feat: Support PHP 8.5 versions (#453)

Co-authored-by: Viktor Szépe <viktor@szepe.net>
Co-authored-by: Edward Z. Yang <ezyang@mit.edu>

.gitattributes

@@ -5,6 +5,8 @@
 /benchmarks export-ignore
 /configdoc export-ignore
 /configdoc/usage.xml -crlf
+/docker-compose.yaml export-ignore
+/Dockerfile export-ignore
 /docs export-ignore
 /Doxyfile export-ignore
 /extras export-ignore

.github/workflows/ci.yml

@@ -10,7 +10,7 @@ jobs:
     strategy:
       fail-fast: true
       matrix:
-        php: ['5.6', '7.0', '7.1', '7.2', '7.3', '7.4', '8.0', '8.1', '8.2', '8.3', '8.4']
+        php: ['5.6', '7.0', '7.1', '7.2', '7.3', '7.4', '8.0', '8.1', '8.2', '8.3', '8.4', '8.5']
 
     name: PHP ${{ matrix.php }}
 

.gitignore

@@ -26,3 +26,4 @@ composer.lock
 *.orig
 *.bak
 core
+.idea

Dockerfile

@@ -0,0 +1,30 @@
+FROM ubuntu:24.04
+
+ARG DEBIAN_FRONTEND=noninteractive
+
+ENV PHP_VERSION="8.4"
+ENV LANG en_US.UTF-8
+ENV LC_ALL en_US.UTF-8
+
+RUN apt update -y && apt -y install git curl locales doxygen software-properties-common
+
+RUN echo "en_US.UTF-8 UTF-8" > /etc/locale.gen && \
+    locale-gen en_US.UTF-8 && \
+    update-locale LANG=en_US.UTF-8 \
+
+RUN echo -y | add-apt-repository ppa:ondrej/php && apt update -y
+
+RUN apt install -y  \
+    php${PHP_VERSION}  \
+    php${PHP_VERSION}-dev \
+    php${PHP_VERSION}-xdebug \
+    php${PHP_VERSION}-iconv  \
+    php${PHP_VERSION}-bcmath  \
+    php${PHP_VERSION}-tidy \
+    php${PHP_VERSION}-xml
+
+RUN echo "xdebug.mode=debug,coverage" >> /etc/php/${PHP_VERSION}/cli/php.ini
+
+COPY --from=composer:latest /usr/bin/composer /usr/bin/composer
+
+WORKDIR /opt/htmlpurifier

INSTALL

@@ -99,7 +99,7 @@ Autoload compatibility
 
     HTML Purifier attempts to be as smart as possible when registering an
     autoloader, but there are some cases where you will need to change
-    your own code to accomodate HTML Purifier. These are those cases:
+    your own code to accommodate HTML Purifier. These are those cases:
 
     AN __autoload FUNCTION IS DECLARED AFTER OUR AUTOLOADER IS REGISTERED
         spl_autoload_register() has the curious behavior of disabling

NEWS

@@ -482,7 +482,7 @@ real release we decided to skip this version number.
 
 3.3.0, released 2009-02-16
 ! Implement CSS property 'overflow' when %CSS.AllowTricky is true.
-! Implement generic property list classess
+! Implement generic property list classes
 - Fix bug with testEncodingSupportsASCII() algorithm when iconv() implementation
   does not do the "right thing" with characters not supported in the output
   set.
@@ -522,7 +522,7 @@ real release we decided to skip this version number.
 ! %Core.AggressivelyFixLt is on by default. This causes more sensible
   processing of left angled brackets in smileys and other whatnot.
 ! Test scripts now have a 'type' parameter, which lets you say 'htmlpurifier',
-  'phpt', 'vtest', etc. in order to only execute those tests. This supercedes
+  'phpt', 'vtest', etc. in order to only execute those tests. This supersedes
   the --only-phpt parameter, although for backwards-compatibility the flag
   will still work.
 ! AutoParagraph auto-formatter will now preserve double-newlines upon output.
@@ -573,7 +573,7 @@ real release we decided to skip this version number.
 . Added --quick option to multitest.php, which tests only the most recent
   release for each series.
 . Added --distro option to multitest.php, which accepts either 'normal' or
-  'standalone'. This supercedes --exclude-normal and --exclude-standalone
+  'standalone'. This supersedes --exclude-normal and --exclude-standalone
 
 3.1.1, released 2008-06-19
 # %URI.Munge now, by default, does not munge resources (for example, <img src="">)
@@ -723,7 +723,7 @@ real release we decided to skip this version number.
 # HTMLPurifier->addFilter is deprecated; built-in filters can now be
   enabled using %Filter.$filter_name or by setting your own filters using
   %Filter.Custom
-# Directive-level safety properties superceded in favor of module-level
+# Directive-level safety properties superseded in favor of module-level
   safety. Internal method HTMLModule->addElement() has changed, although
   the externally visible HTMLDefinition->addElement has *not* changed.
 ! Extra utility classes for testing and non-library operations can
@@ -769,7 +769,7 @@ real release we decided to skip this version number.
 . A couple of new historical maintenance scripts were added.
 . HTMLPurifier/HTMLModule/Tidy/XHTMLAndHTML4.php split into two files
 . tests/index.php can now be run from any directory.
-. HTMLPurifier_Token subclasses split into seperate files
+. HTMLPurifier_Token subclasses split into separate files
 . HTMLPURIFIER_PREFIX now is defined in Bootstrap.php, NOT HTMLPurifier.php
 . HTMLPURIFIER_PREFIX can now be defined outside of HTML Purifier
 . New --php=php flag added, allows PHP executable to be specified (command
@@ -835,7 +835,7 @@ real release we decided to skip this version number.
 - Fix warning emitted when a non-supported URI scheme is passed to the
   MakeAbsolute URIFilter, thanks NykO18 (again)
 - Further refine AutoParagraph injector. Behavior inside of elements
-  allowing paragraph tags clarified: only inline content delimeted by
+  allowing paragraph tags clarified: only inline content delimited by
   double newlines (not block elements) are paragraphed.
 - Buggy treatment of end tags of elements that have required attributes
   fixed (does not manifest on default tag-set)
@@ -881,7 +881,7 @@ real release we decided to skip this version number.
 ! CSS property border-spacing implemented
 - Fix non-visible parsing error in DirectLex with empty tags that have
   slashes inside attribute values.
-- Fix typo in CSS definition: border-collapse:seperate; was incorrectly
+- Fix typo in CSS definition: border-collapse:separate; was incorrectly
   accepted as valid CSS. Usually non-visible, because this styling is the
   default for tables in most browsers. Thanks Brett Zamir for pointing
   this out.
@@ -932,7 +932,7 @@ real release we decided to skip this version number.
 . HTMLPurifier_Config->getSerial() implemented, this is extremely useful
   for output cache invalidation
 . ConfigForm printer now can retrieve CSS and JS files as strings, in
-  case HTML Purifier's directory is not publically accessible
+  case HTML Purifier's directory is not publicly accessible
 . Introduce new text/itext configuration directive values: these represent
   longer strings that would be more appropriately edited with a textarea
 . Allow newlines to act as separators for lists, hashes, lookups and

TODO

@@ -41,7 +41,7 @@ FUTURE VERSIONS
  - Config: Add examples to everything (make built-in which also automatically
    gives output)
  - Add "register" field to config schemas to eliminate dependence on
-   naming conventions (try to remember why we ultimately decided on tihs)
+   naming conventions (try to remember why we ultimately decided on this)
 
 5.0 release [HTML 5]
  # Swap out code to use html5lib tokenizer and tree-builder
@@ -112,7 +112,7 @@ Neat feature related
    Also, enable disabling of directionality
  ? Externalize inline CSS to promote clean HTML, proposed by Sander Tekelenburg
  ? Remove redundant tags, ex. <u><u>Underlined</u></u>. Implementation notes:
-    1. Analyzing which tags to remove duplicants
+    1. Analyzing which tags to remove duplicates
     2. Ensure attributes are merged into the parent tag
     3. Extend the tag exclusion system to specify whether or not the
     contents should be dropped or not (currently, there's code that could do

benchmarks/samples/Lexer/4.html

@@ -392,7 +392,7 @@ Women practicing non-martial T'ai Chi in <a href="/wiki/Chinatown_%28Manhattan%2
 <li><a href="http://www.scheele.org/lee/tcclinks.html" class="external text" title="http://www.scheele.org/lee/tcclinks.html">Lee Scheele's Links to T'ai Chi Ch'uan Web Sites</a></li>
 <li><a href="http://news.bbc.co.uk/1/hi/health/3543907.stm" class="external text" title="http://news.bbc.co.uk/1/hi/health/3543907.stm">BBC article</a></li>
 <li><a href="http://www.acupuncturetoday.com/archives2004/jul/07taichi.html" class="external text" title="http://www.acupuncturetoday.com/archives2004/jul/07taichi.html">Tai Chi: Good for the Mind, Good for the Body</a></li>
-<li><a href="http://www.taichiunion.com/" class="external text" title="http://www.taichiunion.com/">Tai Chi Chuan Union for Great Britian: The largest collective of independent Tai Chi Chuan Instructors in the British Isles</a></li>
+<li><a href="http://www.taichiunion.com/" class="external text" title="http://www.taichiunion.com/">Tai Chi Chuan Union for Great Britain: The largest collective of independent Tai Chi Chuan Instructors in the British Isles</a></li>
 </ul>
 
