chore(release): 4.17.0 [skip ci]

# [4.17.0](https://github.com/ezyang/htmlpurifier/compare/v4.16.0...v4.17.0) (2023-11-17) ### Bug Fixes * CSSTidy ImportantComments not handled properly ([#359](https://github.com/ezyang/htmlpurifier/issues/359)) ([78a9b4d](78a9b4d0da)) * fix CI ([#361](https://github.com/ezyang/htmlpurifier/issues/361)) ([9ec687c](9ec687c904)) * Invalid scheme check in Attr.TargetBlank ([#363](https://github.com/ezyang/htmlpurifier/issues/363)) ([0176ef4](0176ef4bb6)) * semantic release ([#339](https://github.com/ezyang/htmlpurifier/issues/339)) ([d82f3d9](d82f3d996a)) * semantic release ([#341](https://github.com/ezyang/htmlpurifier/issues/341)) ([e55fead](e55fead09f)), closes [#339](https://github.com/ezyang/htmlpurifier/issues/339) * Support for locales using decimal separators other than . (dot) ([#372](https://github.com/ezyang/htmlpurifier/issues/372)) ([43f49ac](43f49ac9a5)) ### Features * Add support for all text-decoration properties ([#360](https://github.com/ezyang/htmlpurifier/issues/360)) ([2d775c0](2d775c0187)) * Allows commas to be included in tel URI ([#389](https://github.com/ezyang/htmlpurifier/issues/389)) ([ec92490](ec92490139)), closes [#388](https://github.com/ezyang/htmlpurifier/issues/388) ### Reverts * Revert "fix: semantic release (#339)" (#340) ([3e83215](3e832152a6)), closes [#339](https://github.com/ezyang/htmlpurifier/issues/339) [#340](https://github.com/ezyang/htmlpurifier/issues/340)
ci: upgrade semantic-release-action
2025-08-02 12:21:09 +02:00 · 2023-11-17 15:01:25 +00:00 · 2023-11-17 10:00:42 -05:00 · 2023-11-10 10:25:42 -05:00 · 2023-08-24 11:15:30 -04:00 · 2023-04-30 13:55:11 -04:00
100 changed files with 919 additions and 670 deletions
--- a/.gitattributes
+++ b/.gitattributes
@@ -1,13 +1,23 @@
 /.gitattributes export-ignore
+/.github export-ignore
 /.gitignore export-ignore
-/.travis.yml export-ignore
-/Doxyfile export-ignore
-/art/ export-ignore
-/benchmarks/ export-ignore
-/configdoc/ export-ignore
+/art export-ignore
+/benchmarks export-ignore
+/configdoc export-ignore
 /configdoc/usage.xml -crlf
-/docs/ export-ignore
-/phpdoc.ini
-/smoketests/ export-ignore
-/tests/* export-ignore
-/tests/path2class.func.php -export-ignore
+/docs export-ignore
+/Doxyfile export-ignore
+/extras export-ignore
+/INSTALL* export-ignore
+/maintenance export-ignore
+/NEWS export-ignore
+/package.php export-ignore
+/plugins export-ignore
+/phpdoc.ini export-ignore
+/smoketests export-ignore
+/test-* export-ignore
+/tests export-ignore
+/TODO export-ignore
+/update-for-release export-ignore
+/WYSIWYG export-ignore
+/release.config.js export-ignore
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -0,0 +1,36 @@
+name: ci
+
+on:
+  push:
+  pull_request:
+
+jobs:
+  linux_tests:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: true
+      matrix:
+        php: ['5.6', '7.0', '7.1', '7.2', '7.3', '7.4', '8.0', '8.1', '8.2', '8.3']
+
+    name: PHP ${{ matrix.php }}
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Setup PHP
+        uses: shivammathur/setup-php@v2
+        with:
+          php-version: ${{ matrix.php }}
+          tools: composer:v2
+          ini-values: error_reporting=E_ALL
+          extensions: iconv, bcmath, tidy, mbstring, intl
+
+      - name: Install dependencies
+        run: composer install
+
+      - name: Configure simpletest
+        run: cp test-settings.sample.php test-settings.php
+
+      - name: Execute Unit tests
+        run: php tests/index.php
--- a/.github/workflows/lint-pr.yml
+++ b/.github/workflows/lint-pr.yml
@@ -0,0 +1,19 @@
+name: "Lint PR"
+
+on:
+  pull_request_target:
+    types:
+      - opened
+      - edited
+      - synchronize
+
+jobs:
+  main:
+    name: Validate PR title
+
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: amannn/action-semantic-pull-request@v4
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -0,0 +1,29 @@
+name: release
+
+on:
+  workflow_dispatch:
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+
+    name: Release
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+
+      - name: Setup PHP
+        uses: shivammathur/setup-php@v2
+        with:
+          php-version: 8.2
+
+      - name: Run automated release process with semantic-release
+        uses: cycjimmy/semantic-release-action@v4
+        with:
+          extra_plugins: |
+            @semantic-release/changelog
+            @semantic-release/git
+            @semantic-release/exec
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
--- a/.travis.yml
+++ b/.travis.yml
@@ -1,14 +0,0 @@
-language: php
-php:
-    - '5.4'
-    - '5.5'
-    - '5.6'
-    - '7.0'
-    - '7.1'
-    - '7.2'
-    - '7.3'
-before_script:
-    - git clone --depth=50 https://github.com/ezyang/simpletest.git
-    - cp test-settings.travis.php test-settings.php
-script:
-    - php tests/index.php
--- a/2
+++ b/2
@@ -31,7 +31,7 @@ PROJECT_NAME           = HTMLPurifier
 # This could be handy for archiving the generated documentation or
 # if some version control system is used.

-PROJECT_NUMBER         = 4.11.0
+PROJECT_NUMBER         = 4.17.0

 # The OUTPUT_DIRECTORY tag is used to specify the (relative or absolute)
 # base path where the generated documentation will be put.
--- a/75
+++ b/75
@@ -1,3 +1,26 @@
+# [4.17.0](https://github.com/ezyang/htmlpurifier/compare/v4.16.0...v4.17.0) (2023-11-17)
+
+
+### Bug Fixes
+
+* CSSTidy ImportantComments not handled properly ([#359](https://github.com/ezyang/htmlpurifier/issues/359)) ([78a9b4d](https://github.com/ezyang/htmlpurifier/commit/78a9b4d0dae8bce9a70e4e7e551bf51e9a23706d))
+* fix CI ([#361](https://github.com/ezyang/htmlpurifier/issues/361)) ([9ec687c](https://github.com/ezyang/htmlpurifier/commit/9ec687c904a1fe66a5395d22c50f7043e045d1d3))
+* Invalid scheme check in Attr.TargetBlank ([#363](https://github.com/ezyang/htmlpurifier/issues/363)) ([0176ef4](https://github.com/ezyang/htmlpurifier/commit/0176ef4bb6f57103fdcb60a802603e60e81ee93e))
+* semantic release ([#339](https://github.com/ezyang/htmlpurifier/issues/339)) ([d82f3d9](https://github.com/ezyang/htmlpurifier/commit/d82f3d996a0d9b0f23364946d9a14408c1ad72c5))
+* semantic release ([#341](https://github.com/ezyang/htmlpurifier/issues/341)) ([e55fead](https://github.com/ezyang/htmlpurifier/commit/e55fead09f39430d30f48438f06e7bc2326efc94)), closes [#339](https://github.com/ezyang/htmlpurifier/issues/339)
+* Support for locales using decimal separators other than . (dot) ([#372](https://github.com/ezyang/htmlpurifier/issues/372)) ([43f49ac](https://github.com/ezyang/htmlpurifier/commit/43f49ac9a51b81dfd07d3bc8dcfc5ec5637a5e3b))
+
+
+### Features
+
+* Add support for all text-decoration properties ([#360](https://github.com/ezyang/htmlpurifier/issues/360)) ([2d775c0](https://github.com/ezyang/htmlpurifier/commit/2d775c01874e2f676ba1a2d9fe69b47c2a823061))
+* Allows commas to be included in tel URI ([#389](https://github.com/ezyang/htmlpurifier/issues/389)) ([ec92490](https://github.com/ezyang/htmlpurifier/commit/ec924901392f088d334622f806b9449b17b75d7b)), closes [#388](https://github.com/ezyang/htmlpurifier/issues/388)
+
+
+### Reverts
+
+* Revert "fix: semantic release (#339)" (#340) ([3e83215](https://github.com/ezyang/htmlpurifier/commit/3e832152a6173f880c6495a3ab2b0e5235e253a6)), closes [#339](https://github.com/ezyang/htmlpurifier/issues/339) [#340](https://github.com/ezyang/htmlpurifier/issues/340)
+
 NEWS ( CHANGELOG and HISTORY )                                     HTMLPurifier
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||

@@ -9,6 +32,58 @@ NEWS ( CHANGELOG and HISTORY )                                     HTMLPurifier
    . Internal change
 ==========================

+4.15.0, released 2022-09-18
+! PHP 8.1 and 8.2 support, esp. fixes for deprecation warnings.  A joint effort
+  by David Rans, Tim Düsterhus, Kieran and John Flatness.
+! Allow contenteditable="false" (#336), contributed by Kieran.
+- Replace PHP 8.1 deprecated utf8_ functions with mbstring (#326),
+  contributed by John Flatness.
+- Enhanced composer suggestions with extensions (#317), contributed by
+  func0der.
+
+4.14.0, released 2021-12-24
+! Add "background-size" support (#289), contributed by Václav Smítal
+! Transform deprecated width attribute when tidying HTML, contributed by
+  Kieran.
+- PHP 8 support, contributed by Maksims Sļotovs.
+- Improved PHP 7.3 compatibility, contributed by kishor.
+- Avoid spurious magic quotes notice in PHP 7.4.  Thanks
+  Jasper Zonneveld for the fix.
+- Do not remove thead from table even if there are no tbody/tr (#264).
+  Thanks Marcus Artner for the fix.
+- Fix "Parameter must be an array or an object that implements
+  Countable" (#285)".  Thanks Kieran for this fix.
+. Fix unnecessary reference assignment, handling behavior change from
+  PHP5 and PHP7.  Thanks Arkadiusz Biczewski for the fix.
+
+4.13.0, released 2020-06-28
+! Add %HTML.Forms directive, which lets you accept forms in user
+  HTML without requiring full %HTML.Trusted.  Note that forms can
+  be (trivially) used to setup phishing; e.g., an attacker can
+  use CSS absolute positioning to overlay a form on top of a login
+  element, so please be sure to use this with care!   Fixes #213.
+  Thanks Mateusz Turcza for contributing this feature.
+! tr@bgcolor attribute is now supported.  Thanks Kieran Brahney
+  for this enhancement.
+- Further improvements to PHP 7.4 support, contributed by Witold
+  Wasiczko and Eloy Lafuente.
+- Fix PSR-0 compatibility.  Thanks Jordi Boggiano for contributing
+  part of this fix.
+- Fix bug with purifyArray where it doesn't work on empty arrays.
+  Thanks Fräntz Miccoli for the fix.
+- Reduce amount of maintenance scripts included in distribution
+  packages.  Thanks Sergei Morozov for this patch.
+- Remove leading zeros unless if it is only a zero, fixes #239.  Thanks
+  lubomirbartos for this fix.
+- Correct type hinting of maybeGet*, fixes #240.   Thanks Anders Jenbo
+  for this fix.
+
+4.12.0, released 2019-10-27
+! PHP 7.4 is supported, thank you Witold Wasiczko, Mateuz Turcza and
+  Edi Modrić
+- PHPDocs for HTMLModule::addElement() and Bool attr are fixed (thanks
+  Mateusz)
+
 4.11.0, released 2019-07-14
 # SafeScripting now matches case-sensitively against its whitelist (previously it was
  case-insensitive.)  Thanks Dimitri Gritsajuk <gritsajuk.dimitri@gmail.com>
--- a/README.md
+++ b/README.md
@@ -1,4 +1,4 @@
-HTML Purifier [![Build Status](https://secure.travis-ci.org/ezyang/htmlpurifier.svg?branch=master)](http://travis-ci.org/ezyang/htmlpurifier)
+HTML Purifier [![Build Status](https://github.com/ezyang/htmlpurifier/actions/workflows/ci.yml/badge.svg?branch=master)](https://github.com/ezyang/htmlpurifier/actions/workflows/ci.yml)
 =============

 HTML Purifier is an HTML filtering solution that uses a unique combination
--- a/2
+++ b/2
@@ -1 +1 @@
-4.11.0
+4.17.0
--- a/7
+++ b/7
@@ -1,7 +0,0 @@
-HTML Purifier 4.11.x is a maintenance release, collecting a year
-and a half of accumulated bug fixes.  Most notable fixes are
-compatibility with PHP 7.3, and case-sensitive matching for
-the SafeScripting whitelist.  There are a number small feature
-enhancements, including an expanded supported color list,
-initial and inherit support for {min-,max-,}{width,height}
-and multidimensional array support for purifyArray.
--- a/composer.json
+++ b/composer.json
@@ -13,13 +13,33 @@
        }
    ],
    "require": {
-        "php": ">=5.2"
+        "php": "~5.6.0 || ~7.0.0 || ~7.1.0 || ~7.2.0 || ~7.3.0 || ~7.4.0 || ~8.0.0 || ~8.1.0 || ~8.2.0 || ~8.3.0"
    },
    "require-dev": {
-        "simpletest/simpletest": "dev-master#72de02a7b80c6bb8864ef9bf66d41d2f58f826bd"
+        "cerdic/css-tidy": "^1.7 || ^2.0",
+        "simpletest/simpletest": "dev-master"
    },
    "autoload": {
        "psr-0": { "HTMLPurifier": "library/" },
-        "files": ["library/HTMLPurifier.composer.php"]
-    }
+        "files": ["library/HTMLPurifier.composer.php"],
+        "exclude-from-classmap": [
+            "/library/HTMLPurifier/Language/"
+        ]
+    },
+    "suggest": {
+        "cerdic/css-tidy": "If you want to use the filter 'Filter.ExtractStyleBlocks'.",
+        "ext-iconv": "Converts text to and from non-UTF-8 encodings",
+        "ext-bcmath": "Used for unit conversion and imagecrash protection",
+        "ext-tidy": "Used for pretty-printing HTML"
+    },
+    "config": {
+        "sort-packages": true
+    },
+    "repositories": [
+        {
+            "type": "vcs",
+            "url": "https://github.com/ezyang/simpletest.git",
+            "no-api": true
+        }
+    ]
 }
--- a/configdoc/usage.xml
+++ b/configdoc/usage.xml
@@ -5,8 +5,8 @@
   <line>162</line>
  </file>
  <file name="HTMLPurifier/Lexer.php">
-   <line>85</line>
-   <line>326</line>
+   <line>90</line>
+   <line>331</line>
  </file>
  <file name="HTMLPurifier/Lexer/DirectLex.php">
   <line>67</line>
@@ -19,37 +19,37 @@
 </directive>
 <directive id="CSS.MaxImgLength">
  <file name="HTMLPurifier/CSSDefinition.php">
-   <line>240</line>
+   <line>256</line>
  </file>
 </directive>
 <directive id="CSS.Proprietary">
  <file name="HTMLPurifier/CSSDefinition.php">
-   <line>365</line>
+   <line>398</line>
  </file>
 </directive>
 <directive id="CSS.AllowTricky">
  <file name="HTMLPurifier/CSSDefinition.php">
-   <line>369</line>
+   <line>402</line>
  </file>
 </directive>
 <directive id="CSS.Trusted">
  <file name="HTMLPurifier/CSSDefinition.php">
-   <line>373</line>
+   <line>406</line>
  </file>
 </directive>
 <directive id="CSS.AllowImportant">
  <file name="HTMLPurifier/CSSDefinition.php">
-   <line>377</line>
+   <line>410</line>
  </file>
 </directive>
 <directive id="CSS.AllowedProperties">
  <file name="HTMLPurifier/CSSDefinition.php">
-   <line>506</line>
+   <line>539</line>
  </file>
 </directive>
 <directive id="CSS.ForbiddenProperties">
  <file name="HTMLPurifier/CSSDefinition.php">
-   <line>522</line>
+   <line>555</line>
  </file>
 </directive>
 <directive id="Cache.DefinitionImpl">
@@ -124,7 +124,7 @@
   <line>122</line>
  </file>
  <file name="HTMLPurifier/Lexer.php">
-   <line>308</line>
+   <line>313</line>
  </file>
 </directive>
 <directive id="Output.Newline">
@@ -172,8 +172,11 @@
   <line>234</line>
  </file>
  <file name="HTMLPurifier/Lexer.php">
-   <line>313</line>
-   <line>353</line>
+   <line>318</line>
+   <line>358</line>
+  </file>
+  <file name="HTMLPurifier/AttrDef/HTML/ContentEditable.php">
+   <line>8</line>
  </file>
  <file name="HTMLPurifier/HTMLModule/Image.php">
   <line>37</line>
@@ -250,12 +253,12 @@
 </directive>
 <directive id="Core.LexerImpl">
  <file name="HTMLPurifier/Lexer.php">
-   <line>80</line>
+   <line>85</line>
  </file>
 </directive>
 <directive id="Core.MaintainLineNumbers">
  <file name="HTMLPurifier/Lexer.php">
-   <line>84</line>
+   <line>89</line>
  </file>
  <file name="HTMLPurifier/Lexer/DirectLex.php">
   <line>62</line>
@@ -263,23 +266,23 @@
 </directive>
 <directive id="Core.LegacyEntityDecoder">
  <file name="HTMLPurifier/Lexer.php">
-   <line>215</line>
-   <line>337</line>
+   <line>220</line>
+   <line>342</line>
  </file>
 </directive>
 <directive id="Core.ConvertDocumentToFragment">
  <file name="HTMLPurifier/Lexer.php">
-   <line>324</line>
+   <line>329</line>
  </file>
 </directive>
 <directive id="Core.RemoveProcessingInstructions">
  <file name="HTMLPurifier/Lexer.php">
-   <line>347</line>
+   <line>352</line>
  </file>
 </directive>
 <directive id="Core.HiddenElements">
  <file name="HTMLPurifier/Lexer.php">
-   <line>351</line>
+   <line>356</line>
  </file>
  <file name="HTMLPurifier/Strategy/RemoveForeignElements.php">
   <line>36</line>
@@ -287,12 +290,12 @@
 </directive>
 <directive id="Core.AggressivelyRemoveScript">
  <file name="HTMLPurifier/Lexer.php">
-   <line>352</line>
+   <line>357</line>
  </file>
 </directive>
 <directive id="Core.RemoveScriptContents">
  <file name="HTMLPurifier/Lexer.php">
-   <line>353</line>
+   <line>358</line>
  </file>
  <file name="HTMLPurifier/Strategy/RemoveForeignElements.php">
   <line>35</line>
@@ -354,7 +357,7 @@
 </directive>
 <directive id="CSS.AllowedFonts">
  <file name="HTMLPurifier/AttrDef/CSS/FontFamily.php">
-   <line>64</line>
+   <line>62</line>
  </file>
 </directive>
 <directive id="Attr.AllowedClasses">
@@ -451,7 +454,7 @@
 </directive>
 <directive id="HTML.FlashAllowFullScreen">
  <file name="HTMLPurifier/AttrTransform/SafeParam.php">
-   <line>53</line>
+   <line>58</line>
  </file>
 </directive>
 <directive id="Cache.SerializerPath">
@@ -477,7 +480,12 @@
 </directive>
 <directive id="Filter.ExtractStyleBlocks.Escaping">
  <file name="HTMLPurifier/Filter/ExtractStyleBlocks.php">
-   <line>330</line>
+   <line>334</line>
+  </file>
+ </directive>
+ <directive id="HTML.Forms">
+  <file name="HTMLPurifier/HTMLModule/Forms.php">
+   <line>31</line>
  </file>
 </directive>
 <directive id="HTML.SafeIframe">
--- a/extras/FSTools.php
+++ b/extras/FSTools.php
@@ -136,7 +136,7 @@ class FSTools
    /**
     * Recursively globs a directory.
     */
-    public function globr($dir, $pattern, $flags = NULL)
+    public function globr($dir, $pattern, $flags = 0)
    {
        $files = $this->glob("$dir/$pattern", $flags);
        if ($files === false) $files = array();
--- a/library/HTMLPurifier.autoload-legacy.php
+++ b/library/HTMLPurifier.autoload-legacy.php
@@ -4,12 +4,11 @@
 * @file
 * Legacy autoloader for systems lacking spl_autoload_register
 *
- * Must be separate to prevent deprecation warning on PHP 7.2
 */

