Add Git specific files and configuration

* Setup usage.xml to be binary, as XMLWriter does not honor operating
  system's newline format.
* Setup various files to ignore (svn:ignore was not carried over)
* Add dummy files to prevent git from ignoring empty directories

Signed-off-by: Edward Z. Yang <edwardzyang@thewritingpot.com>

.gitattributes

@@ -0,0 +1 @@
+configdoc/usage.xml -crlf

.gitignore

@@ -0,0 +1,9 @@
+conf/
+library/HTMLPurifier/DefinitionCache/Serializer/*/
+library/standalone/
+library/HTMLPurifier.standalone.php
+*.phpt.diff
+*.phpt.exp
+*.phpt.log
+*.phpt.out
+*.phpt.php

Doxyfile

@@ -31,7 +31,7 @@ PROJECT_NAME           = HTMLPurifier
 # This could be handy for archiving the generated documentation or 
 # if some version control system is used.
 
-PROJECT_NUMBER         = 3.1.0rc1
+PROJECT_NUMBER         = 3.1.1
 
 # The OUTPUT_DIRECTORY tag is used to specify the (relative or absolute) 
 # base path where the generated documentation will be put. 

FOCUS

@@ -0,0 +1,13 @@
+9 - Major security fixes
+
+[ Appendix A: Release focus IDs ]
+0 - N/A
+1 - Initial freshmeat announcement
+2 - Documentation
+3 - Code cleanup
+4 - Minor feature enhancements
+5 - Major feature enhancements
+6 - Minor bugfixes
+7 - Major bugfixes
+8 - Minor security fixes
+9 - Major security fixes

INSTALL

@@ -23,8 +23,9 @@ August 8, 2008.
 
 These optional extensions can enhance the capabilities of HTML Purifier:
 
-    * iconv : Converts text to and from non-UTF-8 encodings
-    * tidy  : Used for pretty-printing HTML
+    * iconv  : Converts text to and from non-UTF-8 encodings
+    * bcmath : Used for unit conversion and imagecrash protection
+    * tidy   : Used for pretty-printing HTML
 
 
 ---------------------------------------------------------------------------

INSTALL.fr.utf8

@@ -17,7 +17,7 @@ ce document pour quelques choses.
 
 1.  Compatibilité
 
-HTML Purifier fonctionne dans PHP 5. PHP 5.0.0 est le dernier
+HTML Purifier fonctionne dans PHP 5. PHP 5.0.5 est le dernier
 version que je le testais.  Il ne dépend de les autre librairies.
 
 Les extensions optionnel est iconv (en général déjà installer) et 
@@ -34,19 +34,15 @@ Utilisez:
 ...quand vous devez utiliser HTML Purifier (ne inclure pas quand vous
 ne devez pas, parce que HTML Purifier est trés grand.)
 
-Si vous n'aime pas que HTML Purifier change vos include_path, on peut
-change vos include_path, et:
+HTML Purifier utilise 'autoload'. Si vous avez définu la fonction
+__autoload, vous doivez ajoute cet programme:
 
-    require_once 'HTMLPurifier.php';
+    spl_autoload_register('__autoload')
 
-Seuleument les contents dans library/ est essentiel; vous peut enlever
-les autre fichiers quand vous est dans une atmosphère professionnel.
+Plus d'information est dans le document 'INSTALL'.
 
 
-[En cours de construction]
-
-
-6.   Installation vite
+3.   Installation vite
 
 Si votre site web est en UTF-8 et XHTML Transitional, utilisez:
 

NEWS

@@ -9,6 +9,138 @@ NEWS ( CHANGELOG and HISTORY )                                     HTMLPurifier
     . Internal change
 ==========================
 
+3.2.0, unknown release date
+
+3.1.2, unknown release date
+
+3.1.1, released 2008-06-19
+# %URI.Munge now, by default, does not munge resources (for example, <img src="">)
+  In order to enable this again, please set %URI.MungeResources to true. 
+! More robust imagecrash protection with height/width CSS with %CSS.MaxImgLength,
+  and height/width HTML with %HTML.MaxImgLength.
+! %URI.MungeSecretKey for secure URI munging. Thanks Chris
+  for sponsoring this feature. Check out the corresponding documentation
+  for details. (Att Nightly testers: The API for this feature changed before
+  the general release. Namely, rename your directives %URI.SecureMungeSecretKey =>
+  %URI.MungeSecretKey and and %URI.SecureMunge => %URI.Munge)
+! Implemented post URI filtering. Set member variable $post to true to set
+  a URIFilter as such.
+! Allow modules to define injectors via $info_injector. Injectors are 
+  automatically disabled if injector's needed elements are not found.
+! Support for "safe" objects added, use %HTML.SafeObject and %HTML.SafeEmbed.
+  Thanks Chris for sponsoring. If you've been using ad hoc code from the
+  forums, PLEASE use this instead.
+! Added substitutions for %e, %n, %a and %p in %URI.Munge (in order,
+  embedded, tag name, attribute name, CSS property name). See %URI.Munge
+  for more details. Requested by Jochem Blok.
+- Disable percent height/width attributes for img.
+- AttrValidator operations are now atomic; updates to attributes are not
+  manifest in token until end of operations. This prevents naughty internal
+  code from directly modifying CurrentToken when they're not supposed to.
+  This semantics change was requested by frank farmer.
+- Percent encoding checks enabled for URI query and fragment
+- Fix stray backslashes in font-family; CSS Unicode character escapes are
+  now properly resolved (although *only* in font-family). Thanks Takeshi Terada
+  for reporting.
+- Improve parseCDATA algorithm to take into account newline normalization
+- Account for browser confusion between Yen character and backslash in
+  Shift_JIS encoding. This fix generalizes to any other encoding which is not
+  a strict superset of printable ASCII. Thanks Takeshi Terada for reporting.
+- Fix missing configuration parameter in Generator calls. Thanks vs for the
+  partial patch.
+- Improved adherence to Unicode by checking for non-character codepoints.
+  Thanks Geoffrey Sneddon for reporting. This may result in degraded
+  performance for extremely large inputs.
+- Allow CSS property-value pair ''text-decoration: none''. Thanks Jochem Blok
+  for reporting.
+. Added HTMLPurifier_UnitConverter and HTMLPurifier_Length for convenient
+  handling of CSS-style lengths. HTMLPurifier_AttrDef_CSS_Length now uses
+  this class.
+. API of HTMLPurifier_AttrDef_CSS_Length changed from __construct($disable_negative)
+  to __construct($min, $max). __construct(true) is equivalent to
+  __construct('0').
+. Added HTMLPurifier_AttrDef_Switch class
+. Rename HTMLPurifier_HTMLModule_Tidy->construct() to setup() and bubble method
+  up inheritance hierarchy to HTMLPurifier_HTMLModule. All HTMLModules
+  get this called with the configuration object.  All modules now
+  use this rather than __construct(), although legacy code using constructors
+  will still work--the new format, however, lets modules access the
+  configuration object for HTML namespace dependant tweaks.
+. AttrDef_HTML_Pixels now takes a single construction parameter, pixels.
+. ConfigSchema data-structure heavily optimized; on average it uses a third
+  the memory it did previously. The interface has changed accordingly,
+  consult changes to HTMLPurifier_Config for details.
+. Variable parsing types now are magic integers instead of strings
+. Added benchmark for ConfigSchema
+. HTMLPurifier_Generator requires $config and $context parameters. If you 
+  don't know what they should be, use HTMLPurifier_Config::createDefault()
+  and new HTMLPurifier_Context().
+. Printers now properly distinguish between output configuration, and 
+  target configuration. This is not applicable to scripts using
+  the Printers for HTML Purifier related tasks.
+. HTML/CSS Printers must be primed with prepareGenerator($gen_config), otherwise
+  fatal errors will ensue.
+. URIFilter->prepare can return false in order to abort loading of the filter
+. Factory for AttrDef_URI implemented, URI#embedded to indicate URI that embeds
+  an external resource.
+. %URI.Munge functionality factored out into a post-filter class.
+. Added CurrentCSSProperty context variable during CSS validation
+
+3.1.0, released 2008-05-18
+# Unnecessary references to objects (vestiges of PHP4) removed from method
+  signatures.  The following methods do not need references when assigning from
+  them and will result in E_STRICT errors if you try:
+    + HTMLPurifier_Config->get*Definition() [* = HTML, CSS]
+    + HTMLPurifier_ConfigSchema::instance()
+    + HTMLPurifier_DefinitionCacheFactory::instance()
+    + HTMLPurifier_DefinitionCacheFactory->create()
+    + HTMLPurifier_DoctypeRegistry->register()
+    + HTMLPurifier_DoctypeRegistry->get()
+    + HTMLPurifier_HTMLModule->addElement()
+    + HTMLPurifier_HTMLModule->addBlankElement()
+    + HTMLPurifier_LanguageFactory::instance()
+# Printer_ConfigForm's get*() functions were static-ified
+# %HTML.ForbiddenAttributes requires attribute declarations to be in the
+  form of tag@attr, NOT tag.attr (which will throw an error and won't do
+  anything). This is for forwards compatibility with XML; you'd do best
+  to migrate an %HTML.AllowedAttributes directives to this syntax too.
+! Allow index to be false for config from form creation
+! Added HTMLPurifier::VERSION constant
+! Commas, not dashes, used for serializer IDs. This change is forwards-compatible
+  and allows for version numbers like "3.1.0-dev".
+! %HTML.Allowed deals gracefully with whitespace anywhere, anytime!
+! HTML Purifier's URI handling is a lot more robust, with much stricter
+  validation checks and better percent encoding handling. Thanks Gareth Heyes
+  for indicating security vulnerabilities from lax percent encoding.
+! Bootstrap autoloader deals more robustly with classes that don't exist,
+  preventing class_exists($class, true) from barfing.
+- InterchangeBuilder now alphabetizes its lists
+- Validation error in configdoc output fixed
+- Iconv and other encoding errors muted even with custom error handlers that
+  do not honor error_reporting
+- Add protection against imagecrash attack with CSS height/width
+- HTMLPurifier::instance() created for consistency, is equivalent to getInstance()
+- Fixed and revamped broken ConfigForm smoketest
+- Bug with bool/null fields in Printer_ConfigForm fixed
+- Bug with global forbidden attributes fixed
+- Improved error messages for allowed and forbidden HTML elements and attributes
+- Missing (or null) in configdoc documentation restored
+- If DOM throws and exception during parsing with PH5P (occurs in newer versions
+  of DOM), HTML Purifier punts to DirectLex
+- Fatal error with unserialization of ScriptRequired
+- Created directories are now chmod'ed properly
+- Fixed bug with fallback languages in LanguageFactory
+- Standalone testing setup properly with autoload
+. Out-of-date documentation revised
+. UTF-8 encoding check optimization as suggested by Diego
+. HTMLPurifier_Error removed in favor of exceptions
+. More copy() function removed; should use clone instead
+. More extensive unit tests for HTMLDefinition
+. assertPurification moved to central harness
+. HTMLPurifier_Generator accepts $config and $context parameters during
+  instantiation, not runtime
+. Double-quotes outside of attribute values are now unescaped
+
 3.1.0rc1, released 2008-04-22
 # Autoload support added. Internal require_once's removed in favor of an
   explicit require list or autoloading. To use HTML Purifier,

TODO

@@ -7,48 +7,36 @@ TODO List
     ? Maybe I'll Do It
 ==========================
 
-If no interest is expressed for a feature that may required a considerable
+If no interest is expressed for a feature that may require a considerable
 amount of effort to implement, it may get endlessly delayed. Do not be
 afraid to cast your vote for the next feature to be implemented!
 
-
-UPCOMING RELEASE
-----------------
-
-IMPORTANT
- - Release candidate, because of the major changes
-
-DOCUMENTATION
- - Update French translation of README
-
-IMPORTANT FEATURES
- - Factor out command line parser into its own class, and unit test it
-
-NICE FEATURES
- - Factor demo.php into a set of Printer classes, and then create a stub
-   file for users here (inside the actual HTML Purifier library)
- - Support exporting configuration, so users can easily tweak settings
-   in the demo, and then copy-paste into their own setup
-
-BUGS
- - Style attribute height/width limiting for images
- - Easy way to blacklist elements and attributes
- - Investigate iconv error emitting
- - Investigate UTF-8 optimization <http://htmlpurifier.org/phorum/read.php?3,1496>
- - Figure out what to do about target="" and name="", since they show up so often
+- Investigate how early internal structures can be accessed; this would
+  prevent structures from being parsed and serialized multiple times.
+- Built-in support for target="_blank" on all external links
+- Gitify the repository
 
 FUTURE VERSIONS
 ---------------
 
-3.2 release [Error'ed]
- # Error logging for filtering/cleanup procedures
- - XSS-attempt detection
+3.2 release [It's All About Trust] (floating)
+ # Implement untrusted, dangerous elements/attributes
+    - Forms are especially wanted
+ # Implement IDREF support (harder than it seems, since you cannot have
+   IDREFs to non-existent IDs)
+ # Frameset XHTML 1.0 and HTML 4.01 doctypes
+ - Implement <area>
+ - Figure out how to simultaneously set %CSS.Trusted and %HTML.Trusted (?)
 
-3.3 release [Do What I Mean, Not What I Say]
+3.3 release [Error'ed]
+ # Error logging for filtering/cleanup procedures
+ - XSS-attempt detection--certain errors are flagged XSS-like
+
+3.4 release [Do What I Mean, Not What I Say]
  # Additional support for poorly written HTML
     - Microsoft Word HTML cleaning (i.e. MsoNormal, but research essential!)
     - Friendly strict handling of <address> (block -> <br>)
- - Remove redundant tags, ex. <u><u>Underlined</u></u>. Implementation notes:
+ ? Remove redundant tags, ex. <u><u>Underlined</u></u>. Implementation notes:
     1. Analyzing which tags to remove duplicants
     2. Ensure attributes are merged into the parent tag
     3. Extend the tag exclusion system to specify whether or not the
@@ -58,27 +46,21 @@ FUTURE VERSIONS
  - Remove empty inline tags<i></i>
  - Append something to duplicate IDs so they're still usable (impl. note: the
    dupe detector would also need to detect the suffix as well)
- - Externalize inline CSS to promote clean HTML
-
-3.4 release [It's All About Trust] (floating)
- # Implement untrusted, dangerous elements/attributes
-    - Objects and Forms are especially wanted
- # Implement IDREF support (harder than it seems, since you cannot have
-   IDREFs to non-existent IDs)
- # Frameset XHTML 1.0 and HTML 4.01 doctypes
+ - Externalize inline CSS to promote clean HTML, proposed by Sander Tekelenburg
 
 4.0 release [Beyond HTML]
  # Legit token based CSS parsing (will require revamping almost every
-   AttrDef class). Probably will use CSSTidy class
- # More control over allowed CSS properties (maybe modularize it in the
-   same fashion!)
+   AttrDef class). Probably will use CSSTidy class?
+ # More control over allowed CSS properties using a modularization
  # HTML 5 support
+ # IRI support
  - Standardize token armor for all areas of processing
  - Convert RTL/LTR override characters to <bdo> tags, or vice versa on demand.
    Also, enable disabling of directionality
- - Table of Contents generation (XHTML Compiler might be reusable)
 
 5.0 release [To XML and Beyond]
+ - AllowedAttributes and ForbiddenAttributes step on the toes of XML by
+   using periods; this needs to be changed.
  - Extended HTML capabilities based on namespacing and tag transforms (COMPLEX)
     - Hooks for adding custom processors to custom namespaced tags and
       attributes, offer default implementation
@@ -86,45 +68,64 @@ FUTURE VERSIONS
 
 Ongoing
  - More refactoring to take advantage of PHP5's facilities 
- - Lots of profiling, make it faster!
+ - Refactor unit tests into lots of test methods
  - Plugins for major CMSes (COMPLEX)
     - phpBB
+    - Drupal needs loving!
+    - Phorum need loving!
     - more! (look for ones that use WYSIWYGs)
- - Complete basic smoketests
+    - Also, maybe a FAQ for extension writers with HTML Purifier
 
 AutoFormat
  - Smileys
- - Syntax highlighting with <pre> and possibly <?php
+ - Syntax highlighting (with GeSHi) with <pre> and possibly <?php
  - Look at http://drupal.org/project/Modules/category/63 for ideas
 
-Unknown release (on a scratch-an-itch basis)
- # CHMOD install script for PEAR installs
- ? Have 'lang' attribute be checked against official lists, achieved by
-   encoding all characters that have string entity equivalents
- - Abstract ChildDef_BlockQuote to work with all elements that only
-   allow blocks in them, required or optional
- - Reorganize Unit Tests
+Optimizations
+ - Reduce size of internal data-structures (esp. HTMLDefinition)
+ - Research memory usage of objects versus arrays
+ - Combine multiple strategies into a single, single-pass strategy
+ - Get PH5P working with the latest versions of DOM, which have much more
+   stringent error checking procedures. Maybe convert straight to tokens.
+ - Get rid of set_include_path(). Save this for another major release.
+
+Neat feature related
+ ! Factor demo.php into a set of Printer classes, and then create a stub
+   file for users here (inside the actual HTML Purifier library)
+ ! Support exporting configuration, so users can easily tweak settings
+   in the demo, and then copy-paste into their own setup
  - Advanced URI filtering schemes (see docs/proposal-new-directives.txt)
- - Implement lenient <ruby> child validation
+ - Allow scoped="scoped" attribute in <style> tags; may be troublesome
+   because regular CSS has no way of uniquely identifying nodes, so we'd
+   have to generate IDs
  - Explain how to use HTML Purifier in non-PHP languages / create
    a simple command line stub (or complicated?)
  - Fixes for Firefox's inability to handle COL alignment props (Bug 915)
  - Automatically add non-breaking spaces to empty table cells when
    empty-cells:show is applied to have compatibility with Internet Explorer
+ - Table of Contents generation (XHTML Compiler might be reusable). May also
+   be out-of-band information.
+ - Full set of color keywords. Also, a way to add onto them without
+   finalizing the configuration object.
+ - Write a var_export and memcached DefinitionCache - Denis
+ - Allow restriction of allowed class values
+
+Maintenance related (slightly boring)
+ # CHMOD install script for PEAR installs
+ ! Factor out command line parser into its own class, and unit test it
+ ! Nested configuration namespaces
  - Distinguish between default settings and explicitly set settings, so
    configurations can be merged
- - Nested configuration namespaces
- - Allow scoped="scoped" attribute in <style> tags; may be troublesome
-   because regular CSS has no way of uniquely identifying nodes, so we'd
-   have to generate IDs
  - Time PHPT tests
 
-Requested
+ChildDef related (very boring)
+ - Abstract ChildDef_BlockQuote to work with all elements that only
+   allow blocks in them, required or optional
+ - Implement lenient <ruby> child validation
 
 Wontfix
  - Non-lossy smart alternate character encoding transformations (unless
    patch provided)
  - Pretty-printing HTML: users can use Tidy on the output on entire page
- - Native content compression, whitespace stripping (don't rely on Tidy, make
-   sure we don't remove from <pre> or related tags): use gzip if this is
+ - Native content compression, whitespace stripping: use gzip if this is
    really important

VERSION

@@ -1 +1 @@
-3.1.0rc1
+3.1.1

WHATSNEW

@@ -1,8 +1,8 @@
-Release 3.1.0rc1 is a release candidate aimed primarily at ironing out bugs
-in HTML Purifier's shiny new __autoload system.  There are lots of new features,
-however; some notable ones include support for the !important CSS modifier,
-display and visibility CSS properties with %CSS.AllowTricky, marquee
-with %HTML.Proprietary (had you scared for a moment, hmm?), a kses() wrapper,
-%CSS.AllowedProperties, %HTML.ForbiddenAttributes and %HTML.ForbiddenElements
-and a totally revamped ConfigDoc system. And of course, the usual slew of
-bugfixes.
+HTML Purifier 3.1.1 is a security and bugfix release. This release addresses
+two security vulnerabilities, both related to CSS, and one of which only
+applies to users using Shift_JIS as their output encoding. There is also
+a security improvement regarding the imagecrash attack. There is a backwards
+incompatible change in which resources are no longer munged
+by default; please enable using %URI.MungeResources. Besides this, there
+are numerous improvements to URI munging, esp. with the addition of
+%URI.MungeSecretKey, as well as an experimental %HTML.SafeObject and %HTML.SafeEmbed.

benchmarks/ConfigSchema.php

@@ -0,0 +1,14 @@
+<?php
+
+chdir(dirname(__FILE__));
+
+//require_once '../library/HTMLPurifier.path.php';
+shell_exec('php ../maintenance/generate-schema-cache.php');
+require_once '../library/HTMLPurifier.path.php';
+require_once 'HTMLPurifier.includes.php';
+
+$begin = xdebug_memory_usage();
+
+$schema = HTMLPurifier_ConfigSchema::makeFromSerial();
+
+echo xdebug_memory_usage() - $begin;

configdoc/generate.php

@@ -15,7 +15,7 @@ TODO:
 - add blurbs to ToC
 */
 
-if (version_compare(PHP_VERSION, '5.2.0', '<')) exit('PHP 5.2.0 or greater required.');
+if (version_compare(PHP_VERSION, '5.2', '<')) exit('PHP 5.2+ required.');
 error_reporting(E_ALL | E_STRICT);
 
 chdir(dirname(__FILE__));
@@ -38,6 +38,7 @@ $configdoc_xml = 'configdoc.xml';
 $xml_builder = new HTMLPurifier_ConfigSchema_Builder_Xml();
 $xml_builder->openURI($configdoc_xml);
 $xml_builder->build($interchange);
+unset($xml_builder); // free handle
 