 

composer.json

@@ -13,7 +13,7 @@
         }
     ],
     "require": {
-        "php": "~5.6.0 || ~7.0.0 || ~7.1.0 || ~7.2.0 || ~7.3.0 || ~7.4.0 || ~8.0.0 || ~8.1.0 || ~8.2.0 || ~8.3.0 || ~8.4.0"
+        "php": "~5.6.0 || ~7.0.0 || ~7.1.0 || ~7.2.0 || ~7.3.0 || ~7.4.0 || ~8.0.0 || ~8.1.0 || ~8.2.0 || ~8.3.0 || ~8.4.0 || ~8.5.0"
     },
     "require-dev": {
         "cerdic/css-tidy": "^1.7 || ^2.0",

configdoc/generate.php

@@ -16,7 +16,7 @@ TODO:
 */
 
 if (version_compare(PHP_VERSION, '5.2', '<')) exit('PHP 5.2+ required.');
-error_reporting(E_ALL | E_STRICT);
+error_reporting(E_ALL);
 
 // load dual-libraries
 require_once dirname(__FILE__) . '/../extras/HTMLPurifierExtras.auto.php';

configdoc/usage.xml

@@ -608,4 +608,9 @@
    <line>35</line>
   </file>
  </directive>
+ <directive id="URI.SafeIframeHosts">
+  <file name="HTMLPurifier/URIFilter/SafeIframe.php">
+   <line>67</line>
+  </file>
+ </directive>
 </usage>

docker-compose.yaml

@@ -0,0 +1,9 @@
+services:
+  htmlpurifier:
+    build:
+      context: "."
+      dockerfile: Dockerfile
+    container_name: 'htmlpurifier'
+    tty: true
+    volumes:
+      - .:/opt/htmlpurifier

docs/dev-config-naming.txt

@@ -49,7 +49,7 @@ the properties:
     AllowedFrameTargets -> heavily <a> specific, but also used by <area>
         and <form>. Transitional DTD %FrameTarget, not present in strict,
         HTML5 calls them "browsing contexts"
-    Default*Image* -> as a default parameter, is almost entirely exlcusive
+    Default*Image* -> as a default parameter, is almost entirely exclusive
         to <img>
     EnableID -> global attribute
     Name.UseCDATA -> heavily <a> specific, but has heavy other usage by

docs/dev-progress.html

@@ -122,7 +122,7 @@ thead th {text-align:left;padding:0.1em;background-color:#EEE;}
 
 <tbody>
 <tr><th colspan="2">Table</th></tr>
-<tr class="impl-yes"><td>border-collapse</td><td>ENUM(collapse, seperate)</td></tr>
+<tr class="impl-yes"><td>border-collapse</td><td>ENUM(collapse, separate)</td></tr>
 <tr class="impl-yes"><td>border-space</td><td>MULTIPLE</td></tr>
 <tr class="impl-yes"><td>caption-side</td><td>ENUM(top, bottom)</td></tr>
 <tr class="feature"><td>empty-cells</td><td>ENUM(show, hide), No IE support makes this useless,

docs/enduser-tidy.html

@@ -163,7 +163,7 @@ smoketest</a>.</p>
 
 <p>So you want HTML Purifier to clean up your HTML, but you're not
 so happy about the br@clear implementation. That's perfectly fine!
-HTML Purifier will make accomodations:</p>
+HTML Purifier will make accommodations:</p>
 
 <pre>$config-&gt;set('HTML.Doctype', 'XHTML 1.0 Transitional');
 $config-&gt;set('HTML.TidyLevel', 'heavy'); // all changes, minus...

docs/proposal-filter-levels.txt

@@ -60,7 +60,7 @@ These are special use tags, they should be enabled on a blanket basis.
 Lists - dd, dl, dt, li, ol, ul ~ menu, dir
 Tables - caption, table, td, th, tr / col, colgroup, tbody, tfoot, thead
 
-Forms - fieldset, form, input, lable, legend, optgroup, option, select, textarea
+Forms - fieldset, form, input, label, legend, optgroup, option, select, textarea
 XSS - noscript, object, script ~ applet
 Meta - base, basefont, body, head, html, link, meta, style, title
 Frames - frame, frameset, iframe
@@ -91,7 +91,7 @@ attribute and put URI filtering higher up on the priority list.
 
 == Attribute Risk Analysis ==
 
-We actually have a suprisingly small assortment of allowed attributes (the
+We actually have a surprisingly small assortment of allowed attributes (the
 rest are deprecated in strict, and thus we opted not to allow them, even
 though our output is XHTML Transitional by default.)
 

docs/proposal-plists.txt

@@ -70,7 +70,7 @@ Backfills/Data integrity:
 Type systems:
     - Flags: ReadOnly, Permanent, DontEnum
     - Typed properties isn't that useful [It's also Not-PHP]
-    - Seperate meta-list of directive properties IS useful
+    - Separate meta-list of directive properties IS useful
     - Duck typing is useful for systems designed fully around properties pattern
 
 Trade-off:

library/HTMLPurifier/AttrDef/CSS/FontFamily.php

@@ -195,7 +195,7 @@ class HTMLPurifier_AttrDef_CSS_FontFamily extends HTMLPurifier_AttrDef
             // transforms don't pose a security risk (as \\ and \"
             // might--these escapes are not supported by most browsers).
             // We could try to be clever and use single-quote wrapping
-            // when there is a double quote present, but I have choosen
+            // when there is a double quote present, but I have chosen
             // not to implement that.  (NOTE: you can reduce the amount
             // of escapes by one depending on what quoting style you use)
             // $font = str_replace('\\', '\\5C ', $font);

library/HTMLPurifier/AttrDef/HTML/LinkTypes.php

@@ -25,12 +25,7 @@ class HTMLPurifier_AttrDef_HTML_LinkTypes extends HTMLPurifier_AttrDef
             'rev' => 'AllowedRev'
         );
         if (!isset($configLookup[$name])) {
-            trigger_error(
+            throw new Exception('Unrecognized attribute name for link relationship.');
-                'Unrecognized attribute name for link ' .
-                'relationship.',
-                E_USER_ERROR
-            );
-            return;
         }
         $this->name = $configLookup[$name];
     }

library/HTMLPurifier/AttrDef/URI/IPv6.php

@@ -37,7 +37,7 @@ class HTMLPurifier_AttrDef_URI_IPv6 extends HTMLPurifier_AttrDef_URI_IPv4
             }
         }
 
-        //      IPv4-compatiblity check
+        //      IPv4-compatibility check
         if (preg_match('#(?<=:' . ')' . $this->ip4 . '$#s', $aIP, $find)) {
             $aIP = substr($aIP, 0, 0 - strlen($find[0]));
             $ip = explode('.', $find[0]);

library/HTMLPurifier/AttrTransform/BdoDir.php

@@ -3,7 +3,7 @@
 // this MUST be placed in post, as it assumes that any value in dir is valid
 
 /**
- * Post-trasnform that ensures that bdo tags have the dir attribute set.
+ * Post-transform that ensures that bdo tags have the dir attribute set.
  */
 class HTMLPurifier_AttrTransform_BdoDir extends HTMLPurifier_AttrTransform
 {

library/HTMLPurifier/AttrTypes.php

@@ -77,7 +77,7 @@ class HTMLPurifier_AttrTypes
         }
 
         if (!isset($this->info[$type])) {
-            trigger_error('Cannot retrieve undefined attribute type ' . $type, E_USER_ERROR);
+            throw new Exception('Cannot retrieve undefined attribute type ' . $type);
             return;
         }
         return $this->info[$type]->make($string);

library/HTMLPurifier/AttrValidator.php

@@ -135,7 +135,7 @@ class HTMLPurifier_AttrValidator
             // we'd also want slightly more complicated substitution
             // involving an array as the return value,
             // although we're not sure how colliding attributes would
-            // resolve (certain ones would be completely overriden,
+            // resolve (certain ones would be completely overridden,
             // others would prepend themselves).
         }
 

library/HTMLPurifier/Bootstrap.php

@@ -5,7 +5,7 @@ if (!defined('HTMLPURIFIER_PREFIX')) {
     define('HTMLPURIFIER_PREFIX', realpath(dirname(__FILE__) . '/..'));
 }
 
-// accomodations for versions earlier than 5.0.2
+// accommodations for versions earlier than 5.0.2
 // borrowed from PHP_Compat, LGPL licensed, by Aidan Lister <aidan@php.net>
 if (!defined('PHP_EOL')) {
     switch (strtoupper(substr(PHP_OS, 0, 3))) {

library/HTMLPurifier/CSSDefinition.php

@@ -26,6 +26,11 @@ class HTMLPurifier_CSSDefinition extends HTMLPurifier_Definition
             false
         );
 