-function __autoload($class)
+spl_autoload_register(function($class)
 {
-    return HTMLPurifier_Bootstrap::autoload($class);
-}
+     return HTMLPurifier_Bootstrap::autoload($class);
+});

 // vim: et sw=4 sts=4
--- a/library/HTMLPurifier.autoload.php
+++ b/library/HTMLPurifier.autoload.php
@@ -17,6 +17,7 @@ if (function_exists('spl_autoload_register') && function_exists('spl_autoload_un
    require dirname(__FILE__) . '/HTMLPurifier.autoload-legacy.php';
 }

+// phpcs:ignore PHPCompatibility.IniDirectives.RemovedIniDirectives.zend_ze1_compatibility_modeRemoved
 if (ini_get('zend.ze1_compatibility_mode')) {
    trigger_error("HTML Purifier is not compatible with zend.ze1_compatibility_mode; please turn it off", E_USER_ERROR);
 }
--- a/library/HTMLPurifier.includes.php
+++ b/library/HTMLPurifier.includes.php
@@ -7,7 +7,7 @@
 * primary concern and you are using an opcode cache. PLEASE DO NOT EDIT THIS
 * FILE, changes will be overwritten the next time the script is run.
 *
- * @version 4.11.0
+ * @version 4.17.0
 *
 * @warning
 *      You must *not* include any other HTML Purifier files before this file,
@@ -107,6 +107,7 @@ require 'HTMLPurifier/AttrDef/HTML/Bool.php';
 require 'HTMLPurifier/AttrDef/HTML/Nmtokens.php';
 require 'HTMLPurifier/AttrDef/HTML/Class.php';
 require 'HTMLPurifier/AttrDef/HTML/Color.php';
+require 'HTMLPurifier/AttrDef/HTML/ContentEditable.php';
 require 'HTMLPurifier/AttrDef/HTML/FrameTarget.php';
 require 'HTMLPurifier/AttrDef/HTML/ID.php';
 require 'HTMLPurifier/AttrDef/HTML/Pixels.php';
--- a/library/HTMLPurifier.php
+++ b/library/HTMLPurifier.php
@@ -19,7 +19,7 @@
 */

 /*
-    HTML Purifier 4.11.0 - Standards Compliant HTML Filtering
+    HTML Purifier 4.17.0 - Standards Compliant HTML Filtering
    Copyright (C) 2006-2008 Edward Z. Yang

    This library is free software; you can redistribute it and/or
@@ -58,12 +58,12 @@ class HTMLPurifier
     * Version of HTML Purifier.
     * @type string
     */
-    public $version = '4.11.0';
+    public $version = '4.17.0';

    /**
     * Constant with version of HTML Purifier.
     */
-    const VERSION = '4.11.0';
+    const VERSION = '4.17.0';

    /**
     * Global configuration object.
@@ -240,6 +240,7 @@ class HTMLPurifier
    public function purifyArray($array_of_html, $config = null)
    {
        $context_array = array();
+        $array = array();
        foreach($array_of_html as $key=>$value){
            if (is_array($value)) {
                $array[$key] = $this->purifyArray($value, $config);
--- a/library/HTMLPurifier.safe-includes.php
+++ b/library/HTMLPurifier.safe-includes.php
@@ -101,6 +101,7 @@ require_once $__dir . '/HTMLPurifier/AttrDef/HTML/Bool.php';
 require_once $__dir . '/HTMLPurifier/AttrDef/HTML/Nmtokens.php';
 require_once $__dir . '/HTMLPurifier/AttrDef/HTML/Class.php';
 require_once $__dir . '/HTMLPurifier/AttrDef/HTML/Color.php';
+require_once $__dir . '/HTMLPurifier/AttrDef/HTML/ContentEditable.php';
 require_once $__dir . '/HTMLPurifier/AttrDef/HTML/FrameTarget.php';
 require_once $__dir . '/HTMLPurifier/AttrDef/HTML/ID.php';
 require_once $__dir . '/HTMLPurifier/AttrDef/HTML/Pixels.php';
--- a/library/HTMLPurifier/AttrDef/CSS/Background.php
+++ b/library/HTMLPurifier/AttrDef/CSS/Background.php
@@ -25,6 +25,7 @@ class HTMLPurifier_AttrDef_CSS_Background extends HTMLPurifier_AttrDef
        $this->info['background-repeat'] = $def->info['background-repeat'];
        $this->info['background-attachment'] = $def->info['background-attachment'];
        $this->info['background-position'] = $def->info['background-position'];
+        $this->info['background-size'] = $def->info['background-size'];
    }

    /**
@@ -53,6 +54,7 @@ class HTMLPurifier_AttrDef_CSS_Background extends HTMLPurifier_AttrDef
        $caught['repeat'] = false;
        $caught['attachment'] = false;
        $caught['position'] = false;
+        $caught['size'] = false;

        $i = 0; // number of catches

--- a/library/HTMLPurifier/AttrDef/CSS/FontFamily.php
+++ b/library/HTMLPurifier/AttrDef/CSS/FontFamily.php
@@ -10,23 +10,21 @@ class HTMLPurifier_AttrDef_CSS_FontFamily extends HTMLPurifier_AttrDef

    public function __construct()
    {
-        $this->mask = '_- ';
-        for ($c = 'a'; $c <= 'z'; $c++) {
-            $this->mask .= $c;
-        }
-        for ($c = 'A'; $c <= 'Z'; $c++) {
-            $this->mask .= $c;
-        }
-        for ($c = '0'; $c <= '9'; $c++) {
-            $this->mask .= $c;
-        } // cast-y, but should be fine
-        // special bytes used by UTF-8
-        for ($i = 0x80; $i <= 0xFF; $i++) {
-            // We don't bother excluding invalid bytes in this range,
-            // because the our restriction of well-formed UTF-8 will
-            // prevent these from ever occurring.
-            $this->mask .= chr($i);
-        }
+        // Lowercase letters
+        $l = range('a', 'z');
+        // Uppercase letters
+        $u = range('A', 'Z');
+        // Digits
+        $d = range('0', '9');
+        // Special bytes used by UTF-8
+        $b = array_map('chr', range(0x80, 0xFF));
+        // All valid characters for the mask
+        $c = array_merge($l, $u, $d, $b);
+        // Concatenate all valid characters into a string 
+        // Use '_- ' as an initial value
+        $this->mask = array_reduce($c, function ($carry, $value) {
+            return $carry . $value;
+        }, '_- ');

        /*
            PHP's internal strcspn implementation is
--- a/library/HTMLPurifier/AttrDef/CSS/Number.php
+++ b/library/HTMLPurifier/AttrDef/CSS/Number.php
@@ -69,7 +69,13 @@ class HTMLPurifier_AttrDef_CSS_Number extends HTMLPurifier_AttrDef
            return false;
        }

-        $left = ltrim($left, '0');
+        // Remove leading zeros until positive number or a zero stays left
+        if (ltrim($left, '0') != '') {
+            $left = ltrim($left, '0');
+        } else {
+            $left = '0';
+        }
+
        $right = rtrim($right, '0');

        if ($right === '') {
--- a/library/HTMLPurifier/AttrDef/HTML/Bool.php
+++ b/library/HTMLPurifier/AttrDef/HTML/Bool.php
@@ -7,7 +7,7 @@ class HTMLPurifier_AttrDef_HTML_Bool extends HTMLPurifier_AttrDef
 {

    /**
-     * @type bool
+     * @type string
     */
    protected $name;

@@ -17,7 +17,7 @@ class HTMLPurifier_AttrDef_HTML_Bool extends HTMLPurifier_AttrDef
    public $minimized = true;

    /**
-     * @param bool $name
+     * @param bool|string $name
     */
    public function __construct($name = false)
    {
--- a/library/HTMLPurifier/AttrDef/HTML/ContentEditable.php
+++ b/library/HTMLPurifier/AttrDef/HTML/ContentEditable.php
@@ -0,0 +1,16 @@
+<?php
+
+class HTMLPurifier_AttrDef_HTML_ContentEditable extends HTMLPurifier_AttrDef
+{
+    public function validate($string, $config, $context)
+    {
+        $allowed = array('false');
+        if ($config->get('HTML.Trusted')) {
+            $allowed = array('', 'true', 'false');
+        }
+
+        $enum = new HTMLPurifier_AttrDef_Enum($allowed);
+
+        return $enum->validate($string, $config, $context);
+    }
+}
--- a/library/HTMLPurifier/AttrDef/URI/Host.php
+++ b/library/HTMLPurifier/AttrDef/URI/Host.php
@@ -106,7 +106,7 @@ class HTMLPurifier_AttrDef_URI_Host extends HTMLPurifier_AttrDef
        // If we have Net_IDNA2 support, we can support IRIs by
        // punycoding them. (This is the most portable thing to do,
        // since otherwise we have to assume browsers support
-        } elseif ($config->get('Core.EnableIDNA')) {
+        } elseif ($config->get('Core.EnableIDNA') && class_exists('Net_IDNA2')) {
            $idna = new Net_IDNA2(array('encoding' => 'utf8', 'overlong' => false, 'strict' => true));
            // we need to encode each period separately
            $parts = explode('.', $string);
--- a/library/HTMLPurifier/AttrTransform/NameSync.php
+++ b/library/HTMLPurifier/AttrTransform/NameSync.php
@@ -8,6 +8,11 @@
 class HTMLPurifier_AttrTransform_NameSync extends HTMLPurifier_AttrTransform
 {

+    /**
+     * @type HTMLPurifier_AttrDef_HTML_ID
+     */
+    public $idDef;
+
    public function __construct()
    {
        $this->idDef = new HTMLPurifier_AttrDef_HTML_ID();
--- a/library/HTMLPurifier/AttrTransform/SafeParam.php
+++ b/library/HTMLPurifier/AttrTransform/SafeParam.php
@@ -24,6 +24,11 @@ class HTMLPurifier_AttrTransform_SafeParam extends HTMLPurifier_AttrTransform
     */
    private $uri;

+    /**
+     * @type HTMLPurifier_AttrDef_Enum
+     */
+    public $wmode;
+
    public function __construct()
    {
        $this->uri = new HTMLPurifier_AttrDef_URI(true); // embedded
--- a/library/HTMLPurifier/AttrTransform/TargetBlank.php
+++ b/library/HTMLPurifier/AttrTransform/TargetBlank.php
@@ -33,7 +33,11 @@ class HTMLPurifier_AttrTransform_TargetBlank extends HTMLPurifier_AttrTransform

        // XXX Kind of inefficient
        $url = $this->parser->parse($attr['href']);
-        $scheme = $url->getSchemeObj($config, $context);
+        
+        // Ignore invalid schemes (e.g. `javascript:`)
+        if (!($scheme = $url->getSchemeObj($config, $context))) {
+            return $attr;
+        }

        if ($scheme->browsable && !$url->isBenign($config, $context)) {
            $attr['target'] = '_blank';
--- a/library/HTMLPurifier/AttrTypes.php
+++ b/library/HTMLPurifier/AttrTypes.php
@@ -41,6 +41,7 @@ class HTMLPurifier_AttrTypes
        $this->info['IAlign']   = self::makeEnum('top,middle,bottom,left,right');
        $this->info['LAlign']   = self::makeEnum('top,bottom,left,right');
        $this->info['FrameTarget'] = new HTMLPurifier_AttrDef_HTML_FrameTarget();
+        $this->info['ContentEditable'] = new HTMLPurifier_AttrDef_HTML_ContentEditable();

        // unimplemented aliases
        $this->info['ContentType'] = new HTMLPurifier_AttrDef_Text();
--- a/library/HTMLPurifier/Bootstrap.php
+++ b/library/HTMLPurifier/Bootstrap.php
@@ -79,44 +79,11 @@ class HTMLPurifier_Bootstrap
    public static function registerAutoload()
    {
        $autoload = array('HTMLPurifier_Bootstrap', 'autoload');
-        if (($funcs = spl_autoload_functions()) === false) {
+        if (spl_autoload_functions() === false) {
            spl_autoload_register($autoload);
-        } elseif (function_exists('spl_autoload_unregister')) {
-            if (version_compare(PHP_VERSION, '5.3.0', '>=')) {
-                // prepend flag exists, no need for shenanigans
-                spl_autoload_register($autoload, true, true);
-            } else {
-                $buggy  = version_compare(PHP_VERSION, '5.2.11', '<');
-                $compat = version_compare(PHP_VERSION, '5.1.2', '<=') &&
-                          version_compare(PHP_VERSION, '5.1.0', '>=');
-                foreach ($funcs as $func) {
-                    if ($buggy && is_array($func)) {
-                        // :TRICKY: There are some compatibility issues and some
-                        // places where we need to error out
-                        $reflector = new ReflectionMethod($func[0], $func[1]);
-                        if (!$reflector->isStatic()) {
-                            throw new Exception(
-                                'HTML Purifier autoloader registrar is not compatible
-                                with non-static object methods due to PHP Bug #44144;
-                                Please do not use HTMLPurifier.autoload.php (or any
-                                file that includes this file); instead, place the code:
-                                spl_autoload_register(array(\'HTMLPurifier_Bootstrap\', \'autoload\'))
-                                after your own autoloaders.'
-                            );
-                        }
-                        // Suprisingly, spl_autoload_register supports the
-                        // Class::staticMethod callback format, although call_user_func doesn't
-                        if ($compat) {
-                            $func = implode('::', $func);
-                        }
-                    }
-                    spl_autoload_unregister($func);
-                }
-                spl_autoload_register($autoload);
-                foreach ($funcs as $func) {
-                    spl_autoload_register($func);
-                }
-            }
+        } else {
+            // prepend flag exists, no need for shenanigans
+            spl_autoload_register($autoload, true, true);
        }
    }
 }
--- a/library/HTMLPurifier/CSSDefinition.php
+++ b/library/HTMLPurifier/CSSDefinition.php
@@ -13,7 +13,7 @@ class HTMLPurifier_CSSDefinition extends HTMLPurifier_Definition
     * Assoc array of attribute name to definition object.
     * @type HTMLPurifier_AttrDef[]
     */
-    public $info = array();
+    public $info = [];

    /**
     * Constructs the info array.  The meat of this class.
@@ -22,7 +22,7 @@ class HTMLPurifier_CSSDefinition extends HTMLPurifier_Definition
    protected function doSetup($config)
    {
        $this->info['text-align'] = new HTMLPurifier_AttrDef_Enum(
-            array('left', 'right', 'center', 'justify'),
+            ['left', 'right', 'center', 'justify'],
            false
        );

@@ -31,7 +31,7 @@ class HTMLPurifier_CSSDefinition extends HTMLPurifier_Definition
            $this->info['border-right-style'] =
            $this->info['border-left-style'] =
            $this->info['border-top-style'] = new HTMLPurifier_AttrDef_Enum(
-                array(
+                [
                    'none',
                    'hidden',
                    'dotted',
@@ -42,42 +42,42 @@ class HTMLPurifier_CSSDefinition extends HTMLPurifier_Definition
                    'ridge',
                    'inset',
                    'outset'
-                ),
+                ],
                false
            );

        $this->info['border-style'] = new HTMLPurifier_AttrDef_CSS_Multiple($border_style);

        $this->info['clear'] = new HTMLPurifier_AttrDef_Enum(
-            array('none', 'left', 'right', 'both'),
+            ['none', 'left', 'right', 'both'],
            false
        );
        $this->info['float'] = new HTMLPurifier_AttrDef_Enum(
-            array('none', 'left', 'right'),
+            ['none', 'left', 'right'],
            false
        );
        $this->info['font-style'] = new HTMLPurifier_AttrDef_Enum(
-            array('normal', 'italic', 'oblique'),
+            ['normal', 'italic', 'oblique'],
            false
        );
        $this->info['font-variant'] = new HTMLPurifier_AttrDef_Enum(
-            array('normal', 'small-caps'),
+            ['normal', 'small-caps'],
            false
        );

        $uri_or_none = new HTMLPurifier_AttrDef_CSS_Composite(
-            array(
-                new HTMLPurifier_AttrDef_Enum(array('none')),
+            [
+                new HTMLPurifier_AttrDef_Enum(['none']),
                new HTMLPurifier_AttrDef_CSS_URI()
-            )
+            ]
        );

        $this->info['list-style-position'] = new HTMLPurifier_AttrDef_Enum(
-            array('inside', 'outside'),
+            ['inside', 'outside'],
            false
        );
        $this->info['list-style-type'] = new HTMLPurifier_AttrDef_Enum(
-            array(
+            [
                'disc',
                'circle',
                'square',
@@ -87,7 +87,7 @@ class HTMLPurifier_CSSDefinition extends HTMLPurifier_Definition
                'lower-alpha',
                'upper-alpha',
                'none'
-            ),
+            ],
            false
        );
        $this->info['list-style-image'] = $uri_or_none;
@@ -95,30 +95,46 @@ class HTMLPurifier_CSSDefinition extends HTMLPurifier_Definition
        $this->info['list-style'] = new HTMLPurifier_AttrDef_CSS_ListStyle($config);

