Release 4.7.0.

Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>

.gitattributes

@@ -1 +1,12 @@
-configdoc/usage.xml -crlf
+/.gitattributes export-ignore
+/.gitignore export-ignore
+/Doxyfile export-ignore
+/art/ export-ignore
+/benchmarks/ export-ignore
+/configdoc/ export-ignore
+/configdoc/usage.xml -crlf
+/docs/ export-ignore
+/maintenance/ export-ignore
+/phpdoc.ini
+/smoketests/ export-ignore
+/tests/ export-ignore

Doxyfile

@@ -31,7 +31,7 @@ PROJECT_NAME           = HTMLPurifier
 # This could be handy for archiving the generated documentation or
 # if some version control system is used.
 
-PROJECT_NUMBER         = 4.6.0
+PROJECT_NUMBER         = 4.7.0
 
 # The OUTPUT_DIRECTORY tag is used to specify the (relative or absolute)
 # base path where the generated documentation will be put.

FOCUS

@@ -1,13 +0,0 @@
-9 - Major security fixes
-
-[ Appendix A: Release focus IDs ]
-0 - N/A
-1 - Initial freshmeat announcement
-2 - Documentation
-3 - Code cleanup
-4 - Minor feature enhancements
-5 - Major feature enhancements
-6 - Minor bugfixes
-7 - Major bugfixes
-8 - Minor security fixes
-9 - Major security fixes

INSTALL.fr.utf8

@@ -2,68 +2,59 @@
 Installation
     Comment installer HTML Purifier
 
-Attention: Ce document a encode en UTF-8. Si les lettres avec les accents
-est essoreuse, prenez un mieux editeur de texte.
-
-À L'Aide: Je ne suis pas un diseur natif de français. Si vous trouvez une
-erreur dans ce document, racontez-moi! Merci.
-
-
-L'installation de HTML Purifier est trés simple, parce qu'il ne doit pas
-la configuration.  Dans le pied de de document, les utilisateurs
-impatient peuvent trouver le code, mais je recommande que vous lisez
-ce document pour quelques choses.
+Attention : Ce document est encodé en UTF-8, si les lettres avec des accents
+ne s'affichent pas, prenez un meilleur éditeur de texte.
 
+L'installation de HTML Purifier est très simple, parce qu'il n'a pas besoin
+de configuration. Pour les utilisateurs impatients, le code se trouve dans le
+pied de page, mais je recommande de lire le document.
 
 1.  Compatibilité
 
-HTML Purifier fonctionne dans PHP 5. PHP 5.0.5 est le dernier
-version que je le testais.  Il ne dépend de les autre librairies.
+HTML Purifier fonctionne avec PHP 5. PHP 5.0.5 est la dernière version testée.
+Il ne dépend pas d'autres librairies.
 
-Les extensions optionnel est iconv (en général déjà installer) et
-tidy (répandu aussi). Si vous utilisez UTF-8 et ne voulez pas
-l'indentation, vous pouvez utiliser HTML Purifier sans ces extensions.
+Les extensions optionnelles sont iconv (généralement déjà installée) et tidy
+(répendue aussi). Si vous utilisez UTF-8 et que vous ne voulez pas l'indentation,
+vous pouvez utiliser HTML Purifier sans ces extensions.
 
 
-2.  Inclure la librarie
+2.  Inclure la librairie
 
-Utilisez:
+Quand vous devez l'utilisez, incluez le :
 
-    require_once '/path/to/library/HTMLPurifier.auto.php';
+    require_once('/path/to/library/HTMLPurifier.auto.php');
 
-...quand vous devez utiliser HTML Purifier (ne inclure pas quand vous
-ne devez pas, parce que HTML Purifier est trés grand.)
+Ne pas l'inclure si ce n'est pas nécessaire, car HTML Purifier est lourd.
 
