Release 4.9.3

Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>

.travis.yml

@@ -1,9 +1,11 @@
 language: php
 php:
+    - '5.3'
     - '5.4'
     - '5.5'
     - '5.6'
     - '7.0'
+    - '7.1'
 before_script:
     - git clone --depth=50 https://github.com/ezyang/simpletest.git
     - cp test-settings.travis.php test-settings.php

Doxyfile

@@ -31,7 +31,7 @@ PROJECT_NAME           = HTMLPurifier
 # This could be handy for archiving the generated documentation or
 # if some version control system is used.
 
-PROJECT_NUMBER         = 4.9.1
+PROJECT_NUMBER         = 4.9.3
 
 # The OUTPUT_DIRECTORY tag is used to specify the (relative or absolute)
 # base path where the generated documentation will be put.

NEWS

@@ -9,6 +9,18 @@ NEWS ( CHANGELOG and HISTORY )                                     HTMLPurifier
     . Internal change
 ==========================
 
+4.9.3, released 2017-06-02
+- Workaround PHP 7.1 infinite loop when opcode cache is enabled.
+  Thanks @Xiphin (#134, #135)
+- Don't use autoloader when testing for DOMDocument.  Hypothetically,
+  this could cause your install to start using DirectLex if you had
+  previously been monkeypatching in a custom, autoloaded implementation
+  of DOMDocument.  Don't do that.  Thanks @Izumi-kun (#130)
+
+4.9.2, released 2017-03-12
+- Fixes PHP 5.3 compatibility
+- Fix breakage when decoding decimal entities.  Thanks @rybakit (#129)
+
 4.9.1, released 2017-03-08
 ! %URI.DefaultScheme can now be set to null, in which case
   all relative paths are removed.

VERSION

@@ -1 +1 @@
-4.9.1
+4.9.3

WHATSNEW

@@ -1,8 +1,13 @@
-HTML Purifier 4.9.0 is a maintenance release, collecting a year
-of accumulated bug fixes plus a few new feature.  New features
+HTML Purifier 4.9.x is a maintenance release, collecting a year
+of accumulated bug fixes plus a few new features.  New features
 include support for min/max-width/height CSS, and rgba/hsl/hsla
 in color specifications.  Major bugfixes include improvements
 in the Serializer cache to avoid chmod'ing directories, better
 entity decoding (we won't accidentally encode entities that occur
 in URLs) and rel="noopener" on links with target attributes,
 to prevent them from overwriting the original frame.
+
+4.9.3 works around an infinite loop bug in PHP 7.1 with the opcode
+cache (and has one other, minor bugfix, avoiding using autoloading
+when testing for DOMDocument presence).  If these bugs do not
+affect you, you do not need to upgrade.

configdoc/usage.xml

@@ -173,7 +173,7 @@
   </file>
   <file name="HTMLPurifier/Lexer.php">
    <line>313</line>
-   <line>352</line>
+   <line>353</line>
   </file>
   <file name="HTMLPurifier/HTMLModule/Image.php">
    <line>37</line>
@@ -277,25 +277,25 @@
    <line>347</line>
   </file>
  </directive>
- <directive id="Core.AggressivelyRemoveScript">
+ <directive id="Core.HiddenElements">
   <file name="HTMLPurifier/Lexer.php">
    <line>351</line>
   </file>
+  <file name="HTMLPurifier/Strategy/RemoveForeignElements.php">
+   <line>36</line>
+  </file>
+ </directive>
+ <directive id="Core.AggressivelyRemoveScript">
+  <file name="HTMLPurifier/Lexer.php">
+   <line>352</line>
+  </file>
  </directive>
  <directive id="Core.RemoveScriptContents">
-  <file name="HTMLPurifier/Lexer.php">
-   <line>352</line>
-  </file>
-  <file name="HTMLPurifier/Strategy/RemoveForeignElements.php">
-   <line>35</line>
-  </file>
- </directive>
- <directive id="Core.HiddenElements">
   <file name="HTMLPurifier/Lexer.php">
    <line>353</line>
   </file>
   <file name="HTMLPurifier/Strategy/RemoveForeignElements.php">
-   <line>36</line>
+   <line>35</line>
   </file>
  </directive>
  <directive id="URI.">

docs/dev-config-schema.html

@@ -228,7 +228,7 @@ Test.Example</pre>
         </tr>
         <tr>
           <td>mixed</td>
-          <td>new stdclass</td>
+          <td>new stdClass</td>
           <td>Any PHP variable is fine</td>
         </tr>
       </tbody>

library/HTMLPurifier.includes.php

@@ -7,7 +7,7 @@
  * primary concern and you are using an opcode cache. PLEASE DO NOT EDIT THIS
  * FILE, changes will be overwritten the next time the script is run.
  *
- * @version 4.9.1
+ * @version 4.9.3
  *
  * @warning
  *      You must *not* include any other HTML Purifier files before this file,

library/HTMLPurifier.php

@@ -19,7 +19,7 @@
  */
 
 /*
-    HTML Purifier 4.9.1 - Standards Compliant HTML Filtering
+    HTML Purifier 4.9.3 - Standards Compliant HTML Filtering
     Copyright (C) 2006-2008 Edward Z. Yang
 