        $this->info['text-transform'] = new HTMLPurifier_AttrDef_Enum(
-            array('capitalize', 'uppercase', 'lowercase', 'none'),
+            ['capitalize', 'uppercase', 'lowercase', 'none'],
            false
        );
        $this->info['color'] = new HTMLPurifier_AttrDef_CSS_Color();

        $this->info['background-image'] = $uri_or_none;
        $this->info['background-repeat'] = new HTMLPurifier_AttrDef_Enum(
-            array('repeat', 'repeat-x', 'repeat-y', 'no-repeat')
+            ['repeat', 'repeat-x', 'repeat-y', 'no-repeat']
        );
        $this->info['background-attachment'] = new HTMLPurifier_AttrDef_Enum(
-            array('scroll', 'fixed')
+            ['scroll', 'fixed']
        );
        $this->info['background-position'] = new HTMLPurifier_AttrDef_CSS_BackgroundPosition();

+        $this->info['background-size'] = new HTMLPurifier_AttrDef_CSS_Composite(
+            [
+                new HTMLPurifier_AttrDef_Enum(
+                    [
+                        'auto',
+                        'cover',
+                        'contain',
+                        'initial',
+                        'inherit',
+                    ]
+                ),
+                new HTMLPurifier_AttrDef_CSS_Percentage(),
+                new HTMLPurifier_AttrDef_CSS_Length()
+            ]
+        );
+
        $border_color =
            $this->info['border-top-color'] =
            $this->info['border-bottom-color'] =
            $this->info['border-left-color'] =
            $this->info['border-right-color'] =
            $this->info['background-color'] = new HTMLPurifier_AttrDef_CSS_Composite(
-                array(
-                    new HTMLPurifier_AttrDef_Enum(array('transparent')),
+                [
+                    new HTMLPurifier_AttrDef_Enum(['transparent']),
                    new HTMLPurifier_AttrDef_CSS_Color()
-                )
+                ]
            );

        $this->info['background'] = new HTMLPurifier_AttrDef_CSS_Background($config);
@@ -130,32 +146,32 @@ class HTMLPurifier_CSSDefinition extends HTMLPurifier_Definition
            $this->info['border-bottom-width'] =
            $this->info['border-left-width'] =
            $this->info['border-right-width'] = new HTMLPurifier_AttrDef_CSS_Composite(
-                array(
-                    new HTMLPurifier_AttrDef_Enum(array('thin', 'medium', 'thick')),
+                [
+                    new HTMLPurifier_AttrDef_Enum(['thin', 'medium', 'thick']),
                    new HTMLPurifier_AttrDef_CSS_Length('0') //disallow negative
-                )
+                ]
            );

        $this->info['border-width'] = new HTMLPurifier_AttrDef_CSS_Multiple($border_width);

        $this->info['letter-spacing'] = new HTMLPurifier_AttrDef_CSS_Composite(
-            array(
-                new HTMLPurifier_AttrDef_Enum(array('normal')),
+            [
+                new HTMLPurifier_AttrDef_Enum(['normal']),
                new HTMLPurifier_AttrDef_CSS_Length()
-            )
+            ]
        );

        $this->info['word-spacing'] = new HTMLPurifier_AttrDef_CSS_Composite(
-            array(
-                new HTMLPurifier_AttrDef_Enum(array('normal')),
+            [
+                new HTMLPurifier_AttrDef_Enum(['normal']),
                new HTMLPurifier_AttrDef_CSS_Length()
-            )
+            ]
        );

        $this->info['font-size'] = new HTMLPurifier_AttrDef_CSS_Composite(
-            array(
+            [
                new HTMLPurifier_AttrDef_Enum(
-                    array(
+                    [
                        'xx-small',
                        'x-small',
                        'small',
@@ -165,20 +181,20 @@ class HTMLPurifier_CSSDefinition extends HTMLPurifier_Definition
                        'xx-large',
                        'larger',
                        'smaller'
-                    )
+                    ]
                ),
                new HTMLPurifier_AttrDef_CSS_Percentage(),
                new HTMLPurifier_AttrDef_CSS_Length()
-            )
+            ]
        );

        $this->info['line-height'] = new HTMLPurifier_AttrDef_CSS_Composite(
-            array(
-                new HTMLPurifier_AttrDef_Enum(array('normal')),
+            [
+                new HTMLPurifier_AttrDef_Enum(['normal']),
                new HTMLPurifier_AttrDef_CSS_Number(true), // no negatives
                new HTMLPurifier_AttrDef_CSS_Length('0'),
                new HTMLPurifier_AttrDef_CSS_Percentage(true)
-            )
+            ]
        );

        $margin =
@@ -186,11 +202,11 @@ class HTMLPurifier_CSSDefinition extends HTMLPurifier_Definition
            $this->info['margin-bottom'] =
            $this->info['margin-left'] =
            $this->info['margin-right'] = new HTMLPurifier_AttrDef_CSS_Composite(
-                array(
+                [
                    new HTMLPurifier_AttrDef_CSS_Length(),
                    new HTMLPurifier_AttrDef_CSS_Percentage(),
-                    new HTMLPurifier_AttrDef_Enum(array('auto'))
-                )
+                    new HTMLPurifier_AttrDef_Enum(['auto'])
+                ]
            );

        $this->info['margin'] = new HTMLPurifier_AttrDef_CSS_Multiple($margin);
@@ -201,41 +217,41 @@ class HTMLPurifier_CSSDefinition extends HTMLPurifier_Definition
            $this->info['padding-bottom'] =
            $this->info['padding-left'] =
            $this->info['padding-right'] = new HTMLPurifier_AttrDef_CSS_Composite(
-                array(
+                [
                    new HTMLPurifier_AttrDef_CSS_Length('0'),
                    new HTMLPurifier_AttrDef_CSS_Percentage(true)
-                )
+                ]
            );

        $this->info['padding'] = new HTMLPurifier_AttrDef_CSS_Multiple($padding);

        $this->info['text-indent'] = new HTMLPurifier_AttrDef_CSS_Composite(
-            array(
+            [
                new HTMLPurifier_AttrDef_CSS_Length(),
                new HTMLPurifier_AttrDef_CSS_Percentage()
-            )
+            ]
        );

        $trusted_wh = new HTMLPurifier_AttrDef_CSS_Composite(
-            array(
+            [
                new HTMLPurifier_AttrDef_CSS_Length('0'),
                new HTMLPurifier_AttrDef_CSS_Percentage(true),
-                new HTMLPurifier_AttrDef_Enum(array('auto', 'initial', 'inherit'))
-            )
+                new HTMLPurifier_AttrDef_Enum(['auto', 'initial', 'inherit'])
+            ]
        );
        $trusted_min_wh = new HTMLPurifier_AttrDef_CSS_Composite(
-            array(
+            [
                new HTMLPurifier_AttrDef_CSS_Length('0'),
                new HTMLPurifier_AttrDef_CSS_Percentage(true),
-                new HTMLPurifier_AttrDef_Enum(array('initial', 'inherit'))
-            )
+                new HTMLPurifier_AttrDef_Enum(['initial', 'inherit'])
+            ]
        );
        $trusted_max_wh = new HTMLPurifier_AttrDef_CSS_Composite(
-            array(
+            [
                new HTMLPurifier_AttrDef_CSS_Length('0'),
                new HTMLPurifier_AttrDef_CSS_Percentage(true),
-                new HTMLPurifier_AttrDef_Enum(array('none', 'initial', 'inherit'))
-            )
+                new HTMLPurifier_AttrDef_Enum(['none', 'initial', 'inherit'])
+            ]
        );
        $max = $config->get('CSS.MaxImgLength');

@@ -247,10 +263,10 @@ class HTMLPurifier_CSSDefinition extends HTMLPurifier_Definition
                    'img',
                    // For img tags:
                    new HTMLPurifier_AttrDef_CSS_Composite(
-                        array(
+                        [
                            new HTMLPurifier_AttrDef_CSS_Length('0', $max),
-                            new HTMLPurifier_AttrDef_Enum(array('auto'))
-                        )
+                            new HTMLPurifier_AttrDef_Enum(['auto'])
+                        ]
                    ),
                    // For everyone else:
                    $trusted_wh
@@ -263,10 +279,10 @@ class HTMLPurifier_CSSDefinition extends HTMLPurifier_Definition
                    'img',
                    // For img tags:
                    new HTMLPurifier_AttrDef_CSS_Composite(
-                        array(
+                        [
                            new HTMLPurifier_AttrDef_CSS_Length('0', $max),
-                            new HTMLPurifier_AttrDef_Enum(array('initial', 'inherit'))
-                        )
+                            new HTMLPurifier_AttrDef_Enum(['initial', 'inherit'])
+                        ]
                    ),
                    // For everyone else:
                    $trusted_min_wh
@@ -279,22 +295,39 @@ class HTMLPurifier_CSSDefinition extends HTMLPurifier_Definition
                    'img',
                    // For img tags:
                    new HTMLPurifier_AttrDef_CSS_Composite(
-                        array(
+                        [
                            new HTMLPurifier_AttrDef_CSS_Length('0', $max),
-                            new HTMLPurifier_AttrDef_Enum(array('none', 'initial', 'inherit'))
-                        )
+                            new HTMLPurifier_AttrDef_Enum(['none', 'initial', 'inherit'])
+                        ]
                    ),
                    // For everyone else:
                    $trusted_max_wh
                );

+        // text-decoration and related shorthands
        $this->info['text-decoration'] = new HTMLPurifier_AttrDef_CSS_TextDecoration();

+        $this->info['text-decoration-line'] = new HTMLPurifier_AttrDef_Enum(
+            ['none', 'underline', 'overline', 'line-through', 'initial', 'inherit']
+        );
+
+        $this->info['text-decoration-style'] = new HTMLPurifier_AttrDef_Enum(
+            ['solid', 'double', 'dotted', 'dashed', 'wavy', 'initial', 'inherit']
+        );
+
+        $this->info['text-decoration-color'] = new HTMLPurifier_AttrDef_CSS_Color();
+
+        $this->info['text-decoration-thickness'] = new HTMLPurifier_AttrDef_CSS_Composite([
+            new HTMLPurifier_AttrDef_CSS_Length(),
+            new HTMLPurifier_AttrDef_CSS_Percentage(),
+            new HTMLPurifier_AttrDef_Enum(['auto', 'from-font', 'initial', 'inherit'])
+        ]);
+
        $this->info['font-family'] = new HTMLPurifier_AttrDef_CSS_FontFamily();

        // this could use specialized code
        $this->info['font-weight'] = new HTMLPurifier_AttrDef_Enum(
-            array(
+            [
                'normal',
                'bold',
                'bolder',
@@ -308,7 +341,7 @@ class HTMLPurifier_CSSDefinition extends HTMLPurifier_Definition
                '700',
                '800',
                '900'
-            ),
+            ],
            false
        );

@@ -324,21 +357,21 @@ class HTMLPurifier_CSSDefinition extends HTMLPurifier_Definition
        $this->info['border-right'] = new HTMLPurifier_AttrDef_CSS_Border($config);

        $this->info['border-collapse'] = new HTMLPurifier_AttrDef_Enum(
-            array('collapse', 'separate')
+            ['collapse', 'separate']
        );

        $this->info['caption-side'] = new HTMLPurifier_AttrDef_Enum(
-            array('top', 'bottom')
+            ['top', 'bottom']
        );

        $this->info['table-layout'] = new HTMLPurifier_AttrDef_Enum(
-            array('auto', 'fixed')
+            ['auto', 'fixed']
        );

        $this->info['vertical-align'] = new HTMLPurifier_AttrDef_CSS_Composite(
-            array(
+            [
                new HTMLPurifier_AttrDef_Enum(
-                    array(
+                    [
                        'baseline',
                        'sub',
                        'super',
@@ -347,11 +380,11 @@ class HTMLPurifier_CSSDefinition extends HTMLPurifier_Definition
                        'middle',
                        'bottom',
                        'text-bottom'
-                    )
+                    ]
                ),
                new HTMLPurifier_AttrDef_CSS_Length(),
                new HTMLPurifier_AttrDef_CSS_Percentage()
-            )
+            ]
        );

        $this->info['border-spacing'] = new HTMLPurifier_AttrDef_CSS_Multiple(new HTMLPurifier_AttrDef_CSS_Length(), 2);
@@ -359,7 +392,7 @@ class HTMLPurifier_CSSDefinition extends HTMLPurifier_Definition
        // These CSS properties don't work on many browsers, but we live
        // in THE FUTURE!
        $this->info['white-space'] = new HTMLPurifier_AttrDef_Enum(
-            array('nowrap', 'normal', 'pre', 'pre-wrap', 'pre-line')
+            ['nowrap', 'normal', 'pre', 'pre-wrap', 'pre-line']
        );

        if ($config->get('CSS.Proprietary')) {
@@ -406,21 +439,21 @@ class HTMLPurifier_CSSDefinition extends HTMLPurifier_Definition
        // more CSS3
        $this->info['page-break-after'] =
        $this->info['page-break-before'] = new HTMLPurifier_AttrDef_Enum(
-            array(
+            [
                'auto',
                'always',
                'avoid',
                'left',
                'right'
-            )
+            ]
        );
-        $this->info['page-break-inside'] = new HTMLPurifier_AttrDef_Enum(array('auto', 'avoid'));
+        $this->info['page-break-inside'] = new HTMLPurifier_AttrDef_Enum(['auto', 'avoid']);

        $border_radius = new HTMLPurifier_AttrDef_CSS_Composite(
-            array(
+            [
                new HTMLPurifier_AttrDef_CSS_Percentage(true), // disallow negative
                new HTMLPurifier_AttrDef_CSS_Length('0') // disallow negative
-            ));
+            ]);

        $this->info['border-top-left-radius'] =
        $this->info['border-top-right-radius'] =
@@ -437,7 +470,7 @@ class HTMLPurifier_CSSDefinition extends HTMLPurifier_Definition
    protected function doSetupTricky($config)
    {
        $this->info['display'] = new HTMLPurifier_AttrDef_Enum(
-            array(
+            [
                'inline',
                'block',
                'list-item',
@@ -456,12 +489,12 @@ class HTMLPurifier_CSSDefinition extends HTMLPurifier_Definition
                'table-cell',
                'table-caption',
                'none'
-            )
+            ]
        );
        $this->info['visibility'] = new HTMLPurifier_AttrDef_Enum(
-            array('visible', 'hidden', 'collapse')
+            ['visible', 'hidden', 'collapse']
        );
-        $this->info['overflow'] = new HTMLPurifier_AttrDef_Enum(array('visible', 'hidden', 'auto', 'scroll'));
+        $this->info['overflow'] = new HTMLPurifier_AttrDef_Enum(['visible', 'hidden', 'auto', 'scroll']);
        $this->info['opacity'] = new HTMLPurifier_AttrDef_CSS_AlphaValue();
    }

@@ -471,23 +504,23 @@ class HTMLPurifier_CSSDefinition extends HTMLPurifier_Definition
    protected function doSetupTrusted($config)
    {
        $this->info['position'] = new HTMLPurifier_AttrDef_Enum(
-            array('static', 'relative', 'absolute', 'fixed')
+            ['static', 'relative', 'absolute', 'fixed']
        );
        $this->info['top'] =
        $this->info['left'] =
        $this->info['right'] =
        $this->info['bottom'] = new HTMLPurifier_AttrDef_CSS_Composite(
-            array(
+            [
                new HTMLPurifier_AttrDef_CSS_Length(),
                new HTMLPurifier_AttrDef_CSS_Percentage(),
-                new HTMLPurifier_AttrDef_Enum(array('auto')),
-            )
+                new HTMLPurifier_AttrDef_Enum(['auto']),
+            ]
        );
        $this->info['z-index'] = new HTMLPurifier_AttrDef_CSS_Composite(
-            array(
+            [
                new HTMLPurifier_AttrDef_Integer(),
-                new HTMLPurifier_AttrDef_Enum(array('auto')),
-            )
+                new HTMLPurifier_AttrDef_Enum(['auto']),
+            ]
        );
    }

--- a/library/HTMLPurifier/ChildDef/Custom.php
+++ b/library/HTMLPurifier/ChildDef/Custom.php
@@ -45,7 +45,7 @@ class HTMLPurifier_ChildDef_Custom extends HTMLPurifier_ChildDef
    protected function _compileRegex()
    {
        $raw = str_replace(' ', '', $this->dtd_regex);
-        if ($raw{0} != '(') {
+        if ($raw[0] != '(') {
            $raw = "($raw)";
        }
        $el = '[#a-zA-Z0-9_.-]+';
--- a/library/HTMLPurifier/ChildDef/List.php
+++ b/library/HTMLPurifier/ChildDef/List.php
@@ -22,6 +22,8 @@ class HTMLPurifier_ChildDef_List extends HTMLPurifier_ChildDef
    // XXX: This whole business with 'wrap' is all a bit unsatisfactory
    public $elements = array('li' => true, 'ul' => true, 'ol' => true);

+    public $whitespace;
+
    /**
     * @param array $children
     * @param HTMLPurifier_Config $config
--- a/library/HTMLPurifier/ChildDef/Table.php
+++ b/library/HTMLPurifier/ChildDef/Table.php
@@ -164,7 +164,7 @@ class HTMLPurifier_ChildDef_Table extends HTMLPurifier_ChildDef
            }
        }

-        if (empty($content)) {
+        if (empty($content) && $thead === false && $tfoot === false) {
            return false;
        }

--- a/library/HTMLPurifier/Config.php
+++ b/library/HTMLPurifier/Config.php
@@ -21,7 +21,7 @@ class HTMLPurifier_Config
     * HTML Purifier's version
     * @type string
     */
-    public $version = '4.11.0';
+    public $version = '4.17.0';

