sfix

Signed-off-by: Edward Z. Yang <ezyang@meta.com>
Exception throwing
2025-08-04 05:07:55 +02:00 · 2024-11-09 21:06:43 -05:00 · 2024-11-09 21:03:54 -05:00 · 2024-11-09 20:43:22 -05:00 · 2024-11-01 03:51:45 +00:00 · 2024-10-30 22:57:29 -04:00
141 changed files with 1662 additions and 962 deletions
--- a/.gitattributes
+++ b/.gitattributes
@@ -1,13 +1,23 @@
 /.gitattributes export-ignore
 /.github export-ignore
 /.gitignore export-ignore
-/.travis.yml export-ignore
+/art export-ignore
-/Doxyfile export-ignore
+/benchmarks export-ignore
-/art/ export-ignore
+/configdoc export-ignore
 /benchmarks/ export-ignore
 /configdoc/ export-ignore
 /configdoc/usage.xml -crlf
-/docs/ export-ignore
+/docs export-ignore
-/phpdoc.ini
+/Doxyfile export-ignore
-/smoketests/ export-ignore
+/extras export-ignore
-/tests/* export-ignore
+/INSTALL* export-ignore
-/tests/path2class.func.php -export-ignore
+/maintenance export-ignore
 /NEWS export-ignore
 /package.php export-ignore
 /plugins export-ignore
 /phpdoc.ini export-ignore
 /smoketests export-ignore
 /test-* export-ignore
 /tests export-ignore
 /TODO export-ignore
 /update-for-release export-ignore
 /WYSIWYG export-ignore
 /release.config.js export-ignore
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -0,0 +1,36 @@
 name: ci
 on:
  push:
  pull_request:
 jobs:
  linux_tests:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: true
      matrix:
        php: ['5.6', '7.0', '7.1', '7.2', '7.3', '7.4', '8.0', '8.1', '8.2', '8.3', '8.4']
    name: PHP ${{ matrix.php }}
    steps:
      - name: Checkout code
        uses: actions/checkout@v3
      - name: Setup PHP
        uses: shivammathur/setup-php@v2
        with:
          php-version: ${{ matrix.php }}
          tools: composer:v2
          ini-values: error_reporting=E_ALL
          extensions: iconv, bcmath, tidy, mbstring, intl
      - name: Install dependencies
        run: composer install
      - name: Configure simpletest
        run: cp test-settings.sample.php test-settings.php
      - name: Execute Unit tests
        run: php tests/index.php
--- a/.github/workflows/lint-pr.yml
+++ b/.github/workflows/lint-pr.yml
@@ -0,0 +1,19 @@
 name: "Lint PR"
 on:
  pull_request_target:
    types:
      - opened
      - edited
      - synchronize
 jobs:
  main:
    name: Validate PR title
    runs-on: ubuntu-latest
    steps:
      - uses: amannn/action-semantic-pull-request@v4
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -0,0 +1,29 @@
 name: release
 on:
  workflow_dispatch:
 jobs:
  release:
    runs-on: ubuntu-latest
    name: Release
    steps:
      - name: Checkout code
        uses: actions/checkout@v2
      - name: Setup PHP
        uses: shivammathur/setup-php@v2
        with:
          php-version: 8.2
      - name: Run automated release process with semantic-release
        uses: cycjimmy/semantic-release-action@v4
        with:
          extra_plugins: |
            @semantic-release/changelog
            @semantic-release/git
            @semantic-release/exec
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
--- a/.travis.yml
+++ b/.travis.yml
@@ -1,13 +0,0 @@
 language: php
 php:
    - '5.3'
    - '5.4'
    - '5.5'
    - '5.6'
    - '7.0'
    - '7.1'
 before_script:
    - git clone --depth=50 https://github.com/ezyang/simpletest.git
    - cp test-settings.travis.php test-settings.php
 script:
    - php tests/index.php
--- a/2
+++ b/2
@@ -31,7 +31,7 @@ PROJECT_NAME           = HTMLPurifier
 # This could be handy for archiving the generated documentation or
 # if some version control system is used.
-PROJECT_NUMBER         = 4.9.3
+PROJECT_NUMBER         = 4.18.0
 # The OUTPUT_DIRECTORY tag is used to specify the (relative or absolute)
 # base path where the generated documentation will be put.
--- a/36
+++ b/36
@@ -15,7 +15,7 @@ with these contents.
 ---------------------------------------------------------------------------
 1.  Compatibility
-HTML Purifier is PHP 5 and PHP 7, and is actively tested from PHP 5.0.5
+HTML Purifier is PHP 5 and PHP 7, and is actively tested from PHP 5.3
 and up. It has no core dependencies with other libraries.
 These optional extensions can enhance the capabilities of HTML Purifier:
@@ -101,31 +101,6 @@ Autoload compatibility
    autoloader, but there are some cases where you will need to change
    your own code to accomodate HTML Purifier. These are those cases:
    PHP VERSION IS LESS THAN 5.1.2, AND YOU'VE DEFINED __autoload
        Because spl_autoload_register() doesn't exist in early versions
        of PHP 5, HTML Purifier has no way of adding itself to the autoload
        stack. Modify your __autoload function to test
        HTMLPurifier_Bootstrap::autoload($class)
        For example, suppose your autoload function looks like this:
            function __autoload($class) {
                require str_replace('_', '/', $class) . '.php';
                return true;
            }
        A modified version with HTML Purifier would look like this:
            function __autoload($class) {
                if (HTMLPurifier_Bootstrap::autoload($class)) return true;
                require str_replace('_', '/', $class) . '.php';
                return true;
            }
        Note that there *is* some custom behavior in our autoloader; the
        original autoloader in our example would work for 99% of the time,
        but would fail when including language files.
    AN __autoload FUNCTION IS DECLARED AFTER OUR AUTOLOADER IS REGISTERED
        spl_autoload_register() has the curious behavior of disabling
        the existing __autoload() handler. Users need to explicitly
@@ -138,11 +113,6 @@ Autoload compatibility
            spl_autoload_register('__autoload')
    Users should also be on guard if they use a version of PHP previous
    to 5.1.2 without an autoloader--HTML Purifier will define __autoload()
    for you, which can collide with an autoloader that was added by *you*
    later.
 For better performance
 ----------------------
@@ -204,9 +174,7 @@ For advanced users
        HTMLPurifier.autoload.php
            Registers our autoload handler HTMLPurifier_Bootstrap::autoload($class).
-    You can do these operations by yourself--in fact, you must modify your own
+    You can do these operations by yourself, if you like.
    autoload handler if you are using a version of PHP earlier than PHP 5.1.2
    (See "Autoload compatibility" above).
 ---------------------------------------------------------------------------
--- a/INSTALL.fr.utf8
+++ b/INSTALL.fr.utf8
@@ -11,7 +11,7 @@ pied de page, mais je recommande de lire le document.
 1.  Compatibilité
-HTML Purifier fonctionne avec PHP 5. PHP 5.0.5 est la dernière version testée.
+HTML Purifier fonctionne avec PHP 5. PHP 5.3 est la dernière version testée.
 Il ne dépend pas d'autres librairies.
 Les extensions optionnelles sont iconv (généralement déjà installée) et tidy
--- a/137
+++ b/137
@@ -1,3 +1,46 @@
 # [4.18.0](https://github.com/ezyang/htmlpurifier/compare/v4.17.0...v4.18.0) (2024-11-01)
 ### Bug Fixes
 * Adjust Core.AllowHostnameUnderscore to consider that "_" is defined as Unreserved Characters in RFC 3986 ([#406](https://github.com/ezyang/htmlpurifier/issues/406)) ([d9fbef8](https://github.com/ezyang/htmlpurifier/commit/d9fbef8e27f6a0848a8987a8534351de98eb0fa1))
 * Avoid a deprecated error when the attribute name is numeric and DirectLex is used ([#412](https://github.com/ezyang/htmlpurifier/issues/412)) ([f0fbf51](https://github.com/ezyang/htmlpurifier/commit/f0fbf510981b27fc03168efdb17d6bff48f521af))
 * checking that node has property name ([#399](https://github.com/ezyang/htmlpurifier/issues/399)) ([9ca5a36](https://github.com/ezyang/htmlpurifier/commit/9ca5a3687bd2e6e42ed9d5199b2cfb1dbd6dbdc2))
 * Ignore conditional comments ([#401](https://github.com/ezyang/htmlpurifier/issues/401)) ([4828fdf](https://github.com/ezyang/htmlpurifier/commit/4828fdf45a93eeeacfcbcc855f96f9a7e6b4ed44))
 * Support PHP 8.4 ([#396](https://github.com/ezyang/htmlpurifier/issues/396)) ([92da247](https://github.com/ezyang/htmlpurifier/commit/92da2473ffbb3ed5e894560d4166b1ca8032aeb3))
 * undefined array key warning ([#419](https://github.com/ezyang/htmlpurifier/issues/419)) ([01be377](https://github.com/ezyang/htmlpurifier/commit/01be377f93654fad4d3fbc8c81779f14316eaecf))
 ### Features
 * Add allowfullscreen attr for iframe ([#411](https://github.com/ezyang/htmlpurifier/issues/411)) ([70754a2](https://github.com/ezyang/htmlpurifier/commit/70754a253342f67a67425cfa81029db3a5c1bd28))
 * add directive for removing blank nodes ([#404](https://github.com/ezyang/htmlpurifier/issues/404)) ([c9d60c9](https://github.com/ezyang/htmlpurifier/commit/c9d60c96d799c02bc357c88a49f422034b6914fd))
 * Add support for CSS aspect-ratio ([#408](https://github.com/ezyang/htmlpurifier/issues/408)) ([93bee73](https://github.com/ezyang/htmlpurifier/commit/93bee733497a098b65daf5910f1c435d347860a4))
 * Allow universal CSS values for all properties ([#410](https://github.com/ezyang/htmlpurifier/issues/410)) ([9723267](https://github.com/ezyang/htmlpurifier/commit/972326785d201b81e1095bc296b99bbcfa8c7fd4))
 # [4.17.0](https://github.com/ezyang/htmlpurifier/compare/v4.16.0...v4.17.0) (2023-11-17)
 ### Bug Fixes
 * CSSTidy ImportantComments not handled properly ([#359](https://github.com/ezyang/htmlpurifier/issues/359)) ([78a9b4d](https://github.com/ezyang/htmlpurifier/commit/78a9b4d0dae8bce9a70e4e7e551bf51e9a23706d))
 * fix CI ([#361](https://github.com/ezyang/htmlpurifier/issues/361)) ([9ec687c](https://github.com/ezyang/htmlpurifier/commit/9ec687c904a1fe66a5395d22c50f7043e045d1d3))
 * Invalid scheme check in Attr.TargetBlank ([#363](https://github.com/ezyang/htmlpurifier/issues/363)) ([0176ef4](https://github.com/ezyang/htmlpurifier/commit/0176ef4bb6f57103fdcb60a802603e60e81ee93e))
 * semantic release ([#339](https://github.com/ezyang/htmlpurifier/issues/339)) ([d82f3d9](https://github.com/ezyang/htmlpurifier/commit/d82f3d996a0d9b0f23364946d9a14408c1ad72c5))
 * semantic release ([#341](https://github.com/ezyang/htmlpurifier/issues/341)) ([e55fead](https://github.com/ezyang/htmlpurifier/commit/e55fead09f39430d30f48438f06e7bc2326efc94)), closes [#339](https://github.com/ezyang/htmlpurifier/issues/339)
 * Support for locales using decimal separators other than . (dot) ([#372](https://github.com/ezyang/htmlpurifier/issues/372)) ([43f49ac](https://github.com/ezyang/htmlpurifier/commit/43f49ac9a51b81dfd07d3bc8dcfc5ec5637a5e3b))
 ### Features
 * Add support for all text-decoration properties ([#360](https://github.com/ezyang/htmlpurifier/issues/360)) ([2d775c0](https://github.com/ezyang/htmlpurifier/commit/2d775c01874e2f676ba1a2d9fe69b47c2a823061))
 * Allows commas to be included in tel URI ([#389](https://github.com/ezyang/htmlpurifier/issues/389)) ([ec92490](https://github.com/ezyang/htmlpurifier/commit/ec924901392f088d334622f806b9449b17b75d7b)), closes [#388](https://github.com/ezyang/htmlpurifier/issues/388)
 ### Reverts
 * Revert "fix: semantic release (#339)" (#340) ([3e83215](https://github.com/ezyang/htmlpurifier/commit/3e832152a6173f880c6495a3ab2b0e5235e253a6)), closes [#339](https://github.com/ezyang/htmlpurifier/issues/339) [#340](https://github.com/ezyang/htmlpurifier/issues/340)
 NEWS ( CHANGELOG and HISTORY )                                     HTMLPurifier
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
@@ -9,6 +52,100 @@ NEWS ( CHANGELOG and HISTORY )                                     HTMLPurifier
    . Internal change
 ==========================
 4.15.0, released 2022-09-18
 ! PHP 8.1 and 8.2 support, esp. fixes for deprecation warnings.  A joint effort
  by David Rans, Tim Düsterhus, Kieran and John Flatness.
 ! Allow contenteditable="false" (#336), contributed by Kieran.
 - Replace PHP 8.1 deprecated utf8_ functions with mbstring (#326),
  contributed by John Flatness.
 - Enhanced composer suggestions with extensions (#317), contributed by
  func0der.
 4.14.0, released 2021-12-24
 ! Add "background-size" support (#289), contributed by Václav Smítal
 ! Transform deprecated width attribute when tidying HTML, contributed by
  Kieran.
 - PHP 8 support, contributed by Maksims Sļotovs.
 - Improved PHP 7.3 compatibility, contributed by kishor.
 - Avoid spurious magic quotes notice in PHP 7.4.  Thanks
  Jasper Zonneveld for the fix.
 - Do not remove thead from table even if there are no tbody/tr (#264).
  Thanks Marcus Artner for the fix.
 - Fix "Parameter must be an array or an object that implements
  Countable" (#285)".  Thanks Kieran for this fix.
 . Fix unnecessary reference assignment, handling behavior change from
  PHP5 and PHP7.  Thanks Arkadiusz Biczewski for the fix.
 4.13.0, released 2020-06-28
 ! Add %HTML.Forms directive, which lets you accept forms in user
  HTML without requiring full %HTML.Trusted.  Note that forms can
  be (trivially) used to setup phishing; e.g., an attacker can
  use CSS absolute positioning to overlay a form on top of a login
  element, so please be sure to use this with care!   Fixes #213.
  Thanks Mateusz Turcza for contributing this feature.
 ! tr@bgcolor attribute is now supported.  Thanks Kieran Brahney
  for this enhancement.
 - Further improvements to PHP 7.4 support, contributed by Witold
  Wasiczko and Eloy Lafuente.
 - Fix PSR-0 compatibility.  Thanks Jordi Boggiano for contributing
  part of this fix.
 - Fix bug with purifyArray where it doesn't work on empty arrays.
  Thanks Fräntz Miccoli for the fix.
 - Reduce amount of maintenance scripts included in distribution
  packages.  Thanks Sergei Morozov for this patch.
 - Remove leading zeros unless if it is only a zero, fixes #239.  Thanks
  lubomirbartos for this fix.
 - Correct type hinting of maybeGet*, fixes #240.   Thanks Anders Jenbo
  for this fix.
 4.12.0, released 2019-10-27
 ! PHP 7.4 is supported, thank you Witold Wasiczko, Mateuz Turcza and
  Edi Modrić
 - PHPDocs for HTMLModule::addElement() and Bool attr are fixed (thanks
  Mateusz)
 4.11.0, released 2019-07-14
 # SafeScripting now matches case-sensitively against its whitelist (previously it was
  case-insensitive.)  Thanks Dimitri Gritsajuk <gritsajuk.dimitri@gmail.com>
  for reporting.
 ! New directive %Core.AllowParseManyTags which allows parsing of many nested tags.
  Thanks M. Suzuki <msuzuki1986@gmail.com> for contributing the patch.
 ! purifyArray now supports multidimensional arrays.  Thanks
  Sandro Miguel Marques <sandromiguel@sandromiguel.com> for contributing this patch.
 ! initial and inherit settings available for width, height, and the min-/max-
  versions thereof.  Thanks Michael Kliewe <info@phpgansta.de> for contributing
  this patch.
 ! More color names are supported.  Thanks Daijobou for contributing.
 - Compatibility fixes for PHP 7.3, including new CI for PHP 7.3
  (thank you Lukas Neumann <lksnmnn@gmail.com>) and removal of
  reserved words in our constants (thanks Darko Hrgovic <darko@darkodev.com>
 - Compatibility fixes for HHVM.  Thanks Mateusz Turcza for contributing
  this fix.
 - HTML Purifier now never defines __autoload, fixing #196.  Thanks
  Michael Kliewe for reporting.
 - In some situations, Config.php would report an undefined index: class
  error; this has been fixed.  Thanks DiLong Fa for contributing
  this fix.
 - We no longer produce <script /> tags; we always explicitly write
  out the open and close tag.  Thanks Dimitri Gritsajuk
  <gritsajuk.dimitri@gmail.com> for contributing this fix.
 - Better compatibility when IDNA constants are not present.  Thanks
  Mateusz Turcza <xemlock@gmail.com> for contributing this fix.
 4.10.0, released 2018-02-22
 # PHP 5.3 is no longer officially supported by HTML Purifier
  (we did not specifically break support, but we are no longer
  testing on PHP 5.3)
 ! Relative CSS length units are now supported
 - A few PHP 7.2 compatibility fixes, thanks John Flatness
  <john@zerocrates.org>
 - Improve portability with old versions of libxml which don't
  support accessing the data of a node
 - IDNA2008 is now used for converting domains to ASCII, fixing
  some rather strange bugs with international domains
 - Fix race condition resulting in E_WARNING when creating
  directories with Serializer
 4.9.3, released 2017-06-02
 - Workaround PHP 7.1 infinite loop when opcode cache is enabled.
  Thanks @Xiphin (#134, #135)
--- a/README.md
+++ b/README.md
@@ -1,8 +1,8 @@
-HTML Purifier [![Build Status](https://secure.travis-ci.org/ezyang/htmlpurifier.svg?branch=master)](http://travis-ci.org/ezyang/htmlpurifier)
+HTML Purifier [![Build Status](https://github.com/ezyang/htmlpurifier/actions/workflows/ci.yml/badge.svg?branch=master)](https://github.com/ezyang/htmlpurifier/actions/workflows/ci.yml)
 =============
 HTML Purifier is an HTML filtering solution that uses a unique combination
-of robust whitelists and agressive parsing to ensure that not only are
+of robust whitelists and aggressive parsing to ensure that not only are
 XSS attacks thwarted, but the resulting HTML is standards compliant.