     This library is free software; you can redistribute it and/or
@@ -58,12 +58,12 @@ class HTMLPurifier
      * Version of HTML Purifier.
      * @type string
      */
-    public $version = '4.9.1';
+    public $version = '4.9.3';
 
     /**
      * Constant with version of HTML Purifier.
      */
-    const VERSION = '4.9.1';
+    const VERSION = '4.9.3';
 
     /**
      * Global configuration object.

library/HTMLPurifier/AttrDef/CSS/Color.php

@@ -59,19 +59,19 @@ class HTMLPurifier_AttrDef_CSS_Color extends HTMLPurifier_AttrDef
              * Allowed types for values :
              * parameter_position => [type => max_value]
              */
-            $allowed_types = [
-                1 => ['percentage' => 100, 'integer' => 255],
-                2 => ['percentage' => 100, 'integer' => 255],
-                3 => ['percentage' => 100, 'integer' => 255],
-            ];
+            $allowed_types = array(
+                1 => array('percentage' => 100, 'integer' => 255),
+                2 => array('percentage' => 100, 'integer' => 255),
+                3 => array('percentage' => 100, 'integer' => 255),
+            );
             $allow_different_types = false;
 
             if (strpos($function, 'hsl') !== false) {
-                $allowed_types = [
-                    1 => ['integer' => 360],
-                    2 => ['percentage' => 100],
-                    3 => ['percentage' => 100],
-                ];
+                $allowed_types = array(
+                    1 => array('integer' => 360),
+                    2 => array('percentage' => 100),
+                    3 => array('percentage' => 100),
+                );
                 $allow_different_types = true;
             }
 

library/HTMLPurifier/ChildDef/List.php

@@ -50,7 +50,7 @@ class HTMLPurifier_ChildDef_List extends HTMLPurifier_ChildDef
         // a little sanity check to make sure it's not ALL whitespace
         $all_whitespace = true;
 
-        $current_li = false;
+        $current_li = null;
 
         foreach ($children as $node) {
             if (!empty($node->is_whitespace)) {
@@ -71,7 +71,7 @@ class HTMLPurifier_ChildDef_List extends HTMLPurifier_ChildDef
                 // to handle non-list elements; non-list elements should
                 // not be appended to an existing li; only li created
                 // for non-list. This distinction is not currently made.
-                if ($current_li === false) {
+                if ($current_li === null) {
                     $current_li = new HTMLPurifier_Node_Element('li');
                     $result[] = $current_li;
                 }

library/HTMLPurifier/Config.php

@@ -21,7 +21,7 @@ class HTMLPurifier_Config
      * HTML Purifier's version
      * @type string
      */
-    public $version = '4.9.1';
+    public $version = '4.9.3';
 
     /**
      * Whether or not to automatically finalize
@@ -333,7 +333,7 @@ class HTMLPurifier_Config
         }
 
         // Raw type might be negative when using the fully optimized form
-        // of stdclass, which indicates allow_null == true
+        // of stdClass, which indicates allow_null == true
         $rtype = is_int($def) ? $def : $def->type;
         if ($rtype < 0) {
             $type = -$rtype;

library/HTMLPurifier/ConfigSchema.php

@@ -24,11 +24,11 @@ class HTMLPurifier_ConfigSchema
      *
      *  array(
      *      'Namespace' => array(
-     *          'Directive' => new stdclass(),
+     *          'Directive' => new stdClass(),
      *      )
      *  )
      *
-     * The stdclass may have the following properties:
+     * The stdClass may have the following properties:
      *
      *  - If isAlias isn't set:
      *      - type: Integer type of directive, see HTMLPurifier_VarParser for definitions
@@ -39,8 +39,8 @@ class HTMLPurifier_ConfigSchema
      *      - namespace: Namespace this directive aliases to
      *      - name: Directive name this directive aliases to
      *
-     * In certain degenerate cases, stdclass will actually be an integer. In
-     * that case, the value is equivalent to an stdclass with the type
+     * In certain degenerate cases, stdClass will actually be an integer. In
+     * that case, the value is equivalent to an stdClass with the type
      * property set to the integer. If the integer is negative, type is
      * equal to the absolute value of integer, and allow_null is true.
      *
@@ -105,7 +105,7 @@ class HTMLPurifier_ConfigSchema
      */
     public function add($key, $default, $type, $allow_null)
     {
-        $obj = new stdclass();
+        $obj = new stdClass();
         $obj->type = is_int($type) ? $type : HTMLPurifier_VarParser::$types[$type];
         if ($allow_null) {
             $obj->allow_null = true;
@@ -152,14 +152,14 @@ class HTMLPurifier_ConfigSchema
      */
     public function addAlias($key, $new_key)
     {
-        $obj = new stdclass;
+        $obj = new stdClass;
         $obj->key = $new_key;
         $obj->isAlias = true;
         $this->info[$key] = $obj;
     }
 
