fix: fix CI

Signed-off-by: Edward Z. Yang <ezyang@meta.com>

.gitattributes

@@ -1,13 +1,23 @@
 /.gitattributes export-ignore
+/.github export-ignore
 /.gitignore export-ignore
-/.travis.yml export-ignore
+/art export-ignore
-/Doxyfile export-ignore
+/benchmarks export-ignore
-/art/ export-ignore
+/configdoc export-ignore
-/benchmarks/ export-ignore
-/configdoc/ export-ignore
 /configdoc/usage.xml -crlf
-/docs/ export-ignore
+/docs export-ignore
-/phpdoc.ini
+/Doxyfile export-ignore
-/smoketests/ export-ignore
+/extras export-ignore
-/tests/* export-ignore
+/INSTALL* export-ignore
-/tests/path2class.func.php -export-ignore
+/maintenance export-ignore
+/NEWS export-ignore
+/package.php export-ignore
+/plugins export-ignore
+/phpdoc.ini export-ignore
+/smoketests export-ignore
+/test-* export-ignore
+/tests export-ignore
+/TODO export-ignore
+/update-for-release export-ignore
+/WYSIWYG export-ignore
+/release.config.js export-ignore

.github/workflows/ci.yml

@@ -0,0 +1,36 @@
+name: ci
+
+on:
+  push:
+  pull_request:
+
+jobs:
+  linux_tests:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: true
+      matrix:
+        php: ['5.6', '7.0', '7.1', '7.2', '7.3', '7.4', '8.0', '8.1', '8.2']
+
+    name: PHP ${{ matrix.php }}
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Setup PHP
+        uses: shivammathur/setup-php@v2
+        with:
+          php-version: ${{ matrix.php }}
+          tools: composer:v2
+          ini-values: error_reporting=E_ALL
+          extensions: iconv, bcmath, tidy, mbstring, intl
+
+      - name: Install dependencies
+        run: composer install
+
+      - name: Configure simpletest
+        run: cp test-settings.sample.php test-settings.php
+
+      - name: Execute Unit tests
+        run: php tests/index.php

.github/workflows/lint-pr.yml

@@ -0,0 +1,19 @@
+name: "Lint PR"
+
+on:
+  pull_request_target:
+    types:
+      - opened
+      - edited
+      - synchronize
+
+jobs:
+  main:
+    name: Validate PR title
+
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: amannn/action-semantic-pull-request@v4
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/release.yml

@@ -0,0 +1,29 @@
+name: release
+
+on:
+  workflow_dispatch:
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+
+    name: Release
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+
+      - name: Setup PHP
+        uses: shivammathur/setup-php@v2
+        with:
+          php-version: 5.5
+
+      - name: Run automated release process with semantic-release
+        uses: cycjimmy/semantic-release-action@v2
+        with:
+          extra_plugins: |
+            @semantic-release/changelog
+            @semantic-release/git
+            @semantic-release/exec
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.travis.yml

@@ -1,13 +0,0 @@
-language: php
-php:
-    - '5.3'
-    - '5.4'
-    - '5.5'
-    - '5.6'
-    - '7.0'
-    - '7.1'
-before_script:
-    - git clone --depth=50 https://github.com/ezyang/simpletest.git
-    - cp test-settings.travis.php test-settings.php
-script:
-    - php tests/index.php

Doxyfile

@@ -31,7 +31,7 @@ PROJECT_NAME           = HTMLPurifier
 # This could be handy for archiving the generated documentation or
 # if some version control system is used.
 
-PROJECT_NUMBER         = 4.9.3
+PROJECT_NUMBER         = 4.15.0
 
 # The OUTPUT_DIRECTORY tag is used to specify the (relative or absolute)
 # base path where the generated documentation will be put.

INSTALL

@@ -15,7 +15,7 @@ with these contents.
 ---------------------------------------------------------------------------
 1.  Compatibility
 
-HTML Purifier is PHP 5 and PHP 7, and is actively tested from PHP 5.0.5
+HTML Purifier is PHP 5 and PHP 7, and is actively tested from PHP 5.3
 and up. It has no core dependencies with other libraries.
 
 These optional extensions can enhance the capabilities of HTML Purifier:
@@ -101,31 +101,6 @@ Autoload compatibility
     autoloader, but there are some cases where you will need to change
     your own code to accomodate HTML Purifier. These are those cases:
 
-    PHP VERSION IS LESS THAN 5.1.2, AND YOU'VE DEFINED __autoload
-        Because spl_autoload_register() doesn't exist in early versions
-        of PHP 5, HTML Purifier has no way of adding itself to the autoload
-        stack. Modify your __autoload function to test
-        HTMLPurifier_Bootstrap::autoload($class)
-
-        For example, suppose your autoload function looks like this:
-
-            function __autoload($class) {
-                require str_replace('_', '/', $class) . '.php';
-                return true;
-            }
-
-        A modified version with HTML Purifier would look like this:
-
-            function __autoload($class) {
-                if (HTMLPurifier_Bootstrap::autoload($class)) return true;
-                require str_replace('_', '/', $class) . '.php';
-                return true;
-            }
-
-        Note that there *is* some custom behavior in our autoloader; the
-        original autoloader in our example would work for 99% of the time,
-        but would fail when including language files.
-
     AN __autoload FUNCTION IS DECLARED AFTER OUR AUTOLOADER IS REGISTERED
         spl_autoload_register() has the curious behavior of disabling
         the existing __autoload() handler. Users need to explicitly
@@ -138,11 +113,6 @@ Autoload compatibility
 
             spl_autoload_register('__autoload')
 
-    Users should also be on guard if they use a version of PHP previous
-    to 5.1.2 without an autoloader--HTML Purifier will define __autoload()
-    for you, which can collide with an autoloader that was added by *you*
-    later.
-
 
 For better performance
 ----------------------
@@ -204,9 +174,7 @@ For advanced users
         HTMLPurifier.autoload.php
             Registers our autoload handler HTMLPurifier_Bootstrap::autoload($class).
 
-    You can do these operations by yourself--in fact, you must modify your own
+    You can do these operations by yourself, if you like.
-    autoload handler if you are using a version of PHP earlier than PHP 5.1.2
-    (See "Autoload compatibility" above).
 
 
 ---------------------------------------------------------------------------

INSTALL.fr.utf8

@@ -11,7 +11,7 @@ pied de page, mais je recommande de lire le document.
 
 1.  Compatibilité
 
-HTML Purifier fonctionne avec PHP 5. PHP 5.0.5 est la dernière version testée.
+HTML Purifier fonctionne avec PHP 5. PHP 5.3 est la dernière version testée.
 Il ne dépend pas d'autres librairies.
 
 Les extensions optionnelles sont iconv (généralement déjà installée) et tidy

NEWS

@@ -9,6 +9,100 @@ NEWS ( CHANGELOG and HISTORY )                                     HTMLPurifier
     . Internal change
 ==========================
 
+4.15.0, released 2022-09-18
+! PHP 8.1 and 8.2 support, esp. fixes for deprecation warnings.  A joint effort
+  by David Rans, Tim Düsterhus, Kieran and John Flatness.
+! Allow contenteditable="false" (#336), contributed by Kieran.
+- Replace PHP 8.1 deprecated utf8_ functions with mbstring (#326),
+  contributed by John Flatness.
+- Enhanced composer suggestions with extensions (#317), contributed by
+  func0der.
+
+4.14.0, released 2021-12-24
+! Add "background-size" support (#289), contributed by Václav Smítal
+! Transform deprecated width attribute when tidying HTML, contributed by
+  Kieran.
+- PHP 8 support, contributed by Maksims Sļotovs.
+- Improved PHP 7.3 compatibility, contributed by kishor.
+- Avoid spurious magic quotes notice in PHP 7.4.  Thanks
+  Jasper Zonneveld for the fix.
+- Do not remove thead from table even if there are no tbody/tr (#264).
+  Thanks Marcus Artner for the fix.
+- Fix "Parameter must be an array or an object that implements
+  Countable" (#285)".  Thanks Kieran for this fix.
+. Fix unnecessary reference assignment, handling behavior change from
+  PHP5 and PHP7.  Thanks Arkadiusz Biczewski for the fix.
+
+4.13.0, released 2020-06-28
+! Add %HTML.Forms directive, which lets you accept forms in user
+  HTML without requiring full %HTML.Trusted.  Note that forms can
+  be (trivially) used to setup phishing; e.g., an attacker can
+  use CSS absolute positioning to overlay a form on top of a login
+  element, so please be sure to use this with care!   Fixes #213.
+  Thanks Mateusz Turcza for contributing this feature.
+! tr@bgcolor attribute is now supported.  Thanks Kieran Brahney
+  for this enhancement.
+- Further improvements to PHP 7.4 support, contributed by Witold
+  Wasiczko and Eloy Lafuente.
+- Fix PSR-0 compatibility.  Thanks Jordi Boggiano for contributing
+  part of this fix.
+- Fix bug with purifyArray where it doesn't work on empty arrays.
+  Thanks Fräntz Miccoli for the fix.
+- Reduce amount of maintenance scripts included in distribution
+  packages.  Thanks Sergei Morozov for this patch.
+- Remove leading zeros unless if it is only a zero, fixes #239.  Thanks
+  lubomirbartos for this fix.
+- Correct type hinting of maybeGet*, fixes #240.   Thanks Anders Jenbo
+  for this fix.
+
+4.12.0, released 2019-10-27
+! PHP 7.4 is supported, thank you Witold Wasiczko, Mateuz Turcza and
+  Edi Modrić
+- PHPDocs for HTMLModule::addElement() and Bool attr are fixed (thanks
+  Mateusz)
+
+4.11.0, released 2019-07-14
+# SafeScripting now matches case-sensitively against its whitelist (previously it was
+  case-insensitive.)  Thanks Dimitri Gritsajuk <gritsajuk.dimitri@gmail.com>
+  for reporting.
+! New directive %Core.AllowParseManyTags which allows parsing of many nested tags.
+  Thanks M. Suzuki <msuzuki1986@gmail.com> for contributing the patch.
+! purifyArray now supports multidimensional arrays.  Thanks
+  Sandro Miguel Marques <sandromiguel@sandromiguel.com> for contributing this patch.
+! initial and inherit settings available for width, height, and the min-/max-
+  versions thereof.  Thanks Michael Kliewe <info@phpgansta.de> for contributing
+  this patch.
+! More color names are supported.  Thanks Daijobou for contributing.
+- Compatibility fixes for PHP 7.3, including new CI for PHP 7.3
+  (thank you Lukas Neumann <lksnmnn@gmail.com>) and removal of
+  reserved words in our constants (thanks Darko Hrgovic <darko@darkodev.com>
+- Compatibility fixes for HHVM.  Thanks Mateusz Turcza for contributing
+  this fix.
+- HTML Purifier now never defines __autoload, fixing #196.  Thanks
+  Michael Kliewe for reporting.
+- In some situations, Config.php would report an undefined index: class
+  error; this has been fixed.  Thanks DiLong Fa for contributing
+  this fix.
+- We no longer produce <script /> tags; we always explicitly write
+  out the open and close tag.  Thanks Dimitri Gritsajuk
+  <gritsajuk.dimitri@gmail.com> for contributing this fix.
+- Better compatibility when IDNA constants are not present.  Thanks
+  Mateusz Turcza <xemlock@gmail.com> for contributing this fix.
+
+4.10.0, released 2018-02-22
+# PHP 5.3 is no longer officially supported by HTML Purifier
+  (we did not specifically break support, but we are no longer
+  testing on PHP 5.3)
+! Relative CSS length units are now supported
+- A few PHP 7.2 compatibility fixes, thanks John Flatness
+  <john@zerocrates.org>
+- Improve portability with old versions of libxml which don't
+  support accessing the data of a node
+- IDNA2008 is now used for converting domains to ASCII, fixing
+  some rather strange bugs with international domains
+- Fix race condition resulting in E_WARNING when creating
+  directories with Serializer
+
 4.9.3, released 2017-06-02
 - Workaround PHP 7.1 infinite loop when opcode cache is enabled.
   Thanks @Xiphin (#134, #135)

README.md

@@ -1,8 +1,8 @@
-HTML Purifier [![Build Status](https://secure.travis-ci.org/ezyang/htmlpurifier.svg?branch=master)](http://travis-ci.org/ezyang/htmlpurifier)
+HTML Purifier [![Build Status](https://github.com/ezyang/htmlpurifier/actions/workflows/ci.yml/badge.svg?branch=master)](https://github.com/ezyang/htmlpurifier/actions/workflows/ci.yml)
 =============
 
 HTML Purifier is an HTML filtering solution that uses a unique combination
-of robust whitelists and agressive parsing to ensure that not only are
+of robust whitelists and aggressive parsing to ensure that not only are
 XSS attacks thwarted, but the resulting HTML is standards compliant.
 
 HTML Purifier is oriented towards richly formatted documents from
@@ -26,4 +26,4 @@ Package available on [Composer](https://packagist.org/packages/ezyang/htmlpurifi
 
 If you're using Composer to manage dependencies, you can use
 
-    $ composer require "ezyang/htmlpurifier": "dev-master"
+    $ composer require ezyang/htmlpurifier

VERSION

@@ -1 +1 @@
-4.9.3
+4.15.0

WHATSNEW

@@ -1,13 +0,0 @@
-HTML Purifier 4.9.x is a maintenance release, collecting a year
-of accumulated bug fixes plus a few new features.  New features
-include support for min/max-width/height CSS, and rgba/hsl/hsla
-in color specifications.  Major bugfixes include improvements
-in the Serializer cache to avoid chmod'ing directories, better
-entity decoding (we won't accidentally encode entities that occur
-in URLs) and rel="noopener" on links with target attributes,
-to prevent them from overwriting the original frame.
-
-4.9.3 works around an infinite loop bug in PHP 7.1 with the opcode
-cache (and has one other, minor bugfix, avoiding using autoloading
-when testing for DOMDocument presence).  If these bugs do not
-affect you, you do not need to upgrade.