 HTML Purifier is oriented towards richly formatted documents from
@@ -26,4 +26,4 @@ Package available on [Composer](https://packagist.org/packages/ezyang/htmlpurifi
 If you're using Composer to manage dependencies, you can use
-    $ composer require "ezyang/htmlpurifier": "dev-master"
+    $ composer require ezyang/htmlpurifier
--- a/2
+++ b/2
@@ -1 +1 @@
-4.9.3
+4.18.0
--- a/13
+++ b/13
@@ -1,13 +0,0 @@
 HTML Purifier 4.9.x is a maintenance release, collecting a year
 of accumulated bug fixes plus a few new features.  New features
 include support for min/max-width/height CSS, and rgba/hsl/hsla
 in color specifications.  Major bugfixes include improvements
 in the Serializer cache to avoid chmod'ing directories, better
 entity decoding (we won't accidentally encode entities that occur
 in URLs) and rel="noopener" on links with target attributes,
 to prevent them from overwriting the original frame.
 4.9.3 works around an infinite loop bug in PHP 7.1 with the opcode
 cache (and has one other, minor bugfix, avoiding using autoloading
 when testing for DOMDocument presence).  If these bugs do not
 affect you, you do not need to upgrade.
--- a/benchmarks/.htaccess
+++ b/benchmarks/.htaccess
@@ -1 +1,7 @@
-Deny from all
+<IfModule mod_authz_core.c>
    Require all denied
 </IfModule>
 <IfModule !mod_authz_core.c>
    Deny from all
 </ifModule>
--- a/composer.json
+++ b/composer.json
@@ -4,7 +4,7 @@
    "type": "library",
    "keywords": ["html"],
    "homepage": "http://htmlpurifier.org/",
-    "license": "LGPL",
+    "license": "LGPL-2.1-or-later",
    "authors": [
        {
            "name": "Edward Z. Yang",
@@ -13,13 +13,33 @@
        }
    ],
    "require": {
-        "php": ">=5.2"
+        "php": "~5.6.0 || ~7.0.0 || ~7.1.0 || ~7.2.0 || ~7.3.0 || ~7.4.0 || ~8.0.0 || ~8.1.0 || ~8.2.0 || ~8.3.0 || ~8.4.0"
    },
    "require-dev": {
-        "simpletest/simpletest": "^1.1"
+        "cerdic/css-tidy": "^1.7 || ^2.0",
        "simpletest/simpletest": "dev-master"
    },
    "autoload": {
        "psr-0": { "HTMLPurifier": "library/" },
-        "files": ["library/HTMLPurifier.composer.php"]
+        "files": ["library/HTMLPurifier.composer.php"],
-    }
+        "exclude-from-classmap": [
            "/library/HTMLPurifier/Language/"
        ]
    },
    "suggest": {
        "cerdic/css-tidy": "If you want to use the filter 'Filter.ExtractStyleBlocks'.",
        "ext-iconv": "Converts text to and from non-UTF-8 encodings",
        "ext-bcmath": "Used for unit conversion and imagecrash protection",
        "ext-tidy": "Used for pretty-printing HTML"
    },
    "config": {
        "sort-packages": true
    },
    "repositories": [
        {
            "type": "vcs",
            "url": "https://github.com/ezyang/simpletest.git",
            "no-api": true
        }
    ]
 }
--- a/configdoc/generate.php
+++ b/configdoc/generate.php
@@ -16,7 +16,7 @@ TODO:
 */
 if (version_compare(PHP_VERSION, '5.2', '<')) exit('PHP 5.2+ required.');
-error_reporting(E_ALL | E_STRICT);
+error_reporting(E_ALL);
 // load dual-libraries
 require_once dirname(__FILE__) . '/../extras/HTMLPurifierExtras.auto.php';
--- a/configdoc/usage.xml
+++ b/configdoc/usage.xml
@@ -5,8 +5,8 @@
   <line>162</line>
  </file>
  <file name="HTMLPurifier/Lexer.php">
-   <line>85</line>
+   <line>90</line>
-   <line>326</line>
+   <line>315</line>
  </file>
  <file name="HTMLPurifier/Lexer/DirectLex.php">
   <line>67</line>
@@ -19,37 +19,37 @@
 </directive>
 <directive id="CSS.MaxImgLength">
  <file name="HTMLPurifier/CSSDefinition.php">
-   <line>226</line>
+   <line>253</line>
  </file>
 </directive>
 <directive id="CSS.Proprietary">
  <file name="HTMLPurifier/CSSDefinition.php">
-   <line>323</line>
+   <line>397</line>
  </file>
 </directive>
 <directive id="CSS.AllowTricky">
  <file name="HTMLPurifier/CSSDefinition.php">
-   <line>327</line>
+   <line>401</line>
  </file>
 </directive>
 <directive id="CSS.Trusted">
  <file name="HTMLPurifier/CSSDefinition.php">
-   <line>331</line>
+   <line>405</line>
  </file>
 </directive>
 <directive id="CSS.AllowImportant">
  <file name="HTMLPurifier/CSSDefinition.php">
-   <line>335</line>
+   <line>409</line>
  </file>
 </directive>
 <directive id="CSS.AllowedProperties">
  <file name="HTMLPurifier/CSSDefinition.php">
-   <line>464</line>
+   <line>538</line>
  </file>
 </directive>
 <directive id="CSS.ForbiddenProperties">
  <file name="HTMLPurifier/CSSDefinition.php">
-   <line>480</line>
+   <line>554</line>
  </file>
 </directive>
 <directive id="Cache.DefinitionImpl">
@@ -124,7 +124,7 @@
   <line>122</line>
  </file>
  <file name="HTMLPurifier/Lexer.php">
-   <line>308</line>
+   <line>299</line>
  </file>
 </directive>
 <directive id="Output.Newline">
@@ -172,8 +172,14 @@
   <line>234</line>
  </file>
  <file name="HTMLPurifier/Lexer.php">
-   <line>313</line>
+   <line>304</line>
-   <line>353</line>
+   <line>342</line>
  </file>
  <file name="HTMLPurifier/AttrDef/HTML/ContentEditable.php">
   <line>8</line>
  </file>
  <file name="HTMLPurifier/HTMLModule/Iframe.php">
   <line>43</line>
  </file>
  <file name="HTMLPurifier/HTMLModule/Image.php">
   <line>37</line>
@@ -250,12 +256,12 @@
 </directive>
 <directive id="Core.LexerImpl">
  <file name="HTMLPurifier/Lexer.php">
-   <line>80</line>
+   <line>85</line>
  </file>
 </directive>
 <directive id="Core.MaintainLineNumbers">
  <file name="HTMLPurifier/Lexer.php">
-   <line>84</line>
+   <line>89</line>
  </file>
  <file name="HTMLPurifier/Lexer/DirectLex.php">
   <line>62</line>
@@ -263,23 +269,23 @@
 </directive>
 <directive id="Core.LegacyEntityDecoder">
  <file name="HTMLPurifier/Lexer.php">
-   <line>215</line>
+   <line>220</line>
-   <line>337</line>
+   <line>326</line>
  </file>
 </directive>
 <directive id="Core.ConvertDocumentToFragment">
  <file name="HTMLPurifier/Lexer.php">
-   <line>324</line>
+   <line>313</line>
  </file>
 </directive>
 <directive id="Core.RemoveProcessingInstructions">
  <file name="HTMLPurifier/Lexer.php">
-   <line>347</line>
+   <line>336</line>
  </file>
 </directive>
 <directive id="Core.HiddenElements">
  <file name="HTMLPurifier/Lexer.php">
-   <line>351</line>
+   <line>340</line>
  </file>
  <file name="HTMLPurifier/Strategy/RemoveForeignElements.php">
   <line>36</line>
@@ -287,12 +293,12 @@
 </directive>
 <directive id="Core.AggressivelyRemoveScript">
  <file name="HTMLPurifier/Lexer.php">
-   <line>352</line>
+   <line>341</line>
  </file>
 </directive>
 <directive id="Core.RemoveScriptContents">
  <file name="HTMLPurifier/Lexer.php">
-   <line>353</line>
+   <line>342</line>
  </file>
  <file name="HTMLPurifier/Strategy/RemoveForeignElements.php">
   <line>35</line>
@@ -354,7 +360,7 @@
 </directive>
 <directive id="CSS.AllowedFonts">
  <file name="HTMLPurifier/AttrDef/CSS/FontFamily.php">
-   <line>64</line>
+   <line>62</line>
  </file>
 </directive>
 <directive id="Attr.AllowedClasses">
@@ -405,12 +411,12 @@
 </directive>
 <directive id="Core.AllowHostnameUnderscore">
  <file name="HTMLPurifier/AttrDef/URI/Host.php">
-   <line>77</line>
+   <line>71</line>
  </file>
 </directive>
 <directive id="Core.EnableIDNA">
  <file name="HTMLPurifier/AttrDef/URI/Host.php">
-   <line>105</line>
+   <line>103</line>
  </file>
 </directive>
 <directive id="Attr.DefaultTextDir">
@@ -451,7 +457,7 @@
 </directive>
 <directive id="HTML.FlashAllowFullScreen">
  <file name="HTMLPurifier/AttrTransform/SafeParam.php">
-   <line>53</line>
+   <line>58</line>
  </file>
 </directive>
 <directive id="Cache.SerializerPath">
@@ -467,17 +473,22 @@
 </directive>
 <directive id="Filter.ExtractStyleBlocks.TidyImpl">
  <file name="HTMLPurifier/Filter/ExtractStyleBlocks.php">
-   <line>94</line>
+   <line>106</line>
  </file>
 </directive>
 <directive id="Filter.ExtractStyleBlocks.Scope">
  <file name="HTMLPurifier/Filter/ExtractStyleBlocks.php">
-   <line>125</line>
+   <line>137</line>
  </file>
 </directive>
 <directive id="Filter.ExtractStyleBlocks.Escaping">
  <file name="HTMLPurifier/Filter/ExtractStyleBlocks.php">
-   <line>330</line>
+   <line>351</line>
  </file>
 </directive>
 <directive id="HTML.Forms">
  <file name="HTMLPurifier/HTMLModule/Forms.php">
   <line>31</line>
  </file>
 </directive>
 <directive id="HTML.SafeIframe">
@@ -539,6 +550,16 @@
   <line>54</line>
  </file>
 </directive>
 <directive id="Core.AllowParseManyTags">
  <file name="HTMLPurifier/Lexer/DOMLex.php">
   <line>72</line>
  </file>
 </directive>
 <directive id="Core.RemoveBlanks">
  <file name="HTMLPurifier/Lexer/DOMLex.php">
   <line>75</line>
  </file>
 </directive>
 <directive id="Core.DirectLexLineNumberSyncInterval">
  <file name="HTMLPurifier/Lexer/DirectLex.php">
   <line>84</line>
--- a/docs/dev-config-naming.txt
+++ b/docs/dev-config-naming.txt
@@ -75,6 +75,7 @@ Core is the potpourri of directives, mostly regarding some minor behavioral
 tweaks for HTML handling abilities.
    AggressivelyFixLt
    AllowParseManyTags
    ConvertDocumentToFragment
    DirectLexLineNumberSyncInterval
    LexerImpl
--- a/extras/FSTools.php
+++ b/extras/FSTools.php
@@ -136,7 +136,7 @@ class FSTools
    /**
     * Recursively globs a directory.
     */
-    public function globr($dir, $pattern, $flags = NULL)
+    public function globr($dir, $pattern, $flags = 0)
    {
        $files = $this->glob("$dir/$pattern", $flags);
        if ($files === false) $files = array();
--- a/extras/HTMLPurifierExtras.autoload-legacy.php
+++ b/extras/HTMLPurifierExtras.autoload-legacy.php
@@ -0,0 +1,15 @@
 <?php
 /**
 * @file
 * Legacy autoloader for systems lacking spl_autoload_register
 *
 * Must be separate to prevent deprecation warning on PHP 7.2
 */
 function __autoload($class)
 {
    return HTMLPurifierExtras::autoload($class);
 }
 // vim: et sw=4 sts=4
--- a/extras/HTMLPurifierExtras.autoload.php
+++ b/extras/HTMLPurifierExtras.autoload.php
@@ -17,10 +17,7 @@ if (function_exists('spl_autoload_register')) {
        spl_autoload_register('__autoload');
    }
 } elseif (!function_exists('__autoload')) {
-    function __autoload($class)
+    require dirname(__FILE__) . '/HTMLPurifierExtras.autoload-legacy.php';
    {
        return HTMLPurifierExtras::autoload($class);
    }
 }
 // vim: et sw=4 sts=4
--- a/library/HTMLPurifier.autoload-legacy.php
+++ b/library/HTMLPurifier.autoload-legacy.php
@@ -0,0 +1,14 @@
 <?php
 /**
 * @file
 * Legacy autoloader for systems lacking spl_autoload_register
 *
 */
 spl_autoload_register(function($class)
 {
     return HTMLPurifier_Bootstrap::autoload($class);
 });
 // vim: et sw=4 sts=4
--- a/library/HTMLPurifier.autoload.php
+++ b/library/HTMLPurifier.autoload.php
@@ -14,12 +14,10 @@ if (function_exists('spl_autoload_register') && function_exists('spl_autoload_un
        spl_autoload_register('__autoload');
    }
 } elseif (!function_exists('__autoload')) {
-    function __autoload($class)
+    require dirname(__FILE__) . '/HTMLPurifier.autoload-legacy.php';
    {
        return HTMLPurifier_Bootstrap::autoload($class);
    }
 }
 // phpcs:ignore PHPCompatibility.IniDirectives.RemovedIniDirectives.zend_ze1_compatibility_modeRemoved
 if (ini_get('zend.ze1_compatibility_mode')) {
    trigger_error("HTML Purifier is not compatible with zend.ze1_compatibility_mode; please turn it off", E_USER_ERROR);
 }
--- a/library/HTMLPurifier.includes.php
+++ b/library/HTMLPurifier.includes.php
@@ -7,7 +7,7 @@
 * primary concern and you are using an opcode cache. PLEASE DO NOT EDIT THIS
 * FILE, changes will be overwritten the next time the script is run.
 *
- * @version 4.9.3
+ * @version 4.18.0
 *
 * @warning
 *      You must *not* include any other HTML Purifier files before this file,
@@ -101,12 +101,14 @@ require 'HTMLPurifier/AttrDef/CSS/Length.php';
 require 'HTMLPurifier/AttrDef/CSS/ListStyle.php';
 require 'HTMLPurifier/AttrDef/CSS/Multiple.php';
 require 'HTMLPurifier/AttrDef/CSS/Percentage.php';
 require 'HTMLPurifier/AttrDef/CSS/Ratio.php';
 require 'HTMLPurifier/AttrDef/CSS/TextDecoration.php';
 require 'HTMLPurifier/AttrDef/CSS/URI.php';
 require 'HTMLPurifier/AttrDef/HTML/Bool.php';
 require 'HTMLPurifier/AttrDef/HTML/Nmtokens.php';
 require 'HTMLPurifier/AttrDef/HTML/Class.php';
 require 'HTMLPurifier/AttrDef/HTML/Color.php';
 require 'HTMLPurifier/AttrDef/HTML/ContentEditable.php';
 require 'HTMLPurifier/AttrDef/HTML/FrameTarget.php';
 require 'HTMLPurifier/AttrDef/HTML/ID.php';
 require 'HTMLPurifier/AttrDef/HTML/Pixels.php';
--- a/library/HTMLPurifier.php
+++ b/library/HTMLPurifier.php
@@ -19,7 +19,7 @@
 */
 /*
-    HTML Purifier 4.9.3 - Standards Compliant HTML Filtering
+    HTML Purifier 4.18.0 - Standards Compliant HTML Filtering
    Copyright (C) 2006-2008 Edward Z. Yang
    This library is free software; you can redistribute it and/or
@@ -58,12 +58,12 @@ class HTMLPurifier
     * Version of HTML Purifier.
     * @type string
     */
-    public $version = '4.9.3';
+    public $version = '4.18.0';
    /**
     * Constant with version of HTML Purifier.
     */
-    const VERSION = '4.9.3';
+    const VERSION = '4.18.0';
    /**
     * Global configuration object.
