xpressengine / xe-core

classes/security/EmbedFilter.class.php

Doc Comments +5 added lines, -4 removed lines

@@ -295,6 +295,7 @@ 
 
 	/**
 	 * Check the content.
+	 * @param string $content
 	 * @return void
 	 */
 	function check(&$content)
@@ -487,7 +488,7 @@ 
 
 	/**
 	 * Check white domain in object data attribute or embed src attribute.
-	 * @return string
+	 * @return boolean
 	 */
 	function isWhiteDomain($urlAttribute)
 	{
@@ -506,7 +507,7 @@ 
 
 	/**
 	 * Check white domain in iframe src attribute.
-	 * @return string
+	 * @return boolean
 	 */
 	function isWhiteIframeDomain($urlAttribute)
 	{
@@ -525,7 +526,7 @@ 
 
 	/**
 	 * Check white mime type in object type attribute or embed type attribute.
-	 * @return string
+	 * @return boolean
 	 */
 	function isWhiteMimetype($mimeType)
 	{
@@ -590,7 +591,7 @@ 
 
 	/**
 	 * Make white domain list cache file from xml config file.
-	 * @param $whitelist array
+	 * @param stdClass $whitelist array
 	 * @return void
 	 */
 	function _makeWhiteDomainList($whitelist = NULL)

Braces +11 added lines, -12 removed lines

@@ -563,14 +563,12 @@ 
 				}
 				$this->allowscriptaccessList[count($this->allowscriptaccessList) - 1]--;
 			}
-		}
-		else if($m[1] == 'embed')
+		} else if($m[1] == 'embed')
 		{
 			if(stripos($m[0], 'allowscriptaccess'))
 			{
 				$m[0] = preg_replace('/always|samedomain/i', 'never', $m[0]);
-			}
-			else
+			} else
 			{
 				$m[0] = preg_replace('/\<embed/i', '<embed allowscriptaccess="never"', $m[0]);
 			}
@@ -627,8 +625,7 @@ 
 			{
 				$whiteUrlList = $whitelist->object;
 				$whiteIframeUrlList = $whitelist->iframe;
-			}
-			else
+			} else
 			{
 				$xmlBuff = FileHandler::readFile($this->whiteUrlXmlFile);
 
@@ -636,8 +633,12 @@ 
 				$domainListObj = $xmlParser->parse($xmlBuff);
 				$embedDomainList = $domainListObj->whiteurl->embed->domain;
 				$iframeDomainList = $domainListObj->whiteurl->iframe->domain;
-				if(!is_array($embedDomainList)) $embedDomainList = array();
-				if(!is_array($iframeDomainList)) $iframeDomainList = array();
+				if(!is_array($embedDomainList)) {
+					$embedDomainList = array();
+				}
+				if(!is_array($iframeDomainList)) {
+					$iframeDomainList = array();
+				}
 
 				foreach($embedDomainList AS $key => $value)
 				{
@@ -648,8 +649,7 @@ 
 						{
 							$whiteUrlList[] = $value->body;
 						}
-					}
-					else
+					} else
 					{
 						$whiteUrlList[] = $patternList->body;
 					}
@@ -664,8 +664,7 @@ 
 						{
 							$whiteIframeUrlList[] = $value->body;
 						}
-					}
-					else
+					} else
 					{
 						$whiteIframeUrlList[] = $patternList->body;
 					}

Spacing +65 added lines, -65 removed lines

@@ -1,7 +1,7 @@ 
 <?php
 /* Copyright (C) NAVER <http://www.navercorp.com> */
 
-include _XE_PATH_ . 'classes/security/phphtmlparser/src/htmlparser.inc';
+include _XE_PATH_.'classes/security/phphtmlparser/src/htmlparser.inc';
 
 class EmbedFilter
 {
@@ -276,7 +276,7 @@ 
 	 */
 	function getInstance()
 	{
-		if(!isset($GLOBALS['__EMBEDFILTER_INSTANCE__']))
+		if (!isset($GLOBALS['__EMBEDFILTER_INSTANCE__']))
 		{
 			$GLOBALS['__EMBEDFILTER_INSTANCE__'] = new EmbedFilter();
 		}
@@ -316,9 +316,9 @@ 
 	{
 		preg_match_all('/<\s*object\s*[^>]+(?:\/?>?)/is', $content, $m);
 		$objectTagList = $m[0];
-		if($objectTagList)
+		if ($objectTagList)
 		{
-			foreach($objectTagList AS $key => $objectTag)
+			foreach ($objectTagList AS $key => $objectTag)
 			{
 				$isWhiteDomain = true;
 				$isWhiteMimetype = true;
@@ -326,21 +326,21 @@ 
 				$ext = '';
 
 				$parser = new HtmlParser($objectTag);
-				while($parser->parse())
+				while ($parser->parse())
 				{
-					if(is_array($parser->iNodeAttributes))
+					if (is_array($parser->iNodeAttributes))
 					{
-						foreach($parser->iNodeAttributes AS $attrName => $attrValue)
+						foreach ($parser->iNodeAttributes AS $attrName => $attrValue)
 						{
 							// data url check
-							if($attrValue && strtolower($attrName) == 'data')
+							if ($attrValue && strtolower($attrName) == 'data')
 							{
 								$ext = strtolower(substr(strrchr($attrValue, "."), 1));
 								$isWhiteDomain = $this->isWhiteDomain($attrValue);
 							}
 
 							// mime type check
-							if(strtolower($attrName) == 'type' && $attrValue)
+							if (strtolower($attrName) == 'type' && $attrValue)
 							{
 								$isWhiteMimetype = $this->isWhiteMimetype($attrValue);
 							}
@@ -348,7 +348,7 @@ 
 					}
 				}
 
-				if(!$isWhiteDomain || !$isWhiteMimetype)
+				if (!$isWhiteDomain || !$isWhiteMimetype)
 				{
 					$content = str_replace($objectTag, htmlspecialchars($objectTag, ENT_COMPAT | ENT_HTML401, 'UTF-8', false), $content);
 				}
@@ -364,9 +364,9 @@ 
 	{
 		preg_match_all('/<\s*embed\s*[^>]+(?:\/?>?)/is', $content, $m);
 		$embedTagList = $m[0];
-		if($embedTagList)
+		if ($embedTagList)
 		{
-			foreach($embedTagList AS $key => $embedTag)
+			foreach ($embedTagList AS $key => $embedTag)
 			{
 				$isWhiteDomain = TRUE;
 				$isWhiteMimetype = TRUE;
@@ -374,21 +374,21 @@ 
 				$ext = '';
 
 				$parser = new HtmlParser($embedTag);
-				while($parser->parse())
+				while ($parser->parse())
 				{
-					if(is_array($parser->iNodeAttributes))
+					if (is_array($parser->iNodeAttributes))
 					{
-						foreach($parser->iNodeAttributes AS $attrName => $attrValue)
+						foreach ($parser->iNodeAttributes AS $attrName => $attrValue)
 						{
 							// src url check
-							if($attrValue && strtolower($attrName) == 'src')
+							if ($attrValue && strtolower($attrName) == 'src')
 							{
 								$ext = strtolower(substr(strrchr($attrValue, "."), 1));
 								$isWhiteDomain = $this->isWhiteDomain($attrValue);
 							}
 
 							// mime type check
-							if(strtolower($attrName) == 'type' && $attrValue)
+							if (strtolower($attrName) == 'type' && $attrValue)
 							{
 								$isWhiteMimetype = $this->isWhiteMimetype($attrValue);
 							}
@@ -396,7 +396,7 @@ 
 					}
 				}
 
-				if(!$isWhiteDomain || !$isWhiteMimetype)
+				if (!$isWhiteDomain || !$isWhiteMimetype)
 				{
 					$content = str_replace($embedTag, htmlspecialchars($embedTag, ENT_COMPAT | ENT_HTML401, 'UTF-8', false), $content);
 				}
@@ -415,22 +415,22 @@ 
 
 		preg_match_all('/<\s*iframe\s*[^>]+(?:\/?>?)/is', $content, $m);
 		$iframeTagList = $m[0];
-		if($iframeTagList)
+		if ($iframeTagList)
 		{
-			foreach($iframeTagList AS $key => $iframeTag)
+			foreach ($iframeTagList AS $key => $iframeTag)
 			{
 				$isWhiteDomain = TRUE;
 				$ext = '';
 
 				$parser = new HtmlParser($iframeTag);
-				while($parser->parse())
+				while ($parser->parse())
 				{
-					if(is_array($parser->iNodeAttributes))
+					if (is_array($parser->iNodeAttributes))
 					{
-						foreach($parser->iNodeAttributes AS $attrName => $attrValue)
+						foreach ($parser->iNodeAttributes AS $attrName => $attrValue)
 						{
 							// src url check
-							if(strtolower($attrName) == 'src' && $attrValue)
+							if (strtolower($attrName) == 'src' && $attrValue)
 							{
 								$ext = strtolower(substr(strrchr($attrValue, "."), 1));
 								$isWhiteDomain = $this->isWhiteIframeDomain($attrValue);
@@ -439,7 +439,7 @@ 
 					}
 				}
 
-				if(!$isWhiteDomain)
+				if (!$isWhiteDomain)
 				{
 					$content = str_replace($iframeTag, htmlspecialchars($iframeTag, ENT_COMPAT | ENT_HTML401, 'UTF-8', false), $content);
 				}
@@ -455,26 +455,26 @@ 
 	{
 		preg_match_all('/<\s*param\s*[^>]+(?:\/?>?)/is', $content, $m);
 		$paramTagList = $m[0];
-		if($paramTagList)
+		if ($paramTagList)
 		{
-			foreach($paramTagList AS $key => $paramTag)
+			foreach ($paramTagList AS $key => $paramTag)
 			{
 				$isWhiteDomain = TRUE;
 				$isWhiteExt = TRUE;
 				$ext = '';
 
 				$parser = new HtmlParser($paramTag);
-				while($parser->parse())
+				while ($parser->parse())
 				{
-					if($parser->iNodeAttributes['name'] && $parser->iNodeAttributes['value'])
+					if ($parser->iNodeAttributes['name'] && $parser->iNodeAttributes['value'])
 					{
 						$name = strtolower($parser->iNodeAttributes['name']);
-						if($name == 'movie' || $name == 'src' || $name == 'href' || $name == 'url' || $name == 'source')
+						if ($name == 'movie' || $name == 'src' || $name == 'href' || $name == 'url' || $name == 'source')
 						{
 							$ext = strtolower(substr(strrchr($parser->iNodeAttributes['value'], "."), 1));
 							$isWhiteDomain = $this->isWhiteDomain($parser->iNodeAttributes['value']);
 
-							if(!$isWhiteDomain)
+							if (!$isWhiteDomain)
 							{
 								$content = str_replace($paramTag, htmlspecialchars($paramTag, ENT_COMPAT | ENT_HTML401, 'UTF-8', false), $content);
 							}
@@ -491,11 +491,11 @@ 
 	 */
 	function isWhiteDomain($urlAttribute)
 	{
-		if(is_array($this->whiteUrlList))
+		if (is_array($this->whiteUrlList))
 		{
-			foreach($this->whiteUrlList AS $key => $value)
+			foreach ($this->whiteUrlList AS $key => $value)
 			{
-				if(preg_match('@^' . preg_quote($value) . '@i', $urlAttribute))
+				if (preg_match('@^'.preg_quote($value).'@i', $urlAttribute))
 				{
 					return TRUE;
 				}
@@ -510,11 +510,11 @@ 
 	 */
 	function isWhiteIframeDomain($urlAttribute)
 	{
-		if(is_array($this->whiteIframeUrlList))
+		if (is_array($this->whiteIframeUrlList))
 		{
-			foreach($this->whiteIframeUrlList AS $key => $value)
+			foreach ($this->whiteIframeUrlList AS $key => $value)
 			{
-				if(preg_match('@^' . preg_quote($value) . '@i', $urlAttribute))
+				if (preg_match('@^'.preg_quote($value).'@i', $urlAttribute))
 				{
 					return TRUE;
 				}
@@ -529,7 +529,7 @@ 
 	 */
 	function isWhiteMimetype($mimeType)
 	{
-		if(isset($this->mimeTypeList[$mimeType]))
+		if (isset($this->mimeTypeList[$mimeType]))
 		{
 			return TRUE;
 		}
@@ -538,7 +538,7 @@ 
 
 	function isWhiteExt($ext)
 	{
-		if(isset($this->extList[$ext]))
+		if (isset($this->extList[$ext]))
 		{
 			return TRUE;
 		}
@@ -547,26 +547,26 @@ 
 
 	function _checkAllowScriptAccess($m)
 	{
-		if($m[1] == 'object')
+		if ($m[1] == 'object')
 		{
 			$this->allowscriptaccessList[] = 1;
 		}
 
-		if($m[1] == 'param')
+		if ($m[1] == 'param')
 		{
-			if(stripos($m[0], 'allowscriptaccess'))
+			if (stripos($m[0], 'allowscriptaccess'))
 			{
 				$m[0] = '<param name="allowscriptaccess" value="never"';
-				if(substr($m[0], -1) == '/')
+				if (substr($m[0], -1) == '/')
 				{
 					$m[0] .= '/';
 				}
 				$this->allowscriptaccessList[count($this->allowscriptaccessList) - 1]--;
 			}
 		}
-		else if($m[1] == 'embed')
+		else if ($m[1] == 'embed')
 		{
-			if(stripos($m[0], 'allowscriptaccess'))
+			if (stripos($m[0], 'allowscriptaccess'))
 			{
 				$m[0] = preg_replace('/always|samedomain/i', 'never', $m[0]);
 			}
@@ -580,9 +580,9 @@ 
 
 	function _addAllowScriptAccess($m)
 	{
-		if($this->allowscriptaccessList[$this->allowscriptaccessKey] == 1)
+		if ($this->allowscriptaccessList[$this->allowscriptaccessKey] == 1)
 		{
-			$m[0] = $m[0] . '<param name="allowscriptaccess" value="never"></param>';
+			$m[0] = $m[0].'<param name="allowscriptaccess" value="never"></param>';
 		}
 		$this->allowscriptaccessKey++;
 		return $m[0];
@@ -599,31 +599,31 @@ 
 		$whiteUrlCacheFile = FileHandler::getRealPath($this->whiteUrlCacheFile);
 
 		$isMake = FALSE;
-		if(!file_exists($whiteUrlCacheFile))
+		if (!file_exists($whiteUrlCacheFile))
 		{
 			$isMake = TRUE;
 		}
-		if(file_exists($whiteUrlCacheFile) && filemtime($whiteUrlCacheFile) < filemtime($whiteUrlXmlFile))
+		if (file_exists($whiteUrlCacheFile) && filemtime($whiteUrlCacheFile) < filemtime($whiteUrlXmlFile))
 		{
 			$isMake = TRUE;
 		}
 
-		if(gettype($whitelist) == 'array' && gettype($whitelist['object']) == 'array' && gettype($whitelist['iframe']) == 'array')
+		if (gettype($whitelist) == 'array' && gettype($whitelist['object']) == 'array' && gettype($whitelist['iframe']) == 'array')
 		{
 			$isMake = FALSE;
 		}
 
-		if(isset($whitelist) && gettype($whitelist) == 'object')
+		if (isset($whitelist) && gettype($whitelist) == 'object')
 		{
 			$isMake = TRUE;
 		}
 
-		if($isMake)
+		if ($isMake)
 		{
 			$whiteUrlList = array();
 			$whiteIframeUrlList = array();
 
-			if(gettype($whitelist->object) == 'array' && gettype($whitelist->iframe) == 'array')
+			if (gettype($whitelist->object) == 'array' && gettype($whitelist->iframe) == 'array')
 			{
 				$whiteUrlList = $whitelist->object;
 				$whiteIframeUrlList = $whitelist->iframe;
@@ -636,15 +636,15 @@ 
 				$domainListObj = $xmlParser->parse($xmlBuff);
 				$embedDomainList = $domainListObj->whiteurl->embed->domain;
 				$iframeDomainList = $domainListObj->whiteurl->iframe->domain;
-				if(!is_array($embedDomainList)) $embedDomainList = array();
-				if(!is_array($iframeDomainList)) $iframeDomainList = array();
+				if (!is_array($embedDomainList)) $embedDomainList = array();
+				if (!is_array($iframeDomainList)) $iframeDomainList = array();
 