 $xslt = new ConfigDoc_HTMLXSLTProcessor();
 $xslt->importStylesheet(dirname(__FILE__) . "/styles/$style.xsl");

configdoc/styles/plain.xsl

@@ -19,7 +19,7 @@
     <xsl:variable name="usageLookup" select="document('../usage.xml')/usage" />
     
     <!-- Twiddle this variable to get the columns as even as possible -->
-    <xsl:variable name="maxNumberAdjust" select="1" />
+    <xsl:variable name="maxNumberAdjust" select="2" />
     
     <xsl:template match="/">
         <html lang="en" xml:lang="en">
@@ -227,7 +227,7 @@
         </tr>
     </xsl:template>
     <xsl:template match="constraints/external/project">
-        <xsl:value-of select="." />
+        <li><xsl:value-of select="." /></li>
     </xsl:template>
     
 </xsl:stylesheet>

configdoc/usage.xml

@@ -5,7 +5,7 @@
    <line>131</line>
   </file>
   <file name="HTMLPurifier/Lexer.php">
-   <line>93</line>
+   <line>85</line>
   </file>
   <file name="HTMLPurifier/Lexer/DirectLex.php">
    <line>50</line>
@@ -16,24 +16,29 @@
    <line>44</line>
   </file>
  </directive>
+ <directive id="CSS.MaxImgLength">
+  <file name="HTMLPurifier/CSSDefinition.php">
+   <line>157</line>
+  </file>
+ </directive>
  <directive id="CSS.Proprietary">
   <file name="HTMLPurifier/CSSDefinition.php">
-   <line>201</line>
+   <line>214</line>
   </file>
  </directive>
  <directive id="CSS.AllowTricky">
   <file name="HTMLPurifier/CSSDefinition.php">
-   <line>205</line>
+   <line>218</line>
   </file>
  </directive>
  <directive id="CSS.AllowImportant">
   <file name="HTMLPurifier/CSSDefinition.php">
-   <line>209</line>
+   <line>222</line>
   </file>
  </directive>
  <directive id="CSS.AllowedProperties">
   <file name="HTMLPurifier/CSSDefinition.php">
-   <line>261</line>
+   <line>274</line>
   </file>
  </directive>
  <directive id="Cache.DefinitionImpl">
@@ -64,18 +69,18 @@
  <directive id="Core.Encoding">
   <file name="HTMLPurifier/Encoder.php">
    <line>267</line>
-   <line>285</line>
+   <line>294</line>
   </file>
  </directive>
  <directive id="Test.ForceNoIconv">
   <file name="HTMLPurifier/Encoder.php">
-   <line>269</line>
-   <line>290</line>
+   <line>272</line>
+   <line>302</line>
   </file>
  </directive>
  <directive id="Core.EscapeNonASCIICharacters">
   <file name="HTMLPurifier/Encoder.php">
-   <line>287</line>
+   <line>298</line>
   </file>
  </directive>
  <directive id="Core.MaintainLineNumbers">
@@ -83,7 +88,7 @@
    <line>81</line>
   </file>
   <file name="HTMLPurifier/Lexer.php">
-   <line>90</line>
+   <line>82</line>
   </file>
   <file name="HTMLPurifier/Lexer/DirectLex.php">
    <line>45</line>
@@ -96,47 +101,47 @@
  </directive>
  <directive id="Output.TidyFormat">
   <file name="HTMLPurifier/Generator.php">
-   <line>61</line>
+   <line>69</line>
   </file>
  </directive>
  <directive id="Output.Newline">
   <file name="HTMLPurifier/Generator.php">
-   <line>86</line>
+   <line>83</line>
   </file>
  </directive>
  <directive id="HTML.BlockWrapper">
   <file name="HTMLPurifier/HTMLDefinition.php">
-   <line>213</line>
+   <line>222</line>
   </file>
  </directive>
  <directive id="HTML.Parent">
   <file name="HTMLPurifier/HTMLDefinition.php">
-   <line>221</line>
+   <line>230</line>
   </file>
  </directive>
  <directive id="HTML.AllowedElements">
   <file name="HTMLPurifier/HTMLDefinition.php">
-   <line>238</line>
+   <line>247</line>
   </file>
  </directive>
  <directive id="HTML.AllowedAttributes">
   <file name="HTMLPurifier/HTMLDefinition.php">
-   <line>239</line>
+   <line>248</line>
   </file>
  </directive>
  <directive id="HTML.Allowed">
   <file name="HTMLPurifier/HTMLDefinition.php">
-   <line>242</line>
+   <line>251</line>
   </file>
  </directive>
  <directive id="HTML.ForbiddenElements">
   <file name="HTMLPurifier/HTMLDefinition.php">
-   <line>303</line>
+   <line>337</line>
   </file>
  </directive>
  <directive id="HTML.ForbiddenAttributes">
   <file name="HTMLPurifier/HTMLDefinition.php">
-   <line>304</line>
+   <line>338</line>
   </file>
  </directive>
  <directive id="HTML.Trusted">
@@ -144,7 +149,10 @@
    <line>198</line>
   </file>
   <file name="HTMLPurifier/Lexer.php">
-   <line>245</line>
+   <line>238</line>
+  </file>
+  <file name="HTMLPurifier/HTMLModule/Image.php">
+   <line>27</line>
   </file>
   <file name="HTMLPurifier/Lexer/DirectLex.php">
    <line>34</line>
@@ -165,6 +173,16 @@
    <line>220</line>
   </file>
  </directive>
+ <directive id="HTML.SafeObject">
+  <file name="HTMLPurifier/HTMLModuleManager.php">
+   <line>225</line>
+  </file>
+ </directive>
+ <directive id="HTML.SafeEmbed">
+  <file name="HTMLPurifier/HTMLModuleManager.php">
+   <line>228</line>
+  </file>
+ </directive>
  <directive id="Attr.IDBlacklist">
   <file name="HTMLPurifier/IDAccumulator.php">
    <line>26</line>
@@ -172,22 +190,22 @@
  </directive>
  <directive id="Core.Language">
   <file name="HTMLPurifier/LanguageFactory.php">
-   <line>85</line>
+   <line>88</line>
   </file>
  </directive>
  <directive id="Core.LexerImpl">
   <file name="HTMLPurifier/Lexer.php">
-   <line>78</line>
+   <line>70</line>
   </file>
  </directive>
  <directive id="Core.ConvertDocumentToFragment">
   <file name="HTMLPurifier/Lexer.php">
-   <line>237</line>
+   <line>230</line>
   </file>
  </directive>
  <directive id="URI.Host">
   <file name="HTMLPurifier/URIDefinition.php">
-   <line>57</line>
+   <line>64</line>
   </file>
   <file name="HTMLPurifier/URIFilter/DisableExternal.php">
    <line>8</line>
@@ -195,12 +213,12 @@
  </directive>
  <directive id="URI.Base">
   <file name="HTMLPurifier/URIDefinition.php">
-   <line>58</line>
+   <line>65</line>
   </file>
  </directive>
  <directive id="URI.DefaultScheme">
   <file name="HTMLPurifier/URIDefinition.php">
-   <line>65</line>
+   <line>72</line>
   </file>
  </directive>
  <directive id="URI.AllowedSchemes">
@@ -215,12 +233,7 @@
  </directive>
  <directive id="URI.Disable">
   <file name="HTMLPurifier/AttrDef/URI.php">
-   <line>24</line>
-  </file>
- </directive>
- <directive id="URI.Munge">
-  <file name="HTMLPurifier/AttrDef/URI.php">
-   <line>78</line>
+   <line>28</line>
   </file>
  </directive>
  <directive id="Core.ColorKeywords">
@@ -305,6 +318,17 @@
    <line>123</line>
   </file>
  </directive>
+ <directive id="HTML.MaxImgLength">
+  <file name="HTMLPurifier/HTMLModule/Image.php">
+   <line>14</line>
+  </file>
+  <file name="HTMLPurifier/HTMLModule/SafeEmbed.php">
+   <line>13</line>
+  </file>
+  <file name="HTMLPurifier/HTMLModule/SafeObject.php">
+   <line>19</line>
+  </file>
+ </directive>
  <directive id="HTML.TidyLevel">
   <file name="HTMLPurifier/HTMLModule/Tidy.php">
    <line>45</line>
@@ -358,4 +382,14 @@
    <line>8</line>
   </file>
  </directive>
+ <directive id="URI.MungeResources">
+  <file name="HTMLPurifier/URIFilter/Munge.php">
+   <line>14</line>
+  </file>
+ </directive>
+ <directive id="URI.MungeSecretKey">
+  <file name="HTMLPurifier/URIFilter/Munge.php">
+   <line>15</line>
+  </file>
+ </directive>
 </usage>

docs/dev-config-schema.html

@@ -367,7 +367,7 @@ Test.Example</pre>
       For example, <code>HTMLPurifier_ConfigSchema_Builder_ConfigSchema</code>
       generates a runtime <code>HTMLPurifier_ConfigSchema</code> object,
       which <code>HTMLPurifier_Config</code> uses to validate its incoming
-      data. There is also a planned documentation builder.
+      data. There is also an XML serializer, which is used to build documentation.
     </p>
     
     <div id="version">$Id$</div>

docs/enduser-customize.html

@@ -158,7 +158,7 @@
 <pre>$config = HTMLPurifier_Config::createDefault();
 $config->set('HTML', 'DefinitionID', 'enduser-customize.html tutorial');
 $config->set('HTML', 'DefinitionRev', 1);
-$def =& $config->getHTMLDefinition(true);</pre>
+$def = $config->getHTMLDefinition(true);</pre>
 
 <p>
   Assuming that HTML Purifier has already been properly loaded (hint:
@@ -214,7 +214,7 @@ $def =& $config->getHTMLDefinition(true);</pre>
 $config->set('HTML', 'DefinitionID', 'enduser-customize.html tutorial');
 $config->set('HTML', 'DefinitionRev', 1);
 <strong>$config->set('Core', 'DefinitionCache', null); // remove this later!</strong>
-$def =& $config->getHTMLDefinition(true);</pre>
+$def = $config->getHTMLDefinition(true);</pre>
 
 <p>
   A few things should be mentioned about the caching mechanism before
@@ -270,7 +270,7 @@ $def =& $config->getHTMLDefinition(true);</pre>
 $config->set('HTML', 'DefinitionID', 'enduser-customize.html tutorial');
 $config->set('HTML', 'DefinitionRev', 1);
 $config->set('Core', 'DefinitionCache', null); // remove this later!
-$def =& $config->getHTMLDefinition(true);
+$def = $config->getHTMLDefinition(true);
 <strong>$def->addAttribute('a', 'target', 'Enum#_blank,_self,_target,_top');</strong></pre>
 
 <p>
@@ -388,7 +388,7 @@ $def =& $config->getHTMLDefinition(true);
 $config->set('HTML', 'DefinitionID', 'enduser-customize.html tutorial');
 $config->set('HTML', 'DefinitionRev', 1);
 $config->set('Core', 'DefinitionCache', null); // remove this later!
-$def =& $config->getHTMLDefinition(true);
+$def = $config->getHTMLDefinition(true);
 <strong>$def->addAttribute('a', 'target', new HTMLPurifier_AttrDef_Enum(
   array('_blank','_self','_target','_top')
 ));</strong></pre>
@@ -735,11 +735,11 @@ $def =& $config->getHTMLDefinition(true);
 $config->set('HTML', 'DefinitionID', 'enduser-customize.html tutorial');
 $config->set('HTML', 'DefinitionRev', 1);
 $config->set('Core', 'DefinitionCache', null); // remove this later!
-$def =& $config->getHTMLDefinition(true);
+$def = $config->getHTMLDefinition(true);
 $def->addAttribute('a', 'target', new HTMLPurifier_AttrDef_Enum(
   array('_blank','_self','_target','_top')
 ));
-<strong>$form =& $def->addElement(
+<strong>$form = $def->addElement(
   'form',   // name
   'Block',  // content set
   'Flow', // allowed children

docs/enduser-uri-filter.html

@@ -35,7 +35,7 @@
 {
     public $name = '<strong>NameOfFilter</strong>';
     public function prepare($config) {}
-    public function filter(&$uri, $config, &$context) {}
+    public function filter(&$uri, $config, $context) {}
 }</pre>
 
 <p>
@@ -60,8 +60,8 @@
     public function HTMLPurifier_URI($scheme, $userinfo, $host, $port, $path, $query, $fragment);
     public function toString();
     public function copy();
-    public function getSchemeObj($config, &$context);
-    public function validate($config, &$context);
+    public function getSchemeObj($config, $context);
+    public function validate($config, $context);
 }</pre>
 
 <p>
@@ -130,30 +130,26 @@
 </p>
 
 <p>
-  Let's suppose I wanted to write a filter that de-internationalized domain
-  names by converting them to <a href="http://en.wikipedia.org/wiki/Punycode">Punycode</a>.
-  Assuming that <code>punycode_encode($input)</code> converts <code>$input</code> to
-  Punycode and returns <code>false</code> on failure:
+  Let's suppose I wanted to write a filter that converted links with a
+  custom <code>image</code> scheme to its corresponding real path on
+  our website:
 </p>
 
-<pre>class HTMLPurifier_URIFilter_ConvertIDNToPunycode extends HTMLPurifier_URIFilter
+<pre>class HTMLPurifier_URIFilter_TransformImageScheme extends HTMLPurifier_URIFilter
 {
-    public $name = 'ConvertIDNToPunycode';
-    public function filter(&$uri, $config, &$context) {
-        if (is_null($uri->host)) return true;
-        if ($uri->host == utf8_decode($uri->host)) {
-            // is ASCII, abort
-            return true;
-        }
-        $host = punycode_encode($uri->host);
-        if ($host === false) return false;
-        $uri->host = $host;
+    public $name = 'TransformImageScheme';
+    public function filter(&$uri, $config, $context) {
+        if ($uri->scheme !== 'image') return true;
+        $img_name = $uri->path;
+        // Overwrite the previous URI object
+        $uri = new HTMLPurifier_URI('http', null, null, null, '/img/' . $img_name . '.png', null, null);
         return true;
     }
 }</pre>
 
 <p>
-  Notice I did not <code>return $uri;</code>.
+  Notice I did not <code>return $uri;</code>. This filter would turn
+  <code>image:Foo</code> into <code>/img/Foo.png</code>.
 </p>
 
 <h2>Activating your filter</h2>
@@ -163,7 +159,7 @@
   to use it. Fortunately, this part's simple:
 </p>
 
-<pre>$uri =& $config->getDefinition('URI');
+<pre>$uri = $config->getDefinition('URI');
 $uri->addFilter(new HTMLPurifier_URIFilter_<strong>NameOfFilter</strong>());</pre>
 
 <p>
@@ -177,7 +173,7 @@ $uri->addFilter(new HTMLPurifier_URIFilter_<strong>NameOfFilter</strong>());</pr
     'URI', '<strong>NameOfFilter</strong>', false, 'bool',
     '<strong>What your filter does.</strong>'
 );
-$uri =& $config->getDefinition('URI', true);
+$uri = $config->getDefinition('URI', true);
 $uri->registerFilter(new HTMLPurifier_URIFilter_<strong>NameOfFilter</strong>());
 </pre>
 
@@ -186,6 +182,25 @@ $uri->registerFilter(new HTMLPurifier_URIFilter_<strong>NameOfFilter</strong>())
   is set to true.
 </p>
 
+<h2>Post-filter</h2>
+
+<p>
+    Remember our TransformImageScheme filter? That filter acted before we had
+    performed scheme validation; otherwise, the URI would have been filtered
+    out when it was discovered that there was no image scheme. Well, a post-filter
+    is run after scheme specific validation, so it's ideal for bulk
+    post-processing of URIs, including munging. To specify a URI as a post-filter,
+    set the <code>$post</code> member variable to TRUE.
+</p>
+
+<pre>class HTMLPurifier_URIFilter_MyPostFilter extends HTMLPurifier_URIFilter
+{
+    public $name = 'MyPostFilter';
+    public $post = true;
+    // ... extra code here
+}
+</pre>
+
 <h2>Examples</h2>
 
 <p>

docs/enduser-youtube.html

@@ -75,9 +75,7 @@ passes through HTML Purifier <em>unharmed</em>.
 <p>And the corresponding usage:</p>
 
 <pre>&lt;?php
-    // assuming $purifier is an instance of HTMLPurifier
-    require_once 'HTMLPurifier/Filter/YouTube.php';
-    $purifier-&gt;addFilter(new HTMLPurifier_Filter_YouTube());
+    $config->set('Filter', 'YouTube', true);
 ?&gt;</pre>
 
 <p>There is a bit going in the two code snippets, so let's explain.</p>

docs/specimens/LICENSE

@@ -1,8 +1,8 @@
-Licensing of Specimens
-
-Some files in this directory have different licenses:
-
-windows-live-mail-desktop-beta.html - donated by laacz, public domain
-img.png - LGPL, from <http://commons.wikimedia.org/wiki/Image:Pastille_chrome.png>
-
-All other files are by me, and are licensed under LGPL.
+Licensing of Specimens
+
+Some files in this directory have different licenses:
+
+windows-live-mail-desktop-beta.html - donated by laacz, public domain
+img.png - LGPL, from <http://commons.wikimedia.org/wiki/Image:Pastille_chrome.png>
+
+All other files are by me, and are licensed under LGPL.

docs/specimens/jochem-blok-word.html

@@ -0,0 +1,129 @@
+<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
+
+<head>
+<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
+<meta name=Generator content="Microsoft Word 12 (filtered medium)">
+<!--[if !mso]>
+<style>
+v\:* {behavior:url(#default#VML);}
+o\:* {behavior:url(#default#VML);}
+w\:* {behavior:url(#default#VML);}
+..shape {behavior:url(#default#VML);}
+</style>
+<![endif]-->
+<style>
+<!--
+ /* Font Definitions */
+ @font-face
+	{font-family:"Cambria Math";
+	panose-1:2 4 5 3 5 4 6 3 2 4;}
+@font-face
+	{font-family:Calibri;
+	panose-1:2 15 5 2 2 2 4 3 2 4;}
+@font-face
+	{font-family:Tahoma;
+	panose-1:2 11 6 4 3 5 4 4 2 4;}
+@font-face
+	{font-family:Verdana;
+	panose-1:2 11 6 4 3 5 4 4 2 4;}
+ /* Style Definitions */
+ p.MsoNormal, li.MsoNormal, div.MsoNormal
+	{margin:0cm;
+	margin-bottom:.0001pt;
+	font-size:10.0pt;
+	font-family:"Verdana","sans-serif";}
+a:link, span.MsoHyperlink
+	{mso-style-priority:99;
+	color:blue;
+	text-decoration:underline;}
+a:visited, span.MsoHyperlinkFollowed
+	{mso-style-priority:99;
+	color:purple;
+	text-decoration:underline;}
+p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
+	{mso-style-priority:99;
+	mso-style-link:"Balloon Text Char";
+	margin:0cm;
+	margin-bottom:.0001pt;
+	font-size:8.0pt;
+	font-family:"Tahoma","sans-serif";}
+span.EmailStyle17
+	{mso-style-type:personal-compose;
+	font-family:"Verdana","sans-serif";
+	color:windowtext;}
+span.BalloonTextChar
+	{mso-style-name:"Balloon Text Char";
+	mso-style-priority:99;
+	mso-style-link:"Balloon Text";
+	font-family:"Tahoma","sans-serif";}
+..MsoChpDefault
+	{mso-style-type:export-only;}
+@page Section1
+	{size:612.0pt 792.0pt;
+	margin:70.85pt 70.85pt 70.85pt 70.85pt;}
+div.Section1
+	{page:Section1;}
+-->
+</style>
+<!--[if gte mso 9]><xml>
+ <o:shapedefaults v:ext="edit" spidmax="2050" />
+</xml><![endif]--><!--[if gte mso 9]><xml>
+ <o:shapelayout v:ext="edit">
+  <o:idmap v:ext="edit" data="1" />
+ </o:shapelayout></xml><![endif]-->
+</head>
+
+<body lang=NL link=blue vlink=purple>
+
+<div class=Section1>
+
+<p class=MsoNormal><img width=1277 height=994 id="Picture_x0020_1"
+src="cid:image001.png@01C8CBDF.5D1BAEE0"><o:p></o:p></p>
+
+<p class=MsoNormal><o:p>&nbsp;</o:p></p>
+
+<p class=MsoNormal><b>Name<o:p></o:p></b></p>
+
+<p class=MsoNormal>E-mail : <a href="mailto:mail@example.com"><span
+style='color:windowtext'>mail@example.com</span></a><o:p></o:p></p>
+
+<p class=MsoNormal><o:p>&nbsp;</o:p></p>
+
+<p class=MsoNormal><b>Company<o:p></o:p></b></p>
+
+<p class=MsoNormal>Address 1<o:p></o:p></p>
+
+<p class=MsoNormal>Address 2<o:p></o:p></p>
+
+<p class=MsoNormal><o:p>&nbsp;</o:p></p>
+
+<p class=MsoNormal>Telefoon&nbsp; : +xx xx xxx xxx xx <span style='color:black'><o:p></o:p></span></p>
+
+<p class=MsoNormal><span lang=EN-US style='color:black'>Fax&nbsp; : +xx xx xxx xx xx<o:p></o:p></span></p>
+
+<p class=MsoNormal><span lang=EN-US style='color:black'>Internet : </span><span
+style='color:black'><a href="http://www.example.com/"><span lang=EN-US
+style='color:black'>http://www.example.com</span></a></span><span
+lang=EN-US style='color:black'><o:p></o:p></span></p>
+
+<p class=MsoNormal><span lang=EN-US style='color:black'>Kamer van koophandel
+xxxxxxxxx<o:p></o:p></span></p>
+
+<p class=MsoNormal><span lang=EN-US style='color:black'><o:p>&nbsp;</o:p></span></p>
+
+<p class=MsoNormal><span lang=EN-US style='font-size:7.5pt;color:black'>Op deze
+e-mail is een disclaimer van toepassing, ga naar </span><span lang=EN-US
+style='font-size:7.5pt'><a
+href="http://www.example.com/disclaimer"><span
+style='color:black'>www.example.com/disclaimer</span></a><br>
+<span style='color:black'>A disclaimer is applicable to this email, please
+refer to </span><a href="http://www.example.com/disclaimer"><span
+style='color:black'>www.example.com/disclaimer</span></a><o:p></o:p></span></p>
+
+<p class=MsoNormal><span lang=EN-US><o:p>&nbsp;</o:p></span></p>
+
+</div>
+
+</body>
+
+</html>