@@ -240,12 +240,17 @@ class HTMLPurifier
    public function purifyArray($array_of_html, $config = null)
    {
        $context_array = array();
-        foreach ($array_of_html as $key => $html) {
+        $array = array();
-            $array_of_html[$key] = $this->purify($html, $config);
+        foreach($array_of_html as $key=>$value){
            if (is_array($value)) {
                $array[$key] = $this->purifyArray($value, $config);
            } else {
                $array[$key] = $this->purify($value, $config);
            }
            $context_array[$key] = $this->context;
        }
        $this->context = $context_array;
-        return $array_of_html;
+        return $array;
    }
    /**
--- a/library/HTMLPurifier.safe-includes.php
+++ b/library/HTMLPurifier.safe-includes.php
@@ -95,12 +95,14 @@ require_once $__dir . '/HTMLPurifier/AttrDef/CSS/Length.php';
 require_once $__dir . '/HTMLPurifier/AttrDef/CSS/ListStyle.php';
 require_once $__dir . '/HTMLPurifier/AttrDef/CSS/Multiple.php';
 require_once $__dir . '/HTMLPurifier/AttrDef/CSS/Percentage.php';
 require_once $__dir . '/HTMLPurifier/AttrDef/CSS/Ratio.php';
 require_once $__dir . '/HTMLPurifier/AttrDef/CSS/TextDecoration.php';
 require_once $__dir . '/HTMLPurifier/AttrDef/CSS/URI.php';
 require_once $__dir . '/HTMLPurifier/AttrDef/HTML/Bool.php';
 require_once $__dir . '/HTMLPurifier/AttrDef/HTML/Nmtokens.php';
 require_once $__dir . '/HTMLPurifier/AttrDef/HTML/Class.php';
 require_once $__dir . '/HTMLPurifier/AttrDef/HTML/Color.php';
 require_once $__dir . '/HTMLPurifier/AttrDef/HTML/ContentEditable.php';
 require_once $__dir . '/HTMLPurifier/AttrDef/HTML/FrameTarget.php';
 require_once $__dir . '/HTMLPurifier/AttrDef/HTML/ID.php';
 require_once $__dir . '/HTMLPurifier/AttrDef/HTML/Pixels.php';
--- a/library/HTMLPurifier/AttrDef/CSS.php
+++ b/library/HTMLPurifier/AttrDef/CSS.php
@@ -27,6 +27,13 @@ class HTMLPurifier_AttrDef_CSS extends HTMLPurifier_AttrDef
        $definition = $config->getCSSDefinition();
        $allow_duplicates = $config->get("CSS.AllowDuplicates");
        $universal_attrdef = new HTMLPurifier_AttrDef_Enum(
            array(
                'initial',
                'inherit',
                'unset',
            )
        );
        // According to the CSS2.1 spec, the places where a
        // non-delimiting semicolon can appear are in strings
@@ -96,16 +103,13 @@ class HTMLPurifier_AttrDef_CSS extends HTMLPurifier_AttrDef
            if (!$ok) {
                continue;
            }
-            // inefficient call, since the validator will do this again
+            $result = $universal_attrdef->validate($value, $config, $context);
-            if (strtolower(trim($value)) !== 'inherit') {
+            if ($result === false) {
                // inherit works for everything (but only on the base property)
                $result = $definition->info[$property]->validate(
                    $value,
                    $config,
                    $context
                );
            } else {
                $result = 'inherit';
            }
            if ($result === false) {
                continue;
--- a/library/HTMLPurifier/AttrDef/CSS/Background.php
+++ b/library/HTMLPurifier/AttrDef/CSS/Background.php
@@ -25,6 +25,7 @@ class HTMLPurifier_AttrDef_CSS_Background extends HTMLPurifier_AttrDef
        $this->info['background-repeat'] = $def->info['background-repeat'];
        $this->info['background-attachment'] = $def->info['background-attachment'];
        $this->info['background-position'] = $def->info['background-position'];
        $this->info['background-size'] = $def->info['background-size'];
    }
    /**
@@ -53,6 +54,7 @@ class HTMLPurifier_AttrDef_CSS_Background extends HTMLPurifier_AttrDef
        $caught['repeat'] = false;
        $caught['attachment'] = false;
        $caught['position'] = false;
        $caught['size'] = false;
        $i = 0; // number of catches
--- a/library/HTMLPurifier/AttrDef/CSS/FontFamily.php
+++ b/library/HTMLPurifier/AttrDef/CSS/FontFamily.php
@@ -10,23 +10,21 @@ class HTMLPurifier_AttrDef_CSS_FontFamily extends HTMLPurifier_AttrDef
    public function __construct()
    {
-        $this->mask = '_- ';
+        // Lowercase letters
-        for ($c = 'a'; $c <= 'z'; $c++) {
+        $l = range('a', 'z');
-            $this->mask .= $c;
+        // Uppercase letters
-        }
+        $u = range('A', 'Z');
-        for ($c = 'A'; $c <= 'Z'; $c++) {
+        // Digits
-            $this->mask .= $c;
+        $d = range('0', '9');
-        }
+        // Special bytes used by UTF-8
-        for ($c = '0'; $c <= '9'; $c++) {
+        $b = array_map('chr', range(0x80, 0xFF));
-            $this->mask .= $c;
+        // All valid characters for the mask
-        } // cast-y, but should be fine
+        $c = array_merge($l, $u, $d, $b);
-        // special bytes used by UTF-8
+        // Concatenate all valid characters into a string 
-        for ($i = 0x80; $i <= 0xFF; $i++) {
+        // Use '_- ' as an initial value
-            // We don't bother excluding invalid bytes in this range,
+        $this->mask = array_reduce($c, function ($carry, $value) {
-            // because the our restriction of well-formed UTF-8 will
+            return $carry . $value;
-            // prevent these from ever occurring.
+        }, '_- ');
            $this->mask .= chr($i);
        }
        /*
            PHP's internal strcspn implementation is
--- a/library/HTMLPurifier/AttrDef/CSS/Number.php
+++ b/library/HTMLPurifier/AttrDef/CSS/Number.php
@@ -69,7 +69,13 @@ class HTMLPurifier_AttrDef_CSS_Number extends HTMLPurifier_AttrDef
            return false;
        }
-        $left = ltrim($left, '0');
+        // Remove leading zeros until positive number or a zero stays left
        if (ltrim($left, '0') != '') {
            $left = ltrim($left, '0');
        } else {
            $left = '0';
        }
        $right = rtrim($right, '0');
        if ($right === '') {
--- a/library/HTMLPurifier/AttrDef/CSS/Ratio.php
+++ b/library/HTMLPurifier/AttrDef/CSS/Ratio.php
@@ -0,0 +1,46 @@
 <?php
 /**
 * Validates a ratio as defined by the CSS spec.
 */
 class HTMLPurifier_AttrDef_CSS_Ratio extends HTMLPurifier_AttrDef
 {
    /**
     * @param   string               $ratio   Ratio to validate
     * @param   HTMLPurifier_Config  $config  Configuration options
     * @param   HTMLPurifier_Context $context Context
     *
     * @return  string|boolean
     *
     * @warning Some contexts do not pass $config, $context. These
     *          variables should not be used without checking HTMLPurifier_Length
     */
    public function validate($ratio, $config, $context)
    {
        $ratio = $this->parseCDATA($ratio);
        $parts = explode('/', $ratio, 2);
        $length = count($parts);
        if ($length < 1 || $length > 2) {
            return false;
        }
        $num = new \HTMLPurifier_AttrDef_CSS_Number();
        if ($length === 1) {
            return $num->validate($parts[0], $config, $context);
        }
        $num1 = $num->validate($parts[0], $config, $context);
        $num2 = $num->validate($parts[1], $config, $context);
        if ($num1 === false || $num2 === false) {
            return false;
        }
        return $num1 . '/' . $num2;
    }
 }
 // vim: et sw=4 sts=4
--- a/library/HTMLPurifier/AttrDef/HTML/Bool.php
+++ b/library/HTMLPurifier/AttrDef/HTML/Bool.php
@@ -7,7 +7,7 @@ class HTMLPurifier_AttrDef_HTML_Bool extends HTMLPurifier_AttrDef
 {
    /**
-     * @type bool
+     * @type string
     */
    protected $name;
@@ -17,7 +17,7 @@ class HTMLPurifier_AttrDef_HTML_Bool extends HTMLPurifier_AttrDef
    public $minimized = true;
    /**
-     * @param bool $name
+     * @param bool|string $name
     */
    public function __construct($name = false)
    {
--- a/library/HTMLPurifier/AttrDef/HTML/ContentEditable.php
+++ b/library/HTMLPurifier/AttrDef/HTML/ContentEditable.php
@@ -0,0 +1,16 @@
 <?php
 class HTMLPurifier_AttrDef_HTML_ContentEditable extends HTMLPurifier_AttrDef
 {
    public function validate($string, $config, $context)
    {
        $allowed = array('false');
        if ($config->get('HTML.Trusted')) {
            $allowed = array('', 'true', 'false');
        }
        $enum = new HTMLPurifier_AttrDef_Enum($allowed);
        return $enum->validate($string, $config, $context);
    }
 }
--- a/library/HTMLPurifier/AttrDef/URI/Host.php
+++ b/library/HTMLPurifier/AttrDef/URI/Host.php
@@ -63,24 +63,18 @@ class HTMLPurifier_AttrDef_URI_Host extends HTMLPurifier_AttrDef
        // This doesn't match I18N domain names, but we don't have proper IRI support,
        // so force users to insert Punycode.
-        // There is not a good sense in which underscores should be
+        // Underscores defined as Unreserved Characters in RFC 3986 are
-        // allowed, since it's technically not! (And if you go as
+        // allowed in a URI. There are cases where we want to consider a
-        // far to allow everything as specified by the DNS spec...
+        // URI containing "_" such as "_dmarc.example.com".
-        // well, that's literally everything, modulo some space limits
+        // Underscores are not allowed in the default. If you want to
-        // for the components and the overall name (which, by the way,
+        // allow it, set Core.AllowHostnameUnderscore to true.
        // we are NOT checking!).  So we (arbitrarily) decide this:
        // let's allow underscores wherever we would have allowed
        // hyphens, if they are enabled.  This is a pretty good match
        // for browser behavior, for example, a large number of browsers
        // cannot handle foo_.example.com, but foo_bar.example.com is
        // fairly well supported.
        $underscore = $config->get('Core.AllowHostnameUnderscore') ? '_' : '';
        // Based off of RFC 1738, but amended so that
        // as per RFC 3696, the top label need only not be all numeric.
        // The productions describing this are:
        $a   = '[a-z]';     // alpha
-        $an  = '[a-z0-9]';  // alphanum
+        $an  = "[a-z0-9$underscore]";  // alphanum
        $and = "[a-z0-9-$underscore]"; // alphanum | "-"
        // domainlabel = alphanum | alphanum *( alphanum | "-" ) alphanum
        $domainlabel = "$an(?:$and*$an)?";
@@ -97,12 +91,16 @@ class HTMLPurifier_AttrDef_URI_Host extends HTMLPurifier_AttrDef
        // PHP 5.3 and later support this functionality natively
        if (function_exists('idn_to_ascii')) {
-            $string = idn_to_ascii($string);
+            if (defined('IDNA_NONTRANSITIONAL_TO_ASCII') && defined('INTL_IDNA_VARIANT_UTS46')) {
                $string = idn_to_ascii($string, IDNA_NONTRANSITIONAL_TO_ASCII, INTL_IDNA_VARIANT_UTS46);
            } else {
                $string = idn_to_ascii($string);
            }
        // If we have Net_IDNA2 support, we can support IRIs by
        // punycoding them. (This is the most portable thing to do,
        // since otherwise we have to assume browsers support
-        } elseif ($config->get('Core.EnableIDNA')) {
+        } elseif ($config->get('Core.EnableIDNA') && class_exists('Net_IDNA2')) {
            $idna = new Net_IDNA2(array('encoding' => 'utf8', 'overlong' => false, 'strict' => true));
            // we need to encode each period separately
            $parts = explode('.', $string);
--- a/library/HTMLPurifier/AttrTransform/NameSync.php
+++ b/library/HTMLPurifier/AttrTransform/NameSync.php
@@ -8,6 +8,11 @@
 class HTMLPurifier_AttrTransform_NameSync extends HTMLPurifier_AttrTransform
 {
    /**
     * @type HTMLPurifier_AttrDef_HTML_ID
     */
    public $idDef;
    public function __construct()
    {
        $this->idDef = new HTMLPurifier_AttrDef_HTML_ID();
--- a/library/HTMLPurifier/AttrTransform/SafeParam.php
+++ b/library/HTMLPurifier/AttrTransform/SafeParam.php
@@ -24,6 +24,11 @@ class HTMLPurifier_AttrTransform_SafeParam extends HTMLPurifier_AttrTransform
     */
    private $uri;
    /**
     * @type HTMLPurifier_AttrDef_Enum
     */
    public $wmode;
    public function __construct()
    {
        $this->uri = new HTMLPurifier_AttrDef_URI(true); // embedded
--- a/library/HTMLPurifier/AttrTransform/TargetBlank.php
+++ b/library/HTMLPurifier/AttrTransform/TargetBlank.php
@@ -33,7 +33,11 @@ class HTMLPurifier_AttrTransform_TargetBlank extends HTMLPurifier_AttrTransform
        // XXX Kind of inefficient
        $url = $this->parser->parse($attr['href']);
-        $scheme = $url->getSchemeObj($config, $context);
+        
        // Ignore invalid schemes (e.g. `javascript:`)
        if (!($scheme = $url->getSchemeObj($config, $context))) {
            return $attr;
        }
        if ($scheme->browsable && !$url->isBenign($config, $context)) {
            $attr['target'] = '_blank';
--- a/library/HTMLPurifier/AttrTypes.php
+++ b/library/HTMLPurifier/AttrTypes.php
@@ -41,6 +41,7 @@ class HTMLPurifier_AttrTypes
        $this->info['IAlign']   = self::makeEnum('top,middle,bottom,left,right');
        $this->info['LAlign']   = self::makeEnum('top,bottom,left,right');
        $this->info['FrameTarget'] = new HTMLPurifier_AttrDef_HTML_FrameTarget();
        $this->info['ContentEditable'] = new HTMLPurifier_AttrDef_HTML_ContentEditable();
        // unimplemented aliases
        $this->info['ContentType'] = new HTMLPurifier_AttrDef_Text();
@@ -76,7 +77,7 @@ class HTMLPurifier_AttrTypes
        }
        if (!isset($this->info[$type])) {
-            trigger_error('Cannot retrieve undefined attribute type ' . $type, E_USER_ERROR);
+            throw new Exception('Cannot retrieve undefined attribute type ' . $type);
            return;
        }
        return $this->info[$type]->make($string);
--- a/library/HTMLPurifier/Bootstrap.php
+++ b/library/HTMLPurifier/Bootstrap.php
@@ -79,44 +79,11 @@ class HTMLPurifier_Bootstrap
    public static function registerAutoload()
    {
        $autoload = array('HTMLPurifier_Bootstrap', 'autoload');
-        if (($funcs = spl_autoload_functions()) === false) {
+        if (spl_autoload_functions() === false) {
            spl_autoload_register($autoload);
-        } elseif (function_exists('spl_autoload_unregister')) {
+        } else {
-            if (version_compare(PHP_VERSION, '5.3.0', '>=')) {
+            // prepend flag exists, no need for shenanigans
-                // prepend flag exists, no need for shenanigans
+            spl_autoload_register($autoload, true, true);
                spl_autoload_register($autoload, true, true);
            } else {
                $buggy  = version_compare(PHP_VERSION, '5.2.11', '<');
                $compat = version_compare(PHP_VERSION, '5.1.2', '<=') &&
                          version_compare(PHP_VERSION, '5.1.0', '>=');
                foreach ($funcs as $func) {
                    if ($buggy && is_array($func)) {
                        // :TRICKY: There are some compatibility issues and some
                        // places where we need to error out
                        $reflector = new ReflectionMethod($func[0], $func[1]);
                        if (!$reflector->isStatic()) {
                            throw new Exception(
                                'HTML Purifier autoloader registrar is not compatible
                                with non-static object methods due to PHP Bug #44144;
                                Please do not use HTMLPurifier.autoload.php (or any
                                file that includes this file); instead, place the code:
                                spl_autoload_register(array(\'HTMLPurifier_Bootstrap\', \'autoload\'))
                                after your own autoloaders.'
                            );
                        }
                        // Suprisingly, spl_autoload_register supports the
                        // Class::staticMethod callback format, although call_user_func doesn't
                        if ($compat) {
                            $func = implode('::', $func);
                        }
                    }
                    spl_autoload_unregister($func);
                }
                spl_autoload_register($autoload);
                foreach ($funcs as $func) {
                    spl_autoload_register($func);
                }
            }
        }
    }
 }
--- a/library/HTMLPurifier/CSSDefinition.php
+++ b/library/HTMLPurifier/CSSDefinition.php
@@ -13,7 +13,7 @@ class HTMLPurifier_CSSDefinition extends HTMLPurifier_Definition
     * Assoc array of attribute name to definition object.
     * @type HTMLPurifier_AttrDef[]
     */
-    public $info = array();
+    public $info = [];
    /**
     * Constructs the info array.  The meat of this class.