+        $this->info['direction'] = new HTMLPurifier_AttrDef_Enum(
+            ['ltr', 'rtl'],
+            false
+        );
+
         $border_style =
             $this->info['border-bottom-style'] =
             $this->info['border-right-style'] =

library/HTMLPurifier/Config.php

@@ -898,7 +898,11 @@ class HTMLPurifier_Config
                 break;
             }
         }
-        trigger_error($msg . $extra, $no);
+        if ($no == E_USER_ERROR) {
+          throw new Exception($msg . $extra);
+        } else {
+          trigger_error($msg . $extra, $no);
+        }
     }
 
     /**

library/HTMLPurifier/ConfigSchema.php

@@ -72,7 +72,7 @@ class HTMLPurifier_ConfigSchema
         $r = unserialize($contents);
         if (!$r) {
             $hash = sha1($contents);
-            trigger_error("Unserialization of configuration schema failed, sha1 of file was $hash", E_USER_ERROR);
+            throw new Exception("Unserialization of configuration schema failed, sha1 of file was $hash");
         }
         return $r;
     }

library/HTMLPurifier/ConfigSchema/Interchange/Directive.php

@@ -66,7 +66,7 @@ class HTMLPurifier_ConfigSchema_Interchange_Directive
     public $version;
 
     /**
-     * ID of directive that supercedes this old directive.
+     * ID of directive that supersedes this old directive.
      * Null if not deprecated.
      * @type HTMLPurifier_ConfigSchema_Interchange_Id
      */

library/HTMLPurifier/ConfigSchema/schema/Attr.IDPrefixLocal.txt

@@ -5,10 +5,10 @@ DEFAULT: ''
 --DESCRIPTION--
 Temporary prefix for IDs used in conjunction with %Attr.IDPrefix.  If you
 need to allow multiple sets of user content on web page, you may need to
-have a seperate prefix that changes with each iteration.  This way,
+have a separate prefix that changes with each iteration.  This way,
-seperately submitted user content displayed on the same page doesn't
+separately submitted user content displayed on the same page doesn't
 clobber each other. Ideal values are unique identifiers for the content it
 represents (i.e. the id of the row in the database). Be sure to add a
-seperator (like an underscore) at the end.  Warning: this directive will
+separator (like an underscore) at the end.  Warning: this directive will
 not work unless %Attr.IDPrefix is set to a non-empty value!
 --# vim: et sw=4 sts=4

library/HTMLPurifier/ConfigSchema/schema/CSS.MaxImgLength.txt

@@ -1,6 +1,6 @@
 CSS.MaxImgLength
 TYPE: string/null
-DEFAULT: '1200px'
+DEFAULT: null
 VERSION: 3.1.1
 --DESCRIPTION--
 <p>

library/HTMLPurifier/ConfigSchema/schema/Core.ConvertDocumentToFragment.txt

@@ -7,7 +7,8 @@ This parameter determines whether or not the filter should convert
 input that is a full document with html and body tags to a fragment
 of just the contents of a body tag. This parameter is simply something
 HTML Purifier can do during an edge-case: for most inputs, this
-processing is not necessary.
+processing is not necessary. Warning: Full HTML purification has not
+been implemented. See GitHub issue #7.
 
 --ALIASES--
 Core.AcceptFullDocuments

library/HTMLPurifier/ConfigSchema/schema/Core.EscapeNonASCIICharacters.txt

@@ -8,6 +8,6 @@ converting all non-ASCII characters into decimal numeric entities before
 converting it to its native encoding. This means that even characters that
 can be expressed in the non-UTF-8 encoding will be entity-ized, which can
 be a real downer for encodings like Big5. It also assumes that the ASCII
-repetoire is available, although this is the case for almost all encodings.
+repertoire is available, although this is the case for almost all encodings.
 Anyway, use UTF-8!
 --# vim: et sw=4 sts=4

library/HTMLPurifier/ConfigSchema/schema/Core.LexerImpl.txt

@@ -16,7 +16,7 @@ DEFAULT: NULL
   </dd>
   <dt><em>string</em> lexer identifier</dt>
   <dd>
-    This is a slim way of manually overridding the implementation.
+    This is a slim way of manually overriding the implementation.
     Currently recognized values are: DOMLex (the default PHP5
 implementation)
     and DirectLex (the default PHP4 implementation). Only use this if

library/HTMLPurifier/ConfigSchema/schema/HTML.MaxImgLength.txt

@@ -1,6 +1,6 @@
 HTML.MaxImgLength
 TYPE: int/null
-DEFAULT: 1200
+DEFAULT: null
 VERSION: 3.1.1
 --DESCRIPTION--
 <p>

library/HTMLPurifier/ConfigSchema/schema/HTML.SafeIframe.txt

@@ -6,7 +6,7 @@ DEFAULT: false
 <p>
     Whether or not to permit iframe tags in untrusted documents.  This
     directive must be accompanied by a whitelist of permitted iframes,
-    such as %URI.SafeIframeRegexp, otherwise it will fatally error.
+    such as %URI.SafeIframeRegexp or %URI.SafeIframeHosts, otherwise it will fatally error.
     This directive has no effect on strict doctypes, as iframes are not
     valid.
 </p>

library/HTMLPurifier/ConfigSchema/schema/URI.AllowedSymbols.txt

@@ -0,0 +1,7 @@
+URI.AllowedSymbols
+TYPE: string/null
+DEFAULT: '!$&\'()*+,;='
+--DESCRIPTION--
+If a system permits templated URLs, then the URI encoder may need extra
+hints about which symbols to preserve.
+--# vim: et sw=4 sts=4

library/HTMLPurifier/ConfigSchema/schema/URI.SafeIframeHosts.txt

@@ -0,0 +1,14 @@
+URI.SafeIframeHosts
+TYPE: lookup/null
+DEFAULT: null
+--DESCRIPTION--
+<p>
+    A whitelist which indicates what explicit hosts should be
+    allowed to embed iframe.  See also %HTML.SafeIframeRegexp,
+    it has precedence over this config. Here are some example values:
+</p>
+<ul>
+    <li><code>www.youtube.com</code> - Allow YouTube videos</li>
+    <li><code>maps.google.com</code> - Allow Embedding a Google map</li>
+</ul>
+--# vim: et sw=4 sts=4

library/HTMLPurifier/ContentSets.php

@@ -142,12 +142,11 @@ class HTMLPurifier_ContentSets
         if ($return !== false) {
             return $return;
         }
-        // error-out
+
-        trigger_error(
+        throw new Exception(
             'Could not determine which ChildDef class to instantiate',
             E_USER_ERROR
         );
-        return false;
     }
 
     /**

library/HTMLPurifier/Context.php

@@ -24,11 +24,7 @@ class HTMLPurifier_Context
     public function register($name, &$ref)
     {
         if (array_key_exists($name, $this->_storage)) {
-            trigger_error(
+            throw new Exception("Name $name produces collision, cannot re-register");
-                "Name $name produces collision, cannot re-register",
-                E_USER_ERROR
-            );
-            return;
         }
         $this->_storage[$name] =& $ref;
     }
@@ -43,10 +39,7 @@ class HTMLPurifier_Context
     {
         if (!array_key_exists($name, $this->_storage)) {
             if (!$ignore_error) {
-                trigger_error(
+                throw new Exception("Attempted to retrieve non-existent variable $name");
-                    "Attempted to retrieve non-existent variable $name",
-                    E_USER_ERROR
-                );
             }
             $var = null; // so we can return by reference
             return $var;
@@ -61,11 +54,7 @@ class HTMLPurifier_Context
     public function destroy($name)
     {
         if (!array_key_exists($name, $this->_storage)) {
-            trigger_error(
+            throw new Exception("Attempted to destroy non-existent variable $name");
-                "Attempted to destroy non-existent variable $name",
-                E_USER_ERROR
-            );
-            return;
         }
         unset($this->_storage[$name]);
     }

library/HTMLPurifier/DefinitionCache/Serializer.php

@@ -139,8 +139,9 @@ class HTMLPurifier_DefinitionCache_Serializer extends HTMLPurifier_DefinitionCac
                 continue;
             }
             $key = substr($filename, 0, strlen($filename) - 4);
-            if ($this->isOld($key, $config)) {
+            $file = $dir . '/' . $filename;
-                unlink($dir . '/' . $filename);
+            if ($this->isOld($key, $config) && file_exists($file)) {
+                unlink($file);
             }
         }
         closedir($dh);

library/HTMLPurifier/DoctypeRegistry.php

@@ -86,7 +86,7 @@ class HTMLPurifier_DoctypeRegistry
             $doctype = $this->aliases[$doctype];
         }
         if (!isset($this->doctypes[$doctype])) {
-            trigger_error('Doctype ' . htmlspecialchars($doctype) . ' does not exist', E_USER_ERROR);
+            throw new Exception('Doctype ' . htmlspecialchars($doctype) . ' does not exist');
             $anon = new HTMLPurifier_Doctype($doctype);
             return $anon;
         }

library/HTMLPurifier/Encoder.php

@@ -12,7 +12,7 @@ class HTMLPurifier_Encoder
      */
     private function __construct()
     {
-        trigger_error('Cannot instantiate encoder, call methods statically', E_USER_ERROR);
+        throw new Exception('Cannot instantiate encoder, call methods statically');
     }
 