-HTML Purifier utilise 'autoload'. Si vous avez définu la fonction
-__autoload, vous doivez ajoute cet programme:
+HTML Purifier utilise "autoload". Si vous avez défini la fonction __autoload,
+vous devez ajouter cette fonction :
 
     spl_autoload_register('__autoload')
 
-Plus d'information est dans le document 'INSTALL'.
+Plus d'informations dans le document "INSTALL".
 
+3.  Installation rapide
 
-3.   Installation vite
-
-Si votre site web est en UTF-8 et XHTML Transitional, utilisez:
+Si votre site Web est en UTF-8 et XHTML Transitional, utilisez :
 
 <?php
-    require_once '/path/to/htmlpurifier/library/HTMLPurifier.auto.php';
-
+    require_once('/path/to/htmlpurifier/library/HTMLPurifier.auto.php');
     $purificateur = new HTMLPurifier();
-    $html_propre = $purificateur->purify($html_salle);
+    $html_propre = $purificateur->purify($html_a_purifier);
 ?>
 
-Sinon, utilisez:
+Sinon, utilisez :
 
 <?php
-    require_once '/path/to/htmlpurifier/library/HTMLPurifier.auto.php';
-
-    $config = HTMLPurifier_Config::createDefault();
-    $config->set('Core', 'Encoding', 'ISO-8859-1'); //remplacez avec votre encoding
-    $config->set('Core', 'XHTML', true); //remplacez avec false si HTML 4.01
+    require_once('/path/to/html/purifier/library/HTMLPurifier.auto.load');
+    $config = $HTMLPurifier_Config::createDefault();
+    $config->set('Core', 'Encoding', 'ISO-8859-1'); //Remplacez par votre
+    encodage
+    $config->set('Core', 'XHTML', true); //Remplacer par false si HTML 4.01
     $purificateur = new HTMLPurifier($config);
-
-    $html_propre = $purificateur->purify($html_salle);
+    $html_propre = $purificateur->purify($html_a_purifier);
 ?>
 
+
     vim: et sw=4 sts=4

NEWS

@@ -9,6 +9,22 @@ NEWS ( CHANGELOG and HISTORY )                                     HTMLPurifier
     . Internal change
 ==========================
 
+4.7.0, released 2015-08-04
+# opacity is now considered a "tricky" CSS property rather than a
+  proprietary one.
+! %AutoFormat.RemoveEmpty.Predicate for specifying exactly when
+  an element should be considered "empty" (maybe preserve if it
+  has attributes), and modify iframe support so that the iframe
+  is removed if it is missing a src attribute.  Thanks meeva for
+  reporting.
+- Don't truncate upon encountering </div> when using DOMLex.  Thanks
+  Myrto Christina for finally convincing me to fix this.
+- Update YouTube filter for new code.
+- Fix parsing of rgb() values with spaces in them for 'border'
+  attribute.
+- Don't remove foo="" attributes if foo is a boolean attribute.  Thanks
+  valME for reporting.
+
 4.6.0, released 2013-11-30
 # Secure URI munge hashing algorithm has changed to hash_hmac("sha256", $url, $secret).
   Please update any verification scripts you may have.

TODO

@@ -32,7 +32,7 @@ Things to do as soon as possible:
 FUTURE VERSIONS
 ---------------
 
-4.6 release [OMG CONFIG PONIES]
+4.8 release [OMG CONFIG PONIES]
  ! Fix Printer. It's from the old days when we didn't have decent XML classes
  ! Factor demo.php into a set of Printer classes, and then create a stub
    file for users here (inside the actual HTML Purifier library)

VERSION

@@ -1 +1 @@
-4.6.0
+4.7.0

WHATSNEW

@@ -1,5 +1,4 @@
-HTML Purifier 4.6.0 is a major security release, fixing numerous bad
-quadratic asymptotics in HTML Purifier's core algorithms.  Most users will
-see a decent speedup on large inputs, although small inputs may take
-longer.  Additionally, the secure URI munging algorithm has changed to
-do a proper HMAC.  There are some other miscellaneous bugfixes as well.
+HTML Purifier 4.7.0 is a bugfix release, collecting two years
+worth of accumulated bug fixes.  Highlighted bugfixes are updated
+YouTube filter code, corrected rgb() CSS parsing, and one new
+configuration option, %AutoFormat.RemoveEmpty.Predicate.