benchmarks/.htaccess

@@ -1 +1,7 @@
-Deny from all
+<IfModule mod_authz_core.c>
+    Require all denied
+</IfModule>
+
+<IfModule !mod_authz_core.c>
+    Deny from all
+</ifModule>

composer.json

@@ -4,7 +4,7 @@
     "type": "library",
     "keywords": ["html"],
     "homepage": "http://htmlpurifier.org/",
-    "license": "LGPL",
+    "license": "LGPL-2.1-or-later",
     "authors": [
         {
             "name": "Edward Z. Yang",
@@ -13,13 +13,33 @@
         }
     ],
     "require": {
-        "php": ">=5.2"
+        "php": "~5.6.0 || ~7.0.0 || ~7.1.0 || ~7.2.0 || ~7.3.0 || ~7.4.0 || ~8.0.0 || ~8.1.0 || ~8.2.0"
     },
     "require-dev": {
-        "simpletest/simpletest": "^1.1"
+        "cerdic/css-tidy": "^1.7 || ^2.0",
+        "simpletest/simpletest": "dev-master"
     },
     "autoload": {
         "psr-0": { "HTMLPurifier": "library/" },
-        "files": ["library/HTMLPurifier.composer.php"]
+        "files": ["library/HTMLPurifier.composer.php"],
-    }
+        "exclude-from-classmap": [
+            "/library/HTMLPurifier/Language/"
+        ]
+    },
+    "suggest": {
+        "cerdic/css-tidy": "If you want to use the filter 'Filter.ExtractStyleBlocks'.",
+        "ext-iconv": "Converts text to and from non-UTF-8 encodings",
+        "ext-bcmath": "Used for unit conversion and imagecrash protection",
+        "ext-tidy": "Used for pretty-printing HTML"
+    },
+    "config": {
+        "sort-packages": true
+    },
+    "repositories": [
+        {
+            "type": "vcs",
+            "url": "https://github.com/ezyang/simpletest.git",
+            "no-api": true
+        }
+    ]
 }

configdoc/usage.xml

@@ -5,8 +5,8 @@
    <line>162</line>
   </file>
   <file name="HTMLPurifier/Lexer.php">
-   <line>85</line>
+   <line>90</line>
-   <line>326</line>
+   <line>331</line>
   </file>
   <file name="HTMLPurifier/Lexer/DirectLex.php">
    <line>67</line>
@@ -19,37 +19,37 @@
  </directive>
  <directive id="CSS.MaxImgLength">
   <file name="HTMLPurifier/CSSDefinition.php">
-   <line>226</line>
+   <line>256</line>
   </file>
  </directive>
  <directive id="CSS.Proprietary">
   <file name="HTMLPurifier/CSSDefinition.php">
-   <line>323</line>
+   <line>381</line>
   </file>
  </directive>
  <directive id="CSS.AllowTricky">
   <file name="HTMLPurifier/CSSDefinition.php">
-   <line>327</line>
+   <line>385</line>
   </file>
  </directive>
  <directive id="CSS.Trusted">
   <file name="HTMLPurifier/CSSDefinition.php">
-   <line>331</line>
+   <line>389</line>
   </file>
  </directive>
  <directive id="CSS.AllowImportant">
   <file name="HTMLPurifier/CSSDefinition.php">
-   <line>335</line>
+   <line>393</line>
   </file>
  </directive>
  <directive id="CSS.AllowedProperties">
   <file name="HTMLPurifier/CSSDefinition.php">
-   <line>464</line>
+   <line>522</line>
   </file>
  </directive>
  <directive id="CSS.ForbiddenProperties">
   <file name="HTMLPurifier/CSSDefinition.php">
-   <line>480</line>
+   <line>538</line>
   </file>
  </directive>
  <directive id="Cache.DefinitionImpl">
@@ -124,7 +124,7 @@
    <line>122</line>
   </file>
   <file name="HTMLPurifier/Lexer.php">
-   <line>308</line>
+   <line>313</line>
   </file>
  </directive>
  <directive id="Output.Newline">
@@ -172,8 +172,11 @@
    <line>234</line>
   </file>
   <file name="HTMLPurifier/Lexer.php">
-   <line>313</line>
+   <line>318</line>
-   <line>353</line>
+   <line>358</line>
+  </file>
+  <file name="HTMLPurifier/AttrDef/HTML/ContentEditable.php">
+   <line>8</line>
   </file>
   <file name="HTMLPurifier/HTMLModule/Image.php">
    <line>37</line>
@@ -250,12 +253,12 @@
  </directive>
  <directive id="Core.LexerImpl">
   <file name="HTMLPurifier/Lexer.php">
-   <line>80</line>
+   <line>85</line>
   </file>
  </directive>
  <directive id="Core.MaintainLineNumbers">
   <file name="HTMLPurifier/Lexer.php">
-   <line>84</line>
+   <line>89</line>
   </file>
   <file name="HTMLPurifier/Lexer/DirectLex.php">
    <line>62</line>
@@ -263,23 +266,23 @@
  </directive>
  <directive id="Core.LegacyEntityDecoder">
   <file name="HTMLPurifier/Lexer.php">
-   <line>215</line>
+   <line>220</line>
-   <line>337</line>
+   <line>342</line>
   </file>
  </directive>
  <directive id="Core.ConvertDocumentToFragment">
   <file name="HTMLPurifier/Lexer.php">
-   <line>324</line>
+   <line>329</line>
   </file>
  </directive>
  <directive id="Core.RemoveProcessingInstructions">
   <file name="HTMLPurifier/Lexer.php">
-   <line>347</line>
+   <line>352</line>
   </file>
  </directive>
  <directive id="Core.HiddenElements">
   <file name="HTMLPurifier/Lexer.php">
-   <line>351</line>
+   <line>356</line>
   </file>
   <file name="HTMLPurifier/Strategy/RemoveForeignElements.php">
    <line>36</line>
@@ -287,12 +290,12 @@
  </directive>
  <directive id="Core.AggressivelyRemoveScript">
   <file name="HTMLPurifier/Lexer.php">
-   <line>352</line>
+   <line>357</line>
   </file>
  </directive>
  <directive id="Core.RemoveScriptContents">
   <file name="HTMLPurifier/Lexer.php">
-   <line>353</line>
+   <line>358</line>
   </file>
   <file name="HTMLPurifier/Strategy/RemoveForeignElements.php">
    <line>35</line>
@@ -410,7 +413,7 @@
  </directive>
  <directive id="Core.EnableIDNA">
   <file name="HTMLPurifier/AttrDef/URI/Host.php">
-   <line>105</line>
+   <line>109</line>
   </file>
  </directive>
  <directive id="Attr.DefaultTextDir">
@@ -451,7 +454,7 @@
  </directive>
  <directive id="HTML.FlashAllowFullScreen">
   <file name="HTMLPurifier/AttrTransform/SafeParam.php">
-   <line>53</line>
+   <line>58</line>
   </file>
  </directive>
  <directive id="Cache.SerializerPath">
@@ -480,6 +483,11 @@
    <line>330</line>
   </file>
  </directive>
+ <directive id="HTML.Forms">
+  <file name="HTMLPurifier/HTMLModule/Forms.php">
+   <line>31</line>
+  </file>
+ </directive>
  <directive id="HTML.SafeIframe">
   <file name="HTMLPurifier/HTMLModule/Iframe.php">
    <line>28</line>
@@ -539,6 +547,11 @@
    <line>54</line>
   </file>
  </directive>
+ <directive id="Core.AllowParseManyTags">
+  <file name="HTMLPurifier/Lexer/DOMLex.php">
+   <line>72</line>
+  </file>
+ </directive>
  <directive id="Core.DirectLexLineNumberSyncInterval">
   <file name="HTMLPurifier/Lexer/DirectLex.php">
    <line>84</line>

docs/dev-config-naming.txt

@@ -75,6 +75,7 @@ Core is the potpourri of directives, mostly regarding some minor behavioral
 tweaks for HTML handling abilities.
 
     AggressivelyFixLt
+    AllowParseManyTags
     ConvertDocumentToFragment
     DirectLexLineNumberSyncInterval
     LexerImpl

extras/FSTools.php

@@ -136,7 +136,7 @@ class FSTools
     /**
      * Recursively globs a directory.
      */
-    public function globr($dir, $pattern, $flags = NULL)
+    public function globr($dir, $pattern, $flags = 0)
     {
         $files = $this->glob("$dir/$pattern", $flags);
         if ($files === false) $files = array();

extras/HTMLPurifierExtras.autoload-legacy.php

@@ -0,0 +1,15 @@
+<?php
+
+/**
+ * @file
+ * Legacy autoloader for systems lacking spl_autoload_register
+ *
+ * Must be separate to prevent deprecation warning on PHP 7.2
+ */
+
+function __autoload($class)
+{
+    return HTMLPurifierExtras::autoload($class);
+}
+
+// vim: et sw=4 sts=4

extras/HTMLPurifierExtras.autoload.php

@@ -17,10 +17,7 @@ if (function_exists('spl_autoload_register')) {
         spl_autoload_register('__autoload');
     }
 } elseif (!function_exists('__autoload')) {
-    function __autoload($class)
+    require dirname(__FILE__) . '/HTMLPurifierExtras.autoload-legacy.php';
-    {
-        return HTMLPurifierExtras::autoload($class);
-    }
 }
 
 // vim: et sw=4 sts=4

library/HTMLPurifier.autoload-legacy.php

@@ -0,0 +1,14 @@
+<?php
+
+/**
+ * @file
+ * Legacy autoloader for systems lacking spl_autoload_register
+ *
+ */
+
+spl_autoload_register(function($class)
+{
+     return HTMLPurifier_Bootstrap::autoload($class);
+});
+
+// vim: et sw=4 sts=4

library/HTMLPurifier.autoload.php

@@ -14,12 +14,10 @@ if (function_exists('spl_autoload_register') && function_exists('spl_autoload_un
         spl_autoload_register('__autoload');
     }
 } elseif (!function_exists('__autoload')) {
-    function __autoload($class)
+    require dirname(__FILE__) . '/HTMLPurifier.autoload-legacy.php';
-    {
-        return HTMLPurifier_Bootstrap::autoload($class);
-    }
 }
 
+// phpcs:ignore PHPCompatibility.IniDirectives.RemovedIniDirectives.zend_ze1_compatibility_modeRemoved
 if (ini_get('zend.ze1_compatibility_mode')) {
     trigger_error("HTML Purifier is not compatible with zend.ze1_compatibility_mode; please turn it off", E_USER_ERROR);
 }

library/HTMLPurifier.includes.php

@@ -7,7 +7,7 @@
  * primary concern and you are using an opcode cache. PLEASE DO NOT EDIT THIS
  * FILE, changes will be overwritten the next time the script is run.
  *
- * @version 4.9.3
+ * @version 4.15.0
  *
  * @warning
  *      You must *not* include any other HTML Purifier files before this file,
@@ -107,6 +107,7 @@ require 'HTMLPurifier/AttrDef/HTML/Bool.php';
 require 'HTMLPurifier/AttrDef/HTML/Nmtokens.php';
 require 'HTMLPurifier/AttrDef/HTML/Class.php';
 require 'HTMLPurifier/AttrDef/HTML/Color.php';
+require 'HTMLPurifier/AttrDef/HTML/ContentEditable.php';
 require 'HTMLPurifier/AttrDef/HTML/FrameTarget.php';
 require 'HTMLPurifier/AttrDef/HTML/ID.php';
 require 'HTMLPurifier/AttrDef/HTML/Pixels.php';

library/HTMLPurifier.php

@@ -19,7 +19,7 @@
  */
 
 /*
-    HTML Purifier 4.9.3 - Standards Compliant HTML Filtering
+    HTML Purifier 4.15.0 - Standards Compliant HTML Filtering
     Copyright (C) 2006-2008 Edward Z. Yang
 
     This library is free software; you can redistribute it and/or
@@ -58,12 +58,12 @@ class HTMLPurifier
      * Version of HTML Purifier.
      * @type string
      */
-    public $version = '4.9.3';
+    public $version = '4.15.0';
 
     /**
      * Constant with version of HTML Purifier.
      */
-    const VERSION = '4.9.3';
+    const VERSION = '4.15.0';
 
     /**
      * Global configuration object.
@@ -240,12 +240,17 @@ class HTMLPurifier
     public function purifyArray($array_of_html, $config = null)
     {
         $context_array = array();
-        foreach ($array_of_html as $key => $html) {
+        $array = array();
-            $array_of_html[$key] = $this->purify($html, $config);
+        foreach($array_of_html as $key=>$value){
+            if (is_array($value)) {
+                $array[$key] = $this->purifyArray($value, $config);
+            } else {
+                $array[$key] = $this->purify($value, $config);
+            }
             $context_array[$key] = $this->context;
         }
         $this->context = $context_array;
-        return $array_of_html;
+        return $array;
     }
 
     /**

library/HTMLPurifier.safe-includes.php

@@ -101,6 +101,7 @@ require_once $__dir . '/HTMLPurifier/AttrDef/HTML/Bool.php';
 require_once $__dir . '/HTMLPurifier/AttrDef/HTML/Nmtokens.php';
 require_once $__dir . '/HTMLPurifier/AttrDef/HTML/Class.php';
 require_once $__dir . '/HTMLPurifier/AttrDef/HTML/Color.php';
+require_once $__dir . '/HTMLPurifier/AttrDef/HTML/ContentEditable.php';
 require_once $__dir . '/HTMLPurifier/AttrDef/HTML/FrameTarget.php';
 require_once $__dir . '/HTMLPurifier/AttrDef/HTML/ID.php';
 require_once $__dir . '/HTMLPurifier/AttrDef/HTML/Pixels.php';

library/HTMLPurifier/AttrDef/CSS/Background.php

@@ -25,6 +25,7 @@ class HTMLPurifier_AttrDef_CSS_Background extends HTMLPurifier_AttrDef
         $this->info['background-repeat'] = $def->info['background-repeat'];
         $this->info['background-attachment'] = $def->info['background-attachment'];
         $this->info['background-position'] = $def->info['background-position'];
+        $this->info['background-size'] = $def->info['background-size'];
     }
 
     /**
@@ -53,6 +54,7 @@ class HTMLPurifier_AttrDef_CSS_Background extends HTMLPurifier_AttrDef
         $caught['repeat'] = false;
         $caught['attachment'] = false;
         $caught['position'] = false;
+        $caught['size'] = false;
 
         $i = 0; // number of catches
 

library/HTMLPurifier/AttrDef/CSS/Number.php

@@ -69,7 +69,13 @@ class HTMLPurifier_AttrDef_CSS_Number extends HTMLPurifier_AttrDef
             return false;
         }
 
-        $left = ltrim($left, '0');
+        // Remove leading zeros until positive number or a zero stays left
+        if (ltrim($left, '0') != '') {
+            $left = ltrim($left, '0');
+        } else {
+            $left = '0';
+        }
+
         $right = rtrim($right, '0');
 
         if ($right === '') {

library/HTMLPurifier/AttrDef/HTML/Bool.php

@@ -7,7 +7,7 @@ class HTMLPurifier_AttrDef_HTML_Bool extends HTMLPurifier_AttrDef
 {
 
     /**
-     * @type bool
+     * @type string
      */
     protected $name;
 
@@ -17,7 +17,7 @@ class HTMLPurifier_AttrDef_HTML_Bool extends HTMLPurifier_AttrDef
     public $minimized = true;
 
     /**
-     * @param bool $name
+     * @param bool|string $name
      */
     public function __construct($name = false)
     {

library/HTMLPurifier/AttrDef/HTML/ContentEditable.php

@@ -0,0 +1,16 @@
+<?php
+
+class HTMLPurifier_AttrDef_HTML_ContentEditable extends HTMLPurifier_AttrDef
+{
+    public function validate($string, $config, $context)
+    {
+        $allowed = array('false');
+        if ($config->get('HTML.Trusted')) {
+            $allowed = array('', 'true', 'false');
+        }
+
+        $enum = new HTMLPurifier_AttrDef_Enum($allowed);
+
+        return $enum->validate($string, $config, $context);
+    }
+}

library/HTMLPurifier/AttrDef/URI/Host.php

@@ -97,12 +97,16 @@ class HTMLPurifier_AttrDef_URI_Host extends HTMLPurifier_AttrDef
 
         // PHP 5.3 and later support this functionality natively
         if (function_exists('idn_to_ascii')) {
-            $string = idn_to_ascii($string);
+            if (defined('IDNA_NONTRANSITIONAL_TO_ASCII') && defined('INTL_IDNA_VARIANT_UTS46')) {
+                $string = idn_to_ascii($string, IDNA_NONTRANSITIONAL_TO_ASCII, INTL_IDNA_VARIANT_UTS46);
+            } else {
+                $string = idn_to_ascii($string);
+            }
 