library/HTMLPurifier.includes.php

@@ -7,7 +7,7 @@
  * primary concern and you are using an opcode cache. PLEASE DO NOT EDIT THIS
  * FILE, changes will be overwritten the next time the script is run.
  * 
- * @version 3.0.0
+ * @version 3.1.1
  * 
  * @warning
  *      You must *not* include any other HTML Purifier files before this file,
@@ -29,7 +29,6 @@ require 'HTMLPurifier/Definition.php';
 require 'HTMLPurifier/CSSDefinition.php';
 require 'HTMLPurifier/ChildDef.php';
 require 'HTMLPurifier/Config.php';
-require 'HTMLPurifier/ConfigDef.php';
 require 'HTMLPurifier/ConfigSchema.php';
 require 'HTMLPurifier/ContentSets.php';
 require 'HTMLPurifier/Context.php';
@@ -41,7 +40,6 @@ require 'HTMLPurifier/ElementDef.php';
 require 'HTMLPurifier/Encoder.php';
 require 'HTMLPurifier/EntityLookup.php';
 require 'HTMLPurifier/EntityParser.php';
-require 'HTMLPurifier/Error.php';
 require 'HTMLPurifier/ErrorCollector.php';
 require 'HTMLPurifier/Exception.php';
 require 'HTMLPurifier/Filter.php';
@@ -53,6 +51,7 @@ require 'HTMLPurifier/IDAccumulator.php';
 require 'HTMLPurifier/Injector.php';
 require 'HTMLPurifier/Language.php';
 require 'HTMLPurifier/LanguageFactory.php';
+require 'HTMLPurifier/Length.php';
 require 'HTMLPurifier/Lexer.php';
 require 'HTMLPurifier/PercentEncoder.php';
 require 'HTMLPurifier/Strategy.php';
@@ -67,12 +66,14 @@ require 'HTMLPurifier/URIFilter.php';
 require 'HTMLPurifier/URIParser.php';
 require 'HTMLPurifier/URIScheme.php';
 require 'HTMLPurifier/URISchemeRegistry.php';
+require 'HTMLPurifier/UnitConverter.php';
 require 'HTMLPurifier/VarParser.php';
 require 'HTMLPurifier/VarParserException.php';
 require 'HTMLPurifier/AttrDef/CSS.php';
 require 'HTMLPurifier/AttrDef/Enum.php';
 require 'HTMLPurifier/AttrDef/Integer.php';
 require 'HTMLPurifier/AttrDef/Lang.php';
+require 'HTMLPurifier/AttrDef/Switch.php';
 require 'HTMLPurifier/AttrDef/Text.php';
 require 'HTMLPurifier/AttrDef/URI.php';
 require 'HTMLPurifier/AttrDef/CSS/Number.php';
@@ -82,6 +83,7 @@ require 'HTMLPurifier/AttrDef/CSS/BackgroundPosition.php';
 require 'HTMLPurifier/AttrDef/CSS/Border.php';
 require 'HTMLPurifier/AttrDef/CSS/Color.php';
 require 'HTMLPurifier/AttrDef/CSS/Composite.php';
+require 'HTMLPurifier/AttrDef/CSS/DenyElementDecorator.php';
 require 'HTMLPurifier/AttrDef/CSS/Filter.php';
 require 'HTMLPurifier/AttrDef/CSS/Font.php';
 require 'HTMLPurifier/AttrDef/CSS/FontFamily.php';
@@ -116,6 +118,10 @@ require 'HTMLPurifier/AttrTransform/ImgSpace.php';
 require 'HTMLPurifier/AttrTransform/Lang.php';
 require 'HTMLPurifier/AttrTransform/Length.php';
 require 'HTMLPurifier/AttrTransform/Name.php';
+require 'HTMLPurifier/AttrTransform/SafeEmbed.php';
+require 'HTMLPurifier/AttrTransform/SafeObject.php';
+require 'HTMLPurifier/AttrTransform/SafeParam.php';
+require 'HTMLPurifier/AttrTransform/ScriptRequired.php';
 require 'HTMLPurifier/ChildDef/Chameleon.php';
 require 'HTMLPurifier/ChildDef/Custom.php';
 require 'HTMLPurifier/ChildDef/Empty.php';
@@ -123,9 +129,6 @@ require 'HTMLPurifier/ChildDef/Required.php';
 require 'HTMLPurifier/ChildDef/Optional.php';
 require 'HTMLPurifier/ChildDef/StrictBlockquote.php';
 require 'HTMLPurifier/ChildDef/Table.php';
-require 'HTMLPurifier/ConfigDef/Directive.php';
-require 'HTMLPurifier/ConfigDef/DirectiveAlias.php';
-require 'HTMLPurifier/ConfigDef/Namespace.php';
 require 'HTMLPurifier/DefinitionCache/Decorator.php';
 require 'HTMLPurifier/DefinitionCache/Null.php';
 require 'HTMLPurifier/DefinitionCache/Serializer.php';
@@ -143,6 +146,8 @@ require 'HTMLPurifier/HTMLModule/Object.php';
 require 'HTMLPurifier/HTMLModule/Presentation.php';
 require 'HTMLPurifier/HTMLModule/Proprietary.php';
 require 'HTMLPurifier/HTMLModule/Ruby.php';
+require 'HTMLPurifier/HTMLModule/SafeEmbed.php';
+require 'HTMLPurifier/HTMLModule/SafeObject.php';
 require 'HTMLPurifier/HTMLModule/Scripting.php';
 require 'HTMLPurifier/HTMLModule/StyleAttribute.php';
 require 'HTMLPurifier/HTMLModule/Tables.php';
@@ -158,6 +163,7 @@ require 'HTMLPurifier/HTMLModule/Tidy/XHTML.php';
 require 'HTMLPurifier/Injector/AutoParagraph.php';
 require 'HTMLPurifier/Injector/Linkify.php';
 require 'HTMLPurifier/Injector/PurifierLinkify.php';
+require 'HTMLPurifier/Injector/SafeObject.php';
 require 'HTMLPurifier/Lexer/DOMLex.php';
 require 'HTMLPurifier/Lexer/DirectLex.php';
 require 'HTMLPurifier/Strategy/Composite.php';
@@ -178,6 +184,7 @@ require 'HTMLPurifier/URIFilter/DisableExternal.php';
 require 'HTMLPurifier/URIFilter/DisableExternalResources.php';
 require 'HTMLPurifier/URIFilter/HostBlacklist.php';
 require 'HTMLPurifier/URIFilter/MakeAbsolute.php';
+require 'HTMLPurifier/URIFilter/Munge.php';
 require 'HTMLPurifier/URIScheme/ftp.php';
 require 'HTMLPurifier/URIScheme/http.php';
 require 'HTMLPurifier/URIScheme/https.php';

library/HTMLPurifier.php

@@ -15,13 +15,11 @@
  *  -# Generating HTML from the purified tokens.
  * 
  * However, most users will only need to interface with the HTMLPurifier
- * class, so this massive amount of infrastructure is usually concealed.
- * If you plan on working with the internals, be sure to include
- * HTMLPurifier_ConfigSchema and HTMLPurifier_Config.
+ * and HTMLPurifier_Config.
  */
 
 /*
-    HTML Purifier 3.1.0rc1 - Standards Compliant HTML Filtering
+    HTML Purifier 3.1.1 - Standards Compliant HTML Filtering
     Copyright (C) 2006-2008 Edward Z. Yang
 
     This library is free software; you can redistribute it and/or
@@ -57,7 +55,10 @@ class HTMLPurifier
 {
     
     /** Version of HTML Purifier */
-    public $version = '3.1.0rc1';
+    public $version = '3.1.1';
+    
+    /** Constant with version of HTML Purifier */
+    const VERSION = '3.1.1';
     
     /** Global configuration object */
     public $config;
@@ -89,7 +90,6 @@ class HTMLPurifier
         $this->config = HTMLPurifier_Config::create($config);
         
         $this->strategy     = new HTMLPurifier_Strategy_Core();
-        $this->generator    = new HTMLPurifier_Generator();
         
     }
     
@@ -123,8 +123,8 @@ class HTMLPurifier
         
         $context = new HTMLPurifier_Context();
         
-        // our friendly neighborhood generator, all primed with configuration too!
-        $this->generator->generateFromTokens(array(), $config, $context);
+        // setup HTML generator
+        $this->generator = new HTMLPurifier_Generator($config, $context);
         $context->register('Generator', $this->generator);
         
         // set up global context variables
@@ -177,8 +177,7 @@ class HTMLPurifier
                         $html, $config, $context
                     ),
                     $config, $context
-                ),
-                $config, $context
+                )
             );
         
         for ($i = $filter_size - 1; $i >= 0; $i--) {
@@ -209,9 +208,10 @@ class HTMLPurifier
     /**
      * Singleton for enforcing just one HTML Purifier in your system
      * @param $prototype Optional prototype HTMLPurifier instance to
-     *                   overload singleton with.
+     *                   overload singleton with, or HTMLPurifier_Config
+     *                   instance to configure the generated version with.
      */
-    public static function getInstance($prototype = null) {
+    public static function instance($prototype = null) {
         if (!self::$instance || $prototype) {
             if ($prototype instanceof HTMLPurifier) {
                 self::$instance = $prototype;
@@ -224,4 +224,11 @@ class HTMLPurifier
         return self::$instance;
     }
     
+    /**
+     * @note Backwards compatibility, see instance()
+     */
+    public static function getInstance($prototype = null) {
+        return HTMLPurifier::instance($prototype);
+    }
+    
 }