    /**
     * Whether or not to automatically finalize
@@ -408,7 +408,7 @@ class HTMLPurifier_Config
     *             maybeGetRawHTMLDefinition, which is more explicitly
     *             named, instead.
     *
-     * @return HTMLPurifier_HTMLDefinition
+     * @return HTMLPurifier_HTMLDefinition|null
     */
    public function getHTMLDefinition($raw = false, $optimized = false)
    {
@@ -427,7 +427,7 @@ class HTMLPurifier_Config
     *             maybeGetRawCSSDefinition, which is more explicitly
     *             named, instead.
     *
-     * @return HTMLPurifier_CSSDefinition
+     * @return HTMLPurifier_CSSDefinition|null
     */
    public function getCSSDefinition($raw = false, $optimized = false)
    {
@@ -446,7 +446,7 @@ class HTMLPurifier_Config
     *             maybeGetRawURIDefinition, which is more explicitly
     *             named, instead.
     *
-     * @return HTMLPurifier_URIDefinition
+     * @return HTMLPurifier_URIDefinition|null
     */
    public function getURIDefinition($raw = false, $optimized = false)
    {
@@ -468,7 +468,7 @@ class HTMLPurifier_Config
     *        maybe semantics is the "right thing to do."
     *
     * @throws HTMLPurifier_Exception
-     * @return HTMLPurifier_Definition
+     * @return HTMLPurifier_Definition|null
     */
    public function getDefinition($type, $raw = false, $optimized = false)
    {
@@ -647,7 +647,7 @@ class HTMLPurifier_Config
    }

    /**
-     * @return HTMLPurifier_HTMLDefinition
+     * @return HTMLPurifier_HTMLDefinition|null
     */
    public function maybeGetRawHTMLDefinition()
    {
@@ -655,7 +655,7 @@ class HTMLPurifier_Config
    }
    
    /**
-     * @return HTMLPurifier_CSSDefinition
+     * @return HTMLPurifier_CSSDefinition|null
     */
    public function maybeGetRawCSSDefinition()
    {
@@ -663,7 +663,7 @@ class HTMLPurifier_Config
    }
    
    /**
-     * @return HTMLPurifier_URIDefinition
+     * @return HTMLPurifier_URIDefinition|null
     */
    public function maybeGetRawURIDefinition()
    {
@@ -803,7 +803,7 @@ class HTMLPurifier_Config
        if ($index !== false) {
            $array = (isset($array[$index]) && is_array($array[$index])) ? $array[$index] : array();
        }
-        $mq = $mq_fix && function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
+        $mq = $mq_fix && version_compare(PHP_VERSION, '7.4.0', '<') && function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();

        $allowed = HTMLPurifier_Config::getAllowedDirectivesForForm($allowed, $schema);
        $ret = array();
--- a/library/HTMLPurifier/ConfigSchema/schema.ser
+++ b/library/HTMLPurifier/ConfigSchema/schema.ser
--- a/library/HTMLPurifier/ConfigSchema/schema/HTML.Forms.txt
+++ b/library/HTMLPurifier/ConfigSchema/schema/HTML.Forms.txt
@@ -0,0 +1,11 @@
+HTML.Forms
+TYPE: bool
+VERSION: 4.13.0
+DEFAULT: false
+--DESCRIPTION--
+<p>
+    Whether or not to permit form elements in the user input, regardless of
+    %HTML.Trusted value. Please be very careful when using this functionality, as
+    enabling forms in untrusted documents may allow for phishing attacks.
+</p>
+--# vim: et sw=4 sts=4
--- a/library/HTMLPurifier/DefinitionCache/Serializer.php
+++ b/library/HTMLPurifier/DefinitionCache/Serializer.php
@@ -287,13 +287,14 @@ class HTMLPurifier_DefinitionCache_Serializer extends HTMLPurifier_DefinitionCac
            } elseif (filegroup($dir) === posix_getgid()) {
                $chmod = $chmod | 0070;
            } else {
-                // PHP's probably running as nobody, so we'll
-                // need to give global permissions
-                $chmod = $chmod | 0777;
+              // PHP's probably running as nobody, it is
+              // not obvious how to fix this (777 is probably
+              // bad if you are multi-user), let the user figure it out
+                $chmod = null;
            }
            trigger_error(
-                'Directory ' . $dir . ' not writable, ' .
-                'please chmod to ' . decoct($chmod),
+                'Directory ' . $dir . ' not writable. ' .
+                ($chmod === null ? '' : 'Please chmod to ' . decoct($chmod)),
                E_USER_WARNING
            );
        } else {
--- a/library/HTMLPurifier/DefinitionCacheFactory.php
+++ b/library/HTMLPurifier/DefinitionCacheFactory.php
@@ -71,7 +71,7 @@ class HTMLPurifier_DefinitionCacheFactory
            return $this->caches[$method][$type];
        }
        if (isset($this->implementations[$method]) &&
-            class_exists($class = $this->implementations[$method], false)) {
+            class_exists($class = $this->implementations[$method])) {
            $cache = new $class($type);
        } else {
            if ($method != 'Serializer') {
--- a/library/HTMLPurifier/ElementDef.php
+++ b/library/HTMLPurifier/ElementDef.php
@@ -176,7 +176,7 @@ class HTMLPurifier_ElementDef

        if (!empty($def->content_model)) {
            $this->content_model =
-                str_replace("#SUPER", $this->content_model, $def->content_model);
+                str_replace("#SUPER", (string)$this->content_model, $def->content_model);
            $this->child = false;
        }
        if (!empty($def->content_model_type)) {
--- a/library/HTMLPurifier/Encoder.php
+++ b/library/HTMLPurifier/Encoder.php
@@ -159,7 +159,7 @@ class HTMLPurifier_Encoder

        $len = strlen($str);
        for ($i = 0; $i < $len; $i++) {
-            $in = ord($str{$i});
+            $in = ord($str[$i]);
            $char .= $str[$i]; // append byte to char
            if (0 == $mState) {
                // When mState is zero we expect either a US-ASCII character
@@ -398,8 +398,8 @@ class HTMLPurifier_Encoder
            // characters to their true byte-wise ASCII/UTF-8 equivalents.
            $str = strtr($str, self::testEncodingSupportsASCII($encoding));
            return $str;
-        } elseif ($encoding === 'iso-8859-1') {
-            $str = utf8_encode($str);
+        } elseif ($encoding === 'iso-8859-1' && function_exists('mb_convert_encoding')) {
+            $str = mb_convert_encoding($str, 'UTF-8', 'ISO-8859-1');
            return $str;
        }
        $bug = HTMLPurifier_Encoder::testIconvTruncateBug();
@@ -450,8 +450,8 @@ class HTMLPurifier_Encoder
            // Normal stuff
            $str = self::iconv('utf-8', $encoding . '//IGNORE', $str);
            return $str;
-        } elseif ($encoding === 'iso-8859-1') {
-            $str = utf8_decode($str);
+        } elseif ($encoding === 'iso-8859-1' && function_exists('mb_convert_encoding')) {
+            $str = mb_convert_encoding($str, 'ISO-8859-1', 'UTF-8');
            return $str;
        }
        trigger_error('Encoding not supported', E_USER_ERROR);
--- a/library/HTMLPurifier/Filter/ExtractStyleBlocks.php
+++ b/library/HTMLPurifier/Filter/ExtractStyleBlocks.php
@@ -146,175 +146,179 @@ class HTMLPurifier_Filter_ExtractStyleBlocks extends HTMLPurifier_Filter
        foreach ($this->_tidy->css as $k => $decls) {
            // $decls are all CSS declarations inside an @ selector
            $new_decls = array();
-            foreach ($decls as $selector => $style) {
-                $selector = trim($selector);
-                if ($selector === '') {
-                    continue;
-                } // should not happen
-                // Parse the selector
-                // Here is the relevant part of the CSS grammar:
-                //
-                // ruleset
-                //   : selector [ ',' S* selector ]* '{' ...
-                // selector
-                //   : simple_selector [ combinator selector | S+ [ combinator? selector ]? ]?
-                // combinator
-                //   : '+' S*
-                //   : '>' S*
-                // simple_selector
-                //   : element_name [ HASH | class | attrib | pseudo ]*
-                //   | [ HASH | class | attrib | pseudo ]+
-                // element_name
-                //   : IDENT | '*'
-                //   ;
-                // class
-                //   : '.' IDENT
-                //   ;
-                // attrib
-                //   : '[' S* IDENT S* [ [ '=' | INCLUDES | DASHMATCH ] S*
-                //     [ IDENT | STRING ] S* ]? ']'
-                //   ;
-                // pseudo
-                //   : ':' [ IDENT | FUNCTION S* [IDENT S*]? ')' ]
-                //   ;
-                //
-                // For reference, here are the relevant tokens:
-                //
-                // HASH         #{name}
-                // IDENT        {ident}
-                // INCLUDES     ==
-                // DASHMATCH    |=
-                // STRING       {string}
-                // FUNCTION     {ident}\(
-                //
-                // And the lexical scanner tokens
-                //
-                // name         {nmchar}+
-                // nmchar       [_a-z0-9-]|{nonascii}|{escape}
-                // nonascii     [\240-\377]
-                // escape       {unicode}|\\[^\r\n\f0-9a-f]
-                // unicode      \\{h}}{1,6}(\r\n|[ \t\r\n\f])?
-                // ident        -?{nmstart}{nmchar*}
-                // nmstart      [_a-z]|{nonascii}|{escape}
-                // string       {string1}|{string2}
-                // string1      \"([^\n\r\f\\"]|\\{nl}|{escape})*\"
-                // string2      \'([^\n\r\f\\"]|\\{nl}|{escape})*\'
-                //
-                // We'll implement a subset (in order to reduce attack
-                // surface); in particular:
-                //
-                //      - No Unicode support
-                //      - No escapes support
-                //      - No string support (by proxy no attrib support)
-                //      - element_name is matched against allowed
-                //        elements (some people might find this
-                //        annoying...)
-                //      - Pseudo-elements one of :first-child, :link,
-                //        :visited, :active, :hover, :focus
+            if (is_array($decls)) {
+                foreach ($decls as $selector => $style) {
+                    $selector = trim($selector);
+                    if ($selector === '') {
+                        continue;
+                    } // should not happen
+                    // Parse the selector
+                    // Here is the relevant part of the CSS grammar:
+                    //
+                    // ruleset
+                    //   : selector [ ',' S* selector ]* '{' ...
+                    // selector
+                    //   : simple_selector [ combinator selector | S+ [ combinator? selector ]? ]?
+                    // combinator
+                    //   : '+' S*
+                    //   : '>' S*
+                    // simple_selector
+                    //   : element_name [ HASH | class | attrib | pseudo ]*
+                    //   | [ HASH | class | attrib | pseudo ]+
+                    // element_name
+                    //   : IDENT | '*'
+                    //   ;
+                    // class
+                    //   : '.' IDENT
+                    //   ;
+                    // attrib
+                    //   : '[' S* IDENT S* [ [ '=' | INCLUDES | DASHMATCH ] S*
+                    //     [ IDENT | STRING ] S* ]? ']'
+                    //   ;
+                    // pseudo
+                    //   : ':' [ IDENT | FUNCTION S* [IDENT S*]? ')' ]
+                    //   ;
+                    //
+                    // For reference, here are the relevant tokens:
+                    //
+                    // HASH         #{name}
+                    // IDENT        {ident}
+                    // INCLUDES     ==
+                    // DASHMATCH    |=
+                    // STRING       {string}
+                    // FUNCTION     {ident}\(
+                    //
+                    // And the lexical scanner tokens
+                    //
+                    // name         {nmchar}+
+                    // nmchar       [_a-z0-9-]|{nonascii}|{escape}
+                    // nonascii     [\240-\377]
+                    // escape       {unicode}|\\[^\r\n\f0-9a-f]
+                    // unicode      \\{h}}{1,6}(\r\n|[ \t\r\n\f])?
+                    // ident        -?{nmstart}{nmchar*}
+                    // nmstart      [_a-z]|{nonascii}|{escape}
+                    // string       {string1}|{string2}
+                    // string1      \"([^\n\r\f\\"]|\\{nl}|{escape})*\"
+                    // string2      \'([^\n\r\f\\"]|\\{nl}|{escape})*\'
+                    //
+                    // We'll implement a subset (in order to reduce attack
+                    // surface); in particular:
+                    //
+                    //      - No Unicode support
+                    //      - No escapes support
+                    //      - No string support (by proxy no attrib support)
+                    //      - element_name is matched against allowed
+                    //        elements (some people might find this
+                    //        annoying...)
+                    //      - Pseudo-elements one of :first-child, :link,
+                    //        :visited, :active, :hover, :focus

-                // handle ruleset
-                $selectors = array_map('trim', explode(',', $selector));
-                $new_selectors = array();
-                foreach ($selectors as $sel) {
-                    // split on +, > and spaces
-                    $basic_selectors = preg_split('/\s*([+> ])\s*/', $sel, -1, PREG_SPLIT_DELIM_CAPTURE);
-                    // even indices are chunks, odd indices are
-                    // delimiters
-                    $nsel = null;
-                    $delim = null; // guaranteed to be non-null after
-                    // two loop iterations
-                    for ($i = 0, $c = count($basic_selectors); $i < $c; $i++) {
-                        $x = $basic_selectors[$i];
-                        if ($i % 2) {
-                            // delimiter
-                            if ($x === ' ') {
-                                $delim = ' ';
-                            } else {
-                                $delim = ' ' . $x . ' ';
-                            }
-                        } else {
-                            // simple selector
-                            $components = preg_split('/([#.:])/', $x, -1, PREG_SPLIT_DELIM_CAPTURE);
-                            $sdelim = null;
-                            $nx = null;
-                            for ($j = 0, $cc = count($components); $j < $cc; $j++) {
-                                $y = $components[$j];
-                                if ($j === 0) {
-                                    if ($y === '*' || isset($html_definition->info[$y = strtolower($y)])) {
-                                        $nx = $y;
-                                    } else {
-                                        // $nx stays null; this matters
-                                        // if we don't manage to find
-                                        // any valid selector content,
-                                        // in which case we ignore the
-                                        // outer $delim
-                                    }
-                                } elseif ($j % 2) {
-                                    // set delimiter
-                                    $sdelim = $y;
+                    // handle ruleset
+                    $selectors = array_map('trim', explode(',', $selector));
+                    $new_selectors = array();
+                    foreach ($selectors as $sel) {
+                        // split on +, > and spaces
+                        $basic_selectors = preg_split('/\s*([+> ])\s*/', $sel, -1, PREG_SPLIT_DELIM_CAPTURE);
+                        // even indices are chunks, odd indices are
+                        // delimiters
+                        $nsel = null;
+                        $delim = null; // guaranteed to be non-null after
+                        // two loop iterations
+                        for ($i = 0, $c = count($basic_selectors); $i < $c; $i++) {
+                            $x = $basic_selectors[$i];
+                            if ($i % 2) {
+                                // delimiter
+                                if ($x === ' ') {
+                                    $delim = ' ';
                                } else {
-                                    $attrdef = null;
-                                    if ($sdelim === '#') {
-                                        $attrdef = $this->_id_attrdef;
-                                    } elseif ($sdelim === '.') {
-                                        $attrdef = $this->_class_attrdef;
-                                    } elseif ($sdelim === ':') {
-                                        $attrdef = $this->_enum_attrdef;
-                                    } else {
-                                        throw new HTMLPurifier_Exception('broken invariant sdelim and preg_split');
-                                    }
-                                    $r = $attrdef->validate($y, $config, $context);
-                                    if ($r !== false) {
-                                        if ($r !== true) {
-                                            $y = $r;
-                                        }
-                                        if ($nx === null) {
-                                            $nx = '';
-                                        }
-                                        $nx .= $sdelim . $y;
-                                    }
-                                }
-                            }
-                            if ($nx !== null) {
-                                if ($nsel === null) {
-                                    $nsel = $nx;
-                                } else {
-                                    $nsel .= $delim . $nx;
+                                    $delim = ' ' . $x . ' ';
                                }
                            } else {
-                                // delimiters to the left of invalid
-                                // basic selector ignored
+                                // simple selector
+                                $components = preg_split('/([#.:])/', $x, -1, PREG_SPLIT_DELIM_CAPTURE);
+                                $sdelim = null;
+                                $nx = null;
+                                for ($j = 0, $cc = count($components); $j < $cc; $j++) {
+                                    $y = $components[$j];
+                                    if ($j === 0) {
+                                        if ($y === '*' || isset($html_definition->info[$y = strtolower($y)])) {
+                                            $nx = $y;
+                                        } else {
+                                            // $nx stays null; this matters
+                                            // if we don't manage to find
+                                            // any valid selector content,
+                                            // in which case we ignore the
+                                            // outer $delim
+                                        }
+                                    } elseif ($j % 2) {
+                                        // set delimiter
+                                        $sdelim = $y;
+                                    } else {
+                                        $attrdef = null;
+                                        if ($sdelim === '#') {
+                                            $attrdef = $this->_id_attrdef;
+                                        } elseif ($sdelim === '.') {
+                                            $attrdef = $this->_class_attrdef;
+                                        } elseif ($sdelim === ':') {
+                                            $attrdef = $this->_enum_attrdef;
+                                        } else {
+                                            throw new HTMLPurifier_Exception('broken invariant sdelim and preg_split');
+                                        }
+                                        $r = $attrdef->validate($y, $config, $context);
+                                        if ($r !== false) {
+                                            if ($r !== true) {
+                                                $y = $r;
+                                            }
+                                            if ($nx === null) {
+                                                $nx = '';
+                                            }
+                                            $nx .= $sdelim . $y;
+                                        }
+                                    }
+                                }
+                                if ($nx !== null) {
+                                    if ($nsel === null) {
+                                        $nsel = $nx;
+                                    } else {
+                                        $nsel .= $delim . $nx;
+                                    }
+                                } else {
+                                    // delimiters to the left of invalid
+                                    // basic selector ignored
+                                }
+                            }
+                        }
+                        if ($nsel !== null) {
+                            if (!empty($scopes)) {
+                                foreach ($scopes as $s) {
+                                    $new_selectors[] = "$s $nsel";
+                                }
+                            } else {
+                                $new_selectors[] = $nsel;
                            }
                        }
                    }
-                    if ($nsel !== null) {
-                        if (!empty($scopes)) {
-                            foreach ($scopes as $s) {
-                                $new_selectors[] = "$s $nsel";
-                            }
-                        } else {
-                            $new_selectors[] = $nsel;
-                        }
-                    }
-                }
-                if (empty($new_selectors)) {
-                    continue;
-                }
-                $selector = implode(', ', $new_selectors);
-                foreach ($style as $name => $value) {
-                    if (!isset($css_definition->info[$name])) {
-                        unset($style[$name]);
+                    if (empty($new_selectors)) {
                        continue;
                    }
-                    $def = $css_definition->info[$name];
-                    $ret = $def->validate($value, $config, $context);
-                    if ($ret === false) {
-                        unset($style[$name]);
-                    } else {
-                        $style[$name] = $ret;
+                    $selector = implode(', ', $new_selectors);
+                    foreach ($style as $name => $value) {
+                        if (!isset($css_definition->info[$name])) {
+                            unset($style[$name]);
+                            continue;
+                        }
+                        $def = $css_definition->info[$name];
+                        $ret = $def->validate($value, $config, $context);
+                        if ($ret === false) {
+                            unset($style[$name]);
+                        } else {
+                            $style[$name] = $ret;
+                        }
                    }
+                    $new_decls[$selector] = $style;
                }
-                $new_decls[$selector] = $style;
+            } else {
+                continue;
            }
            $new_css[$k] = $new_decls;
        }
--- a/library/HTMLPurifier/HTMLModule.php
+++ b/library/HTMLPurifier/HTMLModule.php
@@ -132,9 +132,9 @@ class HTMLPurifier_HTMLModule
     * @param string $element Name of element to add
     * @param string|bool $type What content set should element be registered to?
     *              Set as false to skip this step.
-     * @param string $contents Allowed children in form of:
+     * @param string|HTMLPurifier_ChildDef $contents Allowed children in form of:
     *              "$content_model_type: $content_model"
-     * @param array $attr_includes What attribute collections to register to
+     * @param array|string $attr_includes What attribute collections to register to
     *              element?
     * @param array $attr What unique attributes does the element define?
     * @see HTMLPurifier_ElementDef:: for in-depth descriptions of these parameters.
@@ -257,8 +257,9 @@ class HTMLPurifier_HTMLModule
     */
    public function makeLookup($list)
    {
+        $args = func_get_args();
        if (is_string($list)) {
-            $list = func_get_args();
+            $list = $args;
        }
        $ret = array();
        foreach ($list as $value) {
--- a/library/HTMLPurifier/HTMLModule/CommonAttributes.php
+++ b/library/HTMLPurifier/HTMLModule/CommonAttributes.php
@@ -17,6 +17,7 @@ class HTMLPurifier_HTMLModule_CommonAttributes extends HTMLPurifier_HTMLModule
            'class' => 'Class',
            'id' => 'ID',
            'title' => 'CDATA',
+            'contenteditable' => 'ContentEditable',
        ),
        'Lang' => array(),
        'I18N' => array(
--- a/library/HTMLPurifier/HTMLModule/Forms.php
+++ b/library/HTMLPurifier/HTMLModule/Forms.php
@@ -28,6 +28,10 @@ class HTMLPurifier_HTMLModule_Forms extends HTMLPurifier_HTMLModule
     */
    public function setup($config)
    {
+        if ($config->get('HTML.Forms')) {
+            $this->safe = true;
+        }
+
        $form = $this->addElement(
            'form',
            'Form',
--- a/library/HTMLPurifier/HTMLModule/Tidy.php
+++ b/library/HTMLPurifier/HTMLModule/Tidy.php
@@ -146,10 +146,7 @@ class HTMLPurifier_HTMLModule_Tidy extends HTMLPurifier_HTMLModule
                        $type = "info_$type";
                        $e = $this;
                    }
-                    // PHP does some weird parsing when I do
-                    // $e->$type[$attr], so I have to assign a ref.
-                    $f =& $e->$type;
-                    $f[$attr] = $fix;
+                    $e->{$type}[$attr] = $fix;
                    break;
                case 'tag_transform':
                    $this->info_tag_transform[$params['element']] = $fix;
@@ -224,6 +221,7 @@ class HTMLPurifier_HTMLModule_Tidy extends HTMLPurifier_HTMLModule
     */
    public function makeFixes()
    {
+        return array();
    }
 }