         // If we have Net_IDNA2 support, we can support IRIs by
         // punycoding them. (This is the most portable thing to do,
         // since otherwise we have to assume browsers support
-        } elseif ($config->get('Core.EnableIDNA')) {
+        } elseif ($config->get('Core.EnableIDNA') && class_exists('Net_IDNA2')) {
             $idna = new Net_IDNA2(array('encoding' => 'utf8', 'overlong' => false, 'strict' => true));
             // we need to encode each period separately
             $parts = explode('.', $string);

library/HTMLPurifier/AttrTransform/NameSync.php

@@ -8,6 +8,11 @@
 class HTMLPurifier_AttrTransform_NameSync extends HTMLPurifier_AttrTransform
 {
 
+    /**
+     * @type HTMLPurifier_AttrDef_HTML_ID
+     */
+    public $idDef;
+
     public function __construct()
     {
         $this->idDef = new HTMLPurifier_AttrDef_HTML_ID();

library/HTMLPurifier/AttrTransform/SafeParam.php

@@ -24,6 +24,11 @@ class HTMLPurifier_AttrTransform_SafeParam extends HTMLPurifier_AttrTransform
      */
     private $uri;
 
+    /**
+     * @type HTMLPurifier_AttrDef_Enum
+     */
+    public $wmode;
+
     public function __construct()
     {
         $this->uri = new HTMLPurifier_AttrDef_URI(true); // embedded

library/HTMLPurifier/AttrTypes.php

@@ -41,6 +41,7 @@ class HTMLPurifier_AttrTypes
         $this->info['IAlign']   = self::makeEnum('top,middle,bottom,left,right');
         $this->info['LAlign']   = self::makeEnum('top,bottom,left,right');
         $this->info['FrameTarget'] = new HTMLPurifier_AttrDef_HTML_FrameTarget();
+        $this->info['ContentEditable'] = new HTMLPurifier_AttrDef_HTML_ContentEditable();
 
         // unimplemented aliases
         $this->info['ContentType'] = new HTMLPurifier_AttrDef_Text();

library/HTMLPurifier/Bootstrap.php

@@ -79,44 +79,11 @@ class HTMLPurifier_Bootstrap
     public static function registerAutoload()
     {
         $autoload = array('HTMLPurifier_Bootstrap', 'autoload');
-        if (($funcs = spl_autoload_functions()) === false) {
+        if (spl_autoload_functions() === false) {
             spl_autoload_register($autoload);
-        } elseif (function_exists('spl_autoload_unregister')) {
+        } else {
-            if (version_compare(PHP_VERSION, '5.3.0', '>=')) {
+            // prepend flag exists, no need for shenanigans
-                // prepend flag exists, no need for shenanigans
+            spl_autoload_register($autoload, true, true);
-                spl_autoload_register($autoload, true, true);
-            } else {
-                $buggy  = version_compare(PHP_VERSION, '5.2.11', '<');
-                $compat = version_compare(PHP_VERSION, '5.1.2', '<=') &&
-                          version_compare(PHP_VERSION, '5.1.0', '>=');
-                foreach ($funcs as $func) {
-                    if ($buggy && is_array($func)) {
-                        // :TRICKY: There are some compatibility issues and some
-                        // places where we need to error out
-                        $reflector = new ReflectionMethod($func[0], $func[1]);
-                        if (!$reflector->isStatic()) {
-                            throw new Exception(
-                                'HTML Purifier autoloader registrar is not compatible
-                                with non-static object methods due to PHP Bug #44144;
-                                Please do not use HTMLPurifier.autoload.php (or any
-                                file that includes this file); instead, place the code:
-                                spl_autoload_register(array(\'HTMLPurifier_Bootstrap\', \'autoload\'))
-                                after your own autoloaders.'
-                            );
-                        }
-                        // Suprisingly, spl_autoload_register supports the
-                        // Class::staticMethod callback format, although call_user_func doesn't
-                        if ($compat) {
-                            $func = implode('::', $func);
-                        }
-                    }
-                    spl_autoload_unregister($func);
-                }
-                spl_autoload_register($autoload);
-                foreach ($funcs as $func) {
-                    spl_autoload_register($func);
-                }
-            }
         }
     }
 }

library/HTMLPurifier/CSSDefinition.php

@@ -13,7 +13,7 @@ class HTMLPurifier_CSSDefinition extends HTMLPurifier_Definition
      * Assoc array of attribute name to definition object.
      * @type HTMLPurifier_AttrDef[]
      */
-    public $info = array();
+    public $info = [];
 
     /**
      * Constructs the info array.  The meat of this class.
@@ -22,7 +22,7 @@ class HTMLPurifier_CSSDefinition extends HTMLPurifier_Definition
     protected function doSetup($config)
     {
         $this->info['text-align'] = new HTMLPurifier_AttrDef_Enum(
-            array('left', 'right', 'center', 'justify'),
+            ['left', 'right', 'center', 'justify'],
             false
         );
 
@@ -31,7 +31,7 @@ class HTMLPurifier_CSSDefinition extends HTMLPurifier_Definition
             $this->info['border-right-style'] =
             $this->info['border-left-style'] =
             $this->info['border-top-style'] = new HTMLPurifier_AttrDef_Enum(
-                array(
+                [
                     'none',
                     'hidden',
                     'dotted',
@@ -42,42 +42,42 @@ class HTMLPurifier_CSSDefinition extends HTMLPurifier_Definition
                     'ridge',
                     'inset',
                     'outset'
-                ),
+                ],
                 false
             );
 
         $this->info['border-style'] = new HTMLPurifier_AttrDef_CSS_Multiple($border_style);
 
         $this->info['clear'] = new HTMLPurifier_AttrDef_Enum(
-            array('none', 'left', 'right', 'both'),
+            ['none', 'left', 'right', 'both'],
             false
         );
         $this->info['float'] = new HTMLPurifier_AttrDef_Enum(
-            array('none', 'left', 'right'),
+            ['none', 'left', 'right'],
             false
         );
         $this->info['font-style'] = new HTMLPurifier_AttrDef_Enum(
-            array('normal', 'italic', 'oblique'),
+            ['normal', 'italic', 'oblique'],
             false
         );
         $this->info['font-variant'] = new HTMLPurifier_AttrDef_Enum(
-            array('normal', 'small-caps'),
+            ['normal', 'small-caps'],
             false
         );
 
         $uri_or_none = new HTMLPurifier_AttrDef_CSS_Composite(
-            array(
+            [
-                new HTMLPurifier_AttrDef_Enum(array('none')),
+                new HTMLPurifier_AttrDef_Enum(['none']),
                 new HTMLPurifier_AttrDef_CSS_URI()
-            )
+            ]
         );
 
         $this->info['list-style-position'] = new HTMLPurifier_AttrDef_Enum(
-            array('inside', 'outside'),
+            ['inside', 'outside'],
             false
         );
         $this->info['list-style-type'] = new HTMLPurifier_AttrDef_Enum(
-            array(
+            [
                 'disc',
                 'circle',
                 'square',
@@ -87,7 +87,7 @@ class HTMLPurifier_CSSDefinition extends HTMLPurifier_Definition
                 'lower-alpha',
                 'upper-alpha',
                 'none'
-            ),
+            ],
             false
         );
         $this->info['list-style-image'] = $uri_or_none;
@@ -95,30 +95,46 @@ class HTMLPurifier_CSSDefinition extends HTMLPurifier_Definition
         $this->info['list-style'] = new HTMLPurifier_AttrDef_CSS_ListStyle($config);
 
         $this->info['text-transform'] = new HTMLPurifier_AttrDef_Enum(
-            array('capitalize', 'uppercase', 'lowercase', 'none'),
+            ['capitalize', 'uppercase', 'lowercase', 'none'],
             false
         );
         $this->info['color'] = new HTMLPurifier_AttrDef_CSS_Color();
 
         $this->info['background-image'] = $uri_or_none;
         $this->info['background-repeat'] = new HTMLPurifier_AttrDef_Enum(
-            array('repeat', 'repeat-x', 'repeat-y', 'no-repeat')
+            ['repeat', 'repeat-x', 'repeat-y', 'no-repeat']
         );
         $this->info['background-attachment'] = new HTMLPurifier_AttrDef_Enum(
-            array('scroll', 'fixed')
+            ['scroll', 'fixed']
         );
         $this->info['background-position'] = new HTMLPurifier_AttrDef_CSS_BackgroundPosition();
 
+        $this->info['background-size'] = new HTMLPurifier_AttrDef_CSS_Composite(
+            [
+                new HTMLPurifier_AttrDef_Enum(
+                    [
+                        'auto',
+                        'cover',
+                        'contain',
+                        'initial',
+                        'inherit',
+                    ]
+                ),
+                new HTMLPurifier_AttrDef_CSS_Percentage(),
+                new HTMLPurifier_AttrDef_CSS_Length()
+            ]
+        );
+
         $border_color =
             $this->info['border-top-color'] =
             $this->info['border-bottom-color'] =
             $this->info['border-left-color'] =
             $this->info['border-right-color'] =
             $this->info['background-color'] = new HTMLPurifier_AttrDef_CSS_Composite(
-                array(
+                [
-                    new HTMLPurifier_AttrDef_Enum(array('transparent')),
+                    new HTMLPurifier_AttrDef_Enum(['transparent']),
                     new HTMLPurifier_AttrDef_CSS_Color()
-                )
+                ]
             );
 
         $this->info['background'] = new HTMLPurifier_AttrDef_CSS_Background($config);
@@ -130,32 +146,32 @@ class HTMLPurifier_CSSDefinition extends HTMLPurifier_Definition
             $this->info['border-bottom-width'] =
             $this->info['border-left-width'] =
             $this->info['border-right-width'] = new HTMLPurifier_AttrDef_CSS_Composite(
-                array(
+                [
-                    new HTMLPurifier_AttrDef_Enum(array('thin', 'medium', 'thick')),
+                    new HTMLPurifier_AttrDef_Enum(['thin', 'medium', 'thick']),
                     new HTMLPurifier_AttrDef_CSS_Length('0') //disallow negative
-                )
+                ]
             );
 
         $this->info['border-width'] = new HTMLPurifier_AttrDef_CSS_Multiple($border_width);
 
         $this->info['letter-spacing'] = new HTMLPurifier_AttrDef_CSS_Composite(
-            array(
+            [
-                new HTMLPurifier_AttrDef_Enum(array('normal')),
+                new HTMLPurifier_AttrDef_Enum(['normal']),
                 new HTMLPurifier_AttrDef_CSS_Length()
-            )
+            ]
         );
 
         $this->info['word-spacing'] = new HTMLPurifier_AttrDef_CSS_Composite(
-            array(
+            [
-                new HTMLPurifier_AttrDef_Enum(array('normal')),
+                new HTMLPurifier_AttrDef_Enum(['normal']),
                 new HTMLPurifier_AttrDef_CSS_Length()
-            )
+            ]
         );
 
         $this->info['font-size'] = new HTMLPurifier_AttrDef_CSS_Composite(
-            array(
+            [
                 new HTMLPurifier_AttrDef_Enum(
-                    array(
+                    [
                         'xx-small',
                         'x-small',
                         'small',
@@ -165,20 +181,20 @@ class HTMLPurifier_CSSDefinition extends HTMLPurifier_Definition
                         'xx-large',
                         'larger',
                         'smaller'
-                    )
+                    ]
                 ),
                 new HTMLPurifier_AttrDef_CSS_Percentage(),
                 new HTMLPurifier_AttrDef_CSS_Length()
-            )
+            ]
         );
 
         $this->info['line-height'] = new HTMLPurifier_AttrDef_CSS_Composite(
-            array(
+            [
-                new HTMLPurifier_AttrDef_Enum(array('normal')),
+                new HTMLPurifier_AttrDef_Enum(['normal']),
                 new HTMLPurifier_AttrDef_CSS_Number(true), // no negatives
                 new HTMLPurifier_AttrDef_CSS_Length('0'),
                 new HTMLPurifier_AttrDef_CSS_Percentage(true)
-            )
+            ]
         );
 
         $margin =
@@ -186,11 +202,11 @@ class HTMLPurifier_CSSDefinition extends HTMLPurifier_Definition
             $this->info['margin-bottom'] =
             $this->info['margin-left'] =
             $this->info['margin-right'] = new HTMLPurifier_AttrDef_CSS_Composite(
-                array(
+                [
                     new HTMLPurifier_AttrDef_CSS_Length(),
                     new HTMLPurifier_AttrDef_CSS_Percentage(),
-                    new HTMLPurifier_AttrDef_Enum(array('auto'))
+                    new HTMLPurifier_AttrDef_Enum(['auto'])
-                )
+                ]
             );
 
         $this->info['margin'] = new HTMLPurifier_AttrDef_CSS_Multiple($margin);
@@ -201,34 +217,44 @@ class HTMLPurifier_CSSDefinition extends HTMLPurifier_Definition
             $this->info['padding-bottom'] =
             $this->info['padding-left'] =
             $this->info['padding-right'] = new HTMLPurifier_AttrDef_CSS_Composite(
-                array(
+                [
                     new HTMLPurifier_AttrDef_CSS_Length('0'),
                     new HTMLPurifier_AttrDef_CSS_Percentage(true)
-                )
+                ]
             );
 
         $this->info['padding'] = new HTMLPurifier_AttrDef_CSS_Multiple($padding);
 
         $this->info['text-indent'] = new HTMLPurifier_AttrDef_CSS_Composite(
-            array(
+            [
                 new HTMLPurifier_AttrDef_CSS_Length(),
                 new HTMLPurifier_AttrDef_CSS_Percentage()
-            )
+            ]
         );
 
         $trusted_wh = new HTMLPurifier_AttrDef_CSS_Composite(
-            array(
+            [
                 new HTMLPurifier_AttrDef_CSS_Length('0'),
                 new HTMLPurifier_AttrDef_CSS_Percentage(true),
-                new HTMLPurifier_AttrDef_Enum(array('auto'))
+                new HTMLPurifier_AttrDef_Enum(['auto', 'initial', 'inherit'])
-            )
+            ]
+        );
+        $trusted_min_wh = new HTMLPurifier_AttrDef_CSS_Composite(
+            [
+                new HTMLPurifier_AttrDef_CSS_Length('0'),
+                new HTMLPurifier_AttrDef_CSS_Percentage(true),
+                new HTMLPurifier_AttrDef_Enum(['initial', 'inherit'])
+            ]
+        );
+        $trusted_max_wh = new HTMLPurifier_AttrDef_CSS_Composite(
+            [
+                new HTMLPurifier_AttrDef_CSS_Length('0'),
+                new HTMLPurifier_AttrDef_CSS_Percentage(true),
+                new HTMLPurifier_AttrDef_Enum(['none', 'initial', 'inherit'])
+            ]
         );
         $max = $config->get('CSS.MaxImgLength');
 
