Don't suggest chmod to 777

Signed-off-by: Edward Z. Yang <ezyang@meta.com>
[refactor] Use range() function instead of string increment (#367 )
2025-08-12 09:04:31 +02:00 · 2023-04-29 16:38:00 -04:00 · 2023-02-23 13:11:13 -05:00 · 2023-02-05 21:40:57 -05:00 · 2023-01-26 19:06:28 -05:00 · 2023-01-21 22:44:44 -05:00
8 changed files with 204 additions and 184 deletions
--- a/library/HTMLPurifier/AttrDef/CSS/FontFamily.php
+++ b/library/HTMLPurifier/AttrDef/CSS/FontFamily.php
@@ -10,23 +10,21 @@ class HTMLPurifier_AttrDef_CSS_FontFamily extends HTMLPurifier_AttrDef
    public function __construct()
    {
-        $this->mask = '_- ';
+        // Lowercase letters
-        for ($c = 'a'; $c <= 'z'; $c++) {
+        $l = range('a', 'z');
-            $this->mask .= $c;
+        // Uppercase letters
-        }
+        $u = range('A', 'Z');
-        for ($c = 'A'; $c <= 'Z'; $c++) {
+        // Digits
-            $this->mask .= $c;
+        $d = range('0', '9');
-        }
+        // Special bytes used by UTF-8
-        for ($c = '0'; $c <= '9'; $c++) {
+        $b = array_map('chr', range(0x80, 0xFF));
-            $this->mask .= $c;
+        // All valid characters for the mask
-        } // cast-y, but should be fine
+        $c = array_merge($l, $u, $d, $b);
-        // special bytes used by UTF-8
+        // Concatenate all valid characters into a string 
-        for ($i = 0x80; $i <= 0xFF; $i++) {
+        // Use '_- ' as an initial value
-            // We don't bother excluding invalid bytes in this range,
+        $this->mask = array_reduce($c, function ($carry, $value) {
-            // because the our restriction of well-formed UTF-8 will
+            return $carry . $value;
-            // prevent these from ever occurring.
+        }, '_- ');
            $this->mask .= chr($i);
        }
        /*
            PHP's internal strcspn implementation is
--- a/library/HTMLPurifier/AttrTransform/TargetBlank.php
+++ b/library/HTMLPurifier/AttrTransform/TargetBlank.php
@@ -33,7 +33,11 @@ class HTMLPurifier_AttrTransform_TargetBlank extends HTMLPurifier_AttrTransform
        // XXX Kind of inefficient
        $url = $this->parser->parse($attr['href']);
-        $scheme = $url->getSchemeObj($config, $context);
+        
        // Ignore invalid schemes (e.g. `javascript:`)
        if (!($scheme = $url->getSchemeObj($config, $context))) {
            return $attr;
        }
        if ($scheme->browsable && !$url->isBenign($config, $context)) {
            $attr['target'] = '_blank';
--- a/library/HTMLPurifier/DefinitionCache/Serializer.php
+++ b/library/HTMLPurifier/DefinitionCache/Serializer.php
@@ -287,13 +287,14 @@ class HTMLPurifier_DefinitionCache_Serializer extends HTMLPurifier_DefinitionCac
            } elseif (filegroup($dir) === posix_getgid()) {
                $chmod = $chmod | 0070;
            } else {
-                // PHP's probably running as nobody, so we'll
+              // PHP's probably running as nobody, it is
-                // need to give global permissions
+              // not obvious how to fix this (777 is probably
-                $chmod = $chmod | 0777;
+              // bad if you are multi-user), let the user figure it out
                $chmod = null;
            }
            trigger_error(
-                'Directory ' . $dir . ' not writable, ' .
+                'Directory ' . $dir . ' not writable. ' .