-				foreach($embedDomainList AS $key => $value)
+				foreach ($embedDomainList AS $key => $value)
 				{
 					$patternList = $value->pattern;
-					if(is_array($patternList))
+					if (is_array($patternList))
 					{
-						foreach($patternList AS $key => $value)
+						foreach ($patternList AS $key => $value)
 						{
 							$whiteUrlList[] = $value->body;
 						}
@@ -655,12 +655,12 @@ 
 					}
 				}
 
-				foreach($iframeDomainList AS $key => $value)
+				foreach ($iframeDomainList AS $key => $value)
 				{
 					$patternList = $value->pattern;
-					if(is_array($patternList))
+					if (is_array($patternList))
 					{
-						foreach($patternList AS $key => $value)
+						foreach ($patternList AS $key => $value)
 						{
 							$whiteIframeUrlList[] = $value->body;
 						}
@@ -674,12 +674,12 @@ 
 
 			$db_info = Context::getDBInfo();
 
-			if($db_info->embed_white_object)
+			if ($db_info->embed_white_object)
 			{
 				$whiteUrlList = array_merge($whiteUrlList, $db_info->embed_white_object);
 			}
 
-			if($db_info->embed_white_iframe)
+			if ($db_info->embed_white_iframe)
 			{
 				$whiteIframeUrlList = array_merge($whiteIframeUrlList, $db_info->embed_white_iframe);
 			}
@@ -691,8 +691,8 @@ 
 
 			$buff = array();
 			$buff[] = '<?php if(!defined("__XE__")) exit();';
-			$buff[] = '$whiteUrlList = ' . var_export($whiteUrlList, TRUE) . ';';
-			$buff[] = '$whiteIframeUrlList = ' . var_export($whiteIframeUrlList, TRUE) . ';';
+			$buff[] = '$whiteUrlList = '.var_export($whiteUrlList, TRUE).';';
+			$buff[] = '$whiteIframeUrlList = '.var_export($whiteIframeUrlList, TRUE).';';
 
 			FileHandler::writeFile($this->whiteUrlCacheFile, implode(PHP_EOL, $buff));
 		}

classes/security/htmlpurifier/library/HTMLPurifier/AttrDef/CSS/Length.php

Doc Comments +1 added lines

@@ -11,6 +11,7 @@
     /**
      * @param HTMLPurifier_Length $max Minimum length, or null for no bound. String is also acceptable.
      * @param HTMLPurifier_Length $max Maximum length, or null for no bound. String is also acceptable.
+     * @param string $min
      */
     public function __construct($min = null, $max = null) {
         $this->min = $min !== null ? HTMLPurifier_Length::make($min) : null;

Indentation +35 added lines, -35 removed lines

@@ -6,41 +6,41 @@
 class HTMLPurifier_AttrDef_CSS_Length extends HTMLPurifier_AttrDef
 {
 
-    protected $min, $max;
-
-    /**
-     * @param HTMLPurifier_Length $max Minimum length, or null for no bound. String is also acceptable.
-     * @param HTMLPurifier_Length $max Maximum length, or null for no bound. String is also acceptable.
-     */
-    public function __construct($min = null, $max = null) {
-        $this->min = $min !== null ? HTMLPurifier_Length::make($min) : null;
-        $this->max = $max !== null ? HTMLPurifier_Length::make($max) : null;
-    }
-
-    public function validate($string, $config, $context) {
-        $string = $this->parseCDATA($string);
-
-        // Optimizations
-        if ($string === '') return false;
-        if ($string === '0') return '0';
-        if (strlen($string) === 1) return false;
-
-        $length = HTMLPurifier_Length::make($string);
-        if (!$length->isValid()) return false;
-
-        if ($this->min) {
-            $c = $length->compareTo($this->min);
-            if ($c === false) return false;
-            if ($c < 0) return false;
-        }
-        if ($this->max) {
-            $c = $length->compareTo($this->max);
-            if ($c === false) return false;
-            if ($c > 0) return false;
-        }
-
-        return $length->toString();
-    }
+	protected $min, $max;
+
+	/**
+	 * @param HTMLPurifier_Length $max Minimum length, or null for no bound. String is also acceptable.
+	 * @param HTMLPurifier_Length $max Maximum length, or null for no bound. String is also acceptable.
+	 */
+	public function __construct($min = null, $max = null) {
+		$this->min = $min !== null ? HTMLPurifier_Length::make($min) : null;
+		$this->max = $max !== null ? HTMLPurifier_Length::make($max) : null;
+	}
+
+	public function validate($string, $config, $context) {
+		$string = $this->parseCDATA($string);
+
+		// Optimizations
+		if ($string === '') return false;
+		if ($string === '0') return '0';
+		if (strlen($string) === 1) return false;
+
+		$length = HTMLPurifier_Length::make($string);
+		if (!$length->isValid()) return false;
+
+		if ($this->min) {
+			$c = $length->compareTo($this->min);
+			if ($c === false) return false;
+			if ($c < 0) return false;
+		}
+		if ($this->max) {
+			$c = $length->compareTo($this->max);
+			if ($c === false) return false;
+			if ($c > 0) return false;
+		}
+
+		return $length->toString();
+	}
 
 }
 

Braces +24 added lines, -8 removed lines

@@ -21,22 +21,38 @@
         $string = $this->parseCDATA($string);
 
         // Optimizations
-        if ($string === '') return false;
-        if ($string === '0') return '0';
-        if (strlen($string) === 1) return false;
+        if ($string === '') {
+        	return false;
+        }
+        if ($string === '0') {
+        	return '0';
+        }
+        if (strlen($string) === 1) {
+        	return false;
+        }
 
         $length = HTMLPurifier_Length::make($string);
-        if (!$length->isValid()) return false;
+        if (!$length->isValid()) {
+        	return false;
+        }
 
         if ($this->min) {
             $c = $length->compareTo($this->min);
-            if ($c === false) return false;
-            if ($c < 0) return false;
+            if ($c === false) {
+            	return false;
+            }
+            if ($c < 0) {
+            	return false;
+            }
         }
         if ($this->max) {
             $c = $length->compareTo($this->max);
-            if ($c === false) return false;
-            if ($c > 0) return false;
+            if ($c === false) {
+            	return false;
+            }
+            if ($c > 0) {
+            	return false;
+            }
         }
 
         return $length->toString();

classes/security/htmlpurifier/library/HTMLPurifier/AttrDef/URI/IPv6.php

Doc Comments +3 added lines

@@ -9,6 +9,9 @@
 class HTMLPurifier_AttrDef_URI_IPv6 extends HTMLPurifier_AttrDef_URI_IPv4
 {
 
+    /**
+     * @param string $aIP
+     */
     public function validate($aIP, $config, $context) {
 
         if (!$this->ip4) $this->_loadRegex();

Indentation +84 added lines, -84 removed lines

@@ -9,90 +9,90 @@
 class HTMLPurifier_AttrDef_URI_IPv6 extends HTMLPurifier_AttrDef_URI_IPv4
 {
 
-    public function validate($aIP, $config, $context) {
-
-        if (!$this->ip4) $this->_loadRegex();
-
-        $original = $aIP;
-
-        $hex = '[0-9a-fA-F]';
-        $blk = '(?:' . $hex . '{1,4})';
-        $pre = '(?:/(?:12[0-8]|1[0-1][0-9]|[1-9][0-9]|[0-9]))';   // /0 - /128
-
-        //      prefix check
-        if (strpos($aIP, '/') !== false)
-        {
-                if (preg_match('#' . $pre . '$#s', $aIP, $find))
-                {
-                        $aIP = substr($aIP, 0, 0-strlen($find[0]));
-                        unset($find);
-                }
-                else
-                {
-                        return false;
-                }
-        }
-
-        //      IPv4-compatiblity check
-        if (preg_match('#(?<=:'.')' . $this->ip4 . '$#s', $aIP, $find))
-        {
-                $aIP = substr($aIP, 0, 0-strlen($find[0]));
-                $ip = explode('.', $find[0]);
-                $ip = array_map('dechex', $ip);
-                $aIP .= $ip[0] . $ip[1] . ':' . $ip[2] . $ip[3];
-                unset($find, $ip);
-        }
-
-        //      compression check
-        $aIP = explode('::', $aIP);
-        $c = count($aIP);
-        if ($c > 2)
-        {
-                return false;
-        }
-        elseif ($c == 2)
-        {
-                list($first, $second) = $aIP;
-                $first = explode(':', $first);
-                $second = explode(':', $second);
-
-                if (count($first) + count($second) > 8)
-                {
-                        return false;
-                }
-
-                while(count($first) < 8)
-                {
-                        array_push($first, '0');
-                }
-
-                array_splice($first, 8 - count($second), 8, $second);
-                $aIP = $first;
-                unset($first,$second);
-        }
-        else
-        {
-                $aIP = explode(':', $aIP[0]);
-        }
-        $c = count($aIP);
-
-        if ($c != 8)
-        {
-                return false;
-        }
-
-        //      All the pieces should be 16-bit hex strings. Are they?
-        foreach ($aIP as $piece)
-        {
-                if (!preg_match('#^[0-9a-fA-F]{4}$#s', sprintf('%04s', $piece)))
-                {
-                        return false;
-                }
-        }
-
-        return $original;
-
-    }
+	public function validate($aIP, $config, $context) {
+
+		if (!$this->ip4) $this->_loadRegex();
+
+		$original = $aIP;
+
+		$hex = '[0-9a-fA-F]';
+		$blk = '(?:' . $hex . '{1,4})';
+		$pre = '(?:/(?:12[0-8]|1[0-1][0-9]|[1-9][0-9]|[0-9]))';   // /0 - /128
+
+		//      prefix check
+		if (strpos($aIP, '/') !== false)
+		{
+				if (preg_match('#' . $pre . '$#s', $aIP, $find))
+				{
+						$aIP = substr($aIP, 0, 0-strlen($find[0]));
+						unset($find);
+				}
+				else
+				{
+						return false;
+				}
+		}
+
+		//      IPv4-compatiblity check
+		if (preg_match('#(?<=:'.')' . $this->ip4 . '$#s', $aIP, $find))
+		{
+				$aIP = substr($aIP, 0, 0-strlen($find[0]));
+				$ip = explode('.', $find[0]);
+				$ip = array_map('dechex', $ip);
+				$aIP .= $ip[0] . $ip[1] . ':' . $ip[2] . $ip[3];
+				unset($find, $ip);
+		}
+
+		//      compression check
+		$aIP = explode('::', $aIP);
+		$c = count($aIP);
+		if ($c > 2)
+		{
+				return false;
+		}
+		elseif ($c == 2)
+		{
+				list($first, $second) = $aIP;
+				$first = explode(':', $first);
+				$second = explode(':', $second);
+
+				if (count($first) + count($second) > 8)
+				{
+						return false;
+				}
+
+				while(count($first) < 8)
+				{
+						array_push($first, '0');
+				}
+
+				array_splice($first, 8 - count($second), 8, $second);
+				$aIP = $first;
+				unset($first,$second);
+		}
+		else
+		{
+				$aIP = explode(':', $aIP[0]);
+		}
+		$c = count($aIP);
+
+		if ($c != 8)
+		{
+				return false;
+		}
+
+		//      All the pieces should be 16-bit hex strings. Are they?
+		foreach ($aIP as $piece)
+		{
+				if (!preg_match('#^[0-9a-fA-F]{4}$#s', sprintf('%04s', $piece)))
+				{
+						return false;
+				}
+		}
+
+		return $original;
+
+	}
 
 }
 

Braces +6 added lines, -7 removed lines

@@ -11,7 +11,9 @@ 
 
     public function validate($aIP, $config, $context) {
 
-        if (!$this->ip4) $this->_loadRegex();
+        if (!$this->ip4) {
+        	$this->_loadRegex();
+        }
 
         $original = $aIP;
 
@@ -26,8 +28,7 @@ 
                 {
                         $aIP = substr($aIP, 0, 0-strlen($find[0]));
                         unset($find);
-                }
-                else
+                } else
                 {
                         return false;
                 }
@@ -49,8 +50,7 @@ 
         if ($c > 2)
         {
                 return false;
-        }
-        elseif ($c == 2)
+        } elseif ($c == 2)
         {
                 list($first, $second) = $aIP;
                 $first = explode(':', $first);
@@ -69,8 +69,7 @@ 
                 array_splice($first, 8 - count($second), 8, $second);
                 $aIP = $first;
                 unset($first,$second);
-        }
-        else
+        } else
         {
                 $aIP = explode(':', $aIP[0]);
         }

Spacing +9 added lines, -9 removed lines

@@ -16,15 +16,15 @@ 
         $original = $aIP;
 
         $hex = '[0-9a-fA-F]';
-        $blk = '(?:' . $hex . '{1,4})';
-        $pre = '(?:/(?:12[0-8]|1[0-1][0-9]|[1-9][0-9]|[0-9]))';   // /0 - /128
+        $blk = '(?:'.$hex.'{1,4})';
+        $pre = '(?:/(?:12[0-8]|1[0-1][0-9]|[1-9][0-9]|[0-9]))'; // /0 - /128
 
         //      prefix check
         if (strpos($aIP, '/') !== false)
         {
-                if (preg_match('#' . $pre . '$#s', $aIP, $find))
+                if (preg_match('#'.$pre.'$#s', $aIP, $find))
                 {
-                        $aIP = substr($aIP, 0, 0-strlen($find[0]));
+                        $aIP = substr($aIP, 0, 0 - strlen($find[0]));
                         unset($find);
                 }
                 else
@@ -34,12 +34,12 @@ 
         }
 
         //      IPv4-compatiblity check
-        if (preg_match('#(?<=:'.')' . $this->ip4 . '$#s', $aIP, $find))
+        if (preg_match('#(?<=:'.')'.$this->ip4.'$#s', $aIP, $find))
         {
-                $aIP = substr($aIP, 0, 0-strlen($find[0]));
+                $aIP = substr($aIP, 0, 0 - strlen($find[0]));
                 $ip = explode('.', $find[0]);
                 $ip = array_map('dechex', $ip);
-                $aIP .= $ip[0] . $ip[1] . ':' . $ip[2] . $ip[3];
+                $aIP .= $ip[0].$ip[1].':'.$ip[2].$ip[3];
                 unset($find, $ip);
         }
 
@@ -61,14 +61,14 @@ 
                         return false;
                 }
 
-                while(count($first) < 8)
+                while (count($first) < 8)
                 {
                         array_push($first, '0');
                 }
 
                 array_splice($first, 8 - count($second), 8, $second);
                 $aIP = $first;
-                unset($first,$second);
+                unset($first, $second);
         }
         else
         {

classes/security/htmlpurifier/library/HTMLPurifier/Config.php

Doc Comments +8 added lines, -7 removed lines

@@ -89,6 +89,7 @@ 
     /**
      * @param $definition HTMLPurifier_ConfigSchema that defines what directives
      *                    are allowed.
+     * @param HTMLPurifier_PropertyList $parent
      */
     public function __construct($definition, $parent = null) {
         $parent = $parent ? $parent : $definition->defaultPlist;
@@ -104,7 +105,7 @@ 
      *                      an array of directives based on loadArray(),
      *                      or a string filename of an ini file.
      * @param HTMLPurifier_ConfigSchema Schema object
-     * @return Configured HTMLPurifier_Config object
+     * @return HTMLPurifier_Config HTMLPurifier_Config object
      */
     public static function create($config, $schema = null) {
         if ($config instanceof HTMLPurifier_Config) {
@@ -133,7 +134,7 @@ 
 
     /**
      * Convenience constructor that creates a default configuration object.
-     * @return Default HTMLPurifier_Config object.
+     * @return HTMLPurifier_Config HTMLPurifier_Config object.
      */
     public static function createDefault() {
         $definition = HTMLPurifier_ConfigSchema::instance();
@@ -143,7 +144,7 @@ 
 
     /**
      * Retreives a value from the configuration.
-     * @param $key String key
+     * @param string $key String key
      */
     public function get($key, $a = null) {
         if ($a !== null) {
@@ -231,7 +232,7 @@ 
 