-        $this->info['min-width'] =
-        $this->info['max-width'] =
-        $this->info['min-height'] =
-        $this->info['max-height'] =
         $this->info['width'] =
         $this->info['height'] =
             $max === null ?
@@ -237,22 +263,71 @@ class HTMLPurifier_CSSDefinition extends HTMLPurifier_Definition
                     'img',
                     // For img tags:
                     new HTMLPurifier_AttrDef_CSS_Composite(
-                        array(
+                        [
                             new HTMLPurifier_AttrDef_CSS_Length('0', $max),
-                            new HTMLPurifier_AttrDef_Enum(array('auto'))
+                            new HTMLPurifier_AttrDef_Enum(['auto'])
-                        )
+                        ]
                     ),
                     // For everyone else:
                     $trusted_wh
                 );
+        $this->info['min-width'] =
+        $this->info['min-height'] =
+            $max === null ?
+                $trusted_min_wh :
+                new HTMLPurifier_AttrDef_Switch(
+                    'img',
+                    // For img tags:
+                    new HTMLPurifier_AttrDef_CSS_Composite(
+                        [
+                            new HTMLPurifier_AttrDef_CSS_Length('0', $max),
+                            new HTMLPurifier_AttrDef_Enum(['initial', 'inherit'])
+                        ]
+                    ),
+                    // For everyone else:
+                    $trusted_min_wh
+                );
+        $this->info['max-width'] =
+        $this->info['max-height'] =
+            $max === null ?
+                $trusted_max_wh :
+                new HTMLPurifier_AttrDef_Switch(
+                    'img',
+                    // For img tags:
+                    new HTMLPurifier_AttrDef_CSS_Composite(
+                        [
+                            new HTMLPurifier_AttrDef_CSS_Length('0', $max),
+                            new HTMLPurifier_AttrDef_Enum(['none', 'initial', 'inherit'])
+                        ]
+                    ),
+                    // For everyone else:
+                    $trusted_max_wh
+                );
 
+        // text-decoration and related shorthands
         $this->info['text-decoration'] = new HTMLPurifier_AttrDef_CSS_TextDecoration();
 
+        $this->info['text-decoration-line'] = new HTMLPurifier_AttrDef_Enum(
+            ['none', 'underline', 'overline', 'line-through', 'initial', 'inherit']
+        );
+
+        $this->info['text-decoration-style'] = new HTMLPurifier_AttrDef_Enum(
+            ['solid', 'double', 'dotted', 'dashed', 'wavy', 'initial', 'inherit']
+        );
+
+        $this->info['text-decoration-color'] = new HTMLPurifier_AttrDef_CSS_Color();
+
+        $this->info['text-decoration-thickness'] = new HTMLPurifier_AttrDef_CSS_Composite([
+            new HTMLPurifier_AttrDef_CSS_Length(),
+            new HTMLPurifier_AttrDef_CSS_Percentage(),
+            new HTMLPurifier_AttrDef_Enum(['auto', 'from-font', 'initial', 'inherit'])
+        ]);
+
         $this->info['font-family'] = new HTMLPurifier_AttrDef_CSS_FontFamily();
 
         // this could use specialized code
         $this->info['font-weight'] = new HTMLPurifier_AttrDef_Enum(
-            array(
+            [
                 'normal',
                 'bold',
                 'bolder',
@@ -266,7 +341,7 @@ class HTMLPurifier_CSSDefinition extends HTMLPurifier_Definition
                 '700',
                 '800',
                 '900'
-            ),
+            ],
             false
         );
 
@@ -282,21 +357,21 @@ class HTMLPurifier_CSSDefinition extends HTMLPurifier_Definition
         $this->info['border-right'] = new HTMLPurifier_AttrDef_CSS_Border($config);
 
         $this->info['border-collapse'] = new HTMLPurifier_AttrDef_Enum(
-            array('collapse', 'separate')
+            ['collapse', 'separate']
         );
 
         $this->info['caption-side'] = new HTMLPurifier_AttrDef_Enum(
-            array('top', 'bottom')
+            ['top', 'bottom']
         );
 
         $this->info['table-layout'] = new HTMLPurifier_AttrDef_Enum(
-            array('auto', 'fixed')
+            ['auto', 'fixed']
         );
 
         $this->info['vertical-align'] = new HTMLPurifier_AttrDef_CSS_Composite(
-            array(
+            [
                 new HTMLPurifier_AttrDef_Enum(
-                    array(
+                    [
                         'baseline',
                         'sub',
                         'super',
@@ -305,11 +380,11 @@ class HTMLPurifier_CSSDefinition extends HTMLPurifier_Definition
                         'middle',
                         'bottom',
                         'text-bottom'
-                    )
+                    ]
                 ),
                 new HTMLPurifier_AttrDef_CSS_Length(),
                 new HTMLPurifier_AttrDef_CSS_Percentage()
-            )
+            ]
         );
 
         $this->info['border-spacing'] = new HTMLPurifier_AttrDef_CSS_Multiple(new HTMLPurifier_AttrDef_CSS_Length(), 2);
@@ -317,7 +392,7 @@ class HTMLPurifier_CSSDefinition extends HTMLPurifier_Definition
         // These CSS properties don't work on many browsers, but we live
         // in THE FUTURE!
         $this->info['white-space'] = new HTMLPurifier_AttrDef_Enum(
-            array('nowrap', 'normal', 'pre', 'pre-wrap', 'pre-line')
+            ['nowrap', 'normal', 'pre', 'pre-wrap', 'pre-line']
         );
 
         if ($config->get('CSS.Proprietary')) {
@@ -364,21 +439,21 @@ class HTMLPurifier_CSSDefinition extends HTMLPurifier_Definition
         // more CSS3
         $this->info['page-break-after'] =
         $this->info['page-break-before'] = new HTMLPurifier_AttrDef_Enum(
-            array(
+            [
                 'auto',
                 'always',
                 'avoid',
                 'left',
                 'right'
-            )
+            ]
         );
-        $this->info['page-break-inside'] = new HTMLPurifier_AttrDef_Enum(array('auto', 'avoid'));
+        $this->info['page-break-inside'] = new HTMLPurifier_AttrDef_Enum(['auto', 'avoid']);
 
         $border_radius = new HTMLPurifier_AttrDef_CSS_Composite(
-            array(
+            [
                 new HTMLPurifier_AttrDef_CSS_Percentage(true), // disallow negative
                 new HTMLPurifier_AttrDef_CSS_Length('0') // disallow negative
-            ));
+            ]);
 
         $this->info['border-top-left-radius'] =
         $this->info['border-top-right-radius'] =
@@ -395,7 +470,7 @@ class HTMLPurifier_CSSDefinition extends HTMLPurifier_Definition
     protected function doSetupTricky($config)
     {
         $this->info['display'] = new HTMLPurifier_AttrDef_Enum(
-            array(
+            [
                 'inline',
                 'block',
                 'list-item',
@@ -414,12 +489,12 @@ class HTMLPurifier_CSSDefinition extends HTMLPurifier_Definition
                 'table-cell',
                 'table-caption',
                 'none'
-            )
+            ]
         );
         $this->info['visibility'] = new HTMLPurifier_AttrDef_Enum(
-            array('visible', 'hidden', 'collapse')
+            ['visible', 'hidden', 'collapse']
         );
-        $this->info['overflow'] = new HTMLPurifier_AttrDef_Enum(array('visible', 'hidden', 'auto', 'scroll'));
+        $this->info['overflow'] = new HTMLPurifier_AttrDef_Enum(['visible', 'hidden', 'auto', 'scroll']);
         $this->info['opacity'] = new HTMLPurifier_AttrDef_CSS_AlphaValue();
     }
 
@@ -429,23 +504,23 @@ class HTMLPurifier_CSSDefinition extends HTMLPurifier_Definition
     protected function doSetupTrusted($config)
     {
         $this->info['position'] = new HTMLPurifier_AttrDef_Enum(
-            array('static', 'relative', 'absolute', 'fixed')
+            ['static', 'relative', 'absolute', 'fixed']
         );
         $this->info['top'] =
         $this->info['left'] =
         $this->info['right'] =
         $this->info['bottom'] = new HTMLPurifier_AttrDef_CSS_Composite(
-            array(
+            [
                 new HTMLPurifier_AttrDef_CSS_Length(),
                 new HTMLPurifier_AttrDef_CSS_Percentage(),
-                new HTMLPurifier_AttrDef_Enum(array('auto')),
+                new HTMLPurifier_AttrDef_Enum(['auto']),
-            )
+            ]
         );
         $this->info['z-index'] = new HTMLPurifier_AttrDef_CSS_Composite(
-            array(
+            [
                 new HTMLPurifier_AttrDef_Integer(),
-                new HTMLPurifier_AttrDef_Enum(array('auto')),
+                new HTMLPurifier_AttrDef_Enum(['auto']),
-            )
+            ]
         );
     }
 

library/HTMLPurifier/ChildDef/Custom.php

@@ -45,7 +45,7 @@ class HTMLPurifier_ChildDef_Custom extends HTMLPurifier_ChildDef
     protected function _compileRegex()
     {
         $raw = str_replace(' ', '', $this->dtd_regex);
-        if ($raw{0} != '(') {
+        if ($raw[0] != '(') {
             $raw = "($raw)";
         }
         $el = '[#a-zA-Z0-9_.-]+';

library/HTMLPurifier/ChildDef/List.php

@@ -22,6 +22,8 @@ class HTMLPurifier_ChildDef_List extends HTMLPurifier_ChildDef
     // XXX: This whole business with 'wrap' is all a bit unsatisfactory
     public $elements = array('li' => true, 'ul' => true, 'ol' => true);
 
+    public $whitespace;
+
     /**
      * @param array $children
      * @param HTMLPurifier_Config $config

library/HTMLPurifier/ChildDef/Table.php

@@ -164,7 +164,7 @@ class HTMLPurifier_ChildDef_Table extends HTMLPurifier_ChildDef
             }
         }
 
-        if (empty($content)) {
+        if (empty($content) && $thead === false && $tfoot === false) {
             return false;
         }
 

library/HTMLPurifier/Config.php

@@ -21,7 +21,7 @@ class HTMLPurifier_Config
      * HTML Purifier's version
      * @type string
      */
-    public $version = '4.9.3';
+    public $version = '4.15.0';
 
     /**
      * Whether or not to automatically finalize
@@ -408,7 +408,7 @@ class HTMLPurifier_Config
      *             maybeGetRawHTMLDefinition, which is more explicitly
      *             named, instead.
      *
-     * @return HTMLPurifier_HTMLDefinition
+     * @return HTMLPurifier_HTMLDefinition|null
      */
     public function getHTMLDefinition($raw = false, $optimized = false)
     {
@@ -427,7 +427,7 @@ class HTMLPurifier_Config
      *             maybeGetRawCSSDefinition, which is more explicitly
      *             named, instead.
      *
-     * @return HTMLPurifier_CSSDefinition
+     * @return HTMLPurifier_CSSDefinition|null
      */
     public function getCSSDefinition($raw = false, $optimized = false)
     {
@@ -446,7 +446,7 @@ class HTMLPurifier_Config
      *             maybeGetRawURIDefinition, which is more explicitly
      *             named, instead.
      *
-     * @return HTMLPurifier_URIDefinition
+     * @return HTMLPurifier_URIDefinition|null
      */
     public function getURIDefinition($raw = false, $optimized = false)
     {
@@ -468,7 +468,7 @@ class HTMLPurifier_Config
      *        maybe semantics is the "right thing to do."
      *
      * @throws HTMLPurifier_Exception
-     * @return HTMLPurifier_Definition
+     * @return HTMLPurifier_Definition|null
      */
     public function getDefinition($type, $raw = false, $optimized = false)
     {
@@ -647,7 +647,7 @@ class HTMLPurifier_Config
     }
 
     /**
-     * @return HTMLPurifier_HTMLDefinition
+     * @return HTMLPurifier_HTMLDefinition|null
      */
     public function maybeGetRawHTMLDefinition()
     {
@@ -655,7 +655,7 @@ class HTMLPurifier_Config
     }
     
     /**
-     * @return HTMLPurifier_CSSDefinition
+     * @return HTMLPurifier_CSSDefinition|null
      */
     public function maybeGetRawCSSDefinition()
     {
@@ -663,7 +663,7 @@ class HTMLPurifier_Config
     }
     
     /**
-     * @return HTMLPurifier_URIDefinition
+     * @return HTMLPurifier_URIDefinition|null
      */
     public function maybeGetRawURIDefinition()
     {
@@ -803,7 +803,7 @@ class HTMLPurifier_Config
         if ($index !== false) {
             $array = (isset($array[$index]) && is_array($array[$index])) ? $array[$index] : array();
         }
-        $mq = $mq_fix && function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
+        $mq = $mq_fix && version_compare(PHP_VERSION, '7.4.0', '<') && function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
 
         $allowed = HTMLPurifier_Config::getAllowedDirectivesForForm($allowed, $schema);
         $ret = array();
@@ -890,7 +890,7 @@ class HTMLPurifier_Config
             // zip(tail(trace), trace) -- but PHP is not Haskell har har
             for ($i = 0, $c = count($trace); $i < $c - 1; $i++) {
                 // XXX this is not correct on some versions of HTML Purifier
-                if ($trace[$i + 1]['class'] === 'HTMLPurifier_Config') {
+                if (isset($trace[$i + 1]['class']) && $trace[$i + 1]['class'] === 'HTMLPurifier_Config') {
                     continue;
                 }
                 $frame = $trace[$i];

library/HTMLPurifier/ConfigSchema.php

@@ -100,7 +100,7 @@ class HTMLPurifier_ConfigSchema
      * @param string $key Name of directive
      * @param mixed $default Default value of directive
      * @param string $type Allowed type of the directive. See
-     *      HTMLPurifier_DirectiveDef::$type for allowed values
+     *      HTMLPurifier_VarParser::$types for allowed values
      * @param bool $allow_null Whether or not to allow null values
      */
     public function add($key, $default, $type, $allow_null)

library/HTMLPurifier/ConfigSchema/schema/AutoFormat.RemoveEmpty.RemoveNbsp.txt

@@ -6,7 +6,7 @@ DEFAULT: false
 <p>
   When enabled, HTML Purifier will treat any elements that contain only
   non-breaking spaces as well as regular whitespace as empty, and remove
-  them when %AutoForamt.RemoveEmpty is enabled.
+  them when %AutoFormat.RemoveEmpty is enabled.
 </p>
 <p>
   See %AutoFormat.RemoveEmpty.RemoveNbsp.Exceptions for a list of elements

library/HTMLPurifier/ConfigSchema/schema/Core.AllowParseManyTags.txt

@@ -0,0 +1,12 @@
+Core.AllowParseManyTags
+TYPE: bool
+DEFAULT: false
+VERSION: 4.10.1
+--DESCRIPTION--
+<p>
+    This directive allows parsing of many nested tags.
+    If you set true, relaxes any hardcoded limit from the parser.
+    However, in that case it may cause a Dos attack.
+    Be careful when enabling it.
+</p>
+--# vim: et sw=4 sts=4

