Release 4.14.0

Signed-off-by: Edward Z. Yang <ezyang@mit.edu>

.gitattributes

@@ -1,6 +1,6 @@
 /.gitattributes export-ignore
+/.github export-ignore
 /.gitignore export-ignore
-/.travis.yml export-ignore
 /art export-ignore
 /benchmarks export-ignore
 /configdoc export-ignore

.github/workflows/ci.yml

@@ -0,0 +1,33 @@
+name: ci
+
+on:
+  push:
+  pull_request:
+
+jobs:
+  linux_tests:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: true
+      matrix:
+        php: [5.4, 5.5, 5.6, 7.0, 7.1, 7.2, 7.3, 7.4, 8.0]
+
+    name: PHP ${{ matrix.php }}
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+
+      - name: Setup PHP
+        uses: shivammathur/setup-php@v2
+        with:
+          php-version: ${{ matrix.php }}
+
+      - name: Clone simpletest
+        run: git clone --depth=50 https://github.com/ezyang/simpletest.git
+
+      - name: Configure simpletest
+        run: cp test-settings.travis.php test-settings.php
+
+      - name: Execute Unit tests
+        run: php tests/index.php

.travis.yml

@@ -1,19 +0,0 @@
-language: php
-php:
-    - '5.6'
-    - '7.0'
-    - '7.1'
-    - '7.2'
-    - '7.3'
-    - '7.4'
-matrix:
-    include:
-        - php: '5.4'
-          dist: trusty
-        - php: '5.5'
-          dist: trusty
-before_script:
-    - git clone --depth=50 https://github.com/ezyang/simpletest.git
-    - cp test-settings.travis.php test-settings.php
-script:
-    - php tests/index.php

Doxyfile

@@ -31,7 +31,7 @@ PROJECT_NAME           = HTMLPurifier
 # This could be handy for archiving the generated documentation or
 # if some version control system is used.
 
-PROJECT_NUMBER         = 4.13.0
+PROJECT_NUMBER         = 4.14.0
 
 # The OUTPUT_DIRECTORY tag is used to specify the (relative or absolute)
 # base path where the generated documentation will be put.

NEWS

@@ -9,6 +9,21 @@ NEWS ( CHANGELOG and HISTORY )                                     HTMLPurifier
     . Internal change
 ==========================
 
+4.14.0, released 2021-12-24
+! Add "background-size" support (#289), contributed by Václav Smítal
+! Transform deprecated width attribute when tidying HTML, contributed by
+  Kieran.
+- PHP 8 support, contributed by Maksims Sļotovs.
+- Improved PHP 7.3 compatibility, contributed by kishor.
+- Avoid spurious magic quotes notice in PHP 7.4.  Thanks
+  Jasper Zonneveld for the fix.
+- Do not remove thead from table even if there are no tbody/tr (#264).
+  Thanks Marcus Artner for the fix.
+- Fix "Parameter must be an array or an object that implements
+  Countable" (#285)".  Thanks Kieran for this fix.
+. Fix unnecessary reference assignment, handling behavior change from
+  PHP5 and PHP7.  Thanks Arkadiusz Biczewski for the fix.
+
 4.13.0, released 2020-06-28
 ! Add %HTML.Forms directive, which lets you accept forms in user
   HTML without requiring full %HTML.Trusted.  Note that forms can
@@ -18,7 +33,7 @@ NEWS ( CHANGELOG and HISTORY )                                     HTMLPurifier
   Thanks Mateusz Turcza for contributing this feature.
 ! tr@bgcolor attribute is now supported.  Thanks Kieran Brahney
   for this enhancement.
-- Further improvements to PHP 6.4 support, contributed by Witold
+- Further improvements to PHP 7.4 support, contributed by Witold
   Wasiczko and Eloy Lafuente.
 - Fix PSR-0 compatibility.  Thanks Jordi Boggiano for contributing
   part of this fix.