@@ -22,7 +22,7 @@ class HTMLPurifier_CSSDefinition extends HTMLPurifier_Definition
    protected function doSetup($config)
    {
        $this->info['text-align'] = new HTMLPurifier_AttrDef_Enum(
-            array('left', 'right', 'center', 'justify'),
+            ['left', 'right', 'center', 'justify'],
            false
        );
@@ -31,7 +31,7 @@ class HTMLPurifier_CSSDefinition extends HTMLPurifier_Definition
            $this->info['border-right-style'] =
            $this->info['border-left-style'] =
            $this->info['border-top-style'] = new HTMLPurifier_AttrDef_Enum(
-                array(
+                [
                    'none',
                    'hidden',
                    'dotted',
@@ -42,42 +42,42 @@ class HTMLPurifier_CSSDefinition extends HTMLPurifier_Definition
                    'ridge',
                    'inset',
                    'outset'
-                ),
+                ],
                false
            );
        $this->info['border-style'] = new HTMLPurifier_AttrDef_CSS_Multiple($border_style);
        $this->info['clear'] = new HTMLPurifier_AttrDef_Enum(
-            array('none', 'left', 'right', 'both'),
+            ['none', 'left', 'right', 'both'],
            false
        );
        $this->info['float'] = new HTMLPurifier_AttrDef_Enum(
-            array('none', 'left', 'right'),
+            ['none', 'left', 'right'],
            false
        );
        $this->info['font-style'] = new HTMLPurifier_AttrDef_Enum(
-            array('normal', 'italic', 'oblique'),
+            ['normal', 'italic', 'oblique'],
            false
        );
        $this->info['font-variant'] = new HTMLPurifier_AttrDef_Enum(
-            array('normal', 'small-caps'),
+            ['normal', 'small-caps'],
            false
        );
        $uri_or_none = new HTMLPurifier_AttrDef_CSS_Composite(
-            array(
+            [
-                new HTMLPurifier_AttrDef_Enum(array('none')),
+                new HTMLPurifier_AttrDef_Enum(['none']),
                new HTMLPurifier_AttrDef_CSS_URI()
-            )
+            ]
        );
        $this->info['list-style-position'] = new HTMLPurifier_AttrDef_Enum(
-            array('inside', 'outside'),
+            ['inside', 'outside'],
            false
        );
        $this->info['list-style-type'] = new HTMLPurifier_AttrDef_Enum(
-            array(
+            [
                'disc',
                'circle',
                'square',
@@ -87,7 +87,7 @@ class HTMLPurifier_CSSDefinition extends HTMLPurifier_Definition
                'lower-alpha',
                'upper-alpha',
                'none'
-            ),
+            ],
            false
        );
        $this->info['list-style-image'] = $uri_or_none;
@@ -95,30 +95,44 @@ class HTMLPurifier_CSSDefinition extends HTMLPurifier_Definition
        $this->info['list-style'] = new HTMLPurifier_AttrDef_CSS_ListStyle($config);
        $this->info['text-transform'] = new HTMLPurifier_AttrDef_Enum(
-            array('capitalize', 'uppercase', 'lowercase', 'none'),
+            ['capitalize', 'uppercase', 'lowercase', 'none'],
            false
        );
        $this->info['color'] = new HTMLPurifier_AttrDef_CSS_Color();
        $this->info['background-image'] = $uri_or_none;
        $this->info['background-repeat'] = new HTMLPurifier_AttrDef_Enum(
-            array('repeat', 'repeat-x', 'repeat-y', 'no-repeat')
+            ['repeat', 'repeat-x', 'repeat-y', 'no-repeat']
        );
        $this->info['background-attachment'] = new HTMLPurifier_AttrDef_Enum(
-            array('scroll', 'fixed')
+            ['scroll', 'fixed']
        );
        $this->info['background-position'] = new HTMLPurifier_AttrDef_CSS_BackgroundPosition();
        $this->info['background-size'] = new HTMLPurifier_AttrDef_CSS_Composite(
            [
                new HTMLPurifier_AttrDef_Enum(
                    [
                        'auto',
                        'cover',
                        'contain',
                    ]
                ),
                new HTMLPurifier_AttrDef_CSS_Percentage(),
                new HTMLPurifier_AttrDef_CSS_Length()
            ]
        );
        $border_color =
            $this->info['border-top-color'] =
            $this->info['border-bottom-color'] =
            $this->info['border-left-color'] =
            $this->info['border-right-color'] =
            $this->info['background-color'] = new HTMLPurifier_AttrDef_CSS_Composite(
-                array(
+                [
-                    new HTMLPurifier_AttrDef_Enum(array('transparent')),
+                    new HTMLPurifier_AttrDef_Enum(['transparent']),
                    new HTMLPurifier_AttrDef_CSS_Color()
-                )
+                ]
            );
        $this->info['background'] = new HTMLPurifier_AttrDef_CSS_Background($config);
@@ -130,32 +144,32 @@ class HTMLPurifier_CSSDefinition extends HTMLPurifier_Definition
            $this->info['border-bottom-width'] =
            $this->info['border-left-width'] =
            $this->info['border-right-width'] = new HTMLPurifier_AttrDef_CSS_Composite(
-                array(
+                [
-                    new HTMLPurifier_AttrDef_Enum(array('thin', 'medium', 'thick')),
+                    new HTMLPurifier_AttrDef_Enum(['thin', 'medium', 'thick']),
                    new HTMLPurifier_AttrDef_CSS_Length('0') //disallow negative
-                )
+                ]
            );
        $this->info['border-width'] = new HTMLPurifier_AttrDef_CSS_Multiple($border_width);
        $this->info['letter-spacing'] = new HTMLPurifier_AttrDef_CSS_Composite(
-            array(
+            [
-                new HTMLPurifier_AttrDef_Enum(array('normal')),
+                new HTMLPurifier_AttrDef_Enum(['normal']),
                new HTMLPurifier_AttrDef_CSS_Length()
-            )
+            ]
        );
        $this->info['word-spacing'] = new HTMLPurifier_AttrDef_CSS_Composite(
-            array(
+            [
-                new HTMLPurifier_AttrDef_Enum(array('normal')),
+                new HTMLPurifier_AttrDef_Enum(['normal']),
                new HTMLPurifier_AttrDef_CSS_Length()
-            )
+            ]
        );
        $this->info['font-size'] = new HTMLPurifier_AttrDef_CSS_Composite(
-            array(
+            [
                new HTMLPurifier_AttrDef_Enum(
-                    array(
+                    [
                        'xx-small',
                        'x-small',
                        'small',
@@ -165,20 +179,20 @@ class HTMLPurifier_CSSDefinition extends HTMLPurifier_Definition
                        'xx-large',
                        'larger',
                        'smaller'
-                    )
+                    ]
                ),
                new HTMLPurifier_AttrDef_CSS_Percentage(),
                new HTMLPurifier_AttrDef_CSS_Length()
-            )
+            ]
        );
        $this->info['line-height'] = new HTMLPurifier_AttrDef_CSS_Composite(
-            array(
+            [
-                new HTMLPurifier_AttrDef_Enum(array('normal')),
+                new HTMLPurifier_AttrDef_Enum(['normal']),
                new HTMLPurifier_AttrDef_CSS_Number(true), // no negatives
                new HTMLPurifier_AttrDef_CSS_Length('0'),
                new HTMLPurifier_AttrDef_CSS_Percentage(true)
-            )
+            ]
        );
        $margin =
@@ -186,11 +200,11 @@ class HTMLPurifier_CSSDefinition extends HTMLPurifier_Definition
            $this->info['margin-bottom'] =
            $this->info['margin-left'] =
            $this->info['margin-right'] = new HTMLPurifier_AttrDef_CSS_Composite(
-                array(
+                [
                    new HTMLPurifier_AttrDef_CSS_Length(),
                    new HTMLPurifier_AttrDef_CSS_Percentage(),
-                    new HTMLPurifier_AttrDef_Enum(array('auto'))
+                    new HTMLPurifier_AttrDef_Enum(['auto'])
-                )
+                ]
            );
        $this->info['margin'] = new HTMLPurifier_AttrDef_CSS_Multiple($margin);
@@ -201,34 +215,43 @@ class HTMLPurifier_CSSDefinition extends HTMLPurifier_Definition
            $this->info['padding-bottom'] =
            $this->info['padding-left'] =
            $this->info['padding-right'] = new HTMLPurifier_AttrDef_CSS_Composite(
-                array(
+                [
                    new HTMLPurifier_AttrDef_CSS_Length('0'),
                    new HTMLPurifier_AttrDef_CSS_Percentage(true)
-                )
+                ]
            );
        $this->info['padding'] = new HTMLPurifier_AttrDef_CSS_Multiple($padding);
        $this->info['text-indent'] = new HTMLPurifier_AttrDef_CSS_Composite(
-            array(
+            [
                new HTMLPurifier_AttrDef_CSS_Length(),
                new HTMLPurifier_AttrDef_CSS_Percentage()
-            )
+            ]
        );
        $trusted_wh = new HTMLPurifier_AttrDef_CSS_Composite(
-            array(
+            [
                new HTMLPurifier_AttrDef_CSS_Length('0'),
                new HTMLPurifier_AttrDef_CSS_Percentage(true),
-                new HTMLPurifier_AttrDef_Enum(array('auto'))
+                new HTMLPurifier_AttrDef_Enum(['auto'])
-            )
+            ]
        );
        $trusted_min_wh = new HTMLPurifier_AttrDef_CSS_Composite(
            [
                new HTMLPurifier_AttrDef_CSS_Length('0'),
                new HTMLPurifier_AttrDef_CSS_Percentage(true),
            ]
        );
        $trusted_max_wh = new HTMLPurifier_AttrDef_CSS_Composite(
            [
                new HTMLPurifier_AttrDef_CSS_Length('0'),
                new HTMLPurifier_AttrDef_CSS_Percentage(true),
                new HTMLPurifier_AttrDef_Enum(['none'])
            ]
        );
        $max = $config->get('CSS.MaxImgLength');
        $this->info['min-width'] =
        $this->info['max-width'] =
        $this->info['min-height'] =
        $this->info['max-height'] =
        $this->info['width'] =
        $this->info['height'] =
            $max === null ?
@@ -237,22 +260,73 @@ class HTMLPurifier_CSSDefinition extends HTMLPurifier_Definition
                    'img',
                    // For img tags:
                    new HTMLPurifier_AttrDef_CSS_Composite(
-                        array(
+                        [
                            new HTMLPurifier_AttrDef_CSS_Length('0', $max),
-                            new HTMLPurifier_AttrDef_Enum(array('auto'))
+                            new HTMLPurifier_AttrDef_Enum(['auto'])
-                        )
+                        ]
                    ),
                    // For everyone else:
                    $trusted_wh
                );
        $this->info['min-width'] =
        $this->info['min-height'] =
            $max === null ?
                $trusted_min_wh :
                new HTMLPurifier_AttrDef_Switch(
                    'img',
                    // For img tags:
                    new HTMLPurifier_AttrDef_CSS_Length('0', $max),
                    // For everyone else:
                    $trusted_min_wh
                );
        $this->info['max-width'] =
        $this->info['max-height'] =
            $max === null ?
                $trusted_max_wh :
                new HTMLPurifier_AttrDef_Switch(
                    'img',
                    // For img tags:
                    new HTMLPurifier_AttrDef_CSS_Composite(
                        [
                            new HTMLPurifier_AttrDef_CSS_Length('0', $max),
                            new HTMLPurifier_AttrDef_Enum(['none'])
                        ]
                    ),
                    // For everyone else:
                    $trusted_max_wh
                );
        $this->info['aspect-ratio'] = new HTMLPurifier_AttrDef_CSS_Multiple(
            new HTMLPurifier_AttrDef_CSS_Composite([
                new HTMLPurifier_AttrDef_CSS_Ratio(),
                new HTMLPurifier_AttrDef_Enum(['auto']),
            ])
        );
        // text-decoration and related shorthands
        $this->info['text-decoration'] = new HTMLPurifier_AttrDef_CSS_TextDecoration();
        $this->info['text-decoration-line'] = new HTMLPurifier_AttrDef_Enum(
            ['none', 'underline', 'overline', 'line-through']
        );
        $this->info['text-decoration-style'] = new HTMLPurifier_AttrDef_Enum(
            ['solid', 'double', 'dotted', 'dashed', 'wavy']
        );
        $this->info['text-decoration-color'] = new HTMLPurifier_AttrDef_CSS_Color();
        $this->info['text-decoration-thickness'] = new HTMLPurifier_AttrDef_CSS_Composite([
            new HTMLPurifier_AttrDef_CSS_Length(),
            new HTMLPurifier_AttrDef_CSS_Percentage(),
            new HTMLPurifier_AttrDef_Enum(['auto', 'from-font'])
        ]);
        $this->info['font-family'] = new HTMLPurifier_AttrDef_CSS_FontFamily();
        // this could use specialized code
        $this->info['font-weight'] = new HTMLPurifier_AttrDef_Enum(
-            array(
+            [
                'normal',
                'bold',
                'bolder',
@@ -266,7 +340,7 @@ class HTMLPurifier_CSSDefinition extends HTMLPurifier_Definition
                '700',
                '800',
                '900'
-            ),
+            ],
            false
        );
@@ -282,21 +356,21 @@ class HTMLPurifier_CSSDefinition extends HTMLPurifier_Definition
        $this->info['border-right'] = new HTMLPurifier_AttrDef_CSS_Border($config);
        $this->info['border-collapse'] = new HTMLPurifier_AttrDef_Enum(
-            array('collapse', 'separate')
+            ['collapse', 'separate']
        );
        $this->info['caption-side'] = new HTMLPurifier_AttrDef_Enum(
-            array('top', 'bottom')
+            ['top', 'bottom']
        );
        $this->info['table-layout'] = new HTMLPurifier_AttrDef_Enum(
-            array('auto', 'fixed')
+            ['auto', 'fixed']
        );
        $this->info['vertical-align'] = new HTMLPurifier_AttrDef_CSS_Composite(
-            array(
+            [
                new HTMLPurifier_AttrDef_Enum(
-                    array(
+                    [
                        'baseline',
                        'sub',
                        'super',
@@ -305,11 +379,11 @@ class HTMLPurifier_CSSDefinition extends HTMLPurifier_Definition
                        'middle',
                        'bottom',
                        'text-bottom'
-                    )
+                    ]
                ),
                new HTMLPurifier_AttrDef_CSS_Length(),
                new HTMLPurifier_AttrDef_CSS_Percentage()
-            )
+            ]
        );
        $this->info['border-spacing'] = new HTMLPurifier_AttrDef_CSS_Multiple(new HTMLPurifier_AttrDef_CSS_Length(), 2);
@@ -317,7 +391,7 @@ class HTMLPurifier_CSSDefinition extends HTMLPurifier_Definition
        // These CSS properties don't work on many browsers, but we live
        // in THE FUTURE!
        $this->info['white-space'] = new HTMLPurifier_AttrDef_Enum(
-            array('nowrap', 'normal', 'pre', 'pre-wrap', 'pre-line')
+            ['nowrap', 'normal', 'pre', 'pre-wrap', 'pre-line']
        );
        if ($config->get('CSS.Proprietary')) {
@@ -364,21 +438,21 @@ class HTMLPurifier_CSSDefinition extends HTMLPurifier_Definition
        // more CSS3
        $this->info['page-break-after'] =
        $this->info['page-break-before'] = new HTMLPurifier_AttrDef_Enum(
-            array(
+            [
                'auto',
                'always',
                'avoid',
                'left',
                'right'
-            )
+            ]
        );
-        $this->info['page-break-inside'] = new HTMLPurifier_AttrDef_Enum(array('auto', 'avoid'));
+        $this->info['page-break-inside'] = new HTMLPurifier_AttrDef_Enum(['auto', 'avoid']);
        $border_radius = new HTMLPurifier_AttrDef_CSS_Composite(
-            array(
+            [
                new HTMLPurifier_AttrDef_CSS_Percentage(true), // disallow negative
                new HTMLPurifier_AttrDef_CSS_Length('0') // disallow negative
-            ));
+            ]);
        $this->info['border-top-left-radius'] =
        $this->info['border-top-right-radius'] =
@@ -395,7 +469,7 @@ class HTMLPurifier_CSSDefinition extends HTMLPurifier_Definition
    protected function doSetupTricky($config)
    {
        $this->info['display'] = new HTMLPurifier_AttrDef_Enum(
-            array(
+            [
                'inline',
                'block',
                'list-item',
@@ -414,12 +488,12 @@ class HTMLPurifier_CSSDefinition extends HTMLPurifier_Definition
                'table-cell',
                'table-caption',
                'none'
-            )
+            ]
        );
        $this->info['visibility'] = new HTMLPurifier_AttrDef_Enum(
-            array('visible', 'hidden', 'collapse')
+            ['visible', 'hidden', 'collapse']
        );
-        $this->info['overflow'] = new HTMLPurifier_AttrDef_Enum(array('visible', 'hidden', 'auto', 'scroll'));
+        $this->info['overflow'] = new HTMLPurifier_AttrDef_Enum(['visible', 'hidden', 'auto', 'scroll']);
        $this->info['opacity'] = new HTMLPurifier_AttrDef_CSS_AlphaValue();
    }
@@ -429,23 +503,23 @@ class HTMLPurifier_CSSDefinition extends HTMLPurifier_Definition
    protected function doSetupTrusted($config)
    {
        $this->info['position'] = new HTMLPurifier_AttrDef_Enum(
-            array('static', 'relative', 'absolute', 'fixed')
+            ['static', 'relative', 'absolute', 'fixed']
        );
        $this->info['top'] =
        $this->info['left'] =
        $this->info['right'] =
        $this->info['bottom'] = new HTMLPurifier_AttrDef_CSS_Composite(
-            array(
+            [
                new HTMLPurifier_AttrDef_CSS_Length(),
                new HTMLPurifier_AttrDef_CSS_Percentage(),
-                new HTMLPurifier_AttrDef_Enum(array('auto')),
+                new HTMLPurifier_AttrDef_Enum(['auto']),
-            )
+            ]
        );
        $this->info['z-index'] = new HTMLPurifier_AttrDef_CSS_Composite(
-            array(
+            [
                new HTMLPurifier_AttrDef_Integer(),
-                new HTMLPurifier_AttrDef_Enum(array('auto')),
+                new HTMLPurifier_AttrDef_Enum(['auto']),
-            )
+            ]
        );
    }
--- a/library/HTMLPurifier/ChildDef/Custom.php
+++ b/library/HTMLPurifier/ChildDef/Custom.php
@@ -45,7 +45,7 @@ class HTMLPurifier_ChildDef_Custom extends HTMLPurifier_ChildDef
    protected function _compileRegex()
    {
        $raw = str_replace(' ', '', $this->dtd_regex);
-        if ($raw{0} != '(') {
+        if ($raw[0] != '(') {
            $raw = "($raw)";
        }
        $el = '[#a-zA-Z0-9_.-]+';
--- a/library/HTMLPurifier/ChildDef/List.php
+++ b/library/HTMLPurifier/ChildDef/List.php
@@ -22,6 +22,8 @@ class HTMLPurifier_ChildDef_List extends HTMLPurifier_ChildDef
    // XXX: This whole business with 'wrap' is all a bit unsatisfactory
    public $elements = array('li' => true, 'ul' => true, 'ol' => true);
    public $whitespace;
    /**
     * @param array $children
     * @param HTMLPurifier_Config $config
--- a/library/HTMLPurifier/ChildDef/Table.php
+++ b/library/HTMLPurifier/ChildDef/Table.php
@@ -164,7 +164,7 @@ class HTMLPurifier_ChildDef_Table extends HTMLPurifier_ChildDef
            }
        }
-        if (empty($content)) {
+        if (empty($content) && $thead === false && $tfoot === false) {
            return false;
        }
@@ -190,6 +190,9 @@ class HTMLPurifier_ChildDef_Table extends HTMLPurifier_ChildDef
            $current_tr_tbody = null;
            foreach($content as $node) {
                if (!isset($node->name)) {
                    continue;
                }
                switch ($node->name) {
                case 'tbody':
                    $current_tr_tbody = null;
--- a/library/HTMLPurifier/Config.php
+++ b/library/HTMLPurifier/Config.php
@@ -21,7 +21,7 @@ class HTMLPurifier_Config
     * HTML Purifier's version
     * @type string
     */
-    public $version = '4.9.3';
+    public $version = '4.18.0';
    /**
     * Whether or not to automatically finalize
@@ -408,7 +408,7 @@ class HTMLPurifier_Config
     *             maybeGetRawHTMLDefinition, which is more explicitly
     *             named, instead.
     *
-     * @return HTMLPurifier_HTMLDefinition
+     * @return HTMLPurifier_HTMLDefinition|null
     */
    public function getHTMLDefinition($raw = false, $optimized = false)
    {
@@ -427,7 +427,7 @@ class HTMLPurifier_Config
     *             maybeGetRawCSSDefinition, which is more explicitly
     *             named, instead.
     *
-     * @return HTMLPurifier_CSSDefinition
+     * @return HTMLPurifier_CSSDefinition|null
     */
    public function getCSSDefinition($raw = false, $optimized = false)
    {
@@ -446,7 +446,7 @@ class HTMLPurifier_Config
     *             maybeGetRawURIDefinition, which is more explicitly
     *             named, instead.