library/HTMLPurifier/ConfigSchema/schema/Core.ColorKeywords.txt

@@ -3,23 +3,154 @@ TYPE: hash
 VERSION: 2.0.0
 --DEFAULT--
 array (
-  'maroon' => '#800000',
+  'aliceblue' => '#F0F8FF',
-  'red' => '#FF0000',
+  'antiquewhite' => '#FAEBD7',
-  'orange' => '#FFA500',
-  'yellow' => '#FFFF00',
-  'olive' => '#808000',
-  'purple' => '#800080',
-  'fuchsia' => '#FF00FF',
-  'white' => '#FFFFFF',
-  'lime' => '#00FF00',
-  'green' => '#008000',
-  'navy' => '#000080',
-  'blue' => '#0000FF',
   'aqua' => '#00FFFF',
-  'teal' => '#008080',
+  'aquamarine' => '#7FFFD4',
+  'azure' => '#F0FFFF',
+  'beige' => '#F5F5DC',
+  'bisque' => '#FFE4C4',
   'black' => '#000000',
-  'silver' => '#C0C0C0',
+  'blanchedalmond' => '#FFEBCD',
+  'blue' => '#0000FF',
+  'blueviolet' => '#8A2BE2',
+  'brown' => '#A52A2A',
+  'burlywood' => '#DEB887',
+  'cadetblue' => '#5F9EA0',
+  'chartreuse' => '#7FFF00',
+  'chocolate' => '#D2691E',
+  'coral' => '#FF7F50',
+  'cornflowerblue' => '#6495ED',
+  'cornsilk' => '#FFF8DC',
+  'crimson' => '#DC143C',
+  'cyan' => '#00FFFF',
+  'darkblue' => '#00008B',
+  'darkcyan' => '#008B8B',
+  'darkgoldenrod' => '#B8860B',
+  'darkgray' => '#A9A9A9',
+  'darkgrey' => '#A9A9A9',
+  'darkgreen' => '#006400',
+  'darkkhaki' => '#BDB76B',
+  'darkmagenta' => '#8B008B',
+  'darkolivegreen' => '#556B2F',
+  'darkorange' => '#FF8C00',
+  'darkorchid' => '#9932CC',
+  'darkred' => '#8B0000',
+  'darksalmon' => '#E9967A',
+  'darkseagreen' => '#8FBC8F',
+  'darkslateblue' => '#483D8B',
+  'darkslategray' => '#2F4F4F',
+  'darkslategrey' => '#2F4F4F',
+  'darkturquoise' => '#00CED1',
+  'darkviolet' => '#9400D3',
+  'deeppink' => '#FF1493',
+  'deepskyblue' => '#00BFFF',
+  'dimgray' => '#696969',
+  'dimgrey' => '#696969',
+  'dodgerblue' => '#1E90FF',
+  'firebrick' => '#B22222',
+  'floralwhite' => '#FFFAF0',
+  'forestgreen' => '#228B22',
+  'fuchsia' => '#FF00FF',
+  'gainsboro' => '#DCDCDC',
+  'ghostwhite' => '#F8F8FF',
+  'gold' => '#FFD700',
+  'goldenrod' => '#DAA520',
   'gray' => '#808080',
+  'grey' => '#808080',
+  'green' => '#008000',
+  'greenyellow' => '#ADFF2F',
+  'honeydew' => '#F0FFF0',
+  'hotpink' => '#FF69B4',
+  'indianred' => '#CD5C5C',
+  'indigo' => '#4B0082',
+  'ivory' => '#FFFFF0',
+  'khaki' => '#F0E68C',
+  'lavender' => '#E6E6FA',
+  'lavenderblush' => '#FFF0F5',
+  'lawngreen' => '#7CFC00',
+  'lemonchiffon' => '#FFFACD',
+  'lightblue' => '#ADD8E6',
+  'lightcoral' => '#F08080',
+  'lightcyan' => '#E0FFFF',
+  'lightgoldenrodyellow' => '#FAFAD2',
+  'lightgray' => '#D3D3D3',
+  'lightgrey' => '#D3D3D3',
+  'lightgreen' => '#90EE90',
+  'lightpink' => '#FFB6C1',
+  'lightsalmon' => '#FFA07A',
+  'lightseagreen' => '#20B2AA',
+  'lightskyblue' => '#87CEFA',
+  'lightslategray' => '#778899',
+  'lightslategrey' => '#778899',
+  'lightsteelblue' => '#B0C4DE',
+  'lightyellow' => '#FFFFE0',
+  'lime' => '#00FF00',
+  'limegreen' => '#32CD32',
+  'linen' => '#FAF0E6',
+  'magenta' => '#FF00FF',
+  'maroon' => '#800000',
+  'mediumaquamarine' => '#66CDAA',
+  'mediumblue' => '#0000CD',
+  'mediumorchid' => '#BA55D3',
+  'mediumpurple' => '#9370DB',
+  'mediumseagreen' => '#3CB371',
+  'mediumslateblue' => '#7B68EE',
+  'mediumspringgreen' => '#00FA9A',
+  'mediumturquoise' => '#48D1CC',
+  'mediumvioletred' => '#C71585',
+  'midnightblue' => '#191970',
+  'mintcream' => '#F5FFFA',
+  'mistyrose' => '#FFE4E1',
+  'moccasin' => '#FFE4B5',
+  'navajowhite' => '#FFDEAD',
+  'navy' => '#000080',
+  'oldlace' => '#FDF5E6',
+  'olive' => '#808000',
+  'olivedrab' => '#6B8E23',
+  'orange' => '#FFA500',
+  'orangered' => '#FF4500',
+  'orchid' => '#DA70D6',
+  'palegoldenrod' => '#EEE8AA',
+  'palegreen' => '#98FB98',
+  'paleturquoise' => '#AFEEEE',
+  'palevioletred' => '#DB7093',
+  'papayawhip' => '#FFEFD5',
+  'peachpuff' => '#FFDAB9',
+  'peru' => '#CD853F',
+  'pink' => '#FFC0CB',
+  'plum' => '#DDA0DD',
+  'powderblue' => '#B0E0E6',
+  'purple' => '#800080',
+  'rebeccapurple' => '#663399',
+  'red' => '#FF0000',
+  'rosybrown' => '#BC8F8F',
+  'royalblue' => '#4169E1',
+  'saddlebrown' => '#8B4513',
+  'salmon' => '#FA8072',
+  'sandybrown' => '#F4A460',
+  'seagreen' => '#2E8B57',
+  'seashell' => '#FFF5EE',
+  'sienna' => '#A0522D',
+  'silver' => '#C0C0C0',
+  'skyblue' => '#87CEEB',
+  'slateblue' => '#6A5ACD',
+  'slategray' => '#708090',
+  'slategrey' => '#708090',
+  'snow' => '#FFFAFA',
+  'springgreen' => '#00FF7F',
+  'steelblue' => '#4682B4',
+  'tan' => '#D2B48C',
+  'teal' => '#008080',
+  'thistle' => '#D8BFD8',
+  'tomato' => '#FF6347',
+  'turquoise' => '#40E0D0',
+  'violet' => '#EE82EE',
+  'wheat' => '#F5DEB3',
+  'white' => '#FFFFFF',
+  'whitesmoke' => '#F5F5F5',
+  'yellow' => '#FFFF00',
+  'yellowgreen' => '#9ACD32'
 )
 --DESCRIPTION--
 

library/HTMLPurifier/ConfigSchema/schema/HTML.Forms.txt

@@ -0,0 +1,11 @@
+HTML.Forms
+TYPE: bool
+VERSION: 4.13.0
+DEFAULT: false
+--DESCRIPTION--
+<p>
+    Whether or not to permit form elements in the user input, regardless of
+    %HTML.Trusted value. Please be very careful when using this functionality, as
+    enabling forms in untrusted documents may allow for phishing attacks.
+</p>
+--# vim: et sw=4 sts=4

library/HTMLPurifier/DefinitionCache/Serializer.php

@@ -217,9 +217,14 @@ class HTMLPurifier_DefinitionCache_Serializer extends HTMLPurifier_DefinitionCac
         $directory = $this->generateDirectoryPath($config);
         $chmod = $config->get('Cache.SerializerPermissions');
         if ($chmod === null) {
-            // TODO: This races
+            if (!@mkdir($directory) && !is_dir($directory)) {
-            if (is_dir($directory)) return true;
+                trigger_error(
-            return mkdir($directory);
+                    'Could not create directory ' . $directory . '',
+                    E_USER_WARNING
+                );
+                return false;
+            }
+            return true;
         }
         if (!is_dir($directory)) {
             $base = $this->generateBaseDirectoryPath($config);
@@ -233,7 +238,7 @@ class HTMLPurifier_DefinitionCache_Serializer extends HTMLPurifier_DefinitionCac
             } elseif (!$this->_testPermissions($base, $chmod)) {
                 return false;
             }
-            if (!mkdir($directory, $chmod)) {
+            if (!@mkdir($directory, $chmod) && !is_dir($directory)) {
                 trigger_error(
                     'Could not create directory ' . $directory . '',
                     E_USER_WARNING

library/HTMLPurifier/ElementDef.php

@@ -176,7 +176,7 @@ class HTMLPurifier_ElementDef
 
         if (!empty($def->content_model)) {
             $this->content_model =
-                str_replace("#SUPER", $this->content_model, $def->content_model);
+                str_replace("#SUPER", (string)$this->content_model, $def->content_model);
             $this->child = false;
         }
         if (!empty($def->content_model_type)) {

library/HTMLPurifier/Encoder.php

@@ -159,7 +159,7 @@ class HTMLPurifier_Encoder
 
         $len = strlen($str);
         for ($i = 0; $i < $len; $i++) {
-            $in = ord($str{$i});
+            $in = ord($str[$i]);
             $char .= $str[$i]; // append byte to char
             if (0 == $mState) {
                 // When mState is zero we expect either a US-ASCII character
@@ -398,8 +398,8 @@ class HTMLPurifier_Encoder
             // characters to their true byte-wise ASCII/UTF-8 equivalents.
             $str = strtr($str, self::testEncodingSupportsASCII($encoding));
             return $str;
-        } elseif ($encoding === 'iso-8859-1') {
+        } elseif ($encoding === 'iso-8859-1' && function_exists('mb_convert_encoding')) {
-            $str = utf8_encode($str);
+            $str = mb_convert_encoding($str, 'UTF-8', 'ISO-8859-1');
             return $str;
         }
         $bug = HTMLPurifier_Encoder::testIconvTruncateBug();
@@ -450,8 +450,8 @@ class HTMLPurifier_Encoder
             // Normal stuff
             $str = self::iconv('utf-8', $encoding . '//IGNORE', $str);
             return $str;
-        } elseif ($encoding === 'iso-8859-1') {
+        } elseif ($encoding === 'iso-8859-1' && function_exists('mb_convert_encoding')) {
-            $str = utf8_decode($str);
+            $str = mb_convert_encoding($str, 'ISO-8859-1', 'UTF-8');
             return $str;
         }
         trigger_error('Encoding not supported', E_USER_ERROR);

library/HTMLPurifier/EntityParser.php

@@ -118,7 +118,7 @@ class HTMLPurifier_EntityParser
         $entity = $matches[0];
         $hex_part = @$matches[1];
         $dec_part = @$matches[2];
-        $named_part = empty($matches[3]) ? @$matches[4] : $matches[3];
+        $named_part = empty($matches[3]) ? (empty($matches[4]) ? "" : $matches[4]) : $matches[3];
         if ($hex_part !== NULL && $hex_part !== "") {
             return HTMLPurifier_Encoder::unichr(hexdec($hex_part));
         } elseif ($dec_part !== NULL && $dec_part !== "") {

library/HTMLPurifier/HTMLModule.php

@@ -132,9 +132,9 @@ class HTMLPurifier_HTMLModule
      * @param string $element Name of element to add
      * @param string|bool $type What content set should element be registered to?
      *              Set as false to skip this step.
-     * @param string $contents Allowed children in form of:
+     * @param string|HTMLPurifier_ChildDef $contents Allowed children in form of:
      *              "$content_model_type: $content_model"
-     * @param array $attr_includes What attribute collections to register to
+     * @param array|string $attr_includes What attribute collections to register to
      *              element?
      * @param array $attr What unique attributes does the element define?
      * @see HTMLPurifier_ElementDef:: for in-depth descriptions of these parameters.
@@ -257,8 +257,9 @@ class HTMLPurifier_HTMLModule
      */
     public function makeLookup($list)
     {
+        $args = func_get_args();
         if (is_string($list)) {
-            $list = func_get_args();
+            $list = $args;
         }
         $ret = array();
         foreach ($list as $value) {

library/HTMLPurifier/HTMLModule/CommonAttributes.php

@@ -17,6 +17,7 @@ class HTMLPurifier_HTMLModule_CommonAttributes extends HTMLPurifier_HTMLModule
             'class' => 'Class',
             'id' => 'ID',
             'title' => 'CDATA',
+            'contenteditable' => 'ContentEditable',
         ),
         'Lang' => array(),
         'I18N' => array(

library/HTMLPurifier/HTMLModule/Forms.php

@@ -28,6 +28,10 @@ class HTMLPurifier_HTMLModule_Forms extends HTMLPurifier_HTMLModule
      */
     public function setup($config)
     {
+        if ($config->get('HTML.Forms')) {
+            $this->safe = true;
+        }
+
         $form = $this->addElement(
             'form',
             'Form',

library/HTMLPurifier/HTMLModule/SafeScripting.php

@@ -23,13 +23,13 @@ class HTMLPurifier_HTMLModule_SafeScripting extends HTMLPurifier_HTMLModule
         $script = $this->addElement(
             'script',
             'Inline',
-            'Empty',
+            'Optional:', // Not `Empty` to not allow to autoclose the <script /> tag @see https://www.w3.org/TR/html4/interact/scripts.html
             null,
             array(
                 // While technically not required by the spec, we're forcing
                 // it to this value.
                 'type' => 'Enum#text/javascript',
-                'src*' => new HTMLPurifier_AttrDef_Enum(array_keys($allowed))
+                'src*' => new HTMLPurifier_AttrDef_Enum(array_keys($allowed), /*case sensitive*/ true)
             )
         );
         $script->attr_transform_pre[] =

library/HTMLPurifier/HTMLModule/Tidy.php

@@ -146,10 +146,7 @@ class HTMLPurifier_HTMLModule_Tidy extends HTMLPurifier_HTMLModule
                         $type = "info_$type";
                         $e = $this;
                     }
-                    // PHP does some weird parsing when I do
+                    $e->{$type}[$attr] = $fix;
-                    // $e->$type[$attr], so I have to assign a ref.
-                    $f =& $e->$type;
-                    $f[$attr] = $fix;
                     break;
                 case 'tag_transform':
                     $this->info_tag_transform[$params['element']] = $fix;
@@ -224,6 +221,7 @@ class HTMLPurifier_HTMLModule_Tidy extends HTMLPurifier_HTMLModule
      */
     public function makeFixes()
     {
+        return array();
     }
 }
 

library/HTMLPurifier/HTMLModule/Tidy/XHTMLAndHTML4.php

@@ -96,6 +96,7 @@ class HTMLPurifier_HTMLModule_Tidy_XHTMLAndHTML4 extends HTMLPurifier_HTMLModule
 
         // @bgcolor for table, tr, td, th ---------------------------------
         $r['table@bgcolor'] =
+        $r['tr@bgcolor'] =
         $r['td@bgcolor'] =
         $r['th@bgcolor'] =
             new HTMLPurifier_AttrTransform_BgColor();
@@ -167,9 +168,11 @@ class HTMLPurifier_HTMLModule_Tidy_XHTMLAndHTML4 extends HTMLPurifier_HTMLModule
         // @vspace for img ------------------------------------------------
         $r['img@vspace'] = new HTMLPurifier_AttrTransform_ImgSpace('vspace');
 