--- a/library/HTMLPurifier/HTMLModule/Tidy/XHTMLAndHTML4.php
+++ b/library/HTMLPurifier/HTMLModule/Tidy/XHTMLAndHTML4.php
@@ -96,6 +96,7 @@ class HTMLPurifier_HTMLModule_Tidy_XHTMLAndHTML4 extends HTMLPurifier_HTMLModule

        // @bgcolor for table, tr, td, th ---------------------------------
        $r['table@bgcolor'] =
+        $r['tr@bgcolor'] =
        $r['td@bgcolor'] =
        $r['th@bgcolor'] =
            new HTMLPurifier_AttrTransform_BgColor();
@@ -167,9 +168,11 @@ class HTMLPurifier_HTMLModule_Tidy_XHTMLAndHTML4 extends HTMLPurifier_HTMLModule
        // @vspace for img ------------------------------------------------
        $r['img@vspace'] = new HTMLPurifier_AttrTransform_ImgSpace('vspace');

-        // @width for hr, td, th ------------------------------------------
+        // @width for table, hr, td, th, col ------------------------------------------
+        $r['table@width'] =
        $r['td@width'] =
        $r['th@width'] =
+        $r['col@width'] =
        $r['hr@width'] = new HTMLPurifier_AttrTransform_Length('width');

        return $r;
--- a/library/HTMLPurifier/Injector/Linkify.php
+++ b/library/HTMLPurifier/Injector/Linkify.php
@@ -40,6 +40,9 @@ class HTMLPurifier_Injector_Linkify extends HTMLPurifier_Injector
            '/\\b((?:[a-z][\\w\\-]+:(?:\\/{1,3}|[a-z0-9%])|www\\d{0,3}[.]|[a-z0-9.\\-]+[.][a-z]{2,4}\\/)(?:[^\\s()<>]|\\((?:[^\\s()<>]|(?:\\([^\\s()<>]+\\)))*\\))+(?:\\((?:[^\\s()<>]|(?:\\([^\\s()<>]+\\)))*\\)|[^\\s`!()\\[\\]{};:\'".,<>?\x{00ab}\x{00bb}\x{201c}\x{201d}\x{2018}\x{2019}]))/iu',
            $token->data, -1, PREG_SPLIT_DELIM_CAPTURE);

+        if ($bits === false) {
+            return;
+        }

        $token = array();

--- a/library/HTMLPurifier/Injector/RemoveSpansWithoutAttributes.php
+++ b/library/HTMLPurifier/Injector/RemoveSpansWithoutAttributes.php
@@ -31,6 +31,16 @@ class HTMLPurifier_Injector_RemoveSpansWithoutAttributes extends HTMLPurifier_In
     */
    private $context;

+    /**
+     * @type SplObjectStorage
+     */
+    private $markForDeletion;
+
+    public function __construct()
+    {
+        $this->markForDeletion = new SplObjectStorage();
+    }
+
    public function prepare($config, $context)
    {
        $this->attrValidator = new HTMLPurifier_AttrValidator();
@@ -64,7 +74,7 @@ class HTMLPurifier_Injector_RemoveSpansWithoutAttributes extends HTMLPurifier_In

        if ($current instanceof HTMLPurifier_Token_End && $current->name === 'span') {
            // Mark closing span tag for deletion
-            $current->markForDeletion = true;
+            $this->markForDeletion->attach($current);
            // Delete open span tag
            $token = false;
        }
@@ -75,7 +85,8 @@ class HTMLPurifier_Injector_RemoveSpansWithoutAttributes extends HTMLPurifier_In
     */
    public function handleEnd(&$token)
    {
-        if ($token->markForDeletion) {
+        if ($this->markForDeletion->contains($token)) {
+            $this->markForDeletion->detach($token);
            $token = false;
        }
    }
--- a/library/HTMLPurifier/Language/classes/en-x-test.php
+++ b/library/HTMLPurifier/Language/classes/en-x-test.php
@@ -1,9 +0,0 @@
-<?php
-
-// private class for unit testing
-
-class HTMLPurifier_Language_en_x_test extends HTMLPurifier_Language
-{
-}
-
-// vim: et sw=4 sts=4
--- a/library/HTMLPurifier/Language/messages/en-x-test.php
+++ b/library/HTMLPurifier/Language/messages/en-x-test.php
@@ -1,13 +0,0 @@
-<?php
-
-// private language message file for unit testing purposes
-
-$fallback = 'en';
-
-$messages = array(
-    'HTMLPurifier' => 'HTML Purifier X'
-);
-
-$errorNames = array();
-
-// vim: et sw=4 sts=4
--- a/library/HTMLPurifier/Language/messages/en-x-testmini.php
+++ b/library/HTMLPurifier/Language/messages/en-x-testmini.php
@@ -1,14 +0,0 @@
-<?php
-
-// private language message file for unit testing purposes
-// this language file has no class associated with it
-
-$fallback = 'en';
-
-$messages = array(
-    'HTMLPurifier' => 'HTML Purifier XNone'
-);
-
-$errorNames = array();
-
-// vim: et sw=4 sts=4
--- a/library/HTMLPurifier/LanguageFactory.php
+++ b/library/HTMLPurifier/LanguageFactory.php
@@ -109,7 +109,7 @@ class HTMLPurifier_LanguageFactory
        } else {
            $class = 'HTMLPurifier_Language_' . $pcode;
            $file  = $this->dir . '/Language/classes/' . $code . '.php';
-            if (file_exists($file) || class_exists($class, false)) {
+            if (file_exists($file) || class_exists($class)) {
                $lang = new $class($config, $context);
            } else {
                // Go fallback
--- a/library/HTMLPurifier/Length.php
+++ b/library/HTMLPurifier/Length.php
@@ -78,7 +78,7 @@ class HTMLPurifier_Length
        if ($this->n === '0' && $this->unit === false) {
            return true;
        }
-        if (!ctype_lower($this->unit)) {
+        if ($this->unit === false || !ctype_lower($this->unit)) {
            $this->unit = strtolower($this->unit);
        }
        if (!isset(HTMLPurifier_Length::$allowedUnits[$this->unit])) {
--- a/library/HTMLPurifier/Lexer.php
+++ b/library/HTMLPurifier/Lexer.php
@@ -48,6 +48,11 @@ class HTMLPurifier_Lexer
     */
    public $tracksLineNumbers = false;

+    /**
+     * @type HTMLPurifier_EntityParser
+     */
+    private $_entity_parser;
+
    // -- STATIC ----------------------------------------------------------

    /**
@@ -96,7 +101,7 @@ class HTMLPurifier_Lexer
                        break;
                    }

-                    if (class_exists('DOMDocument', false) &&
+                    if (class_exists('DOMDocument') &&
                        method_exists('DOMDocument', 'loadHTML') &&
                        !extension_loaded('domxml')
                    ) {
@@ -306,8 +311,8 @@ class HTMLPurifier_Lexer
    {
        // normalize newlines to \n
        if ($config->get('Core.NormalizeNewlines')) {
-            $html = str_replace("\r\n", "\n", $html);
-            $html = str_replace("\r", "\n", $html);
+            $html = str_replace("\r\n", "\n", (string)$html);
+            $html = str_replace("\r", "\n", (string)$html);
        }

        if ($config->get('HTML.Trusted')) {
--- a/library/HTMLPurifier/Lexer/DOMLex.php
+++ b/library/HTMLPurifier/Lexer/DOMLex.php
@@ -74,7 +74,12 @@ class HTMLPurifier_Lexer_DOMLex extends HTMLPurifier_Lexer
        }

        set_error_handler(array($this, 'muteErrorHandler'));
-        $doc->loadHTML($html, $options);
+        // loadHTML() fails on PHP 5.3 when second parameter is given
+        if ($options) {
+            $doc->loadHTML($html, $options);
+        } else {
+            $doc->loadHTML($html);
+        }
        restore_error_handler();

        $body = $doc->getElementsByTagName('html')->item(0)-> // <html>
@@ -99,7 +104,6 @@ class HTMLPurifier_Lexer_DOMLex extends HTMLPurifier_Lexer
     * To iterate is human, to recurse divine - L. Peter Deutsch
     * @param DOMNode $node DOMNode to be tokenized.
     * @param HTMLPurifier_Token[] $tokens   Array-list of already tokenized tokens.
-     * @return HTMLPurifier_Token of node appended to previously passed tokens.
     */
    protected function tokenizeDOM($node, &$tokens, $config)
    {
--- a/library/HTMLPurifier/Lexer/PH5P.php
+++ b/library/HTMLPurifier/Lexer/PH5P.php
@@ -4410,7 +4410,7 @@ class HTML5TreeConstructer

        foreach ($token['attr'] as $attr) {
            if (!$el->hasAttribute($attr['name'])) {
-                $el->setAttribute($attr['name'], $attr['value']);
+                $el->setAttribute($attr['name'], (string)$attr['value']);
            }
        }

--- a/library/HTMLPurifier/Printer/ConfigForm.php
+++ b/library/HTMLPurifier/Printer/ConfigForm.php
@@ -32,6 +32,11 @@ class HTMLPurifier_Printer_ConfigForm extends HTMLPurifier_Printer
     */
    protected $compress = false;

+    /**
+     * @var HTMLPurifier_Config
+     */
+    protected $genConfig;
+
    /**
     * @param string $name Form element name for directives to be stuffed into
     * @param string $doc_url String documentation URL, will have fragment tagged on
--- a/library/HTMLPurifier/Printer/HTMLDefinition.php
+++ b/library/HTMLPurifier/Printer/HTMLDefinition.php
@@ -43,8 +43,8 @@ class HTMLPurifier_Printer_HTMLDefinition extends HTMLPurifier_Printer
        $ret .= $this->element('caption', 'Doctype');
        $ret .= $this->row('Name', $doctype->name);
        $ret .= $this->row('XML', $doctype->xml ? 'Yes' : 'No');
-        $ret .= $this->row('Default Modules', implode($doctype->modules, ', '));
-        $ret .= $this->row('Default Tidy Modules', implode($doctype->tidyModules, ', '));
+        $ret .= $this->row('Default Modules', implode(', ', $doctype->modules));
+        $ret .= $this->row('Default Tidy Modules', implode(', ', $doctype->tidyModules));
        $ret .= $this->end('table');
        return $ret;
    }
--- a/library/HTMLPurifier/PropertyListIterator.php
+++ b/library/HTMLPurifier/PropertyListIterator.php
@@ -29,6 +29,7 @@ class HTMLPurifier_PropertyListIterator extends FilterIterator
    /**
     * @return bool
     */
+    #[\ReturnTypeWillChange]
    public function accept()
    {
        $key = $this->getInnerIterator()->key();
--- a/library/HTMLPurifier/StringHash.php
+++ b/library/HTMLPurifier/StringHash.php
@@ -20,6 +20,7 @@ class HTMLPurifier_StringHash extends ArrayObject
     * @param mixed $index
     * @return mixed
     */
+    #[\ReturnTypeWillChange]
    public function offsetGet($index)
    {
        $this->accessed[$index] = true;
--- a/library/HTMLPurifier/TagTransform/Font.php
+++ b/library/HTMLPurifier/TagTransform/Font.php
@@ -75,7 +75,7 @@ class HTMLPurifier_TagTransform_Font extends HTMLPurifier_TagTransform
        if (isset($attr['size'])) {
            // normalize large numbers
            if ($attr['size'] !== '') {
-                if ($attr['size']{0} == '+' || $attr['size']{0} == '-') {
+                if ($attr['size'][0] == '+' || $attr['size'][0] == '-') {
                    $size = (int)$attr['size'];
                    if ($size < -2) {
                        $attr['size'] = '-2';
--- a/library/HTMLPurifier/URIFilter/HostBlacklist.php
+++ b/library/HTMLPurifier/URIFilter/HostBlacklist.php
@@ -35,7 +35,7 @@ class HTMLPurifier_URIFilter_HostBlacklist extends HTMLPurifier_URIFilter
    public function filter(&$uri, $config, $context)
    {
        foreach ($this->blacklist as $blacklisted_host_fragment) {
-            if (strpos($uri->host, $blacklisted_host_fragment) !== false) {
+            if ($uri->host !== null && strpos($uri->host, $blacklisted_host_fragment) !== false) {
                return false;
            }
        }
--- a/library/HTMLPurifier/URIFilter/Munge.php
+++ b/library/HTMLPurifier/URIFilter/Munge.php
@@ -100,11 +100,11 @@ class HTMLPurifier_URIFilter_Munge extends HTMLPurifier_URIFilter
        $string = $uri->toString();
        // always available
        $this->replace['%s'] = $string;
-        $this->replace['%r'] = $context->get('EmbeddedURI', true);
-        $token = $context->get('CurrentToken', true);
-        $this->replace['%n'] = $token ? $token->name : null;
-        $this->replace['%m'] = $context->get('CurrentAttr', true);
-        $this->replace['%p'] = $context->get('CurrentCSSProperty', true);
+        $this->replace['%r'] = $context->get('EmbeddedURI', true) ?: '';
+        $token = $context->get('CurrentToken', true) ?: '';
+        $this->replace['%n'] = $token ? $token->name : '';
+        $this->replace['%m'] = $context->get('CurrentAttr', true) ?: '';
+        $this->replace['%p'] = $context->get('CurrentCSSProperty', true) ?: '';
        // not always available
        if ($this->secretKey) {
            $this->replace['%t'] = hash_hmac("sha256", $string, $this->secretKey);
--- a/library/HTMLPurifier/URIScheme/tel.php
+++ b/library/HTMLPurifier/URIScheme/tel.php
@@ -33,11 +33,11 @@ class HTMLPurifier_URIScheme_tel extends HTMLPurifier_URIScheme
        $uri->host     = null;
        $uri->port     = null;

-        // Delete all non-numeric characters, non-x characters
+        // Delete all non-numeric characters, commas, and non-x characters
        // from phone number, EXCEPT for a leading plus sign.
-        $uri->path = preg_replace('/(?!^\+)[^\dx]/', '',
+        $uri->path = preg_replace('/(?!^\+)[^\dx,]/', '',
                     // Normalize e(x)tension to lower-case
-                     str_replace('X', 'x', $uri->path));
+                     str_replace('X', 'x', rawurldecode($uri->path)));

        return true;
    }
--- a/library/HTMLPurifier/UnitConverter.php
+++ b/library/HTMLPurifier/UnitConverter.php
@@ -261,7 +261,7 @@ class HTMLPurifier_UnitConverter
     */
    private function round($n, $sigfigs)
    {
-        $new_log = (int)floor(log(abs($n), 10)); // Number of digits left of decimal - 1
+        $new_log = (int)floor(log(abs((float)$n), 10)); // Number of digits left of decimal - 1
        $rp = $sigfigs - $new_log - 1; // Number of decimal places needed
        $neg = $n < 0 ? '-' : ''; // Negative sign
        if ($this->bcmath) {
@@ -276,7 +276,7 @@ class HTMLPurifier_UnitConverter
            }
            return $n;
        } else {
-            return $this->scale(round($n, $sigfigs - $new_log - 1), $rp + 1);
+            return $this->scale(round((float)$n, $sigfigs - $new_log - 1), $rp + 1);
        }
    }