     /**
@@ -390,7 +390,7 @@ class HTMLPurifier_Encoder
             $str = self::unsafeIconv($encoding, 'utf-8//IGNORE', $str);
             if ($str === false) {
                 // $encoding is not a valid encoding
-                trigger_error('Invalid encoding ' . $encoding, E_USER_ERROR);
+                throw new Exception('Invalid encoding ' . $encoding);
                 return '';
             }
             // If the string is bjorked by Shift_JIS or a similar encoding
@@ -404,12 +404,11 @@ class HTMLPurifier_Encoder
         }
         $bug = HTMLPurifier_Encoder::testIconvTruncateBug();
         if ($bug == self::ICONV_OK) {
-            trigger_error('Encoding not supported, please install iconv', E_USER_ERROR);
+            throw new Exception('Encoding not supported, please install iconv');
         } else {
-            trigger_error(
+            throw new Exception(
                 'You have a buggy version of iconv, see https://bugs.php.net/bug.php?id=48147 ' .
-                'and http://sourceware.org/bugzilla/show_bug.cgi?id=13541',
+                'and http://sourceware.org/bugzilla/show_bug.cgi?id=13541'
-                E_USER_ERROR
             );
         }
     }
@@ -454,7 +453,7 @@ class HTMLPurifier_Encoder
             $str = mb_convert_encoding($str, 'ISO-8859-1', 'UTF-8');
             return $str;
         }
-        trigger_error('Encoding not supported', E_USER_ERROR);
+        throw new Exception('Encoding not supported');
         // You might be tempted to assume that the ASCII representation
         // might be OK, however, this is *not* universally true over all
         // encodings.  So we take the conservative route here, rather
@@ -545,10 +544,9 @@ class HTMLPurifier_Encoder
             } elseif (($c = strlen($r)) < 9000) {
                 $code = self::ICONV_TRUNCATES;
             } elseif ($c > 9000) {
-                trigger_error(
+                throw new Exception(
                     'Your copy of iconv is extremely buggy. Please notify HTML Purifier maintainers: ' .
-                    'include your iconv version as per phpversion()',
+                    'include your iconv version as per phpversion()'
-                    E_USER_ERROR
                 );
             } else {
                 $code = self::ICONV_OK;

library/HTMLPurifier/EntityParser.php

@@ -5,7 +5,7 @@
 // $config or $context to the callback functions.
 
 /**
- * Handles referencing and derefencing character entities
+ * Handles referencing and dereferencing character entities
  */
 class HTMLPurifier_EntityParser
 {

library/HTMLPurifier/Filter.php

@@ -4,7 +4,7 @@
  * Represents a pre or post processing filter on HTML Purifier's output
  *
  * Sometimes, a little ad-hoc fixing of HTML has to be done before
- * it gets sent through HTML Purifier: you can use filters to acheive
+ * it gets sent through HTML Purifier: you can use filters to achieve
  * this effect. For instance, YouTube videos can be preserved using
  * this manner. You could have used a decorator for this task, but
  * PHP's support for them is not terribly robust, so we're going

library/HTMLPurifier/Filter/YouTube.php

@@ -19,7 +19,7 @@ class HTMLPurifier_Filter_YouTube extends HTMLPurifier_Filter
         $pre_regex = '#<object[^>]+>.+?' .
             '(?:http:)?//www.youtube.com/((?:v|cp)/[A-Za-z0-9\-_=]+).+?</object>#s';
         $pre_replace = '<span class="youtube-embed">\1</span>';
-        return preg_replace($pre_regex, $pre_replace, $html);
+        return preg_replace($pre_regex, $pre_replace, (string)$html);
     }
 
     /**
@@ -31,7 +31,7 @@ class HTMLPurifier_Filter_YouTube extends HTMLPurifier_Filter
     public function postFilter($html, $config, $context)
     {
         $post_regex = '#<span class="youtube-embed">((?:v|cp)/[A-Za-z0-9\-_=]+)</span>#';
-        return preg_replace_callback($post_regex, array($this, 'postFilterCallback'), $html);
+        return preg_replace_callback($post_regex, array($this, 'postFilterCallback'), (string)$html);
     }
 
     /**

library/HTMLPurifier/Generator.php

@@ -244,7 +244,7 @@ class HTMLPurifier_Generator
             // whitespace (in fact, most don't, at least for attributes
             // like alt, but an extra space at the end is barely
             // noticeable).  Still, we have a configuration knob for
-            // this, since this transformation is not necesary if you
+            // this, since this transformation is not necessary if you
             // don't process user input with innerHTML or you don't plan
             // on supporting Internet Explorer.
             if ($this->_innerHTMLFix) {

library/HTMLPurifier/HTMLDefinition.php

@@ -264,9 +264,8 @@ class HTMLPurifier_HTMLDefinition extends HTMLPurifier_Definition
         if (isset($this->info_content_sets['Block'][$block_wrapper])) {
             $this->info_block_wrapper = $block_wrapper;
         } else {
-            trigger_error(
+            throw new Exception(
-                'Cannot use non-block element as block wrapper',
+                'Cannot use non-block element as block wrapper'
-                E_USER_ERROR
             );
         }
 
@@ -276,11 +275,7 @@ class HTMLPurifier_HTMLDefinition extends HTMLPurifier_Definition
             $this->info_parent = $parent;
             $this->info_parent_def = $def;
         } else {
-            trigger_error(
+            throw new Exception('Cannot use unrecognized element as parent');
-                'Cannot use unrecognized element as parent',
-                E_USER_ERROR
-            );
-            $this->info_parent_def = $this->manager->getElement($this->info_parent, true);
         }
 
         // support template text

library/HTMLPurifier/HTMLModule/Edit.php

@@ -28,7 +28,7 @@ class HTMLPurifier_HTMLModule_Edit extends HTMLPurifier_HTMLModule
 
     // HTML 4.01 specifies that ins/del must not contain block
     // elements when used in an inline context, chameleon is
-    // a complicated workaround to acheive this effect
+    // a complicated workaround to achieve this effect
 
     // Inline context ! Block context (exclamation mark is
     // separator, see getChildDef for parsing)

library/HTMLPurifier/HTMLModule/Ruby.php

@@ -2,7 +2,7 @@
 
 /**
  * XHTML 1.1 Ruby Annotation Module, defines elements that indicate
- * short runs of text alongside base text for annotation or pronounciation.
+ * short runs of text alongside base text for annotation or pronunciation.
  */
 class HTMLPurifier_HTMLModule_Ruby extends HTMLPurifier_HTMLModule
 {

library/HTMLPurifier/HTMLModule/Tidy.php

@@ -112,9 +112,8 @@ class HTMLPurifier_HTMLModule_Tidy extends HTMLPurifier_HTMLModule
             return;
         }
         if (!isset($this->fixesForLevel[$this->defaultLevel])) {
-            trigger_error(
+            throw new Exception(
-                'Default level ' . $this->defaultLevel . ' does not exist',
+                'Default level ' . $this->defaultLevel . ' does not exist'
-                E_USER_ERROR
             );
             return;
         }
@@ -162,8 +161,7 @@ class HTMLPurifier_HTMLModule_Tidy extends HTMLPurifier_HTMLModule
                     $e->$type = $fix;
                     break;
                 default:
-                    trigger_error("Fix type $type not supported", E_USER_ERROR);
+                    throw new Exception("Fix type $type not supported");
-                    break;
             }
         }
     }

library/HTMLPurifier/HTMLModule/Tidy/Name.php

@@ -1,7 +1,7 @@
 <?php
 
 /**
- * Name is deprecated, but allowed in strict doctypes, so onl
+ * Name is deprecated, but allowed in strict doctypes, so only
  */
 class HTMLPurifier_HTMLModule_Tidy_Name extends HTMLPurifier_HTMLModule_Tidy
 {

library/HTMLPurifier/HTMLModuleManager.php

@@ -183,11 +183,7 @@ class HTMLPurifier_HTMLModuleManager
             if (!$ok) {
                 $module = $original_module;
                 if (!class_exists($module)) {
-                    trigger_error(
+                    throw new Exception($original_module . ' module does not exist');
-                        $original_module . ' module does not exist',
-                        E_USER_ERROR
-                    );
-                    return;
                 }
             }
             $module = new $module();

library/HTMLPurifier/LanguageFactory.php

@@ -173,14 +173,8 @@ class HTMLPurifier_LanguageFactory
 
             // infinite recursion guard
             if (isset($languages_seen[$code])) {
-                trigger_error(
+                throw new Exception('Circular fallback reference in language ' . $code);
-                    'Circular fallback reference in language ' .
-                    $code,
-                    E_USER_ERROR
-                );
-                $fallback = 'en';
             }
-            $language_seen[$code] = true;
 