     /**
      * Sets a value to configuration.
-     * @param $key String key
+     * @param string $key String key
      * @param $value Mixed value
      */
     public function set($key, $value, $a = null) {
@@ -543,7 +544,7 @@ 
      * Returns a list of array(namespace, directive) for all directives
      * that are allowed in a web-form context as per an allowed
      * namespaces/directives list.
-     * @param $allowed List of allowed namespaces/directives
+     * @param boolean $allowed List of allowed namespaces/directives
      */
     public static function getAllowedDirectivesForForm($allowed, $schema = null) {
         if (!$schema) {
@@ -585,7 +586,6 @@ 
     /**
      * Loads configuration values from $_GET/$_POST that were posted
      * via ConfigForm
-     * @param $array $_GET or $_POST array to import
      * @param $index Index/name that the config variables are in
      * @param $allowed List of allowed namespaces/directives
      * @param $mq_fix Boolean whether or not to enable magic quotes fix
@@ -632,7 +632,7 @@ 
 
     /**
      * Loads configuration values from an ini file
-     * @param $filename Name of ini file
+     * @param string $filename Name of ini file
      */
     public function loadIni($filename) {
         if ($this->isFinalized('Cannot load directives after finalization')) return;
@@ -674,6 +674,7 @@ 
     /**
      * Produces a nicely formatted error message by supplying the
      * stack frame information OUTSIDE of HTMLPurifier_Config.
+     * @param integer $no
      */
     protected function triggerError($msg, $no) {
         // determine previous stack frame

