Rewrite CSS url() and font-family output logic.

The new logic is as follows:

* Given a URL to insert into url(), check that it is properly URL
  encoded (in particular, a doublequote and backslash never occurs
  within it) and then place it as url("http://example.com").

* Given a font name, if it is strictly alphanumeric, it is safe to omit
  quotes. Otherwise, wrap in double quotes and replace '"' with '\22 '
  (note trailing space) and '\' with '\5C ' (ditto).

We introduce expandCSSEscape() which is a hack for common parsing
idioms in CSS; this means that CSS escapes are now recognized inside
URLs as well as unquoted font names.

Signed-off-by: Edward Z. Yang <ezyang@mit.edu>

tests/HTMLPurifier/AttrDef/CSS/ListStyleTest.php

@@ -13,14 +13,14 @@ class HTMLPurifier_AttrDef_CSS_ListStyleTest extends HTMLPurifier_AttrDefHarness
         $this->assertDef('circle outside');
         $this->assertDef('inside');
         $this->assertDef('none');
-        $this->assertDef('url(\'foo.gif\')');
-        $this->assertDef('circle url(\'foo.gif\') inside');
+        $this->assertDef('url("foo.gif")');
+        $this->assertDef('circle url("foo.gif") inside');
 
         // invalid values
         $this->assertDef('outside inside', 'outside');
 
         // ordering
-        $this->assertDef('url(foo.gif) none', 'none url(\'foo.gif\')');
+        $this->assertDef('url(foo.gif) none', 'none url("foo.gif")');
         $this->assertDef('circle lower-alpha', 'circle');
         // the spec is ambiguous about what happens in these
         // cases, so we're going off the W3C CSS validator