configdoc/usage.xml

@@ -481,6 +481,11 @@
    <line>47</line>
   </file>
  </directive>
+ <directive id="AutoFormat.RemoveEmpty.Predicate">
+  <file name="HTMLPurifier/Injector/RemoveEmpty.php">
+   <line>48</line>
+  </file>
+ </directive>
  <directive id="Core.AggressivelyFixLt">
   <file name="HTMLPurifier/Lexer/DOMLex.php">
    <line>54</line>

library/HTMLPurifier.composer.php

@@ -1,4 +1,4 @@
 <?php
 if (!defined('HTMLPURIFIER_PREFIX')) {
-    define('HTMLPURIFIER_PREFIX', __DIR__);
+    define('HTMLPURIFIER_PREFIX', dirname(__FILE__));
 }

library/HTMLPurifier.includes.php

@@ -7,7 +7,7 @@
  * primary concern and you are using an opcode cache. PLEASE DO NOT EDIT THIS
  * FILE, changes will be overwritten the next time the script is run.
  *
- * @version 4.6.0
+ * @version 4.7.0
  *
  * @warning
  *      You must *not* include any other HTML Purifier files before this file,

library/HTMLPurifier.php

@@ -19,7 +19,7 @@
  */
 
 /*
-    HTML Purifier 4.6.0 - Standards Compliant HTML Filtering
+    HTML Purifier 4.7.0 - Standards Compliant HTML Filtering
     Copyright (C) 2006-2008 Edward Z. Yang
 
     This library is free software; you can redistribute it and/or
@@ -58,12 +58,12 @@ class HTMLPurifier
      * Version of HTML Purifier.
      * @type string
      */
-    public $version = '4.6.0';
+    public $version = '4.7.0';
 
     /**
      * Constant with version of HTML Purifier.
      */
-    const VERSION = '4.6.0';
+    const VERSION = '4.7.0';
 
     /**
      * Global configuration object.

library/HTMLPurifier/AttrDef/CSS/Multiple.php

@@ -44,7 +44,7 @@ class HTMLPurifier_AttrDef_CSS_Multiple extends HTMLPurifier_AttrDef
      */
     public function validate($string, $config, $context)
     {
-        $string = $this->parseCDATA($string);
+        $string = $this->mungeRgb($this->parseCDATA($string));
         if ($string === '') {
             return false;
         }

library/HTMLPurifier/AttrDef/HTML/Bool.php

@@ -32,9 +32,6 @@ class HTMLPurifier_AttrDef_HTML_Bool extends HTMLPurifier_AttrDef
      */
     public function validate($string, $config, $context)
     {
-        if (empty($string)) {
-            return false;
-        }
         return $this->name;
     }
 

library/HTMLPurifier/CSSDefinition.php

@@ -350,8 +350,7 @@ class HTMLPurifier_CSSDefinition extends HTMLPurifier_Definition
         $this->info['scrollbar-highlight-color'] = new HTMLPurifier_AttrDef_CSS_Color();
         $this->info['scrollbar-shadow-color'] = new HTMLPurifier_AttrDef_CSS_Color();
 
-        // technically not proprietary, but CSS3, and no one supports it
-        $this->info['opacity'] = new HTMLPurifier_AttrDef_CSS_AlphaValue();
+        // vendor specific prefixes of opacity
         $this->info['-moz-opacity'] = new HTMLPurifier_AttrDef_CSS_AlphaValue();
         $this->info['-khtml-opacity'] = new HTMLPurifier_AttrDef_CSS_AlphaValue();
 