-        // @width for hr, td, th ------------------------------------------
+        // @width for table, hr, td, th, col ------------------------------------------
+        $r['table@width'] =
         $r['td@width'] =
         $r['th@width'] =
+        $r['col@width'] =
         $r['hr@width'] = new HTMLPurifier_AttrTransform_Length('width');
 
         return $r;

library/HTMLPurifier/Injector.php

@@ -157,11 +157,13 @@ abstract class HTMLPurifier_Injector
             return false;
         }
         // check for exclusion
-        for ($i = count($this->currentNesting) - 2; $i >= 0; $i--) {
+        if (!empty($this->currentNesting)) {
-            $node = $this->currentNesting[$i];
+            for ($i = count($this->currentNesting) - 2; $i >= 0; $i--) {
-            $def  = $this->htmlDefinition->info[$node->name];
+                $node = $this->currentNesting[$i];
-            if (isset($def->excludes[$name])) {
+                $def  = $this->htmlDefinition->info[$node->name];
-                return false;
+                if (isset($def->excludes[$name])) {
+                    return false;
+                }
             }
         }
         return true;

library/HTMLPurifier/Injector/Linkify.php

@@ -40,6 +40,9 @@ class HTMLPurifier_Injector_Linkify extends HTMLPurifier_Injector
             '/\\b((?:[a-z][\\w\\-]+:(?:\\/{1,3}|[a-z0-9%])|www\\d{0,3}[.]|[a-z0-9.\\-]+[.][a-z]{2,4}\\/)(?:[^\\s()<>]|\\((?:[^\\s()<>]|(?:\\([^\\s()<>]+\\)))*\\))+(?:\\((?:[^\\s()<>]|(?:\\([^\\s()<>]+\\)))*\\)|[^\\s`!()\\[\\]{};:\'".,<>?\x{00ab}\x{00bb}\x{201c}\x{201d}\x{2018}\x{2019}]))/iu',
             $token->data, -1, PREG_SPLIT_DELIM_CAPTURE);
 
+        if ($bits === false) {
+            return;
+        }
 
         $token = array();
 

library/HTMLPurifier/Injector/RemoveSpansWithoutAttributes.php

@@ -31,6 +31,16 @@ class HTMLPurifier_Injector_RemoveSpansWithoutAttributes extends HTMLPurifier_In
      */
     private $context;
 
+    /**
+     * @type SplObjectStorage
+     */
+    private $markForDeletion;
+
+    public function __construct()
+    {
+        $this->markForDeletion = new SplObjectStorage();
+    }
+
     public function prepare($config, $context)
     {
         $this->attrValidator = new HTMLPurifier_AttrValidator();
@@ -64,7 +74,7 @@ class HTMLPurifier_Injector_RemoveSpansWithoutAttributes extends HTMLPurifier_In
 
         if ($current instanceof HTMLPurifier_Token_End && $current->name === 'span') {
             // Mark closing span tag for deletion
-            $current->markForDeletion = true;
+            $this->markForDeletion->attach($current);
             // Delete open span tag
             $token = false;
         }
@@ -75,7 +85,8 @@ class HTMLPurifier_Injector_RemoveSpansWithoutAttributes extends HTMLPurifier_In
      */
     public function handleEnd(&$token)
     {
-        if ($token->markForDeletion) {
+        if ($this->markForDeletion->contains($token)) {
+            $this->markForDeletion->detach($token);
             $token = false;
         }
     }

library/HTMLPurifier/Language/classes/en-x-test.php

@@ -1,9 +0,0 @@
-<?php
-
-// private class for unit testing
-
-class HTMLPurifier_Language_en_x_test extends HTMLPurifier_Language
-{
-}
-
-// vim: et sw=4 sts=4

library/HTMLPurifier/Language/messages/en-x-test.php

@@ -1,11 +0,0 @@
-<?php
-
-// private language message file for unit testing purposes
-
-$fallback = 'en';
-
-$messages = array(
-    'HTMLPurifier' => 'HTML Purifier X'
-);
-
-// vim: et sw=4 sts=4

library/HTMLPurifier/Language/messages/en-x-testmini.php

@@ -1,12 +0,0 @@
-<?php
-
-// private language message file for unit testing purposes
-// this language file has no class associated with it
-
-$fallback = 'en';
-
-$messages = array(
-    'HTMLPurifier' => 'HTML Purifier XNone'
-);
-
-// vim: et sw=4 sts=4

library/HTMLPurifier/Length.php

@@ -26,12 +26,14 @@ class HTMLPurifier_Length
     protected $isValid;
 
     /**
-     * Array Lookup array of units recognized by CSS 2.1
+     * Array Lookup array of units recognized by CSS 3
      * @type array
      */
     protected static $allowedUnits = array(
         'em' => true, 'ex' => true, 'px' => true, 'in' => true,
-        'cm' => true, 'mm' => true, 'pt' => true, 'pc' => true
+        'cm' => true, 'mm' => true, 'pt' => true, 'pc' => true,
+        'ch' => true, 'rem' => true, 'vw' => true, 'vh' => true,
+        'vmin' => true, 'vmax' => true
     );
 
     /**
@@ -76,7 +78,7 @@ class HTMLPurifier_Length
         if ($this->n === '0' && $this->unit === false) {
             return true;
         }
-        if (!ctype_lower($this->unit)) {
+        if ($this->unit === false || !ctype_lower($this->unit)) {
             $this->unit = strtolower($this->unit);
         }
         if (!isset(HTMLPurifier_Length::$allowedUnits[$this->unit])) {

library/HTMLPurifier/Lexer.php

@@ -48,6 +48,11 @@ class HTMLPurifier_Lexer
      */
     public $tracksLineNumbers = false;
 
+    /**
+     * @type HTMLPurifier_EntityParser
+     */
+    private $_entity_parser;
+
     // -- STATIC ----------------------------------------------------------
 
     /**
@@ -306,8 +311,8 @@ class HTMLPurifier_Lexer
     {
         // normalize newlines to \n
         if ($config->get('Core.NormalizeNewlines')) {
-            $html = str_replace("\r\n", "\n", $html);
+            $html = str_replace("\r\n", "\n", (string)$html);
-            $html = str_replace("\r", "\n", $html);
+            $html = str_replace("\r", "\n", (string)$html);
         }
 
         if ($config->get('HTML.Trusted')) {

library/HTMLPurifier/Lexer/DOMLex.php

@@ -68,8 +68,18 @@ class HTMLPurifier_Lexer_DOMLex extends HTMLPurifier_Lexer
         $doc = new DOMDocument();
         $doc->encoding = 'UTF-8'; // theoretically, the above has this covered
 
+        $options = 0;
+        if ($config->get('Core.AllowParseManyTags') && defined('LIBXML_PARSEHUGE')) {
+            $options |= LIBXML_PARSEHUGE;
+        }
+
         set_error_handler(array($this, 'muteErrorHandler'));
-        $doc->loadHTML($html);
+        // loadHTML() fails on PHP 5.3 when second parameter is given
+        if ($options) {
+            $doc->loadHTML($html, $options);
+        } else {
+            $doc->loadHTML($html);
+        }
         restore_error_handler();
 
         $body = $doc->getElementsByTagName('html')->item(0)-> // <html>
@@ -94,7 +104,6 @@ class HTMLPurifier_Lexer_DOMLex extends HTMLPurifier_Lexer
      * To iterate is human, to recurse divine - L. Peter Deutsch
      * @param DOMNode $node DOMNode to be tokenized.
      * @param HTMLPurifier_Token[] $tokens   Array-list of already tokenized tokens.
-     * @return HTMLPurifier_Token of node appended to previously passed tokens.
      */
     protected function tokenizeDOM($node, &$tokens, $config)
     {
@@ -126,6 +135,41 @@ class HTMLPurifier_Lexer_DOMLex extends HTMLPurifier_Lexer
         } while ($level > 0);
     }
 
+    /**
+     * Portably retrieve the tag name of a node; deals with older versions
+     * of libxml like 2.7.6
+     * @param DOMNode $node
+     */
+    protected function getTagName($node)
+    {
+        if (isset($node->tagName)) {
+            return $node->tagName;
+        } else if (isset($node->nodeName)) {
+            return $node->nodeName;
+        } else if (isset($node->localName)) {
+            return $node->localName;
+        }
+        return null;
+    }
+
+    /**
+     * Portably retrieve the data of a node; deals with older versions
+     * of libxml like 2.7.6
+     * @param DOMNode $node
+     */
+    protected function getData($node)
+    {
+        if (isset($node->data)) {
+            return $node->data;
+        } else if (isset($node->nodeValue)) {
+            return $node->nodeValue;
+        } else if (isset($node->textContent)) {
+            return $node->textContent;
+        }
+        return null;
+    }
+
+
     /**
      * @param DOMNode $node DOMNode to be tokenized.
      * @param HTMLPurifier_Token[] $tokens   Array-list of already tokenized tokens.
@@ -141,7 +185,10 @@ class HTMLPurifier_Lexer_DOMLex extends HTMLPurifier_Lexer
         // but we're not getting the character reference nodes because
         // those should have been preprocessed
         if ($node->nodeType === XML_TEXT_NODE) {
-            $tokens[] = $this->factory->createText($node->data);
+            $data = $this->getData($node); // Handle variable data property
+            if ($data !== null) {
+              $tokens[] = $this->factory->createText($data);
+            }
             return false;
         } elseif ($node->nodeType === XML_CDATA_SECTION_NODE) {
             // undo libxml's special treatment of <script> and <style> tags
@@ -171,21 +218,20 @@ class HTMLPurifier_Lexer_DOMLex extends HTMLPurifier_Lexer
             // not-well tested: there may be other nodes we have to grab
             return false;
         }
-
         $attr = $node->hasAttributes() ? $this->transformAttrToAssoc($node->attributes) : array();
-
+        $tag_name = $this->getTagName($node); // Handle variable tagName property
+        if (empty($tag_name)) {
+            return (bool) $node->childNodes->length;
+        }
         // We still have to make sure that the element actually IS empty
         if (!$node->childNodes->length) {
             if ($collect) {
-                $tokens[] = $this->factory->createEmpty($node->tagName, $attr);
+                $tokens[] = $this->factory->createEmpty($tag_name, $attr);
             }
             return false;
         } else {
             if ($collect) {
-                $tokens[] = $this->factory->createStart(
+                $tokens[] = $this->factory->createStart($tag_name, $attr);
-                    $tag_name = $node->tagName, // somehow, it get's dropped
-                    $attr
-                );
             }
             return true;
         }
@@ -197,10 +243,10 @@ class HTMLPurifier_Lexer_DOMLex extends HTMLPurifier_Lexer
      */
     protected function createEndNode($node, &$tokens)
     {
-        $tokens[] = $this->factory->createEnd($node->tagName);
+        $tag_name = $this->getTagName($node); // Handle variable tagName property
+        $tokens[] = $this->factory->createEnd($tag_name);
     }
 
-
     /**
      * Converts a DOMNamedNodeMap of DOMAttr objects into an assoc array.
      *

library/HTMLPurifier/Lexer/PH5P.php

@@ -1507,7 +1507,7 @@ class HTML5
                 $entity = $this->character($start, $this->char);
                 $cond = strlen($e_name) > 0;
 
-                // The rest of the parsing happens bellow.
+                // The rest of the parsing happens below.
                 break;
 
             // Anything else
@@ -1535,7 +1535,7 @@ class HTML5
                 }
 
                 $cond = isset($entity);
-                // The rest of the parsing happens bellow.
+                // The rest of the parsing happens below.
                 break;
         }
 
@@ -4410,7 +4410,7 @@ class HTML5TreeConstructer
 
         foreach ($token['attr'] as $attr) {
             if (!$el->hasAttribute($attr['name'])) {
-                $el->setAttribute($attr['name'], $attr['value']);
+                $el->setAttribute($attr['name'], (string)$attr['value']);
             }
         }
 

library/HTMLPurifier/Printer/ConfigForm.php

@@ -32,6 +32,11 @@ class HTMLPurifier_Printer_ConfigForm extends HTMLPurifier_Printer
      */
     protected $compress = false;
 
+    /**
+     * @var HTMLPurifier_Config
+     */
+    protected $genConfig;
+
     /**
      * @param string $name Form element name for directives to be stuffed into
      * @param string $doc_url String documentation URL, will have fragment tagged on
@@ -48,7 +53,7 @@ class HTMLPurifier_Printer_ConfigForm extends HTMLPurifier_Printer
         $this->compress = $compress;
         // initialize sub-printers
         $this->fields[0] = new HTMLPurifier_Printer_ConfigForm_default();
-        $this->fields[HTMLPurifier_VarParser::BOOL] = new HTMLPurifier_Printer_ConfigForm_bool();
+        $this->fields[HTMLPurifier_VarParser::C_BOOL] = new HTMLPurifier_Printer_ConfigForm_bool();
     }
 
     /**
@@ -339,7 +344,7 @@ class HTMLPurifier_Printer_ConfigForm_default extends HTMLPurifier_Printer
                     $value = '';
             }
         }
-        if ($type === HTMLPurifier_VarParser::MIXED) {
+        if ($type === HTMLPurifier_VarParser::C_MIXED) {
             return 'Not supported';
             $value = serialize($value);
         }

library/HTMLPurifier/Printer/HTMLDefinition.php

@@ -43,8 +43,8 @@ class HTMLPurifier_Printer_HTMLDefinition extends HTMLPurifier_Printer
         $ret .= $this->element('caption', 'Doctype');
         $ret .= $this->row('Name', $doctype->name);
         $ret .= $this->row('XML', $doctype->xml ? 'Yes' : 'No');
-        $ret .= $this->row('Default Modules', implode($doctype->modules, ', '));
+        $ret .= $this->row('Default Modules', implode(', ', $doctype->modules));
-        $ret .= $this->row('Default Tidy Modules', implode($doctype->tidyModules, ', '));
+        $ret .= $this->row('Default Tidy Modules', implode(', ', $doctype->tidyModules));
         $ret .= $this->end('table');
         return $ret;
     }

library/HTMLPurifier/PropertyListIterator.php

@@ -29,6 +29,7 @@ class HTMLPurifier_PropertyListIterator extends FilterIterator
     /**
      * @return bool
      */
+    #[\ReturnTypeWillChange]
     public function accept()
     {
         $key = $this->getInnerIterator()->key();

library/HTMLPurifier/StringHash.php

@@ -20,6 +20,7 @@ class HTMLPurifier_StringHash extends ArrayObject
      * @param mixed $index
      * @return mixed
      */
+    #[\ReturnTypeWillChange]
     public function offsetGet($index)
     {
         $this->accessed[$index] = true;

library/HTMLPurifier/TagTransform/Font.php

@@ -75,7 +75,7 @@ class HTMLPurifier_TagTransform_Font extends HTMLPurifier_TagTransform
         if (isset($attr['size'])) {
             // normalize large numbers
             if ($attr['size'] !== '') {
-                if ($attr['size']{0} == '+' || $attr['size']{0} == '-') {
+                if ($attr['size'][0] == '+' || $attr['size'][0] == '-') {
                     $size = (int)$attr['size'];
                     if ($size < -2) {
                         $attr['size'] = '-2';