Indentation +686 added lines, -686 removed lines

@@ -17,692 +17,692 @@
 class HTMLPurifier_Config
 {
 
-    /**
-     * HTML Purifier's version
-     */
-    public $version = '4.4.0';
-
-    /**
-     * Bool indicator whether or not to automatically finalize
-     * the object if a read operation is done
-     */
-    public $autoFinalize = true;
-
-    // protected member variables
-
-    /**
-     * Namespace indexed array of serials for specific namespaces (see
-     * getSerial() for more info).
-     */
-    protected $serials = array();
-
-    /**
-     * Serial for entire configuration object
-     */
-    protected $serial;
-
-    /**
-     * Parser for variables
-     */
-    protected $parser = null;
-
-    /**
-     * Reference HTMLPurifier_ConfigSchema for value checking
-     * @note This is public for introspective purposes. Please don't
-     *       abuse!
-     */
-    public $def;
-
-    /**
-     * Indexed array of definitions
-     */
-    protected $definitions;
-
-    /**
-     * Bool indicator whether or not config is finalized
-     */
-    protected $finalized = false;
-
-    /**
-     * Property list containing configuration directives.
-     */
-    protected $plist;
-
-    /**
-     * Whether or not a set is taking place due to an
-     * alias lookup.
-     */
-    private $aliasMode;
-
-    /**
-     * Set to false if you do not want line and file numbers in errors
-     * (useful when unit testing).  This will also compress some errors
-     * and exceptions.
-     */
-    public $chatty = true;
-
-    /**
-     * Current lock; only gets to this namespace are allowed.
-     */
-    private $lock;
-
-    /**
-     * @param $definition HTMLPurifier_ConfigSchema that defines what directives
-     *                    are allowed.
-     */
-    public function __construct($definition, $parent = null) {
-        $parent = $parent ? $parent : $definition->defaultPlist;
-        $this->plist = new HTMLPurifier_PropertyList($parent);
-        $this->def = $definition; // keep a copy around for checking
-        $this->parser = new HTMLPurifier_VarParser_Flexible();
-    }
-
-    /**
-     * Convenience constructor that creates a config object based on a mixed var
-     * @param mixed $config Variable that defines the state of the config
-     *                      object. Can be: a HTMLPurifier_Config() object,
-     *                      an array of directives based on loadArray(),
-     *                      or a string filename of an ini file.
-     * @param HTMLPurifier_ConfigSchema Schema object
-     * @return Configured HTMLPurifier_Config object
-     */
-    public static function create($config, $schema = null) {
-        if ($config instanceof HTMLPurifier_Config) {
-            // pass-through
-            return $config;
-        }
-        if (!$schema) {
-            $ret = HTMLPurifier_Config::createDefault();
-        } else {
-            $ret = new HTMLPurifier_Config($schema);
-        }
-        if (is_string($config)) $ret->loadIni($config);
-        elseif (is_array($config)) $ret->loadArray($config);
-        return $ret;
-    }
-
-    /**
-     * Creates a new config object that inherits from a previous one.
-     * @param HTMLPurifier_Config $config Configuration object to inherit
-     *        from.
-     * @return HTMLPurifier_Config object with $config as its parent.
-     */
-    public static function inherit(HTMLPurifier_Config $config) {
-        return new HTMLPurifier_Config($config->def, $config->plist);
-    }
-
-    /**
-     * Convenience constructor that creates a default configuration object.
-     * @return Default HTMLPurifier_Config object.
-     */
-    public static function createDefault() {
-        $definition = HTMLPurifier_ConfigSchema::instance();
-        $config = new HTMLPurifier_Config($definition);
-        return $config;
-    }
-
-    /**
-     * Retreives a value from the configuration.
-     * @param $key String key
-     */
-    public function get($key, $a = null) {
-        if ($a !== null) {
-            $this->triggerError("Using deprecated API: use \$config->get('$key.$a') instead", E_USER_WARNING);
-            $key = "$key.$a";
-        }
-        if (!$this->finalized) $this->autoFinalize();
-        if (!isset($this->def->info[$key])) {
-            // can't add % due to SimpleTest bug
-            $this->triggerError('Cannot retrieve value of undefined directive ' . htmlspecialchars($key, ENT_COMPAT | ENT_HTML401, 'UTF-8', false),
-                E_USER_WARNING);
-            return;
-        }
-        if (isset($this->def->info[$key]->isAlias)) {
-            $d = $this->def->info[$key];
-            $this->triggerError('Cannot get value from aliased directive, use real name ' . $d->key,
-                E_USER_ERROR);
-            return;
-        }
-        if ($this->lock) {
-            list($ns) = explode('.', $key);
-            if ($ns !== $this->lock) {
-                $this->triggerError('Cannot get value of namespace ' . $ns . ' when lock for ' . $this->lock . ' is active, this probably indicates a Definition setup method is accessing directives that are not within its namespace', E_USER_ERROR);
-                return;
-            }
-        }
-        return $this->plist->get($key);
-    }
-
-    /**
-     * Retreives an array of directives to values from a given namespace
-     * @param $namespace String namespace
-     */
-    public function getBatch($namespace) {
-        if (!$this->finalized) $this->autoFinalize();
-        $full = $this->getAll();
-        if (!isset($full[$namespace])) {
-            $this->triggerError('Cannot retrieve undefined namespace ' . htmlspecialchars($namespace, ENT_COMPAT | ENT_HTML401, 'UTF-8', false),
-                E_USER_WARNING);
-            return;
-        }
-        return $full[$namespace];
-    }
-
-    /**
-     * Returns a md5 signature of a segment of the configuration object
-     * that uniquely identifies that particular configuration
-     * @note Revision is handled specially and is removed from the batch
-     *       before processing!
-     * @param $namespace Namespace to get serial for
-     */
-    public function getBatchSerial($namespace) {
-        if (empty($this->serials[$namespace])) {
-            $batch = $this->getBatch($namespace);
-            unset($batch['DefinitionRev']);
-            $this->serials[$namespace] = md5(serialize($batch));
-        }
-        return $this->serials[$namespace];
-    }
-
-    /**
-     * Returns a md5 signature for the entire configuration object
-     * that uniquely identifies that particular configuration
-     */
-    public function getSerial() {
-        if (empty($this->serial)) {
-            $this->serial = md5(serialize($this->getAll()));
-        }
-        return $this->serial;
-    }
-
-    /**
-     * Retrieves all directives, organized by namespace
-     * @warning This is a pretty inefficient function, avoid if you can
-     */
-    public function getAll() {
-        if (!$this->finalized) $this->autoFinalize();
-        $ret = array();
-        foreach ($this->plist->squash() as $name => $value) {
-            list($ns, $key) = explode('.', $name, 2);
-            $ret[$ns][$key] = $value;
-        }
-        return $ret;
-    }
-
-    /**
-     * Sets a value to configuration.
-     * @param $key String key
-     * @param $value Mixed value
-     */
-    public function set($key, $value, $a = null) {
-        if (strpos($key, '.') === false) {
-            $namespace = $key;
-            $directive = $value;
-            $value = $a;
-            $key = "$key.$directive";
-            $this->triggerError("Using deprecated API: use \$config->set('$key', ...) instead", E_USER_NOTICE);
-        } else {
-            list($namespace) = explode('.', $key);
-        }
-        if ($this->isFinalized('Cannot set directive after finalization')) return;
-        if (!isset($this->def->info[$key])) {
-            $this->triggerError('Cannot set undefined directive ' . htmlspecialchars($key, ENT_COMPAT | ENT_HTML401, 'UTF-8', false) . ' to value',
-                E_USER_WARNING);
-            return;
-        }
-        $def = $this->def->info[$key];
-
-        if (isset($def->isAlias)) {
-            if ($this->aliasMode) {
-                $this->triggerError('Double-aliases not allowed, please fix '.
-                    'ConfigSchema bug with' . $key, E_USER_ERROR);
-                return;
-            }
-            $this->aliasMode = true;
-            $this->set($def->key, $value);
-            $this->aliasMode = false;
-            $this->triggerError("$key is an alias, preferred directive name is {$def->key}", E_USER_NOTICE);
-            return;
-        }
-
-        // Raw type might be negative when using the fully optimized form
-        // of stdclass, which indicates allow_null == true
-        $rtype = is_int($def) ? $def : $def->type;
-        if ($rtype < 0) {
-            $type = -$rtype;
-            $allow_null = true;
-        } else {
-            $type = $rtype;
-            $allow_null = isset($def->allow_null);
-        }
-
-        try {
-            $value = $this->parser->parse($value, $type, $allow_null);
-        } catch (HTMLPurifier_VarParserException $e) {
-            $this->triggerError('Value for ' . $key . ' is of invalid type, should be ' . HTMLPurifier_VarParser::getTypeName($type), E_USER_WARNING);
-            return;
-        }
-        if (is_string($value) && is_object($def)) {
-            // resolve value alias if defined
-            if (isset($def->aliases[$value])) {
-                $value = $def->aliases[$value];
-            }
-            // check to see if the value is allowed
-            if (isset($def->allowed) && !isset($def->allowed[$value])) {
-                $this->triggerError('Value not supported, valid values are: ' .
-                    $this->_listify($def->allowed), E_USER_WARNING);
-                return;
-            }
-        }
-        $this->plist->set($key, $value);
-
-        // reset definitions if the directives they depend on changed
-        // this is a very costly process, so it's discouraged
-        // with finalization
-        if ($namespace == 'HTML' || $namespace == 'CSS' || $namespace == 'URI') {
-            $this->definitions[$namespace] = null;
-        }
-
-        $this->serials[$namespace] = false;
-    }
-
-    /**
-     * Convenience function for error reporting
-     */
-    private function _listify($lookup) {
-        $list = array();
-        foreach ($lookup as $name => $b) $list[] = $name;
-        return implode(', ', $list);
-    }
-
-    /**
-     * Retrieves object reference to the HTML definition.
-     * @param $raw Return a copy that has not been setup yet. Must be
-     *             called before it's been setup, otherwise won't work.
-     * @param $optimized If true, this method may return null, to
-     *             indicate that a cached version of the modified
-     *             definition object is available and no further edits
-     *             are necessary.  Consider using
-     *             maybeGetRawHTMLDefinition, which is more explicitly
-     *             named, instead.
-     */
-    public function getHTMLDefinition($raw = false, $optimized = false) {
-        return $this->getDefinition('HTML', $raw, $optimized);
-    }
-
-    /**
-     * Retrieves object reference to the CSS definition
-     * @param $raw Return a copy that has not been setup yet. Must be
-     *             called before it's been setup, otherwise won't work.
-     * @param $optimized If true, this method may return null, to
-     *             indicate that a cached version of the modified
-     *             definition object is available and no further edits
-     *             are necessary.  Consider using
-     *             maybeGetRawCSSDefinition, which is more explicitly
-     *             named, instead.
-     */
-    public function getCSSDefinition($raw = false, $optimized = false) {
-        return $this->getDefinition('CSS', $raw, $optimized);
-    }
-
-    /**
-     * Retrieves object reference to the URI definition
-     * @param $raw Return a copy that has not been setup yet. Must be
-     *             called before it's been setup, otherwise won't work.
-     * @param $optimized If true, this method may return null, to
-     *             indicate that a cached version of the modified
-     *             definition object is available and no further edits
-     *             are necessary.  Consider using
-     *             maybeGetRawURIDefinition, which is more explicitly
-     *             named, instead.
-     */
-    public function getURIDefinition($raw = false, $optimized = false) {
-        return $this->getDefinition('URI', $raw, $optimized);
-    }
-
-    /**
-     * Retrieves a definition
-     * @param $type Type of definition: HTML, CSS, etc
-     * @param $raw  Whether or not definition should be returned raw
-     * @param $optimized Only has an effect when $raw is true.  Whether
-     *        or not to return null if the result is already present in
-     *        the cache.  This is off by default for backwards
-     *        compatibility reasons, but you need to do things this
-     *        way in order to ensure that caching is done properly.
-     *        Check out enduser-customize.html for more details.
-     *        We probably won't ever change this default, as much as the
-     *        maybe semantics is the "right thing to do."
-     */
-    public function getDefinition($type, $raw = false, $optimized = false) {
-        if ($optimized && !$raw) {
-            throw new HTMLPurifier_Exception("Cannot set optimized = true when raw = false");
-        }
-        if (!$this->finalized) $this->autoFinalize();
-        // temporarily suspend locks, so we can handle recursive definition calls
-        $lock = $this->lock;
-        $this->lock = null;
-        $factory = HTMLPurifier_DefinitionCacheFactory::instance();
-        $cache = $factory->create($type, $this);
-        $this->lock = $lock;
-        if (!$raw) {
-            // full definition
-            // ---------------
-            // check if definition is in memory
-            if (!empty($this->definitions[$type])) {
-                $def = $this->definitions[$type];
-                // check if the definition is setup
-                if ($def->setup) {
-                    return $def;
-                } else {
-                    $def->setup($this);
-                    if ($def->optimized) $cache->add($def, $this);
-                    return $def;
-                }
-            }
-            // check if definition is in cache
-            $def = $cache->get($this);
-            if ($def) {
-                // definition in cache, save to memory and return it
-                $this->definitions[$type] = $def;
-                return $def;
-            }
-            // initialize it
-            $def = $this->initDefinition($type);
-            // set it up
-            $this->lock = $type;
-            $def->setup($this);
-            $this->lock = null;
-            // save in cache
-            $cache->add($def, $this);
-            // return it
-            return $def;
-        } else {
-            // raw definition
-            // --------------
-            // check preconditions
-            $def = null;
-            if ($optimized) {
-                if (is_null($this->get($type . '.DefinitionID'))) {
-                    // fatally error out if definition ID not set
-                    throw new HTMLPurifier_Exception("Cannot retrieve raw version without specifying %$type.DefinitionID");
-                }
-            }
-            if (!empty($this->definitions[$type])) {
-                $def = $this->definitions[$type];
-                if ($def->setup && !$optimized) {
-                    $extra = $this->chatty ? " (try moving this code block earlier in your initialization)" : "";
-                    throw new HTMLPurifier_Exception("Cannot retrieve raw definition after it has already been setup" . $extra);
-                }
-                if ($def->optimized === null) {
-                    $extra = $this->chatty ? " (try flushing your cache)" : "";
-                    throw new HTMLPurifier_Exception("Optimization status of definition is unknown" . $extra);
-                }
-                if ($def->optimized !== $optimized) {
-                    $msg = $optimized ? "optimized" : "unoptimized";
-                    $extra = $this->chatty ? " (this backtrace is for the first inconsistent call, which was for a $msg raw definition)" : "";
-                    throw new HTMLPurifier_Exception("Inconsistent use of optimized and unoptimized raw definition retrievals" . $extra);
-                }
-            }
-            // check if definition was in memory
-            if ($def) {
-                if ($def->setup) {
-                    // invariant: $optimized === true (checked above)
-                    return null;
-                } else {
-                    return $def;
-                }
-            }
-            // if optimized, check if definition was in cache
-            // (because we do the memory check first, this formulation
-            // is prone to cache slamming, but I think
-            // guaranteeing that either /all/ of the raw
-            // setup code or /none/ of it is run is more important.)
-            if ($optimized) {
-                // This code path only gets run once; once we put
-                // something in $definitions (which is guaranteed by the
-                // trailing code), we always short-circuit above.
-                $def = $cache->get($this);
-                if ($def) {
-                    // save the full definition for later, but don't
-                    // return it yet
-                    $this->definitions[$type] = $def;
-                    return null;
-                }
-            }
-            // check invariants for creation
-            if (!$optimized) {
-                if (!is_null($this->get($type . '.DefinitionID'))) {
-                    if ($this->chatty) {
-                        $this->triggerError("Due to a documentation error in previous version of HTML Purifier, your definitions are not being cached.  If this is OK, you can remove the %$type.DefinitionRev and %$type.DefinitionID declaration.  Otherwise, modify your code to use maybeGetRawDefinition, and test if the returned value is null before making any edits (if it is null, that means that a cached version is available, and no raw operations are necessary).  See <a href='http://htmlpurifier.org/docs/enduser-customize.html#optimized'>Customize</a> for more details", E_USER_WARNING);
-                    } else {
-                        $this->triggerError("Useless DefinitionID declaration", E_USER_WARNING);
-                    }
-                }
-            }
-            // initialize it
-            $def = $this->initDefinition($type);
-            $def->optimized = $optimized;
-            return $def;
-        }
-        throw new HTMLPurifier_Exception("The impossible happened!");
-    }
-
-    private function initDefinition($type) {
-        // quick checks failed, let's create the object
-        if ($type == 'HTML') {
-            $def = new HTMLPurifier_HTMLDefinition();
-        } elseif ($type == 'CSS') {
-            $def = new HTMLPurifier_CSSDefinition();
-        } elseif ($type == 'URI') {
-            $def = new HTMLPurifier_URIDefinition();
-        } else {
-            throw new HTMLPurifier_Exception("Definition of $type type not supported");
-        }
-        $this->definitions[$type] = $def;
-        return $def;
-    }
-
-    public function maybeGetRawDefinition($name) {
-        return $this->getDefinition($name, true, true);
-    }
-
-    public function maybeGetRawHTMLDefinition() {
-        return $this->getDefinition('HTML', true, true);
-    }
-
-    public function maybeGetRawCSSDefinition() {
-        return $this->getDefinition('CSS', true, true);
-    }
-
-    public function maybeGetRawURIDefinition() {
-        return $this->getDefinition('URI', true, true);
-    }
-
-    /**
-     * Loads configuration values from an array with the following structure:
-     * Namespace.Directive => Value
-     * @param $config_array Configuration associative array
-     */
-    public function loadArray($config_array) {
-        if ($this->isFinalized('Cannot load directives after finalization')) return;
-        foreach ($config_array as $key => $value) {
-            $key = str_replace('_', '.', $key);
-            if (strpos($key, '.') !== false) {
-                $this->set($key, $value);
-            } else {
-                $namespace = $key;
-                $namespace_values = $value;
-                foreach ($namespace_values as $directive => $value) {
-                    $this->set($namespace .'.'. $directive, $value);
-                }
-            }
-        }
-    }
-
-    /**
-     * Returns a list of array(namespace, directive) for all directives
-     * that are allowed in a web-form context as per an allowed
-     * namespaces/directives list.
-     * @param $allowed List of allowed namespaces/directives
-     */
-    public static function getAllowedDirectivesForForm($allowed, $schema = null) {
-        if (!$schema) {
-            $schema = HTMLPurifier_ConfigSchema::instance();
-        }
-        if ($allowed !== true) {
-             if (is_string($allowed)) $allowed = array($allowed);
-             $allowed_ns = array();
-             $allowed_directives = array();
-             $blacklisted_directives = array();
-             foreach ($allowed as $ns_or_directive) {
-                 if (strpos($ns_or_directive, '.') !== false) {
-                     // directive
-                     if ($ns_or_directive[0] == '-') {
-                         $blacklisted_directives[substr($ns_or_directive, 1)] = true;
-                     } else {
-                         $allowed_directives[$ns_or_directive] = true;
-                     }
-                 } else {
-                     // namespace
-                     $allowed_ns[$ns_or_directive] = true;
-                 }
-             }
-        }
-        $ret = array();
-        foreach ($schema->info as $key => $def) {
-            list($ns, $directive) = explode('.', $key, 2);
-            if ($allowed !== true) {
-                if (isset($blacklisted_directives["$ns.$directive"])) continue;
-                if (!isset($allowed_directives["$ns.$directive"]) && !isset($allowed_ns[$ns])) continue;
-            }
-            if (isset($def->isAlias)) continue;
-            if ($directive == 'DefinitionID' || $directive == 'DefinitionRev') continue;
-            $ret[] = array($ns, $directive);
-        }
-        return $ret;
-    }
-
-    /**
-     * Loads configuration values from $_GET/$_POST that were posted
-     * via ConfigForm
-     * @param $array $_GET or $_POST array to import
-     * @param $index Index/name that the config variables are in
-     * @param $allowed List of allowed namespaces/directives
-     * @param $mq_fix Boolean whether or not to enable magic quotes fix
-     * @param $schema Instance of HTMLPurifier_ConfigSchema to use, if not global copy
-     */
-    public static function loadArrayFromForm($array, $index = false, $allowed = true, $mq_fix = true, $schema = null) {
-        $ret = HTMLPurifier_Config::prepareArrayFromForm($array, $index, $allowed, $mq_fix, $schema);
-        $config = HTMLPurifier_Config::create($ret, $schema);
-        return $config;
-    }
-
-    /**
-     * Merges in configuration values from $_GET/$_POST to object. NOT STATIC.
-     * @note Same parameters as loadArrayFromForm
-     */
-    public function mergeArrayFromForm($array, $index = false, $allowed = true, $mq_fix = true) {
-         $ret = HTMLPurifier_Config::prepareArrayFromForm($array, $index, $allowed, $mq_fix, $this->def);
-         $this->loadArray($ret);
-    }
-
-    /**
-     * Prepares an array from a form into something usable for the more
-     * strict parts of HTMLPurifier_Config
-     */
-    public static function prepareArrayFromForm($array, $index = false, $allowed = true, $mq_fix = true, $schema = null) {
-        if ($index !== false) $array = (isset($array[$index]) && is_array($array[$index])) ? $array[$index] : array();
-        $mq = $mq_fix && function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
-
-        $allowed = HTMLPurifier_Config::getAllowedDirectivesForForm($allowed, $schema);
-        $ret = array();
-        foreach ($allowed as $key) {
-            list($ns, $directive) = $key;
-            $skey = "$ns.$directive";
-            if (!empty($array["Null_$skey"])) {
-                $ret[$ns][$directive] = null;
-                continue;
-            }
-            if (!isset($array[$skey])) continue;
-            $value = $mq ? stripslashes($array[$skey]) : $array[$skey];
-            $ret[$ns][$directive] = $value;
-        }
-        return $ret;
-    }
-
-    /**
-     * Loads configuration values from an ini file
-     * @param $filename Name of ini file
-     */
-    public function loadIni($filename) {
-        if ($this->isFinalized('Cannot load directives after finalization')) return;