             // load the fallback recursively
             $this->loadLanguage($fallback);

library/HTMLPurifier/Lexer.php

@@ -238,7 +238,7 @@ class HTMLPurifier_Lexer
      */
     public function tokenizeHTML($string, $config, $context)
     {
-        trigger_error('Call to abstract class', E_USER_ERROR);
+        throw new Exception('Call to abstract class');
     }
 
     /**

library/HTMLPurifier/Lexer/DOMLex.php

@@ -52,14 +52,7 @@ class HTMLPurifier_Lexer_DOMLex extends HTMLPurifier_Lexer
         // attempt to armor stray angled brackets that cannot possibly
         // form tags and thus are probably being used as emoticons
         if ($config->get('Core.AggressivelyFixLt')) {
-            $char = '[^a-z!\/]';
+            $html = $this->aggressivelyFixLt($html);
-            $comment = "/<!--(.*?)(-->|\z)/is";
-            $html = preg_replace_callback($comment, array($this, 'callbackArmorCommentEntities'), $html);
-            do {
-                $old = $html;
-                $html = preg_replace("/<($char)/i", '&lt;\\1', $html);
-            } while ($html !== $old);
-            $html = preg_replace_callback($comment, array($this, 'callbackUndoCommentSubst'), $html); // fix comments
         }
 
         // preprocess html, essential for UTF-8
@@ -288,7 +281,7 @@ class HTMLPurifier_Lexer_DOMLex extends HTMLPurifier_Lexer
      */
     public function callbackUndoCommentSubst($matches)
     {
-        return '<!--' . strtr($matches[1], array('&amp;' => '&', '&lt;' => '<')) . $matches[2];
+        return '<!--' . $this->undoCommentSubstr($matches[1]) . $matches[2];
     }
 
     /**
@@ -299,7 +292,25 @@ class HTMLPurifier_Lexer_DOMLex extends HTMLPurifier_Lexer
      */
     public function callbackArmorCommentEntities($matches)
     {
-        return '<!--' . str_replace('&', '&amp;', $matches[1]) . $matches[2];
+        return '<!--' . $this->armorEntities($matches[1]) . $matches[2];
+    }
+
+    /**
+     * @param string $string
+     * @return string
+     */
+    protected function armorEntities($string)
+    {
+        return str_replace('&', '&amp;', $string);
+    }
+
+    /**
+     * @param string $string
+     * @return string
+     */
+    protected function undoCommentSubstr($string)
+    {
+        return strtr($string, array('&amp;' => '&', '&lt;' => '<'));
     }
 
     /**
@@ -335,6 +346,66 @@ class HTMLPurifier_Lexer_DOMLex extends HTMLPurifier_Lexer
         $ret .= '</body></html>';
         return $ret;
     }
+
+    /**
+     * @param string $html
+     * @return string
+     */
+    protected function aggressivelyFixLt($html)
+    {
+        $char = '[^a-z!\/]';
+        $html = $this->manipulateHtmlComments($html, array($this, 'armorEntities'));
+
+        do {
+            $old = $html;
+            $html = preg_replace("/<($char)/i", '&lt;\\1', $html);
+        } while ($html !== $old);
+
+        return $this->manipulateHtmlComments($html, array($this, 'undoCommentSubstr'));
+    }
+
+    /**
+     * Modify HTML comments in the given HTML content using a callback.
+     *
+     * @param string $html
+     * @param callable $callback
+     * @return string
+     */
+    protected function manipulateHtmlComments($html, callable $callback)
+    {
+        $offset = 0;
+        $startTag = '<!--';
+        $endTag = '-->';
+
+        while (($startPos = strpos($html, $startTag, $offset)) !== false) {
+            $startPos += strlen($startTag); // Move past `<!--`
+            $endPos = strpos($html, $endTag, $startPos);
+
+            if ($endPos === false) {
+                // No matching ending comment tag found
+                break;
+            }
+
+            // Extract the original comment content
+            $commentContent = substr($html, $startPos, $endPos - $startPos);
+
+            // Apply the callback to the comment content
+            $newCommentContent = $callback($commentContent);
+
+            // Reconstruct the entire comment with the new content
+            $newComment = $startTag . $newCommentContent . $endTag;
+
+            // Replace the old comment in the HTML content with the new one
+            $html = substr($html, 0, $startPos - strlen($startTag)) .
+                $newComment .
+                substr($html, $endPos + strlen($endTag));
+
+            // Move offset to the end of the new comment for the next iteration
+            $offset = strpos($html, $newComment, $offset) + strlen($newComment);
+        }
+
+        return $html;
+    }
 }
 
 // vim: et sw=4 sts=4

library/HTMLPurifier/Lexer/DirectLex.php

@@ -111,7 +111,7 @@ class HTMLPurifier_Lexer_DirectLex extends HTMLPurifier_Lexer
                 if ($synchronize_interval && // synchronization is on
                     $cursor > 0 && // cursor is further than zero
                     $loops % $synchronize_interval === 0) { // time to synchronize!
-                    $current_line = 1 + $this->substrCount($html, $nl, 0, $cursor);
+                    $current_line = 1 + substr_count($html, $nl, 0, $cursor);
                 }
             }
 
@@ -139,7 +139,7 @@ class HTMLPurifier_Lexer_DirectLex extends HTMLPurifier_Lexer
                 );
                 if ($maintain_line_numbers) {
                     $token->rawPosition($current_line, $current_col);
-                    $current_line += $this->substrCount($html, $nl, $cursor, $position_next_lt - $cursor);
+                    $current_line += substr_count($html, $nl, $cursor, $position_next_lt - $cursor);
                 }
                 $array[] = $token;
                 $cursor = $position_next_lt + 1;
@@ -214,7 +214,7 @@ class HTMLPurifier_Lexer_DirectLex extends HTMLPurifier_Lexer
                     );
                     if ($maintain_line_numbers) {
                         $token->rawPosition($current_line, $current_col);
-                        $current_line += $this->substrCount($html, $nl, $cursor, $strlen_segment);
+                        $current_line += substr_count($html, $nl, $cursor, $strlen_segment);
                     }
                     $array[] = $token;
                     $cursor = $end ? $position_comment_end : $position_comment_end + 3;
@@ -229,7 +229,7 @@ class HTMLPurifier_Lexer_DirectLex extends HTMLPurifier_Lexer
                     $token = new HTMLPurifier_Token_End($type);
                     if ($maintain_line_numbers) {
                         $token->rawPosition($current_line, $current_col);
-                        $current_line += $this->substrCount($html, $nl, $cursor, $position_next_gt - $cursor);
+                        $current_line += substr_count($html, $nl, $cursor, $position_next_gt - $cursor);
                     }
                     $array[] = $token;
                     $inside_tag = false;
@@ -248,7 +248,7 @@ class HTMLPurifier_Lexer_DirectLex extends HTMLPurifier_Lexer
                     $token = new HTMLPurifier_Token_Text('<');
                     if ($maintain_line_numbers) {
                         $token->rawPosition($current_line, $current_col);
-                        $current_line += $this->substrCount($html, $nl, $cursor, $position_next_gt - $cursor);
+                        $current_line += substr_count($html, $nl, $cursor, $position_next_gt - $cursor);
                     }
                     $array[] = $token;
                     $inside_tag = false;
@@ -276,7 +276,7 @@ class HTMLPurifier_Lexer_DirectLex extends HTMLPurifier_Lexer
                     }
                     if ($maintain_line_numbers) {
                         $token->rawPosition($current_line, $current_col);
-                        $current_line += $this->substrCount($html, $nl, $cursor, $position_next_gt - $cursor);
+                        $current_line += substr_count($html, $nl, $cursor, $position_next_gt - $cursor);
                     }
                     $array[] = $token;
                     $inside_tag = false;
@@ -310,7 +310,7 @@ class HTMLPurifier_Lexer_DirectLex extends HTMLPurifier_Lexer
                 }
                 if ($maintain_line_numbers) {
                     $token->rawPosition($current_line, $current_col);
-                    $current_line += $this->substrCount($html, $nl, $cursor, $position_next_gt - $cursor);
+                    $current_line += substr_count($html, $nl, $cursor, $position_next_gt - $cursor);
                 }
                 $array[] = $token;
                 $cursor = $position_next_gt + 1;
@@ -343,28 +343,6 @@ class HTMLPurifier_Lexer_DirectLex extends HTMLPurifier_Lexer
         return $array;
     }
 
-    /**
-     * PHP 5.0.x compatible substr_count that implements offset and length
-     * @param string $haystack
-     * @param string $needle
-     * @param int $offset
-     * @param int $length
-     * @return int
-     */
-    protected function substrCount($haystack, $needle, $offset, $length)
-    {
-        static $oldVersion;
-        if ($oldVersion === null) {
-            $oldVersion = version_compare(PHP_VERSION, '5.1', '<');
-        }
-        if ($oldVersion) {
-            $haystack = substr($haystack, $offset, $length);
-            return substr_count($haystack, $needle);
-        } else {
-            return substr_count($haystack, $needle, $offset, $length);
-        }
-    }
-
     /**
      * Takes the inside of an HTML tag and makes an assoc array of attributes.
      *

library/HTMLPurifier/Lexer/PH5P.php

@@ -1223,14 +1223,14 @@ class HTML5
                 'type' => self::COMMENT
             );
 
