zipper::fromArray($arr); + * $t = $z->advance($t, $i); + * list($old2, $t) = $z->splice($t, $delete, $replacement); + * $arr2 = $z->toArray($t); + * + * assert($old1 === $old2); + * assert($arr1 === $arr2); + * + * NB: the absolute index location after this operation is + * *unchanged!* + * + * @param Current contents of hole. + */ + public function splice($t, $delete, $replacement) { + // delete + $old = array(); + $r = $t; + for ($i = $delete; $i > 0; $i--) { + $old[] = $r; + $r = $this->delete(); + } + // insert + for ($i = count($replacement)-1; $i >= 0; $i--) { + $this->insertAfter($r); + $r = $replacement[$i]; + } + return array($old, $r); + } +} diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier.autoload-legacy.php php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier.autoload-legacy.php --- php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier.autoload-legacy.php 1970-01-01 00:00:00.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier.autoload-legacy.php 2019-07-14 19:19:38.000000000 +0000 
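Review bot: `splice()` does not stop when the zipper runs out of elements: once `delete()` returns `NULL`, each remaining iteration of the delete loop appends `NULL` to `$old`, whereas the `array_splice` equivalence stated in the docblock implies `$old` holds only elements that existed. If callers can pass a `$delete` larger than what remains (not visible here), a guard at the top of the loop, `if ($r === NULL) break;`, keeps the two in step. Separately, the `advance()` docblock documents `$i` while the parameter is `$n`; it should read `@param $n How many forward to advance hole`.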
@@ -0,0 +1,15 @@ +purify($html, $config); +} + +// vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier.includes.php php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier.includes.php --- php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier.includes.php 1970-01-01 00:00:00.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier.includes.php 2019-07-14 19:19:38.000000000 +0000 @@ -0,0 +1,234 @@ + $attributes) { + $allowed_elements[$element] = true; + foreach ($attributes as $attribute => $x) { + $allowed_attributes["$element.$attribute"] = true; + } + } + $config->set('HTML.AllowedElements', $allowed_elements); + $config->set('HTML.AllowedAttributes', $allowed_attributes); + if ($allowed_protocols !== null) { + $config->set('URI.AllowedSchemes', $allowed_protocols); + } + $purifier = new HTMLPurifier($config); + return $purifier->purify($string); +} + +// vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier.php php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier.php --- php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier.php 1970-01-01 00:00:00.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier.php 2019-07-14 19:19:38.000000000 +0000 
@@ -0,0 +1,296 @@ +config = HTMLPurifier_Config::create($config); + $this->strategy = new HTMLPurifier_Strategy_Core(); + } + + /** + * Adds a filter to process the output. First come first serve + * + * @param HTMLPurifier_Filter $filter HTMLPurifier_Filter object + */ + public function addFilter($filter) + { + trigger_error( + 'HTMLPurifier->addFilter() is deprecated, use configuration directives' . + ' in the Filter namespace or Filter.Custom', + E_USER_WARNING + ); + $this->filters[] = $filter; + } + + /** + * Filters an HTML snippet/document to be XSS-free and standards-compliant. + * + * @param string $html String of HTML to purify + * @param HTMLPurifier_Config $config Config object for this operation, + * if omitted, defaults to the config object specified during this + * object's construction. The parameter can also be any type + * that HTMLPurifier_Config::create() supports. + * + * @return string Purified HTML + */ + public function purify($html, $config = null) + { + // :TODO: make the config merge in, instead of replace + $config = $config ? 
HTMLPurifier_Config::create($config) : $this->config; + + // implementation is partially environment dependant, partially + // configuration dependant + $lexer = HTMLPurifier_Lexer::create($config); + + $context = new HTMLPurifier_Context(); + + // setup HTML generator + $this->generator = new HTMLPurifier_Generator($config, $context); + $context->register('Generator', $this->generator); + + // set up global context variables + if ($config->get('Core.CollectErrors')) { + // may get moved out if other facilities use it + $language_factory = HTMLPurifier_LanguageFactory::instance(); + $language = $language_factory->create($config, $context); + $context->register('Locale', $language); + + $error_collector = new HTMLPurifier_ErrorCollector($context); + $context->register('ErrorCollector', $error_collector); + } + + // setup id_accumulator context, necessary due to the fact that + // AttrValidator can be called from many places + $id_accumulator = HTMLPurifier_IDAccumulator::build($config, $context); + $context->register('IDAccumulator', $id_accumulator); + + $html = HTMLPurifier_Encoder::convertToUTF8($html, $config, $context); + + // setup filters + $filter_flags = $config->getBatch('Filter'); + $custom_filters = $filter_flags['Custom']; + unset($filter_flags['Custom']); + $filters = array(); + foreach ($filter_flags as $filter => $flag) { + if (!$flag) { + continue; + } + if (strpos($filter, '.') !== false) { + continue; + } + $class = "HTMLPurifier_Filter_$filter"; + $filters[] = new $class; + } + foreach ($custom_filters as $filter) { + // maybe "HTMLPurifier_Filter_$filter", but be consistent with AutoFormat + $filters[] = $filter; + } + $filters = array_merge($filters, $this->filters); + // maybe prepare(), but later + + for ($i = 0, $filter_size = count($filters); $i < $filter_size; $i++) { + $html = $filters[$i]->preFilter($html, $config, $context); + } + + // purified HTML + $html = + $this->generator->generateFromTokens( + // list of tokens + 
$this->strategy->execute( + // list of un-purified tokens + $lexer->tokenizeHTML( + // un-purified HTML + $html, + $config, + $context + ), + $config, + $context + ) + ); + + for ($i = $filter_size - 1; $i >= 0; $i--) { + $html = $filters[$i]->postFilter($html, $config, $context); + } + + $html = HTMLPurifier_Encoder::convertFromUTF8($html, $config, $context); + $this->context =& $context; + return $html; + } + + /** + * Filters an array of HTML snippets + * + * @param string[] $array_of_html Array of html snippets + * @param HTMLPurifier_Config $config Optional config object for this operation. + * See HTMLPurifier::purify() for more details. + * + * @return string[] Array of purified HTML + */ + public function purifyArray($array_of_html, $config = null) + { + $context_array = array(); + foreach($array_of_html as $key=>$value){ + if (is_array($value)) { + $array[$key] = $this->purifyArray($value, $config); + } else { + $array[$key] = $this->purify($value, $config); + } + $context_array[$key] = $this->context; + } + $this->context = $context_array; + return $array; + } + + /** + * Singleton for enforcing just one HTML Purifier in your system + * + * @param HTMLPurifier|HTMLPurifier_Config $prototype Optional prototype + * HTMLPurifier instance to overload singleton with, + * or HTMLPurifier_Config instance to configure the + * generated version with. 
+ * + * @return HTMLPurifier + */ + public static function instance($prototype = null) + { + if (!self::$instance || $prototype) { + if ($prototype instanceof HTMLPurifier) { + self::$instance = $prototype; + } elseif ($prototype) { + self::$instance = new HTMLPurifier($prototype); + } else { + self::$instance = new HTMLPurifier(); + } + } + return self::$instance; + } + + /** + * Singleton for enforcing just one HTML Purifier in your system + * + * @param HTMLPurifier|HTMLPurifier_Config $prototype Optional prototype + * HTMLPurifier instance to overload singleton with, + * or HTMLPurifier_Config instance to configure the + * generated version with. + * + * @return HTMLPurifier + * @note Backwards compatibility, see instance() + */ + public static function getInstance($prototype = null) + { + return HTMLPurifier::instance($prototype); + } +} + +// vim: et sw=4 sts=4 diff -Nru php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier.safe-includes.php php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier.safe-includes.php --- php-htmlpurifier-4.10.0/HTMLPurifier-4.11.0/HTMLPurifier.safe-includes.php 1970-01-01 00:00:00.000000000 +0000 +++ php-htmlpurifier-4.11.0/HTMLPurifier-4.11.0/HTMLPurifier.safe-includes.php 2019-07-14 19:19:38.000000000 +0000 @@ -0,0 +1,228 @@ +admin@htmlpurifier.org
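Review bot: `purifyArray()` never initialises `$array`, so for an empty `$array_of_html` the `foreach` body does not run and `return $array;` returns an undefined variable (`null` plus a notice or warning) instead of the `string[]` the docblock promises. Add `$array = array();` next to `$context_array = array();`. A caller that iterates or counts the result would otherwise fail on empty input.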