     *
-     * @return HTMLPurifier_URIDefinition
+     * @return HTMLPurifier_URIDefinition|null
     */
    public function getURIDefinition($raw = false, $optimized = false)
    {
@@ -468,7 +468,7 @@ class HTMLPurifier_Config
     *        maybe semantics is the "right thing to do."
     *
     * @throws HTMLPurifier_Exception
-     * @return HTMLPurifier_Definition
+     * @return HTMLPurifier_Definition|null
     */
    public function getDefinition($type, $raw = false, $optimized = false)
    {
@@ -647,7 +647,7 @@ class HTMLPurifier_Config
    }
    /**
-     * @return HTMLPurifier_HTMLDefinition
+     * @return HTMLPurifier_HTMLDefinition|null
     */
    public function maybeGetRawHTMLDefinition()
    {
@@ -655,7 +655,7 @@ class HTMLPurifier_Config
    }
    /**
-     * @return HTMLPurifier_CSSDefinition
+     * @return HTMLPurifier_CSSDefinition|null
     */
    public function maybeGetRawCSSDefinition()
    {
@@ -663,7 +663,7 @@ class HTMLPurifier_Config
    }
    /**
-     * @return HTMLPurifier_URIDefinition
+     * @return HTMLPurifier_URIDefinition|null
     */
    public function maybeGetRawURIDefinition()
    {
@@ -803,7 +803,7 @@ class HTMLPurifier_Config
        if ($index !== false) {
            $array = (isset($array[$index]) && is_array($array[$index])) ? $array[$index] : array();
        }
-        $mq = $mq_fix && function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
+        $mq = $mq_fix && version_compare(PHP_VERSION, '7.4.0', '<') && function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
        $allowed = HTMLPurifier_Config::getAllowedDirectivesForForm($allowed, $schema);
        $ret = array();
@@ -890,7 +890,7 @@ class HTMLPurifier_Config
            // zip(tail(trace), trace) -- but PHP is not Haskell har har
            for ($i = 0, $c = count($trace); $i < $c - 1; $i++) {
                // XXX this is not correct on some versions of HTML Purifier
-                if ($trace[$i + 1]['class'] === 'HTMLPurifier_Config') {
+                if (isset($trace[$i + 1]['class']) && $trace[$i + 1]['class'] === 'HTMLPurifier_Config') {
                    continue;
                }
                $frame = $trace[$i];
@@ -898,7 +898,11 @@ class HTMLPurifier_Config
                break;
            }
        }
-        trigger_error($msg . $extra, $no);
+        if ($no == E_USER_ERROR) {
          throw new Exception($msg . $extra);
        } else {
          trigger_error($msg . $extra, $no);
        }
    }
    /**
--- a/library/HTMLPurifier/ConfigSchema.php
+++ b/library/HTMLPurifier/ConfigSchema.php
@@ -100,7 +100,7 @@ class HTMLPurifier_ConfigSchema
     * @param string $key Name of directive
     * @param mixed $default Default value of directive
     * @param string $type Allowed type of the directive. See
-     *      HTMLPurifier_DirectiveDef::$type for allowed values
+     *      HTMLPurifier_VarParser::$types for allowed values
     * @param bool $allow_null Whether or not to allow null values
     */
    public function add($key, $default, $type, $allow_null)
--- a/library/HTMLPurifier/ConfigSchema/schema.ser
+++ b/library/HTMLPurifier/ConfigSchema/schema.ser
--- a/library/HTMLPurifier/ConfigSchema/schema/AutoFormat.RemoveEmpty.RemoveNbsp.txt
+++ b/library/HTMLPurifier/ConfigSchema/schema/AutoFormat.RemoveEmpty.RemoveNbsp.txt
@@ -6,7 +6,7 @@ DEFAULT: false
 <p>
  When enabled, HTML Purifier will treat any elements that contain only
  non-breaking spaces as well as regular whitespace as empty, and remove
-  them when %AutoForamt.RemoveEmpty is enabled.
+  them when %AutoFormat.RemoveEmpty is enabled.
 </p>
 <p>
  See %AutoFormat.RemoveEmpty.RemoveNbsp.Exceptions for a list of elements
--- a/library/HTMLPurifier/ConfigSchema/schema/Core.AllowParseManyTags.txt
+++ b/library/HTMLPurifier/ConfigSchema/schema/Core.AllowParseManyTags.txt
@@ -0,0 +1,12 @@
 Core.AllowParseManyTags
 TYPE: bool
 DEFAULT: false
 VERSION: 4.10.1
 --DESCRIPTION--
 <p>
    This directive allows parsing of many nested tags.
    If you set true, relaxes any hardcoded limit from the parser.
    However, in that case it may cause a Dos attack.
    Be careful when enabling it.
 </p>
 --# vim: et sw=4 sts=4
--- a/library/HTMLPurifier/ConfigSchema/schema/Core.ColorKeywords.txt
+++ b/library/HTMLPurifier/ConfigSchema/schema/Core.ColorKeywords.txt
@@ -3,23 +3,154 @@ TYPE: hash
 VERSION: 2.0.0
 --DEFAULT--
 array (
-  'maroon' => '#800000',
+  'aliceblue' => '#F0F8FF',
-  'red' => '#FF0000',
+  'antiquewhite' => '#FAEBD7',
  'orange' => '#FFA500',
  'yellow' => '#FFFF00',
  'olive' => '#808000',
  'purple' => '#800080',
  'fuchsia' => '#FF00FF',
  'white' => '#FFFFFF',
  'lime' => '#00FF00',
  'green' => '#008000',
  'navy' => '#000080',
  'blue' => '#0000FF',
  'aqua' => '#00FFFF',
-  'teal' => '#008080',
+  'aquamarine' => '#7FFFD4',
  'azure' => '#F0FFFF',
  'beige' => '#F5F5DC',
  'bisque' => '#FFE4C4',
  'black' => '#000000',
-  'silver' => '#C0C0C0',
+  'blanchedalmond' => '#FFEBCD',
  'blue' => '#0000FF',
  'blueviolet' => '#8A2BE2',
  'brown' => '#A52A2A',
  'burlywood' => '#DEB887',
  'cadetblue' => '#5F9EA0',
  'chartreuse' => '#7FFF00',
  'chocolate' => '#D2691E',
  'coral' => '#FF7F50',
  'cornflowerblue' => '#6495ED',
  'cornsilk' => '#FFF8DC',
  'crimson' => '#DC143C',
  'cyan' => '#00FFFF',
  'darkblue' => '#00008B',
  'darkcyan' => '#008B8B',
  'darkgoldenrod' => '#B8860B',
  'darkgray' => '#A9A9A9',
  'darkgrey' => '#A9A9A9',
  'darkgreen' => '#006400',
  'darkkhaki' => '#BDB76B',
  'darkmagenta' => '#8B008B',
  'darkolivegreen' => '#556B2F',
  'darkorange' => '#FF8C00',
  'darkorchid' => '#9932CC',
  'darkred' => '#8B0000',
  'darksalmon' => '#E9967A',
  'darkseagreen' => '#8FBC8F',
  'darkslateblue' => '#483D8B',
  'darkslategray' => '#2F4F4F',
  'darkslategrey' => '#2F4F4F',
  'darkturquoise' => '#00CED1',
  'darkviolet' => '#9400D3',
  'deeppink' => '#FF1493',
  'deepskyblue' => '#00BFFF',
  'dimgray' => '#696969',
  'dimgrey' => '#696969',
  'dodgerblue' => '#1E90FF',
  'firebrick' => '#B22222',
  'floralwhite' => '#FFFAF0',
  'forestgreen' => '#228B22',
  'fuchsia' => '#FF00FF',
  'gainsboro' => '#DCDCDC',
  'ghostwhite' => '#F8F8FF',
  'gold' => '#FFD700',
  'goldenrod' => '#DAA520',
  'gray' => '#808080',
  'grey' => '#808080',
  'green' => '#008000',
  'greenyellow' => '#ADFF2F',
  'honeydew' => '#F0FFF0',
  'hotpink' => '#FF69B4',
  'indianred' => '#CD5C5C',
  'indigo' => '#4B0082',
  'ivory' => '#FFFFF0',
  'khaki' => '#F0E68C',
  'lavender' => '#E6E6FA',
  'lavenderblush' => '#FFF0F5',
  'lawngreen' => '#7CFC00',
  'lemonchiffon' => '#FFFACD',
  'lightblue' => '#ADD8E6',
  'lightcoral' => '#F08080',
  'lightcyan' => '#E0FFFF',
  'lightgoldenrodyellow' => '#FAFAD2',
  'lightgray' => '#D3D3D3',
  'lightgrey' => '#D3D3D3',
  'lightgreen' => '#90EE90',
  'lightpink' => '#FFB6C1',
  'lightsalmon' => '#FFA07A',
  'lightseagreen' => '#20B2AA',
  'lightskyblue' => '#87CEFA',
  'lightslategray' => '#778899',
  'lightslategrey' => '#778899',
  'lightsteelblue' => '#B0C4DE',
  'lightyellow' => '#FFFFE0',
  'lime' => '#00FF00',
  'limegreen' => '#32CD32',
  'linen' => '#FAF0E6',
  'magenta' => '#FF00FF',
  'maroon' => '#800000',
  'mediumaquamarine' => '#66CDAA',
  'mediumblue' => '#0000CD',
  'mediumorchid' => '#BA55D3',
  'mediumpurple' => '#9370DB',
  'mediumseagreen' => '#3CB371',
  'mediumslateblue' => '#7B68EE',
  'mediumspringgreen' => '#00FA9A',
  'mediumturquoise' => '#48D1CC',
  'mediumvioletred' => '#C71585',
  'midnightblue' => '#191970',
  'mintcream' => '#F5FFFA',
  'mistyrose' => '#FFE4E1',
  'moccasin' => '#FFE4B5',
  'navajowhite' => '#FFDEAD',
  'navy' => '#000080',
  'oldlace' => '#FDF5E6',
  'olive' => '#808000',
  'olivedrab' => '#6B8E23',
  'orange' => '#FFA500',
  'orangered' => '#FF4500',
  'orchid' => '#DA70D6',
  'palegoldenrod' => '#EEE8AA',
  'palegreen' => '#98FB98',
  'paleturquoise' => '#AFEEEE',
  'palevioletred' => '#DB7093',
  'papayawhip' => '#FFEFD5',
  'peachpuff' => '#FFDAB9',
  'peru' => '#CD853F',
  'pink' => '#FFC0CB',
  'plum' => '#DDA0DD',
  'powderblue' => '#B0E0E6',
  'purple' => '#800080',
  'rebeccapurple' => '#663399',
  'red' => '#FF0000',
  'rosybrown' => '#BC8F8F',
  'royalblue' => '#4169E1',
  'saddlebrown' => '#8B4513',
  'salmon' => '#FA8072',
  'sandybrown' => '#F4A460',
  'seagreen' => '#2E8B57',
  'seashell' => '#FFF5EE',
  'sienna' => '#A0522D',
  'silver' => '#C0C0C0',
  'skyblue' => '#87CEEB',
  'slateblue' => '#6A5ACD',
  'slategray' => '#708090',
  'slategrey' => '#708090',
  'snow' => '#FFFAFA',
  'springgreen' => '#00FF7F',
  'steelblue' => '#4682B4',
  'tan' => '#D2B48C',
  'teal' => '#008080',
  'thistle' => '#D8BFD8',
  'tomato' => '#FF6347',
  'turquoise' => '#40E0D0',
  'violet' => '#EE82EE',
  'wheat' => '#F5DEB3',
  'white' => '#FFFFFF',
  'whitesmoke' => '#F5F5F5',
  'yellow' => '#FFFF00',
  'yellowgreen' => '#9ACD32'
 )
 --DESCRIPTION--
--- a/library/HTMLPurifier/ConfigSchema/schema/Core.RemoveBlanks.txt
+++ b/library/HTMLPurifier/ConfigSchema/schema/Core.RemoveBlanks.txt
@@ -0,0 +1,10 @@
 Core.RemoveBlanks
 TYPE: bool
 DEFAULT: false
 VERSION: 4.18
 --DESCRIPTION--
 <p>
    If set to true, blank nodes will be removed. This can be useful for maintaining
    backwards compatibility when upgrading from previous versions of PHP.
 </p>
 --# vim: et sw=4 sts=4
--- a/library/HTMLPurifier/ConfigSchema/schema/HTML.Forms.txt
+++ b/library/HTMLPurifier/ConfigSchema/schema/HTML.Forms.txt
@@ -0,0 +1,11 @@
 HTML.Forms
 TYPE: bool
 VERSION: 4.13.0
 DEFAULT: false
 --DESCRIPTION--
 <p>
    Whether or not to permit form elements in the user input, regardless of
    %HTML.Trusted value. Please be very careful when using this functionality, as
    enabling forms in untrusted documents may allow for phishing attacks.
 </p>
 --# vim: et sw=4 sts=4
--- a/library/HTMLPurifier/DefinitionCache/Serializer.php
+++ b/library/HTMLPurifier/DefinitionCache/Serializer.php
@@ -217,9 +217,14 @@ class HTMLPurifier_DefinitionCache_Serializer extends HTMLPurifier_DefinitionCac
        $directory = $this->generateDirectoryPath($config);
        $chmod = $config->get('Cache.SerializerPermissions');
        if ($chmod === null) {
-            // TODO: This races
+            if (!@mkdir($directory) && !is_dir($directory)) {
-            if (is_dir($directory)) return true;
+                trigger_error(
-            return mkdir($directory);
+                    'Could not create directory ' . $directory . '',
                    E_USER_WARNING
                );
                return false;
            }
            return true;
        }
        if (!is_dir($directory)) {
            $base = $this->generateBaseDirectoryPath($config);
@@ -233,7 +238,7 @@ class HTMLPurifier_DefinitionCache_Serializer extends HTMLPurifier_DefinitionCac
            } elseif (!$this->_testPermissions($base, $chmod)) {
                return false;
            }
-            if (!mkdir($directory, $chmod)) {
+            if (!@mkdir($directory, $chmod) && !is_dir($directory)) {
                trigger_error(
                    'Could not create directory ' . $directory . '',
                    E_USER_WARNING
@@ -282,13 +287,14 @@ class HTMLPurifier_DefinitionCache_Serializer extends HTMLPurifier_DefinitionCac
            } elseif (filegroup($dir) === posix_getgid()) {
                $chmod = $chmod | 0070;
            } else {
-                // PHP's probably running as nobody, so we'll
+              // PHP's probably running as nobody, it is
-                // need to give global permissions
+              // not obvious how to fix this (777 is probably
-                $chmod = $chmod | 0777;
+              // bad if you are multi-user), let the user figure it out
                $chmod = null;
            }
            trigger_error(
-                'Directory ' . $dir . ' not writable, ' .
+                'Directory ' . $dir . ' not writable. ' .
-                'please chmod to ' . decoct($chmod),
+                ($chmod === null ? '' : 'Please chmod to ' . decoct($chmod)),
                E_USER_WARNING
            );
        } else {
--- a/library/HTMLPurifier/DefinitionCacheFactory.php
+++ b/library/HTMLPurifier/DefinitionCacheFactory.php
@@ -71,7 +71,7 @@ class HTMLPurifier_DefinitionCacheFactory
            return $this->caches[$method][$type];
        }
        if (isset($this->implementations[$method]) &&
-            class_exists($class = $this->implementations[$method], false)) {
+            class_exists($class = $this->implementations[$method])) {
            $cache = new $class($type);
        } else {
            if ($method != 'Serializer') {
--- a/library/HTMLPurifier/DoctypeRegistry.php
+++ b/library/HTMLPurifier/DoctypeRegistry.php
@@ -86,7 +86,7 @@ class HTMLPurifier_DoctypeRegistry
            $doctype = $this->aliases[$doctype];
        }
        if (!isset($this->doctypes[$doctype])) {
-            trigger_error('Doctype ' . htmlspecialchars($doctype) . ' does not exist', E_USER_ERROR);
+            throw new Exception('Doctype ' . htmlspecialchars($doctype) . ' does not exist');
            $anon = new HTMLPurifier_Doctype($doctype);
            return $anon;
        }
--- a/library/HTMLPurifier/ElementDef.php
+++ b/library/HTMLPurifier/ElementDef.php
@@ -176,7 +176,7 @@ class HTMLPurifier_ElementDef
        if (!empty($def->content_model)) {
            $this->content_model =
-                str_replace("#SUPER", $this->content_model, $def->content_model);
+                str_replace("#SUPER", (string)$this->content_model, $def->content_model);
            $this->child = false;
        }
        if (!empty($def->content_model_type)) {
--- a/library/HTMLPurifier/Encoder.php
+++ b/library/HTMLPurifier/Encoder.php
@@ -159,7 +159,7 @@ class HTMLPurifier_Encoder
        $len = strlen($str);
        for ($i = 0; $i < $len; $i++) {
-            $in = ord($str{$i});
+            $in = ord($str[$i]);
            $char .= $str[$i]; // append byte to char
            if (0 == $mState) {
                // When mState is zero we expect either a US-ASCII character
@@ -390,7 +390,7 @@ class HTMLPurifier_Encoder
            $str = self::unsafeIconv($encoding, 'utf-8//IGNORE', $str);
            if ($str === false) {
                // $encoding is not a valid encoding
-                trigger_error('Invalid encoding ' . $encoding, E_USER_ERROR);
+                throw new Exception('Invalid encoding ' . $encoding);
                return '';
            }
            // If the string is bjorked by Shift_JIS or a similar encoding
@@ -398,8 +398,8 @@ class HTMLPurifier_Encoder
            // characters to their true byte-wise ASCII/UTF-8 equivalents.
