From 0f7b138aaf25ec7bc2fbcdfb73efc13cb9c9e49c Mon Sep 17 00:00:00 2001
From: "Edward Z. Yang"
Date: Sun, 11 Nov 2018 16:21:34 -0500
Subject: [PATCH] Make SafeScripting case-sensitive.

Signed-off-by: Edward Z. Yang
---
 NEWS | 4 +++-
 library/HTMLPurifier/HTMLModule/SafeScripting.php | 2 +-
 tests/HTMLPurifier/HTMLModule/SafeScriptingTest.php | 4 ++++
 3 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/NEWS b/NEWS
index 24c8588d..326f4e97 100644
--- a/NEWS
+++ b/NEWS
@@ -10,7 +10,9 @@ NEWS ( CHANGELOG and HISTORY ) HTMLPurifier
 ==========================
 
 4.10.1, unknown release date
-(nothing here yet)
+# SafeScripting is now case-sensitive (previously it was
+ case-insensitive.) Thanks Dimitri Gritsajuk
+ for reporting.
 
 4.10.0, released 2018-02-22
 # PHP 5.3 is no longer officially supported by HTML Purifier
diff --git a/library/HTMLPurifier/HTMLModule/SafeScripting.php b/library/HTMLPurifier/HTMLModule/SafeScripting.php
index 93d0966f..aea7584c 100644
--- a/library/HTMLPurifier/HTMLModule/SafeScripting.php
+++ b/library/HTMLPurifier/HTMLModule/SafeScripting.php
@@ -29,7 +29,7 @@ class HTMLPurifier_HTMLModule_SafeScripting extends HTMLPurifier_HTMLModule
                 // While technically not required by the spec, we're forcing
                 // it to this value.
                 'type' => 'Enum#text/javascript',
-                'src*' => new HTMLPurifier_AttrDef_Enum(array_keys($allowed))
+                'src*' => new HTMLPurifier_AttrDef_Enum(array_keys($allowed), /*case sensitive*/ true)
             )
         );
         $script->attr_transform_pre[] =
diff --git a/tests/HTMLPurifier/HTMLModule/SafeScriptingTest.php b/tests/HTMLPurifier/HTMLModule/SafeScriptingTest.php
index 17c0763a..462b336d 100644
--- a/tests/HTMLPurifier/HTMLModule/SafeScriptingTest.php
+++ b/tests/HTMLPurifier/HTMLModule/SafeScriptingTest.php
@@ -38,6 +38,10 @@ class HTMLPurifier_HTMLModule_SafeScriptingTest extends HTMLPurifier_HTMLModuleH
 '
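Review bot: The `/*case sensitive*/ true` argument on the `'src*'` line says what the flag is but not why it matters here, and the reason is security-relevant enough to deserve a line of its own: URL paths are case-sensitive on most servers, so a case-folded comparison against the %HTML.SafeScripting allowlist could admit a `src` that resolves to a different resource than the one the deployer approved. I would put that above the line, e.g. `// Compare src URLs exactly: a case-folded match against the allowlist can accept a different (case-variant) path than the one that was approved.` The adjacent `'type' => 'Enum#text/javascript'` stays case-insensitive, which is appropriate for a MIME type, but a reader may wonder why the two differ, so the comment should make the contrast explicit. If the %HTML.SafeScripting directive's own description does not already state that entries must match exactly, that documentation should be updated in the same change, since this commit alters which inputs are accepted. The enclosing `setup()` method begins and ends outside this hunk.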