library/HTMLPurifier/URIFilter/HostBlacklist.php

@@ -35,7 +35,7 @@ class HTMLPurifier_URIFilter_HostBlacklist extends HTMLPurifier_URIFilter
     public function filter(&$uri, $config, $context)
     {
         foreach ($this->blacklist as $blacklisted_host_fragment) {
-            if (strpos($uri->host, $blacklisted_host_fragment) !== false) {
+            if ($uri->host !== null && strpos($uri->host, $blacklisted_host_fragment) !== false) {
                 return false;
             }
         }

library/HTMLPurifier/URIFilter/Munge.php

@@ -100,11 +100,11 @@ class HTMLPurifier_URIFilter_Munge extends HTMLPurifier_URIFilter
         $string = $uri->toString();
         // always available
         $this->replace['%s'] = $string;
-        $this->replace['%r'] = $context->get('EmbeddedURI', true);
+        $this->replace['%r'] = $context->get('EmbeddedURI', true) ?: '';
-        $token = $context->get('CurrentToken', true);
+        $token = $context->get('CurrentToken', true) ?: '';
-        $this->replace['%n'] = $token ? $token->name : null;
+        $this->replace['%n'] = $token ? $token->name : '';
-        $this->replace['%m'] = $context->get('CurrentAttr', true);
+        $this->replace['%m'] = $context->get('CurrentAttr', true) ?: '';
-        $this->replace['%p'] = $context->get('CurrentCSSProperty', true);
+        $this->replace['%p'] = $context->get('CurrentCSSProperty', true) ?: '';
         // not always available
         if ($this->secretKey) {
             $this->replace['%t'] = hash_hmac("sha256", $string, $this->secretKey);

library/HTMLPurifier/URIScheme/tel.php

@@ -37,7 +37,7 @@ class HTMLPurifier_URIScheme_tel extends HTMLPurifier_URIScheme
         // from phone number, EXCEPT for a leading plus sign.
         $uri->path = preg_replace('/(?!^\+)[^\dx]/', '',
                      // Normalize e(x)tension to lower-case
-                     str_replace('X', 'x', $uri->path));
+                     str_replace('X', 'x', rawurldecode($uri->path)));
 
         return true;
     }

library/HTMLPurifier/VarParser.php

@@ -7,34 +7,34 @@
 class HTMLPurifier_VarParser
 {
 
-    const STRING = 1;
+    const C_STRING = 1;
     const ISTRING = 2;
     const TEXT = 3;
     const ITEXT = 4;
-    const INT = 5;
+    const C_INT = 5;
-    const FLOAT = 6;
+    const C_FLOAT = 6;
-    const BOOL = 7;
+    const C_BOOL = 7;
     const LOOKUP = 8;
     const ALIST = 9;
     const HASH = 10;
-    const MIXED = 11;
+    const C_MIXED = 11;
 
     /**
      * Lookup table of allowed types. Mainly for backwards compatibility, but
      * also convenient for transforming string type names to the integer constants.
      */
     public static $types = array(
-        'string' => self::STRING,
+        'string' => self::C_STRING,
         'istring' => self::ISTRING,
         'text' => self::TEXT,
         'itext' => self::ITEXT,
-        'int' => self::INT,
+        'int' => self::C_INT,
-        'float' => self::FLOAT,
+        'float' => self::C_FLOAT,
-        'bool' => self::BOOL,
+        'bool' => self::C_BOOL,
         'lookup' => self::LOOKUP,
         'list' => self::ALIST,
         'hash' => self::HASH,
-        'mixed' => self::MIXED
+        'mixed' => self::C_MIXED
     );
 
     /**
@@ -42,7 +42,7 @@ class HTMLPurifier_VarParser
      * allowed value lists.
      */
     public static $stringTypes = array(
-        self::STRING => true,
+        self::C_STRING => true,
         self::ISTRING => true,
         self::TEXT => true,
         self::ITEXT => true,
@@ -74,7 +74,7 @@ class HTMLPurifier_VarParser
         // These are basic checks, to make sure nothing horribly wrong
         // happened in our implementations.
         switch ($type) {
-            case (self::STRING):
+            case (self::C_STRING):
             case (self::ISTRING):
             case (self::TEXT):
             case (self::ITEXT):
@@ -85,17 +85,17 @@ class HTMLPurifier_VarParser
                     $var = strtolower($var);
                 }
                 return $var;
-            case (self::INT):
+            case (self::C_INT):
                 if (!is_int($var)) {
                     break;
                 }
                 return $var;
-            case (self::FLOAT):
+            case (self::C_FLOAT):
                 if (!is_float($var)) {
                     break;
                 }
                 return $var;
-            case (self::BOOL):
+            case (self::C_BOOL):
                 if (!is_bool($var)) {
                     break;
                 }
@@ -119,7 +119,7 @@ class HTMLPurifier_VarParser
                     }
                 }
                 return $var;
-            case (self::MIXED):
+            case (self::C_MIXED):
                 return $var;
             default:
                 $this->errorInconsistent(get_class($this), $type);

library/HTMLPurifier/VarParser/Flexible.php

@@ -23,23 +23,23 @@ class HTMLPurifier_VarParser_Flexible extends HTMLPurifier_VarParser
             // Note: if code "breaks" from the switch, it triggers a generic
             // exception to be thrown. Specific errors can be specifically
             // done here.
-            case self::MIXED:
+            case self::C_MIXED:
             case self::ISTRING:
-            case self::STRING:
+            case self::C_STRING:
             case self::TEXT:
             case self::ITEXT:
                 return $var;
-            case self::INT:
+            case self::C_INT:
                 if (is_string($var) && ctype_digit($var)) {
                     $var = (int)$var;
                 }
                 return $var;
-            case self::FLOAT:
+            case self::C_FLOAT:
                 if ((is_string($var) && is_numeric($var)) || is_int($var)) {
                     $var = (float)$var;
                 }
                 return $var;
-            case self::BOOL:
+            case self::C_BOOL:
                 if (is_int($var) && ($var === 0 || $var === 1)) {
                     $var = (bool)$var;
                 } elseif (is_string($var)) {

maintenance/.htaccess

@@ -1 +1,7 @@
-Deny from all
+<IfModule mod_authz_core.c>
+    Require all denied
+</IfModule>
+
+<IfModule !mod_authz_core.c>
+    Deny from all
+</ifModule>

maintenance/PH5P.php

@@ -1080,7 +1080,7 @@ class HTML5
                 $entity = $this->character($start, $this->char);
                 $cond = strlen($e_name) > 0;
 
-                // The rest of the parsing happens bellow.
+                // The rest of the parsing happens below.
             break;
 
             // Anything else
@@ -1102,7 +1102,7 @@ class HTML5
                 }
 
                 $cond = isset($entity);
-                // The rest of the parsing happens bellow.
+                // The rest of the parsing happens below.
             break;
         }
 

maintenance/add-vimline.php

@@ -34,7 +34,6 @@ foreach ($files as $file) {
         postfix_is('.svg', $file) ||
         postfix_is('.phpt', $file) ||
         postfix_is('VERSION', $file) ||
-        postfix_is('WHATSNEW', $file) ||
         postfix_is('configdoc/usage.xml', $file) ||
         postfix_is('library/HTMLPurifier.includes.php', $file) ||
         postfix_is('library/HTMLPurifier.safe-includes.php', $file) ||

maintenance/flush.php

@@ -1,30 +0,0 @@
-#!/usr/bin/php
-<?php
-
-chdir(dirname(__FILE__));
-require_once 'common.php';
-assertCli();
-
-/**
- * @file
- * Runs all generation/flush cache scripts to ensure that somewhat volatile
- * generated files are up-to-date.
- */
-
-function e($cmd)
-{
-    echo "\$ $cmd\n";
-    passthru($cmd, $status);
-    echo "\n";
-    if ($status) exit($status);
-}
-
-$php = empty($_SERVER['argv'][1]) ? 'php' : $_SERVER['argv'][1];
-
-e($php . ' generate-includes.php');
-e($php . ' generate-schema-cache.php');
-e($php . ' flush-definition-cache.php');
-e($php . ' generate-standalone.php');
-e($php . ' config-scanner.php');
-
-// vim: et sw=4 sts=4

maintenance/flush.sh

@@ -0,0 +1,8 @@
+#!/bin/bash
+set -ex
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null && pwd )"
+php "$DIR/generate-includes.php"
+php "$DIR/generate-schema-cache.php"
+php "$DIR/flush-definition-cache.php"
+php "$DIR/generate-standalone.php"
+php "$DIR/config-scanner.php"

maintenance/update-config.php

@@ -1,34 +0,0 @@
-#!/usr/bin/php
-<?php
-
-chdir(dirname(__FILE__));
-require_once 'common.php';
-assertCli();
-
-/**
- * @file
- * Converts all instances of $config->set and $config->get to the new
- * format, as described by docs/dev-config-bcbreaks.txt
- */
-
-$FS = new FSTools();
-chdir(dirname(__FILE__) . '/..');
-$raw_files = $FS->globr('.', '*.php');
-foreach ($raw_files as $file) {
-    $file = substr($file, 2); // rm leading './'
-    if (strpos($file, 'library/standalone/') === 0) continue;
-    if (strpos($file, 'maintenance/update-config.php') === 0) continue;
-    if (strpos($file, 'test-settings.php') === 0) continue;
-    if (substr_count($file, '.') > 1) continue; // rm meta files
-    // process the file
-    $contents = file_get_contents($file);
-    $contents = preg_replace(
-        "#config->(set|get)\('(.+?)', '(.+?)'#",
-        "config->\\1('\\2.\\3'",
-        $contents
-    );
-    if ($contents === '') continue;
-    file_put_contents($file, $contents);
-}
-
-// vim: et sw=4 sts=4

package.php

@@ -48,7 +48,6 @@ $pkg->setReleaseStability('stable');
 
 $pkg->addRelease();
 
-$pkg->setNotes(file_get_contents('WHATSNEW'));
 $pkg->setPackageType('php');
 
 $pkg->setPhpDep('5.0.0');

plugins/phorum/config.default.php

@@ -53,5 +53,6 @@ $config->set('Core.Encoding', $GLOBALS['PHORUM']['DATA']['CHARSET']); // we'll c
 if (strtolower($GLOBALS['PHORUM']['DATA']['CHARSET']) !== 'utf-8') {
   $config->set('Core.EscapeNonASCIICharacters', true);
 }
+$config->set('Core.AllowParseManyTags', false);
 
 // vim: et sw=4 sts=4

release.config.js

@@ -0,0 +1,33 @@
+module.exports = {
+  debug: true,
+  branch: 'master',
+  plugins: [
+    '@semantic-release/commit-analyzer',
+    '@semantic-release/release-notes-generator',
+    [
+      '@semantic-release/changelog',
+      {
+        'changelogFile': 'NEWS'
+      }
+    ],
+    [
+      '@semantic-release/exec',
+      {
+        'prepareCmd': 'php update-for-release ${nextRelease.version}'
+      }
+    ],
+    [
+      '@semantic-release/git',
+      {
+        'assets': [
+          'VERSION',
+          'NEWS',
+          'Doxyfile',
+          ['library/**/*', '!library/standalone/**/*', '!library/HTMLPurifier.standalone.php'],
+          'configdoc/**/*',
+        ],
+      }
+    ],
+    '@semantic-release/github'
+  ],
+}

release2-tag.php

@@ -1,22 +0,0 @@
-<?php
-
-// Tags releases
-
-if (php_sapi_name() != 'cli') {
-    echo 'Release script cannot be called from web-browser.';
-    exit;
-}
-
-require 'svn.php';
-
-$svn_info = my_svn_info('.');
-
-$version = trim(file_get_contents('VERSION'));
-
-$trunk_url  = $svn_info['Repository Root'] . '/htmlpurifier/trunk';
-$trunk_tag_url  = $svn_info['Repository Root'] . '/htmlpurifier/tags/' . $version;
-
-echo "Tagging trunk to tags/$version...";
-passthru("svn copy --message \"Tag $version release.\" $trunk_url $trunk_tag_url");
-
-// vim: et sw=4 sts=4

smoketests/common.php

@@ -2,6 +2,8 @@
 
 header('Content-type: text/html; charset=UTF-8');
 
+require_once __DIR__.'/../vendor/autoload.php';
+
 if (!isset($_GET['standalone'])) {
     require_once '../library/HTMLPurifier.auto.php';
 } else {

smoketests/extractStyleBlocks.php

@@ -3,23 +3,6 @@
 require_once 'common.php';
 require_once 'HTMLPurifier/Filter/ExtractStyleBlocks.php';
 
-// need CSSTidy location
-$csstidy_location = false;
-if (file_exists('../conf/test-settings.php')) include '../conf/test-settings.php';
-if (file_exists('../test-settings.php')) include '../test-settings.php';
-
-if (!$csstidy_location) {
-?>
-Error: <a href="http://csstidy.sourceforge.net/">CSSTidy</a> library not
-found, please install and configure <code>test-settings.php</code>
-accordingly.
-<?php
-    exit;
-}
-
-require_once $csstidy_location . 'class.csstidy.php';
-require_once $csstidy_location . 'class.csstidy_print.php';
-
 $purifier = new HTMLPurifier(array(
     'Filter.ExtractStyleBlocks' => true,
 ));

test-settings.sample.php

@@ -17,20 +17,6 @@ if ($data !== false && $data !== '') {
     exit;
 }
 
-// -----------------------------------------------------------------------------
-// REQUIRED SETTINGS
-
-// Note on running SimpleTest:
-//      You want the Git copy of SimpleTest, found here:
-//          https://github.com/simpletest/simpletest/
-//
-//      If SimpleTest is borked with HTML Purifier, please contact me or
-//      the SimpleTest devs; I am a developer for SimpleTest so I should be
-//      able to quickly assess a fix. SimpleTest's problem is my problem!
-
-// Where is SimpleTest located? Remember to include a trailing slash!
-$simpletest_location = '/path/to/simpletest/';
-
 // -----------------------------------------------------------------------------
 // OPTIONAL SETTINGS
 
@@ -50,9 +36,6 @@ $GLOBALS['HTMLPurifierTest']['PHPT'] = false;
 // If PHPT isn't in your Path via PEAR, set that here:
 // set_include_path('/path/to/phpt/Core/src' . PATH_SEPARATOR . get_include_path());
 
-// Where is CSSTidy located? (Include trailing slash. Leave false to disable.)
-$csstidy_location    = false;
-
 // For tests/multitest.php, which versions to test?
 $versions_to_test    = array();
 
@@ -69,6 +52,6 @@ $GLOBALS['HTMLPurifierTest']['PEAR'] = false;
 
 // If PEAR is enabled, what PEAR tests should be run? (Note: you will
 // need to ensure these libraries are installed)
-$GLOBALS['HTMLPurifierTest']['Net_IDNA2'] = true;
+$GLOBALS['HTMLPurifierTest']['Net_IDNA2'] = false;
 