            $str = strtr($str, self::testEncodingSupportsASCII($encoding));
            return $str;
-        } elseif ($encoding === 'iso-8859-1') {
+        } elseif ($encoding === 'iso-8859-1' && function_exists('mb_convert_encoding')) {
-            $str = utf8_encode($str);
+            $str = mb_convert_encoding($str, 'UTF-8', 'ISO-8859-1');
            return $str;
        }
        $bug = HTMLPurifier_Encoder::testIconvTruncateBug();
@@ -450,8 +450,8 @@ class HTMLPurifier_Encoder
            // Normal stuff
            $str = self::iconv('utf-8', $encoding . '//IGNORE', $str);
            return $str;
-        } elseif ($encoding === 'iso-8859-1') {
+        } elseif ($encoding === 'iso-8859-1' && function_exists('mb_convert_encoding')) {
-            $str = utf8_decode($str);
+            $str = mb_convert_encoding($str, 'ISO-8859-1', 'UTF-8');
            return $str;
        }
        trigger_error('Encoding not supported', E_USER_ERROR);
--- a/library/HTMLPurifier/EntityParser.php
+++ b/library/HTMLPurifier/EntityParser.php
@@ -116,9 +116,9 @@ class HTMLPurifier_EntityParser
    protected function entityCallback($matches)
    {
        $entity = $matches[0];
-        $hex_part = @$matches[1];
+        $hex_part = isset($matches[1]) ? $matches[1] : null;
-        $dec_part = @$matches[2];
+        $dec_part = isset($matches[2]) ? $matches[2] : null;
-        $named_part = empty($matches[3]) ? @$matches[4] : $matches[3];
+        $named_part = empty($matches[3]) ? (empty($matches[4]) ? "" : $matches[4]) : $matches[3];
        if ($hex_part !== NULL && $hex_part !== "") {
            return HTMLPurifier_Encoder::unichr(hexdec($hex_part));
        } elseif ($dec_part !== NULL && $dec_part !== "") {
--- a/library/HTMLPurifier/Filter/ExtractStyleBlocks.php
+++ b/library/HTMLPurifier/Filter/ExtractStyleBlocks.php
@@ -54,6 +54,11 @@ class HTMLPurifier_Filter_ExtractStyleBlocks extends HTMLPurifier_Filter
     */
    private $_enum_attrdef;
    /**
     * @type HTMLPurifier_AttrDef_Enum
     */
    private $_universal_attrdef;
    public function __construct()
    {
        $this->_tidy = new csstidy();
@@ -70,6 +75,13 @@ class HTMLPurifier_Filter_ExtractStyleBlocks extends HTMLPurifier_Filter
                'focus'
            )
        );
        $this->_universal_attrdef = new HTMLPurifier_AttrDef_Enum(
            array(
                'initial',
                'inherit',
                'unset',
            )
        );
    }
    /**
@@ -146,175 +158,184 @@ class HTMLPurifier_Filter_ExtractStyleBlocks extends HTMLPurifier_Filter
        foreach ($this->_tidy->css as $k => $decls) {
            // $decls are all CSS declarations inside an @ selector
            $new_decls = array();
-            foreach ($decls as $selector => $style) {
+            if (is_array($decls)) {
-                $selector = trim($selector);
+                foreach ($decls as $selector => $style) {
-                if ($selector === '') {
+                    $selector = trim($selector);
-                    continue;
+                    if ($selector === '') {
-                } // should not happen
+                        continue;
-                // Parse the selector
+                    } // should not happen
-                // Here is the relevant part of the CSS grammar:
+                    // Parse the selector
-                //
+                    // Here is the relevant part of the CSS grammar:
-                // ruleset
+                    //
-                //   : selector [ ',' S* selector ]* '{' ...
+                    // ruleset
-                // selector
+                    //   : selector [ ',' S* selector ]* '{' ...
-                //   : simple_selector [ combinator selector | S+ [ combinator? selector ]? ]?
+                    // selector
-                // combinator
+                    //   : simple_selector [ combinator selector | S+ [ combinator? selector ]? ]?
-                //   : '+' S*
+                    // combinator
-                //   : '>' S*
+                    //   : '+' S*
-                // simple_selector
+                    //   : '>' S*
-                //   : element_name [ HASH | class | attrib | pseudo ]*
+                    // simple_selector
-                //   | [ HASH | class | attrib | pseudo ]+
+                    //   : element_name [ HASH | class | attrib | pseudo ]*
-                // element_name
+                    //   | [ HASH | class | attrib | pseudo ]+
-                //   : IDENT | '*'
+                    // element_name
-                //   ;
+                    //   : IDENT | '*'
-                // class
+                    //   ;
-                //   : '.' IDENT
+                    // class
-                //   ;
+                    //   : '.' IDENT
-                // attrib
+                    //   ;
-                //   : '[' S* IDENT S* [ [ '=' | INCLUDES | DASHMATCH ] S*
+                    // attrib
-                //     [ IDENT | STRING ] S* ]? ']'
+                    //   : '[' S* IDENT S* [ [ '=' | INCLUDES | DASHMATCH ] S*
-                //   ;
+                    //     [ IDENT | STRING ] S* ]? ']'
-                // pseudo
+                    //   ;
-                //   : ':' [ IDENT | FUNCTION S* [IDENT S*]? ')' ]
+                    // pseudo
-                //   ;
+                    //   : ':' [ IDENT | FUNCTION S* [IDENT S*]? ')' ]
-                //
+                    //   ;
-                // For reference, here are the relevant tokens:
+                    //
-                //
+                    // For reference, here are the relevant tokens:
-                // HASH         #{name}
+                    //
-                // IDENT        {ident}
+                    // HASH         #{name}
-                // INCLUDES     ==
+                    // IDENT        {ident}
-                // DASHMATCH    |=
+                    // INCLUDES     ==
-                // STRING       {string}
+                    // DASHMATCH    |=
-                // FUNCTION     {ident}\(
+                    // STRING       {string}
-                //
+                    // FUNCTION     {ident}\(
-                // And the lexical scanner tokens
+                    //
-                //
+                    // And the lexical scanner tokens
-                // name         {nmchar}+
+                    //
-                // nmchar       [_a-z0-9-]|{nonascii}|{escape}
+                    // name         {nmchar}+
-                // nonascii     [\240-\377]
+                    // nmchar       [_a-z0-9-]|{nonascii}|{escape}
-                // escape       {unicode}|\\[^\r\n\f0-9a-f]
+                    // nonascii     [\240-\377]
-                // unicode      \\{h}}{1,6}(\r\n|[ \t\r\n\f])?
+                    // escape       {unicode}|\\[^\r\n\f0-9a-f]
-                // ident        -?{nmstart}{nmchar*}
+                    // unicode      \\{h}}{1,6}(\r\n|[ \t\r\n\f])?
-                // nmstart      [_a-z]|{nonascii}|{escape}
+                    // ident        -?{nmstart}{nmchar*}
-                // string       {string1}|{string2}
+                    // nmstart      [_a-z]|{nonascii}|{escape}
-                // string1      \"([^\n\r\f\\"]|\\{nl}|{escape})*\"
+                    // string       {string1}|{string2}
-                // string2      \'([^\n\r\f\\"]|\\{nl}|{escape})*\'
+                    // string1      \"([^\n\r\f\\"]|\\{nl}|{escape})*\"
-                //
+                    // string2      \'([^\n\r\f\\"]|\\{nl}|{escape})*\'
-                // We'll implement a subset (in order to reduce attack
+                    //
-                // surface); in particular:
+                    // We'll implement a subset (in order to reduce attack
-                //
+                    // surface); in particular:
-                //      - No Unicode support
+                    //
-                //      - No escapes support
+                    //      - No Unicode support
-                //      - No string support (by proxy no attrib support)
+                    //      - No escapes support
-                //      - element_name is matched against allowed
+                    //      - No string support (by proxy no attrib support)
-                //        elements (some people might find this
+                    //      - element_name is matched against allowed
-                //        annoying...)
+                    //        elements (some people might find this
-                //      - Pseudo-elements one of :first-child, :link,
+                    //        annoying...)
-                //        :visited, :active, :hover, :focus
+                    //      - Pseudo-elements one of :first-child, :link,
                    //        :visited, :active, :hover, :focus
-                // handle ruleset
+                    // handle ruleset
-                $selectors = array_map('trim', explode(',', $selector));
+                    $selectors = array_map('trim', explode(',', $selector));
-                $new_selectors = array();
+                    $new_selectors = array();
-                foreach ($selectors as $sel) {
+                    foreach ($selectors as $sel) {
-                    // split on +, > and spaces
+                        // split on +, > and spaces
-                    $basic_selectors = preg_split('/\s*([+> ])\s*/', $sel, -1, PREG_SPLIT_DELIM_CAPTURE);
+                        $basic_selectors = preg_split('/\s*([+> ])\s*/', $sel, -1, PREG_SPLIT_DELIM_CAPTURE);
-                    // even indices are chunks, odd indices are
+                        // even indices are chunks, odd indices are
-                    // delimiters
+                        // delimiters
-                    $nsel = null;
+                        $nsel = null;
-                    $delim = null; // guaranteed to be non-null after
+                        $delim = null; // guaranteed to be non-null after
-                    // two loop iterations
+                        // two loop iterations
-                    for ($i = 0, $c = count($basic_selectors); $i < $c; $i++) {
+                        for ($i = 0, $c = count($basic_selectors); $i < $c; $i++) {
-                        $x = $basic_selectors[$i];
+                            $x = $basic_selectors[$i];
-                        if ($i % 2) {
+                            if ($i % 2) {
-                            // delimiter
+                                // delimiter
-                            if ($x === ' ') {
+                                if ($x === ' ') {
-                                $delim = ' ';
+                                    $delim = ' ';
                            } else {
                                $delim = ' ' . $x . ' ';
                            }
                        } else {
                            // simple selector
                            $components = preg_split('/([#.:])/', $x, -1, PREG_SPLIT_DELIM_CAPTURE);
                            $sdelim = null;
                            $nx = null;
                            for ($j = 0, $cc = count($components); $j < $cc; $j++) {
                                $y = $components[$j];
                                if ($j === 0) {
                                    if ($y === '*' || isset($html_definition->info[$y = strtolower($y)])) {
                                        $nx = $y;
                                    } else {
                                        // $nx stays null; this matters
                                        // if we don't manage to find
                                        // any valid selector content,
                                        // in which case we ignore the
                                        // outer $delim
                                    }
                                } elseif ($j % 2) {
                                    // set delimiter
                                    $sdelim = $y;
                                } else {
-                                    $attrdef = null;
+                                    $delim = ' ' . $x . ' ';
                                    if ($sdelim === '#') {
                                        $attrdef = $this->_id_attrdef;
                                    } elseif ($sdelim === '.') {
                                        $attrdef = $this->_class_attrdef;
                                    } elseif ($sdelim === ':') {
                                        $attrdef = $this->_enum_attrdef;
                                    } else {
                                        throw new HTMLPurifier_Exception('broken invariant sdelim and preg_split');
                                    }
                                    $r = $attrdef->validate($y, $config, $context);
                                    if ($r !== false) {
                                        if ($r !== true) {
                                            $y = $r;
                                        }
                                        if ($nx === null) {
                                            $nx = '';
                                        }
                                        $nx .= $sdelim . $y;
                                    }
                                }
                            }
                            if ($nx !== null) {
                                if ($nsel === null) {
                                    $nsel = $nx;
                                } else {
                                    $nsel .= $delim . $nx;
                                }
                            } else {
-                                // delimiters to the left of invalid
+                                // simple selector
-                                // basic selector ignored
+                                $components = preg_split('/([#.:])/', $x, -1, PREG_SPLIT_DELIM_CAPTURE);
                                $sdelim = null;
                                $nx = null;
                                for ($j = 0, $cc = count($components); $j < $cc; $j++) {
                                    $y = $components[$j];
                                    if ($j === 0) {
                                        if ($y === '*' || isset($html_definition->info[$y = strtolower($y)])) {
                                            $nx = $y;
                                        } else {
                                            // $nx stays null; this matters
                                            // if we don't manage to find
                                            // any valid selector content,
                                            // in which case we ignore the
                                            // outer $delim
                                        }
                                    } elseif ($j % 2) {
                                        // set delimiter
                                        $sdelim = $y;
                                    } else {
                                        $attrdef = null;
                                        if ($sdelim === '#') {
                                            $attrdef = $this->_id_attrdef;
                                        } elseif ($sdelim === '.') {
                                            $attrdef = $this->_class_attrdef;
                                        } elseif ($sdelim === ':') {
                                            $attrdef = $this->_enum_attrdef;
                                        } else {
                                            throw new HTMLPurifier_Exception('broken invariant sdelim and preg_split');
                                        }
                                        $r = $attrdef->validate($y, $config, $context);
                                        if ($r !== false) {
                                            if ($r !== true) {
                                                $y = $r;
                                            }
                                            if ($nx === null) {
                                                $nx = '';
                                            }
                                            $nx .= $sdelim . $y;
                                        }
                                    }
                                }
                                if ($nx !== null) {
                                    if ($nsel === null) {
                                        $nsel = $nx;
                                    } else {
                                        $nsel .= $delim . $nx;
                                    }
                                } else {
                                    // delimiters to the left of invalid
                                    // basic selector ignored
                                }
                            }
                        }
                        if ($nsel !== null) {
                            if (!empty($scopes)) {
                                foreach ($scopes as $s) {
                                    $new_selectors[] = "$s $nsel";
                                }
                            } else {
                                $new_selectors[] = $nsel;
                            }
                        }
                    }
-                    if ($nsel !== null) {
+                    if (empty($new_selectors)) {
                        if (!empty($scopes)) {
                            foreach ($scopes as $s) {
                                $new_selectors[] = "$s $nsel";
                            }
                        } else {
                            $new_selectors[] = $nsel;
                        }
                    }
                }
                if (empty($new_selectors)) {
                    continue;
                }
                $selector = implode(', ', $new_selectors);
                foreach ($style as $name => $value) {
                    if (!isset($css_definition->info[$name])) {
                        unset($style[$name]);
                        continue;
                    }
-                    $def = $css_definition->info[$name];
+                    $selector = implode(', ', $new_selectors);
-                    $ret = $def->validate($value, $config, $context);
+                    foreach ($style as $name => $value) {
-                    if ($ret === false) {
+                        if (!isset($css_definition->info[$name])) {
-                        unset($style[$name]);
+                            unset($style[$name]);
-                    } else {
+                            continue;
-                        $style[$name] = $ret;
+                        }
                        $uni_ret = $this->_universal_attrdef->validate($value, $config, $context);
                        if ($uni_ret !== false) {
                            $style[$name] = $uni_ret;
                            continue;
                        }
                        $def = $css_definition->info[$name];
                        $ret = $def->validate($value, $config, $context);
                        if ($ret === false) {
                            unset($style[$name]);
                        } else {
                            $style[$name] = $ret;
                        }
                    }
                    $new_decls[$selector] = $style;
                }
-                $new_decls[$selector] = $style;
+            } else {
                continue;
            }
            $new_css[$k] = $new_decls;
        }
--- a/library/HTMLPurifier/HTMLDefinition.php
+++ b/library/HTMLPurifier/HTMLDefinition.php
@@ -264,9 +264,8 @@ class HTMLPurifier_HTMLDefinition extends HTMLPurifier_Definition
        if (isset($this->info_content_sets['Block'][$block_wrapper])) {
            $this->info_block_wrapper = $block_wrapper;
        } else {
-            trigger_error(
+            throw new Exception(
-                'Cannot use non-block element as block wrapper',
+                'Cannot use non-block element as block wrapper'
                E_USER_ERROR
            );
        }
--- a/library/HTMLPurifier/HTMLModule.php
+++ b/library/HTMLPurifier/HTMLModule.php
@@ -132,9 +132,9 @@ class HTMLPurifier_HTMLModule
     * @param string $element Name of element to add
     * @param string|bool $type What content set should element be registered to?
     *              Set as false to skip this step.
-     * @param string $contents Allowed children in form of:
+     * @param string|HTMLPurifier_ChildDef $contents Allowed children in form of:
     *              "$content_model_type: $content_model"
-     * @param array $attr_includes What attribute collections to register to
+     * @param array|string $attr_includes What attribute collections to register to
     *              element?
     * @param array $attr What unique attributes does the element define?
     * @see HTMLPurifier_ElementDef:: for in-depth descriptions of these parameters.
@@ -257,8 +257,9 @@ class HTMLPurifier_HTMLModule
     */
    public function makeLookup($list)
    {
        $args = func_get_args();
        if (is_string($list)) {
-            $list = func_get_args();
+            $list = $args;
        }
        $ret = array();
        foreach ($list as $value) {
--- a/library/HTMLPurifier/HTMLModule/CommonAttributes.php
+++ b/library/HTMLPurifier/HTMLModule/CommonAttributes.php
@@ -17,6 +17,7 @@ class HTMLPurifier_HTMLModule_CommonAttributes extends HTMLPurifier_HTMLModule
            'class' => 'Class',
            'id' => 'ID',
            'title' => 'CDATA',
            'contenteditable' => 'ContentEditable',
        ),
        'Lang' => array(),
        'I18N' => array(
--- a/library/HTMLPurifier/HTMLModule/Forms.php
+++ b/library/HTMLPurifier/HTMLModule/Forms.php
@@ -28,6 +28,10 @@ class HTMLPurifier_HTMLModule_Forms extends HTMLPurifier_HTMLModule
     */
    public function setup($config)
    {
        if ($config->get('HTML.Forms')) {
            $this->safe = true;
        }
        $form = $this->addElement(
            'form',
            'Form',
--- a/library/HTMLPurifier/HTMLModule/Iframe.php
+++ b/library/HTMLPurifier/HTMLModule/Iframe.php
@@ -28,22 +28,28 @@ class HTMLPurifier_HTMLModule_Iframe extends HTMLPurifier_HTMLModule
        if ($config->get('HTML.SafeIframe')) {
            $this->safe = true;
        }
        $attrs = array(
            'src' => 'URI#embedded',
            'width' => 'Length',
            'height' => 'Length',
            'name' => 'ID',
            'scrolling' => 'Enum#yes,no,auto',
            'frameborder' => 'Enum#0,1',
            'longdesc' => 'URI',
            'marginheight' => 'Pixels',
            'marginwidth' => 'Pixels',
        );
        if ($config->get('HTML.Trusted')) {
            $attrs['allowfullscreen'] = 'Bool#allowfullscreen';
        }
        $this->addElement(
            'iframe',
            'Inline',
            'Flow',
            'Common',
-            array(
+            $attrs
                'src' => 'URI#embedded',
                'width' => 'Length',
                'height' => 'Length',
                'name' => 'ID',
                'scrolling' => 'Enum#yes,no,auto',
                'frameborder' => 'Enum#0,1',
                'longdesc' => 'URI',
                'marginheight' => 'Pixels',
                'marginwidth' => 'Pixels',
            )
        );
    }
 }
--- a/library/HTMLPurifier/HTMLModule/SafeScripting.php
+++ b/library/HTMLPurifier/HTMLModule/SafeScripting.php
@@ -23,13 +23,13 @@ class HTMLPurifier_HTMLModule_SafeScripting extends HTMLPurifier_HTMLModule
        $script = $this->addElement(
            'script',
            'Inline',
-            'Empty',
+            'Optional:', // Not `Empty` to not allow to autoclose the <script /> tag @see https://www.w3.org/TR/html4/interact/scripts.html
            null,
            array(
                // While technically not required by the spec, we're forcing
                // it to this value.