-                'please chmod to ' . decoct($chmod),
+                ($chmod === null ? '' : 'Please chmod to ' . decoct($chmod)),
                E_USER_WARNING
            );
        } else {
--- a/library/HTMLPurifier/DefinitionCacheFactory.php
+++ b/library/HTMLPurifier/DefinitionCacheFactory.php
@@ -71,7 +71,7 @@ class HTMLPurifier_DefinitionCacheFactory
            return $this->caches[$method][$type];
        }
        if (isset($this->implementations[$method]) &&
-            class_exists($class = $this->implementations[$method], false)) {
+            class_exists($class = $this->implementations[$method])) {
            $cache = new $class($type);
        } else {
            if ($method != 'Serializer') {
--- a/library/HTMLPurifier/Filter/ExtractStyleBlocks.php
+++ b/library/HTMLPurifier/Filter/ExtractStyleBlocks.php
@@ -146,6 +146,7 @@ class HTMLPurifier_Filter_ExtractStyleBlocks extends HTMLPurifier_Filter
        foreach ($this->_tidy->css as $k => $decls) {
            // $decls are all CSS declarations inside an @ selector
            $new_decls = array();
            if (is_array($decls)) {
                foreach ($decls as $selector => $style) {
                    $selector = trim($selector);
                    if ($selector === '') {
@@ -316,6 +317,9 @@ class HTMLPurifier_Filter_ExtractStyleBlocks extends HTMLPurifier_Filter
                    }
                    $new_decls[$selector] = $style;
                }
            } else {
                continue;
            }
            $new_css[$k] = $new_decls;
        }
        // remove stuff that shouldn't be used, could be reenabled
--- a/library/HTMLPurifier/LanguageFactory.php
+++ b/library/HTMLPurifier/LanguageFactory.php
@@ -109,7 +109,7 @@ class HTMLPurifier_LanguageFactory
        } else {
            $class = 'HTMLPurifier_Language_' . $pcode;
            $file  = $this->dir . '/Language/classes/' . $code . '.php';
-            if (file_exists($file) || class_exists($class, false)) {
+            if (file_exists($file) || class_exists($class)) {
                $lang = new $class($config, $context);
            } else {
                // Go fallback
--- a/library/HTMLPurifier/Lexer.php
+++ b/library/HTMLPurifier/Lexer.php
@@ -101,7 +101,7 @@ class HTMLPurifier_Lexer
                        break;
                    }
-                    if (class_exists('DOMDocument', false) &&
+                    if (class_exists('DOMDocument') &&
                        method_exists('DOMDocument', 'loadHTML') &&
                        !extension_loaded('domxml')
                    ) {
--- a/tests/HTMLPurifier/Filter/ExtractStyleBlocksTest.php
+++ b/tests/HTMLPurifier/Filter/ExtractStyleBlocksTest.php
@@ -214,6 +214,19 @@ text-align:right
        );
    }
    public function test_keepImportantComments()
    {
        $this->assertCleanCSS(
            "/*! Important */
 div {
 text-align:right /*! Important2 */
 }",
            "div {
 text-align:right
 }"
        );
    }
    public function test_atSelector()
    {
        $this->assertCleanCSS(
Author	SHA1	Message	Date
Edward Z. Yang	4317c387fb	Don't suggest chmod to 777 Signed-off-by: Edward Z. Yang <ezyang@meta.com>	2023-04-29 16:38:00 -04:00
George Peter Banyard	c05639e0c9	[refactor] Use range() function instead of string increment (#367 ) This was found during the analysis for https://wiki.php.net/rfc/saner-inc-dec-operators I don't know what is the minimal version targeted, so the line which defines ``$c`` may need to be changes to use ``array_merge()``	2023-02-23 13:11:13 -05:00
Steve Bauman	b4136da73c	Remove unnecessary disablement of autoload (#364 )	2023-02-05 21:40:57 -05:00
Jeff Standen	0176ef4bb6	fix: Invalid scheme check in Attr.TargetBlank (#363 )	2023-01-26 19:06:28 -05:00
Francis Lévesque	78a9b4d0da	fix: CSSTidy ImportantComments not handled properly (#359 ) * fix: CSSTidy ImportantComments not handled properly Signed-off-by: Francis Lévesque <wolfrank2164@gmail.com> * fix: CSSTidy ImportantComments not handled properly -> remove comments Signed-off-by: Francis Lévesque <wolfrank2164@gmail.com> Co-authored-by: Edward Z. Yang <ezyang@meta.com>	2023-01-21 22:44:44 -05:00
Edward Z. Yang	9ec687c904	fix: fix CI (#361 ) Signed-off-by: Edward Z. Yang <ezyang@meta.com> Signed-off-by: Edward Z. Yang <ezyang@meta.com>	2023-01-21 22:42:38 -05:00