@@ -404,6 +403,7 @@ class HTMLPurifier_CSSDefinition extends HTMLPurifier_Definition
             array('visible', 'hidden', 'collapse')
         );
         $this->info['overflow'] = new HTMLPurifier_AttrDef_Enum(array('visible', 'hidden', 'auto', 'scroll'));
+        $this->info['opacity'] = new HTMLPurifier_AttrDef_CSS_AlphaValue();
     }
 
     /**

library/HTMLPurifier/Config.php

@@ -21,7 +21,7 @@ class HTMLPurifier_Config
      * HTML Purifier's version
      * @type string
      */
-    public $version = '4.6.0';
+    public $version = '4.7.0';
 
     /**
      * Whether or not to automatically finalize
@@ -646,16 +646,25 @@ class HTMLPurifier_Config
         return $this->getDefinition($name, true, true);
     }
 
+    /**
+     * @return HTMLPurifier_HTMLDefinition
+     */
     public function maybeGetRawHTMLDefinition()
     {
         return $this->getDefinition('HTML', true, true);
     }
-
+    
+    /**
+     * @return HTMLPurifier_CSSDefinition
+     */
     public function maybeGetRawCSSDefinition()
     {
         return $this->getDefinition('CSS', true, true);
     }
-
+    
+    /**
+     * @return HTMLPurifier_URIDefinition
+     */
     public function maybeGetRawURIDefinition()
     {
         return $this->getDefinition('URI', true, true);

library/HTMLPurifier/ConfigSchema/schema/AutoFormat.RemoveEmpty.Predicate.txt

@@ -0,0 +1,14 @@
+AutoFormat.RemoveEmpty.Predicate
+TYPE: hash
+VERSION: 4.7.0
+DEFAULT: array('colgroup' => array(), 'th' => array(), 'td' => array(), 'iframe' => array('src'))
+--DESCRIPTION--
+<p>
+  Given that an element has no contents, it will be removed by default, unless
+  this predicate dictates otherwise.  The predicate can either be an associative
+  map from tag name to list of attributes that must be present for the element
+  to be considered preserved: thus, the default always preserves <code>colgroup</code>,
+  <code>th</code> and <code>td</code>, and also <code>iframe</code> if it
+  has a <code>src</code>.
+</p>
+--# vim: et sw=4 sts=4

library/HTMLPurifier/ConfigSchema/schema/HTML.CustomDoctype.txt

@@ -4,6 +4,6 @@ VERSION: 2.0.1
 DEFAULT: NULL
 --DESCRIPTION--
 
-A custom doctype for power-users who defined there own document
+A custom doctype for power-users who defined their own document
 type. This directive only applies when %HTML.Doctype is blank.
 --# vim: et sw=4 sts=4

library/HTMLPurifier/DefinitionCache/Serializer.php

@@ -219,9 +219,15 @@ class HTMLPurifier_DefinitionCache_Serializer extends HTMLPurifier_DefinitionCac
             } elseif (!$this->_testPermissions($base, $chmod)) {
                 return false;
             }
-            $old = umask(0000);
             mkdir($directory, $chmod);
-            umask($old);
+            if (!$this->_testPermissions($directory, $chmod)) {
+                trigger_error(
+                    'Base directory ' . $base . ' does not exist,
+                    please create or change using %Cache.SerializerPath',
+                    E_USER_WARNING
+                );
+                return false;
+            }
         } elseif (!$this->_testPermissions($directory, $chmod)) {
             return false;
         }