README.md

@@ -1,4 +1,4 @@
-HTML Purifier [![Build Status](https://secure.travis-ci.org/ezyang/htmlpurifier.svg?branch=master)](http://travis-ci.org/ezyang/htmlpurifier)
+HTML Purifier [![Build Status](https://github.com/ezyang/htmlpurifier/actions/workflows/ci.yml/badge.svg?branch=master)](https://github.com/ezyang/htmlpurifier/actions/workflows/ci.yml)
 =============
 
 HTML Purifier is an HTML filtering solution that uses a unique combination

VERSION

@@ -1 +1 @@
-4.13.0
+4.14.0

WHATSNEW

@@ -1,4 +1,4 @@
-HTML Purifier 4.13.x is a maintenance release which fixes
-PSR-0 compatibility of our package.  There are also a few
-new features (%HTML.Forms and tg@bgcolor support) and
-a number of minor bugfixes.
+HTML Purifier 4.14.x is a maintenance release which improves
+PHP7 and PHP8 compatibility.  There are also some minor new features
+(background-size) and some miscellaneous fixes to remove notices
+from recent versions of PHP.

composer.json

@@ -15,9 +15,6 @@
     "require": {
         "php": ">=5.2"
     },
-    "require-dev": {
-        "simpletest/simpletest": "dev-master#72de02a7b80c6bb8864ef9bf66d41d2f58f826bd"
-    },
     "autoload": {
         "psr-0": { "HTMLPurifier": "library/" },
         "files": ["library/HTMLPurifier.composer.php"],

configdoc/usage.xml

@@ -19,37 +19,37 @@
  </directive>
  <directive id="CSS.MaxImgLength">
   <file name="HTMLPurifier/CSSDefinition.php">
-   <line>240</line>
+   <line>256</line>
   </file>
  </directive>
  <directive id="CSS.Proprietary">
   <file name="HTMLPurifier/CSSDefinition.php">
-   <line>365</line>
+   <line>381</line>
   </file>
  </directive>
  <directive id="CSS.AllowTricky">
   <file name="HTMLPurifier/CSSDefinition.php">
-   <line>369</line>
+   <line>385</line>
   </file>
  </directive>
  <directive id="CSS.Trusted">
   <file name="HTMLPurifier/CSSDefinition.php">
-   <line>373</line>
+   <line>389</line>
   </file>
  </directive>
  <directive id="CSS.AllowImportant">
   <file name="HTMLPurifier/CSSDefinition.php">
-   <line>377</line>
+   <line>393</line>
   </file>
  </directive>
  <directive id="CSS.AllowedProperties">
   <file name="HTMLPurifier/CSSDefinition.php">
-   <line>506</line>
+   <line>522</line>
   </file>
  </directive>
  <directive id="CSS.ForbiddenProperties">
   <file name="HTMLPurifier/CSSDefinition.php">
-   <line>522</line>
+   <line>538</line>
   </file>
  </directive>
  <directive id="Cache.DefinitionImpl">

library/HTMLPurifier.autoload-legacy.php

@@ -4,12 +4,11 @@
  * @file
  * Legacy autoloader for systems lacking spl_autoload_register
  *
- * Must be separate to prevent deprecation warning on PHP 7.2
  */
 
-function __autoload($class)
+spl_autoload_register(function($class)
 {
-    return HTMLPurifier_Bootstrap::autoload($class);
-}
+     return HTMLPurifier_Bootstrap::autoload($class);
+});
 
 // vim: et sw=4 sts=4

library/HTMLPurifier.autoload.php

@@ -17,6 +17,7 @@ if (function_exists('spl_autoload_register') && function_exists('spl_autoload_un
     require dirname(__FILE__) . '/HTMLPurifier.autoload-legacy.php';
 }
 