-            /* Otherwise if the next seven chacacters are a case-insensitive match
+            /* Otherwise if the next seven characters are a case-insensitive match
             for the word "DOCTYPE", then consume those characters and switch to the
             DOCTYPE state. */
         } elseif (strtolower($this->character($this->char + 1, 7)) === 'doctype') {
             $this->char += 7;
             $this->state = 'doctype';
 
-            /* Otherwise, is is a parse error. Switch to the bogus comment state.
+            /* Otherwise, it is a parse error. Switch to the bogus comment state.
             The next character that is consumed, if any, is the first character
             that will be in the comment. */
         } else {

library/HTMLPurifier/Strategy/FixNesting.php

@@ -20,7 +20,7 @@
  * The second objective is to ensure that explicitly excluded elements of
  * an element do not appear in its children.  Code that accomplishes this
  * task is pervasive through the strategy, though the two are distinct tasks
- * and could, theoretically, be seperated (although it's not recommended).
+ * and could, theoretically, be separated (although it's not recommended).
  *
  * @note Whether or not unrecognized children are silently dropped or
  *       translated into text depends on the child definitions.

library/HTMLPurifier/Strategy/MakeWellFormed.php

@@ -641,7 +641,7 @@ class HTMLPurifier_Strategy_MakeWellFormed extends HTMLPurifier_Strategy
 //    Needless to say, we need to UN-skip the token so it gets
 //    reprocessed.
 //
-//  - Suppose that you successfuly process a token, replace it with
+//  - Suppose that you successfully process a token, replace it with
 //    one with your skip mark, but now another injector wants to
 //    process the skipped token with another token.  Should you continue
 //    to skip that new token, or reprocess it?  If you reprocess,

library/HTMLPurifier/URI.php

@@ -108,7 +108,7 @@ class HTMLPurifier_URI
     public function validate($config, $context)
     {
         // ABNF definitions from RFC 3986
-        $chars_sub_delims = '!$&\'()*+,;=';
+        $chars_sub_delims = $config->get('URI.AllowedSymbols');
         $chars_gen_delims = ':/?#[]@';
         $chars_pchar = $chars_sub_delims . ':@';
 

library/HTMLPurifier/URIFilter/Munge.php

@@ -71,7 +71,7 @@ class HTMLPurifier_URIFilter_Munge extends HTMLPurifier_URIFilter
         } // ignore unknown schemes, maybe another postfilter did it
         if (!$scheme_obj->browsable) {
             return true;
-        } // ignore non-browseable schemes, since we can't munge those in a reasonable way
+        } // ignore non-browsable schemes, since we can't munge those in a reasonable way
         if ($uri->isBenign($config, $context)) {
             return true;
         } // don't redirect if a benign URL

library/HTMLPurifier/URIFilter/SafeIframe.php

@@ -57,11 +57,12 @@ class HTMLPurifier_URIFilter_SafeIframe extends HTMLPurifier_URIFilter
             return true;
         }
         // check if we actually have some whitelists enabled
-        if ($this->regexp === null) {
+        if ($this->regexp !== null) {
-            return false;
+            return preg_match($this->regexp, $uri->toString());
         }
-        // actually check the whitelists
+        // check if the host is in a whitelist for safe iframe hosts
-        return preg_match($this->regexp, $uri->toString());
+        $safeHosts = $config->get('URI.SafeIframeHosts');
+        return $safeHosts !== null && isset($safeHosts[$uri->host]);
     }
 }
 

library/HTMLPurifier/URIParser.php

@@ -29,7 +29,7 @@ class HTMLPurifier_URIParser
 
         // Regexp is as per Appendix B.
         // Note that ["<>] are an addition to the RFC's recommended
-        // characters, because they represent external delimeters.
+        // characters, because they represent external delimiters.
         $r_URI = '!'.
             '(([a-zA-Z0-9\.\+\-]+):)?'. // 2. Scheme
             '(//([^/?#"<>]*))?'. // 4. Authority
@@ -43,7 +43,7 @@ class HTMLPurifier_URIParser
 
         if (!$result) return false; // *really* invalid URI
 
-        // seperate out parts
+        // separate out parts
         $scheme     = !empty($matches[1]) ? $matches[2] : null;
         $authority  = !empty($matches[3]) ? $matches[4] : null;
         $path       = $matches[5]; // always present, can be empty

library/HTMLPurifier/URIScheme/data.php

@@ -105,7 +105,7 @@ class HTMLPurifier_URIScheme_data extends HTMLPurifier_URIScheme
             }
             $image_code = $info[2];
         } else {
-            trigger_error("could not find exif_imagetype or getimagesize functions", E_USER_ERROR);
+            throw new Exception("could not find exif_imagetype or getimagesize functions");
         }
         $real_content_type = image_type_to_mime_type($image_code);
         if ($real_content_type != $content_type) {

maintenance/PH5P.php

@@ -800,14 +800,14 @@ class HTML5
                 'type' => self::COMMENT
             );
 
-        /* Otherwise if the next seven chacacters are a case-insensitive match
+        /* Otherwise if the next seven characters are a case-insensitive match
         for the word "DOCTYPE", then consume those characters and switch to the
         DOCTYPE state. */
         } elseif(strtolower($this->character($this->char + 1, 7)) === 'doctype') {
             $this->char += 7;
             $this->state = 'doctype';
 
-        /* Otherwise, is is a parse error. Switch to the bogus comment state.
+        /* Otherwise, it is a parse error. Switch to the bogus comment state.
         The next character that is consumed, if any, is the first character
         that will be in the comment. */
         } else {

plugins/phorum/settings.php

@@ -14,7 +14,7 @@ if(!defined("PHORUM_ADMIN")) exit;
 // error reporting is good!
 error_reporting(E_ALL ^ E_NOTICE);
 
-// load library and other paraphenalia
+// load library and other paraphernalia
 require_once './include/admin/PhorumInputForm.php';
 require_once (dirname(__FILE__) . '/htmlpurifier/HTMLPurifier.auto.php');
 require_once (dirname(__FILE__) . '/init-config.php');

smoketests/xssAttacks.php

@@ -36,7 +36,7 @@ function formatCode($string)
 <p>XSS attacks are from
 <a href="http://ha.ckers.org/xss.html">http://ha.ckers.org/xss.html</a>.</p>
 <p><strong>Caveats:</strong>
-<tt>Google.com</tt> has been programatically disallowed, but as you can
+<tt>Google.com</tt> has been programmatically disallowed, but as you can
 see, there are ways of getting around that, so coverage in this area
 is not complete. Most XSS broadcasts its presence by spawning an alert dialogue.
 The displayed code is not strictly correct, as linebreaks have been forced for
@@ -50,7 +50,7 @@ if (version_compare(PHP_VERSION, '5', '<')) exit('<p>Requires PHP 5.</p>');
 
 $xml = simplexml_load_file('xssAttacks.xml');
 
-// programatically disallow google.com for URI evasion tests
+// programmatically disallow google.com for URI evasion tests
 // not complete
 $config = HTMLPurifier_Config::createDefault();
 $config->set('URI.HostBlacklist', array('google.com'));

smoketests/xssAttacks.xml

@@ -864,7 +864,7 @@ As a side note, this was also effective against a real world XSS filter I came a
 	<attack>
 		<name>Extraneous Open Brackets</name>
 		<code>&lt;&lt;SCRIPT&gt;alert(&quot;XSS&quot;);//&lt;&lt;/SCRIPT&gt;</code>
-		<desc>(Submitted by Franz Sedlmaier http://www.pilorz.net/).  This XSS vector could defeat certain detection engines that work by first using matching pairs of open and close angle brackets and then by doing a comparison of the tag inside, instead of a more efficient algorythm like Boyer-Moore (http://www.cs.utexas.edu/users/moore/best-ideas/string-searching/) that looks for entire string matches of the open angle bracket and associated tag (post de-obfuscation, of course).  The double slash comments out the ending extraneous bracket to supress a JavaScript error.</desc>
+		<desc>(Submitted by Franz Sedlmaier http://www.pilorz.net/).  This XSS vector could defeat certain detection engines that work by first using matching pairs of open and close angle brackets and then by doing a comparison of the tag inside, instead of a more efficient algorithm like Boyer-Moore (http://www.cs.utexas.edu/users/moore/best-ideas/string-searching/) that looks for entire string matches of the open angle bracket and associated tag (post de-obfuscation, of course).  The double slash comments out the ending extraneous bracket to suppress a JavaScript error.</desc>
 
 		<label>Embedded Character Attacks</label>
 		<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
@@ -940,7 +940,7 @@ alert(a.source)&lt;/SCRIPT&gt;</code>
 
 -onCut() (user needs to copy something or it can be exploited using the execCommand(&quot;Cut&quot;) command)
 
--onDataAvailible() (user would need to change data in an element, or attacker could perform the same function)
+-onDataAvailable() (user would need to change data in an element, or attacker could perform the same function)
 