library/HTMLPurifier/Filter/YouTube.php

@@ -17,7 +17,7 @@ class HTMLPurifier_Filter_YouTube extends HTMLPurifier_Filter
     public function preFilter($html, $config, $context)
     {
         $pre_regex = '#<object[^>]+>.+?' .
-            'http://www.youtube.com/((?:v|cp)/[A-Za-z0-9\-_=]+).+?</object>#s';
+            '(?:http:)?//www.youtube.com/((?:v|cp)/[A-Za-z0-9\-_=]+).+?</object>#s';
         $pre_replace = '<span class="youtube-embed">\1</span>';
         return preg_replace($pre_regex, $pre_replace, $html);
     }
@@ -51,10 +51,10 @@ class HTMLPurifier_Filter_YouTube extends HTMLPurifier_Filter
     {
         $url = $this->armorUrl($matches[1]);
         return '<object width="425" height="350" type="application/x-shockwave-flash" ' .
-        'data="http://www.youtube.com/' . $url . '">' .
-        '<param name="movie" value="http://www.youtube.com/' . $url . '"></param>' .
+        'data="//www.youtube.com/' . $url . '">' .
+        '<param name="movie" value="//www.youtube.com/' . $url . '"></param>' .
         '<!--[if IE]>' .
-        '<embed src="http://www.youtube.com/' . $url . '"' .
+        '<embed src="//www.youtube.com/' . $url . '"' .
         'type="application/x-shockwave-flash"' .
         'wmode="transparent" width="425" height="350" />' .
         '<![endif]-->' .

library/HTMLPurifier/Injector/RemoveEmpty.php

@@ -28,10 +28,10 @@ class HTMLPurifier_Injector_RemoveEmpty extends HTMLPurifier_Injector
     private $removeNbspExceptions;
 
     /**
+     * Cached contents of %AutoFormat.RemoveEmpty.Predicate
      * @type array
-     * TODO: make me configurable
      */
-    private $_exclude = array('colgroup' => 1, 'th' => 1, 'td' => 1, 'iframe' => 1);
+    private $exclude;
 
     /**
      * @param HTMLPurifier_Config $config
@@ -45,6 +45,7 @@ class HTMLPurifier_Injector_RemoveEmpty extends HTMLPurifier_Injector
         $this->context = $context;
         $this->removeNbsp = $config->get('AutoFormat.RemoveEmpty.RemoveNbsp');
         $this->removeNbspExceptions = $config->get('AutoFormat.RemoveEmpty.RemoveNbsp.Exceptions');
+        $this->exclude = $config->get('AutoFormat.RemoveEmpty.Predicate');
         $this->attrValidator = new HTMLPurifier_AttrValidator();
     }
 
@@ -75,11 +76,15 @@ class HTMLPurifier_Injector_RemoveEmpty extends HTMLPurifier_Injector
             break;
         }
         if (!$next || ($next instanceof HTMLPurifier_Token_End && $next->name == $token->name)) {
-            if (isset($this->_exclude[$token->name])) {
-                return;
-            }
             $this->attrValidator->validateToken($token, $this->config, $this->context);
             $token->armor['ValidateAttributes'] = true;
+            if (isset($this->exclude[$token->name])) {
+                $r = true;
+                foreach ($this->exclude[$token->name] as $elem) {
+                    if (!isset($token->attr[$elem])) $r = false;
+                }
+                if ($r) return;
+            }
             if (isset($token->attr['id']) || isset($token->attr['name'])) {
                 return;
             }

library/HTMLPurifier/Lexer/DOMLex.php

@@ -75,8 +75,7 @@ class HTMLPurifier_Lexer_DOMLex extends HTMLPurifier_Lexer
         $tokens = array();
         $this->tokenizeDOM(
             $doc->getElementsByTagName('html')->item(0)-> // <html>
-            getElementsByTagName('body')->item(0)-> //   <body>
-            getElementsByTagName('div')->item(0), //     <div>
+            getElementsByTagName('body')->item(0), //   <body>
             $tokens
         );
         return $tokens;
@@ -272,7 +271,7 @@ class HTMLPurifier_Lexer_DOMLex extends HTMLPurifier_Lexer
         $ret .= '<html><head>';
         $ret .= '<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />';
         // No protection if $html contains a stray </div>!
-        $ret .= '</head><body><div>' . $html . '</div></body></html>';
+        $ret .= '</head><body>' . $html . '</body></html>';
         return $ret;
     }
 }

