Rewrite CSS url() and font-family output logic.

The new logic is as follows:

* Given a URL to insert into url(), check that it is properly URL
  encoded (in particular, a doublequote and backslash never occurs
  within it) and then place it as url("http://example.com").

* Given a font name, if it is strictly alphanumeric, it is safe to omit
  quotes. Otherwise, wrap in double quotes and replace '"' with '\22 '
  (note trailing space) and '\' with '\5C ' (ditto).

We introduce expandCSSEscape() which is a hack for common parsing
idioms in CSS; this means that CSS escapes are now recognized inside
URLs as well as unquoted font names.

Signed-off-by: Edward Z. Yang <ezyang@mit.edu>

tests/HTMLPurifier/AttrDef/CSS/URITest.php

@@ -12,20 +12,16 @@ class HTMLPurifier_AttrDef_CSS_URITest extends HTMLPurifier_AttrDefHarness
         // we could be nice but we won't be
         $this->assertDef('http://www.example.com/', false);
 
-        // no quotes are used, since that's the most widely supported
-        // syntax
         $this->assertDef('url(', false);
-        $this->assertDef('url(\'\')', true);
-        $result = "url('http://www.example.com/')";
+        $this->assertDef('url("")', true);
+        $result = 'url("http://www.example.com/")';
         $this->assertDef('url(http://www.example.com/)', $result);
         $this->assertDef('url("http://www.example.com/")', $result);
         $this->assertDef("url('http://www.example.com/')", $result);
         $this->assertDef(
             '  url(  "http://www.example.com/" )   ', $result);
-
-        // escaping
         $this->assertDef("url(http://www.example.com/foo,bar\))",
-            "url('http://www.example.com/foo\,bar\)')");
+            'url("http://www.example.com/foo,bar)")');
     }
 
 }