                'type' => 'Enum#text/javascript',
-                'src*' => new HTMLPurifier_AttrDef_Enum(array_keys($allowed))
+                'src*' => new HTMLPurifier_AttrDef_Enum(array_keys($allowed), /*case sensitive*/ true)
            )
        );
        $script->attr_transform_pre[] =
--- a/library/HTMLPurifier/HTMLModule/Tidy.php
+++ b/library/HTMLPurifier/HTMLModule/Tidy.php
@@ -112,9 +112,8 @@ class HTMLPurifier_HTMLModule_Tidy extends HTMLPurifier_HTMLModule
            return;
        }
        if (!isset($this->fixesForLevel[$this->defaultLevel])) {
-            trigger_error(
+            throw new Exception(
-                'Default level ' . $this->defaultLevel . ' does not exist',
+                'Default level ' . $this->defaultLevel . ' does not exist'
                E_USER_ERROR
            );
            return;
        }
@@ -146,10 +145,7 @@ class HTMLPurifier_HTMLModule_Tidy extends HTMLPurifier_HTMLModule
                        $type = "info_$type";
                        $e = $this;
                    }
-                    // PHP does some weird parsing when I do
+                    $e->{$type}[$attr] = $fix;
                    // $e->$type[$attr], so I have to assign a ref.
                    $f =& $e->$type;
                    $f[$attr] = $fix;
                    break;
                case 'tag_transform':
                    $this->info_tag_transform[$params['element']] = $fix;
@@ -165,8 +161,7 @@ class HTMLPurifier_HTMLModule_Tidy extends HTMLPurifier_HTMLModule
                    $e->$type = $fix;
                    break;
                default:
-                    trigger_error("Fix type $type not supported", E_USER_ERROR);
+                    throw new Exception("Fix type $type not supported");
                    break;
            }
        }
    }
@@ -224,6 +219,7 @@ class HTMLPurifier_HTMLModule_Tidy extends HTMLPurifier_HTMLModule
     */
    public function makeFixes()
    {
        return array();
    }
 }
--- a/library/HTMLPurifier/HTMLModule/Tidy/XHTMLAndHTML4.php
+++ b/library/HTMLPurifier/HTMLModule/Tidy/XHTMLAndHTML4.php
@@ -96,6 +96,7 @@ class HTMLPurifier_HTMLModule_Tidy_XHTMLAndHTML4 extends HTMLPurifier_HTMLModule
        // @bgcolor for table, tr, td, th ---------------------------------
        $r['table@bgcolor'] =
        $r['tr@bgcolor'] =
        $r['td@bgcolor'] =
        $r['th@bgcolor'] =
            new HTMLPurifier_AttrTransform_BgColor();
@@ -167,9 +168,11 @@ class HTMLPurifier_HTMLModule_Tidy_XHTMLAndHTML4 extends HTMLPurifier_HTMLModule
        // @vspace for img ------------------------------------------------
        $r['img@vspace'] = new HTMLPurifier_AttrTransform_ImgSpace('vspace');
-        // @width for hr, td, th ------------------------------------------
+        // @width for table, hr, td, th, col ------------------------------------------
        $r['table@width'] =
        $r['td@width'] =
        $r['th@width'] =
        $r['col@width'] =
        $r['hr@width'] = new HTMLPurifier_AttrTransform_Length('width');
        return $r;
--- a/library/HTMLPurifier/Injector.php
+++ b/library/HTMLPurifier/Injector.php
@@ -157,11 +157,13 @@ abstract class HTMLPurifier_Injector
            return false;
        }
        // check for exclusion
-        for ($i = count($this->currentNesting) - 2; $i >= 0; $i--) {
+        if (!empty($this->currentNesting)) {
-            $node = $this->currentNesting[$i];
+            for ($i = count($this->currentNesting) - 2; $i >= 0; $i--) {
-            $def  = $this->htmlDefinition->info[$node->name];
+                $node = $this->currentNesting[$i];
-            if (isset($def->excludes[$name])) {
+                $def  = $this->htmlDefinition->info[$node->name];
-                return false;
+                if (isset($def->excludes[$name])) {
                    return false;
                }
            }
        }
        return true;
--- a/library/HTMLPurifier/Injector/Linkify.php
+++ b/library/HTMLPurifier/Injector/Linkify.php
@@ -40,6 +40,9 @@ class HTMLPurifier_Injector_Linkify extends HTMLPurifier_Injector
            '/\\b((?:[a-z][\\w\\-]+:(?:\\/{1,3}|[a-z0-9%])|www\\d{0,3}[.]|[a-z0-9.\\-]+[.][a-z]{2,4}\\/)(?:[^\\s()<>]|\\((?:[^\\s()<>]|(?:\\([^\\s()<>]+\\)))*\\))+(?:\\((?:[^\\s()<>]|(?:\\([^\\s()<>]+\\)))*\\)|[^\\s`!()\\[\\]{};:\'".,<>?\x{00ab}\x{00bb}\x{201c}\x{201d}\x{2018}\x{2019}]))/iu',
            $token->data, -1, PREG_SPLIT_DELIM_CAPTURE);
        if ($bits === false) {
            return;
        }
        $token = array();
--- a/library/HTMLPurifier/Injector/RemoveSpansWithoutAttributes.php
+++ b/library/HTMLPurifier/Injector/RemoveSpansWithoutAttributes.php
@@ -31,6 +31,16 @@ class HTMLPurifier_Injector_RemoveSpansWithoutAttributes extends HTMLPurifier_In
     */
    private $context;
    /**
     * @type SplObjectStorage
     */
    private $markForDeletion;
    public function __construct()
    {
        $this->markForDeletion = new SplObjectStorage();
    }
    public function prepare($config, $context)
    {
        $this->attrValidator = new HTMLPurifier_AttrValidator();
@@ -64,7 +74,7 @@ class HTMLPurifier_Injector_RemoveSpansWithoutAttributes extends HTMLPurifier_In
        if ($current instanceof HTMLPurifier_Token_End && $current->name === 'span') {
            // Mark closing span tag for deletion
-            $current->markForDeletion = true;
+            $this->markForDeletion->attach($current);
            // Delete open span tag
            $token = false;
        }
@@ -75,7 +85,8 @@ class HTMLPurifier_Injector_RemoveSpansWithoutAttributes extends HTMLPurifier_In
     */
    public function handleEnd(&$token)
    {
-        if ($token->markForDeletion) {
+        if ($this->markForDeletion->contains($token)) {
            $this->markForDeletion->detach($token);
            $token = false;
        }
    }
--- a/library/HTMLPurifier/Language/classes/en-x-test.php
+++ b/library/HTMLPurifier/Language/classes/en-x-test.php
@@ -1,9 +0,0 @@
 <?php
 // private class for unit testing
 class HTMLPurifier_Language_en_x_test extends HTMLPurifier_Language
 {
 }
 // vim: et sw=4 sts=4
--- a/library/HTMLPurifier/Language/messages/en-x-test.php
+++ b/library/HTMLPurifier/Language/messages/en-x-test.php
@@ -1,11 +0,0 @@
 <?php
 // private language message file for unit testing purposes
 $fallback = 'en';
 $messages = array(
    'HTMLPurifier' => 'HTML Purifier X'
 );
 // vim: et sw=4 sts=4
--- a/library/HTMLPurifier/Language/messages/en-x-testmini.php
+++ b/library/HTMLPurifier/Language/messages/en-x-testmini.php
@@ -1,12 +0,0 @@
 <?php
 // private language message file for unit testing purposes
 // this language file has no class associated with it
 $fallback = 'en';
 $messages = array(
    'HTMLPurifier' => 'HTML Purifier XNone'
 );
 // vim: et sw=4 sts=4
--- a/library/HTMLPurifier/LanguageFactory.php
+++ b/library/HTMLPurifier/LanguageFactory.php
@@ -109,7 +109,7 @@ class HTMLPurifier_LanguageFactory
        } else {
            $class = 'HTMLPurifier_Language_' . $pcode;
            $file  = $this->dir . '/Language/classes/' . $code . '.php';
-            if (file_exists($file) || class_exists($class, false)) {
+            if (file_exists($file) || class_exists($class)) {
                $lang = new $class($config, $context);
            } else {
                // Go fallback
--- a/library/HTMLPurifier/Length.php
+++ b/library/HTMLPurifier/Length.php
@@ -26,12 +26,14 @@ class HTMLPurifier_Length
    protected $isValid;
    /**
-     * Array Lookup array of units recognized by CSS 2.1
+     * Array Lookup array of units recognized by CSS 3
     * @type array
     */
    protected static $allowedUnits = array(
        'em' => true, 'ex' => true, 'px' => true, 'in' => true,
-        'cm' => true, 'mm' => true, 'pt' => true, 'pc' => true
+        'cm' => true, 'mm' => true, 'pt' => true, 'pc' => true,
        'ch' => true, 'rem' => true, 'vw' => true, 'vh' => true,
        'vmin' => true, 'vmax' => true
    );
    /**
@@ -76,7 +78,7 @@ class HTMLPurifier_Length
        if ($this->n === '0' && $this->unit === false) {
            return true;
        }
-        if (!ctype_lower($this->unit)) {
+        if ($this->unit === false || !ctype_lower($this->unit)) {
            $this->unit = strtolower($this->unit);
        }
        if (!isset(HTMLPurifier_Length::$allowedUnits[$this->unit])) {
--- a/library/HTMLPurifier/Lexer.php
+++ b/library/HTMLPurifier/Lexer.php
@@ -48,6 +48,11 @@ class HTMLPurifier_Lexer
     */
    public $tracksLineNumbers = false;
    /**
     * @type HTMLPurifier_EntityParser
     */
    private $_entity_parser;
    // -- STATIC ----------------------------------------------------------
    /**
@@ -96,7 +101,7 @@ class HTMLPurifier_Lexer
                        break;
                    }
-                    if (class_exists('DOMDocument', false) &&
+                    if (class_exists('DOMDocument') &&
                        method_exists('DOMDocument', 'loadHTML') &&
                        !extension_loaded('domxml')
                    ) {
@@ -264,20 +269,6 @@ class HTMLPurifier_Lexer
        );
    }
    /**
     * Special Internet Explorer conditional comments should be removed.
     * @param string $string HTML string to process.
     * @return string HTML with conditional comments removed.
     */
    protected static function removeIEConditional($string)
    {
        return preg_replace(
            '#<!--\[if [^>]+\]>.*?<!\[endif\]-->#si', // probably should generalize for all strings
            '',
            $string
        );
    }
    /**
     * Callback function for escapeCDATA() that does the work.
     *
@@ -306,8 +297,8 @@ class HTMLPurifier_Lexer
    {
        // normalize newlines to \n
        if ($config->get('Core.NormalizeNewlines')) {
-            $html = str_replace("\r\n", "\n", $html);
+            $html = str_replace("\r\n", "\n", (string)$html);
-            $html = str_replace("\r", "\n", $html);
+            $html = str_replace("\r", "\n", (string)$html);
        }
        if ($config->get('HTML.Trusted')) {
@@ -318,8 +309,6 @@ class HTMLPurifier_Lexer
        // escape CDATA
        $html = $this->escapeCDATA($html);
        $html = $this->removeIEConditional($html);
        // extract body from document if applicable
        if ($config->get('Core.ConvertDocumentToFragment')) {
            $e = false;
--- a/library/HTMLPurifier/Lexer/DOMLex.php
+++ b/library/HTMLPurifier/Lexer/DOMLex.php
@@ -68,8 +68,21 @@ class HTMLPurifier_Lexer_DOMLex extends HTMLPurifier_Lexer
        $doc = new DOMDocument();
        $doc->encoding = 'UTF-8'; // theoretically, the above has this covered
        $options = 0;
        if ($config->get('Core.AllowParseManyTags') && defined('LIBXML_PARSEHUGE')) {
            $options |= LIBXML_PARSEHUGE;
        }
        if ($config->get('Core.RemoveBlanks') && defined('LIBXML_NOBLANKS')) {
            $options |= LIBXML_NOBLANKS;
        }
        set_error_handler(array($this, 'muteErrorHandler'));
-        $doc->loadHTML($html);
+        // loadHTML() fails on PHP 5.3 when second parameter is given
        if ($options) {
            $doc->loadHTML($html, $options);
        } else {
            $doc->loadHTML($html);
        }
        restore_error_handler();
        $body = $doc->getElementsByTagName('html')->item(0)-> // <html>
@@ -94,7 +107,6 @@ class HTMLPurifier_Lexer_DOMLex extends HTMLPurifier_Lexer
     * To iterate is human, to recurse divine - L. Peter Deutsch
     * @param DOMNode $node DOMNode to be tokenized.
     * @param HTMLPurifier_Token[] $tokens   Array-list of already tokenized tokens.
     * @return HTMLPurifier_Token of node appended to previously passed tokens.
     */
    protected function tokenizeDOM($node, &$tokens, $config)
    {
@@ -126,6 +138,41 @@ class HTMLPurifier_Lexer_DOMLex extends HTMLPurifier_Lexer
        } while ($level > 0);
    }
    /**
     * Portably retrieve the tag name of a node; deals with older versions
     * of libxml like 2.7.6
     * @param DOMNode $node
     */
    protected function getTagName($node)
    {
        if (isset($node->tagName)) {
            return $node->tagName;
        } else if (isset($node->nodeName)) {
            return $node->nodeName;
        } else if (isset($node->localName)) {
            return $node->localName;
        }
        return null;
    }
    /**
     * Portably retrieve the data of a node; deals with older versions
     * of libxml like 2.7.6
     * @param DOMNode $node
     */
    protected function getData($node)
    {
        if (isset($node->data)) {
            return $node->data;
        } else if (isset($node->nodeValue)) {
            return $node->nodeValue;
        } else if (isset($node->textContent)) {
            return $node->textContent;
        }
        return null;
    }
    /**
     * @param DOMNode $node DOMNode to be tokenized.
     * @param HTMLPurifier_Token[] $tokens   Array-list of already tokenized tokens.
@@ -141,7 +188,10 @@ class HTMLPurifier_Lexer_DOMLex extends HTMLPurifier_Lexer
        // but we're not getting the character reference nodes because
        // those should have been preprocessed
        if ($node->nodeType === XML_TEXT_NODE) {
-            $tokens[] = $this->factory->createText($node->data);
+            $data = $this->getData($node); // Handle variable data property
            if ($data !== null) {
              $tokens[] = $this->factory->createText($data);
            }
            return false;
        } elseif ($node->nodeType === XML_CDATA_SECTION_NODE) {
            // undo libxml's special treatment of <script> and <style> tags
@@ -171,21 +221,20 @@ class HTMLPurifier_Lexer_DOMLex extends HTMLPurifier_Lexer
            // not-well tested: there may be other nodes we have to grab
            return false;
        }
        $attr = $node->hasAttributes() ? $this->transformAttrToAssoc($node->attributes) : array();
-
+        $tag_name = $this->getTagName($node); // Handle variable tagName property
        if (empty($tag_name)) {
            return (bool) $node->childNodes->length;
        }
        // We still have to make sure that the element actually IS empty
        if (!$node->childNodes->length) {
            if ($collect) {
-                $tokens[] = $this->factory->createEmpty($node->tagName, $attr);
+                $tokens[] = $this->factory->createEmpty($tag_name, $attr);
            }
            return false;
        } else {
            if ($collect) {
-                $tokens[] = $this->factory->createStart(
+                $tokens[] = $this->factory->createStart($tag_name, $attr);
                    $tag_name = $node->tagName, // somehow, it get's dropped
                    $attr
                );
            }
            return true;
        }
@@ -197,10 +246,10 @@ class HTMLPurifier_Lexer_DOMLex extends HTMLPurifier_Lexer
     */
    protected function createEndNode($node, &$tokens)
    {
-        $tokens[] = $this->factory->createEnd($node->tagName);
+        $tag_name = $this->getTagName($node); // Handle variable tagName property
        $tokens[] = $this->factory->createEnd($tag_name);
    }
    /**
     * Converts a DOMNamedNodeMap of DOMAttr objects into an assoc array.
     *
--- a/library/HTMLPurifier/Lexer/PH5P.php
+++ b/library/HTMLPurifier/Lexer/PH5P.php
@@ -1507,7 +1507,7 @@ class HTML5
                $entity = $this->character($start, $this->char);
                $cond = strlen($e_name) > 0;
-                // The rest of the parsing happens bellow.
+                // The rest of the parsing happens below.
                break;
            // Anything else
@@ -1535,7 +1535,7 @@ class HTML5
                }
                $cond = isset($entity);
-                // The rest of the parsing happens bellow.