library/HTMLPurifier/Lexer/PH5P.php

@@ -34,8 +34,7 @@ class HTMLPurifier_Lexer_PH5P extends HTMLPurifier_Lexer_DOMLex
         $tokens = array();
         $this->tokenizeDOM(
             $doc->getElementsByTagName('html')->item(0)-> // <html>
-                getElementsByTagName('body')->item(0)-> //   <body>
-                getElementsByTagName('div')->item(0) //     <div>
+                getElementsByTagName('body')->item(0) //   <body>
             ,
             $tokens
         );

maintenance/add-vimline.php

@@ -35,7 +35,6 @@ foreach ($files as $file) {
         postfix_is('.phpt', $file) ||
         postfix_is('VERSION', $file) ||
         postfix_is('WHATSNEW', $file) ||
-        postfix_is('FOCUS', $file) ||
         postfix_is('configdoc/usage.xml', $file) ||
         postfix_is('library/HTMLPurifier.includes.php', $file) ||
         postfix_is('library/HTMLPurifier.safe-includes.php', $file) ||

maintenance/update-freshmeat.php

@@ -1,161 +0,0 @@
-#!/usr/bin/php
-<?php
-
-chdir(dirname(__FILE__));
-require_once 'common.php';
-assertCli();
-
-/**
- * @file
- * Updates Freshmeat's HTML Purifier with the latest information via XML RPC.
- */
-
-class XmlRpc_Freshmeat
-{
-
-    const URL = 'http://freshmeat.net/xmlrpc/';
-
-    public $chatty = false;
-
-    public $encodeOptions = array(
-        'encoding' => 'utf-8',
-    );
-
-    /**
-     * This array defines shortcut method signatures for dealing with simple
-     * XML RPC methods. More complex ones (publish_release) should use the named parameter
-     * syntax.
-     */
-    public $signatures = array(
-        'login' => array('username', 'password'),
-        'fetch_branch_list' => array('project_name'),
-        'fetch_release'    => array('project_name', 'branch_name', 'version'),
-        'withdraw_release' => array('project_name', 'branch_name', 'version'),
-    );
-
-    protected $sid = null;
-
-    /**
-     * @param $username Username to login with
-     * @param $password Password to login with
-     */
-    public function __construct($username = null, $password = null)
-    {
-        if ($username && $password) {
-            $this->login($username, $password);
-        }
-    }
-
-    /**
-     * Performs a raw XML RPC call to self::URL
-     */
-    protected function call($method, $params)
-    {
-        $request = xmlrpc_encode_request($method, $params, $this->encodeOptions);
-        $ch = curl_init();
-        curl_setopt($ch, CURLOPT_URL, self::URL);
-        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
-        curl_setopt($ch, CURLOPT_TIMEOUT, 1);
-        curl_setopt($ch, CURLOPT_HTTPHEADER, array(
-            'Content-type: text/xml',
-            'Content-length: ' . strlen($request)
-        ));
-        curl_setopt($ch, CURLOPT_POSTFIELDS, $request);
-        $data = curl_exec($ch);
-        if ($errno = curl_errno($ch)) {