+// phpcs:ignore PHPCompatibility.IniDirectives.RemovedIniDirectives.zend_ze1_compatibility_modeRemoved
 if (ini_get('zend.ze1_compatibility_mode')) {
     trigger_error("HTML Purifier is not compatible with zend.ze1_compatibility_mode; please turn it off", E_USER_ERROR);
 }

library/HTMLPurifier.includes.php

@@ -7,7 +7,7 @@
  * primary concern and you are using an opcode cache. PLEASE DO NOT EDIT THIS
  * FILE, changes will be overwritten the next time the script is run.
  *
- * @version 4.13.0
+ * @version 4.14.0
  *
  * @warning
  *      You must *not* include any other HTML Purifier files before this file,

library/HTMLPurifier.php

@@ -19,7 +19,7 @@
  */
 
 /*
-    HTML Purifier 4.13.0 - Standards Compliant HTML Filtering
+    HTML Purifier 4.14.0 - Standards Compliant HTML Filtering
     Copyright (C) 2006-2008 Edward Z. Yang
 
     This library is free software; you can redistribute it and/or
@@ -58,12 +58,12 @@ class HTMLPurifier
      * Version of HTML Purifier.
      * @type string
      */
-    public $version = '4.13.0';
+    public $version = '4.14.0';
 
     /**
      * Constant with version of HTML Purifier.
      */
-    const VERSION = '4.13.0';
+    const VERSION = '4.14.0';
 
     /**
      * Global configuration object.

library/HTMLPurifier/AttrDef/CSS/Background.php

@@ -25,6 +25,7 @@ class HTMLPurifier_AttrDef_CSS_Background extends HTMLPurifier_AttrDef
         $this->info['background-repeat'] = $def->info['background-repeat'];
         $this->info['background-attachment'] = $def->info['background-attachment'];
         $this->info['background-position'] = $def->info['background-position'];
+        $this->info['background-size'] = $def->info['background-size'];
     }
 
     /**
@@ -53,6 +54,7 @@ class HTMLPurifier_AttrDef_CSS_Background extends HTMLPurifier_AttrDef
         $caught['repeat'] = false;
         $caught['attachment'] = false;
         $caught['position'] = false;
+        $caught['size'] = false;
 
         $i = 0; // number of catches
 

library/HTMLPurifier/CSSDefinition.php

@@ -109,6 +109,22 @@ class HTMLPurifier_CSSDefinition extends HTMLPurifier_Definition
         );
         $this->info['background-position'] = new HTMLPurifier_AttrDef_CSS_BackgroundPosition();
 
+        $this->info['background-size'] = new HTMLPurifier_AttrDef_CSS_Composite(
+            array(
+                new HTMLPurifier_AttrDef_Enum(
+                    array(
+                        'auto',
+                        'cover',
+                        'contain',
+                        'initial',
+                        'inherit',
+                    )
+                ),
+                new HTMLPurifier_AttrDef_CSS_Percentage(),
+                new HTMLPurifier_AttrDef_CSS_Length()
+            )
+        );
+
         $border_color =
             $this->info['border-top-color'] =
             $this->info['border-bottom-color'] =

library/HTMLPurifier/ChildDef/Table.php

@@ -164,7 +164,7 @@ class HTMLPurifier_ChildDef_Table extends HTMLPurifier_ChildDef
             }
         }
 
-        if (empty($content)) {
+        if (empty($content) && $thead === false && $tfoot === false) {
             return false;
         }
 

library/HTMLPurifier/Config.php

@@ -21,7 +21,7 @@ class HTMLPurifier_Config
      * HTML Purifier's version
      * @type string
      */
-    public $version = '4.13.0';
+    public $version = '4.14.0';
 
     /**
      * Whether or not to automatically finalize
@@ -803,7 +803,7 @@ class HTMLPurifier_Config
         if ($index !== false) {
             $array = (isset($array[$index]) && is_array($array[$index])) ? $array[$index] : array();
         }
-        $mq = $mq_fix && function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
+        $mq = $mq_fix && version_compare(PHP_VERSION, '7.4.0', '<') && function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
 