@@ -300,7 +300,7 @@ class HTMLPurifier_UnitConverter
            // Now we return it, truncating the zero that was rounded off.
            return substr($precise, 0, -1) . str_repeat('0', -$scale + 1);
        }
-        return sprintf('%.' . $scale . 'f', (float)$r);
+        return number_format((float)$r, $scale, '.', '');
    }
 }

--- a/maintenance/add-vimline.php
+++ b/maintenance/add-vimline.php
@@ -34,7 +34,6 @@ foreach ($files as $file) {
        postfix_is('.svg', $file) ||
        postfix_is('.phpt', $file) ||
        postfix_is('VERSION', $file) ||
-        postfix_is('WHATSNEW', $file) ||
        postfix_is('configdoc/usage.xml', $file) ||
        postfix_is('library/HTMLPurifier.includes.php', $file) ||
        postfix_is('library/HTMLPurifier.safe-includes.php', $file) ||
--- a/package.php
+++ b/package.php
@@ -48,7 +48,6 @@ $pkg->setReleaseStability('stable');

 $pkg->addRelease();

-$pkg->setNotes(file_get_contents('WHATSNEW'));
 $pkg->setPackageType('php');

 $pkg->setPhpDep('5.0.0');
--- a/release.config.js
+++ b/release.config.js
@@ -0,0 +1,33 @@
+module.exports = {
+  debug: true,
+  branch: 'master',
+  plugins: [
+    '@semantic-release/commit-analyzer',
+    '@semantic-release/release-notes-generator',
+    [
+      '@semantic-release/changelog',
+      {
+        'changelogFile': 'NEWS'
+      }
+    ],
+    [
+      '@semantic-release/exec',
+      {
+        'prepareCmd': 'php update-for-release ${nextRelease.version}'
+      }
+    ],
+    [
+      '@semantic-release/git',
+      {
+        'assets': [
+          'VERSION',
+          'NEWS',
+          'Doxyfile',
+          ['library/**/*', '!library/standalone/**/*', '!library/HTMLPurifier.standalone.php'],
+          'configdoc/**/*',
+        ],
+      }
+    ],
+    '@semantic-release/github'
+  ],
+}
--- a/smoketests/common.php
+++ b/smoketests/common.php
@@ -2,6 +2,8 @@

 header('Content-type: text/html; charset=UTF-8');

+require_once __DIR__.'/../vendor/autoload.php';
+
 if (!isset($_GET['standalone'])) {
    require_once '../library/HTMLPurifier.auto.php';
 } else {
--- a/smoketests/extractStyleBlocks.php
+++ b/smoketests/extractStyleBlocks.php
@@ -3,23 +3,6 @@
 require_once 'common.php';
 require_once 'HTMLPurifier/Filter/ExtractStyleBlocks.php';

-// need CSSTidy location
-$csstidy_location = false;
-if (file_exists('../conf/test-settings.php')) include '../conf/test-settings.php';
-if (file_exists('../test-settings.php')) include '../test-settings.php';
-
-if (!$csstidy_location) {
-?>
-Error: <a href="http://csstidy.sourceforge.net/">CSSTidy</a> library not
-found, please install and configure <code>test-settings.php</code>
-accordingly.
-<?php
-    exit;
-}
-
-require_once $csstidy_location . 'class.csstidy.php';
-require_once $csstidy_location . 'class.csstidy_print.php';
-
 $purifier = new HTMLPurifier(array(
    'Filter.ExtractStyleBlocks' => true,
 ));
--- a/test-settings.sample.php
+++ b/test-settings.sample.php
@@ -17,20 +17,6 @@ if ($data !== false && $data !== '') {
    exit;
 }

-// -----------------------------------------------------------------------------
-// REQUIRED SETTINGS
-
-// Note on running SimpleTest:
-//      You want the Git copy of SimpleTest, found here:
-//          https://github.com/simpletest/simpletest/
-//
-//      If SimpleTest is borked with HTML Purifier, please contact me or
-//      the SimpleTest devs; I am a developer for SimpleTest so I should be
-//      able to quickly assess a fix. SimpleTest's problem is my problem!
-
-// Where is SimpleTest located? Remember to include a trailing slash!
-$simpletest_location = '/path/to/simpletest/';
-
 // -----------------------------------------------------------------------------
 // OPTIONAL SETTINGS

@@ -50,9 +36,6 @@ $GLOBALS['HTMLPurifierTest']['PHPT'] = false;
 // If PHPT isn't in your Path via PEAR, set that here:
 // set_include_path('/path/to/phpt/Core/src' . PATH_SEPARATOR . get_include_path());

-// Where is CSSTidy located? (Include trailing slash. Leave false to disable.)
-$csstidy_location    = false;
-
 // For tests/multitest.php, which versions to test?
 $versions_to_test    = array();

@@ -69,6 +52,6 @@ $GLOBALS['HTMLPurifierTest']['PEAR'] = false;

 // If PEAR is enabled, what PEAR tests should be run? (Note: you will
 // need to ensure these libraries are installed)
-$GLOBALS['HTMLPurifierTest']['Net_IDNA2'] = true;
+$GLOBALS['HTMLPurifierTest']['Net_IDNA2'] = false;

 // vim: et sw=4 sts=4
--- a/test-settings.travis.php
+++ b/test-settings.travis.php
@@ -1,72 +0,0 @@
-<?php
-
-// This file is the configuration for Travis testing.
-
-// Note: The only external library you *need* is SimpleTest; everything else
-//       is optional.
-
-// We've got a lot of tests, so we recommend turning the limit off.
-set_time_limit(0);
-
-// Turning off output buffering will prevent mysterious errors from core dumps.
-$data = @ob_get_clean();
-if ($data !== false && $data !== '') {
-    echo "Output buffer contains data [".urlencode($data)."]\n";
-    exit;
-}
-
-// -----------------------------------------------------------------------------
-// REQUIRED SETTINGS
-
-// Note on running SimpleTest:
-//      You want the Git copy of SimpleTest, found here:
-//          https://github.com/simpletest/simpletest/
-//
-//      If SimpleTest is borked with HTML Purifier, please contact me or
-//      the SimpleTest devs; I am a developer for SimpleTest so I should be
-//      able to quickly assess a fix. SimpleTest's problem is my problem!
-
-// Where is SimpleTest located? Remember to include a trailing slash!
-$simpletest_location = dirname(__FILE__) . '/simpletest/';
-
-// -----------------------------------------------------------------------------
-// OPTIONAL SETTINGS
-
-// Note on running PHPT:
-//      Vanilla PHPT from https://github.com/tswicegood/PHPT_Core should
-//      work fine on Linux w/o multitest.
-//
-//      To do multitest or Windows testing, you'll need some more
-//      patches at https://github.com/ezyang/PHPT_Core
-//
-//      I haven't tested the Windows setup in a while so I don't know if
-//      it still works.
-
-// Should PHPT tests be enabled?
-$GLOBALS['HTMLPurifierTest']['PHPT'] = false;
-
-// If PHPT isn't in your Path via PEAR, set that here:
-// set_include_path('/path/to/phpt/Core/src' . PATH_SEPARATOR . get_include_path());
-
-// Where is CSSTidy located? (Include trailing slash. Leave false to disable.)
-$csstidy_location    = false;
-
-// For tests/multitest.php, which versions to test?
-$versions_to_test    = array();
-
-// Stable PHP binary to use when invoking maintenance scripts.
-$php = 'php';
-
-// For tests/multitest.php, what is the multi-version executable? It must
-// accept an extra parameter (version number) before all other arguments
-$phpv = false;
-
-// Should PEAR tests be run? If you've got a valid PEAR installation, set this
-// to true (or, if it's not in the include path, to its install directory).
-$GLOBALS['HTMLPurifierTest']['PEAR'] = false;
-
-// If PEAR is enabled, what PEAR tests should be run? (Note: you will
-// need to ensure these libraries are installed)
-$GLOBALS['HTMLPurifierTest']['Net_IDNA2'] = true;
-
-// vim: et sw=4 sts=4
--- a/tests/HTMLPurifier/AttrDef/CSS/AlphaValueTest.php
+++ b/tests/HTMLPurifier/AttrDef/CSS/AlphaValueTest.php
@@ -9,7 +9,7 @@ class HTMLPurifier_AttrDef_CSS_AlphaValueTest extends HTMLPurifier_AttrDefHarnes

        $this->assertDef('0');
        $this->assertDef('1');
-        $this->assertDef('.2');
+        $this->assertDef('0.2');

        // clamping to [0.0, 1,0]
        $this->assertDef('1.2', '1');
--- a/tests/HTMLPurifier/AttrDef/CSS/BackgroundTest.php
+++ b/tests/HTMLPurifier/AttrDef/CSS/BackgroundTest.php
@@ -17,7 +17,7 @@ class HTMLPurifier_AttrDef_CSS_BackgroundTest extends HTMLPurifier_AttrDefHarnes
        );
        $this->assertDef(
            'rgba(74, 12, 85, 0.35) repeat fixed bottom',
-            'rgba(74,12,85,.35) repeat fixed bottom'
+            'rgba(74,12,85,0.35) repeat fixed bottom'
        );
        $this->assertDef(
            'hsl(244, 47.4%, 88.1%) right center',
--- a/tests/HTMLPurifier/AttrDef/CSS/ColorTest.php
+++ b/tests/HTMLPurifier/AttrDef/CSS/ColorTest.php
@@ -20,8 +20,8 @@ class HTMLPurifier_AttrDef_CSS_ColorTest extends HTMLPurifier_AttrDefHarness
        $this->assertDef('rgb(12%,150%,0%)', 'rgb(12%,100%,0%)'); // percentage max values

        $this->assertDef('rgba(255, 0, 0, 0)', 'rgba(255,0,0,0)'); // rm spaces
-        $this->assertDef('rgba(100%,0%,0%,.4)');
-        $this->assertDef('rgba(38.1%,59.7%,1.8%,0.7)', 'rgba(38.1%,59.7%,1.8%,.7)'); // decimals okay
+        $this->assertDef('rgba(100%,0%,0%,0.4)');
+        $this->assertDef('rgba(38.1%,59.7%,1.8%,0.7)', 'rgba(38.1%,59.7%,1.8%,0.7)'); // decimals okay

        $this->assertDef('hsl(275, 45%, 81%)', 'hsl(275,45%,81%)'); // rm spaces
        $this->assertDef('hsl(100,0%,0%)');
@@ -30,8 +30,8 @@ class HTMLPurifier_AttrDef_CSS_ColorTest extends HTMLPurifier_AttrDefHarness
        $this->assertDef('hsl(380,125%,0%)', 'hsl(360,100%,0%)'); // max values

        $this->assertDef('hsla(100, 74%, 29%, 0)', 'hsla(100,74%,29%,0)'); // rm spaces
-        $this->assertDef('hsla(154,87%,21%,.4)');
-        $this->assertDef('hsla(45,94.3%,4.1%,0.7)', 'hsla(45,94.3%,4.1%,.7)'); // decimals okay
+        $this->assertDef('hsla(154,87%,21%,0.4)');
+        $this->assertDef('hsla(45,94.3%,4.1%,0.7)', 'hsla(45,94.3%,4.1%,0.7)'); // decimals okay

        $this->assertDef('#G00', false);
        $this->assertDef('cmyk(40, 23, 43, 23)', false);
--- a/tests/HTMLPurifier/AttrDef/CSS/NumberTest.php
+++ b/tests/HTMLPurifier/AttrDef/CSS/NumberTest.php
@@ -12,8 +12,8 @@ class HTMLPurifier_AttrDef_CSS_NumberTest extends HTMLPurifier_AttrDefHarness
        $this->assertDef('1.0', '1');
        $this->assertDef('34');
        $this->assertDef('4.5');
-        $this->assertDef('.5');
-        $this->assertDef('0.5', '.5');
+        $this->assertDef('0.5');
+        $this->assertDef('0.5', '0.5');
        $this->assertDef('-56.9');

        $this->assertDef('0.', '0');
@@ -21,10 +21,10 @@ class HTMLPurifier_AttrDef_CSS_NumberTest extends HTMLPurifier_AttrDefHarness
        $this->assertDef('0.0', '0');

        $this->assertDef('1.', '1');
-        $this->assertDef('.1', '.1');
+        $this->assertDef('.1', '0.1');

        $this->assertDef('1.0', '1');
-        $this->assertDef('0.1', '.1');
+        $this->assertDef('0.1', '0.1');

        $this->assertDef('000', '0');
        $this->assertDef(' 9', '9');
--- a/tests/HTMLPurifier/AttrDef/CSSTest.php
+++ b/tests/HTMLPurifier/AttrDef/CSSTest.php
@@ -73,6 +73,10 @@ class HTMLPurifier_AttrDef_CSSTest extends HTMLPurifier_AttrDefHarness
        $this->assertDef('min-width:50vw;');
        $this->assertDef('min-width:-50vw;', false);
        $this->assertDef('text-decoration:underline;');
+        $this->assertDef('text-decoration-line:overline;');
+        $this->assertDef('text-decoration-style:dashed;');
+        $this->assertDef('text-decoration-color:#F00;');
+        $this->assertDef('text-decoration-thickness:5%;');
        $this->assertDef('font-family:sans-serif;');
        $this->assertDef("font-family:Gill, 'Times New Roman', sans-serif;");
        $this->assertDef('font:12px serif;');
@@ -92,6 +96,9 @@ class HTMLPurifier_AttrDef_CSSTest extends HTMLPurifier_AttrDefHarness
        $this->assertDef('background-repeat:repeat-y;');
        $this->assertDef('background-attachment:fixed;');
        $this->assertDef('background-position:left 90%;');
+        $this->assertDef('background-size:50%;');
+        $this->assertDef('background-size:cover;');
+        $this->assertDef('background-size:200px;');
        $this->assertDef('border-spacing:1em;');
        $this->assertDef('border-spacing:1em 2em;');
        $this->assertDef('border-color: rgb(0, 0, 0) rgb(10,0,10)', 'border-color:rgb(0,0,0) rgb(10,0,10);');
@@ -140,8 +147,8 @@ class HTMLPurifier_AttrDef_CSSTest extends HTMLPurifier_AttrDefHarness
        $this->assertDef('scrollbar-highlight-color:#ff69b4;');
        $this->assertDef('scrollbar-shadow-color:#f0f;');

-        $this->assertDef('-moz-opacity:.2;');
-        $this->assertDef('-khtml-opacity:.2;');
+        $this->assertDef('-moz-opacity:0.2;');
+        $this->assertDef('-khtml-opacity:0.2;');
        $this->assertDef('filter:alpha(opacity=20);');

        $this->assertDef('border-top-left-radius:55pt 25pt;');
@@ -160,7 +167,7 @@ class HTMLPurifier_AttrDef_CSSTest extends HTMLPurifier_AttrDefHarness
        $this->assertDef('display:none;');
        $this->assertDef('visibility:visible;');
        $this->assertDef('overflow:scroll;');
-        $this->assertDef('opacity:.2;');
+        $this->assertDef('opacity:0.2;');
    }

    public function testForbidden()
--- a/tests/HTMLPurifier/AttrDef/HTML/ContentEditableTest.php
+++ b/tests/HTMLPurifier/AttrDef/HTML/ContentEditableTest.php
@@ -0,0 +1,27 @@
+<?php
+
+class HTMLPurifier_AttrDef_HTML_ContentEditableTest extends HTMLPurifier_AttrDefHarness
+{
+    public function setUp()
+    {
+        parent::setUp();
+        $this->def = new HTMLPurifier_AttrDef_HTML_ContentEditable();
+    }
+
+    public function test()
+    {
+        $this->assertDef('', false);
+        $this->assertDef('true', false);
+        $this->assertDef('caret', false);
+        $this->assertDef('false');
+    }
+
+    public function testTrustedHtml()
+    {
+        $this->config->set('HTML.Trusted', true);
+        $this->assertDef('');
+        $this->assertDef('true');
+        $this->assertDef('false');
+        $this->assertDef('caret', false);
+    }
+}
--- a/tests/HTMLPurifier/AttrDef/URITest.php
+++ b/tests/HTMLPurifier/AttrDef/URITest.php
@@ -23,6 +23,8 @@ class HTMLPurifier_AttrDef_URITest extends HTMLPurifier_AttrDefHarness
        $this->assertDef('nntp://news.example.com/324234');
        $this->assertDef('mailto:bob@example.com');
        $this->assertDef('tel:+15555555555');
+        $this->assertDef('tel:+15555 555 555', 'tel:+15555555555');
+        $this->assertDef('tel:+15555%20555%20555', 'tel:+15555555555');
    }

    public function testIntegrationWithPercentEncoder()
--- a/tests/HTMLPurifier/AttrTransform/NameSyncTest.php
+++ b/tests/HTMLPurifier/AttrTransform/NameSyncTest.php
@@ -3,6 +3,11 @@
 class HTMLPurifier_AttrTransform_NameSyncTest extends HTMLPurifier_AttrTransformHarness
 {

+    /**
+     * @type HTMLPurifier_IDAccumulator
+     */
+    public $accumulator;
+
    public function setUp()
    {
        parent::setUp();
--- a/tests/HTMLPurifier/AttrValidator_ErrorsTest.php
+++ b/tests/HTMLPurifier/AttrValidator_ErrorsTest.php
@@ -3,6 +3,11 @@
 class HTMLPurifier_AttrValidator_ErrorsTest extends HTMLPurifier_ErrorsHarness
 {

+    /**
+     * @type HTMLPurifier_Language
+     */
+    public $language;
+
    public function setup()
    {
        parent::setup();
--- a/tests/HTMLPurifier/ChildDef/TableTest.php
+++ b/tests/HTMLPurifier/ChildDef/TableTest.php
@@ -44,6 +44,22 @@ class HTMLPurifier_ChildDef_TableTest extends HTMLPurifier_ChildDefHarness
        );
    }

+    public function testTheadOnlyNotRemoved()
+    {
+        $this->assertResult(
+            '<thead><tr><th>a</th></tr></thead>',
+            '<thead><tr><th>a</th></tr></thead>'
+        );
+    }
+
+    public function testTbodyOnlyNotRemoved()
+    {
+        $this->assertResult(
+            '<tbody><tr><th>a</th></tr></tbody>',
+            '<tbody><tr><th>a</th></tr></tbody>'
+        );
+    }
+
    public function testTrOverflowAndClose()
    {
        $this->assertResult(
--- a/tests/HTMLPurifier/DefinitionCache/DecoratorHarness.php
+++ b/tests/HTMLPurifier/DefinitionCache/DecoratorHarness.php
@@ -5,6 +5,12 @@ generate_mock_once('HTMLPurifier_DefinitionCache');
 class HTMLPurifier_DefinitionCache_DecoratorHarness extends HTMLPurifier_DefinitionCacheHarness
 {