 -onDataSetChanged() (fires when the data set exposed by a data source object changes)
 

tests/HTMLPurifier/AttrCollectionsTest.php

@@ -34,12 +34,12 @@ class HTMLPurifier_AttrCollectionsTest extends HTMLPurifier_Harness
         $modules['Module2'] = new HTMLPurifier_HTMLModule();
         $modules['Module2']->attr_collections = array(
             'Core' => array(
-                0 => array('Brocolli')
+                0 => array('Broccoli')
             ),
             'Soup' => array(
                 'attribute-3' => 'Type3'
             ),
-            'Brocolli' => array()
+            'Broccoli' => array()
         );
 
         $collections->doConstruct($types, $modules);
@@ -48,14 +48,14 @@ class HTMLPurifier_AttrCollectionsTest extends HTMLPurifier_Harness
             $collections->info,
             array(
                 'Core' => array(
-                    0 => array('Soup', 'Undefined', 'Brocolli'),
+                    0 => array('Soup', 'Undefined', 'Broccoli'),
                     'attribute' => 'Type',
                     'attribute-2' => 'Type2'
                 ),
                 'Soup' => array(
                     'attribute-3' => 'Type3'
                 ),
-                'Brocolli' => array()
+                'Broccoli' => array()
             )
         );
 

tests/HTMLPurifier/AttrDef/CSSTest.php

@@ -13,6 +13,8 @@ class HTMLPurifier_AttrDef_CSSTest extends HTMLPurifier_AttrDefHarness
     {
         // regular cases, singular
         $this->assertDef('text-align:right;');
+        $this->assertDef('direction:ltr;');
+        $this->assertDef('direction:rtl;');
         $this->assertDef('border-left-style:solid;');
         $this->assertDef('border-style:solid dotted;');
         $this->assertDef('clear:right;');

tests/HTMLPurifier/AttrTypesTest.php

@@ -12,7 +12,7 @@ class HTMLPurifier_AttrTypesTest extends HTMLPurifier_Harness
             new HTMLPurifier_AttrDef_Text()
         );
 
-        $this->expectError('Cannot retrieve undefined attribute type foobar');
+        $this->expectException(new Exception('Cannot retrieve undefined attribute type foobar'));
         $types->get('foobar');
 
         $this->assertIdentical(

tests/HTMLPurifier/ChildDef/StrictBlockquoteTest.php

@@ -59,7 +59,7 @@ extends HTMLPurifier_ChildDefHarness
         );
     }
 
-    public function testWrapComplicatedSring()
+    public function testWrapComplicatedString()
     {
         $this->assertResult(
             $var = 'He said<br />perhaps<br />we should <b>nuke</b> them.',
@@ -84,7 +84,7 @@ extends HTMLPurifier_ChildDefHarness
 
     public function testError()
     {
-        $this->expectError('Cannot use non-block element as block wrapper');
+        $this->expectException(new Exception('Cannot use non-block element as block wrapper'));
         $this->obj = new HTMLPurifier_ChildDef_StrictBlockquote('div | p');
         $this->config->set('HTML.BlockWrapper', 'dav');
         $this->config->set('Cache.DefinitionImpl', null);

tests/HTMLPurifier/ConfigTest.php

@@ -155,7 +155,7 @@ class HTMLPurifier_ConfigTest extends HTMLPurifier_Harness
 
         $this->assertIdentical($config->get('Home.Rug'), 3);
 
-        $this->expectError('Cannot get value from aliased directive, use real name Home.Rug');
+        $this->expectException(new Exception('Cannot get value from aliased directive, use real name Home.Rug'));
         $config->get('Home.Carpet');
 
         $this->expectError('Home.Carpet is an alias, preferred directive name is Home.Rug');
@@ -184,7 +184,7 @@ class HTMLPurifier_ConfigTest extends HTMLPurifier_Harness
             )
         );
 
-        // grab a non-existant namespace
+        // grab a non-existent namespace
         $this->expectError('Cannot retrieve undefined namespace Constants');
         $config->getBatch('Constants');
 
@@ -384,7 +384,7 @@ class HTMLPurifier_ConfigTest extends HTMLPurifier_Harness
 
         $config->finalize();
 
-        $this->expectError('Cannot set directive after finalization');
+        $this->expectException(new Exception('Cannot set directive after finalization'));
         $config->set('Poem.Meter', 'vedic');
 
         $this->expectError('Cannot load directives after finalization');

tests/HTMLPurifier/ContextTest.php

@@ -27,11 +27,11 @@ class HTMLPurifier_ContextTest extends HTMLPurifier_Harness
         $this->context->destroy('IDAccumulator');
         $this->assertFalse($this->context->exists('IDAccumulator'));
 
-        $this->expectError('Attempted to retrieve non-existent variable IDAccumulator');
+        $this->expectException(new Exception('Attempted to retrieve non-existent variable IDAccumulator'));
         $accumulator_3 =& $this->context->get('IDAccumulator');
         $this->assertNull($accumulator_3);
 
-        $this->expectError('Attempted to destroy non-existent variable IDAccumulator');
+        $this->expectException(new Exception('Attempted to destroy non-existent variable IDAccumulator'));
         $this->context->destroy('IDAccumulator');
 
     }
@@ -41,7 +41,7 @@ class HTMLPurifier_ContextTest extends HTMLPurifier_Harness
         $var = true;
         $this->context->register('OnceOnly', $var);
 
-        $this->expectError('Name OnceOnly produces collision, cannot re-register');
+        $this->expectException(new Exception('Name OnceOnly produces collision, cannot re-register'));
         $this->context->register('OnceOnly', $var);
 
         // destroy it, now registration is okay

tests/HTMLPurifier/DoctypeRegistryTest.php

@@ -36,7 +36,7 @@ class HTMLPurifier_DoctypeRegistryTest extends HTMLPurifier_Harness
 
         $registry = new HTMLPurifier_DoctypeRegistry();
 
-        $this->expectError('Doctype XHTML 2.0 does not exist');
+        $this->expectException(new Exception('Doctype XHTML 2.0 does not exist'));
         $registry->get('XHTML 2.0');
 
         // prevent XSS

tests/HTMLPurifier/EncoderTest.php

@@ -47,7 +47,7 @@ class HTMLPurifier_EncoderTest extends HTMLPurifier_Harness
     {
         if (!HTMLPurifier_Encoder::iconvAvailable()) return;
         $this->config->set('Core.Encoding', 'utf99');
-        $this->expectError('Invalid encoding utf99');
+        $this->expectException(new Exception('Invalid encoding utf99'));
         $this->assertIdentical(
             HTMLPurifier_Encoder::convertToUTF8("\xF6", $this->config, $this->context),
             ''

tests/HTMLPurifier/HTMLModule/ImageTest.php

@@ -11,6 +11,7 @@ class HTMLPurifier_HTMLModule_ImageTest extends HTMLPurifier_HTMLModuleHarness
 
     public function testLengthTooLarge()
     {
+        $this->config->set('HTML.MaxImgLength', 1200);
         $this->assertResult(
             '<img height="40000" width="40000" src="" alt="" />',
             '<img height="1200" width="1200" src="" alt="" />'
@@ -19,6 +20,7 @@ class HTMLPurifier_HTMLModule_ImageTest extends HTMLPurifier_HTMLModuleHarness
 
     public function testLengthPercentage()
     {
+        $this->config->set('HTML.MaxImgLength', 1200);
         $this->assertResult(
             '<img height="100%" width="100%" src="" alt="" />',
             '<img src="" alt="" />'

tests/HTMLPurifier/HTMLModule/SafeEmbedTest.php

@@ -6,6 +6,7 @@ class HTMLPurifier_HTMLModule_SafeEmbedTest extends HTMLPurifier_HTMLModuleHarne
     public function setUp()
     {
         parent::setUp();
+        $this->config->set('HTML.MaxImgLength', 1200);
         $def = $this->config->getHTMLDefinition(true);
         $def->manager->addModule('SafeEmbed');
     }

tests/HTMLPurifier/HTMLModule/SafeObjectTest.php

@@ -8,6 +8,7 @@ class HTMLPurifier_HTMLModule_SafeObjectTest extends HTMLPurifier_HTMLModuleHarn
         parent::setUp();
         $this->config->set('HTML.DefinitionID', 'HTMLPurifier_HTMLModule_SafeObjectTest');
         $this->config->set('HTML.SafeObject', true);
+        $this->config->set('HTML.MaxImgLength', 1200);
     }
 
     public function testMinimal()

tests/HTMLPurifier/HTMLModule/TidyTest.php

@@ -134,7 +134,7 @@ class HTMLPurifier_HTMLModule_TidyTest extends HTMLPurifier_Harness
         $module = new HTMLPurifier_HTMLModule_Tidy();
         $module->defaultLevel = 'bananas';
 
-        $this->expectError('Default level bananas does not exist');
+        $this->expectException(new Exception('Default level bananas does not exist'));
 