         $allowed = HTMLPurifier_Config::getAllowedDirectivesForForm($allowed, $schema);
         $ret = array();

library/HTMLPurifier/HTMLModule.php

@@ -257,8 +257,9 @@ class HTMLPurifier_HTMLModule
      */
     public function makeLookup($list)
     {
+        $args = func_get_args();
         if (is_string($list)) {
-            $list = func_get_args();
+            $list = $args;
         }
         $ret = array();
         foreach ($list as $value) {

library/HTMLPurifier/HTMLModule/Tidy.php

@@ -146,10 +146,7 @@ class HTMLPurifier_HTMLModule_Tidy extends HTMLPurifier_HTMLModule
                         $type = "info_$type";
                         $e = $this;
                     }
-                    // PHP does some weird parsing when I do
-                    // $e->$type[$attr], so I have to assign a ref.
-                    $f =& $e->$type;
-                    $f[$attr] = $fix;
+                    $e->{$type}[$attr] = $fix;
                     break;
                 case 'tag_transform':
                     $this->info_tag_transform[$params['element']] = $fix;

library/HTMLPurifier/HTMLModule/Tidy/XHTMLAndHTML4.php

@@ -168,9 +168,11 @@ class HTMLPurifier_HTMLModule_Tidy_XHTMLAndHTML4 extends HTMLPurifier_HTMLModule
         // @vspace for img ------------------------------------------------
         $r['img@vspace'] = new HTMLPurifier_AttrTransform_ImgSpace('vspace');
 
-        // @width for hr, td, th ------------------------------------------
+        // @width for table, hr, td, th, col ------------------------------------------
+        $r['table@width'] =
         $r['td@width'] =
         $r['th@width'] =
+        $r['col@width'] =
         $r['hr@width'] = new HTMLPurifier_AttrTransform_Length('width');
 
         return $r;

library/HTMLPurifier/Injector/Linkify.php

@@ -40,6 +40,9 @@ class HTMLPurifier_Injector_Linkify extends HTMLPurifier_Injector
             '/\\b((?:[a-z][\\w\\-]+:(?:\\/{1,3}|[a-z0-9%])|www\\d{0,3}[.]|[a-z0-9.\\-]+[.][a-z]{2,4}\\/)(?:[^\\s()<>]|\\((?:[^\\s()<>]|(?:\\([^\\s()<>]+\\)))*\\))+(?:\\((?:[^\\s()<>]|(?:\\([^\\s()<>]+\\)))*\\)|[^\\s`!()\\[\\]{};:\'".,<>?\x{00ab}\x{00bb}\x{201c}\x{201d}\x{2018}\x{2019}]))/iu',
             $token->data, -1, PREG_SPLIT_DELIM_CAPTURE);
 
+        if ($bits === false) {
+            return;
+        }
 
         $token = array();
 

tests/HTMLPurifier/AttrDef/CSSTest.php

@@ -92,6 +92,9 @@ class HTMLPurifier_AttrDef_CSSTest extends HTMLPurifier_AttrDefHarness
         $this->assertDef('background-repeat:repeat-y;');
         $this->assertDef('background-attachment:fixed;');
         $this->assertDef('background-position:left 90%;');
+        $this->assertDef('background-size:50%;');
+        $this->assertDef('background-size:cover;');
+        $this->assertDef('background-size:200px;');
         $this->assertDef('border-spacing:1em;');
         $this->assertDef('border-spacing:1em 2em;');
         $this->assertDef('border-color: rgb(0, 0, 0) rgb(10,0,10)', 'border-color:rgb(0,0,0) rgb(10,0,10);');

tests/HTMLPurifier/ChildDef/TableTest.php

@@ -44,6 +44,22 @@ class HTMLPurifier_ChildDef_TableTest extends HTMLPurifier_ChildDefHarness
         );
     }
 
+    public function testTheadOnlyNotRemoved()
+    {
+        $this->assertResult(
+            '<thead><tr><th>a</th></tr></thead>',
+            '<thead><tr><th>a</th></tr></thead>'
+        );
+    }
+
+    public function testTbodyOnlyNotRemoved()
+    {
+        $this->assertResult(
+            '<tbody><tr><th>a</th></tr></tbody>',
+            '<tbody><tr><th>a</th></tr></tbody>'
+        );
+    }
+
     public function testTrOverflowAndClose()
     {
         $this->assertResult(