library/HTMLPurifier.safe-includes.php

@@ -1,182 +1,189 @@
-<?php
-
-/**
- * @file
- * This file was auto-generated by generate-includes.php and includes all of
- * the core files required by HTML Purifier. This is a convenience stub that
- * includes all files using dirname(__FILE__) and require_once. PLEASE DO NOT
- * EDIT THIS FILE, changes will be overwritten the next time the script is run.
- * 
- * Changes to include_path are not necessary.
- */
-
-$__dir = dirname(__FILE__);
-
-require_once $__dir . '/HTMLPurifier.php';
-require_once $__dir . '/HTMLPurifier/AttrCollections.php';
-require_once $__dir . '/HTMLPurifier/AttrDef.php';
-require_once $__dir . '/HTMLPurifier/AttrTransform.php';
-require_once $__dir . '/HTMLPurifier/AttrTypes.php';
-require_once $__dir . '/HTMLPurifier/AttrValidator.php';
-require_once $__dir . '/HTMLPurifier/Bootstrap.php';
-require_once $__dir . '/HTMLPurifier/Definition.php';
-require_once $__dir . '/HTMLPurifier/CSSDefinition.php';
-require_once $__dir . '/HTMLPurifier/ChildDef.php';
-require_once $__dir . '/HTMLPurifier/Config.php';
-require_once $__dir . '/HTMLPurifier/ConfigDef.php';
-require_once $__dir . '/HTMLPurifier/ConfigSchema.php';
-require_once $__dir . '/HTMLPurifier/ContentSets.php';
-require_once $__dir . '/HTMLPurifier/Context.php';
-require_once $__dir . '/HTMLPurifier/DefinitionCache.php';
-require_once $__dir . '/HTMLPurifier/DefinitionCacheFactory.php';
-require_once $__dir . '/HTMLPurifier/Doctype.php';
-require_once $__dir . '/HTMLPurifier/DoctypeRegistry.php';
-require_once $__dir . '/HTMLPurifier/ElementDef.php';
-require_once $__dir . '/HTMLPurifier/Encoder.php';
-require_once $__dir . '/HTMLPurifier/EntityLookup.php';
-require_once $__dir . '/HTMLPurifier/EntityParser.php';
-require_once $__dir . '/HTMLPurifier/Error.php';
-require_once $__dir . '/HTMLPurifier/ErrorCollector.php';
-require_once $__dir . '/HTMLPurifier/Exception.php';
-require_once $__dir . '/HTMLPurifier/Filter.php';
-require_once $__dir . '/HTMLPurifier/Generator.php';
-require_once $__dir . '/HTMLPurifier/HTMLDefinition.php';
-require_once $__dir . '/HTMLPurifier/HTMLModule.php';
-require_once $__dir . '/HTMLPurifier/HTMLModuleManager.php';
-require_once $__dir . '/HTMLPurifier/IDAccumulator.php';
-require_once $__dir . '/HTMLPurifier/Injector.php';
-require_once $__dir . '/HTMLPurifier/Language.php';
-require_once $__dir . '/HTMLPurifier/LanguageFactory.php';
-require_once $__dir . '/HTMLPurifier/Lexer.php';
-require_once $__dir . '/HTMLPurifier/PercentEncoder.php';
-require_once $__dir . '/HTMLPurifier/Strategy.php';
-require_once $__dir . '/HTMLPurifier/StringHash.php';
-require_once $__dir . '/HTMLPurifier/StringHashParser.php';
-require_once $__dir . '/HTMLPurifier/TagTransform.php';
-require_once $__dir . '/HTMLPurifier/Token.php';
-require_once $__dir . '/HTMLPurifier/TokenFactory.php';
-require_once $__dir . '/HTMLPurifier/URI.php';
-require_once $__dir . '/HTMLPurifier/URIDefinition.php';
-require_once $__dir . '/HTMLPurifier/URIFilter.php';
-require_once $__dir . '/HTMLPurifier/URIParser.php';
-require_once $__dir . '/HTMLPurifier/URIScheme.php';
-require_once $__dir . '/HTMLPurifier/URISchemeRegistry.php';
-require_once $__dir . '/HTMLPurifier/VarParser.php';
-require_once $__dir . '/HTMLPurifier/VarParserException.php';
-require_once $__dir . '/HTMLPurifier/AttrDef/CSS.php';
-require_once $__dir . '/HTMLPurifier/AttrDef/Enum.php';
-require_once $__dir . '/HTMLPurifier/AttrDef/Integer.php';
-require_once $__dir . '/HTMLPurifier/AttrDef/Lang.php';
-require_once $__dir . '/HTMLPurifier/AttrDef/Text.php';
-require_once $__dir . '/HTMLPurifier/AttrDef/URI.php';
-require_once $__dir . '/HTMLPurifier/AttrDef/CSS/Number.php';
-require_once $__dir . '/HTMLPurifier/AttrDef/CSS/AlphaValue.php';
-require_once $__dir . '/HTMLPurifier/AttrDef/CSS/Background.php';
-require_once $__dir . '/HTMLPurifier/AttrDef/CSS/BackgroundPosition.php';
-require_once $__dir . '/HTMLPurifier/AttrDef/CSS/Border.php';
-require_once $__dir . '/HTMLPurifier/AttrDef/CSS/Color.php';
-require_once $__dir . '/HTMLPurifier/AttrDef/CSS/Composite.php';
-require_once $__dir . '/HTMLPurifier/AttrDef/CSS/Filter.php';
-require_once $__dir . '/HTMLPurifier/AttrDef/CSS/Font.php';
-require_once $__dir . '/HTMLPurifier/AttrDef/CSS/FontFamily.php';
-require_once $__dir . '/HTMLPurifier/AttrDef/CSS/ImportantDecorator.php';
-require_once $__dir . '/HTMLPurifier/AttrDef/CSS/Length.php';
-require_once $__dir . '/HTMLPurifier/AttrDef/CSS/ListStyle.php';
-require_once $__dir . '/HTMLPurifier/AttrDef/CSS/Multiple.php';
-require_once $__dir . '/HTMLPurifier/AttrDef/CSS/Percentage.php';
-require_once $__dir . '/HTMLPurifier/AttrDef/CSS/TextDecoration.php';
-require_once $__dir . '/HTMLPurifier/AttrDef/CSS/URI.php';
-require_once $__dir . '/HTMLPurifier/AttrDef/HTML/Bool.php';
-require_once $__dir . '/HTMLPurifier/AttrDef/HTML/Color.php';
-require_once $__dir . '/HTMLPurifier/AttrDef/HTML/FrameTarget.php';
-require_once $__dir . '/HTMLPurifier/AttrDef/HTML/ID.php';
-require_once $__dir . '/HTMLPurifier/AttrDef/HTML/Pixels.php';
-require_once $__dir . '/HTMLPurifier/AttrDef/HTML/Length.php';
-require_once $__dir . '/HTMLPurifier/AttrDef/HTML/LinkTypes.php';
-require_once $__dir . '/HTMLPurifier/AttrDef/HTML/MultiLength.php';
-require_once $__dir . '/HTMLPurifier/AttrDef/HTML/Nmtokens.php';
-require_once $__dir . '/HTMLPurifier/AttrDef/URI/Email.php';
-require_once $__dir . '/HTMLPurifier/AttrDef/URI/Host.php';
-require_once $__dir . '/HTMLPurifier/AttrDef/URI/IPv4.php';
-require_once $__dir . '/HTMLPurifier/AttrDef/URI/IPv6.php';
-require_once $__dir . '/HTMLPurifier/AttrDef/URI/Email/SimpleCheck.php';
-require_once $__dir . '/HTMLPurifier/AttrTransform/BdoDir.php';
-require_once $__dir . '/HTMLPurifier/AttrTransform/BgColor.php';
-require_once $__dir . '/HTMLPurifier/AttrTransform/BoolToCSS.php';
-require_once $__dir . '/HTMLPurifier/AttrTransform/Border.php';
-require_once $__dir . '/HTMLPurifier/AttrTransform/EnumToCSS.php';
-require_once $__dir . '/HTMLPurifier/AttrTransform/ImgRequired.php';
-require_once $__dir . '/HTMLPurifier/AttrTransform/ImgSpace.php';
-require_once $__dir . '/HTMLPurifier/AttrTransform/Lang.php';
-require_once $__dir . '/HTMLPurifier/AttrTransform/Length.php';
-require_once $__dir . '/HTMLPurifier/AttrTransform/Name.php';
-require_once $__dir . '/HTMLPurifier/ChildDef/Chameleon.php';
-require_once $__dir . '/HTMLPurifier/ChildDef/Custom.php';
-require_once $__dir . '/HTMLPurifier/ChildDef/Empty.php';
-require_once $__dir . '/HTMLPurifier/ChildDef/Required.php';
-require_once $__dir . '/HTMLPurifier/ChildDef/Optional.php';
-require_once $__dir . '/HTMLPurifier/ChildDef/StrictBlockquote.php';
-require_once $__dir . '/HTMLPurifier/ChildDef/Table.php';
-require_once $__dir . '/HTMLPurifier/ConfigDef/Directive.php';
-require_once $__dir . '/HTMLPurifier/ConfigDef/DirectiveAlias.php';
-require_once $__dir . '/HTMLPurifier/ConfigDef/Namespace.php';
-require_once $__dir . '/HTMLPurifier/DefinitionCache/Decorator.php';
-require_once $__dir . '/HTMLPurifier/DefinitionCache/Null.php';
-require_once $__dir . '/HTMLPurifier/DefinitionCache/Serializer.php';
-require_once $__dir . '/HTMLPurifier/DefinitionCache/Decorator/Cleanup.php';
-require_once $__dir . '/HTMLPurifier/DefinitionCache/Decorator/Memory.php';
-require_once $__dir . '/HTMLPurifier/HTMLModule/Bdo.php';
-require_once $__dir . '/HTMLPurifier/HTMLModule/CommonAttributes.php';
-require_once $__dir . '/HTMLPurifier/HTMLModule/Edit.php';
-require_once $__dir . '/HTMLPurifier/HTMLModule/Hypertext.php';
-require_once $__dir . '/HTMLPurifier/HTMLModule/Image.php';
-require_once $__dir . '/HTMLPurifier/HTMLModule/Legacy.php';
-require_once $__dir . '/HTMLPurifier/HTMLModule/List.php';
-require_once $__dir . '/HTMLPurifier/HTMLModule/NonXMLCommonAttributes.php';
-require_once $__dir . '/HTMLPurifier/HTMLModule/Object.php';
-require_once $__dir . '/HTMLPurifier/HTMLModule/Presentation.php';
-require_once $__dir . '/HTMLPurifier/HTMLModule/Proprietary.php';
-require_once $__dir . '/HTMLPurifier/HTMLModule/Ruby.php';
-require_once $__dir . '/HTMLPurifier/HTMLModule/Scripting.php';
-require_once $__dir . '/HTMLPurifier/HTMLModule/StyleAttribute.php';
-require_once $__dir . '/HTMLPurifier/HTMLModule/Tables.php';
-require_once $__dir . '/HTMLPurifier/HTMLModule/Target.php';
-require_once $__dir . '/HTMLPurifier/HTMLModule/Text.php';
-require_once $__dir . '/HTMLPurifier/HTMLModule/Tidy.php';
-require_once $__dir . '/HTMLPurifier/HTMLModule/XMLCommonAttributes.php';
-require_once $__dir . '/HTMLPurifier/HTMLModule/Tidy/Proprietary.php';
-require_once $__dir . '/HTMLPurifier/HTMLModule/Tidy/XHTMLAndHTML4.php';
-require_once $__dir . '/HTMLPurifier/HTMLModule/Tidy/Strict.php';
-require_once $__dir . '/HTMLPurifier/HTMLModule/Tidy/Transitional.php';
-require_once $__dir . '/HTMLPurifier/HTMLModule/Tidy/XHTML.php';
-require_once $__dir . '/HTMLPurifier/Injector/AutoParagraph.php';
-require_once $__dir . '/HTMLPurifier/Injector/Linkify.php';
-require_once $__dir . '/HTMLPurifier/Injector/PurifierLinkify.php';
-require_once $__dir . '/HTMLPurifier/Lexer/DOMLex.php';
-require_once $__dir . '/HTMLPurifier/Lexer/DirectLex.php';
-require_once $__dir . '/HTMLPurifier/Strategy/Composite.php';
-require_once $__dir . '/HTMLPurifier/Strategy/Core.php';
-require_once $__dir . '/HTMLPurifier/Strategy/FixNesting.php';
-require_once $__dir . '/HTMLPurifier/Strategy/MakeWellFormed.php';
-require_once $__dir . '/HTMLPurifier/Strategy/RemoveForeignElements.php';
-require_once $__dir . '/HTMLPurifier/Strategy/ValidateAttributes.php';
-require_once $__dir . '/HTMLPurifier/TagTransform/Font.php';
-require_once $__dir . '/HTMLPurifier/TagTransform/Simple.php';
-require_once $__dir . '/HTMLPurifier/Token/Comment.php';
-require_once $__dir . '/HTMLPurifier/Token/Tag.php';
-require_once $__dir . '/HTMLPurifier/Token/Empty.php';
-require_once $__dir . '/HTMLPurifier/Token/End.php';
-require_once $__dir . '/HTMLPurifier/Token/Start.php';
-require_once $__dir . '/HTMLPurifier/Token/Text.php';
-require_once $__dir . '/HTMLPurifier/URIFilter/DisableExternal.php';
-require_once $__dir . '/HTMLPurifier/URIFilter/DisableExternalResources.php';
-require_once $__dir . '/HTMLPurifier/URIFilter/HostBlacklist.php';
-require_once $__dir . '/HTMLPurifier/URIFilter/MakeAbsolute.php';
-require_once $__dir . '/HTMLPurifier/URIScheme/ftp.php';
-require_once $__dir . '/HTMLPurifier/URIScheme/http.php';
-require_once $__dir . '/HTMLPurifier/URIScheme/https.php';
-require_once $__dir . '/HTMLPurifier/URIScheme/mailto.php';
-require_once $__dir . '/HTMLPurifier/URIScheme/news.php';
-require_once $__dir . '/HTMLPurifier/URIScheme/nntp.php';
-require_once $__dir . '/HTMLPurifier/VarParser/Flexible.php';
-require_once $__dir . '/HTMLPurifier/VarParser/Native.php';
+<?php
+
+/**
+ * @file
+ * This file was auto-generated by generate-includes.php and includes all of
+ * the core files required by HTML Purifier. This is a convenience stub that
+ * includes all files using dirname(__FILE__) and require_once. PLEASE DO NOT
+ * EDIT THIS FILE, changes will be overwritten the next time the script is run.
+ * 
+ * Changes to include_path are not necessary.
+ */
+
+$__dir = dirname(__FILE__);
+
+require_once $__dir . '/HTMLPurifier.php';
+require_once $__dir . '/HTMLPurifier/AttrCollections.php';
+require_once $__dir . '/HTMLPurifier/AttrDef.php';
+require_once $__dir . '/HTMLPurifier/AttrTransform.php';
+require_once $__dir . '/HTMLPurifier/AttrTypes.php';
+require_once $__dir . '/HTMLPurifier/AttrValidator.php';
+require_once $__dir . '/HTMLPurifier/Bootstrap.php';
+require_once $__dir . '/HTMLPurifier/Definition.php';
+require_once $__dir . '/HTMLPurifier/CSSDefinition.php';
+require_once $__dir . '/HTMLPurifier/ChildDef.php';
+require_once $__dir . '/HTMLPurifier/Config.php';
+require_once $__dir . '/HTMLPurifier/ConfigSchema.php';
+require_once $__dir . '/HTMLPurifier/ContentSets.php';
+require_once $__dir . '/HTMLPurifier/Context.php';
+require_once $__dir . '/HTMLPurifier/DefinitionCache.php';
+require_once $__dir . '/HTMLPurifier/DefinitionCacheFactory.php';
+require_once $__dir . '/HTMLPurifier/Doctype.php';
+require_once $__dir . '/HTMLPurifier/DoctypeRegistry.php';
+require_once $__dir . '/HTMLPurifier/ElementDef.php';
+require_once $__dir . '/HTMLPurifier/Encoder.php';
+require_once $__dir . '/HTMLPurifier/EntityLookup.php';
+require_once $__dir . '/HTMLPurifier/EntityParser.php';
+require_once $__dir . '/HTMLPurifier/ErrorCollector.php';
+require_once $__dir . '/HTMLPurifier/Exception.php';
+require_once $__dir . '/HTMLPurifier/Filter.php';
+require_once $__dir . '/HTMLPurifier/Generator.php';
+require_once $__dir . '/HTMLPurifier/HTMLDefinition.php';
+require_once $__dir . '/HTMLPurifier/HTMLModule.php';
+require_once $__dir . '/HTMLPurifier/HTMLModuleManager.php';
+require_once $__dir . '/HTMLPurifier/IDAccumulator.php';
+require_once $__dir . '/HTMLPurifier/Injector.php';
+require_once $__dir . '/HTMLPurifier/Language.php';
+require_once $__dir . '/HTMLPurifier/LanguageFactory.php';
+require_once $__dir . '/HTMLPurifier/Length.php';
+require_once $__dir . '/HTMLPurifier/Lexer.php';
+require_once $__dir . '/HTMLPurifier/PercentEncoder.php';
+require_once $__dir . '/HTMLPurifier/Strategy.php';
+require_once $__dir . '/HTMLPurifier/StringHash.php';
+require_once $__dir . '/HTMLPurifier/StringHashParser.php';
+require_once $__dir . '/HTMLPurifier/TagTransform.php';
+require_once $__dir . '/HTMLPurifier/Token.php';
+require_once $__dir . '/HTMLPurifier/TokenFactory.php';
+require_once $__dir . '/HTMLPurifier/URI.php';
+require_once $__dir . '/HTMLPurifier/URIDefinition.php';
+require_once $__dir . '/HTMLPurifier/URIFilter.php';
+require_once $__dir . '/HTMLPurifier/URIParser.php';
+require_once $__dir . '/HTMLPurifier/URIScheme.php';
+require_once $__dir . '/HTMLPurifier/URISchemeRegistry.php';
+require_once $__dir . '/HTMLPurifier/UnitConverter.php';
+require_once $__dir . '/HTMLPurifier/VarParser.php';
+require_once $__dir . '/HTMLPurifier/VarParserException.php';
+require_once $__dir . '/HTMLPurifier/AttrDef/CSS.php';
+require_once $__dir . '/HTMLPurifier/AttrDef/Enum.php';
+require_once $__dir . '/HTMLPurifier/AttrDef/Integer.php';
+require_once $__dir . '/HTMLPurifier/AttrDef/Lang.php';
+require_once $__dir . '/HTMLPurifier/AttrDef/Switch.php';
+require_once $__dir . '/HTMLPurifier/AttrDef/Text.php';
+require_once $__dir . '/HTMLPurifier/AttrDef/URI.php';
+require_once $__dir . '/HTMLPurifier/AttrDef/CSS/Number.php';
+require_once $__dir . '/HTMLPurifier/AttrDef/CSS/AlphaValue.php';
+require_once $__dir . '/HTMLPurifier/AttrDef/CSS/Background.php';
+require_once $__dir . '/HTMLPurifier/AttrDef/CSS/BackgroundPosition.php';
+require_once $__dir . '/HTMLPurifier/AttrDef/CSS/Border.php';
+require_once $__dir . '/HTMLPurifier/AttrDef/CSS/Color.php';
+require_once $__dir . '/HTMLPurifier/AttrDef/CSS/Composite.php';
+require_once $__dir . '/HTMLPurifier/AttrDef/CSS/DenyElementDecorator.php';
+require_once $__dir . '/HTMLPurifier/AttrDef/CSS/Filter.php';
+require_once $__dir . '/HTMLPurifier/AttrDef/CSS/Font.php';
+require_once $__dir . '/HTMLPurifier/AttrDef/CSS/FontFamily.php';
+require_once $__dir . '/HTMLPurifier/AttrDef/CSS/ImportantDecorator.php';
+require_once $__dir . '/HTMLPurifier/AttrDef/CSS/Length.php';
+require_once $__dir . '/HTMLPurifier/AttrDef/CSS/ListStyle.php';
+require_once $__dir . '/HTMLPurifier/AttrDef/CSS/Multiple.php';
+require_once $__dir . '/HTMLPurifier/AttrDef/CSS/Percentage.php';
+require_once $__dir . '/HTMLPurifier/AttrDef/CSS/TextDecoration.php';
+require_once $__dir . '/HTMLPurifier/AttrDef/CSS/URI.php';
+require_once $__dir . '/HTMLPurifier/AttrDef/HTML/Bool.php';
+require_once $__dir . '/HTMLPurifier/AttrDef/HTML/Color.php';
+require_once $__dir . '/HTMLPurifier/AttrDef/HTML/FrameTarget.php';
+require_once $__dir . '/HTMLPurifier/AttrDef/HTML/ID.php';
+require_once $__dir . '/HTMLPurifier/AttrDef/HTML/Pixels.php';
+require_once $__dir . '/HTMLPurifier/AttrDef/HTML/Length.php';
+require_once $__dir . '/HTMLPurifier/AttrDef/HTML/LinkTypes.php';
+require_once $__dir . '/HTMLPurifier/AttrDef/HTML/MultiLength.php';
+require_once $__dir . '/HTMLPurifier/AttrDef/HTML/Nmtokens.php';
+require_once $__dir . '/HTMLPurifier/AttrDef/URI/Email.php';
+require_once $__dir . '/HTMLPurifier/AttrDef/URI/Host.php';
+require_once $__dir . '/HTMLPurifier/AttrDef/URI/IPv4.php';
+require_once $__dir . '/HTMLPurifier/AttrDef/URI/IPv6.php';
+require_once $__dir . '/HTMLPurifier/AttrDef/URI/Email/SimpleCheck.php';
+require_once $__dir . '/HTMLPurifier/AttrTransform/BdoDir.php';
+require_once $__dir . '/HTMLPurifier/AttrTransform/BgColor.php';
+require_once $__dir . '/HTMLPurifier/AttrTransform/BoolToCSS.php';
+require_once $__dir . '/HTMLPurifier/AttrTransform/Border.php';
+require_once $__dir . '/HTMLPurifier/AttrTransform/EnumToCSS.php';
+require_once $__dir . '/HTMLPurifier/AttrTransform/ImgRequired.php';
+require_once $__dir . '/HTMLPurifier/AttrTransform/ImgSpace.php';
+require_once $__dir . '/HTMLPurifier/AttrTransform/Lang.php';
+require_once $__dir . '/HTMLPurifier/AttrTransform/Length.php';
+require_once $__dir . '/HTMLPurifier/AttrTransform/Name.php';
+require_once $__dir . '/HTMLPurifier/AttrTransform/SafeEmbed.php';
+require_once $__dir . '/HTMLPurifier/AttrTransform/SafeObject.php';
+require_once $__dir . '/HTMLPurifier/AttrTransform/SafeParam.php';
+require_once $__dir . '/HTMLPurifier/AttrTransform/ScriptRequired.php';
+require_once $__dir . '/HTMLPurifier/ChildDef/Chameleon.php';
+require_once $__dir . '/HTMLPurifier/ChildDef/Custom.php';
+require_once $__dir . '/HTMLPurifier/ChildDef/Empty.php';
+require_once $__dir . '/HTMLPurifier/ChildDef/Required.php';
+require_once $__dir . '/HTMLPurifier/ChildDef/Optional.php';
+require_once $__dir . '/HTMLPurifier/ChildDef/StrictBlockquote.php';
+require_once $__dir . '/HTMLPurifier/ChildDef/Table.php';
+require_once $__dir . '/HTMLPurifier/DefinitionCache/Decorator.php';
+require_once $__dir . '/HTMLPurifier/DefinitionCache/Null.php';
+require_once $__dir . '/HTMLPurifier/DefinitionCache/Serializer.php';
+require_once $__dir . '/HTMLPurifier/DefinitionCache/Decorator/Cleanup.php';
+require_once $__dir . '/HTMLPurifier/DefinitionCache/Decorator/Memory.php';
+require_once $__dir . '/HTMLPurifier/HTMLModule/Bdo.php';
+require_once $__dir . '/HTMLPurifier/HTMLModule/CommonAttributes.php';
+require_once $__dir . '/HTMLPurifier/HTMLModule/Edit.php';
+require_once $__dir . '/HTMLPurifier/HTMLModule/Hypertext.php';
+require_once $__dir . '/HTMLPurifier/HTMLModule/Image.php';
+require_once $__dir . '/HTMLPurifier/HTMLModule/Legacy.php';
+require_once $__dir . '/HTMLPurifier/HTMLModule/List.php';
+require_once $__dir . '/HTMLPurifier/HTMLModule/NonXMLCommonAttributes.php';
+require_once $__dir . '/HTMLPurifier/HTMLModule/Object.php';
+require_once $__dir . '/HTMLPurifier/HTMLModule/Presentation.php';
+require_once $__dir . '/HTMLPurifier/HTMLModule/Proprietary.php';
+require_once $__dir . '/HTMLPurifier/HTMLModule/Ruby.php';
+require_once $__dir . '/HTMLPurifier/HTMLModule/SafeEmbed.php';
+require_once $__dir . '/HTMLPurifier/HTMLModule/SafeObject.php';
+require_once $__dir . '/HTMLPurifier/HTMLModule/Scripting.php';
+require_once $__dir . '/HTMLPurifier/HTMLModule/StyleAttribute.php';
+require_once $__dir . '/HTMLPurifier/HTMLModule/Tables.php';
+require_once $__dir . '/HTMLPurifier/HTMLModule/Target.php';
+require_once $__dir . '/HTMLPurifier/HTMLModule/Text.php';
+require_once $__dir . '/HTMLPurifier/HTMLModule/Tidy.php';
+require_once $__dir . '/HTMLPurifier/HTMLModule/XMLCommonAttributes.php';
+require_once $__dir . '/HTMLPurifier/HTMLModule/Tidy/Proprietary.php';
+require_once $__dir . '/HTMLPurifier/HTMLModule/Tidy/XHTMLAndHTML4.php';
+require_once $__dir . '/HTMLPurifier/HTMLModule/Tidy/Strict.php';
+require_once $__dir . '/HTMLPurifier/HTMLModule/Tidy/Transitional.php';
+require_once $__dir . '/HTMLPurifier/HTMLModule/Tidy/XHTML.php';
+require_once $__dir . '/HTMLPurifier/Injector/AutoParagraph.php';
+require_once $__dir . '/HTMLPurifier/Injector/Linkify.php';
+require_once $__dir . '/HTMLPurifier/Injector/PurifierLinkify.php';
+require_once $__dir . '/HTMLPurifier/Injector/SafeObject.php';
+require_once $__dir . '/HTMLPurifier/Lexer/DOMLex.php';
+require_once $__dir . '/HTMLPurifier/Lexer/DirectLex.php';
+require_once $__dir . '/HTMLPurifier/Strategy/Composite.php';
+require_once $__dir . '/HTMLPurifier/Strategy/Core.php';
+require_once $__dir . '/HTMLPurifier/Strategy/FixNesting.php';
+require_once $__dir . '/HTMLPurifier/Strategy/MakeWellFormed.php';
+require_once $__dir . '/HTMLPurifier/Strategy/RemoveForeignElements.php';
+require_once $__dir . '/HTMLPurifier/Strategy/ValidateAttributes.php';
+require_once $__dir . '/HTMLPurifier/TagTransform/Font.php';
+require_once $__dir . '/HTMLPurifier/TagTransform/Simple.php';
+require_once $__dir . '/HTMLPurifier/Token/Comment.php';
+require_once $__dir . '/HTMLPurifier/Token/Tag.php';
+require_once $__dir . '/HTMLPurifier/Token/Empty.php';
+require_once $__dir . '/HTMLPurifier/Token/End.php';
+require_once $__dir . '/HTMLPurifier/Token/Start.php';
+require_once $__dir . '/HTMLPurifier/Token/Text.php';
+require_once $__dir . '/HTMLPurifier/URIFilter/DisableExternal.php';
+require_once $__dir . '/HTMLPurifier/URIFilter/DisableExternalResources.php';
+require_once $__dir . '/HTMLPurifier/URIFilter/HostBlacklist.php';
+require_once $__dir . '/HTMLPurifier/URIFilter/MakeAbsolute.php';
+require_once $__dir . '/HTMLPurifier/URIFilter/Munge.php';
+require_once $__dir . '/HTMLPurifier/URIScheme/ftp.php';
+require_once $__dir . '/HTMLPurifier/URIScheme/http.php';
+require_once $__dir . '/HTMLPurifier/URIScheme/https.php';
+require_once $__dir . '/HTMLPurifier/URIScheme/mailto.php';
+require_once $__dir . '/HTMLPurifier/URIScheme/news.php';
+require_once $__dir . '/HTMLPurifier/URIScheme/nntp.php';
+require_once $__dir . '/HTMLPurifier/VarParser/Flexible.php';
+require_once $__dir . '/HTMLPurifier/VarParser/Native.php';

library/HTMLPurifier/AttrDef.php

@@ -51,16 +51,13 @@ abstract class HTMLPurifier_AttrDef
      * 
      * @warning This processing is inconsistent with XML's whitespace handling
      *          as specified by section 3.3.3 and referenced XHTML 1.0 section
-     *          4.7.  Compliant processing requires all line breaks normalized
-     *          to "\n", so the fix is not as simple as fixing it in this
-     *          function.  Trim and whitespace collapsing are supposed to only
-     *          occur in NMTOKENs.  However, note that we are NOT necessarily
-     *          parsing XML, thus, this behavior may still be correct.
+     *          4.7.  However, note that we are NOT necessarily
+     *          parsing XML, thus, this behavior may still be correct. We
+     *          assume that newlines have been normalized.
      */
     public function parseCDATA($string) {
         $string = trim($string);
-        $string = str_replace("\n", '', $string);
-        $string = str_replace(array("\r", "\t"), ' ', $string);
+        $string = str_replace(array("\n", "\t", "\r"), ' ', $string);
         return $string;
     }
     
@@ -70,9 +67,10 @@ abstract class HTMLPurifier_AttrDef
      * @return Created AttrDef object corresponding to $string
      */
     public function make($string) {
-        // default implementation, return flyweight of this object
-        // if overloaded, it is *necessary* for you to clone the
-        // object (usually by instantiating a new copy) and return that
+        // default implementation, return a flyweight of this object.
+        // If $string has an effect on the returned object (i.e. you
+        // need to overload this method), it is best
+        // to clone or instantiate new copies. (Instantiation is safer.)
         return $this;
     }
     

library/HTMLPurifier/AttrDef/CSS.php

@@ -29,6 +29,12 @@ class HTMLPurifier_AttrDef_CSS extends HTMLPurifier_AttrDef
         $declarations = explode(';', $css);
         $propvalues = array();
         
+        /**
+         * Name of the current CSS property being validated.
+         */
+        $property = false;
+        $context->register('CurrentCSSProperty', $property);
+        
         foreach ($declarations as $declaration) {
             if (!$declaration) continue;
             if (!strpos($declaration, ':')) continue;
@@ -61,6 +67,8 @@ class HTMLPurifier_AttrDef_CSS extends HTMLPurifier_AttrDef
             $propvalues[$property] = $result;
         }
         
+        $context->destroy('CurrentCSSProperty');
+        
         // procedure does not write the new CSS simultaneously, so it's
         // slightly inefficient, but it's the only way of getting rid of
         // duplicates. Perhaps config to optimize it, but not now.

library/HTMLPurifier/AttrDef/CSS/DenyElementDecorator.php

@@ -0,0 +1,26 @@
+<?php
+
+/**
+ * Decorator which enables CSS properties to be disabled for specific elements.
+ */
+class HTMLPurifier_AttrDef_CSS_DenyElementDecorator extends HTMLPurifier_AttrDef
+{
+    protected $def, $element;
+    
+    /**
+     * @param $def Definition to wrap
+     * @param $element Element to deny
+     */
+    public function __construct($def, $element) {
+        $this->def = $def;
+        $this->element = $element;
+    }
+    /**
+     * Checks if CurrentToken is set and equal to $this->element
+     */
+    public function validate($string, $config, $context) {
+        $token = $context->get('CurrentToken', true);
+        if ($token && $token->name == $this->element) return false;
+        return $this->def->validate($string, $config, $context);
+    }
+}

library/HTMLPurifier/AttrDef/CSS/FontFamily.php

@@ -16,7 +16,6 @@ class HTMLPurifier_AttrDef_CSS_FontFamily extends HTMLPurifier_AttrDef
             'cursive' => true
         );
         
