diff --git a/library/HTMLPurifier/HTMLDefinition.php b/library/HTMLPurifier/HTMLDefinition.php
index 8ef4fb0e..79fc3fab 100644
--- a/library/HTMLPurifier/HTMLDefinition.php
+++ b/library/HTMLPurifier/HTMLDefinition.php
@@ -229,43 +229,45 @@ class HTMLPurifier_HTMLDefinition
// strings are used instead of arrays because if you use arrays,
// you have to do some hideous manipulation with array_merge()
- // todo: determine whether or not having allowed children
- // that aren't allowed globally affects security (it shouldn't)
- // if above works out, extend children definitions to include all
- // possible elements (allowed elements will dictate which ones
- // get dropped
+ // ALL ELEMENTS, regardless of whether or not they're allowed,
+ // are defined here. $allowed_tags then determines what to
+ // ignore
- $e_special_extra = 'img';
+ $e_special_extra = 'object | applet | img | map | iframe';
$e_special_basic = 'br | span | bdo';
$e_special = "$e_special_basic | $e_special_extra";
- $e_fontstyle_extra = 'big | small';
+ $e_fontstyle_extra = 'big | small | font | basefont';
$e_fontstyle_basic = 'tt | i | b | u | s | strike';
$e_fontstyle = "$e_fontstyle_basic | $e_fontstyle_extra";
$e_phrase_extra = 'sub | sup';
$e_phrase_basic = 'em | strong | dfn | code | q | samp | kbd | var'.
' | cite | abbr | acronym';
$e_phrase = "$e_phrase_basic | $e_phrase_extra";
- $e_misc_inline = 'ins | del';
- $e_misc = "$e_misc_inline";
- $e_inline = "a | $e_special | $e_fontstyle | $e_phrase";
+ $e_inline_forms = 'input | select | textarea | label | button';
+ $e_misc_inline = 'ins | del | script';
+ $e_misc = "noscript | $e_misc_inline";
+ $e_inline = "a | $e_special | $e_fontstyle | $e_phrase | $e_inline_forms";
// pseudo-property we created for convenience, see later on
$e__inline = "#PCDATA | $e_inline | $e_misc_inline";
// note the casing
$e_Inline = new HTMLPurifier_ChildDef_Optional($e__inline);
$e_heading = 'h1|h2|h3|h4|h5|h6';
- $e_lists = 'ul | ol | dl';
- $e_blocktext = 'pre | hr | blockquote | address';
- $e_block = "p | $e_heading | div | $e_lists | $e_blocktext | table";
+ $e_lists = 'ul | ol | dl | menu | dir';
+ $e_blocktext = 'pre | hr | blockquote | address | center | noframes';
+ $e_block = "p | $e_heading | div | $e_lists | $e_blocktext | isindex | fieldset | table";
$e_Block = new HTMLPurifier_ChildDef_Optional($e_block);
- $e__flow = "#PCDATA | $e_block | $e_inline | $e_misc";
+ $e__flow = "#PCDATA | $e_block | form | $e_inline | $e_misc";
$e_Flow = new HTMLPurifier_ChildDef_Optional($e__flow);
$e_a_content = new HTMLPurifier_ChildDef_Optional("#PCDATA".
- " | $e_special | $e_fontstyle | $e_phrase | $e_misc_inline");
+ " | $e_special | $e_fontstyle | $e_phrase | $e_inline_forms | $e_misc_inline");
$e_pre_content = new HTMLPurifier_ChildDef_Optional("#PCDATA | a".
- " | $e_special_basic | $e_fontstyle_basic | $e_phrase_basic".
+ " | $e_special_basic | $e_fontstyle_basic | $e_phrase_basic | $e_inline_forms".
" | $e_misc_inline");
- $e_form_content = new HTMLPurifier_ChildDef_Optional('');//unused
- $e_form_button_content = new HTMLPurifier_ChildDef_Optional('');//unused
+ $e_form_content = new HTMLPurifier_ChildDef_Optional("#PCDATA | $e_block | $e_inline | $e_misc");//unused
+ $e_form_button_content = new HTMLPurifier_ChildDef_Optional(
+ "#PCDATA | p | $e_heading | div | $e_lists | $e_blocktext |".
+ "table | br | span | bdo | object | applet | img | map |".
+ "$e_fontstyle | $e_phrase | $e_misc");//unused
$this->info['ins']->child =
$this->info['del']->child =