+    public $cache;
+
+    public $mock;
+
+    public $def;
+
    public function setup()
    {
        $this->mock     = new HTMLPurifier_DefinitionCacheMock();
--- a/tests/HTMLPurifier/DefinitionTestable.php
+++ b/tests/HTMLPurifier/DefinitionTestable.php
@@ -1,7 +1,14 @@
 <?php

+abstract class HTMLPurifier_TestDefinition extends HTMLPurifier_Definition
+{
+    public $info;
+    public $info_candles;
+    public $info_random;
+}
+
 Mock::generatePartial(
-        'HTMLPurifier_Definition',
+        'HTMLPurifier_TestDefinition',
        'HTMLPurifier_DefinitionTestable',
        array('doSetup'));

--- a/tests/HTMLPurifier/EntityParserTest.php
+++ b/tests/HTMLPurifier/EntityParserTest.php
@@ -5,6 +5,8 @@ class HTMLPurifier_EntityParserTest extends HTMLPurifier_Harness

    protected $EntityParser;

+    protected $_entity_lookup;
+
    public function setUp()
    {
        $this->EntityParser = new HTMLPurifier_EntityParser();
--- a/tests/HTMLPurifier/Filter/ExtractStyleBlocksTest.php
+++ b/tests/HTMLPurifier/Filter/ExtractStyleBlocksTest.php
@@ -214,6 +214,19 @@ text-align:right
        );
    }

+    public function test_keepImportantComments()
+    {
+        $this->assertCleanCSS(
+            "/*! Important */
+div {
+text-align:right /*! Important2 */
+}",
+            "div {
+text-align:right
+}"
+        );
+    }
+
    public function test_atSelector()
    {
        $this->assertCleanCSS(
--- a/tests/HTMLPurifier/HTMLModule/FormsTest.php
+++ b/tests/HTMLPurifier/HTMLModule/FormsTest.php
@@ -161,6 +161,13 @@ class HTMLPurifier_HTMLModule_FormsTest extends HTMLPurifier_HTMLModuleHarness
        $this->assertResult('<form action=""><input align="left" /></form>');
    }

+    public function testHTMLFormsConfigDirective()
+    {
+        $this->config->set('HTML.Trusted', false);
+        $this->config->set('HTML.Forms', true);
+
+        $this->assertResult('<form action="..." method="post"><input type="text" /><textarea cols="20" rows="3"></textarea></form>');
+    }
 }

 // vim: et sw=4 sts=4
--- a/tests/HTMLPurifier/LanguageFactoryTest.php
+++ b/tests/HTMLPurifier/LanguageFactoryTest.php
@@ -29,45 +29,6 @@ class HTMLPurifier_LanguageFactoryTest extends HTMLPurifier_Harness

    }

-    public function testFallback()
-    {
-        $this->config->set('Core.Language', 'en-x-test');
-        $language = $this->factory->create($this->config, $this->context);
-
-        $this->assertIsA($language, 'HTMLPurifier_Language_en_x_test');
-        $this->assertIdentical($language->code, 'en-x-test');
-
-        $language->load();
-
-        // test overloaded message
-        $this->assertIdentical($language->getMessage('HTMLPurifier'), 'HTML Purifier X');
-
-        // test inherited message
-        $this->assertIdentical($language->getMessage('LanguageFactoryTest: Pizza'), 'Pizza');
-
-    }
-
-    public function testFallbackWithNoClass()
-    {
-        $this->config->set('Core.Language', 'en-x-testmini');
-        $language = $this->factory->create($this->config, $this->context);
-        $this->assertIsA($language, 'HTMLPurifier_Language');
-        $this->assertIdentical($language->code, 'en-x-testmini');
-        $language->load();
-        $this->assertIdentical($language->getMessage('HTMLPurifier'), 'HTML Purifier XNone');
-        $this->assertIdentical($language->getMessage('LanguageFactoryTest: Pizza'), 'Pizza');
-        $this->assertIdentical($language->error, false);
-    }
-
-    public function testNoSuchLanguage()
-    {
-        $this->config->set('Core.Language', 'en-x-testnone');
-        $language = $this->factory->create($this->config, $this->context);
-        $this->assertIsA($language, 'HTMLPurifier_Language');
-        $this->assertIdentical($language->code, 'en-x-testnone');
-        $this->assertIdentical($language->error, true);
-    }
-
 }

 // vim: et sw=4 sts=4
--- a/tests/HTMLPurifier/Strategy/MakeWellFormed/EndRewindInjector.php
+++ b/tests/HTMLPurifier/Strategy/MakeWellFormed/EndRewindInjector.php
@@ -4,10 +4,13 @@ class HTMLPurifier_Strategy_MakeWellFormed_EndRewindInjector extends HTMLPurifie
 {
    public $name = 'EndRewindInjector';
    public $needed = array('span');
+    private $deleteElement = false;
+
    public function handleElement(&$token)
    {
-        if (isset($token->_InjectorTest_EndRewindInjector_delete)) {
+        if ($this->deleteElement) {
            $token = false;
+            $this->deleteElement = false;
        }
    }
    public function handleText(&$token)
@@ -23,7 +26,7 @@ class HTMLPurifier_Strategy_MakeWellFormed_EndRewindInjector extends HTMLPurifie
            $prev->name == 'span'
        ) {
            $token = false;
-            $prev->_InjectorTest_EndRewindInjector_delete = true;
+            $this->deleteElement = true;
            $this->rewindOffset(1);
        }
    }
--- a/tests/HTMLPurifier/Strategy/ValidateAttributesTest.php
+++ b/tests/HTMLPurifier/Strategy/ValidateAttributesTest.php
@@ -258,6 +258,13 @@ class HTMLPurifier_Strategy_ValidateAttributesTest extends
        );
    }

+    public function testContentEditableAttribute()
+    {
+        $this->assertResult(
+            '<div contenteditable="false"></div>',
+            '<div contenteditable="false"></div>'
+        );
+    }
 }

 // vim: et sw=4 sts=4
--- a/tests/HTMLPurifier/URIFilter/HostBlacklistTest.php
+++ b/tests/HTMLPurifier/URIFilter/HostBlacklistTest.php
@@ -28,6 +28,12 @@ class HTMLPurifier_URIFilter_HostBlacklistTest extends HTMLPurifier_URIFilterHar
        $this->assertFiltering('http://google.com');
    }

+    public function testFragment()
+    {
+        $this->config->set('URI.HostBlacklist', 'example.com');
+        $this->assertFiltering('#foo');
+    }
+
 }

 // vim: et sw=4 sts=4
--- a/tests/HTMLPurifier/URIFilter/MakeAbsoluteTest.php
+++ b/tests/HTMLPurifier/URIFilter/MakeAbsoluteTest.php
@@ -40,6 +40,8 @@ class HTMLPurifier_URIFilter_MakeAbsoluteTest extends HTMLPurifier_URIFilterHarn
    public function testPreserveAltSchemeWithTel()
    {
        $this->assertFiltering('tel:+15555555555');
+        $this->assertFiltering('tel:+15555 555 555');
+        $this->assertFiltering('tel:+15555%20555%20555');
    }

    public function testFilterIgnoreHTTPSpecialCase()
--- a/tests/HTMLPurifier/URIFilterHarness.php
+++ b/tests/HTMLPurifier/URIFilterHarness.php
@@ -3,6 +3,11 @@
 class HTMLPurifier_URIFilterHarness extends HTMLPurifier_URIHarness
 {

+    /**
+     * @type HTMLPurifier_URIFilter
+     */
+    public $filter;
+
    protected function assertFiltering($uri, $expect_uri = true)
    {
        $this->prepareURI($uri, $expect_uri);
--- a/tests/HTMLPurifier/URIParserTest.php
+++ b/tests/HTMLPurifier/URIParserTest.php
@@ -75,6 +75,10 @@ class HTMLPurifier_URIParserTest extends HTMLPurifier_Harness
            'tel:+1 (555) 555-5555',
            'tel', null, null, null, '+1 (555) 555-5555', null, null
        );
+        $this->assertParsing(
+          'tel:+1%20(555)%20555-5555',
+          'tel', null, null, null, '+1%20(555)%20555-5555', null, null
+        );
    }

    public function testIPv4Address()
--- a/tests/HTMLPurifier/URISchemeTest.php
+++ b/tests/HTMLPurifier/URISchemeTest.php
@@ -179,6 +179,13 @@ class HTMLPurifier_URISchemeTest extends HTMLPurifier_URIHarness
        );
    }

+    public function test_tel_with_url_encoding()
+    {
+        $this->assertValidation(
+            'tel:+1%20(555)%20555-5555', 'tel:+15555555555'
+        );
+    }
+
    public function test_tel_regular()
    {
        $this->assertValidation(
--- a/tests/HTMLPurifier/UnitConverterTest.php
+++ b/tests/HTMLPurifier/UnitConverterTest.php
@@ -101,6 +101,13 @@ class HTMLPurifier_UnitConverterTest extends HTMLPurifier_Harness
        $this->assertConversion('111.12pt', '1.5433in');
        $this->assertConversion('11.112pt', '0.15433in');
    }
+    
+    public function testDecimalSeparatorComma()
+    {
+        setlocale(LC_ALL, 'de_DE@euro', 'de_DE', 'deu_deu');
+        $this->assertConversion('11.11px', '0.294cm');
+        setlocale(LC_ALL, '');
+    }

    public function testRoundingBigNumber()
    {
--- a/tests/HTMLPurifierTest.php
+++ b/tests/HTMLPurifierTest.php
@@ -32,6 +32,13 @@ class HTMLPurifierTest extends HTMLPurifier_Harness
        );
    }

+    public function test_purifyArray_empty() {
+        $purifiedEmptyArray = $this->purifier->purifyArray(array());
+        $this->assertTrue(
+            empty($purifiedEmptyArray)
+        );
+    }
+
    public function testGetInstance()
    {
        $purifier  = HTMLPurifier::getInstance();
--- a/tests/common.php
+++ b/tests/common.php
@@ -1,5 +1,7 @@
 <?php

+require_once __DIR__.'/../vendor/autoload.php';
+
 if (!defined('HTMLPurifierTest')) {
    echo "Invalid entry point\n";
    exit;
@@ -27,8 +29,6 @@ $GLOBALS['HTMLPurifierTest']['PHPT'] = true; // do PHPT tests
 $GLOBALS['HTMLPurifierTest']['PH5P'] = class_exists('DOMDocument');

 // default library settings
-$simpletest_location = 'simpletest/'; // reasonable guess
-$csstidy_location = false;
 $versions_to_test = array();
 $php  = 'php';
 $phpv = 'phpv';
@@ -40,20 +40,6 @@ else {
    throw new Exception('Please create a test-settings.php file by copying test-settings.sample.php and configuring accordingly');
 }

-// load SimpleTest
-require_once $simpletest_location . 'unit_tester.php';
-require_once $simpletest_location . 'reporter.php';
-require_once $simpletest_location . 'mock_objects.php';
-require_once $simpletest_location . 'xml.php';
-require_once $simpletest_location . 'remote.php';
-
-// load CSS Tidy
-if ($csstidy_location !== false) {
-    $old = error_reporting(E_ALL);
-    require $csstidy_location . 'class.csstidy.php';
-    error_reporting($old);
-}
-
 // load PEAR to include path
 if ( is_string($GLOBALS['HTMLPurifierTest']['PEAR']) ) {
    // if PEAR is true, there's no need to add it to the path
--- a/tests/test_files.php
+++ b/tests/test_files.php
@@ -18,9 +18,7 @@ switch ($AC['type']) {
        $test_dirs[] = 'HTMLPurifier';
        $test_files[] = 'HTMLPurifierTest.php';
        $test_dirs_exclude['HTMLPurifier/Filter/ExtractStyleBlocksTest.php'] = true;
-        if ($csstidy_location) {
-          $test_files[] = 'HTMLPurifier/Filter/ExtractStyleBlocksTest.php';
-        }
+        $test_files[] = 'HTMLPurifier/Filter/ExtractStyleBlocksTest.php';
        if ($break) break;
    case 'configdoc':
        if (version_compare(PHP_VERSION, '5.2', '>=')) {
@@ -29,6 +27,7 @@ switch ($AC['type']) {
        if ($break) break;
    case 'fstools':
        $test_dirs[] = 'FSTools';
+        if ($break) break;
    case 'htmlt':
        $htmlt_dirs[] = 'HTMLPurifier/HTMLT';
        if ($break) break;
--- a/34
+++ b/34
@@ -23,24 +23,7 @@ $version = trim($argv[1]);
 // ...in VERSION
 file_put_contents('VERSION', $version);

-// ...in NEWS
-if ($is_dev = (strpos($version, 'dev') === false)) {
-  $date = date('Y-m-d');
-  $news_c = str_replace(
-      $l = "$version, unknown release date",
-      "$version, released $date",
-      file_get_contents('NEWS'),
-      $c
-  );
-  if (!$c) {
-      echo 'Could not update NEWS, missing ' . $l . PHP_EOL;
-      exit;
-  } elseif ($c > 1) {
-      echo 'More than one release declaration in NEWS replaced' . PHP_EOL;
-      exit;
-  }
-  file_put_contents('NEWS', $news_c);
-}
+$is_dev = strpos($version, 'dev') === false;

 // ...in Doxyfile
 $doxyfile_c = preg_replace(
@@ -102,9 +85,22 @@ if (!$c) {
 }
 file_put_contents('library/HTMLPurifier/Config.php', $config_c);

+$includes = file_get_contents('library/HTMLPurifier.includes.php');
+$includes = preg_replace(
+    '/@version .+?/',
+    "@version $version",
+    $includes,
+    1, $c
+);
+if (!$c) {
+    echo 'Could not update HTMLPurifier.includes.php, missing @version docblock.' . PHP_EOL;
+    exit;
+}
+file_put_contents('HTMLPurifier.includes.php', $includes);
+
 passthru('maintenance/flush.sh');

-if ($is_dev) echo "Review changes, write something in WHATSNEW and FOCUS, and then commit with log 'Release $version.'" . PHP_EOL;
+if ($is_dev) echo "Review changes, and then commit with log 'Release $version.'" . PHP_EOL;
 else echo "Numbers updated to dev, no other modifications necessary!";