-        $array = parse_ini_file($filename, true);
-        $this->loadArray($array);
-    }
-
-    /**
-     * Checks whether or not the configuration object is finalized.
-     * @param $error String error message, or false for no error
-     */
-    public function isFinalized($error = false) {
-        if ($this->finalized && $error) {
-            $this->triggerError($error, E_USER_ERROR);
-        }
-        return $this->finalized;
-    }
-
-    /**
-     * Finalizes configuration only if auto finalize is on and not
-     * already finalized
-     */
-    public function autoFinalize() {
-        if ($this->autoFinalize) {
-            $this->finalize();
-        } else {
-            $this->plist->squash(true);
-        }
-    }
-
-    /**
-     * Finalizes a configuration object, prohibiting further change
-     */
-    public function finalize() {
-        $this->finalized = true;
-        $this->parser = null;
-    }
-
-    /**
-     * Produces a nicely formatted error message by supplying the
-     * stack frame information OUTSIDE of HTMLPurifier_Config.
-     */
-    protected function triggerError($msg, $no) {
-        // determine previous stack frame
-        $extra = '';
-        if ($this->chatty) {
-            $trace = debug_backtrace();
-            // zip(tail(trace), trace) -- but PHP is not Haskell har har
-            for ($i = 0, $c = count($trace); $i < $c - 1; $i++) {
-                if ($trace[$i + 1]['class'] === 'HTMLPurifier_Config') {
-                    continue;
-                }
-                $frame = $trace[$i];
-                $extra = " invoked on line {$frame['line']} in file {$frame['file']}";
-                break;
-            }
-        }
-        trigger_error($msg . $extra, $no);
-    }
-
-    /**
-     * Returns a serialized form of the configuration object that can
-     * be reconstituted.
-     */
-    public function serialize() {
-        $this->getDefinition('HTML');
-        $this->getDefinition('CSS');
-        $this->getDefinition('URI');
-        return serialize($this);
-    }
+	/**
+	 * HTML Purifier's version
+	 */
+	public $version = '4.4.0';
+
+	/**
+	 * Bool indicator whether or not to automatically finalize
+	 * the object if a read operation is done
+	 */
+	public $autoFinalize = true;
+
+	// protected member variables
+
+	/**
+	 * Namespace indexed array of serials for specific namespaces (see
+	 * getSerial() for more info).
+	 */
+	protected $serials = array();
+
+	/**
+	 * Serial for entire configuration object
+	 */
+	protected $serial;
+
+	/**
+	 * Parser for variables
+	 */
+	protected $parser = null;
+
+	/**
+	 * Reference HTMLPurifier_ConfigSchema for value checking
+	 * @note This is public for introspective purposes. Please don't
+	 *       abuse!
+	 */
+	public $def;
+
+	/**
+	 * Indexed array of definitions
+	 */
+	protected $definitions;
+
+	/**
+	 * Bool indicator whether or not config is finalized
+	 */
+	protected $finalized = false;
+
+	/**
+	 * Property list containing configuration directives.
+	 */
+	protected $plist;
+
+	/**
+	 * Whether or not a set is taking place due to an
+	 * alias lookup.
+	 */
+	private $aliasMode;
+
+	/**
+	 * Set to false if you do not want line and file numbers in errors
+	 * (useful when unit testing).  This will also compress some errors
+	 * and exceptions.
+	 */
+	public $chatty = true;
+
+	/**
+	 * Current lock; only gets to this namespace are allowed.
+	 */
+	private $lock;
+
+	/**
+	 * @param $definition HTMLPurifier_ConfigSchema that defines what directives
+	 *                    are allowed.
+	 */
+	public function __construct($definition, $parent = null) {
+		$parent = $parent ? $parent : $definition->defaultPlist;
+		$this->plist = new HTMLPurifier_PropertyList($parent);
+		$this->def = $definition; // keep a copy around for checking
+		$this->parser = new HTMLPurifier_VarParser_Flexible();
+	}
+
+	/**
+	 * Convenience constructor that creates a config object based on a mixed var
+	 * @param mixed $config Variable that defines the state of the config
+	 *                      object. Can be: a HTMLPurifier_Config() object,
+	 *                      an array of directives based on loadArray(),
+	 *                      or a string filename of an ini file.
+	 * @param HTMLPurifier_ConfigSchema Schema object
+	 * @return Configured HTMLPurifier_Config object
+	 */
+	public static function create($config, $schema = null) {
+		if ($config instanceof HTMLPurifier_Config) {
+			// pass-through
+			return $config;
+		}
+		if (!$schema) {
+			$ret = HTMLPurifier_Config::createDefault();
+		} else {
+			$ret = new HTMLPurifier_Config($schema);
+		}
+		if (is_string($config)) $ret->loadIni($config);
+		elseif (is_array($config)) $ret->loadArray($config);
+		return $ret;
+	}
+
+	/**
+	 * Creates a new config object that inherits from a previous one.
+	 * @param HTMLPurifier_Config $config Configuration object to inherit
+	 *        from.
+	 * @return HTMLPurifier_Config object with $config as its parent.
+	 */
+	public static function inherit(HTMLPurifier_Config $config) {
+		return new HTMLPurifier_Config($config->def, $config->plist);
+	}
+
+	/**
+	 * Convenience constructor that creates a default configuration object.
+	 * @return Default HTMLPurifier_Config object.
+	 */
+	public static function createDefault() {
+		$definition = HTMLPurifier_ConfigSchema::instance();
+		$config = new HTMLPurifier_Config($definition);
+		return $config;
+	}
+
+	/**
+	 * Retreives a value from the configuration.
+	 * @param $key String key
+	 */
+	public function get($key, $a = null) {
+		if ($a !== null) {
+			$this->triggerError("Using deprecated API: use \$config->get('$key.$a') instead", E_USER_WARNING);
+			$key = "$key.$a";
+		}
+		if (!$this->finalized) $this->autoFinalize();
+		if (!isset($this->def->info[$key])) {
+			// can't add % due to SimpleTest bug
+			$this->triggerError('Cannot retrieve value of undefined directive ' . htmlspecialchars($key, ENT_COMPAT | ENT_HTML401, 'UTF-8', false),
+				E_USER_WARNING);
+			return;
+		}
+		if (isset($this->def->info[$key]->isAlias)) {
+			$d = $this->def->info[$key];
+			$this->triggerError('Cannot get value from aliased directive, use real name ' . $d->key,
+				E_USER_ERROR);
+			return;
+		}
+		if ($this->lock) {
+			list($ns) = explode('.', $key);
+			if ($ns !== $this->lock) {
+				$this->triggerError('Cannot get value of namespace ' . $ns . ' when lock for ' . $this->lock . ' is active, this probably indicates a Definition setup method is accessing directives that are not within its namespace', E_USER_ERROR);
+				return;
+			}
+		}
+		return $this->plist->get($key);
+	}
+
+	/**
+	 * Retreives an array of directives to values from a given namespace
+	 * @param $namespace String namespace
+	 */
+	public function getBatch($namespace) {
+		if (!$this->finalized) $this->autoFinalize();
+		$full = $this->getAll();
+		if (!isset($full[$namespace])) {
+			$this->triggerError('Cannot retrieve undefined namespace ' . htmlspecialchars($namespace, ENT_COMPAT | ENT_HTML401, 'UTF-8', false),
+				E_USER_WARNING);
+			return;
+		}
+		return $full[$namespace];
+	}
+
+	/**
+	 * Returns a md5 signature of a segment of the configuration object
+	 * that uniquely identifies that particular configuration
+	 * @note Revision is handled specially and is removed from the batch
+	 *       before processing!
+	 * @param $namespace Namespace to get serial for
+	 */
+	public function getBatchSerial($namespace) {
+		if (empty($this->serials[$namespace])) {
+			$batch = $this->getBatch($namespace);
+			unset($batch['DefinitionRev']);
+			$this->serials[$namespace] = md5(serialize($batch));
+		}
+		return $this->serials[$namespace];
+	}
+
+	/**
+	 * Returns a md5 signature for the entire configuration object
+	 * that uniquely identifies that particular configuration
+	 */
+	public function getSerial() {
+		if (empty($this->serial)) {
+			$this->serial = md5(serialize($this->getAll()));
+		}
+		return $this->serial;
+	}
+
+	/**
+	 * Retrieves all directives, organized by namespace
+	 * @warning This is a pretty inefficient function, avoid if you can
+	 */
+	public function getAll() {
+		if (!$this->finalized) $this->autoFinalize();
+		$ret = array();
+		foreach ($this->plist->squash() as $name => $value) {
+			list($ns, $key) = explode('.', $name, 2);
+			$ret[$ns][$key] = $value;
+		}
+		return $ret;
+	}
+
+	/**
+	 * Sets a value to configuration.
+	 * @param $key String key
+	 * @param $value Mixed value
+	 */
+	public function set($key, $value, $a = null) {
+		if (strpos($key, '.') === false) {
+			$namespace = $key;
+			$directive = $value;
+			$value = $a;
+			$key = "$key.$directive";
+			$this->triggerError("Using deprecated API: use \$config->set('$key', ...) instead", E_USER_NOTICE);
+		} else {
+			list($namespace) = explode('.', $key);
+		}
+		if ($this->isFinalized('Cannot set directive after finalization')) return;
+		if (!isset($this->def->info[$key])) {
+			$this->triggerError('Cannot set undefined directive ' . htmlspecialchars($key, ENT_COMPAT | ENT_HTML401, 'UTF-8', false) . ' to value',
+				E_USER_WARNING);
+			return;
+		}
+		$def = $this->def->info[$key];
+
+		if (isset($def->isAlias)) {
+			if ($this->aliasMode) {
+				$this->triggerError('Double-aliases not allowed, please fix '.
+					'ConfigSchema bug with' . $key, E_USER_ERROR);
+				return;
+			}
+			$this->aliasMode = true;
+			$this->set($def->key, $value);
+			$this->aliasMode = false;
+			$this->triggerError("$key is an alias, preferred directive name is {$def->key}", E_USER_NOTICE);
+			return;
+		}
+
+		// Raw type might be negative when using the fully optimized form
+		// of stdclass, which indicates allow_null == true
+		$rtype = is_int($def) ? $def : $def->type;
+		if ($rtype < 0) {
+			$type = -$rtype;
+			$allow_null = true;
+		} else {
+			$type = $rtype;
+			$allow_null = isset($def->allow_null);
+		}
+
+		try {
+			$value = $this->parser->parse($value, $type, $allow_null);
+		} catch (HTMLPurifier_VarParserException $e) {
+			$this->triggerError('Value for ' . $key . ' is of invalid type, should be ' . HTMLPurifier_VarParser::getTypeName($type), E_USER_WARNING);
+			return;
+		}
+		if (is_string($value) && is_object($def)) {
+			// resolve value alias if defined
+			if (isset($def->aliases[$value])) {
+				$value = $def->aliases[$value];
+			}
+			// check to see if the value is allowed
+			if (isset($def->allowed) && !isset($def->allowed[$value])) {
+				$this->triggerError('Value not supported, valid values are: ' .
+					$this->_listify($def->allowed), E_USER_WARNING);
+				return;
+			}
+		}
+		$this->plist->set($key, $value);
+
+		// reset definitions if the directives they depend on changed
+		// this is a very costly process, so it's discouraged
+		// with finalization
+		if ($namespace == 'HTML' || $namespace == 'CSS' || $namespace == 'URI') {
+			$this->definitions[$namespace] = null;
+		}
+
+		$this->serials[$namespace] = false;
+	}
+
+	/**
+	 * Convenience function for error reporting
+	 */
+	private function _listify($lookup) {
+		$list = array();
+		foreach ($lookup as $name => $b) $list[] = $name;
+		return implode(', ', $list);
+	}
+
+	/**
+	 * Retrieves object reference to the HTML definition.
+	 * @param $raw Return a copy that has not been setup yet. Must be
+	 *             called before it's been setup, otherwise won't work.
+	 * @param $optimized If true, this method may return null, to
+	 *             indicate that a cached version of the modified
+	 *             definition object is available and no further edits
+	 *             are necessary.  Consider using
+	 *             maybeGetRawHTMLDefinition, which is more explicitly
+	 *             named, instead.
+	 */
+	public function getHTMLDefinition($raw = false, $optimized = false) {
+		return $this->getDefinition('HTML', $raw, $optimized);
+	}
+
+	/**
+	 * Retrieves object reference to the CSS definition
+	 * @param $raw Return a copy that has not been setup yet. Must be
+	 *             called before it's been setup, otherwise won't work.
+	 * @param $optimized If true, this method may return null, to
+	 *             indicate that a cached version of the modified
+	 *             definition object is available and no further edits
+	 *             are necessary.  Consider using
+	 *             maybeGetRawCSSDefinition, which is more explicitly
+	 *             named, instead.
+	 */
+	public function getCSSDefinition($raw = false, $optimized = false) {
+		return $this->getDefinition('CSS', $raw, $optimized);
+	}
+
+	/**
+	 * Retrieves object reference to the URI definition
+	 * @param $raw Return a copy that has not been setup yet. Must be
+	 *             called before it's been setup, otherwise won't work.
+	 * @param $optimized If true, this method may return null, to
+	 *             indicate that a cached version of the modified
+	 *             definition object is available and no further edits
+	 *             are necessary.  Consider using
+	 *             maybeGetRawURIDefinition, which is more explicitly
+	 *             named, instead.
+	 */
+	public function getURIDefinition($raw = false, $optimized = false) {
+		return $this->getDefinition('URI', $raw, $optimized);
+	}
+
+	/**
+	 * Retrieves a definition
+	 * @param $type Type of definition: HTML, CSS, etc
+	 * @param $raw  Whether or not definition should be returned raw
+	 * @param $optimized Only has an effect when $raw is true.  Whether
+	 *        or not to return null if the result is already present in
+	 *        the cache.  This is off by default for backwards
+	 *        compatibility reasons, but you need to do things this
+	 *        way in order to ensure that caching is done properly.
+	 *        Check out enduser-customize.html for more details.
+	 *        We probably won't ever change this default, as much as the
+	 *        maybe semantics is the "right thing to do."
+	 */
+	public function getDefinition($type, $raw = false, $optimized = false) {
+		if ($optimized && !$raw) {
+			throw new HTMLPurifier_Exception("Cannot set optimized = true when raw = false");
+		}
+		if (!$this->finalized) $this->autoFinalize();
+		// temporarily suspend locks, so we can handle recursive definition calls
+		$lock = $this->lock;
+		$this->lock = null;
+		$factory = HTMLPurifier_DefinitionCacheFactory::instance();
+		$cache = $factory->create($type, $this);
+		$this->lock = $lock;
+		if (!$raw) {
+			// full definition
+			// ---------------
+			// check if definition is in memory
+			if (!empty($this->definitions[$type])) {
+				$def = $this->definitions[$type];
+				// check if the definition is setup
+				if ($def->setup) {
+					return $def;
+				} else {
+					$def->setup($this);
+					if ($def->optimized) $cache->add($def, $this);
+					return $def;
+				}
+			}
+			// check if definition is in cache
+			$def = $cache->get($this);
+			if ($def) {
+				// definition in cache, save to memory and return it
+				$this->definitions[$type] = $def;
+				return $def;
+			}
+			// initialize it
+			$def = $this->initDefinition($type);
+			// set it up
+			$this->lock = $type;
+			$def->setup($this);
+			$this->lock = null;
+			// save in cache
+			$cache->add($def, $this);
+			// return it
+			return $def;
+		} else {
+			// raw definition
+			// --------------
+			// check preconditions
+			$def = null;
+			if ($optimized) {
+				if (is_null($this->get($type . '.DefinitionID'))) {
+					// fatally error out if definition ID not set
+					throw new HTMLPurifier_Exception("Cannot retrieve raw version without specifying %$type.DefinitionID");
+				}
+			}
+			if (!empty($this->definitions[$type])) {
+				$def = $this->definitions[$type];
+				if ($def->setup && !$optimized) {
+					$extra = $this->chatty ? " (try moving this code block earlier in your initialization)" : "";
+					throw new HTMLPurifier_Exception("Cannot retrieve raw definition after it has already been setup" . $extra);
+				}
+				if ($def->optimized === null) {
+					$extra = $this->chatty ? " (try flushing your cache)" : "";
+					throw new HTMLPurifier_Exception("Optimization status of definition is unknown" . $extra);
+				}
+				if ($def->optimized !== $optimized) {
+					$msg = $optimized ? "optimized" : "unoptimized";
+					$extra = $this->chatty ? " (this backtrace is for the first inconsistent call, which was for a $msg raw definition)" : "";
+					throw new HTMLPurifier_Exception("Inconsistent use of optimized and unoptimized raw definition retrievals" . $extra);
+				}
+			}
+			// check if definition was in memory
+			if ($def) {
+				if ($def->setup) {
+					// invariant: $optimized === true (checked above)
+					return null;
+				} else {
+					return $def;
+				}
+			}
+			// if optimized, check if definition was in cache
+			// (because we do the memory check first, this formulation
+			// is prone to cache slamming, but I think
+			// guaranteeing that either /all/ of the raw
+			// setup code or /none/ of it is run is more important.)
+			if ($optimized) {
+				// This code path only gets run once; once we put
+				// something in $definitions (which is guaranteed by the
+				// trailing code), we always short-circuit above.
+				$def = $cache->get($this);
+				if ($def) {
+					// save the full definition for later, but don't
+					// return it yet
+					$this->definitions[$type] = $def;
+					return null;
+				}
+			}
+			// check invariants for creation
+			if (!$optimized) {
+				if (!is_null($this->get($type . '.DefinitionID'))) {
+					if ($this->chatty) {
+						$this->triggerError("Due to a documentation error in previous version of HTML Purifier, your definitions are not being cached.  If this is OK, you can remove the %$type.DefinitionRev and %$type.DefinitionID declaration.  Otherwise, modify your code to use maybeGetRawDefinition, and test if the returned value is null before making any edits (if it is null, that means that a cached version is available, and no raw operations are necessary).  See <a href='http://htmlpurifier.org/docs/enduser-customize.html#optimized'>Customize</a> for more details", E_USER_WARNING);
+					} else {
+						$this->triggerError("Useless DefinitionID declaration", E_USER_WARNING);
+					}
+				}
+			}
+			// initialize it
+			$def = $this->initDefinition($type);
+			$def->optimized = $optimized;
+			return $def;
+		}
+		throw new HTMLPurifier_Exception("The impossible happened!");
+	}
+
+	private function initDefinition($type) {
+		// quick checks failed, let's create the object
+		if ($type == 'HTML') {
+			$def = new HTMLPurifier_HTMLDefinition();
+		} elseif ($type == 'CSS') {
+			$def = new HTMLPurifier_CSSDefinition();
+		} elseif ($type == 'URI') {
+			$def = new HTMLPurifier_URIDefinition();
+		} else {
+			throw new HTMLPurifier_Exception("Definition of $type type not supported");
+		}
+		$this->definitions[$type] = $def;
+		return $def;
+	}
+
+	public function maybeGetRawDefinition($name) {
+		return $this->getDefinition($name, true, true);
+	}
+
+	public function maybeGetRawHTMLDefinition() {
+		return $this->getDefinition('HTML', true, true);
+	}
+
+	public function maybeGetRawCSSDefinition() {
+		return $this->getDefinition('CSS', true, true);
+	}
+
+	public function maybeGetRawURIDefinition() {
+		return $this->getDefinition('URI', true, true);
+	}
+
+	/**
+	 * Loads configuration values from an array with the following structure:
+	 * Namespace.Directive => Value
+	 * @param $config_array Configuration associative array
+	 */
+	public function loadArray($config_array) {
+		if ($this->isFinalized('Cannot load directives after finalization')) return;
+		foreach ($config_array as $key => $value) {
+			$key = str_replace('_', '.', $key);
+			if (strpos($key, '.') !== false) {
+				$this->set($key, $value);
+			} else {
+				$namespace = $key;
+				$namespace_values = $value;
+				foreach ($namespace_values as $directive => $value) {
+					$this->set($namespace .'.'. $directive, $value);
+				}
+			}
+		}
+	}
+
+	/**
+	 * Returns a list of array(namespace, directive) for all directives
+	 * that are allowed in a web-form context as per an allowed
+	 * namespaces/directives list.
+	 * @param $allowed List of allowed namespaces/directives
+	 */
+	public static function getAllowedDirectivesForForm($allowed, $schema = null) {
+		if (!$schema) {
+			$schema = HTMLPurifier_ConfigSchema::instance();
+		}
+		if ($allowed !== true) {
+			 if (is_string($allowed)) $allowed = array($allowed);
+			 $allowed_ns = array();
+			 $allowed_directives = array();
+			 $blacklisted_directives = array();
+			 foreach ($allowed as $ns_or_directive) {
+				 if (strpos($ns_or_directive, '.') !== false) {
+					 // directive
+					 if ($ns_or_directive[0] == '-') {
+						 $blacklisted_directives[substr($ns_or_directive, 1)] = true;
+					 } else {
+						 $allowed_directives[$ns_or_directive] = true;
+					 }
+				 } else {
+					 // namespace
+					 $allowed_ns[$ns_or_directive] = true;
+				 }
+			 }
+		}
+		$ret = array();
+		foreach ($schema->info as $key => $def) {
+			list($ns, $directive) = explode('.', $key, 2);
+			if ($allowed !== true) {
+				if (isset($blacklisted_directives["$ns.$directive"])) continue;
+				if (!isset($allowed_directives["$ns.$directive"]) && !isset($allowed_ns[$ns])) continue;
+			}
+			if (isset($def->isAlias)) continue;
+			if ($directive == 'DefinitionID' || $directive == 'DefinitionRev') continue;
+			$ret[] = array($ns, $directive);
+		}
+		return $ret;
+	}
+
+	/**
+	 * Loads configuration values from $_GET/$_POST that were posted
+	 * via ConfigForm
+	 * @param $array $_GET or $_POST array to import
+	 * @param $index Index/name that the config variables are in
+	 * @param $allowed List of allowed namespaces/directives
+	 * @param $mq_fix Boolean whether or not to enable magic quotes fix
+	 * @param $schema Instance of HTMLPurifier_ConfigSchema to use, if not global copy
+	 */
+	public static function loadArrayFromForm($array, $index = false, $allowed = true, $mq_fix = true, $schema = null) {
+		$ret = HTMLPurifier_Config::prepareArrayFromForm($array, $index, $allowed, $mq_fix, $schema);
+		$config = HTMLPurifier_Config::create($ret, $schema);
+		return $config;
+	}
+
+	/**
+	 * Merges in configuration values from $_GET/$_POST to object. NOT STATIC.
+	 * @note Same parameters as loadArrayFromForm
+	 */
+	public function mergeArrayFromForm($array, $index = false, $allowed = true, $mq_fix = true) {
+		 $ret = HTMLPurifier_Config::prepareArrayFromForm($array, $index, $allowed, $mq_fix, $this->def);
+		 $this->loadArray($ret);
+	}
+
+	/**
+	 * Prepares an array from a form into something usable for the more
+	 * strict parts of HTMLPurifier_Config
+	 */
+	public static function prepareArrayFromForm($array, $index = false, $allowed = true, $mq_fix = true, $schema = null) {
+		if ($index !== false) $array = (isset($array[$index]) && is_array($array[$index])) ? $array[$index] : array();
+		$mq = $mq_fix && function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
+
+		$allowed = HTMLPurifier_Config::getAllowedDirectivesForForm($allowed, $schema);
+		$ret = array();
+		foreach ($allowed as $key) {
+			list($ns, $directive) = $key;
+			$skey = "$ns.$directive";
+			if (!empty($array["Null_$skey"])) {
+				$ret[$ns][$directive] = null;
+				continue;
+			}
+			if (!isset($array[$skey])) continue;
+			$value = $mq ? stripslashes($array[$skey]) : $array[$skey];
+			$ret[$ns][$directive] = $value;
+		}
+		return $ret;
+	}
+
+	/**
+	 * Loads configuration values from an ini file
+	 * @param $filename Name of ini file
+	 */
+	public function loadIni($filename) {
+		if ($this->isFinalized('Cannot load directives after finalization')) return;
+		$array = parse_ini_file($filename, true);
+		$this->loadArray($array);
+	}
+
+	/**
+	 * Checks whether or not the configuration object is finalized.
+	 * @param $error String error message, or false for no error
+	 */
+	public function isFinalized($error = false) {
+		if ($this->finalized && $error) {
+			$this->triggerError($error, E_USER_ERROR);
+		}
+		return $this->finalized;
+	}
+
+	/**
+	 * Finalizes configuration only if auto finalize is on and not
+	 * already finalized
+	 */
+	public function autoFinalize() {
+		if ($this->autoFinalize) {
+			$this->finalize();
+		} else {
+			$this->plist->squash(true);
+		}
+	}
+
+	/**
+	 * Finalizes a configuration object, prohibiting further change
+	 */
+	public function finalize() {
+		$this->finalized = true;
+		$this->parser = null;
+	}
+
+	/**
+	 * Produces a nicely formatted error message by supplying the
+	 * stack frame information OUTSIDE of HTMLPurifier_Config.
+	 */
+	protected function triggerError($msg, $no) {
+		// determine previous stack frame
+		$extra = '';
+		if ($this->chatty) {
+			$trace = debug_backtrace();
+			// zip(tail(trace), trace) -- but PHP is not Haskell har har
+			for ($i = 0, $c = count($trace); $i < $c - 1; $i++) {
+				if ($trace[$i + 1]['class'] === 'HTMLPurifier_Config') {
+					continue;
+				}
+				$frame = $trace[$i];
+				$extra = " invoked on line {$frame['line']} in file {$frame['file']}";
+				break;
+			}
+		}
+		trigger_error($msg . $extra, $no);
+	}
+
+	/**
+	 * Returns a serialized form of the configuration object that can
+	 * be reconstituted.
+	 */
+	public function serialize() {
+		$this->getDefinition('HTML');
+		$this->getDefinition('CSS');
+		$this->getDefinition('URI');
+		return serialize($this);
+	}
 