-        $string = $this->parseCDATA($string);
         // assume that no font names contain commas in them
         $fonts = explode(',', $string);
         $final = '';
@@ -35,13 +34,40 @@ class HTMLPurifier_AttrDef_CSS_FontFamily extends HTMLPurifier_AttrDef
                 $quote = $font[0];
                 if ($font[$length - 1] !== $quote) continue;
                 $font = substr($font, 1, $length - 2);
-                // double-backslash processing is buggy
-                $font = str_replace("\\$quote", $quote, $font); // de-escape quote
-                $font = str_replace("\\\n", "\n", $font);       // de-escape newlines
+                
+                $new_font = '';
+                for ($i = 0, $c = strlen($font); $i < $c; $i++) {
+                    if ($font[$i] === '\\') {
+                        $i++;
+                        if ($i >= $c) {
+                            $new_font .= '\\';
+                            break;
+                        }
+                        if (ctype_xdigit($font[$i])) {
+                            $code = $font[$i];
+                            for ($a = 1, $i++; $i < $c && $a < 6; $i++, $a++) {
+                                if (!ctype_xdigit($font[$i])) break;
+                                $code .= $font[$i];
+                            }
+                            // We have to be extremely careful when adding
+                            // new characters, to make sure we're not breaking
+                            // the encoding.
+                            $char = HTMLPurifier_Encoder::unichr(hexdec($code));
+                            if (HTMLPurifier_Encoder::cleanUTF8($char) === '') continue;
+                            $new_font .= $char;
+                            if ($i < $c && trim($font[$i]) !== '') $i--;
+                            continue;
+                        }
+                        if ($font[$i] === "\n") continue;
+                    }
+                    $new_font .= $font[$i];
+                }
+                
+                $font = $new_font;
             }
             // $font is a pure representation of the font name
             
-            if (ctype_alnum($font)) {
+            if (ctype_alnum($font) && $font !== '') {
                 // very simple font, allow it in unharmed
                 $final .= $font . ', ';
                 continue;
@@ -50,8 +76,8 @@ class HTMLPurifier_AttrDef_CSS_FontFamily extends HTMLPurifier_AttrDef
             // complicated font, requires quoting
             
             // armor single quotes and new lines
+            $font = str_replace("\\", "\\\\", $font);
             $font = str_replace("'", "\\'", $font);
-            $font = str_replace("\n", "\\\n", $font);
             $final .= "'$font', ";
         }
         $final = rtrim($final, ', ');

library/HTMLPurifier/AttrDef/CSS/ImportantDecorator.php

@@ -3,7 +3,7 @@
 /**
  * Decorator which enables !important to be used in CSS values.
  */
-class HTMLPurifier_AttrDef_CSS_ImportantDecorator
+class HTMLPurifier_AttrDef_CSS_ImportantDecorator extends HTMLPurifier_AttrDef
 {
     protected $def, $allow;
     

library/HTMLPurifier/AttrDef/CSS/Length.php

@@ -6,46 +6,40 @@
 class HTMLPurifier_AttrDef_CSS_Length extends HTMLPurifier_AttrDef
 {
     
-    /**
-     * Valid unit lookup table.
-     * @warning The code assumes all units are two characters long.  Be careful
-     *          if we have to change this behavior!
-     */
-    protected $units = array('em' => true, 'ex' => true, 'px' => true, 'in' => true,
-         'cm' => true, 'mm' => true, 'pt' => true, 'pc' => true);
-    /**
-     * Instance of HTMLPurifier_AttrDef_Number to defer number validation to
-     */
-    protected $number_def;
+    protected $min, $max;
     
     /**
-     * @param $non_negative Bool indication whether or not negative values are
-     *                      allowed.
+     * @param HTMLPurifier_Length $max Minimum length, or null for no bound. String is also acceptable.
+     * @param HTMLPurifier_Length $max Maximum length, or null for no bound. String is also acceptable.
      */
-    public function __construct($non_negative = false) {
-        $this->number_def = new HTMLPurifier_AttrDef_CSS_Number($non_negative);
+    public function __construct($min = null, $max = null) {
+        $this->min = $min !== null ? HTMLPurifier_Length::make($min) : null;
+        $this->max = $max !== null ? HTMLPurifier_Length::make($max) : null;
     }
     
-    public function validate($length, $config, $context) {
+    public function validate($string, $config, $context) {
+        $string = $this->parseCDATA($string);
         
-        $length = $this->parseCDATA($length);
-        if ($length === '') return false;
-        if ($length === '0') return '0';
-        $strlen = strlen($length);
-        if ($strlen === 1) return false; // impossible!
+        // Optimizations
+        if ($string === '') return false;
+        if ($string === '0') return '0';
+        if (strlen($string) === 1) return false;
         
-        // we assume all units are two characters
-        $unit = substr($length, $strlen - 2);
-        if (!ctype_lower($unit)) $unit = strtolower($unit);
-        $number = substr($length, 0, $strlen - 2);
+        $length = HTMLPurifier_Length::make($string);
+        if (!$length->isValid()) return false;
         
-        if (!isset($this->units[$unit])) return false;
-        
-        $number = $this->number_def->validate($number, $config, $context);
-        if ($number === false) return false;
-        
-        return $number . $unit;
+        if ($this->min) {
+            $c = $length->compareTo($this->min);
+            if ($c === false) return false;
+            if ($c < 0) return false;
+        }
+        if ($this->max) {
+            $c = $length->compareTo($this->max);
+            if ($c === false) return false;
+            if ($c > 0) return false;
+        }
         
+        return $length->toString();
     }
     
 }

library/HTMLPurifier/AttrDef/CSS/Number.php

@@ -18,6 +18,10 @@ class HTMLPurifier_AttrDef_CSS_Number extends HTMLPurifier_AttrDef
         $this->non_negative = $non_negative;
     }
     
+    /**
+     * @warning Some contexts do not pass $config, $context. These
+     *          variables should not be used without checking HTMLPurifier_Length
+     */
     public function validate($number, $config, $context) {
         
         $number = $this->parseCDATA($number);

library/HTMLPurifier/AttrDef/CSS/TextDecoration.php

@@ -13,10 +13,13 @@ class HTMLPurifier_AttrDef_CSS_TextDecoration extends HTMLPurifier_AttrDef
         static $allowed_values = array(
             'line-through' => true,
             'overline' => true,
-            'underline' => true
+            'underline' => true,
         );
         
         $string = strtolower($this->parseCDATA($string));
+        
+        if ($string === 'none') return $string;
+        
         $parts = explode(' ', $string);
         $final = '';
         foreach ($parts as $part) {

library/HTMLPurifier/AttrDef/HTML/Pixels.php

@@ -6,6 +6,12 @@
 class HTMLPurifier_AttrDef_HTML_Pixels extends HTMLPurifier_AttrDef
 {
     
+    protected $max;
+    
+    public function __construct($max = null) {
+        $this->max = $max;
+    }
+    
     public function validate($string, $config, $context) {
         
         $string = trim($string);
@@ -24,11 +30,18 @@ class HTMLPurifier_AttrDef_HTML_Pixels extends HTMLPurifier_AttrDef
         // crash operating systems, see <http://ha.ckers.org/imagecrash.html>
         // WARNING, above link WILL crash you if you're using Windows
         
-        if ($int > 1200) return '1200';
+        if ($this->max !== null && $int > $this->max) return (string) $this->max;
         
         return (string) $int;
         
     }
     
+    public function make($string) {
+        if ($string === '') $max = null;
+        else $max = (int) $string;
+        $class = get_class($this);
+        return new $class($max);
+    }
+    
 }
 

library/HTMLPurifier/AttrDef/Switch.php

@@ -0,0 +1,32 @@
+<?php
+
+/**
+ * Decorator that, depending on a token, switches between two definitions.
+ */
+class HTMLPurifier_AttrDef_Switch
+{
+    
+    protected $tag;
+    protected $withTag, $withoutTag;
+    
+    /**
+     * @param string $tag Tag name to switch upon
+     * @param HTMLPurifier_AttrDef $with_tag Call if token matches tag
+     * @param HTMLPurifier_AttrDef $without_tag Call if token doesn't match, or there is no token
+     */
+    public function __construct($tag, $with_tag, $without_tag) {
+        $this->tag = $tag;
+        $this->withTag = $with_tag;
+        $this->withoutTag = $without_tag;
+    }
+    
+    public function validate($string, $config, $context) {
+        $token = $context->get('CurrentToken', true);
+        if (!$token || $token->name !== $this->tag) {
+            return $this->withoutTag->validate($string, $config, $context);
+        } else {
+            return $this->withTag->validate($string, $config, $context);
+        }
+    }
+    
+}

library/HTMLPurifier/AttrDef/URI.php

@@ -7,7 +7,7 @@
 class HTMLPurifier_AttrDef_URI extends HTMLPurifier_AttrDef
 {
     
-    protected $parser, $percentEncoder;
+    protected $parser;
     protected $embedsResource;
     
     /**
@@ -15,17 +15,19 @@ class HTMLPurifier_AttrDef_URI extends HTMLPurifier_AttrDef
      */
     public function __construct($embeds_resource = false) {
         $this->parser = new HTMLPurifier_URIParser();
-        $this->percentEncoder = new HTMLPurifier_PercentEncoder();
         $this->embedsResource = (bool) $embeds_resource;
     }
     
+    public function make($string) {
+        $embeds = (bool) $string;
+        return new HTMLPurifier_AttrDef_URI($embeds);
+    }
+    
     public function validate($uri, $config, $context) {
         
         if ($config->get('URI', 'Disable')) return false;
         
-        // initial operations
         $uri = $this->parseCDATA($uri);
-        $uri = $this->percentEncoder->normalize($uri);
         
         // parse the URI
         $uri = $this->parser->parse($uri);
@@ -42,7 +44,7 @@ class HTMLPurifier_AttrDef_URI extends HTMLPurifier_AttrDef
             if (!$result) break;
             
             // chained filtering
-            $uri_def =& $config->getDefinition('URI');
+            $uri_def = $config->getDefinition('URI');
             $result = $uri_def->filter($uri, $config, $context);
             if (!$result) break;
             
@@ -53,6 +55,10 @@ class HTMLPurifier_AttrDef_URI extends HTMLPurifier_AttrDef
             $result = $scheme_obj->validate($uri, $config, $context);
             if (!$result) break;
             
+            // Post chained filtering
+            $result = $uri_def->postFilter($uri, $config, $context);
+            if (!$result) break;
+            
             // survived gauntlet
             $ok = true;
             
@@ -61,26 +67,8 @@ class HTMLPurifier_AttrDef_URI extends HTMLPurifier_AttrDef
         $context->destroy('EmbeddedURI');
         if (!$ok) return false;
         
-        // munge scheme off if necessary (this must be last)
-        if (!is_null($uri->scheme) && is_null($uri->host)) {
-            if ($uri_def->defaultScheme == $uri->scheme) {
-                $uri->scheme = null;
-            }
-        }
-        
         // back to string
-        $result = $uri->toString();
-        
-        // munge entire URI if necessary
-        if (
-            !is_null($uri->host) && // indicator for authority
-            !empty($scheme_obj->browsable) &&
-            !is_null($munge = $config->get('URI', 'Munge'))
-        ) {
-            $result = str_replace('%s', rawurlencode($result), $munge);
-        }
-        
-        return $result;
+        return $uri->toString();
         
     }
     

library/HTMLPurifier/AttrDef/URI/Host.php

@@ -36,11 +36,23 @@ class HTMLPurifier_AttrDef_URI_Host extends HTMLPurifier_AttrDef
         $ipv4 = $this->ipv4->validate($string, $config, $context);
         if ($ipv4 !== false) return $ipv4;
         
-        // validate a domain name here, do filtering, etc etc etc
+        // A regular domain name.
         
-        // We could use this, but it would break I18N domain names
-        //$match = preg_match('/^[a-z0-9][\w\-\.]*[a-z0-9]$/i', $string);
-        //if (!$match) return false;
+        // This breaks I18N domain names, but we don't have proper IRI support,
+        // so force users to insert Punycode. If there's complaining we'll 
+        // try to fix things into an international friendly form.
+        
+        // The productions describing this are:
+        $a   = '[a-z]';     // alpha
+        $an  = '[a-z0-9]';  // alphanum
+        $and = '[a-z0-9-]'; // alphanum | "-"
+        // domainlabel = alphanum | alphanum *( alphanum | "-" ) alphanum
+        $domainlabel   = "$an($and*$an)?";
+        // toplabel    = alpha | alpha *( alphanum | "-" ) alphanum
+        $toplabel      = "$a($and*$an)?";
+        // hostname    = *( domainlabel "." ) toplabel [ "." ]
+        $match = preg_match("/^($domainlabel\.)*$toplabel\.?$/i", $string);
+        if (!$match) return false;
         
         return $string;
     }

library/HTMLPurifier/AttrTransform/SafeEmbed.php

@@ -0,0 +1,13 @@
+<?php
+
+class HTMLPurifier_AttrTransform_SafeEmbed extends HTMLPurifier_AttrTransform 
+{
+    public $name = "SafeEmbed";
+
+    public function transform($attr, $config, $context) {
+        $attr['allowscriptaccess'] = 'never';
+        $attr['allownetworking'] = 'internal';
+        $attr['type'] = 'application/x-shockwave-flash';
+        return $attr;
+    }
+}

library/HTMLPurifier/AttrTransform/SafeObject.php

@@ -0,0 +1,14 @@
+<?php
+
+/**
+ * Writes default type for all objects. Currently only supports flash.
+ */
+class HTMLPurifier_AttrTransform_SafeObject extends HTMLPurifier_AttrTransform
+{
+    public $name = "SafeObject";
+
+    function transform($attr, $config, $context) {
+        if (!isset($attr['type'])) $attr['type'] = 'application/x-shockwave-flash';
+        return $attr;
+    }
+}

library/HTMLPurifier/AttrTransform/SafeParam.php

@@ -0,0 +1,48 @@
+<?php
+
+/**
+ * Validates name/value pairs in param tags to be used in safe objects. This
+ * will only allow name values it recognizes, and pre-fill certain attributes
+ * with required values.
+ * 
+ * @note
+ *      This class only supports Flash. In the future, Quicktime support
+ *      may be added.
+ * 
+ * @warning
+ *      This class expects an injector to add the necessary parameters tags.
+ */
+class HTMLPurifier_AttrTransform_SafeParam extends HTMLPurifier_AttrTransform 
+{
+    public $name = "SafeParam";
+    private $uri;
+    
+    public function __construct() {
+        $this->uri = new HTMLPurifier_AttrDef_URI(true); // embedded
+    }
+    
+    public function transform($attr, $config, $context) {
+        // If we add support for other objects, we'll need to alter the
+        // transforms.
+        switch ($attr['name']) {
+            // application/x-shockwave-flash
+            // Keep this synchronized with Injector/SafeObject.php
+            case 'allowScriptAccess':
+                $attr['value'] = 'never';
+                break;
+            case 'allowNetworking':
+                $attr['value'] = 'internal';
+                break;
+            case 'wmode':
+                $attr['value'] = 'window';
+                break;
+            case 'movie':
+                $attr['value'] = $this->uri->validate($attr['value'], $config, $context);
+                break;
+            // add other cases to support other param name/value pairs
+            default:
+                $attr['name'] = $attr['value'] = null;
+        }
+        return $attr;
+    }
+}

library/HTMLPurifier/AttrTransform/ScriptRequired.php

@@ -0,0 +1,14 @@
+<?php
+
+/**
+ * Implements required attribute stipulation for <script>
+ */
+class HTMLPurifier_AttrTransform_ScriptRequired extends HTMLPurifier_AttrTransform
+{
+    public function transform($attr, $config, $context) {
+        if (!isset($attr['type'])) {
+            $attr['type'] = 'text/javascript';
+        }
+        return $attr;
+    }
+}

library/HTMLPurifier/AttrValidator.php

@@ -43,8 +43,8 @@ class HTMLPurifier_AttrValidator
         // DEFINITION CALL
         $d_defs = $definition->info_global_attr;
         
-        // reference attributes for easy manipulation
-        $attr =& $token->attr;
+        // don't update token until the very end, to ensure an atomic update
+        $attr = $token->attr;
         
         // do global transformations (pre)
         // nothing currently utilizes this
@@ -139,6 +139,8 @@ class HTMLPurifier_AttrValidator
             if ($e && ($attr != $o)) $e->send(E_NOTICE, 'AttrValidator: Attributes transformed', $o, $attr);
         }
         
+        $token->attr = $attr;
+        
         // destroy CurrentToken if we made it ourselves
         if (!$current_token) $context->destroy('CurrentToken');
         

library/HTMLPurifier/Bootstrap.php

@@ -37,7 +37,7 @@ class HTMLPurifier_Bootstrap
     public static function autoload($class) {
         $file = HTMLPurifier_Bootstrap::getPath($class);
         if (!$file) return false;
-        require $file;
+        require HTMLPURIFIER_PREFIX . '/' . $file;
         return true;
     }
     
@@ -48,11 +48,13 @@ class HTMLPurifier_Bootstrap
         if (strncmp('HTMLPurifier', $class, 12) !== 0) return false;
         // Custom implementations
         if (strncmp('HTMLPurifier_Language_', $class, 22) === 0) {
-          $code = str_replace('_', '-', substr($class, 22));
-          return 'HTMLPurifier/Language/classes/' . $code . '.php';
+            $code = str_replace('_', '-', substr($class, 22));
+            $file = 'HTMLPurifier/Language/classes/' . $code . '.php';
+        } else {
+            $file = str_replace('_', '/', $class) . '.php';
         }
-        // Standard implementation
-        return str_replace('_', '/', $class) . '.php';
+        if (!file_exists(HTMLPURIFIER_PREFIX . '/' . $file)) return false;
+        return $file;
     }
     
     /**

library/HTMLPurifier/CSSDefinition.php

@@ -90,7 +90,7 @@ class HTMLPurifier_CSSDefinition extends HTMLPurifier_Definition
         $this->info['border-left-width'] = 
         $this->info['border-right-width'] = new HTMLPurifier_AttrDef_CSS_Composite(array(
             new HTMLPurifier_AttrDef_Enum(array('thin', 'medium', 'thick')),
-            new HTMLPurifier_AttrDef_CSS_Length(true) //disallow negative
+            new HTMLPurifier_AttrDef_CSS_Length('0') //disallow negative
         ));
         
         $this->info['border-width'] = new HTMLPurifier_AttrDef_CSS_Multiple($border_width);
@@ -116,7 +116,7 @@ class HTMLPurifier_CSSDefinition extends HTMLPurifier_Definition
         $this->info['line-height'] = new HTMLPurifier_AttrDef_CSS_Composite(array(
             new HTMLPurifier_AttrDef_Enum(array('normal')),
             new HTMLPurifier_AttrDef_CSS_Number(true), // no negatives
-            new HTMLPurifier_AttrDef_CSS_Length(true),
+            new HTMLPurifier_AttrDef_CSS_Length('0'),
             new HTMLPurifier_AttrDef_CSS_Percentage(true)
         ));
         
@@ -138,7 +138,7 @@ class HTMLPurifier_CSSDefinition extends HTMLPurifier_Definition
         $this->info['padding-bottom'] = 
         $this->info['padding-left'] = 
         $this->info['padding-right'] = new HTMLPurifier_AttrDef_CSS_Composite(array(
-            new HTMLPurifier_AttrDef_CSS_Length(true),
+            new HTMLPurifier_AttrDef_CSS_Length('0'),
             new HTMLPurifier_AttrDef_CSS_Percentage(true)
         ));
         
@@ -149,13 +149,26 @@ class HTMLPurifier_CSSDefinition extends HTMLPurifier_Definition
             new HTMLPurifier_AttrDef_CSS_Percentage()
         ));
         
-        $this->info['width'] =
-        $this->info['height'] = 
-        new HTMLPurifier_AttrDef_CSS_Composite(array(
-            new HTMLPurifier_AttrDef_CSS_Length(true),
+        $trusted_wh = new HTMLPurifier_AttrDef_CSS_Composite(array(
+            new HTMLPurifier_AttrDef_CSS_Length('0'),
             new HTMLPurifier_AttrDef_CSS_Percentage(true),
             new HTMLPurifier_AttrDef_Enum(array('auto'))
         ));
+        $max = $config->get('CSS', 'MaxImgLength');
+        
+        $this->info['width'] =
+        $this->info['height'] =
+            $max === null ?
+            $trusted_wh : 
+            new HTMLPurifier_AttrDef_Switch('img',
+                // For img tags:
+                new HTMLPurifier_AttrDef_CSS_Composite(array(
+                    new HTMLPurifier_AttrDef_CSS_Length('0', $max),
+                    new HTMLPurifier_AttrDef_Enum(array('auto'))
+                )),
+                // For everyone else:
+                $trusted_wh
+            );
         
         $this->info['text-decoration'] = new HTMLPurifier_AttrDef_CSS_TextDecoration();
         

library/HTMLPurifier/ChildDef.php

@@ -3,7 +3,7 @@
 /**
  * Defines allowed child nodes and validates tokens against it.
  */
-class HTMLPurifier_ChildDef
+abstract class HTMLPurifier_ChildDef
 {
     /**
      * Type of child definition, usually right-most part of class name lowercase.
@@ -34,9 +34,7 @@ class HTMLPurifier_ChildDef
      * @return bool false to remove parent node
      * @return array of replacement child tokens
      */
-    public function validateChildren($tokens_of_children, $config, $context) {
-        trigger_error('Call to abstract function', E_USER_ERROR);
-    }
+    abstract public function validateChildren($tokens_of_children, $config, $context);
 }
 