+                // The rest of the parsing happens below.
                break;
        }
@@ -4410,7 +4410,7 @@ class HTML5TreeConstructer
        foreach ($token['attr'] as $attr) {
            if (!$el->hasAttribute($attr['name'])) {
-                $el->setAttribute($attr['name'], $attr['value']);
+                $el->setAttribute($attr['name'], (string)$attr['value']);
            }
        }
--- a/library/HTMLPurifier/Printer/ConfigForm.php
+++ b/library/HTMLPurifier/Printer/ConfigForm.php
@@ -32,6 +32,11 @@ class HTMLPurifier_Printer_ConfigForm extends HTMLPurifier_Printer
     */
    protected $compress = false;
    /**
     * @var HTMLPurifier_Config
     */
    protected $genConfig;
    /**
     * @param string $name Form element name for directives to be stuffed into
     * @param string $doc_url String documentation URL, will have fragment tagged on
@@ -48,7 +53,7 @@ class HTMLPurifier_Printer_ConfigForm extends HTMLPurifier_Printer
        $this->compress = $compress;
        // initialize sub-printers
        $this->fields[0] = new HTMLPurifier_Printer_ConfigForm_default();
-        $this->fields[HTMLPurifier_VarParser::BOOL] = new HTMLPurifier_Printer_ConfigForm_bool();
+        $this->fields[HTMLPurifier_VarParser::C_BOOL] = new HTMLPurifier_Printer_ConfigForm_bool();
    }
    /**
@@ -339,7 +344,7 @@ class HTMLPurifier_Printer_ConfigForm_default extends HTMLPurifier_Printer
                    $value = '';
            }
        }
-        if ($type === HTMLPurifier_VarParser::MIXED) {
+        if ($type === HTMLPurifier_VarParser::C_MIXED) {
            return 'Not supported';
            $value = serialize($value);
        }
--- a/library/HTMLPurifier/Printer/HTMLDefinition.php
+++ b/library/HTMLPurifier/Printer/HTMLDefinition.php
@@ -43,8 +43,8 @@ class HTMLPurifier_Printer_HTMLDefinition extends HTMLPurifier_Printer
        $ret .= $this->element('caption', 'Doctype');
        $ret .= $this->row('Name', $doctype->name);
        $ret .= $this->row('XML', $doctype->xml ? 'Yes' : 'No');
-        $ret .= $this->row('Default Modules', implode($doctype->modules, ', '));
+        $ret .= $this->row('Default Modules', implode(', ', $doctype->modules));
-        $ret .= $this->row('Default Tidy Modules', implode($doctype->tidyModules, ', '));
+        $ret .= $this->row('Default Tidy Modules', implode(', ', $doctype->tidyModules));
        $ret .= $this->end('table');
        return $ret;
    }
--- a/library/HTMLPurifier/PropertyListIterator.php
+++ b/library/HTMLPurifier/PropertyListIterator.php
@@ -29,6 +29,7 @@ class HTMLPurifier_PropertyListIterator extends FilterIterator
    /**
     * @return bool
     */
    #[\ReturnTypeWillChange]
    public function accept()
    {
        $key = $this->getInnerIterator()->key();
--- a/library/HTMLPurifier/StringHash.php
+++ b/library/HTMLPurifier/StringHash.php
@@ -20,6 +20,7 @@ class HTMLPurifier_StringHash extends ArrayObject
     * @param mixed $index
     * @return mixed
     */
    #[\ReturnTypeWillChange]
    public function offsetGet($index)
    {
        $this->accessed[$index] = true;
--- a/library/HTMLPurifier/TagTransform/Font.php
+++ b/library/HTMLPurifier/TagTransform/Font.php
@@ -75,7 +75,7 @@ class HTMLPurifier_TagTransform_Font extends HTMLPurifier_TagTransform
        if (isset($attr['size'])) {
            // normalize large numbers
            if ($attr['size'] !== '') {
-                if ($attr['size']{0} == '+' || $attr['size']{0} == '-') {
+                if ($attr['size'][0] == '+' || $attr['size'][0] == '-') {
                    $size = (int)$attr['size'];
                    if ($size < -2) {
                        $attr['size'] = '-2';
--- a/library/HTMLPurifier/Token/Tag.php
+++ b/library/HTMLPurifier/Token/Tag.php
@@ -44,7 +44,7 @@ abstract class HTMLPurifier_Token_Tag extends HTMLPurifier_Token
        $this->name = ctype_lower($name) ? $name : strtolower($name);
        foreach ($attr as $key => $value) {
            // normalization only necessary when key is not lowercase
-            if (!ctype_lower($key)) {
+            if (!ctype_lower((string)$key)) {
                $new_key = strtolower($key);
                if (!isset($attr[$new_key])) {
                    $attr[$new_key] = $attr[$key];
--- a/library/HTMLPurifier/URIFilter/HostBlacklist.php
+++ b/library/HTMLPurifier/URIFilter/HostBlacklist.php
@@ -35,7 +35,7 @@ class HTMLPurifier_URIFilter_HostBlacklist extends HTMLPurifier_URIFilter
    public function filter(&$uri, $config, $context)
    {
        foreach ($this->blacklist as $blacklisted_host_fragment) {
-            if (strpos($uri->host, $blacklisted_host_fragment) !== false) {
+            if ($uri->host !== null && strpos($uri->host, $blacklisted_host_fragment) !== false) {
                return false;
            }
        }
--- a/library/HTMLPurifier/URIFilter/Munge.php
+++ b/library/HTMLPurifier/URIFilter/Munge.php
@@ -100,11 +100,11 @@ class HTMLPurifier_URIFilter_Munge extends HTMLPurifier_URIFilter
        $string = $uri->toString();
        // always available
        $this->replace['%s'] = $string;
-        $this->replace['%r'] = $context->get('EmbeddedURI', true);
+        $this->replace['%r'] = $context->get('EmbeddedURI', true) ?: '';
-        $token = $context->get('CurrentToken', true);
+        $token = $context->get('CurrentToken', true) ?: '';
-        $this->replace['%n'] = $token ? $token->name : null;
+        $this->replace['%n'] = $token ? $token->name : '';
-        $this->replace['%m'] = $context->get('CurrentAttr', true);
+        $this->replace['%m'] = $context->get('CurrentAttr', true) ?: '';
-        $this->replace['%p'] = $context->get('CurrentCSSProperty', true);
+        $this->replace['%p'] = $context->get('CurrentCSSProperty', true) ?: '';
        // not always available
        if ($this->secretKey) {
            $this->replace['%t'] = hash_hmac("sha256", $string, $this->secretKey);
--- a/library/HTMLPurifier/URIScheme/tel.php
+++ b/library/HTMLPurifier/URIScheme/tel.php
@@ -33,11 +33,11 @@ class HTMLPurifier_URIScheme_tel extends HTMLPurifier_URIScheme
        $uri->host     = null;
        $uri->port     = null;
-        // Delete all non-numeric characters, non-x characters
+        // Delete all non-numeric characters, commas, and non-x characters
        // from phone number, EXCEPT for a leading plus sign.
-        $uri->path = preg_replace('/(?!^\+)[^\dx]/', '',
+        $uri->path = preg_replace('/(?!^\+)[^\dx,]/', '',
                     // Normalize e(x)tension to lower-case
-                     str_replace('X', 'x', $uri->path));
+                     str_replace('X', 'x', rawurldecode($uri->path)));
        return true;
    }
--- a/library/HTMLPurifier/UnitConverter.php
+++ b/library/HTMLPurifier/UnitConverter.php
@@ -261,7 +261,7 @@ class HTMLPurifier_UnitConverter
     */
    private function round($n, $sigfigs)
    {
-        $new_log = (int)floor(log(abs($n), 10)); // Number of digits left of decimal - 1
+        $new_log = (int)floor(log(abs((float)$n), 10)); // Number of digits left of decimal - 1
        $rp = $sigfigs - $new_log - 1; // Number of decimal places needed
        $neg = $n < 0 ? '-' : ''; // Negative sign
        if ($this->bcmath) {
@@ -276,7 +276,7 @@ class HTMLPurifier_UnitConverter
            }
            return $n;
        } else {
-            return $this->scale(round($n, $sigfigs - $new_log - 1), $rp + 1);
+            return $this->scale(round((float)$n, $sigfigs - $new_log - 1), $rp + 1);
        }
    }
@@ -300,7 +300,7 @@ class HTMLPurifier_UnitConverter
            // Now we return it, truncating the zero that was rounded off.
            return substr($precise, 0, -1) . str_repeat('0', -$scale + 1);
        }
-        return sprintf('%.' . $scale . 'f', (float)$r);
+        return number_format((float)$r, $scale, '.', '');
    }
 }
--- a/library/HTMLPurifier/VarParser.php
+++ b/library/HTMLPurifier/VarParser.php
@@ -7,34 +7,34 @@
 class HTMLPurifier_VarParser
 {
-    const STRING = 1;
+    const C_STRING = 1;
    const ISTRING = 2;
    const TEXT = 3;
    const ITEXT = 4;
-    const INT = 5;
+    const C_INT = 5;
-    const FLOAT = 6;
+    const C_FLOAT = 6;
-    const BOOL = 7;
+    const C_BOOL = 7;
    const LOOKUP = 8;
    const ALIST = 9;
    const HASH = 10;
-    const MIXED = 11;
+    const C_MIXED = 11;
    /**
     * Lookup table of allowed types. Mainly for backwards compatibility, but
     * also convenient for transforming string type names to the integer constants.
     */
    public static $types = array(
-        'string' => self::STRING,
+        'string' => self::C_STRING,
        'istring' => self::ISTRING,
        'text' => self::TEXT,
        'itext' => self::ITEXT,
-        'int' => self::INT,
+        'int' => self::C_INT,
-        'float' => self::FLOAT,
+        'float' => self::C_FLOAT,
-        'bool' => self::BOOL,
+        'bool' => self::C_BOOL,
        'lookup' => self::LOOKUP,
        'list' => self::ALIST,
        'hash' => self::HASH,
-        'mixed' => self::MIXED
+        'mixed' => self::C_MIXED
    );
    /**
@@ -42,7 +42,7 @@ class HTMLPurifier_VarParser
     * allowed value lists.
     */
    public static $stringTypes = array(
-        self::STRING => true,
+        self::C_STRING => true,
        self::ISTRING => true,
        self::TEXT => true,
        self::ITEXT => true,
@@ -74,7 +74,7 @@ class HTMLPurifier_VarParser
        // These are basic checks, to make sure nothing horribly wrong
        // happened in our implementations.
        switch ($type) {
-            case (self::STRING):
+            case (self::C_STRING):
            case (self::ISTRING):
            case (self::TEXT):
            case (self::ITEXT):
@@ -85,17 +85,17 @@ class HTMLPurifier_VarParser
                    $var = strtolower($var);
                }
                return $var;
-            case (self::INT):
+            case (self::C_INT):
                if (!is_int($var)) {
                    break;
                }
                return $var;
-            case (self::FLOAT):
+            case (self::C_FLOAT):
                if (!is_float($var)) {
                    break;
                }
                return $var;
-            case (self::BOOL):
+            case (self::C_BOOL):
                if (!is_bool($var)) {
                    break;
                }
@@ -119,7 +119,7 @@ class HTMLPurifier_VarParser
                    }
                }
                return $var;
-            case (self::MIXED):
+            case (self::C_MIXED):
                return $var;
            default:
                $this->errorInconsistent(get_class($this), $type);
--- a/library/HTMLPurifier/VarParser/Flexible.php
+++ b/library/HTMLPurifier/VarParser/Flexible.php
@@ -23,23 +23,23 @@ class HTMLPurifier_VarParser_Flexible extends HTMLPurifier_VarParser
            // Note: if code "breaks" from the switch, it triggers a generic
            // exception to be thrown. Specific errors can be specifically
            // done here.
-            case self::MIXED:
+            case self::C_MIXED:
            case self::ISTRING:
-            case self::STRING:
+            case self::C_STRING:
            case self::TEXT:
            case self::ITEXT:
                return $var;
-            case self::INT:
+            case self::C_INT:
                if (is_string($var) && ctype_digit($var)) {
                    $var = (int)$var;
                }
                return $var;
-            case self::FLOAT:
+            case self::C_FLOAT:
                if ((is_string($var) && is_numeric($var)) || is_int($var)) {
                    $var = (float)$var;
                }
                return $var;
-            case self::BOOL:
+            case self::C_BOOL:
                if (is_int($var) && ($var === 0 || $var === 1)) {
                    $var = (bool)$var;
                } elseif (is_string($var)) {
--- a/maintenance/.htaccess
+++ b/maintenance/.htaccess
@@ -1 +1,7 @@
-Deny from all
+<IfModule mod_authz_core.c>
    Require all denied
 </IfModule>
 <IfModule !mod_authz_core.c>
    Deny from all
 </ifModule>
--- a/maintenance/PH5P.php
+++ b/maintenance/PH5P.php
@@ -1080,7 +1080,7 @@ class HTML5
                $entity = $this->character($start, $this->char);
                $cond = strlen($e_name) > 0;
-                // The rest of the parsing happens bellow.
+                // The rest of the parsing happens below.
            break;
            // Anything else
@@ -1102,7 +1102,7 @@ class HTML5
                }
                $cond = isset($entity);
-                // The rest of the parsing happens bellow.
+                // The rest of the parsing happens below.
            break;
        }
--- a/maintenance/add-vimline.php
+++ b/maintenance/add-vimline.php
@@ -34,7 +34,6 @@ foreach ($files as $file) {
        postfix_is('.svg', $file) ||
        postfix_is('.phpt', $file) ||
        postfix_is('VERSION', $file) ||
        postfix_is('WHATSNEW', $file) ||
        postfix_is('configdoc/usage.xml', $file) ||
        postfix_is('library/HTMLPurifier.includes.php', $file) ||
        postfix_is('library/HTMLPurifier.safe-includes.php', $file) ||
--- a/maintenance/flush.php
+++ b/maintenance/flush.php
@@ -1,30 +0,0 @@
 #!/usr/bin/php
 <?php
 chdir(dirname(__FILE__));
 require_once 'common.php';
 assertCli();
 /**
 * @file
 * Runs all generation/flush cache scripts to ensure that somewhat volatile
 * generated files are up-to-date.
 */
 function e($cmd)
 {
    echo "\$ $cmd\n";
    passthru($cmd, $status);
    echo "\n";
    if ($status) exit($status);
 }
 $php = empty($_SERVER['argv'][1]) ? 'php' : $_SERVER['argv'][1];
 e($php . ' generate-includes.php');
 e($php . ' generate-schema-cache.php');
 e($php . ' flush-definition-cache.php');
 e($php . ' generate-standalone.php');
 e($php . ' config-scanner.php');
 // vim: et sw=4 sts=4
--- a/maintenance/flush.sh
+++ b/maintenance/flush.sh
@@ -0,0 +1,8 @@
 #!/bin/bash
 set -ex
 DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null && pwd )"
 php "$DIR/generate-includes.php"
 php "$DIR/generate-schema-cache.php"
 php "$DIR/flush-definition-cache.php"
 php "$DIR/generate-standalone.php"
 php "$DIR/config-scanner.php"
--- a/maintenance/update-config.php
+++ b/maintenance/update-config.php
@@ -1,34 +0,0 @@
 #!/usr/bin/php
 <?php
 chdir(dirname(__FILE__));
 require_once 'common.php';
 assertCli();
 /**
 * @file
 * Converts all instances of $config->set and $config->get to the new
 * format, as described by docs/dev-config-bcbreaks.txt
 */
 $FS = new FSTools();
 chdir(dirname(__FILE__) . '/..');
 $raw_files = $FS->globr('.', '*.php');
 foreach ($raw_files as $file) {
    $file = substr($file, 2); // rm leading './'
    if (strpos($file, 'library/standalone/') === 0) continue;
    if (strpos($file, 'maintenance/update-config.php') === 0) continue;
    if (strpos($file, 'test-settings.php') === 0) continue;
    if (substr_count($file, '.') > 1) continue; // rm meta files
    // process the file
    $contents = file_get_contents($file);
    $contents = preg_replace(
        "#config->(set|get)\('(.+?)', '(.+?)'#",
        "config->\\1('\\2.\\3'",
        $contents
    );
    if ($contents === '') continue;
    file_put_contents($file, $contents);
 }
 // vim: et sw=4 sts=4
--- a/package.php
+++ b/package.php
@@ -48,7 +48,6 @@ $pkg->setReleaseStability('stable');
 $pkg->addRelease();
 $pkg->setNotes(file_get_contents('WHATSNEW'));
 $pkg->setPackageType('php');
 $pkg->setPhpDep('5.0.0');
--- a/plugins/phorum/config.default.php
+++ b/plugins/phorum/config.default.php
@@ -53,5 +53,7 @@ $config->set('Core.Encoding', $GLOBALS['PHORUM']['DATA']['CHARSET']); // we'll c
 if (strtolower($GLOBALS['PHORUM']['DATA']['CHARSET']) !== 'utf-8') {
  $config->set('Core.EscapeNonASCIICharacters', true);
 }
 $config->set('Core.AllowParseManyTags', false);
 $config->set('Core.RemoveBlanks', false);
 // vim: et sw=4 sts=4
--- a/release.config.js
+++ b/release.config.js
@@ -0,0 +1,33 @@
 module.exports = {
  debug: true,
  branch: 'master',
  plugins: [
    '@semantic-release/commit-analyzer',
    '@semantic-release/release-notes-generator',
    [
      '@semantic-release/changelog',
      {
        'changelogFile': 'NEWS'
      }
    ],
    [
      '@semantic-release/exec',
      {
        'prepareCmd': 'php update-for-release ${nextRelease.version}'
      }
    ],
    [
      '@semantic-release/git',
      {
        'assets': [
          'VERSION',
          'NEWS',
          'Doxyfile',
          ['library/**/*', '!library/standalone/**/*', '!library/HTMLPurifier.standalone.php'],
          'configdoc/**/*',
        ],
      }
    ],
    '@semantic-release/github'
  ],
 }
--- a/release2-tag.php
+++ b/release2-tag.php
@@ -1,22 +0,0 @@
 <?php
 // Tags releases
 if (php_sapi_name() != 'cli') {
    echo 'Release script cannot be called from web-browser.';
    exit;
 }
 require 'svn.php';
 $svn_info = my_svn_info('.');
 $version = trim(file_get_contents('VERSION'));
 $trunk_url  = $svn_info['Repository Root'] . '/htmlpurifier/trunk';
 $trunk_tag_url  = $svn_info['Repository Root'] . '/htmlpurifier/tags/' . $version;
 echo "Tagging trunk to tags/$version...";
 passthru("svn copy --message \"Tag $version release.\" $trunk_url $trunk_tag_url");
 // vim: et sw=4 sts=4
--- a/smoketests/common.php
+++ b/smoketests/common.php
@@ -2,6 +2,8 @@
 header('Content-type: text/html; charset=UTF-8');
 require_once __DIR__.'/../vendor/autoload.php';
 if (!isset($_GET['standalone'])) {
    require_once '../library/HTMLPurifier.auto.php';
 } else {
--- a/smoketests/extractStyleBlocks.php
+++ b/smoketests/extractStyleBlocks.php
@@ -3,23 +3,6 @@
 require_once 'common.php';
 require_once 'HTMLPurifier/Filter/ExtractStyleBlocks.php';
 // need CSSTidy location
 $csstidy_location = false;
 if (file_exists('../conf/test-settings.php')) include '../conf/test-settings.php';
 if (file_exists('../test-settings.php')) include '../test-settings.php';
 if (!$csstidy_location) {
 ?>
 Error: <a href="http://csstidy.sourceforge.net/">CSSTidy</a> library not
 found, please install and configure <code>test-settings.php</code>
 accordingly.
 <?php
    exit;
 }
 require_once $csstidy_location . 'class.csstidy.php';
 require_once $csstidy_location . 'class.csstidy_print.php';
 $purifier = new HTMLPurifier(array(
    'Filter.ExtractStyleBlocks' => true,
 ));
--- a/Show More
+++ b/Show More