-            throw new Exception("Curl error [$errno]: " . curl_error($ch));
-        } else {
-            curl_close($ch);
-            return xmlrpc_decode($data);
-        }
-    }
-
-    /**
-     * Performs an XML RPC call to Freshmeat.
-     * @param $name Name of method to call, can be methodName or method_name
-     * @param $args Arguments of call, in form array('key1', 'val1', 'key2' ...)
-     */
-    public function __call($name, $args)
-    {
-        $method = $this->camelToUnderscore($name);
-        $params = array();
-        if ($this->sid) $params['SID'] = $this->sid;
-        if (isset($this->signatures[$method])) {
-            for ($i = 0, $c = count($this->signatures[$method]); $i < $c; $i++) {
-                $params[$this->signatures[$method][$i]] = $args[$i];
-            }
-        } else {
-            for ($i = 0, $c = count($args); $i + 1 < $c; $i += 2) {
-                $params[$args[$i]] = $args[$i + 1];
-            }
-        }
-        $result = $this->call($method, $params);
-        switch ($method) {
-            case 'login':
-                $this->sid = $result['SID'];
-                break;
-            case 'logout':
-                $this->sid = null;
-                break;
-        }
-        if ($this->chatty) print_r($result);
-        return $result;
-    }
-
-    /**
-     * Munge methodName to method_name
-     */
-    private function camelToUnderscore($name)
-    {
-        $method = '';
-        for ($i = 0, $c = strlen($name); $i < $c; $i++) {
-            $v = $name[$i];
-            if (ctype_lower($v)) $method .= $v;
-            else $method .= '_' . strtolower($v);
-        }
-        return $method;
-    }
-
-    /**
-     * Automatically logout at end of scope
-     */
-    public function __destruct()
-    {
-        if ($this->sid) $this->logout();
-    }
-
-}
-
-$rpc = new XmlRpc_Freshmeat($argv[1], $argv[2]);
-$rpc->chatty = true;
-
-$project = 'htmlpurifier';
-$branch  = 'Default';
-$version = file_get_contents('../VERSION');
-
-$result = $rpc->fetchRelease($project, $branch, $version);
-if (!isset($result['faultCode'])) {
-    echo "Freshmeat release already exists.\n";
-    exit(0);
-}
-
-$changes = strtr(file_get_contents('../WHATSNEW'), array("\r" => '', "\n" => ' '));
-$focus = (int) trim(file_get_contents('../FOCUS'));
-
-if (strlen($changes) > 600) {
-    echo "WHATSNEW entry is too long.\n";
-    exit(1);
-}
-
-$rpc->publishRelease(
-    'project_name',  $project,
-    'branch_name',   $branch,
-    'version',       $version,
-    'changes',       $changes,
-    'release_focus', $focus,
-    'url_tgz',       "http://htmlpurifier.org/releases/htmlpurifier-$version.tar.gz",
-    'url_zip',       "http://htmlpurifier.org/releases/htmlpurifier-$version.zip",
-    'url_changelog', "http://htmlpurifier.org/svnroot/htmlpurifier/tags/$version/NEWS"
-);
-
-// vim: et sw=4 sts=4

