Add HTMLPurifier after formatters are run.

After a morning of searching, it seems there is no PHP Markdown library
that has built-in XSS/sanitization support. The recommended solution is
to use HTMLPurifier.

This actually works out OK, though, as it’s probably a good idea to
enforce sanitization regardless of which formatters are enabled, and to
not leave them with the responsibility of sanitization (it’s a big
responsibility). Since we cache rendered posts, the slow speed of
HTMLPurifier isn’t a concern.

Note that HTMLPurifier requires a file to be loaded by Composer, but
Studio does not yet support this, so for now I have included it
manually.

src/Core/Formatter/FormatterManager.php

@@ -1,6 +1,8 @@
 <?php namespace Flarum\Core\Formatter;
 
 use Illuminate\Container\Container;
+use HTMLPurifier;
+use HTMLPurifier_Config;
 
 class FormatterManager
 {
@@ -60,7 +62,20 @@ class FormatterManager
             $text = $this->container->make($formatter)->format($text, $post);
         }
 
-        return $text;
+        // Studio does not yet merge autoload_files...
+        // https://github.com/franzliedke/studio/commit/4f0f4314db4ed3e36c869a5f79b855c97bdd1be7
+        require __DIR__.'/../../../vendor/ezyang/htmlpurifier/library/HTMLPurifier.composer.php';
+
+        $config = HTMLPurifier_Config::createDefault();
+        $config->set('Core.Encoding', 'UTF-8');
+        $config->set('Core.EscapeInvalidTags', true);
+        $config->set('HTML.Doctype', 'HTML 4.01 Strict');
+        $config->set('HTML.Allowed', 'p,em,strong,a[href|title],ul,ol,li,code,pre,blockquote,h1,h2,h3,h4,h5,h6,br');
+        $config->set('HTML.Nofollow', true);
+
+        $purifier = new HTMLPurifier($config);
+
+        return $purifier->purify($text);
     }
 
     public function strip($text)