 }
 

Braces +53 added lines, -18 removed lines

@@ -116,8 +116,11 @@ 
         } else {
             $ret = new HTMLPurifier_Config($schema);
         }
-        if (is_string($config)) $ret->loadIni($config);
-        elseif (is_array($config)) $ret->loadArray($config);
+        if (is_string($config)) {
+        	$ret->loadIni($config);
+        } elseif (is_array($config)) {
+        	$ret->loadArray($config);
+        }
         return $ret;
     }
 
@@ -150,7 +153,9 @@ 
             $this->triggerError("Using deprecated API: use \$config->get('$key.$a') instead", E_USER_WARNING);
             $key = "$key.$a";
         }
-        if (!$this->finalized) $this->autoFinalize();
+        if (!$this->finalized) {
+        	$this->autoFinalize();
+        }
         if (!isset($this->def->info[$key])) {
             // can't add % due to SimpleTest bug
             $this->triggerError('Cannot retrieve value of undefined directive ' . htmlspecialchars($key, ENT_COMPAT | ENT_HTML401, 'UTF-8', false),
@@ -178,7 +183,9 @@ 
      * @param $namespace String namespace
      */
     public function getBatch($namespace) {
-        if (!$this->finalized) $this->autoFinalize();
+        if (!$this->finalized) {
+        	$this->autoFinalize();
+        }
         $full = $this->getAll();
         if (!isset($full[$namespace])) {
             $this->triggerError('Cannot retrieve undefined namespace ' . htmlspecialchars($namespace, ENT_COMPAT | ENT_HTML401, 'UTF-8', false),
@@ -220,7 +227,9 @@ 
      * @warning This is a pretty inefficient function, avoid if you can
      */
     public function getAll() {
-        if (!$this->finalized) $this->autoFinalize();
+        if (!$this->finalized) {
+        	$this->autoFinalize();
+        }
         $ret = array();
         foreach ($this->plist->squash() as $name => $value) {
             list($ns, $key) = explode('.', $name, 2);
@@ -244,7 +253,9 @@ 
         } else {
             list($namespace) = explode('.', $key);
         }
-        if ($this->isFinalized('Cannot set directive after finalization')) return;
+        if ($this->isFinalized('Cannot set directive after finalization')) {
+        	return;
+        }
         if (!isset($this->def->info[$key])) {
             $this->triggerError('Cannot set undefined directive ' . htmlspecialchars($key, ENT_COMPAT | ENT_HTML401, 'UTF-8', false) . ' to value',
                 E_USER_WARNING);
@@ -311,7 +322,9 @@ 
      */
     private function _listify($lookup) {
         $list = array();
-        foreach ($lookup as $name => $b) $list[] = $name;
+        foreach ($lookup as $name => $b) {
+        	$list[] = $name;
+        }
         return implode(', ', $list);
     }
 
@@ -377,7 +390,9 @@ 
         if ($optimized && !$raw) {
             throw new HTMLPurifier_Exception("Cannot set optimized = true when raw = false");
         }
-        if (!$this->finalized) $this->autoFinalize();
+        if (!$this->finalized) {
+        	$this->autoFinalize();
+        }
         // temporarily suspend locks, so we can handle recursive definition calls
         $lock = $this->lock;
         $this->lock = null;
@@ -395,7 +410,9 @@ 
                     return $def;
                 } else {
                     $def->setup($this);
-                    if ($def->optimized) $cache->add($def, $this);
+                    if ($def->optimized) {
+                    	$cache->add($def, $this);
+                    }
                     return $def;
                 }
             }
@@ -524,7 +541,9 @@ 
      * @param $config_array Configuration associative array
      */
     public function loadArray($config_array) {
-        if ($this->isFinalized('Cannot load directives after finalization')) return;
+        if ($this->isFinalized('Cannot load directives after finalization')) {
+        	return;
+        }
         foreach ($config_array as $key => $value) {
             $key = str_replace('_', '.', $key);
             if (strpos($key, '.') !== false) {
@@ -550,7 +569,9 @@ 
             $schema = HTMLPurifier_ConfigSchema::instance();
         }
         if ($allowed !== true) {
-             if (is_string($allowed)) $allowed = array($allowed);
+             if (is_string($allowed)) {
+             	$allowed = array($allowed);
+             }
              $allowed_ns = array();
              $allowed_directives = array();
              $blacklisted_directives = array();
@@ -572,11 +593,19 @@ 
         foreach ($schema->info as $key => $def) {
             list($ns, $directive) = explode('.', $key, 2);
             if ($allowed !== true) {
-                if (isset($blacklisted_directives["$ns.$directive"])) continue;
-                if (!isset($allowed_directives["$ns.$directive"]) && !isset($allowed_ns[$ns])) continue;
+                if (isset($blacklisted_directives["$ns.$directive"])) {
+                	continue;
+                }
+                if (!isset($allowed_directives["$ns.$directive"]) && !isset($allowed_ns[$ns])) {
+                	continue;
+                }
+            }
+            if (isset($def->isAlias)) {
+            	continue;
+            }
+            if ($directive == 'DefinitionID' || $directive == 'DefinitionRev') {
+            	continue;
             }
-            if (isset($def->isAlias)) continue;
-            if ($directive == 'DefinitionID' || $directive == 'DefinitionRev') continue;
             $ret[] = array($ns, $directive);
         }
         return $ret;
@@ -611,7 +640,9 @@ 
      * strict parts of HTMLPurifier_Config
      */
     public static function prepareArrayFromForm($array, $index = false, $allowed = true, $mq_fix = true, $schema = null) {
-        if ($index !== false) $array = (isset($array[$index]) && is_array($array[$index])) ? $array[$index] : array();
+        if ($index !== false) {
+        	$array = (isset($array[$index]) && is_array($array[$index])) ? $array[$index] : array();
+        }
         $mq = $mq_fix && function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
 
         $allowed = HTMLPurifier_Config::getAllowedDirectivesForForm($allowed, $schema);
@@ -623,7 +654,9 @@ 
                 $ret[$ns][$directive] = null;
                 continue;
             }
-            if (!isset($array[$skey])) continue;
+            if (!isset($array[$skey])) {
+            	continue;
+            }
             $value = $mq ? stripslashes($array[$skey]) : $array[$skey];
             $ret[$ns][$directive] = $value;
         }
@@ -635,7 +668,9 @@ 
      * @param $filename Name of ini file
      */
     public function loadIni($filename) {
-        if ($this->isFinalized('Cannot load directives after finalization')) return;
+        if ($this->isFinalized('Cannot load directives after finalization')) {
+        	return;
+        }
         $array = parse_ini_file($filename, true);
         $this->loadArray($array);
     }

Spacing +15 added lines, -15 removed lines

@@ -153,20 +153,20 @@ 
         if (!$this->finalized) $this->autoFinalize();
         if (!isset($this->def->info[$key])) {
             // can't add % due to SimpleTest bug
-            $this->triggerError('Cannot retrieve value of undefined directive ' . htmlspecialchars($key, ENT_COMPAT | ENT_HTML401, 'UTF-8', false),
+            $this->triggerError('Cannot retrieve value of undefined directive '.htmlspecialchars($key, ENT_COMPAT | ENT_HTML401, 'UTF-8', false),
                 E_USER_WARNING);
             return;
         }
         if (isset($this->def->info[$key]->isAlias)) {
             $d = $this->def->info[$key];
-            $this->triggerError('Cannot get value from aliased directive, use real name ' . $d->key,
+            $this->triggerError('Cannot get value from aliased directive, use real name '.$d->key,
                 E_USER_ERROR);
             return;
         }
         if ($this->lock) {
             list($ns) = explode('.', $key);
             if ($ns !== $this->lock) {
-                $this->triggerError('Cannot get value of namespace ' . $ns . ' when lock for ' . $this->lock . ' is active, this probably indicates a Definition setup method is accessing directives that are not within its namespace', E_USER_ERROR);
+                $this->triggerError('Cannot get value of namespace '.$ns.' when lock for '.$this->lock.' is active, this probably indicates a Definition setup method is accessing directives that are not within its namespace', E_USER_ERROR);
                 return;
             }
         }
@@ -181,7 +181,7 @@ 
         if (!$this->finalized) $this->autoFinalize();
         $full = $this->getAll();
         if (!isset($full[$namespace])) {
-            $this->triggerError('Cannot retrieve undefined namespace ' . htmlspecialchars($namespace, ENT_COMPAT | ENT_HTML401, 'UTF-8', false),
+            $this->triggerError('Cannot retrieve undefined namespace '.htmlspecialchars($namespace, ENT_COMPAT | ENT_HTML401, 'UTF-8', false),
                 E_USER_WARNING);
             return;
         }
@@ -246,7 +246,7 @@ 
         }
         if ($this->isFinalized('Cannot set directive after finalization')) return;
         if (!isset($this->def->info[$key])) {
-            $this->triggerError('Cannot set undefined directive ' . htmlspecialchars($key, ENT_COMPAT | ENT_HTML401, 'UTF-8', false) . ' to value',
+            $this->triggerError('Cannot set undefined directive '.htmlspecialchars($key, ENT_COMPAT | ENT_HTML401, 'UTF-8', false).' to value',
                 E_USER_WARNING);
             return;
         }
@@ -255,7 +255,7 @@ 
         if (isset($def->isAlias)) {
             if ($this->aliasMode) {
                 $this->triggerError('Double-aliases not allowed, please fix '.
-                    'ConfigSchema bug with' . $key, E_USER_ERROR);
+                    'ConfigSchema bug with'.$key, E_USER_ERROR);
                 return;
             }
             $this->aliasMode = true;
@@ -279,7 +279,7 @@ 
         try {
             $value = $this->parser->parse($value, $type, $allow_null);
         } catch (HTMLPurifier_VarParserException $e) {
-            $this->triggerError('Value for ' . $key . ' is of invalid type, should be ' . HTMLPurifier_VarParser::getTypeName($type), E_USER_WARNING);
+            $this->triggerError('Value for '.$key.' is of invalid type, should be '.HTMLPurifier_VarParser::getTypeName($type), E_USER_WARNING);
             return;
         }
         if (is_string($value) && is_object($def)) {
@@ -289,7 +289,7 @@ 
             }
             // check to see if the value is allowed
             if (isset($def->allowed) && !isset($def->allowed[$value])) {
-                $this->triggerError('Value not supported, valid values are: ' .
+                $this->triggerError('Value not supported, valid values are: '.
                     $this->_listify($def->allowed), E_USER_WARNING);
                 return;
             }
@@ -422,7 +422,7 @@ 
             // check preconditions
             $def = null;
             if ($optimized) {
-                if (is_null($this->get($type . '.DefinitionID'))) {
+                if (is_null($this->get($type.'.DefinitionID'))) {
                     // fatally error out if definition ID not set
                     throw new HTMLPurifier_Exception("Cannot retrieve raw version without specifying %$type.DefinitionID");
                 }
@@ -431,16 +431,16 @@ 
                 $def = $this->definitions[$type];
                 if ($def->setup && !$optimized) {
                     $extra = $this->chatty ? " (try moving this code block earlier in your initialization)" : "";
-                    throw new HTMLPurifier_Exception("Cannot retrieve raw definition after it has already been setup" . $extra);
+                    throw new HTMLPurifier_Exception("Cannot retrieve raw definition after it has already been setup".$extra);
                 }
                 if ($def->optimized === null) {
                     $extra = $this->chatty ? " (try flushing your cache)" : "";
-                    throw new HTMLPurifier_Exception("Optimization status of definition is unknown" . $extra);
+                    throw new HTMLPurifier_Exception("Optimization status of definition is unknown".$extra);
                 }
                 if ($def->optimized !== $optimized) {
                     $msg = $optimized ? "optimized" : "unoptimized";
                     $extra = $this->chatty ? " (this backtrace is for the first inconsistent call, which was for a $msg raw definition)" : "";
-                    throw new HTMLPurifier_Exception("Inconsistent use of optimized and unoptimized raw definition retrievals" . $extra);
+                    throw new HTMLPurifier_Exception("Inconsistent use of optimized and unoptimized raw definition retrievals".$extra);
                 }
             }
             // check if definition was in memory
@@ -471,7 +471,7 @@ 
             }
             // check invariants for creation
             if (!$optimized) {
-                if (!is_null($this->get($type . '.DefinitionID'))) {
+                if (!is_null($this->get($type.'.DefinitionID'))) {
                     if ($this->chatty) {
                         $this->triggerError("Due to a documentation error in previous version of HTML Purifier, your definitions are not being cached.  If this is OK, you can remove the %$type.DefinitionRev and %$type.DefinitionID declaration.  Otherwise, modify your code to use maybeGetRawDefinition, and test if the returned value is null before making any edits (if it is null, that means that a cached version is available, and no raw operations are necessary).  See <a href='http://htmlpurifier.org/docs/enduser-customize.html#optimized'>Customize</a> for more details", E_USER_WARNING);
                     } else {
@@ -533,7 +533,7 @@ 
                 $namespace = $key;
                 $namespace_values = $value;
                 foreach ($namespace_values as $directive => $value) {
-                    $this->set($namespace .'.'. $directive, $value);
+                    $this->set($namespace.'.'.$directive, $value);
                 }
             }
         }
@@ -690,7 +690,7 @@ 
                 break;
             }
         }
-        trigger_error($msg . $extra, $no);
+        trigger_error($msg.$extra, $no);
     }
 
     /**

classes/security/htmlpurifier/library/HTMLPurifier/DoctypeRegistry.php

Doc Comments +3 added lines, -1 removed lines

@@ -17,10 +17,12 @@
      * Registers a doctype to the registry
      * @note Accepts a fully-formed doctype object, or the
      *       parameters for constructing a doctype object
-     * @param $doctype Name of doctype or literal doctype object
+     * @param string $doctype Name of doctype or literal doctype object
      * @param $modules Modules doctype will load
      * @param $modules_for_modes Modules doctype will load for certain modes
      * @param $aliases Alias names for doctype
+     * @param string $dtd_public
+     * @param string $dtd_system
      * @return Editable registered doctype
      */
     public function register($doctype, $xml = true, $modules = array(),

Indentation +89 added lines, -89 removed lines

@@ -3,100 +3,100 @@
 class HTMLPurifier_DoctypeRegistry
 {
 
-    /**
-     * Hash of doctype names to doctype objects
-     */
-    protected $doctypes;
+	/**
+	 * Hash of doctype names to doctype objects
+	 */
+	protected $doctypes;
 
-    /**
-     * Lookup table of aliases to real doctype names
-     */
-    protected $aliases;
+	/**
+	 * Lookup table of aliases to real doctype names
+	 */
+	protected $aliases;
 
-    /**
-     * Registers a doctype to the registry
-     * @note Accepts a fully-formed doctype object, or the
-     *       parameters for constructing a doctype object
-     * @param $doctype Name of doctype or literal doctype object
-     * @param $modules Modules doctype will load
-     * @param $modules_for_modes Modules doctype will load for certain modes
-     * @param $aliases Alias names for doctype
-     * @return Editable registered doctype
-     */
-    public function register($doctype, $xml = true, $modules = array(),
-        $tidy_modules = array(), $aliases = array(), $dtd_public = null, $dtd_system = null
-    ) {
-        if (!is_array($modules)) $modules = array($modules);
-        if (!is_array($tidy_modules)) $tidy_modules = array($tidy_modules);
-        if (!is_array($aliases)) $aliases = array($aliases);
-        if (!is_object($doctype)) {
-            $doctype = new HTMLPurifier_Doctype(
-                $doctype, $xml, $modules, $tidy_modules, $aliases, $dtd_public, $dtd_system
-            );
-        }
-        $this->doctypes[$doctype->name] = $doctype;
-        $name = $doctype->name;
-        // hookup aliases
-        foreach ($doctype->aliases as $alias) {
-            if (isset($this->doctypes[$alias])) continue;
-            $this->aliases[$alias] = $name;
-        }
-        // remove old aliases
-        if (isset($this->aliases[$name])) unset($this->aliases[$name]);
-        return $doctype;
-    }
+	/**
+	 * Registers a doctype to the registry
+	 * @note Accepts a fully-formed doctype object, or the
+	 *       parameters for constructing a doctype object
+	 * @param $doctype Name of doctype or literal doctype object
+	 * @param $modules Modules doctype will load
+	 * @param $modules_for_modes Modules doctype will load for certain modes
+	 * @param $aliases Alias names for doctype
+	 * @return Editable registered doctype
+	 */
+	public function register($doctype, $xml = true, $modules = array(),
+		$tidy_modules = array(), $aliases = array(), $dtd_public = null, $dtd_system = null
+	) {
+		if (!is_array($modules)) $modules = array($modules);
+		if (!is_array($tidy_modules)) $tidy_modules = array($tidy_modules);
+		if (!is_array($aliases)) $aliases = array($aliases);
+		if (!is_object($doctype)) {
+			$doctype = new HTMLPurifier_Doctype(
+				$doctype, $xml, $modules, $tidy_modules, $aliases, $dtd_public, $dtd_system
+			);
+		}
+		$this->doctypes[$doctype->name] = $doctype;
+		$name = $doctype->name;
+		// hookup aliases
+		foreach ($doctype->aliases as $alias) {
+			if (isset($this->doctypes[$alias])) continue;
+			$this->aliases[$alias] = $name;
+		}
+		// remove old aliases
+		if (isset($this->aliases[$name])) unset($this->aliases[$name]);
+		return $doctype;
+	}
 