 

library/HTMLPurifier/ChildDef/Required.php

@@ -55,10 +55,7 @@ class HTMLPurifier_ChildDef_Required extends HTMLPurifier_ChildDef
         $escape_invalid_children = $config->get('Core', 'EscapeInvalidChildren');
         
         // generator
-        static $gen = null;
-        if ($gen === null) {
-            $gen = new HTMLPurifier_Generator();
-        }
+        $gen = new HTMLPurifier_Generator($config, $context);
         
         foreach ($tokens_of_children as $token) {
             if (!empty($token->is_whitespace)) {
@@ -83,7 +80,7 @@ class HTMLPurifier_ChildDef_Required extends HTMLPurifier_ChildDef
                         $result[] = $token;
                     } elseif ($pcdata_allowed && $escape_invalid_children) {
                         $result[] = new HTMLPurifier_Token_Text(
-                            $gen->generateFromToken($token, $config)
+                            $gen->generateFromToken($token)
                         );
                     }
                     continue;
@@ -94,7 +91,7 @@ class HTMLPurifier_ChildDef_Required extends HTMLPurifier_ChildDef
             } elseif ($pcdata_allowed && $escape_invalid_children) {
                 $result[] =
                     new HTMLPurifier_Token_Text(
-                        $gen->generateFromToken( $token, $config )
+                        $gen->generateFromToken($token)
                     );
             } else {
                 // drop silently

library/HTMLPurifier/Config.php

@@ -20,7 +20,7 @@ class HTMLPurifier_Config
     /**
      * HTML Purifier's version
      */
-    public $version = '3.1.0rc1';
+    public $version = '3.1.1';
     
     /**
      * Bool indicator whether or not to automatically finalize 
@@ -72,7 +72,7 @@ class HTMLPurifier_Config
      * @param $definition HTMLPurifier_ConfigSchema that defines what directives
      *                    are allowed.
      */
-    public function __construct(&$definition) {
+    public function __construct($definition) {
         $this->conf = $definition->defaults; // set up, copy in defaults
         $this->def  = $definition; // keep a copy around for checking
         $this->parser = new HTMLPurifier_VarParser_Flexible();
@@ -107,7 +107,7 @@ class HTMLPurifier_Config
      * @return Default HTMLPurifier_Config object.
      */
     public static function createDefault() {
-        $definition =& HTMLPurifier_ConfigSchema::instance();
+        $definition = HTMLPurifier_ConfigSchema::instance();
         $config = new HTMLPurifier_Config($definition);
         return $config;
     }
@@ -125,7 +125,7 @@ class HTMLPurifier_Config
                 E_USER_WARNING);
             return;
         }
-        if ($this->def->info[$namespace][$key]->class == 'alias') {
+        if (isset($this->def->info[$namespace][$key]->isAlias)) {
             $d = $this->def->info[$namespace][$key];
             trigger_error('Cannot get value from aliased directive, use real name ' . $d->namespace . '.' . $d->name,
                 E_USER_ERROR);
@@ -196,40 +196,48 @@ class HTMLPurifier_Config
                 E_USER_WARNING);
             return;
         }
-        if ($this->def->info[$namespace][$key]->class == 'alias') {
+        $def = $this->def->info[$namespace][$key];
+        
+        if (isset($def->isAlias)) {
             if ($from_alias) {
                 trigger_error('Double-aliases not allowed, please fix '.
                     'ConfigSchema bug with' . "$namespace.$key", E_USER_ERROR);
                 return;
             }
-            $this->set($new_ns = $this->def->info[$namespace][$key]->namespace,
-                       $new_dir = $this->def->info[$namespace][$key]->name,
+            $this->set($new_ns  = $def->namespace,
+                       $new_dir = $def->name,
                        $value, true);
             trigger_error("$namespace.$key is an alias, preferred directive name is $new_ns.$new_dir", E_USER_NOTICE);
             return;
         }
+        
+        // Raw type might be negative when using the fully optimized form
+        // of stdclass, which indicates allow_null == true
+        $rtype = is_int($def) ? $def : $def->type;
+        if ($rtype < 0) {
+            $type = -$rtype;
+            $allow_null = true;
+        } else {
+            $type = $rtype;
+            $allow_null = isset($def->allow_null);
+        }
+        
         try {
-            $value = $this->parser->parse(
-                        $value,
-                        $type = $this->def->info[$namespace][$key]->type,
-                        $this->def->info[$namespace][$key]->allow_null
-                     );
+            $value = $this->parser->parse($value, $type, $allow_null);
         } catch (HTMLPurifier_VarParserException $e) {
-            trigger_error('Value for ' . "$namespace.$key" . ' is of invalid type, should be ' . $type, E_USER_WARNING);
+            trigger_error('Value for ' . "$namespace.$key" . ' is of invalid type, should be ' . HTMLPurifier_VarParser::getTypeName($type), E_USER_WARNING);
             return;
         }
-        if (is_string($value)) {
+        if (is_string($value) && is_object($def)) {
             // resolve value alias if defined
-            if (isset($this->def->info[$namespace][$key]->aliases[$value])) {
-                $value = $this->def->info[$namespace][$key]->aliases[$value];
+            if (isset($def->aliases[$value])) {
+                $value = $def->aliases[$value];
             }
-            if ($this->def->info[$namespace][$key]->allowed !== true) {
-                // check to see if the value is allowed
-                if (!isset($this->def->info[$namespace][$key]->allowed[$value])) {
-                    trigger_error('Value not supported, valid values are: ' .
-                        $this->_listify($this->def->info[$namespace][$key]->allowed), E_USER_WARNING);
-                    return;
-                }
+            // check to see if the value is allowed
+            if (isset($def->allowed) && !isset($def->allowed[$value])) {
+                trigger_error('Value not supported, valid values are: ' .
+                    $this->_listify($def->allowed), E_USER_WARNING);
+                return;
             }
         }
         $this->conf[$namespace][$key] = $value;
@@ -254,21 +262,21 @@ class HTMLPurifier_Config
     }
     
     /**
-     * Retrieves reference to the HTML definition.
+     * Retrieves object reference to the HTML definition.
      * @param $raw Return a copy that has not been setup yet. Must be
      *             called before it's been setup, otherwise won't work.
      */
-    public function &getHTMLDefinition($raw = false) {
-        $def =& $this->getDefinition('HTML', $raw);
-        return $def; // prevent PHP 4.4.0 from complaining
+    public function getHTMLDefinition($raw = false) {
+        return $this->getDefinition('HTML', $raw);
     }
     
     /**
-     * Retrieves reference to the CSS definition
+     * Retrieves object reference to the CSS definition
+     * @param $raw Return a copy that has not been setup yet. Must be
+     *             called before it's been setup, otherwise won't work.
      */
-    public function &getCSSDefinition($raw = false) {
-        $def =& $this->getDefinition('CSS', $raw);
-        return $def;
+    public function getCSSDefinition($raw = false) {
+        return $this->getDefinition('CSS', $raw);
     }
     
     /**
@@ -276,7 +284,7 @@ class HTMLPurifier_Config
      * @param $type Type of definition: HTML, CSS, etc
      * @param $raw  Whether or not definition should be returned raw
      */
-    public function &getDefinition($type, $raw = false) {
+    public function getDefinition($type, $raw = false) {
         if (!$this->finalized && $this->autoFinalize) $this->finalize();
         $factory = HTMLPurifier_DefinitionCacheFactory::instance();
         $cache = $factory->create($type, $this);
@@ -310,17 +318,13 @@ class HTMLPurifier_Config
         } elseif ($type == 'URI') {
             $this->definitions[$type] = new HTMLPurifier_URIDefinition();
         } else {
-            trigger_error("Definition of $type type not supported");
-            $false = false;
-            return $false;
+            throw new HTMLPurifier_Exception("Definition of $type type not supported");
         }
         // quick abort if raw
         if ($raw) {
             if (is_null($this->get($type, 'DefinitionID'))) {
                 // fatally error out if definition ID not set
-                trigger_error("Cannot retrieve raw version without specifying %$type.DefinitionID", E_USER_ERROR);
-                $false = new HTMLPurifier_Error();
-                return $false;
+                throw new HTMLPurifier_Exception("Cannot retrieve raw version without specifying %$type.DefinitionID");
             }
             return $this->definitions[$type];
         }
@@ -390,7 +394,7 @@ class HTMLPurifier_Config
                     if (isset($blacklisted_directives["$ns.$directive"])) continue;
                     if (!isset($allowed_directives["$ns.$directive"]) && !isset($allowed_ns[$ns])) continue;
                 }
-                if ($def->class == 'alias') continue;
+                if (isset($def->isAlias)) continue;
                 if ($directive == 'DefinitionID' || $directive == 'DefinitionRev') continue;
                 $ret[] = array($ns, $directive);
             }
@@ -407,7 +411,7 @@ class HTMLPurifier_Config
      * @param $mq_fix Boolean whether or not to enable magic quotes fix
      * @param $schema Instance of HTMLPurifier_ConfigSchema to use, if not global copy
      */
-    public static function loadArrayFromForm($array, $index, $allowed = true, $mq_fix = true, $schema = null) {
+    public static function loadArrayFromForm($array, $index = false, $allowed = true, $mq_fix = true, $schema = null) {
         $ret = HTMLPurifier_Config::prepareArrayFromForm($array, $index, $allowed, $mq_fix, $schema);
         $config = HTMLPurifier_Config::create($ret, $schema);
         return $config;
@@ -417,7 +421,7 @@ class HTMLPurifier_Config
      * Merges in configuration values from $_GET/$_POST to object. NOT STATIC.
      * @note Same parameters as loadArrayFromForm
      */
-    public function mergeArrayFromForm($array, $index, $allowed = true, $mq_fix = true) {
+    public function mergeArrayFromForm($array, $index = false, $allowed = true, $mq_fix = true) {
          $ret = HTMLPurifier_Config::prepareArrayFromForm($array, $index, $allowed, $mq_fix, $this->def);
          $this->loadArray($ret);
     }
@@ -426,8 +430,8 @@ class HTMLPurifier_Config
      * Prepares an array from a form into something usable for the more
      * strict parts of HTMLPurifier_Config
      */
-    public static function prepareArrayFromForm($array, $index, $allowed = true, $mq_fix = true, $schema = null) {
-        $array = (isset($array[$index]) && is_array($array[$index])) ? $array[$index] : array();
+    public static function prepareArrayFromForm($array, $index = false, $allowed = true, $mq_fix = true, $schema = null) {
+        if ($index !== false) $array = (isset($array[$index]) && is_array($array[$index])) ? $array[$index] : array();
         $mq = $mq_fix && function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
         
         $allowed = HTMLPurifier_Config::getAllowedDirectivesForForm($allowed, $schema);

library/HTMLPurifier/ConfigDef.php

@@ -1,9 +0,0 @@
-<?php
-
-/**
- * Base class for configuration entity
- */
-class HTMLPurifier_ConfigDef {
-    public $class = false;
-}
-

library/HTMLPurifier/ConfigDef/Directive.php

@@ -1,55 +0,0 @@
-<?php
-
-/**
- * Structure object containing definition of a directive.
- * @note This structure does not contain default values
- */
-class HTMLPurifier_ConfigDef_Directive extends HTMLPurifier_ConfigDef
-{
-    
-    public $class = 'directive';
-    
-    public function __construct(
-        $type = null,
-        $allow_null = null,
-        $allowed = null,
-        $aliases = null
-    ) {
-        if (       $type !== null)        $this->type = $type;
-        if ( $allow_null !== null)  $this->allow_null = $allow_null;
-        if (    $allowed !== null)     $this->allowed = $allowed;
-        if (    $aliases !== null)     $this->aliases = $aliases;
-    }
-    
-    /**
-     * Allowed type of the directive. Values are:
-     *      - string
-     *      - istring (case insensitive string)
-     *      - int
-     *      - float
-     *      - bool
-     *      - lookup (array of value => true)
-     *      - list (regular numbered index array)
-     *      - hash (array of key => value)
-     *      - mixed (anything goes)
-     */
-    public $type = 'mixed';
-    
-    /**
-     * Is null allowed? Has no effect for mixed type.
-     * @bool
-     */
-    public $allow_null = false;
-    
-    /**
-     * Lookup table of allowed values of the element, bool true if all allowed.
-     */
-    public $allowed = true;
-    
-    /**
-     * Hash of value aliases, i.e. values that are equivalent.
-     */
-    public $aliases = array();
-    
-}
-

library/HTMLPurifier/ConfigDef/DirectiveAlias.php

@@ -1,24 +0,0 @@
-<?php
-
-/**
- * Structure object describing a directive alias
- */
-class HTMLPurifier_ConfigDef_DirectiveAlias extends HTMLPurifier_ConfigDef
-{
-    public $class = 'alias';
-    
-    /**
-     * Namespace being aliased to
-     */
-    public $namespace;
-    /**
-     * Directive being aliased to
-     */
-    public $name;
-    
-    public function __construct($namespace, $name) {
-        $this->namespace = $namespace;
-        $this->name = $name;
-    }
-}
-

library/HTMLPurifier/ConfigDef/Namespace.php

@@ -1,10 +0,0 @@
-<?php
-
-/**
- * Structure object describing of a namespace
- */
-class HTMLPurifier_ConfigDef_Namespace extends HTMLPurifier_ConfigDef
-{
-    public $class = 'namespace';
-}
-

library/HTMLPurifier/ConfigSchema.php

@@ -12,7 +12,33 @@ class HTMLPurifier_ConfigSchema {
     public $defaults = array();
     
     /**
-     * Definition of the directives.
+     * Definition of the directives. The structure of this is:
+     * 
+     *  array(
+     *      'Namespace' => array(
+     *          'Directive' => new stdclass(),
+     *      )
+     *  )
+     * 
+     * The stdclass may have the following properties:
+     * 
+     *  - If isAlias isn't set:
+     *      - type: Integer type of directive, see HTMLPurifier_VarParser for definitions
+     *      - allow_null: If set, this directive allows null values
+     *      - aliases: If set, an associative array of value aliases to real values
+     *      - allowed: If set, a lookup array of allowed (string) values
+     *  - If isAlias is set:
+     *      - namespace: Namespace this directive aliases to
+     *      - name: Directive name this directive aliases to
+     * 
+     * In certain degenerate cases, stdclass will actually be an integer. In
+     * that case, the value is equivalent to an stdclass with the type
+     * property set to the integer. If the integer is negative, type is
+     * equal to the absolute value of integer, and allow_null is true.
+     * 
+     * This class is friendly with HTMLPurifier_Config. If you need introspection
+     * about the schema, you're better of using the ConfigSchema_Interchange,
+     * which uses more memory but has much richer information.
      */
     public $info = array();
     
@@ -21,15 +47,6 @@ class HTMLPurifier_ConfigSchema {
      */
     static protected $singleton;
     
-    /**
-     * Variable parser.
-     */
-    protected $parser;
-    
-    public function __construct() {
-        $this->parser = new HTMLPurifier_VarParser_Flexible();
-    }
-    
     /**
      * Unserializes the default ConfigSchema.
      */
@@ -40,7 +57,7 @@ class HTMLPurifier_ConfigSchema {
     /**
      * Retrieves an instance of the application-wide configuration definition.
      */
-    public static function &instance($prototype = null) {
+    public static function instance($prototype = null) {
         if ($prototype !== null) {
             HTMLPurifier_ConfigSchema::$singleton = $prototype;
         } elseif (HTMLPurifier_ConfigSchema::$singleton === null || $prototype === true) {
@@ -62,11 +79,11 @@ class HTMLPurifier_ConfigSchema {
      * @param $allow_null Whether or not to allow null values
      */
     public function add($namespace, $name, $default, $type, $allow_null) {
-        $default = $this->parser->parse($default, $type, $allow_null);
-        $this->info[$namespace][$name] = new HTMLPurifier_ConfigDef_Directive();
-        $this->info[$namespace][$name]->type = $type;
-        $this->info[$namespace][$name]->allow_null = $allow_null;
-        $this->defaults[$namespace][$name]   = $default;
+        $obj = new stdclass();
+        $obj->type = is_int($type) ? $type : HTMLPurifier_VarParser::$types[$type];
+        if ($allow_null) $obj->allow_null = true;
+        $this->info[$namespace][$name] = $obj;
+        $this->defaults[$namespace][$name] = $default;
     }
     
     /**
@@ -90,6 +107,9 @@ class HTMLPurifier_ConfigSchema {
      * @param $aliases Hash of aliased values to the real alias
      */
     public function addValueAliases($namespace, $name, $aliases) {
+        if (!isset($this->info[$namespace][$name]->aliases)) {
+            $this->info[$namespace][$name]->aliases = array();
+        }
         foreach ($aliases as $alias => $real) {
             $this->info[$namespace][$name]->aliases[$alias] = $real;
         }
@@ -104,9 +124,7 @@ class HTMLPurifier_ConfigSchema {
      * @param $allowed Lookup array of allowed values
      */
     public function addAllowedValues($namespace, $name, $allowed) {
-        $directive =& $this->info[$namespace][$name];
-        $type = $directive->type;
-        $directive->allowed = $allowed;
+        $this->info[$namespace][$name]->allowed = $allowed;
     }
     
     /**
@@ -117,7 +135,26 @@ class HTMLPurifier_ConfigSchema {
      * @param $new_name Directive that the alias will be to
      */
     public function addAlias($namespace, $name, $new_namespace, $new_name) {
-        $this->info[$namespace][$name] = new HTMLPurifier_ConfigDef_DirectiveAlias($new_namespace, $new_name);
+        $obj = new stdclass;
+        $obj->namespace = $new_namespace;
+        $obj->name = $new_name;
+        $obj->isAlias = true;
+        $this->info[$namespace][$name] = $obj;
+    }
+    
+    /**
+     * Replaces any stdclass that only has the type property with type integer.
+     */
+    public function postProcess() {
+        foreach ($this->info as $namespace => $info) {
+            foreach ($info as $directive => $v) {
+                if (count((array) $v) == 1) {
+                    $this->info[$namespace][$directive] = $v->type;
+                } elseif (count((array) $v) == 2 && isset($v->allow_null)) {
+                    $this->info[$namespace][$directive] = -$v->type;
+                }
+            }
+        }
     }
     
     // DEPRECATED METHODS
@@ -125,26 +162,25 @@ class HTMLPurifier_ConfigSchema {
     /** @see HTMLPurifier_ConfigSchema->set() */
     public static function define($namespace, $name, $default, $type, $description) {
         HTMLPurifier_ConfigSchema::deprecated(__METHOD__);
-        // process modifiers (OPTIMIZE!)
         $type_values = explode('/', $type, 2);
         $type = $type_values[0];
         $modifier = isset($type_values[1]) ? $type_values[1] : false;
         $allow_null = ($modifier === 'null');
-        $def =& HTMLPurifier_ConfigSchema::instance();
+        $def = HTMLPurifier_ConfigSchema::instance();
         $def->add($namespace, $name, $default, $type, $allow_null);
     }
     
     /** @see HTMLPurifier_ConfigSchema->addNamespace() */
     public static function defineNamespace($namespace, $description) {
         HTMLPurifier_ConfigSchema::deprecated(__METHOD__);
-        $def =& HTMLPurifier_ConfigSchema::instance();
+        $def = HTMLPurifier_ConfigSchema::instance();
         $def->addNamespace($namespace);
     }
     
     /** @see HTMLPurifier_ConfigSchema->addValueAliases() */
     public static function defineValueAliases($namespace, $name, $aliases) {
         HTMLPurifier_ConfigSchema::deprecated(__METHOD__);
-        $def =& HTMLPurifier_ConfigSchema::instance();
+        $def = HTMLPurifier_ConfigSchema::instance();
         $def->addValueAliases($namespace, $name, $aliases);
     }
     
@@ -155,21 +191,22 @@ class HTMLPurifier_ConfigSchema {
         foreach ($allowed_values as $value) {
             $allowed[$value] = true;
         }
-        $def =& HTMLPurifier_ConfigSchema::instance();
+        $def = HTMLPurifier_ConfigSchema::instance();
         $def->addAllowedValues($namespace, $name, $allowed);
     }
     
     /** @see HTMLPurifier_ConfigSchema->addAlias() */
     public static function defineAlias($namespace, $name, $new_namespace, $new_name) {
         HTMLPurifier_ConfigSchema::deprecated(__METHOD__);
-        $def =& HTMLPurifier_ConfigSchema::instance();
+        $def = HTMLPurifier_ConfigSchema::instance();
         $def->addAlias($namespace, $name, $new_namespace, $new_name);
     }
     
     /** @deprecated, use HTMLPurifier_VarParser->parse() */
     public function validate($a, $b, $c = false) {
         trigger_error("HTMLPurifier_ConfigSchema->validate deprecated, use HTMLPurifier_VarParser->parse instead", E_USER_NOTICE);
-        return $this->parser->parse($a, $b, $c);
+        $parser = new HTMLPurifier_VarParser();
+        return $parser->parse($a, $b, $c);
     }
     
     /**

library/HTMLPurifier/ConfigSchema/Builder/ConfigSchema.php

@@ -43,6 +43,7 @@ class HTMLPurifier_ConfigSchema_Builder_ConfigSchema
                 );
             }
         }
+        $schema->postProcess();
         return $schema;
     }
     

library/HTMLPurifier/ConfigSchema/Builder/Xml.php

@@ -71,8 +71,10 @@ class HTMLPurifier_ConfigSchema_Builder_Xml extends XMLWriter
         
         $this->startElement('constraints');
             if ($directive->version) $this->writeElement('version', $directive->version);
-            $this->writeElement('type', $directive->type);
-            if ($directive->typeAllowsNull) $this->writeAttribute('allow-null', 'yes');
+            $this->startElement('type');
+                if ($directive->typeAllowsNull) $this->writeAttribute('allow-null', 'yes');
+                $this->text($directive->type);
+            $this->endElement(); // type
             if ($directive->allowed) {
                 $this->startElement('allowed');
                     foreach ($directive->allowed as $value => $x) $this->writeElement('value', $value);

library/HTMLPurifier/ConfigSchema/InterchangeBuilder.php

@@ -17,21 +17,27 @@ class HTMLPurifier_ConfigSchema_InterchangeBuilder
         $builder     = new HTMLPurifier_ConfigSchema_InterchangeBuilder();
         $interchange = new HTMLPurifier_ConfigSchema_Interchange();
         