 // vim: et sw=4 sts=4

test-settings.travis.php

@@ -1,72 +0,0 @@
-<?php
-
-// This file is the configuration for Travis testing.
-
-// Note: The only external library you *need* is SimpleTest; everything else
-//       is optional.
-
-// We've got a lot of tests, so we recommend turning the limit off.
-set_time_limit(0);
-
-// Turning off output buffering will prevent mysterious errors from core dumps.
-$data = @ob_get_clean();
-if ($data !== false && $data !== '') {
-    echo "Output buffer contains data [".urlencode($data)."]\n";
-    exit;
-}
-
-// -----------------------------------------------------------------------------
-// REQUIRED SETTINGS
-
-// Note on running SimpleTest:
-//      You want the Git copy of SimpleTest, found here:
-//          https://github.com/simpletest/simpletest/
-//
-//      If SimpleTest is borked with HTML Purifier, please contact me or
-//      the SimpleTest devs; I am a developer for SimpleTest so I should be
-//      able to quickly assess a fix. SimpleTest's problem is my problem!
-
-// Where is SimpleTest located? Remember to include a trailing slash!
-$simpletest_location = dirname(__FILE__) . '/simpletest/';
-
-// -----------------------------------------------------------------------------
-// OPTIONAL SETTINGS
-
-// Note on running PHPT:
-//      Vanilla PHPT from https://github.com/tswicegood/PHPT_Core should
-//      work fine on Linux w/o multitest.
-//
-//      To do multitest or Windows testing, you'll need some more
-//      patches at https://github.com/ezyang/PHPT_Core
-//
-//      I haven't tested the Windows setup in a while so I don't know if
-//      it still works.
-
-// Should PHPT tests be enabled?
-$GLOBALS['HTMLPurifierTest']['PHPT'] = false;
-
-// If PHPT isn't in your Path via PEAR, set that here:
-// set_include_path('/path/to/phpt/Core/src' . PATH_SEPARATOR . get_include_path());
-
-// Where is CSSTidy located? (Include trailing slash. Leave false to disable.)
-$csstidy_location    = false;
-
-// For tests/multitest.php, which versions to test?
-$versions_to_test    = array();
-
-// Stable PHP binary to use when invoking maintenance scripts.
-$php = 'php';
-
-// For tests/multitest.php, what is the multi-version executable? It must
-// accept an extra parameter (version number) before all other arguments
-$phpv = false;
-
-// Should PEAR tests be run? If you've got a valid PEAR installation, set this
-// to true (or, if it's not in the include path, to its install directory).
-$GLOBALS['HTMLPurifierTest']['PEAR'] = false;
-
-// If PEAR is enabled, what PEAR tests should be run? (Note: you will
-// need to ensure these libraries are installed)
-$GLOBALS['HTMLPurifierTest']['Net_IDNA2'] = true;
-
-// vim: et sw=4 sts=4

tests/HTMLPurifier/AttrDef/CSS/AlphaValueTest.php

@@ -9,7 +9,7 @@ class HTMLPurifier_AttrDef_CSS_AlphaValueTest extends HTMLPurifier_AttrDefHarnes
 
         $this->assertDef('0');
         $this->assertDef('1');
-        $this->assertDef('.2');
+        $this->assertDef('0.2');
 
         // clamping to [0.0, 1,0]
         $this->assertDef('1.2', '1');

tests/HTMLPurifier/AttrDef/CSS/BackgroundTest.php

@@ -17,7 +17,7 @@ class HTMLPurifier_AttrDef_CSS_BackgroundTest extends HTMLPurifier_AttrDefHarnes
         );
         $this->assertDef(
             'rgba(74, 12, 85, 0.35) repeat fixed bottom',
-            'rgba(74,12,85,.35) repeat fixed bottom'
+            'rgba(74,12,85,0.35) repeat fixed bottom'
         );
         $this->assertDef(
             'hsl(244, 47.4%, 88.1%) right center',

tests/HTMLPurifier/AttrDef/CSS/ColorTest.php

@@ -20,8 +20,8 @@ class HTMLPurifier_AttrDef_CSS_ColorTest extends HTMLPurifier_AttrDefHarness
         $this->assertDef('rgb(12%,150%,0%)', 'rgb(12%,100%,0%)'); // percentage max values
 
         $this->assertDef('rgba(255, 0, 0, 0)', 'rgba(255,0,0,0)'); // rm spaces
-        $this->assertDef('rgba(100%,0%,0%,.4)');
+        $this->assertDef('rgba(100%,0%,0%,0.4)');
-        $this->assertDef('rgba(38.1%,59.7%,1.8%,0.7)', 'rgba(38.1%,59.7%,1.8%,.7)'); // decimals okay
+        $this->assertDef('rgba(38.1%,59.7%,1.8%,0.7)', 'rgba(38.1%,59.7%,1.8%,0.7)'); // decimals okay
 
         $this->assertDef('hsl(275, 45%, 81%)', 'hsl(275,45%,81%)'); // rm spaces
         $this->assertDef('hsl(100,0%,0%)');
@@ -30,8 +30,8 @@ class HTMLPurifier_AttrDef_CSS_ColorTest extends HTMLPurifier_AttrDefHarness
         $this->assertDef('hsl(380,125%,0%)', 'hsl(360,100%,0%)'); // max values
 
         $this->assertDef('hsla(100, 74%, 29%, 0)', 'hsla(100,74%,29%,0)'); // rm spaces
-        $this->assertDef('hsla(154,87%,21%,.4)');
+        $this->assertDef('hsla(154,87%,21%,0.4)');
-        $this->assertDef('hsla(45,94.3%,4.1%,0.7)', 'hsla(45,94.3%,4.1%,.7)'); // decimals okay
+        $this->assertDef('hsla(45,94.3%,4.1%,0.7)', 'hsla(45,94.3%,4.1%,0.7)'); // decimals okay
 
         $this->assertDef('#G00', false);
         $this->assertDef('cmyk(40, 23, 43, 23)', false);

tests/HTMLPurifier/AttrDef/CSS/NumberTest.php

@@ -12,8 +12,8 @@ class HTMLPurifier_AttrDef_CSS_NumberTest extends HTMLPurifier_AttrDefHarness
         $this->assertDef('1.0', '1');
         $this->assertDef('34');
         $this->assertDef('4.5');
-        $this->assertDef('.5');
+        $this->assertDef('0.5');
-        $this->assertDef('0.5', '.5');
+        $this->assertDef('0.5', '0.5');
         $this->assertDef('-56.9');
 
         $this->assertDef('0.', '0');
@@ -21,10 +21,10 @@ class HTMLPurifier_AttrDef_CSS_NumberTest extends HTMLPurifier_AttrDefHarness
         $this->assertDef('0.0', '0');
 
         $this->assertDef('1.', '1');
-        $this->assertDef('.1', '.1');
+        $this->assertDef('.1', '0.1');
 
         $this->assertDef('1.0', '1');
-        $this->assertDef('0.1', '.1');
+        $this->assertDef('0.1', '0.1');
 
         $this->assertDef('000', '0');
         $this->assertDef(' 9', '9');

tests/HTMLPurifier/AttrDef/CSSTest.php

@@ -64,9 +64,19 @@ class HTMLPurifier_AttrDef_CSSTest extends HTMLPurifier_AttrDefHarness
         $this->assertDef('width:-50px;', false);
         $this->assertDef('min-width:50%;');
         $this->assertDef('min-width:50px;');
-        $this->assertDef('min-width:auto;');
+        $this->assertDef('min-width:auto;', false);
+        $this->assertDef('min-width:initial;');
+        $this->assertDef('min-width:inherit;');
         $this->assertDef('min-width:-50px;', false);
+        $this->assertDef('min-width:50ch;');
+        $this->assertDef('min-width:50rem;');
+        $this->assertDef('min-width:50vw;');
+        $this->assertDef('min-width:-50vw;', false);
         $this->assertDef('text-decoration:underline;');
+        $this->assertDef('text-decoration-line:overline;');
+        $this->assertDef('text-decoration-style:dashed;');
+        $this->assertDef('text-decoration-color:#F00;');
+        $this->assertDef('text-decoration-thickness:5%;');
         $this->assertDef('font-family:sans-serif;');
         $this->assertDef("font-family:Gill, 'Times New Roman', sans-serif;");
         $this->assertDef('font:12px serif;');
@@ -86,6 +96,9 @@ class HTMLPurifier_AttrDef_CSSTest extends HTMLPurifier_AttrDefHarness
         $this->assertDef('background-repeat:repeat-y;');
         $this->assertDef('background-attachment:fixed;');
         $this->assertDef('background-position:left 90%;');
+        $this->assertDef('background-size:50%;');
+        $this->assertDef('background-size:cover;');
+        $this->assertDef('background-size:200px;');
         $this->assertDef('border-spacing:1em;');
         $this->assertDef('border-spacing:1em 2em;');
         $this->assertDef('border-color: rgb(0, 0, 0) rgb(10,0,10)', 'border-color:rgb(0,0,0) rgb(10,0,10);');
@@ -134,8 +147,8 @@ class HTMLPurifier_AttrDef_CSSTest extends HTMLPurifier_AttrDefHarness
         $this->assertDef('scrollbar-highlight-color:#ff69b4;');
         $this->assertDef('scrollbar-shadow-color:#f0f;');
 
-        $this->assertDef('-moz-opacity:.2;');
+        $this->assertDef('-moz-opacity:0.2;');
-        $this->assertDef('-khtml-opacity:.2;');
+        $this->assertDef('-khtml-opacity:0.2;');
         $this->assertDef('filter:alpha(opacity=20);');
 
         $this->assertDef('border-top-left-radius:55pt 25pt;');
@@ -154,7 +167,7 @@ class HTMLPurifier_AttrDef_CSSTest extends HTMLPurifier_AttrDefHarness
         $this->assertDef('display:none;');
         $this->assertDef('visibility:visible;');
         $this->assertDef('overflow:scroll;');
-        $this->assertDef('opacity:.2;');
+        $this->assertDef('opacity:0.2;');
     }
 
     public function testForbidden()

tests/HTMLPurifier/AttrDef/HTML/ContentEditableTest.php

@@ -0,0 +1,27 @@
+<?php
+
+class HTMLPurifier_AttrDef_HTML_ContentEditableTest extends HTMLPurifier_AttrDefHarness
+{
+    public function setUp()
+    {
+        parent::setUp();
+        $this->def = new HTMLPurifier_AttrDef_HTML_ContentEditable();
+    }
+
+    public function test()
+    {
+        $this->assertDef('', false);
+        $this->assertDef('true', false);
+        $this->assertDef('caret', false);
+        $this->assertDef('false');
+    }
+
+    public function testTrustedHtml()
+    {
+        $this->config->set('HTML.Trusted', true);
+        $this->assertDef('');
+        $this->assertDef('true');
+        $this->assertDef('false');
+        $this->assertDef('caret', false);
+    }
+}

tests/HTMLPurifier/AttrDef/URI/HostTest.php

@@ -49,6 +49,7 @@ class HTMLPurifier_AttrDef_URI_HostTest extends HTMLPurifier_AttrDefHarness
         }
         $this->config->set('Core.EnableIDNA', true);
         $this->assertDef("\xE4\xB8\xAD\xE6\x96\x87.com.cn", "xn--fiq228c.com.cn");
+        $this->assertDef("faß.de", "xn--fa-hia.de");
         $this->assertDef("\xe2\x80\x85.com", false); // rejected
     }
 

tests/HTMLPurifier/AttrDef/URITest.php

@@ -23,6 +23,8 @@ class HTMLPurifier_AttrDef_URITest extends HTMLPurifier_AttrDefHarness
         $this->assertDef('nntp://news.example.com/324234');
         $this->assertDef('mailto:bob@example.com');
         $this->assertDef('tel:+15555555555');
+        $this->assertDef('tel:+15555 555 555', 'tel:+15555555555');
+        $this->assertDef('tel:+15555%20555%20555', 'tel:+15555555555');
     }
 
     public function testIntegrationWithPercentEncoder()

tests/HTMLPurifier/AttrTransform/NameSyncTest.php

@@ -3,6 +3,11 @@
 class HTMLPurifier_AttrTransform_NameSyncTest extends HTMLPurifier_AttrTransformHarness
 {
 
+    /**
+     * @type HTMLPurifier_IDAccumulator
+     */
+    public $accumulator;
+
     public function setUp()
     {
         parent::setUp();

tests/HTMLPurifier/AttrValidator_ErrorsTest.php

@@ -3,6 +3,11 @@
 class HTMLPurifier_AttrValidator_ErrorsTest extends HTMLPurifier_ErrorsHarness
 {
 
+    /**
+     * @type HTMLPurifier_Language
+     */
+    public $language;
+
     public function setup()
     {
         parent::setup();

tests/HTMLPurifier/ChildDef/TableTest.php

@@ -44,6 +44,22 @@ class HTMLPurifier_ChildDef_TableTest extends HTMLPurifier_ChildDefHarness
         );
     }
 
+    public function testTheadOnlyNotRemoved()
+    {
+        $this->assertResult(
+            '<thead><tr><th>a</th></tr></thead>',
+            '<thead><tr><th>a</th></tr></thead>'
+        );
+    }
+
+    public function testTbodyOnlyNotRemoved()
+    {
+        $this->assertResult(
+            '<tbody><tr><th>a</th></tr></tbody>',
+            '<tbody><tr><th>a</th></tr></tbody>'
+        );
+    }
+
     public function testTrOverflowAndClose()
     {
         $this->assertResult(

tests/HTMLPurifier/ConfigSchemaTest.php

@@ -15,12 +15,12 @@ class HTMLPurifier_ConfigSchemaTest extends HTMLPurifier_Harness
         $this->schema->add('Car.Seats', 5, 'int', false);
 
         $this->assertIdentical($this->schema->defaults['Car.Seats'], 5);
-        $this->assertIdentical($this->schema->info['Car.Seats']->type, HTMLPurifier_VarParser::INT);
+        $this->assertIdentical($this->schema->info['Car.Seats']->type, HTMLPurifier_VarParser::C_INT);
 
         $this->schema->add('Car.Age', null, 'int', true);
 
         $this->assertIdentical($this->schema->defaults['Car.Age'], null);
-        $this->assertIdentical($this->schema->info['Car.Age']->type, HTMLPurifier_VarParser::INT);
+        $this->assertIdentical($this->schema->info['Car.Age']->type, HTMLPurifier_VarParser::C_INT);
 
     }
 
@@ -35,7 +35,7 @@ class HTMLPurifier_ConfigSchemaTest extends HTMLPurifier_Harness
         );
 
         $this->assertIdentical($this->schema->defaults['QuantumNumber.Difficulty'], null);
-        $this->assertIdentical($this->schema->info['QuantumNumber.Difficulty']->type, HTMLPurifier_VarParser::STRING);
+        $this->assertIdentical($this->schema->info['QuantumNumber.Difficulty']->type, HTMLPurifier_VarParser::C_STRING);
         $this->assertIdentical($this->schema->info['QuantumNumber.Difficulty']->allow_null, true);
         $this->assertIdentical($this->schema->info['QuantumNumber.Difficulty']->allowed,
             array(
@@ -70,7 +70,7 @@ class HTMLPurifier_ConfigSchemaTest extends HTMLPurifier_Harness
         );
 
         $this->assertIdentical($this->schema->defaults['Abbrev.HTH'], 'Happy to Help');
-        $this->assertIdentical($this->schema->info['Abbrev.HTH']->type, HTMLPurifier_VarParser::STRING);
+        $this->assertIdentical($this->schema->info['Abbrev.HTH']->type, HTMLPurifier_VarParser::C_STRING);
         $this->assertIdentical($this->schema->info['Abbrev.HTH']->allowed,
             array(
                 'Happy to Help' => true,