-    /**
-     * Retrieves reference to a doctype of a certain name
-     * @note This function resolves aliases
-     * @note When possible, use the more fully-featured make()
-     * @param $doctype Name of doctype
-     * @return Editable doctype object
-     */
-    public function get($doctype) {
-        if (isset($this->aliases[$doctype])) $doctype = $this->aliases[$doctype];
-        if (!isset($this->doctypes[$doctype])) {
-            trigger_error('Doctype ' . htmlspecialchars($doctype, ENT_COMPAT | ENT_HTML401, 'UTF-8', false) . ' does not exist', E_USER_ERROR);
-            $anon = new HTMLPurifier_Doctype($doctype);
-            return $anon;
-        }
-        return $this->doctypes[$doctype];
-    }
+	/**
+	 * Retrieves reference to a doctype of a certain name
+	 * @note This function resolves aliases
+	 * @note When possible, use the more fully-featured make()
+	 * @param $doctype Name of doctype
+	 * @return Editable doctype object
+	 */
+	public function get($doctype) {
+		if (isset($this->aliases[$doctype])) $doctype = $this->aliases[$doctype];
+		if (!isset($this->doctypes[$doctype])) {
+			trigger_error('Doctype ' . htmlspecialchars($doctype, ENT_COMPAT | ENT_HTML401, 'UTF-8', false) . ' does not exist', E_USER_ERROR);
+			$anon = new HTMLPurifier_Doctype($doctype);
+			return $anon;
+		}
+		return $this->doctypes[$doctype];
+	}
 
-    /**
-     * Creates a doctype based on a configuration object,
-     * will perform initialization on the doctype
-     * @note Use this function to get a copy of doctype that config
-     *       can hold on to (this is necessary in order to tell
-     *       Generator whether or not the current document is XML
-     *       based or not).
-     */
-    public function make($config) {
-        return clone $this->get($this->getDoctypeFromConfig($config));
-    }
+	/**
+	 * Creates a doctype based on a configuration object,
+	 * will perform initialization on the doctype
+	 * @note Use this function to get a copy of doctype that config
+	 *       can hold on to (this is necessary in order to tell
+	 *       Generator whether or not the current document is XML
+	 *       based or not).
+	 */
+	public function make($config) {
+		return clone $this->get($this->getDoctypeFromConfig($config));
+	}
 
-    /**
-     * Retrieves the doctype from the configuration object
-     */
-    public function getDoctypeFromConfig($config) {
-        // recommended test
-        $doctype = $config->get('HTML.Doctype');
-        if (!empty($doctype)) return $doctype;
-        $doctype = $config->get('HTML.CustomDoctype');
-        if (!empty($doctype)) return $doctype;
-        // backwards-compatibility
-        if ($config->get('HTML.XHTML')) {
-            $doctype = 'XHTML 1.0';
-        } else {
-            $doctype = 'HTML 4.01';
-        }
-        if ($config->get('HTML.Strict')) {
-            $doctype .= ' Strict';
-        } else {
-            $doctype .= ' Transitional';
-        }
-        return $doctype;
-    }
+	/**
+	 * Retrieves the doctype from the configuration object
+	 */
+	public function getDoctypeFromConfig($config) {
+		// recommended test
+		$doctype = $config->get('HTML.Doctype');
+		if (!empty($doctype)) return $doctype;
+		$doctype = $config->get('HTML.CustomDoctype');
+		if (!empty($doctype)) return $doctype;
+		// backwards-compatibility
+		if ($config->get('HTML.XHTML')) {
+			$doctype = 'XHTML 1.0';
+		} else {
+			$doctype = 'HTML 4.01';
+		}
+		if ($config->get('HTML.Strict')) {
+			$doctype .= ' Strict';
+		} else {
+			$doctype .= ' Transitional';
+		}
+		return $doctype;
+	}
 
 }
 

Braces +24 added lines, -8 removed lines

@@ -26,9 +26,15 @@ 
     public function register($doctype, $xml = true, $modules = array(),
         $tidy_modules = array(), $aliases = array(), $dtd_public = null, $dtd_system = null
     ) {
-        if (!is_array($modules)) $modules = array($modules);
-        if (!is_array($tidy_modules)) $tidy_modules = array($tidy_modules);
-        if (!is_array($aliases)) $aliases = array($aliases);
+        if (!is_array($modules)) {
+        	$modules = array($modules);
+        }
+        if (!is_array($tidy_modules)) {
+        	$tidy_modules = array($tidy_modules);
+        }
+        if (!is_array($aliases)) {
+        	$aliases = array($aliases);
+        }
         if (!is_object($doctype)) {
             $doctype = new HTMLPurifier_Doctype(
                 $doctype, $xml, $modules, $tidy_modules, $aliases, $dtd_public, $dtd_system
@@ -38,11 +44,15 @@ 
         $name = $doctype->name;
         // hookup aliases
         foreach ($doctype->aliases as $alias) {
-            if (isset($this->doctypes[$alias])) continue;
+            if (isset($this->doctypes[$alias])) {
+            	continue;
+            }
             $this->aliases[$alias] = $name;
         }
         // remove old aliases
-        if (isset($this->aliases[$name])) unset($this->aliases[$name]);
+        if (isset($this->aliases[$name])) {
+        	unset($this->aliases[$name]);
+        }
         return $doctype;
     }
 
@@ -54,7 +64,9 @@ 
      * @return Editable doctype object
      */
     public function get($doctype) {
-        if (isset($this->aliases[$doctype])) $doctype = $this->aliases[$doctype];
+        if (isset($this->aliases[$doctype])) {
+        	$doctype = $this->aliases[$doctype];
+        }
         if (!isset($this->doctypes[$doctype])) {
             trigger_error('Doctype ' . htmlspecialchars($doctype, ENT_COMPAT | ENT_HTML401, 'UTF-8', false) . ' does not exist', E_USER_ERROR);
             $anon = new HTMLPurifier_Doctype($doctype);
@@ -81,9 +93,13 @@ 
     public function getDoctypeFromConfig($config) {
         // recommended test
         $doctype = $config->get('HTML.Doctype');
-        if (!empty($doctype)) return $doctype;
+        if (!empty($doctype)) {
+        	return $doctype;
+        }
         $doctype = $config->get('HTML.CustomDoctype');
-        if (!empty($doctype)) return $doctype;
+        if (!empty($doctype)) {
+        	return $doctype;
+        }
         // backwards-compatibility
         if ($config->get('HTML.XHTML')) {
             $doctype = 'XHTML 1.0';

Spacing +1 added lines, -1 removed lines

@@ -56,7 +56,7 @@
     public function get($doctype) {
         if (isset($this->aliases[$doctype])) $doctype = $this->aliases[$doctype];
         if (!isset($this->doctypes[$doctype])) {
-            trigger_error('Doctype ' . htmlspecialchars($doctype, ENT_COMPAT | ENT_HTML401, 'UTF-8', false) . ' does not exist', E_USER_ERROR);
+            trigger_error('Doctype '.htmlspecialchars($doctype, ENT_COMPAT | ENT_HTML401, 'UTF-8', false).' does not exist', E_USER_ERROR);
             $anon = new HTMLPurifier_Doctype($doctype);
             return $anon;
         }

classes/security/htmlpurifier/library/HTMLPurifier/Encoder.php

Doc Comments +5 added lines

@@ -31,6 +31,9 @@ 
 
     /**
      * iconv wrapper which mutes errors and works around bugs.
+     * @param string $in
+     * @param string $out
+     * @param string $text
      */
     public static function iconv($in, $out, $text, $max_chunk_size = 8000) {
         $code = self::testIconvTruncateBug();
@@ -332,6 +335,7 @@ 
 
     /**
      * Converts a string to UTF-8 based on configuration.
+     * @param HTMLPurifier_Context $context
      */
     public static function convertToUTF8($str, $config, $context) {
         $encoding = $config->get('Core.Encoding');
@@ -362,6 +366,7 @@ 
      * Converts a string from UTF-8 based on configuration.
      * @note Currently, this is a lossy conversion, with unexpressable
      *       characters being omitted.
+     * @param HTMLPurifier_Context $context
      */
     public static function convertFromUTF8($str, $config, $context) {
         $encoding = $config->get('Core.Encoding');