-        if (!$dir) $dir = realpath(dirname(__FILE__) . '/schema/');
+        if (!$dir) $dir = HTMLPURIFIER_PREFIX . '/HTMLPurifier/ConfigSchema/schema/';
         $info = parse_ini_file($dir . 'info.ini');
         $interchange->name = $info['name'];
         
+        $files = array();
         $dh = opendir($dir);
         while (false !== ($file = readdir($dh))) {
             if (!$file || $file[0] == '.' || strrchr($file, '.') !== '.txt') {
                 continue;
             }
+            $files[] = $file;
+        }
+        closedir($dh);
+        
+        sort($files);
+        foreach ($files as $file) {
             $builder->build(
                 $interchange,
                 new HTMLPurifier_StringHash( $parser->parseFile($dir . $file) )
             );
         }
-        closedir($dh);
         
         return $interchange;
     }

library/HTMLPurifier/ConfigSchema/Validator.php

@@ -111,7 +111,8 @@ class HTMLPurifier_ConfigSchema_Validator
         if (!is_null($d->allowed) || !empty($d->valueAliases)) {
             // allowed and valueAliases require that we be dealing with
             // strings, so check for that early.
-            if (!isset(HTMLPurifier_VarParser::$stringTypes[$d->type])) {
+            $d_int = HTMLPurifier_VarParser::$types[$d->type];
+            if (!isset(HTMLPurifier_VarParser::$stringTypes[$d_int])) {
                 $this->error('type', 'must be a string type when used with allowed or value aliases');
             }
         }

library/HTMLPurifier/ConfigSchema/schema/Attr.AllowedFrameTargets.txt

@@ -1,11 +1,11 @@
-Attr.AllowedFrameTargets
-TYPE: lookup
-DEFAULT: array()
---DESCRIPTION--
-Lookup table of all allowed link frame targets.  Some commonly used link
-targets include _blank, _self, _parent and _top. Values should be
-lowercase, as validation will be done in a case-sensitive manner despite
-W3C's recommendation. XHTML 1.0 Strict does not permit the target attribute
-so this directive will have no effect in that doctype. XHTML 1.1 does not
-enable the Target module by default, you will have to manually enable it
-(see the module documentation for more details.)
+Attr.AllowedFrameTargets
+TYPE: lookup
+DEFAULT: array()
+--DESCRIPTION--
+Lookup table of all allowed link frame targets.  Some commonly used link
+targets include _blank, _self, _parent and _top. Values should be
+lowercase, as validation will be done in a case-sensitive manner despite
+W3C's recommendation. XHTML 1.0 Strict does not permit the target attribute
+so this directive will have no effect in that doctype. XHTML 1.1 does not
+enable the Target module by default, you will have to manually enable it
+(see the module documentation for more details.)

library/HTMLPurifier/ConfigSchema/schema/Attr.AllowedRel.txt

@@ -1,8 +1,8 @@
-Attr.AllowedRel
-TYPE: lookup
-VERSION: 1.6.0
-DEFAULT: array()
---DESCRIPTION--
-List of allowed forward document relationships in the rel attribute. Common
-values may be nofollow or print. By default, this is empty, meaning that no
-document relationships are allowed. 
+Attr.AllowedRel
+TYPE: lookup
+VERSION: 1.6.0
+DEFAULT: array()
+--DESCRIPTION--
+List of allowed forward document relationships in the rel attribute. Common
+values may be nofollow or print. By default, this is empty, meaning that no
+document relationships are allowed. 

library/HTMLPurifier/ConfigSchema/schema/Attr.AllowedRev.txt

@@ -1,8 +1,8 @@
-Attr.AllowedRev
-TYPE: lookup
-VERSION: 1.6.0
-DEFAULT: array()
---DESCRIPTION--
-List of allowed reverse document relationships in the rev attribute. This
-attribute is a bit of an edge-case; if you don't know what it is for, stay
-away. 
+Attr.AllowedRev
+TYPE: lookup
+VERSION: 1.6.0
+DEFAULT: array()
+--DESCRIPTION--
+List of allowed reverse document relationships in the rev attribute. This
+attribute is a bit of an edge-case; if you don't know what it is for, stay
+away. 

library/HTMLPurifier/ConfigSchema/schema/Attr.DefaultInvalidImage.txt

@@ -1,8 +1,8 @@
-Attr.DefaultInvalidImage
-TYPE: string
-DEFAULT: ''
---DESCRIPTION--
-This is the default image an img tag will be pointed to if it does not have
-a valid src attribute.  In future versions, we may allow the image tag to
-be removed completely, but due to design issues, this is not possible right
-now.
+Attr.DefaultInvalidImage
+TYPE: string
+DEFAULT: ''
+--DESCRIPTION--
+This is the default image an img tag will be pointed to if it does not have
+a valid src attribute.  In future versions, we may allow the image tag to
+be removed completely, but due to design issues, this is not possible right
+now.

library/HTMLPurifier/ConfigSchema/schema/Attr.DefaultInvalidImageAlt.txt

@@ -1,7 +1,7 @@
-Attr.DefaultInvalidImageAlt
-TYPE: string
-DEFAULT: 'Invalid image'
---DESCRIPTION--
-This is the content of the alt tag of an invalid image if the user had not
-previously specified an alt attribute.  It has no effect when the image is
-valid but there was no alt attribute present.
+Attr.DefaultInvalidImageAlt
+TYPE: string
+DEFAULT: 'Invalid image'
+--DESCRIPTION--
+This is the content of the alt tag of an invalid image if the user had not
+previously specified an alt attribute.  It has no effect when the image is
+valid but there was no alt attribute present.

library/HTMLPurifier/ConfigSchema/schema/Attr.DefaultTextDir.txt

@@ -1,9 +1,9 @@
-Attr.DefaultTextDir
-TYPE: string
-DEFAULT: 'ltr'
---DESCRIPTION--
-Defines the default text direction (ltr or rtl) of the document being
-parsed.  This generally is the same as the value of the dir attribute in
-HTML, or ltr if that is not specified.
---ALLOWED--
-'ltr', 'rtl'
+Attr.DefaultTextDir
+TYPE: string
+DEFAULT: 'ltr'
+--DESCRIPTION--
+Defines the default text direction (ltr or rtl) of the document being
+parsed.  This generally is the same as the value of the dir attribute in
+HTML, or ltr if that is not specified.
+--ALLOWED--
+'ltr', 'rtl'

library/HTMLPurifier/ConfigSchema/schema/Attr.EnableID.txt

@@ -1,15 +1,15 @@
-Attr.EnableID
-TYPE: bool
-DEFAULT: false
-VERSION: 1.2.0
---DESCRIPTION--
-Allows the ID attribute in HTML.  This is disabled by default due to the
-fact that without proper configuration user input can easily break the
-validation of a webpage by specifying an ID that is already on the
-surrounding HTML.  If you don't mind throwing caution to the wind, enable
-this directive, but I strongly recommend you also consider blacklisting IDs
-you use (%Attr.IDBlacklist) or prefixing all user supplied IDs
-(%Attr.IDPrefix).  When set to true HTML Purifier reverts to the behavior of
-pre-1.2.0 versions.
---ALIASES--
-HTML.EnableAttrID
+Attr.EnableID
+TYPE: bool
+DEFAULT: false
+VERSION: 1.2.0
+--DESCRIPTION--
+Allows the ID attribute in HTML.  This is disabled by default due to the
+fact that without proper configuration user input can easily break the
+validation of a webpage by specifying an ID that is already on the
+surrounding HTML.  If you don't mind throwing caution to the wind, enable
+this directive, but I strongly recommend you also consider blacklisting IDs
+you use (%Attr.IDBlacklist) or prefixing all user supplied IDs
+(%Attr.IDPrefix).  When set to true HTML Purifier reverts to the behavior of
+pre-1.2.0 versions.
+--ALIASES--
+HTML.EnableAttrID

library/HTMLPurifier/ConfigSchema/schema/Attr.IDBlacklist.txt

@@ -1,4 +1,4 @@
-Attr.IDBlacklist
-TYPE: list
-DEFAULT: array()
-DESCRIPTION: Array of IDs not allowed in the document.
+Attr.IDBlacklist
+TYPE: list
+DEFAULT: array()
+DESCRIPTION: Array of IDs not allowed in the document.

library/HTMLPurifier/ConfigSchema/schema/Attr.IDBlacklistRegexp.txt

@@ -1,8 +1,8 @@
-Attr.IDBlacklistRegexp
-TYPE: string/null
-VERSION: 1.6.0
-DEFAULT: NULL
---DESCRIPTION--
-PCRE regular expression to be matched against all IDs. If the expression is
-matches, the ID is rejected. Use this with care: may cause significant
-degradation. ID matching is done after all other validation. 
+Attr.IDBlacklistRegexp
+TYPE: string/null
+VERSION: 1.6.0
+DEFAULT: NULL
+--DESCRIPTION--
+PCRE regular expression to be matched against all IDs. If the expression is
+matches, the ID is rejected. Use this with care: may cause significant
+degradation. ID matching is done after all other validation. 

library/HTMLPurifier/ConfigSchema/schema/Attr.IDPrefix.txt

@@ -1,11 +1,11 @@
-Attr.IDPrefix
-TYPE: string
-VERSION: 1.2.0
-DEFAULT: ''
---DESCRIPTION--
-String to prefix to IDs.  If you have no idea what IDs your pages may use,
-you may opt to simply add a prefix to all user-submitted ID attributes so
-that they are still usable, but will not conflict with core page IDs.
-Example: setting the directive to 'user_' will result in a user submitted
-'foo' to become 'user_foo'  Be sure to set %HTML.EnableAttrID to true
-before using this.  
+Attr.IDPrefix
+TYPE: string
+VERSION: 1.2.0
+DEFAULT: ''
+--DESCRIPTION--
+String to prefix to IDs.  If you have no idea what IDs your pages may use,
+you may opt to simply add a prefix to all user-submitted ID attributes so
+that they are still usable, but will not conflict with core page IDs.
+Example: setting the directive to 'user_' will result in a user submitted
+'foo' to become 'user_foo'  Be sure to set %HTML.EnableAttrID to true
+before using this.  

library/HTMLPurifier/ConfigSchema/schema/Attr.IDPrefixLocal.txt

@@ -1,13 +1,13 @@
-Attr.IDPrefixLocal
-TYPE: string
-VERSION: 1.2.0
-DEFAULT: ''
---DESCRIPTION--
-Temporary prefix for IDs used in conjunction with %Attr.IDPrefix.  If you
-need to allow multiple sets of user content on web page, you may need to
-have a seperate prefix that changes with each iteration.  This way,
-seperately submitted user content displayed on the same page doesn't
-clobber each other. Ideal values are unique identifiers for the content it
-represents (i.e. the id of the row in the database). Be sure to add a
-seperator (like an underscore) at the end.  Warning: this directive will
-not work unless %Attr.IDPrefix is set to a non-empty value! 
+Attr.IDPrefixLocal
+TYPE: string
+VERSION: 1.2.0
+DEFAULT: ''
+--DESCRIPTION--
+Temporary prefix for IDs used in conjunction with %Attr.IDPrefix.  If you
+need to allow multiple sets of user content on web page, you may need to
+have a seperate prefix that changes with each iteration.  This way,
+seperately submitted user content displayed on the same page doesn't
+clobber each other. Ideal values are unique identifiers for the content it
+represents (i.e. the id of the row in the database). Be sure to add a
+seperator (like an underscore) at the end.  Warning: this directive will
+not work unless %Attr.IDPrefix is set to a non-empty value! 

library/HTMLPurifier/ConfigSchema/schema/Attr.txt

@@ -1,2 +1,2 @@
-Attr
-DESCRIPTION: Features regarding attribute validation.
+Attr
+DESCRIPTION: Features regarding attribute validation.

library/HTMLPurifier/ConfigSchema/schema/AutoFormat.AutoParagraph.txt

@@ -1,30 +1,30 @@
-AutoFormat.AutoParagraph
-TYPE: bool
-VERSION: 2.0.1
-DEFAULT: false
---DESCRIPTION--
-
-<p>
-  This directive turns on auto-paragraphing, where double newlines are
-  converted in to paragraphs whenever possible. Auto-paragraphing:
-</p>
-<ul>
-  <li>Always applies to inline elements or text in the root node,</li>
-  <li>Applies to inline elements or text with double newlines in nodes
-      that allow paragraph tags,</li>
-  <li>Applies to double newlines in paragraph tags</li>
-</ul>
-<p>
-  <code>p</code> tags must be allowed for this directive to take effect.
-  We do not use <code>br</code> tags for paragraphing, as that is
-  semantically incorrect.
-</p>
-<p>
-  To prevent auto-paragraphing as a content-producer, refrain from using
-  double-newlines except to specify a new paragraph or in contexts where
-  it has special meaning (whitespace usually has no meaning except in
-  tags like <code>pre</code>, so this should not be difficult.) To prevent
-  the paragraphing of inline text adjacent to block elements, wrap them
-  in <code>div</code> tags (the behavior is slightly different outside of
-  the root node.)
-</p>
+AutoFormat.AutoParagraph
+TYPE: bool
+VERSION: 2.0.1
+DEFAULT: false
+--DESCRIPTION--
+
+<p>
+  This directive turns on auto-paragraphing, where double newlines are
+  converted in to paragraphs whenever possible. Auto-paragraphing:
+</p>
+<ul>
+  <li>Always applies to inline elements or text in the root node,</li>
+  <li>Applies to inline elements or text with double newlines in nodes
+      that allow paragraph tags,</li>
+  <li>Applies to double newlines in paragraph tags</li>
+</ul>
+<p>
+  <code>p</code> tags must be allowed for this directive to take effect.
+  We do not use <code>br</code> tags for paragraphing, as that is
+  semantically incorrect.
+</p>
+<p>
+  To prevent auto-paragraphing as a content-producer, refrain from using
+  double-newlines except to specify a new paragraph or in contexts where
+  it has special meaning (whitespace usually has no meaning except in
+  tags like <code>pre</code>, so this should not be difficult.) To prevent
+  the paragraphing of inline text adjacent to block elements, wrap them
+  in <code>div</code> tags (the behavior is slightly different outside of
+  the root node.)
+</p>

library/HTMLPurifier/ConfigSchema/schema/AutoFormat.Custom.txt

@@ -1,12 +1,12 @@
-AutoFormat.Custom
-TYPE: list
-VERSION: 2.0.1
-DEFAULT: array()
---DESCRIPTION--
-
-<p>
-  This directive can be used to add custom auto-format injectors.
-  Specify an array of injector names (class name minus the prefix)
-  or concrete implementations. Injector class must exist. 
-</p>
-
+AutoFormat.Custom
+TYPE: list
+VERSION: 2.0.1
+DEFAULT: array()
+--DESCRIPTION--
+
+<p>
+  This directive can be used to add custom auto-format injectors.
+  Specify an array of injector names (class name minus the prefix)
+  or concrete implementations. Injector class must exist. 
+</p>
+

library/HTMLPurifier/ConfigSchema/schema/AutoFormat.Linkify.txt

@@ -1,12 +1,12 @@
-AutoFormat.Linkify
-TYPE: bool
-VERSION: 2.0.1
-DEFAULT: false
---DESCRIPTION--
-
-<p>
-  This directive turns on linkification, auto-linking http, ftp and
-  https URLs. <code>a</code> tags with the <code>href</code> attribute
-  must be allowed. 
-</p>
-
+AutoFormat.Linkify
+TYPE: bool
+VERSION: 2.0.1
+DEFAULT: false
+--DESCRIPTION--
+
+<p>
+  This directive turns on linkification, auto-linking http, ftp and
+  https URLs. <code>a</code> tags with the <code>href</code> attribute
+  must be allowed. 
+</p>
+

library/HTMLPurifier/ConfigSchema/schema/AutoFormat.PurifierLinkify.txt

@@ -1,12 +1,12 @@
-AutoFormat.PurifierLinkify
-TYPE: bool
-VERSION: 2.0.1
-DEFAULT: false
---DESCRIPTION--
-
-<p>
-  Internal auto-formatter that converts configuration directives in
-  syntax <a>%Namespace.Directive</a> to links. <code>a</code> tags
-  with the <code>href</code> attribute must be allowed.
-</p>
-
+AutoFormat.PurifierLinkify
+TYPE: bool
+VERSION: 2.0.1
+DEFAULT: false
+--DESCRIPTION--
+
+<p>
+  Internal auto-formatter that converts configuration directives in
+  syntax <a>%Namespace.Directive</a> to links. <code>a</code> tags
+  with the <code>href</code> attribute must be allowed.
+</p>
+

library/HTMLPurifier/ConfigSchema/schema/AutoFormat.txt

@@ -1,2 +1,2 @@
-AutoFormat
-DESCRIPTION: Configuration for activating auto-formatting functionality (also known as <code>Injector</code>s)
+AutoFormat
+DESCRIPTION: Configuration for activating auto-formatting functionality (also known as <code>Injector</code>s)

library/HTMLPurifier/ConfigSchema/schema/AutoFormatParam.PurifierLinkifyDocURL.txt

@@ -1,12 +1,12 @@
-AutoFormatParam.PurifierLinkifyDocURL
-TYPE: string
-VERSION: 2.0.1
-DEFAULT: '#%s'
---DESCRIPTION--
-
-<p>
-  Location of configuration documentation to link to, let %s substitute
-  into the configuration's namespace and directive names sans the percent
-  sign. 
-</p>
-
+AutoFormatParam.PurifierLinkifyDocURL
+TYPE: string
+VERSION: 2.0.1
+DEFAULT: '#%s'
+--DESCRIPTION--
+
+<p>
+  Location of configuration documentation to link to, let %s substitute
+  into the configuration's namespace and directive names sans the percent
+  sign. 
+</p>
+

library/HTMLPurifier/ConfigSchema/schema/AutoFormatParam.txt

@@ -1,2 +1,2 @@
-AutoFormatParam
-DESCRIPTION: Configuration for customizing auto-formatting functionality
+AutoFormatParam
+DESCRIPTION: Configuration for customizing auto-formatting functionality

library/HTMLPurifier/ConfigSchema/schema/CSS.DefinitionRev.txt

@@ -1,11 +1,11 @@
-CSS.DefinitionRev
-TYPE: int
-VERSION: 2.0.0
-DEFAULT: 1
---DESCRIPTION--
-
-<p>
-    Revision identifier for your custom definition. See
-    %HTML.DefinitionRev for details. 
-</p>
-
+CSS.DefinitionRev
+TYPE: int
+VERSION: 2.0.0
+DEFAULT: 1
+--DESCRIPTION--
+
+<p>
+    Revision identifier for your custom definition. See
+    %HTML.DefinitionRev for details. 
+</p>
+

library/HTMLPurifier/ConfigSchema/schema/CSS.MaxImgLength.txt

@@ -0,0 +1,15 @@
+CSS.MaxImgLength
+TYPE: string/null
+DEFAULT: '1200px'
+VERSION: 3.1.1
+--DESCRIPTION--
+<p>
+ This parameter sets the maximum allowed length on <code>img</code> tags,
+ effectively the <code>width</code> and <code>height</code> properties.
+ Only absolute units of measurement (in, pt, pc, mm, cm) and pixels (px) are allowed. This is
+ in place to prevent imagecrash attacks, disable with null at your own risk.
+ This directive is similar to %HTML.MaxImgLength, and both should be
+ concurrently edited, although there are
+ subtle differences in the input format (the CSS max is a number with
+ a unit).
+</p>

library/HTMLPurifier/ConfigSchema/schema/CSS.Proprietary.txt

@@ -1,10 +1,10 @@
-CSS.Proprietary
-TYPE: bool
-VERSION: 3.0.0
-DEFAULT: false
---DESCRIPTION--
-
-<p>
-    Whether or not to allow safe, proprietary CSS values. 
-</p>
-
+CSS.Proprietary
+TYPE: bool
+VERSION: 3.0.0
+DEFAULT: false
+--DESCRIPTION--
+
+<p>
+    Whether or not to allow safe, proprietary CSS values. 
+</p>
+

library/HTMLPurifier/ConfigSchema/schema/CSS.txt

@@ -1,2 +1,2 @@
-CSS
-DESCRIPTION: Configuration regarding allowed CSS.
+CSS
+DESCRIPTION: Configuration regarding allowed CSS.