         $module->makeFixesForLevel(array(
             'fix-1' => 0

tests/HTMLPurifier/HTMLT/safe-iframe-youtube-with-array-lookup.htmlt

@@ -0,0 +1,8 @@
+--INI--
+HTML.SafeIframe = true
+URI.SafeIframeHosts = www.youtube.com
+--HTML--
+<iframe title="YouTube video player" width="480" height="390" src="http://www.youtube.com/embed/RVtEQxH7PWA" frameborder="0" allowfullscreen></iframe>
+--EXPECT--
+<iframe title="YouTube video player" width="480" height="390" src="http://www.youtube.com/embed/RVtEQxH7PWA" frameborder="0"></iframe>
+--# vim: et sw=4 sts=4

tests/HTMLPurifier/Injector/AutoParagraphTest.php

@@ -331,7 +331,7 @@ Par1
         );
     }
 
-    public function testBlockNodeTextDelimeterInBlockNode()
+    public function testBlockNodeTextDelimiterInBlockNode()
     {
         $this->assertResult(
 '<div>Par1
@@ -343,7 +343,7 @@ Par1
         );
     }
 
-    public function testBlockNodeTextDelimeterWithoutDoublespaceInBlockNode()
+    public function testBlockNodeTextDelimiterWithoutDoublespaceInBlockNode()
     {
         $this->assertResult(
 '<div>Par1
@@ -351,7 +351,7 @@ Par1
         );
     }
 
-    public function testBlockNodeTextDelimeterWithoutDoublespace()
+    public function testBlockNodeTextDelimiterWithoutDoublespace()
     {
         $this->assertResult(
 'Par1

tests/HTMLPurifier/Injector/PurifierLinkifyTest.php

@@ -10,7 +10,7 @@ class HTMLPurifier_Injector_PurifierLinkifyTest extends HTMLPurifier_InjectorHar
         $this->config->set('AutoFormat.PurifierLinkify.DocURL', '#%s');
     }
 
-    public function testNoTriggerCharacer()
+    public function testNoTriggerCharacter()
     {
         $this->assertResult('Foobar');
     }

tests/HTMLPurifier/Injector/RemoveEmptyTest.php

@@ -115,6 +115,12 @@ class HTMLPurifier_Injector_RemoveEmptyTest extends HTMLPurifier_InjectorHarness
         $this->assertResult('<iframe src="http://google.com"></iframe>', '');
     }
 
+    public function testRemoveDisallowedIframeDeniedByHostsList()
+    {
+        $this->config->set('HTML.SafeIframe', true);
+        $this->config->set('URI.SafeIframeHosts', ['www.youtube.com']);
+        $this->assertResult('<iframe src="http://maps.google.com"></iframe>', '');
+    }
 }
 
 // vim: et sw=4 sts=4

tests/HTMLPurifier/Lexer/DomLexTest.php

@@ -0,0 +1,40 @@
+<?php
+
+class HTMLPurifier_Lexer_DomLexTest extends HTMLPurifier_Harness
+{
+
+    protected $domLex;
+
+    public function setUp()
+    {
+        $this->domLex = new HTMLPurifier_Lexer_DOMLex();
+    }
+
+    public function testCoreAggressivelyFixLtEmojis()
+    {
+        $context = new HTMLPurifier_Context();
+        $config  = HTMLPurifier_Config::createDefault();
+        $output = $this->domLex->tokenizeHTML('<b><3</b>', $config, $context);
+
+        $this->assertIdentical($output, array(
+            new HTMLPurifier_Token_Start('b'),
+            new HTMLPurifier_Token_Text('<3'),
+            new HTMLPurifier_Token_End('b')
+        ));
+    }
+
+    public function testCoreAggressivelyFixLtComments()
+    {
+        $context = new HTMLPurifier_Context();
+        $config  = HTMLPurifier_Config::createDefault();
+        $output = $this->domLex->tokenizeHTML('<!-- Nested <!-- Not to be included --> comment -->', $config, $context);
+
+        $this->assertIdentical($output, array(
+            new HTMLPurifier_Token_Comment(' Nested <!-- Not to be included '),
+            new HTMLPurifier_Token_Text(' comment -->')
+        ));
+    }
+
+}
+
+// vim: et sw=4 sts=4

tests/HTMLPurifier/LexerTest.php

@@ -669,7 +669,7 @@ class HTMLPurifier_LexerTest extends HTMLPurifier_Harness
             return;
         } elseif (LIBXML_VERSION < 20628) {
             // libxml's behavior is wrong prior to this version, so make
-            // appropriate accomodations
+            // appropriate accommodations
             $extra['DOMLex'] = $extra['DirectLex'];
         }
         $this->assertTokenization(

tests/HTMLPurifier/PercentEncoderTest.php

@@ -29,7 +29,7 @@ class HTMLPurifier_PercentEncoderTest extends HTMLPurifier_Harness
         $this->assertDecode('%2B2B%3A3A'); // extra text
         $this->assertDecode('%2b2B%4141', '%2B2BA41'); // extra text, with normalization
         $this->assertDecode('%', '%25'); // normalize stray percent sign
-        $this->assertDecode('%5%25', '%255%25'); // permaturely terminated encoding
+        $this->assertDecode('%5%25', '%255%25'); // prematurely terminated encoding
         $this->assertDecode('%GJ', '%25GJ'); // invalid hexadecimal chars
 
         // contested behavior, if this changes, we'll also have to have

tests/HTMLPurifier/Strategy/FixNestingTest.php

@@ -115,7 +115,7 @@ class HTMLPurifier_Strategy_FixNestingTest extends HTMLPurifier_StrategyHarness
         // test fallback to div
         $this->config->set('HTML.Parent', 'obviously-impossible');
         $this->config->set('Cache.DefinitionImpl', null);
-        $this->expectError('Cannot use unrecognized element as parent');
+        $this->expectException(new Exception('Cannot use unrecognized element as parent'));
         $this->assertResult('<div>Accept</div>');
     }
 

tests/HTMLPurifier/Strategy/MakeWellFormedTest.php

@@ -157,7 +157,7 @@ class HTMLPurifier_Strategy_MakeWellFormedTest extends HTMLPurifier_StrategyHarn
         );
     }
 
-    public function testNoAutocloseIfNoParentsCanAccomodateTag()
+    public function testNoAutocloseIfNoParentsCanAccommodateTag()
     {
         $this->assertResult(
             '<table><tr><td><li>foo</li></td></tr></table>',

tests/HTMLPurifier/Strategy/ValidateAttributesTest.php

@@ -211,6 +211,7 @@ class HTMLPurifier_Strategy_ValidateAttributesTest extends
 
     public function testRemoveLargeCSSWidthAndHeightOnImg()
     {
+        $this->config->set('CSS.MaxImgLength', '1200px');
         $this->assertResult(
             '<img src="" alt="" style="width:10000000px;height:10000000px;border:1px solid #000;" />',
             '<img src="" alt="" style="border:1px solid #000;" />'
@@ -244,6 +245,7 @@ class HTMLPurifier_Strategy_ValidateAttributesTest extends
 
     public function testRemoveRelativeCSSWidthAndHeightOnImg()
     {
+        $this->config->set('CSS.MaxImgLength', '1200px');
         $this->assertResult(
             '<img src="" alt="" style="width:10em;height:10em;border:1px solid #000;" />',
             '<img src="" alt="" style="border:1px solid #000;" />'
@@ -252,6 +254,7 @@ class HTMLPurifier_Strategy_ValidateAttributesTest extends
 
     public function testRemovePercentCSSWidthAndHeightOnImg()
     {
+        $this->config->set('CSS.MaxImgLength', '1200px');
         $this->assertResult(
             '<img src="" alt="" style="width:100%;height:100%;border:1px solid #000;" />',
             '<img src="" alt="" style="border:1px solid #000;" />'

tests/HTMLPurifier/TagTransformTest.php

@@ -1,6 +1,6 @@
 <?php
 
-// needs to be seperated into files
+// needs to be separated into files
 class HTMLPurifier_TagTransformTest extends HTMLPurifier_Harness
 {
 

tests/common.php

@@ -48,7 +48,7 @@ if ( is_string($GLOBALS['HTMLPurifierTest']['PEAR']) ) {
 }
 
 // after external libraries are loaded, turn on compile time errors
-error_reporting(E_ALL | E_STRICT);
+error_reporting(E_ALL);
 
 // initialize extra HTML Purifier libraries
 require '../extras/HTMLPurifierExtras.auto.php';

tests/index.php

@@ -23,9 +23,8 @@
  *          $test_files) do not have underscores in their names.
  */
 
-// HTML Purifier runs error free on E_STRICT, so if code reports
+// HTML Purifier runs error free.
-// errors, we want to know about it.
+error_reporting(E_ALL);
-error_reporting(E_ALL | E_STRICT);
 
 // Because we always want to know about errors, and because SimpleTest
 // will notify us about them, logging the errors to stderr is
@@ -101,7 +100,7 @@ if (!SimpleReporter::inCli()) {
 }
 
 // initialize and load HTML Purifier
-// use ?standalone to load the alterative standalone stub
+// use ?standalone to load the alternative standalone stub
 if ($AC['standalone']) {
     require '../library/HTMLPurifier.standalone.php';
 } else {