tests/HTMLPurifier/AttrDef/CSSTest.php

@@ -83,6 +83,8 @@ class HTMLPurifier_AttrDef_CSSTest extends HTMLPurifier_AttrDefHarness
         $this->assertDef('background-position:left 90%;');
         $this->assertDef('border-spacing:1em;');
         $this->assertDef('border-spacing:1em 2em;');
+        $this->assertDef('border-color: rgb(0, 0, 0) rgb(10,0,10)', 'border-color:rgb(0,0,0) rgb(10,0,10);');
+        $this->assertDef('border: rgb(0, 0, 0)', 'border:rgb(0,0,0);');
 
         // duplicates
         $this->assertDef('text-align:right;text-align:left;',
@@ -127,7 +129,6 @@ class HTMLPurifier_AttrDef_CSSTest extends HTMLPurifier_AttrDefHarness
         $this->assertDef('scrollbar-highlight-color:#ff69b4;');
         $this->assertDef('scrollbar-shadow-color:#f0f;');
 
-        $this->assertDef('opacity:.2;');
         $this->assertDef('-moz-opacity:.2;');
         $this->assertDef('-khtml-opacity:.2;');
         $this->assertDef('filter:alpha(opacity=20);');
@@ -146,6 +147,7 @@ class HTMLPurifier_AttrDef_CSSTest extends HTMLPurifier_AttrDefHarness
         $this->assertDef('display:none;');
         $this->assertDef('visibility:visible;');
         $this->assertDef('overflow:scroll;');
+        $this->assertDef('opacity:.2;');
     }
 
     public function testForbidden()

tests/HTMLPurifier/AttrDef/HTML/BoolTest.php

@@ -7,7 +7,7 @@ class HTMLPurifier_AttrDef_HTML_BoolTest extends HTMLPurifier_AttrDefHarness
     {
         $this->def = new HTMLPurifier_AttrDef_HTML_Bool('foo');
         $this->assertDef('foo');
-        $this->assertDef('', false);
+        $this->assertDef('', 'foo');
         $this->assertDef('bar', 'foo');
     }
 

tests/HTMLPurifier/DefinitionCache/SerializerTest.php

@@ -211,14 +211,14 @@ class HTMLPurifier_DefinitionCache_SerializerTest extends HTMLPurifier_Definitio
         $config->setReturnValue('get', 1, array('Test.DefinitionRev'));
         $dir = dirname(__FILE__) . '/SerializerTest';
         $config->setReturnValue('get', $dir, array('Cache.SerializerPath'));
-        $config->setReturnValue('get', 0777, array('Cache.SerializerPermissions'));
+        $config->setReturnValue('get', 0700, array('Cache.SerializerPermissions'));
 
         $def_original = $this->generateDefinition();
         $cache->add($def_original, $config);
         $this->assertFileExist($dir . '/Test/1.0.0,serial,1.ser');
 
-        $this->assertEqual(0666, 0777 & fileperms($dir . '/Test/1.0.0,serial,1.ser'));
-        $this->assertEqual(0777, 0777 & fileperms($dir . '/Test'));
+        $this->assertEqual(0600, 0777 & fileperms($dir . '/Test/1.0.0,serial,1.ser'));
+        $this->assertEqual(0700, 0777 & fileperms($dir . '/Test'));
 
         unlink($dir . '/Test/1.0.0,serial,1.ser');
         rmdir( $dir . '/Test');

tests/HTMLPurifier/Injector/RemoveEmptyTest.php

@@ -91,6 +91,25 @@ class HTMLPurifier_Injector_RemoveEmptyTest extends HTMLPurifier_InjectorHarness
         $this->assertResult('<b>&nbsp;</b>', "<b>\xC2\xA0</b>");
     }
 
+    public function testRemoveIframe()
+    {
+        $this->config->set('HTML.SafeIframe', true);
+        $this->assertResult('<iframe></iframe>', '');
+    }
+
+    public function testNoRemoveIframe()
+    {
+        $this->config->set('HTML.SafeIframe', true);
+        $this->assertResult('<iframe src="http://google.com"></iframe>', '');
+    }
+
+    public function testRemoveDisallowedIframe()
+    {
+        $this->config->set('HTML.SafeIframe', true);
+        $this->config->set('URI.SafeIframeRegexp', '%^http://www.youtube.com/embed/%');
+        $this->assertResult('<iframe src="http://google.com"></iframe>', '');
+    }
+
 }
 
 // vim: et sw=4 sts=4

tests/HTMLPurifier/LexerTest.php

@@ -264,7 +264,8 @@ class HTMLPurifier_LexerTest extends HTMLPurifier_Harness
                     new HTMLPurifier_Token_End('poolasdf'),
                     new HTMLPurifier_Token_End('pooloka'),
                 ),
-                'PH5P' => $alt,
+                // 20140831: Weird, but whatever...
+                'PH5P' => array(new HTMLPurifier_Token_Empty('asdf')),
             )
         );
     }
@@ -800,6 +801,21 @@ div {}
         );
     }
 
+    public function test_tokenizeHTML_prematureDivClose()
+    {
+        $this->assertTokenization(
+            '</div>dontdie',
+            array(
+                new HTMLPurifier_Token_End('div'),
+                new HTMLPurifier_Token_Text('dontdie')
+            ),
+            array(
+                'DOMLex' => $alt = array(new HTMLPurifier_Token_Text('dontdie')),
+                'PH5P' => $alt
+            )
+        );
+    }
+
 
     /*