     /**
-     * Replaces any stdclass that only has the type property with type integer.
+     * Replaces any stdClass that only has the type property with type integer.
      */
     public function postProcess()
     {

library/HTMLPurifier/EntityParser.php

@@ -119,10 +119,10 @@ class HTMLPurifier_EntityParser
         $hex_part = @$matches[1];
         $dec_part = @$matches[2];
         $named_part = empty($matches[3]) ? @$matches[4] : $matches[3];
-        if ($hex_part) {
+        if ($hex_part !== NULL && $hex_part !== "") {
             return HTMLPurifier_Encoder::unichr(hexdec($hex_part));
-        } elseif ($dec_part) {
-            return HTMLPurifier_Encoder((int) $dec_part);
+        } elseif ($dec_part !== NULL && $dec_part !== "") {
+            return HTMLPurifier_Encoder::unichr((int) $dec_part);
         } else {
             if (!$this->_entity_lookup) {
                 $this->_entity_lookup = HTMLPurifier_EntityLookup::instance();

library/HTMLPurifier/Generator.php

@@ -146,7 +146,7 @@ class HTMLPurifier_Generator
             $attr = $this->generateAttributes($token->attr, $token->name);
             if ($this->_flashCompat) {
                 if ($token->name == "object") {
-                    $flash = new stdclass();
+                    $flash = new stdClass();
                     $flash->attr = $token->attr;
                     $flash->param = array();
                     $this->_flashStack[] = $flash;

library/HTMLPurifier/Lexer.php

@@ -96,7 +96,7 @@ class HTMLPurifier_Lexer
                         break;
                     }
 
-                    if (class_exists('DOMDocument') &&
+                    if (class_exists('DOMDocument', false) &&
                         method_exists('DOMDocument', 'loadHTML') &&
                         !extension_loaded('domxml')
                     ) {
@@ -348,9 +348,10 @@ class HTMLPurifier_Lexer
             $html = preg_replace('#<\?.+?\?>#s', '', $html);
         }
 
+        $hidden_elements = $config->get('Core.HiddenElements');
         if ($config->get('Core.AggressivelyRemoveScript') &&
             !($config->get('HTML.Trusted') || !$config->get('Core.RemoveScriptContents')
-            || empty($config->get('Core.HiddenElements')["script"]))) {
+            || empty($hidden_elements["script"]))) {
             $html = preg_replace('#<script[^>]*>.*?</script>#i', '', $html);
         }
 

smoketests/test-schema/Type.mixed.txt

@@ -1,5 +1,5 @@
 Type.mixed
 TYPE: mixed
-DEFAULT: new stdclass()
+DEFAULT: new stdClass()
 DESCRIPTION: The mixed type allows any type, and is not form-editable.
 --# vim: et sw=4 sts=4

tests/HTMLPurifier/EntityParserTest.php

@@ -16,8 +16,12 @@ class HTMLPurifier_EntityParserTest extends HTMLPurifier_Harness
         $char_theta = $this->_entity_lookup->table['theta'];
         $this->assertIdentical($char_theta,
             $this->EntityParser->substituteNonSpecialEntities('θ') );
+        $this->assertIdentical($char_theta,
+            $this->EntityParser->substituteTextEntities('θ') );
         $this->assertIdentical('"',
             $this->EntityParser->substituteNonSpecialEntities('"') );
+        $this->assertIdentical('"',
+            $this->EntityParser->substituteTextEntities('"') );
 
         // numeric tests, adapted from Feyd
         $args = array();
@@ -71,6 +75,11 @@ class HTMLPurifier_EntityParserTest extends HTMLPurifier_Harness
                 $expect,
                 'Identical expectation [Hex: '. dechex($arg[0]) .']'
             );
+            $this->assertIdentical(
+                $this->EntityParser->substituteTextEntities($string),
+                $expect,
+                'Identical expectation [Hex: '. dechex($arg[0]) .']'
+            );
         }
 
     }
@@ -81,6 +90,10 @@ class HTMLPurifier_EntityParserTest extends HTMLPurifier_Harness
             "'",
             $this->EntityParser->substituteSpecialEntities(''')
         );
+        $this->assertIdentical(
+            "'",
+            $this->EntityParser->substituteTextEntities(''')
+        );
     }
 
 }