 // vim: et sw=4 sts=4
Author	SHA1	Message	Date
semantic-release-bot	bbc513d79a	chore(release): 4.17.0 [skip ci] # [4.17.0](https://github.com/ezyang/htmlpurifier/compare/v4.16.0...v4.17.0) (2023-11-17) ### Bug Fixes * CSSTidy ImportantComments not handled properly ([#359](https://github.com/ezyang/htmlpurifier/issues/359)) ([`78a9b4d`](`78a9b4d0da`)) * fix CI ([#361](https://github.com/ezyang/htmlpurifier/issues/361)) ([`9ec687c`](`9ec687c904`)) * Invalid scheme check in Attr.TargetBlank ([#363](https://github.com/ezyang/htmlpurifier/issues/363)) ([`0176ef4`](`0176ef4bb6`)) * semantic release ([#339](https://github.com/ezyang/htmlpurifier/issues/339)) ([`d82f3d9`](`d82f3d996a`)) * semantic release ([#341](https://github.com/ezyang/htmlpurifier/issues/341)) ([`e55fead`](`e55fead09f`)), closes [#339](https://github.com/ezyang/htmlpurifier/issues/339) * Support for locales using decimal separators other than . (dot) ([#372](https://github.com/ezyang/htmlpurifier/issues/372)) ([`43f49ac`](`43f49ac9a5`)) ### Features * Add support for all text-decoration properties ([#360](https://github.com/ezyang/htmlpurifier/issues/360)) ([`2d775c0`](`2d775c0187`)) * Allows commas to be included in tel URI ([#389](https://github.com/ezyang/htmlpurifier/issues/389)) ([`ec92490`](`ec92490139`)), closes [#388](https://github.com/ezyang/htmlpurifier/issues/388) ### Reverts * Revert "fix: semantic release (#339)" (#340) ([`3e83215`](`3e832152a6`)), closes [#339](https://github.com/ezyang/htmlpurifier/issues/339) [#340](https://github.com/ezyang/htmlpurifier/issues/340)	2023-11-17 15:01:25 +00:00
Edward Z. Yang	0f0fd36896	ci: upgrade semantic-release-action Signed-off-by: Edward Z. Yang <ezyang@meta.com>	2023-11-17 10:00:42 -05:00
danbrellis	ec92490139	feat: Allows commas to be included in tel URI (#389 ) * Allows commas in tel URI scheme validator (addresses #388) * Adds comment explaining `8429f7b`	2023-11-10 10:25:42 -05:00
Tim Düsterhus	ab21ea735a	chore: Add support for PHP 8.3 (#382 ) * Add PHP 8.3 to CI * Allow PHP 8.3 in composer.json	2023-08-24 11:15:30 -04:00
Edward Z. Yang	6eb6123036	Don't suggest chmod to 777 (#373 ) Signed-off-by: Edward Z. Yang <ezyang@meta.com>	2023-04-30 13:55:11 -04:00
cracksalad	43f49ac9a5	fix: Support for locales using decimal separators other than . (dot) (#372 ) * Bugfix UnitConverter expects float got string (strict types enabled) * Bugfix for latest bugfix with huge numbers * Bugfix for german locale * Use number_format instead of str_replace(sprintf())	2023-04-30 09:30:23 -04:00
George Peter Banyard	c05639e0c9	[refactor] Use range() function instead of string increment (#367 ) This was found during the analysis for https://wiki.php.net/rfc/saner-inc-dec-operators I don't know what is the minimal version targeted, so the line which defines ``$c`` may need to be changes to use ``array_merge()``	2023-02-23 13:11:13 -05:00
Steve Bauman	b4136da73c	Remove unnecessary disablement of autoload (#364 )	2023-02-05 21:40:57 -05:00
Jeff Standen	0176ef4bb6	fix: Invalid scheme check in Attr.TargetBlank (#363 )	2023-01-26 19:06:28 -05:00
Francis Lévesque	78a9b4d0da	fix: CSSTidy ImportantComments not handled properly (#359 ) * fix: CSSTidy ImportantComments not handled properly Signed-off-by: Francis Lévesque <wolfrank2164@gmail.com> * fix: CSSTidy ImportantComments not handled properly -> remove comments Signed-off-by: Francis Lévesque <wolfrank2164@gmail.com> Co-authored-by: Edward Z. Yang <ezyang@meta.com>	2023-01-21 22:44:44 -05:00
Edward Z. Yang	9ec687c904	fix: fix CI (#361 ) Signed-off-by: Edward Z. Yang <ezyang@meta.com> Signed-off-by: Edward Z. Yang <ezyang@meta.com>	2023-01-21 22:42:38 -05:00
Raheel Hsn	2d775c0187	feat: Add support for all text-decoration properties (#360 ) * CSS: add support for all text-decoration related properties * updated arrays to use short syntex Co-authored-by: Raheel Hasan <raheel.hasan@luciditysoftware.com.au>	2023-01-12 08:41:13 -05:00
jw2(kit rio)	da35a5e0d7	Drop supporting PHP 5.2 (#335 ) (#356 )	2022-12-04 13:22:17 -06:00
Michael S	1424f17cf3	Add support for encoded tel URI schemes. (#354 )	2022-11-24 16:31:20 -05:00
Michael Kliewe	becc9d40cf	Fixed missing return value (#349 )	2022-11-19 14:26:34 -08:00
Michael Kliewe	909dda6621	Fixed wrong return PHPDoc (#348 )	2022-11-18 21:03:18 -08:00
Michael Kliewe	2d1314820e	Added class_exists('Net_IDNA2') around optional external class (#351 )	2022-11-18 20:56:21 -08:00
Michael Kliewe	d567de85e6	Fixed undefined property (#346 )	2022-11-18 20:42:06 -08:00
Kieran	e55fead09f	fix: semantic release (#341 ) Same as #339 but stops library/standalone and library/HTMLPurifier.standalone.phpfrom being commit	2022-09-20 12:45:11 -04:00
Edward Z. Yang	3e832152a6	Revert "fix: semantic release (#339 )" (#340 ) This reverts commit `d82f3d996a`.	2022-09-18 15:21:20 -04:00
Kieran	d82f3d996a	fix: semantic release (#339 ) * fix: semantic release * update git assets	2022-09-18 15:15:38 -04:00
semantic-release-bot	523407fb06	chore(release): 4.16.0 [skip ci] # [4.16.0](https://github.com/ezyang/htmlpurifier/compare/v4.15.0...v4.16.0) (2022-09-18) ### Features * add semantic release ([#307](https://github.com/ezyang/htmlpurifier/issues/307)) ([`db31243`](`db312435cb`)), closes [#322](https://github.com/ezyang/htmlpurifier/issues/322) [#323](https://github.com/ezyang/htmlpurifier/issues/323) [#326](https://github.com/ezyang/htmlpurifier/issues/326) [#327](https://github.com/ezyang/htmlpurifier/issues/327) [#328](https://github.com/ezyang/htmlpurifier/issues/328) [#329](https://github.com/ezyang/htmlpurifier/issues/329) [#330](https://github.com/ezyang/htmlpurifier/issues/330) [#331](https://github.com/ezyang/htmlpurifier/issues/331) [#332](https://github.com/ezyang/htmlpurifier/issues/332) [#333](https://github.com/ezyang/htmlpurifier/issues/333) [#337](https://github.com/ezyang/htmlpurifier/issues/337) [#335](https://github.com/ezyang/htmlpurifier/issues/335) [ezyang/htmlpurifier#334](https://github.com/ezyang/htmlpurifier/issues/334) [#336](https://github.com/ezyang/htmlpurifier/issues/336) [#338](https://github.com/ezyang/htmlpurifier/issues/338)	2022-09-18 07:06:19 +00:00
Kieran	db312435cb	feat: add semantic release (#307 ) * Add semantic release * fix typo * split from matrix * remove only on push * remove npm plugin * write changelog to NEWS * list assets to include in git commit * fix update-for-release * lint pr title * split release into separate workflow that runs manually * revert ci.yml changes * remove references to WHATSNEW * Fix #322 - PHP 8.1 deprecation notice in HostBlacklist URIFilter (#323) * Replace 8.1-deprecated utf8_ funcs with mbstring (#326) * Treat PHP version numbers as strings in GitHub Actions (#327) YAML will try to interpret numeric values as numbers, leading to `8.0` being interpreted as `8` instead of `'8.0'`. This doesn't result in a functional change, but cleans up the output of the jobs a little (e.g. in the title line). * Update to `actions/checkout@v3` (#328) This does not introduce any functional difference and is intended as a future-proofing change. see https://github.com/actions/checkout/releases/tag/v3.0.0 * Fix test selection logic in tests/test_files.php (#329) Selecting the `fstools` tests also executed the `htmlt` tests. * Fix some more PHP 8.2 deprecations (#330) * Define HTMLPurifier_AttrTransform_SafeParam::$wmode This fixes a PHP 8.2 deprecation. * Define HTMLPurifier_DefinitionCache_DecoratorHarness::$cache This fixes a PHP 8.2 deprecation. * Define HTMLPurifier_DefinitionCache_DecoratorHarness::$mock This fixes a PHP 8.2 deprecation. * Define HTMLPurifier_DefinitionCache_DecoratorHarness::$def This fixes a PHP 8.2 deprecation. * Define HTMLPurifier_EntityParserTest::$_entity_lookup This fixes a PHP 8.2 deprecation. * Increase minimum requirement to PHP 5.6 (#331) * Add contenteditable attribute definition (#332) * Add contenteditable attribute definition * gate behind html.trusted * use enum * Fix creation of dynamic property (#333) * Fix creation of dynamic property (#337) * Add PHP 8.2 to CI (#335) * Add PHP 8.2 to CI see ezyang/htmlpurifier#334 * Add PHP 8.2 to composer.json * Fix contenteditable attribute definition (#336) * Run CSSTidy tests on CI (#338) * Run CSSTidy tests on CI * update dirname * use compopser instead of git clone * use composer * use test-settings.sample.php * enable ext-intl * disable Net_IDNA2 * Release 4.15.0 Signed-off-by: Edward Z. Yang <ezyang@mit.edu> Signed-off-by: Edward Z. Yang <ezyang@mit.edu> Co-authored-by: John Flatness <john@zerocrates.org> Co-authored-by: Tim Düsterhus <duesterhus@woltlab.com> Co-authored-by: Tim Düsterhus <timwolla@googlemail.com> Co-authored-by: Edward Z. Yang <ezyang@mit.edu>	2022-09-18 02:44:00 -04:00
Edward Z. Yang	8d9f4c9ec1	Release 4.15.0 Signed-off-by: Edward Z. Yang <ezyang@mit.edu>	2022-09-18 02:23:57 -04:00
Kieran	25824056ee	Run CSSTidy tests on CI (#338 ) * Run CSSTidy tests on CI * update dirname * use compopser instead of git clone * use composer * use test-settings.sample.php * enable ext-intl * disable Net_IDNA2	2022-09-14 20:55:41 -07:00
Kieran	f1d6da13bc	Fix contenteditable attribute definition (#336 )	2022-09-12 07:53:24 -07:00
Tim Düsterhus	dc27c78871	Add PHP 8.2 to CI (#335 ) * Add PHP 8.2 to CI see ezyang/htmlpurifier#334 * Add PHP 8.2 to composer.json	2022-09-11 19:51:02 -04:00
Kieran	ce9cf2ec99	Fix creation of dynamic property (#337 )	2022-09-10 14:03:42 -04:00
Kieran	36e06603a8	Fix creation of dynamic property (#333 )	2022-09-06 13:05:15 -04:00
Kieran	dbbd3e59f9	Add contenteditable attribute definition (#332 ) * Add contenteditable attribute definition * gate behind html.trusted * use enum	2022-09-06 13:04:45 -04:00
Tim Düsterhus	1c2bae18e3	Increase minimum requirement to PHP 5.6 (#331 )	2022-09-02 21:43:29 -04:00
Tim Düsterhus	1b80051115	Fix some more PHP 8.2 deprecations (#330 ) * Define HTMLPurifier_AttrTransform_SafeParam::$wmode This fixes a PHP 8.2 deprecation. * Define HTMLPurifier_DefinitionCache_DecoratorHarness::$cache This fixes a PHP 8.2 deprecation. * Define HTMLPurifier_DefinitionCache_DecoratorHarness::$mock This fixes a PHP 8.2 deprecation. * Define HTMLPurifier_DefinitionCache_DecoratorHarness::$def This fixes a PHP 8.2 deprecation. * Define HTMLPurifier_EntityParserTest::$_entity_lookup This fixes a PHP 8.2 deprecation.	2022-09-02 21:38:58 -04:00
Tim Düsterhus	c60bba1fe4	Fix test selection logic in tests/test_files.php (#329 ) Selecting the `fstools` tests also executed the `htmlt` tests.	2022-09-02 21:35:32 -04:00
Tim Düsterhus	6ec13635ce	Update to `actions/checkout@v3` (#328 ) This does not introduce any functional difference and is intended as a future-proofing change. see https://github.com/actions/checkout/releases/tag/v3.0.0	2022-08-30 09:50:18 -04:00
Tim Düsterhus	be2a668e81	Treat PHP version numbers as strings in GitHub Actions (#327 ) YAML will try to interpret numeric values as numbers, leading to `8.0` being interpreted as `8` instead of `'8.0'`. This doesn't result in a functional change, but cleans up the output of the jobs a little (e.g. in the title line).	2022-08-30 09:46:59 -04:00
John Flatness	dff4746e13	Replace 8.1-deprecated utf8_ funcs with mbstring (#326 )	2022-08-15 22:59:31 -04:00
Kieran	3fc193c755	Fix #322 - PHP 8.1 deprecation notice in HostBlacklist URIFilter (#323 )	2022-06-27 17:20:36 -04:00
Tim Düsterhus	1db36fb09d	Fix some PHP 8.2 deprecations (#319 ) * Define HTMLPurifier_Lexer::$_entity_parser property This fixes a PHP 8.2 deprecation. * Define HTMLPurifier_URIFilterHarness::$filter property This fixes a PHP 8.2 deprecation. * Define HTMLPurifier_AttrTransform_NameSync::$idDef property This fixes a PHP 8.2 deprecation. * Define HTMLPurifier_AttrTransform_NameSyncTest::$accumulator property This fixes a PHP 8.2 deprecation. * Define HTMLPurifier_AttrValidator_ErrorsTest::$language property This fixes a PHP 8.2 deprecation. * Define HTMLPurifier_ChildDef_List::$whitespace property This fixes a PHP 8.2 deprecation. * Do not modify incoming tokens in RemoveSpansWithoutAttributes Previously the undefined property `->markForDeletion` was added to the incoming tokens. This causes a deprecation in PHP 8.2. Fix this by storing to-be-deleted tokens inside SplObjectStorage. In PHP 8 a WeakMap would be preferable, as that prevents leaks if `handleEnd` is never called for the token.	2022-06-10 16:30:01 -04:00
func0der	38296c603b	Composer suggestions with extensions (#317 ) * Add suggestion for usage of Filter.ExtractStyleBlocks Resolves #316 * Add php extensions as suggestions Resolves #316 * Correct typo in composer property	2022-06-02 23:03:44 -04:00
David Rans	1dd3e52365	PHP 8.1: fix various deprecations/errors in newest version of PHP (#310 ) * Test on PHP 8.1 * PHP 8.1: fix deprecated NULL param to glob() * PHP 8.1: fix PHP error when passing NULL to rawurlencode() * PHP 8.1: calling ctype_lower with FALSE is deprecated * PHP 8.1: passing NULL to setAttribute() is deprecated * PHP 8.1: passing NULL to str_replace() is an error * PHP 8.1: fix error passing NULL to str_replace() * PHP 8.1: fix return type deprecation with backwards compatible attribute * Revert typo	2022-04-08 13:48:12 -04:00
Edward Z. Yang	12ab42bd6e	Release 4.14.0 Signed-off-by: Edward Z. Yang <ezyang@mit.edu>	2021-12-24 20:21:49 -05:00
Kieran	1c784a5c3d	ci: test on php 8.0 (#308 ) * PHP 8 support * only php 8.0 * Merged to master Co-authored-by: Edward Z. Yang <ezyang@mit.edu>	2021-12-23 21:26:25 -05:00
Kieran	41fc223f96	feat: transform deprecated width attribute (#306 ) * Transform deprecated col@width attribute * Transform deprecated table@width attribute * reformat	2021-12-23 21:26:14 -05:00
Arkadiusz Biczewski	996eaf4331	Remove unnecessary reference assigment (#301 ) * Remove unnecessary reference assigment Proposed code is PHP5 and PHP7 compatible. PHP5 interpreted `$e->$type[$attr]` as `$e->{$type[$attr]}`, but the expected behavior based on workaround is consistent with PHP7 interpretation: `($e->$type)[$attr]`. By using curly braces `{$e->$type}[$attr]` there is a forced interpretation order working for both versions. Details can be found on https://www.php.net/manual/en/migration70.incompatible.php (section "Changes to the handling of indirect variables, properties, and methods") * Fix syntax Use correct syntax for indirect variable evaluation order change.	2021-09-07 14:16:55 -04:00
Kieran	c97bb93223	Fix GH workflow conditions (#298 ) * Fix GH workflow conditions * Remove PHP 8	2021-07-26 10:16:49 -04:00
Max	288bf75acc	PHP 8 Support (#297 ) Co-authored-by: Maksims Sļotovs <maksims.slotovs@printful.com>	2021-07-20 09:40:50 -04:00
Kieran	3a368d7668	Switch to GitHub Actions (#293 )	2021-05-21 20:46:13 -04:00
Václav Smítal	6f9aac9325	CSS: Add "background-size" tag support (#289 )	2021-04-22 10:01:00 -04:00
Kieran	1354e7e8c5	Fix "Parameter must be an array or an object that implements Countable" (#285 )	2021-02-27 20:42:20 -05:00
Marcus Artner	214cb8a693	Fixed Issue #264 : <thead> element removed from <table> if there are no <tbody> or <tr> elements (#283 )	2021-01-26 11:11:50 -05:00
Jasper Zonneveld	2512f595e0	Check PHP version before checking magic quotes (#273 ) This function has been DEPRECATED as of PHP 7.4.0. Relying on this function is highly discouraged. It is basically useless as of PHP 5.4 because it will always return false, so for modern applications it can be safely removed. But as this library still supports PHP 5.2 — according to the constraints in composer.json — I added a version check to prevent this method from being called (and trigger a notice) on PHP >=7.4. See: https://www.php.net/manual/en/function.get-magic-quotes-gpc.php	2020-09-30 20:19:10 -04:00
kishor	6aa4166b7e	Issue-256: Fix PHP 7.3 compatibility issues update zend.ze1_compatibility_mode mode (#267 )	2020-09-15 20:12:43 -04:00
kishor	4285590c90	issue-256: Fix PHP 7.3 compatibility issues (#266 )	2020-09-15 12:38:39 -04:00
LeSuisse	15258fd24e	Fix typo in the 4.13.0 NEWS: PHP 6.4 never existed (#262 ) Corresponding PRs (#230, #242) are about PHP 7.4 and PHP 6.4 has never existed 🙂.	2020-07-06 14:36:33 -04:00
Edward Z. Yang	08e27c97e4	Release 4.13.0 Signed-off-by: Edward Z. Yang <ezyang@mit.edu>	2020-06-28 20:56:53 -04:00
Edward Z. Yang	d7be9d2a8c	Update changelog Signed-off-by: Edward Z. Yang <ezyang@mit.edu>	2020-06-28 20:55:45 -04:00
Edward Z. Yang	ce7efc11b2	Delete language tests that are interfering with PSR-0 compatibility Signed-off-by: Edward Z. Yang <ezyang@mit.edu>	2020-06-28 20:38:16 -04:00
Mateusz Turcza	3bdc031224	Add %HTML.Forms config directive (#260 ) The %HTML.Forms directive enables Forms module regardless of the %HTML.Trusted value. This adds support for form elements without enabling other unsafe modules, such as Scripts, Iframe or Object. To achieve the same effect without this directive one has to explicitly list all enabled modules in %HTML.AllowedModules, and any not listed will be removed. This however is not very convenient, as the allowed modules may vary between doctypes. Resolves #213.	2020-06-28 20:26:33 -04:00
Sergei Morozov	d148edbcf1	Exclude more resources from the distribution package (#257 )	2020-06-06 10:29:01 -04:00
Fräntz Miccoli	ced089434d	Make purifyArray work with empty array (#245 )	2020-02-22 12:12:02 -05:00
Kieran	c2c91f52d0	Added tr@bgcolor to tidy (#244 )	2020-02-22 12:10:30 -05:00
Eloy Lafuente	37dd61c45f	Correct implode() params for php74 compliance (#243 ) Passing parameters to implode() in reverse order is deprecated, use implode($glue, $parts) instead of implode($parts, $glue). Part of https://tracker.moodle.org/browse/MDL-67115	2020-01-21 11:17:18 -05:00
Witold Wasiczko	d15890222b	Add support for stable php 7.4 (#242 )	2020-01-02 06:58:15 -05:00
Anders Jenbo	fe0452d688	Correct typehinting of maybeGet* (#240 ) getDefinition can return null, this wasn't properly hinted leaning to false error detections with static analyzers	2019-12-04 10:29:08 -05:00
lubomirbartos	df923d1f15	Issue 238 remove leading zeroes except if there is only zero (#239 ) * Issue 238 remove leading zeroes except if there is only zero * Issue-238 unit test fixes	2019-11-21 10:05:07 -05:00
Jordi Boggiano	4faca32a4d	Exclude language classes from autoloader optimization (#236 ) These classes are autoloaded by a custom autoloader	2019-10-31 13:42:00 -04:00
Edward Z. Yang	a617e55bc6	Release 4.12.0 Signed-off-by: Edward Z. Yang <ezyang@mit.edu>	2019-10-27 23:44:26 -04:00
Edward Z. Yang	3060a5606c	Update changelog Signed-off-by: Edward Z. Yang <ezyang@mit.edu>	2019-10-27 23:42:45 -04:00
Edward Z. Yang	b4ec8c8036	Merge remote-tracking branch 'ezyang/master'	2019-10-27 23:40:25 -04:00
Mateusz Turcza	06b3fc4cf4	Fix phpdoc params in HTMLModule::addElement() and Bool attr (#233 )	2019-10-25 10:07:38 -04:00
Witold Wasiczko	c6ca293eab	Add support for PHP 7.4 (#230 ) * Add php7.4 * 7.4 cannot fail * Disallow failures	2019-09-11 20:25:44 -04:00
Mateusz Turcza	ab2887e423	Fix DOM Lexer for PHP versions older than 5.4 (#225 )	2019-08-09 17:01:13 -04:00
Mateusz Turcza	029d1df5e3	Fix PHP 5.4 and 5.5 builds on Travis CI (#227 )	2019-08-09 09:45:41 -04:00
Edi Modrić	b88fcd180c	Replace curly braces with square brackets in string offsets (#224 )	2019-07-30 22:50:43 -04:00
@@ -1 +1 @@
 .11.0
 .17.0