library/HTMLPurifier/ConfigSchema/schema/Cache.DefinitionImpl.txt

@@ -1,13 +1,13 @@
-Cache.DefinitionImpl
-TYPE: string/null
-VERSION: 2.0.0
-DEFAULT: 'Serializer'
---DESCRIPTION--
-
-This directive defines which method to use when caching definitions,
-the complex data-type that makes HTML Purifier tick. Set to null
-to disable caching (not recommended, as you will see a definite
-performance degradation). 
-
---ALIASES--
-Core.DefinitionCache
+Cache.DefinitionImpl
+TYPE: string/null
+VERSION: 2.0.0
+DEFAULT: 'Serializer'
+--DESCRIPTION--
+
+This directive defines which method to use when caching definitions,
+the complex data-type that makes HTML Purifier tick. Set to null
+to disable caching (not recommended, as you will see a definite
+performance degradation). 
+
+--ALIASES--
+Core.DefinitionCache

library/HTMLPurifier/ConfigSchema/schema/Cache.SerializerPath.txt

@@ -1,13 +1,13 @@
-Cache.SerializerPath
-TYPE: string/null
-VERSION: 2.0.0
-DEFAULT: NULL
---DESCRIPTION--
-
-<p>
-    Absolute path with no trailing slash to store serialized definitions in.
-    Default is within the
-    HTML Purifier library inside DefinitionCache/Serializer. This
-    path must be writable by the webserver. 
-</p>
-
+Cache.SerializerPath
+TYPE: string/null
+VERSION: 2.0.0
+DEFAULT: NULL
+--DESCRIPTION--
+
+<p>
+    Absolute path with no trailing slash to store serialized definitions in.
+    Default is within the
+    HTML Purifier library inside DefinitionCache/Serializer. This
+    path must be writable by the webserver. 
+</p>
+

library/HTMLPurifier/ConfigSchema/schema/Cache.txt

@@ -1,2 +1,2 @@
-Cache
-DESCRIPTION: Configuration for DefinitionCache and related subclasses.
+Cache
+DESCRIPTION: Configuration for DefinitionCache and related subclasses.

library/HTMLPurifier/ConfigSchema/schema/Core.AggressivelyFixLt.txt

@@ -1,13 +1,13 @@
-Core.AggressivelyFixLt
-TYPE: bool
-VERSION: 2.1.0
-DEFAULT: false
---DESCRIPTION--
-
-This directive enables aggressive pre-filter fixes HTML Purifier can
-perform in order to ensure that open angled-brackets do not get killed
-during parsing stage. Enabling this will result in two preg_replace_callback
-calls and one preg_replace call for every bit of HTML passed through here.
-It is not necessary and will have no effect for PHP 4.
-
-
+Core.AggressivelyFixLt
+TYPE: bool
+VERSION: 2.1.0
+DEFAULT: false
+--DESCRIPTION--
+
+This directive enables aggressive pre-filter fixes HTML Purifier can
+perform in order to ensure that open angled-brackets do not get killed
+during parsing stage. Enabling this will result in two preg_replace_callback
+calls and one preg_replace call for every bit of HTML passed through here.
+It is not necessary and will have no effect for PHP 4.
+
+

library/HTMLPurifier/ConfigSchema/schema/Core.CollectErrors.txt

@@ -1,11 +1,11 @@
-Core.CollectErrors
-TYPE: bool
-VERSION: 2.0.0
-DEFAULT: false
---DESCRIPTION--
-
-Whether or not to collect errors found while filtering the document. This
-is a useful way to give feedback to your users. <strong>Warning:</strong>
-Currently this feature is very patchy and experimental, with lots of
-possible error messages not yet implemented. It will not cause any
-problems, but it may not help your users either. 
+Core.CollectErrors
+TYPE: bool
+VERSION: 2.0.0
+DEFAULT: false
+--DESCRIPTION--
+
+Whether or not to collect errors found while filtering the document. This
+is a useful way to give feedback to your users. <strong>Warning:</strong>
+Currently this feature is very patchy and experimental, with lots of
+possible error messages not yet implemented. It will not cause any
+problems, but it may not help your users either. 

library/HTMLPurifier/ConfigSchema/schema/Core.ColorKeywords.txt

@@ -1,29 +1,29 @@
-Core.ColorKeywords
-TYPE: hash
-VERSION: 2.0.0
---DEFAULT--
-array (
-  'maroon' => '#800000',
-  'red' => '#FF0000',
-  'orange' => '#FFA500',
-  'yellow' => '#FFFF00',
-  'olive' => '#808000',
-  'purple' => '#800080',
-  'fuchsia' => '#FF00FF',
-  'white' => '#FFFFFF',
-  'lime' => '#00FF00',
-  'green' => '#008000',
-  'navy' => '#000080',
-  'blue' => '#0000FF',
-  'aqua' => '#00FFFF',
-  'teal' => '#008080',
-  'black' => '#000000',
-  'silver' => '#C0C0C0',
-  'gray' => '#808080',
-)
---DESCRIPTION--
-
-Lookup array of color names to six digit hexadecimal number corresponding
-to color, with preceding hash mark. Used when parsing colors.
-
-
+Core.ColorKeywords
+TYPE: hash
+VERSION: 2.0.0
+--DEFAULT--
+array (
+  'maroon' => '#800000',
+  'red' => '#FF0000',
+  'orange' => '#FFA500',
+  'yellow' => '#FFFF00',
+  'olive' => '#808000',
+  'purple' => '#800080',
+  'fuchsia' => '#FF00FF',
+  'white' => '#FFFFFF',
+  'lime' => '#00FF00',
+  'green' => '#008000',
+  'navy' => '#000080',
+  'blue' => '#0000FF',
+  'aqua' => '#00FFFF',
+  'teal' => '#008080',
+  'black' => '#000000',
+  'silver' => '#C0C0C0',
+  'gray' => '#808080',
+)
+--DESCRIPTION--
+
+Lookup array of color names to six digit hexadecimal number corresponding
+to color, with preceding hash mark. Used when parsing colors.
+
+

library/HTMLPurifier/ConfigSchema/schema/Core.ConvertDocumentToFragment.txt

@@ -1,13 +1,13 @@
-Core.ConvertDocumentToFragment
-TYPE: bool
-DEFAULT: true
---DESCRIPTION--
-
-This parameter determines whether or not the filter should convert
-input that is a full document with html and body tags to a fragment
-of just the contents of a body tag. This parameter is simply something
-HTML Purifier can do during an edge-case: for most inputs, this
-processing is not necessary.
-
---ALIASES--
-Core.AcceptFullDocuments
+Core.ConvertDocumentToFragment
+TYPE: bool
+DEFAULT: true
+--DESCRIPTION--
+
+This parameter determines whether or not the filter should convert
+input that is a full document with html and body tags to a fragment
+of just the contents of a body tag. This parameter is simply something
+HTML Purifier can do during an edge-case: for most inputs, this
+processing is not necessary.
+
+--ALIASES--
+Core.AcceptFullDocuments

library/HTMLPurifier/ConfigSchema/schema/Core.DirectLexLineNumberSyncInterval.txt

@@ -1,17 +1,17 @@
-Core.DirectLexLineNumberSyncInterval
-TYPE: int
-VERSION: 2.0.0
-DEFAULT: 0
---DESCRIPTION--
-
-<p>
-  Specifies the number of tokens the DirectLex line number tracking
-  implementations should process before attempting to resyncronize the
-  current line count by manually counting all previous new-lines. When
-  at 0, this functionality is disabled. Lower values will decrease
-  performance, and this is only strictly necessary if the counting
-  algorithm is buggy (in which case you should report it as a bug).
-  This has no effect when %Core.MaintainLineNumbers is disabled or DirectLex is
-  not being used. 
-</p>
-
+Core.DirectLexLineNumberSyncInterval
+TYPE: int
+VERSION: 2.0.0
+DEFAULT: 0
+--DESCRIPTION--
+
+<p>
+  Specifies the number of tokens the DirectLex line number tracking
+  implementations should process before attempting to resyncronize the
+  current line count by manually counting all previous new-lines. When
+  at 0, this functionality is disabled. Lower values will decrease
+  performance, and this is only strictly necessary if the counting
+  algorithm is buggy (in which case you should report it as a bug).
+  This has no effect when %Core.MaintainLineNumbers is disabled or DirectLex is
+  not being used. 
+</p>
+

library/HTMLPurifier/ConfigSchema/schema/Core.Encoding.txt

@@ -1,14 +1,14 @@
-Core.Encoding
-TYPE: istring
-DEFAULT: 'utf-8'
---DESCRIPTION--
-If for some reason you are unable to convert all webpages to UTF-8, you can
-use this directive as a stop-gap compatibility change to let HTML Purifier
-deal with non UTF-8 input.  This technique has notable deficiencies:
-absolutely no characters outside of the selected character encoding will be
-preserved, not even the ones that have been ampersand escaped (this is due
-to a UTF-8 specific <em>feature</em> that automatically resolves all
-entities), making it pretty useless for anything except the most I18N-blind
-applications, although %Core.EscapeNonASCIICharacters offers fixes this
-trouble with another tradeoff. This directive only accepts ISO-8859-1 if
-iconv is not enabled.
+Core.Encoding
+TYPE: istring
+DEFAULT: 'utf-8'
+--DESCRIPTION--
+If for some reason you are unable to convert all webpages to UTF-8, you can
+use this directive as a stop-gap compatibility change to let HTML Purifier
+deal with non UTF-8 input.  This technique has notable deficiencies:
+absolutely no characters outside of the selected character encoding will be
+preserved, not even the ones that have been ampersand escaped (this is due
+to a UTF-8 specific <em>feature</em> that automatically resolves all
+entities), making it pretty useless for anything except the most I18N-blind
+applications, although %Core.EscapeNonASCIICharacters offers fixes this
+trouble with another tradeoff. This directive only accepts ISO-8859-1 if
+iconv is not enabled.

library/HTMLPurifier/ConfigSchema/schema/Core.EscapeInvalidChildren.txt

@@ -1,9 +1,9 @@
-Core.EscapeInvalidChildren
-TYPE: bool
-DEFAULT: false
---DESCRIPTION--
-When true, a child is found that is not allowed in the context of the
-parent element will be transformed into text as if it were ASCII. When
-false, that element and all internal tags will be dropped, though text will
-be preserved.  There is no option for dropping the element but preserving
-child nodes.
+Core.EscapeInvalidChildren
+TYPE: bool
+DEFAULT: false
+--DESCRIPTION--
+When true, a child is found that is not allowed in the context of the
+parent element will be transformed into text as if it were ASCII. When
+false, that element and all internal tags will be dropped, though text will
+be preserved.  There is no option for dropping the element but preserving
+child nodes.

library/HTMLPurifier/ConfigSchema/schema/Core.EscapeInvalidTags.txt

@@ -1,6 +1,6 @@
-Core.EscapeInvalidTags
-TYPE: bool
-DEFAULT: false
---DESCRIPTION--
-When true, invalid tags will be written back to the document as plain text.
-Otherwise, they are silently dropped.
+Core.EscapeInvalidTags
+TYPE: bool
+DEFAULT: false
+--DESCRIPTION--
+When true, invalid tags will be written back to the document as plain text.
+Otherwise, they are silently dropped.

library/HTMLPurifier/ConfigSchema/schema/Core.EscapeNonASCIICharacters.txt

@@ -1,12 +1,12 @@
-Core.EscapeNonASCIICharacters
-TYPE: bool
-VERSION: 1.4.0
-DEFAULT: false
---DESCRIPTION--
-This directive overcomes a deficiency in %Core.Encoding by blindly
-converting all non-ASCII characters into decimal numeric entities before
-converting it to its native encoding. This means that even characters that
-can be expressed in the non-UTF-8 encoding will be entity-ized, which can
-be a real downer for encodings like Big5. It also assumes that the ASCII
-repetoire is available, although this is the case for almost all encodings.
-Anyway, use UTF-8! 
+Core.EscapeNonASCIICharacters
+TYPE: bool
+VERSION: 1.4.0
+DEFAULT: false
+--DESCRIPTION--
+This directive overcomes a deficiency in %Core.Encoding by blindly
+converting all non-ASCII characters into decimal numeric entities before
+converting it to its native encoding. This means that even characters that
+can be expressed in the non-UTF-8 encoding will be entity-ized, which can
+be a real downer for encodings like Big5. It also assumes that the ASCII
+repetoire is available, although this is the case for almost all encodings.
+Anyway, use UTF-8! 

library/HTMLPurifier/ConfigSchema/schema/Core.HiddenElements.txt

@@ -1,19 +1,19 @@
-Core.HiddenElements
-TYPE: lookup
---DEFAULT--
-array (
-  'script' => true,
-  'style' => true,
-)
---DESCRIPTION--
-
-<p>
-  This directive is a lookup array of elements which should have their
-  contents removed when they are not allowed by the HTML definition.
-  For example, the contents of a <code>script</code> tag are not 
-  normally shown in a document, so if script tags are to be removed,
-  their contents should be removed to. This is opposed to a <code>b</code>
-  tag, which defines some presentational changes but does not hide its
-  contents.
-</p>
-
+Core.HiddenElements
+TYPE: lookup
+--DEFAULT--
+array (
+  'script' => true,
+  'style' => true,
+)
+--DESCRIPTION--
+
+<p>
+  This directive is a lookup array of elements which should have their
+  contents removed when they are not allowed by the HTML definition.
+  For example, the contents of a <code>script</code> tag are not 
+  normally shown in a document, so if script tags are to be removed,
+  their contents should be removed to. This is opposed to a <code>b</code>
+  tag, which defines some presentational changes but does not hide its
+  contents.
+</p>
+

library/HTMLPurifier/ConfigSchema/schema/Core.Language.txt

@@ -1,11 +1,11 @@
-Core.Language
-TYPE: string
-VERSION: 2.0.0
-DEFAULT: 'en'
---DESCRIPTION--
-
-ISO 639 language code for localizable things in HTML Purifier to use,
-which is mainly error reporting. There is currently only an English (en)
-translation, so this directive is currently useless.
-
-
+Core.Language
+TYPE: string
+VERSION: 2.0.0
+DEFAULT: 'en'
+--DESCRIPTION--
+
+ISO 639 language code for localizable things in HTML Purifier to use,
+which is mainly error reporting. There is currently only an English (en)
+translation, so this directive is currently useless.
+
+

library/HTMLPurifier/ConfigSchema/schema/Core.LexerImpl.txt

@@ -1,33 +1,33 @@
-Core.LexerImpl
-TYPE: mixed/null
-VERSION: 2.0.0
-DEFAULT: NULL
---DESCRIPTION--
-
-<p>
-  This parameter determines what lexer implementation can be used. The
-  valid values are:
-</p>
-<dl>
-  <dt><em>null</em></dt>
-  <dd>
-    Recommended, the lexer implementation will be auto-detected based on
-    your PHP-version and configuration.
-  </dd>
-  <dt><em>string</em> lexer identifier</dt>
-  <dd>
-    This is a slim way of manually overridding the implementation.
-    Currently recognized values are: DOMLex (the default PHP5
-implementation)
-    and DirectLex (the default PHP4 implementation). Only use this if
-    you know what you are doing: usually, the auto-detection will
-    manage things for cases you aren't even aware of.
-  </dd>
-  <dt><em>object</em> lexer instance</dt>
-  <dd>
-    Super-advanced: you can specify your own, custom, implementation that
-    implements the interface defined by <code>HTMLPurifier_Lexer</code>.
-    I may remove this option simply because I don't expect anyone
-    to use it.
-  </dd>
-</dl>
+Core.LexerImpl
+TYPE: mixed/null
+VERSION: 2.0.0
+DEFAULT: NULL
+--DESCRIPTION--
+
+<p>
+  This parameter determines what lexer implementation can be used. The
+  valid values are:
+</p>
+<dl>
+  <dt><em>null</em></dt>
+  <dd>
+    Recommended, the lexer implementation will be auto-detected based on
+    your PHP-version and configuration.
+  </dd>
+  <dt><em>string</em> lexer identifier</dt>
+  <dd>
+    This is a slim way of manually overridding the implementation.
+    Currently recognized values are: DOMLex (the default PHP5
+implementation)
+    and DirectLex (the default PHP4 implementation). Only use this if
+    you know what you are doing: usually, the auto-detection will
+    manage things for cases you aren't even aware of.
+  </dd>
+  <dt><em>object</em> lexer instance</dt>
+  <dd>
+    Super-advanced: you can specify your own, custom, implementation that
+    implements the interface defined by <code>HTMLPurifier_Lexer</code>.
+    I may remove this option simply because I don't expect anyone
+    to use it.
+  </dd>
+</dl>

library/HTMLPurifier/ConfigSchema/schema/Core.MaintainLineNumbers.txt

@@ -1,16 +1,16 @@
-Core.MaintainLineNumbers
-TYPE: bool/null
-VERSION: 2.0.0
-DEFAULT: NULL
---DESCRIPTION--
-
-<p>
-  If true, HTML Purifier will add line number information to all tokens.
-  This is useful when error reporting is turned on, but can result in
-  significant performance degradation and should not be used when
-  unnecessary. This directive must be used with the DirectLex lexer,
-  as the DOMLex lexer does not (yet) support this functionality. 
-  If the value is null, an appropriate value will be selected based
-  on other configuration. 
-</p>
-
+Core.MaintainLineNumbers
+TYPE: bool/null
+VERSION: 2.0.0
+DEFAULT: NULL
+--DESCRIPTION--
+
+<p>
+  If true, HTML Purifier will add line number information to all tokens.
+  This is useful when error reporting is turned on, but can result in
+  significant performance degradation and should not be used when
+  unnecessary. This directive must be used with the DirectLex lexer,
+  as the DOMLex lexer does not (yet) support this functionality. 
+  If the value is null, an appropriate value will be selected based
+  on other configuration. 
+</p>
+

library/HTMLPurifier/ConfigSchema/schema/Core.RemoveInvalidImg.txt

@@ -1,12 +1,12 @@
-Core.RemoveInvalidImg
-TYPE: bool
-DEFAULT: true
-VERSION: 1.3.0
---DESCRIPTION--
-
-<p>
-  This directive enables pre-emptive URI checking in <code>img</code> 
-  tags, as the attribute validation strategy is not authorized to 
-  remove elements from the document. Revert to pre-1.3.0 behavior by setting to false.
-</p>
-
+Core.RemoveInvalidImg
+TYPE: bool
+DEFAULT: true
+VERSION: 1.3.0
+--DESCRIPTION--
+
+<p>
+  This directive enables pre-emptive URI checking in <code>img</code> 
+  tags, as the attribute validation strategy is not authorized to 
+  remove elements from the document. Revert to pre-1.3.0 behavior by setting to false.
+</p>
+

library/HTMLPurifier/ConfigSchema/schema/Core.RemoveScriptContents.txt

@@ -1,11 +1,11 @@
-Core.RemoveScriptContents
-TYPE: bool/null
-DEFAULT: NULL
-VERSION: 2.0.0
-DEPRECATED-VERSION: 2.1.0
-DEPRECATED-USE: Core.HiddenElements
---DESCRIPTION--
-<p>
-  This directive enables HTML Purifier to remove not only script tags
-  but all of their contents.
-</p>
+Core.RemoveScriptContents
+TYPE: bool/null
+DEFAULT: NULL
+VERSION: 2.0.0
+DEPRECATED-VERSION: 2.1.0
+DEPRECATED-USE: Core.HiddenElements
+--DESCRIPTION--
+<p>
+  This directive enables HTML Purifier to remove not only script tags
+  but all of their contents.
+</p>

library/HTMLPurifier/ConfigSchema/schema/Core.txt

@@ -1,2 +1,2 @@
-Core
-DESCRIPTION: Core features that are always available.
+Core
+DESCRIPTION: Core features that are always available.

library/HTMLPurifier/ConfigSchema/schema/Filter.ExtractStyleBlocks.txt

@@ -21,3 +21,17 @@ $styles = $purifier->context->get('StyleBlocks');
 foreach ($styles as $style) {
     echo '<style type="text/css">' . $style . "</style>\n";
 }]]></pre>
+<p>
+  <strong>Warning:</strong> It is possible for a user to mount an
+  imagecrash attack using this CSS. Counter-measures are difficult;
+  it is not simply enough to limit the range of CSS lengths (using
+  relative lengths with many nesting levels allows for large values
+  to be attained without actually specifying them in the stylesheet),
+  and the flexible nature of selectors makes it difficult to selectively
+  disable lengths on image tags (HTML Purifier, however, does disable
+  CSS width and height in inline styling). There are probably two effective
+  counter measures: an explicit width and height set to auto in all
+  images in your document (unlikely) or the disabling of width and
+  height (somewhat reasonable). Whether or not these measures should be
+  used is left to the reader.
+</p>

library/HTMLPurifier/ConfigSchema/schema/Filter.txt

@@ -1,2 +1,2 @@
-Filter
-DESCRIPTION: Directives for turning filters on and off, or specifying custom filters.
+Filter
+DESCRIPTION: Directives for turning filters on and off, or specifying custom filters.

library/HTMLPurifier/ConfigSchema/schema/FilterParam.ExtractStyleBlocksEscaping.txt

@@ -1,14 +1,14 @@
-FilterParam.ExtractStyleBlocksEscaping
-TYPE: bool
-VERSION: 3.0.0
-DEFAULT: true
-ALIASES: Filter.ExtractStyleBlocksEscaping
---DESCRIPTION--
-
-<p>
-  Whether or not to escape the dangerous characters &lt;, &gt; and &amp;
-  as \3C, \3E and \26, respectively. This is can be safely set to false
-  if the contents of StyleBlocks will be placed in an external stylesheet,
-  where there is no risk of it being interpreted as HTML. 
-</p>
-
+FilterParam.ExtractStyleBlocksEscaping
+TYPE: bool
+VERSION: 3.0.0
+DEFAULT: true
+ALIASES: Filter.ExtractStyleBlocksEscaping
+--DESCRIPTION--
+
+<p>
+  Whether or not to escape the dangerous characters &lt;, &gt; and &amp;
+  as \3C, \3E and \26, respectively. This is can be safely set to false
+  if the contents of StyleBlocks will be placed in an external stylesheet,
+  where there is no risk of it being interpreted as HTML. 
+</p>
+