Indentation +526 added lines, -526 removed lines

@@ -7,532 +7,532 @@
 class HTMLPurifier_Encoder
 {
 
-    /**
-     * Constructor throws fatal error if you attempt to instantiate class
-     */
-    private function __construct() {
-        trigger_error('Cannot instantiate encoder, call methods statically', E_USER_ERROR);
-    }
-
-    /**
-     * Error-handler that mutes errors, alternative to shut-up operator.
-     */
-    public static function muteErrorHandler() {}
-
-    /**
-     * iconv wrapper which mutes errors, but doesn't work around bugs.
-     */
-    public static function unsafeIconv($in, $out, $text) {
-        set_error_handler(array('HTMLPurifier_Encoder', 'muteErrorHandler'));
-        $r = iconv($in, $out, $text);
-        restore_error_handler();
-        return $r;
-    }
-
-    /**
-     * iconv wrapper which mutes errors and works around bugs.
-     */
-    public static function iconv($in, $out, $text, $max_chunk_size = 8000) {
-        $code = self::testIconvTruncateBug();
-        if ($code == self::ICONV_OK) {
-            return self::unsafeIconv($in, $out, $text);
-        } elseif ($code == self::ICONV_TRUNCATES) {
-            // we can only work around this if the input character set
-            // is utf-8
-            if ($in == 'utf-8') {
-                if ($max_chunk_size < 4) {
-                    trigger_error('max_chunk_size is too small', E_USER_WARNING);
-                    return false;
-                }
-                // split into 8000 byte chunks, but be careful to handle
-                // multibyte boundaries properly
-                if (($c = strlen($text)) <= $max_chunk_size) {
-                    return self::unsafeIconv($in, $out, $text);
-                }
-                $r = '';
-                $i = 0;
-                while (true) {
-                    if ($i + $max_chunk_size >= $c) {
-                        $r .= self::unsafeIconv($in, $out, substr($text, $i));
-                        break;
-                    }
-                    // wibble the boundary
-                    if (0x80 != (0xC0 & ord($text[$i + $max_chunk_size]))) {
-                        $chunk_size = $max_chunk_size;
-                    } elseif (0x80 != (0xC0 & ord($text[$i + $max_chunk_size - 1]))) {
-                        $chunk_size = $max_chunk_size - 1;
-                    } elseif (0x80 != (0xC0 & ord($text[$i + $max_chunk_size - 2]))) {
-                        $chunk_size = $max_chunk_size - 2;
-                    } elseif (0x80 != (0xC0 & ord($text[$i + $max_chunk_size - 3]))) {
-                        $chunk_size = $max_chunk_size - 3;
-                    } else {
-                        return false; // rather confusing UTF-8...
-                    }
-                    $chunk = substr($text, $i, $chunk_size); // substr doesn't mind overlong lengths
-                    $r .= self::unsafeIconv($in, $out, $chunk);
-                    $i += $chunk_size;
-                }
-                return $r;
-            } else {
-                return false;
-            }
-        } else {
-            return false;
-        }
-    }
-
-    /**
-     * Cleans a UTF-8 string for well-formedness and SGML validity
-     *
-     * It will parse according to UTF-8 and return a valid UTF8 string, with
-     * non-SGML codepoints excluded.
-     *
-     * @note Just for reference, the non-SGML code points are 0 to 31 and
-     *       127 to 159, inclusive.  However, we allow code points 9, 10
-     *       and 13, which are the tab, line feed and carriage return
-     *       respectively. 128 and above the code points map to multibyte
-     *       UTF-8 representations.
-     *
-     * @note Fallback code adapted from utf8ToUnicode by Henri Sivonen and
-     *       hsivonen@iki.fi at <http://iki.fi/hsivonen/php-utf8/> under the
-     *       LGPL license.  Notes on what changed are inside, but in general,
-     *       the original code transformed UTF-8 text into an array of integer
-     *       Unicode codepoints. Understandably, transforming that back to
-     *       a string would be somewhat expensive, so the function was modded to
-     *       directly operate on the string.  However, this discourages code
-     *       reuse, and the logic enumerated here would be useful for any
-     *       function that needs to be able to understand UTF-8 characters.
-     *       As of right now, only smart lossless character encoding converters
-     *       would need that, and I'm probably not going to implement them.
-     *       Once again, PHP 6 should solve all our problems.
-     */
-    public static function cleanUTF8($str, $force_php = false) {
-
-        // UTF-8 validity is checked since PHP 4.3.5
-        // This is an optimization: if the string is already valid UTF-8, no
-        // need to do PHP stuff. 99% of the time, this will be the case.
-        // The regexp matches the XML char production, as well as well as excluding
-        // non-SGML codepoints U+007F to U+009F
-        if (preg_match('/^[\x{9}\x{A}\x{D}\x{20}-\x{7E}\x{A0}-\x{D7FF}\x{E000}-\x{FFFD}\x{10000}-\x{10FFFF}]*$/Du', $str)) {
-            return $str;
-        }
-
-        $mState = 0; // cached expected number of octets after the current octet
-                     // until the beginning of the next UTF8 character sequence
-        $mUcs4  = 0; // cached Unicode character
-        $mBytes = 1; // cached expected number of octets in the current sequence
-
-        // original code involved an $out that was an array of Unicode
-        // codepoints.  Instead of having to convert back into UTF-8, we've
-        // decided to directly append valid UTF-8 characters onto a string
-        // $out once they're done.  $char accumulates raw bytes, while $mUcs4
-        // turns into the Unicode code point, so there's some redundancy.
-
-        $out = '';
-        $char = '';
-
-        $len = strlen($str);
-        for($i = 0; $i < $len; $i++) {
-            $in = ord($str{$i});
-            $char .= $str[$i]; // append byte to char
-            if (0 == $mState) {
-                // When mState is zero we expect either a US-ASCII character
-                // or a multi-octet sequence.
-                if (0 == (0x80 & ($in))) {
-                    // US-ASCII, pass straight through.
-                    if (($in <= 31 || $in == 127) &&
-                        !($in == 9 || $in == 13 || $in == 10) // save \r\t\n
-                    ) {
-                        // control characters, remove
-                    } else {
-                        $out .= $char;
-                    }
-                    // reset
-                    $char = '';
-                    $mBytes = 1;
-                } elseif (0xC0 == (0xE0 & ($in))) {
-                    // First octet of 2 octet sequence
-                    $mUcs4 = ($in);
-                    $mUcs4 = ($mUcs4 & 0x1F) << 6;
-                    $mState = 1;
-                    $mBytes = 2;
-                } elseif (0xE0 == (0xF0 & ($in))) {
-                    // First octet of 3 octet sequence
-                    $mUcs4 = ($in);
-                    $mUcs4 = ($mUcs4 & 0x0F) << 12;
-                    $mState = 2;
-                    $mBytes = 3;
-                } elseif (0xF0 == (0xF8 & ($in))) {
-                    // First octet of 4 octet sequence
-                    $mUcs4 = ($in);
-                    $mUcs4 = ($mUcs4 & 0x07) << 18;
-                    $mState = 3;
-                    $mBytes = 4;
-                } elseif (0xF8 == (0xFC & ($in))) {
-                    // First octet of 5 octet sequence.
-                    //
-                    // This is illegal because the encoded codepoint must be
-                    // either:
-                    // (a) not the shortest form or
-                    // (b) outside the Unicode range of 0-0x10FFFF.
-                    // Rather than trying to resynchronize, we will carry on
-                    // until the end of the sequence and let the later error
-                    // handling code catch it.
-                    $mUcs4 = ($in);
-                    $mUcs4 = ($mUcs4 & 0x03) << 24;
-                    $mState = 4;
-                    $mBytes = 5;
-                } elseif (0xFC == (0xFE & ($in))) {
-                    // First octet of 6 octet sequence, see comments for 5
-                    // octet sequence.
-                    $mUcs4 = ($in);
-                    $mUcs4 = ($mUcs4 & 1) << 30;
-                    $mState = 5;
-                    $mBytes = 6;
-                } else {
-                    // Current octet is neither in the US-ASCII range nor a
-                    // legal first octet of a multi-octet sequence.
-                    $mState = 0;
-                    $mUcs4  = 0;
-                    $mBytes = 1;
-                    $char = '';
-                }
-            } else {
-                // When mState is non-zero, we expect a continuation of the
-                // multi-octet sequence
-                if (0x80 == (0xC0 & ($in))) {
-                    // Legal continuation.
-                    $shift = ($mState - 1) * 6;
-                    $tmp = $in;
-                    $tmp = ($tmp & 0x0000003F) << $shift;
-                    $mUcs4 |= $tmp;
-
-                    if (0 == --$mState) {
-                        // End of the multi-octet sequence. mUcs4 now contains
-                        // the final Unicode codepoint to be output
-
-                        // Check for illegal sequences and codepoints.
-
-                        // From Unicode 3.1, non-shortest form is illegal
-                        if (((2 == $mBytes) && ($mUcs4 < 0x0080)) ||
-                            ((3 == $mBytes) && ($mUcs4 < 0x0800)) ||
-                            ((4 == $mBytes) && ($mUcs4 < 0x10000)) ||
-                            (4 < $mBytes) ||
-                            // From Unicode 3.2, surrogate characters = illegal
-                            (($mUcs4 & 0xFFFFF800) == 0xD800) ||
-                            // Codepoints outside the Unicode range are illegal
-                            ($mUcs4 > 0x10FFFF)
-                        ) {
-
-                        } elseif (0xFEFF != $mUcs4 && // omit BOM
-                            // check for valid Char unicode codepoints
-                            (
-                                0x9 == $mUcs4 ||
-                                0xA == $mUcs4 ||
-                                0xD == $mUcs4 ||
-                                (0x20 <= $mUcs4 && 0x7E >= $mUcs4) ||
-                                // 7F-9F is not strictly prohibited by XML,
-                                // but it is non-SGML, and thus we don't allow it
-                                (0xA0 <= $mUcs4 && 0xD7FF >= $mUcs4) ||
-                                (0x10000 <= $mUcs4 && 0x10FFFF >= $mUcs4)
-                            )
-                        ) {
-                            $out .= $char;
-                        }
-                        // initialize UTF8 cache (reset)
-                        $mState = 0;
-                        $mUcs4  = 0;
-                        $mBytes = 1;
-                        $char = '';
-                    }
-                } else {
-                    // ((0xC0 & (*in) != 0x80) && (mState != 0))
-                    // Incomplete multi-octet sequence.
-                    // used to result in complete fail, but we'll reset
-                    $mState = 0;
-                    $mUcs4  = 0;
-                    $mBytes = 1;
-                    $char ='';
-                }
-            }
-        }
-        return $out;
-    }
-
-    /**
-     * Translates a Unicode codepoint into its corresponding UTF-8 character.
-     * @note Based on Feyd's function at
-     *       <http://forums.devnetwork.net/viewtopic.php?p=191404#191404>,
-     *       which is in public domain.
-     * @note While we're going to do code point parsing anyway, a good
-     *       optimization would be to refuse to translate code points that
-     *       are non-SGML characters.  However, this could lead to duplication.
-     * @note This is very similar to the unichr function in
-     *       maintenance/generate-entity-file.php (although this is superior,
-     *       due to its sanity checks).
-     */
-
-    // +----------+----------+----------+----------+
-    // | 33222222 | 22221111 | 111111   |          |
-    // | 10987654 | 32109876 | 54321098 | 76543210 | bit
-    // +----------+----------+----------+----------+
-    // |          |          |          | 0xxxxxxx | 1 byte 0x00000000..0x0000007F
-    // |          |          | 110yyyyy | 10xxxxxx | 2 byte 0x00000080..0x000007FF
-    // |          | 1110zzzz | 10yyyyyy | 10xxxxxx | 3 byte 0x00000800..0x0000FFFF
-    // | 11110www | 10wwzzzz | 10yyyyyy | 10xxxxxx | 4 byte 0x00010000..0x0010FFFF
-    // +----------+----------+----------+----------+
-    // | 00000000 | 00011111 | 11111111 | 11111111 | Theoretical upper limit of legal scalars: 2097151 (0x001FFFFF)
-    // | 00000000 | 00010000 | 11111111 | 11111111 | Defined upper limit of legal scalar codes
-    // +----------+----------+----------+----------+
-
-    public static function unichr($code) {
-        if($code > 1114111 or $code < 0 or
-          ($code >= 55296 and $code <= 57343) ) {
-            // bits are set outside the "valid" range as defined
-            // by UNICODE 4.1.0
-            return '';
-        }
-
-        $x = $y = $z = $w = 0;
-        if ($code < 128) {
-            // regular ASCII character
-            $x = $code;
-        } else {
-            // set up bits for UTF-8
-            $x = ($code & 63) | 128;
-            if ($code < 2048) {
-                $y = (($code & 2047) >> 6) | 192;
-            } else {
-                $y = (($code & 4032) >> 6) | 128;
-                if($code < 65536) {
-                    $z = (($code >> 12) & 15) | 224;
-                } else {
-                    $z = (($code >> 12) & 63) | 128;
-                    $w = (($code >> 18) & 7)  | 240;
-                }
-            }
-        }
-        // set up the actual character
-        $ret = '';
-        if($w) $ret .= chr($w);
-        if($z) $ret .= chr($z);
-        if($y) $ret .= chr($y);
-        $ret .= chr($x);
-
-        return $ret;
-    }
-
-    public static function iconvAvailable() {
-        static $iconv = null;
-        if ($iconv === null) {
-            $iconv = function_exists('iconv') && self::testIconvTruncateBug() != self::ICONV_UNUSABLE;
-        }
-        return $iconv;
-    }
-
-    /**
-     * Converts a string to UTF-8 based on configuration.
-     */
-    public static function convertToUTF8($str, $config, $context) {
-        $encoding = $config->get('Core.Encoding');
-        if ($encoding === 'utf-8') return $str;
-        static $iconv = null;
-        if ($iconv === null) $iconv = self::iconvAvailable();
-        if ($iconv && !$config->get('Test.ForceNoIconv')) {
-            // unaffected by bugs, since UTF-8 support all characters
-            $str = self::unsafeIconv($encoding, 'utf-8//IGNORE', $str);
-            if ($str === false) {
-                // $encoding is not a valid encoding
-                trigger_error('Invalid encoding ' . $encoding, E_USER_ERROR);
-                return '';
-            }
-            // If the string is bjorked by Shift_JIS or a similar encoding
-            // that doesn't support all of ASCII, convert the naughty
-            // characters to their true byte-wise ASCII/UTF-8 equivalents.
-            $str = strtr($str, self::testEncodingSupportsASCII($encoding));
-            return $str;
-        } elseif ($encoding === 'iso-8859-1') {
-            $str = utf8_encode($str);
-            return $str;
-        }
-        trigger_error('Encoding not supported, please install iconv', E_USER_ERROR);
-    }
-
-    /**
-     * Converts a string from UTF-8 based on configuration.
-     * @note Currently, this is a lossy conversion, with unexpressable
-     *       characters being omitted.
-     */
-    public static function convertFromUTF8($str, $config, $context) {
-        $encoding = $config->get('Core.Encoding');
-        if ($escape = $config->get('Core.EscapeNonASCIICharacters')) {
-            $str = self::convertToASCIIDumbLossless($str);
-        }
-        if ($encoding === 'utf-8') return $str;
-        static $iconv = null;
-        if ($iconv === null) $iconv = self::iconvAvailable();
-        if ($iconv && !$config->get('Test.ForceNoIconv')) {
-            // Undo our previous fix in convertToUTF8, otherwise iconv will barf
-            $ascii_fix = self::testEncodingSupportsASCII($encoding);
-            if (!$escape && !empty($ascii_fix)) {
-                $clear_fix = array();
-                foreach ($ascii_fix as $utf8 => $native) $clear_fix[$utf8] = '';
-                $str = strtr($str, $clear_fix);
-            }
-            $str = strtr($str, array_flip($ascii_fix));
-            // Normal stuff
-            $str = self::iconv('utf-8', $encoding . '//IGNORE', $str);
-            return $str;
-        } elseif ($encoding === 'iso-8859-1') {
-            $str = utf8_decode($str);
-            return $str;
-        }
-        trigger_error('Encoding not supported', E_USER_ERROR);
-        // You might be tempted to assume that the ASCII representation
-        // might be OK, however, this is *not* universally true over all
-        // encodings.  So we take the conservative route here, rather
-        // than forcibly turn on %Core.EscapeNonASCIICharacters
-    }
-
-    /**
-     * Lossless (character-wise) conversion of HTML to ASCII
-     * @param $str UTF-8 string to be converted to ASCII
-     * @returns ASCII encoded string with non-ASCII character entity-ized
-     * @warning Adapted from MediaWiki, claiming fair use: this is a common
-     *       algorithm. If you disagree with this license fudgery,
-     *       implement it yourself.
-     * @note Uses decimal numeric entities since they are best supported.
-     * @note This is a DUMB function: it has no concept of keeping
-     *       character entities that the projected character encoding
-     *       can allow. We could possibly implement a smart version
-     *       but that would require it to also know which Unicode
-     *       codepoints the charset supported (not an easy task).
-     * @note Sort of with cleanUTF8() but it assumes that $str is
-     *       well-formed UTF-8
-     */
-    public static function convertToASCIIDumbLossless($str) {
-        $bytesleft = 0;
-        $result = '';
-        $working = 0;
-        $len = strlen($str);
-        for( $i = 0; $i < $len; $i++ ) {
-            $bytevalue = ord( $str[$i] );
-            if( $bytevalue <= 0x7F ) { //0xxx xxxx
-                $result .= chr( $bytevalue );
-                $bytesleft = 0;
-            } elseif( $bytevalue <= 0xBF ) { //10xx xxxx
-                $working = $working << 6;
-                $working += ($bytevalue & 0x3F);
-                $bytesleft--;
-                if( $bytesleft <= 0 ) {
-                    $result .= "&#" . $working . ";";
-                }
-            } elseif( $bytevalue <= 0xDF ) { //110x xxxx
-                $working = $bytevalue & 0x1F;
-                $bytesleft = 1;
-            } elseif( $bytevalue <= 0xEF ) { //1110 xxxx
-                $working = $bytevalue & 0x0F;
-                $bytesleft = 2;
-            } else { //1111 0xxx
-                $working = $bytevalue & 0x07;
-                $bytesleft = 3;
-            }
-        }
-        return $result;
-    }
-
-    /** No bugs detected in iconv. */
-    const ICONV_OK = 0;
-
-    /** Iconv truncates output if converting from UTF-8 to another
-     *  character set with //IGNORE, and a non-encodable character is found */
-    const ICONV_TRUNCATES = 1;
-
-    /** Iconv does not support //IGNORE, making it unusable for
-     *  transcoding purposes */
-    const ICONV_UNUSABLE = 2;
-
-    /**
-     * glibc iconv has a known bug where it doesn't handle the magic
-     * //IGNORE stanza correctly.  In particular, rather than ignore
-     * characters, it will return an EILSEQ after consuming some number
-     * of characters, and expect you to restart iconv as if it were
-     * an E2BIG.  Old versions of PHP did not respect the errno, and
-     * returned the fragment, so as a result you would see iconv
-     * mysteriously truncating output. We can work around this by
-     * manually chopping our input into segments of about 8000
-     * characters, as long as PHP ignores the error code.  If PHP starts
-     * paying attention to the error code, iconv becomes unusable.
-     *
-     * @returns Error code indicating severity of bug.
-     */
-    public static function testIconvTruncateBug() {
-        static $code = null;
-        if ($code === null) {
-            // better not use iconv, otherwise infinite loop!
-            $r = self::unsafeIconv('utf-8', 'ascii//IGNORE', "\xCE\xB1" . str_repeat('a', 9000));
-            if ($r === false) {
-                $code = self::ICONV_UNUSABLE;
-            } elseif (($c = strlen($r)) < 9000) {
-                $code = self::ICONV_TRUNCATES;
-            } elseif ($c > 9000) {
-                trigger_error('Your copy of iconv is extremely buggy. Please notify HTML Purifier maintainers: include your iconv version as per phpversion()', E_USER_ERROR);
-            } else {
-                $code = self::ICONV_OK;
-            }
-        }
-        return $code;
-    }
-
-    /**
-     * This expensive function tests whether or not a given character
-     * encoding supports ASCII. 7/8-bit encodings like Shift_JIS will
-     * fail this test, and require special processing. Variable width
-     * encodings shouldn't ever fail.
-     *
-     * @param string $encoding Encoding name to test, as per iconv format
-     * @param bool $bypass Whether or not to bypass the precompiled arrays.
-     * @return Array of UTF-8 characters to their corresponding ASCII,
-     *      which can be used to "undo" any overzealous iconv action.
-     */
-    public static function testEncodingSupportsASCII($encoding, $bypass = false) {
-        // All calls to iconv here are unsafe, proof by case analysis:
-        // If ICONV_OK, no difference.
-        // If ICONV_TRUNCATE, all calls involve one character inputs,
-        // so bug is not triggered.
-        // If ICONV_UNUSABLE, this call is irrelevant
-        static $encodings = array();
-        if (!$bypass) {
-            if (isset($encodings[$encoding])) return $encodings[$encoding];
-            $lenc = strtolower($encoding);
-            switch ($lenc) {
-                case 'shift_jis':
-                    return array("\xC2\xA5" => '\\', "\xE2\x80\xBE" => '~');
-                case 'johab':
-                    return array("\xE2\x82\xA9" => '\\');
-            }
-            if (strpos($lenc, 'iso-8859-') === 0) return array();
-        }
-        $ret = array();
-        if (self::unsafeIconv('UTF-8', $encoding, 'a') === false) return false;
-        for ($i = 0x20; $i <= 0x7E; $i++) { // all printable ASCII chars
-            $c = chr($i); // UTF-8 char
-            $r = self::unsafeIconv('UTF-8', "$encoding//IGNORE", $c); // initial conversion
-            if (
-                $r === '' ||
-                // This line is needed for iconv implementations that do not
-                // omit characters that do not exist in the target character set
-                ($r === $c && self::unsafeIconv($encoding, 'UTF-8//IGNORE', $r) !== $c)
-            ) {
-                // Reverse engineer: what's the UTF-8 equiv of this byte
-                // sequence? This assumes that there's no variable width
-                // encoding that doesn't support ASCII.
-                $ret[self::unsafeIconv($encoding, 'UTF-8//IGNORE', $c)] = $c;
-            }
-        }
-        $encodings[$encoding] = $ret;
-        return $ret;
-    }
+	/**
+	 * Constructor throws fatal error if you attempt to instantiate class
+	 */
+	private function __construct() {
+		trigger_error('Cannot instantiate encoder, call methods statically', E_USER_ERROR);
+	}
+
+	/**
+	 * Error-handler that mutes errors, alternative to shut-up operator.
+	 */
+	public static function muteErrorHandler() {}
+
+	/**
+	 * iconv wrapper which mutes errors, but doesn't work around bugs.
+	 */
+	public static function unsafeIconv($in, $out, $text) {
+		set_error_handler(array('HTMLPurifier_Encoder', 'muteErrorHandler'));
+		$r = iconv($in, $out, $text);
+		restore_error_handler();
+		return $r;
+	}
+
+	/**
+	 * iconv wrapper which mutes errors and works around bugs.
+	 */
+	public static function iconv($in, $out, $text, $max_chunk_size = 8000) {
+		$code = self::testIconvTruncateBug();
+		if ($code == self::ICONV_OK) {
+			return self::unsafeIconv($in, $out, $text);
+		} elseif ($code == self::ICONV_TRUNCATES) {
+			// we can only work around this if the input character set
+			// is utf-8
+			if ($in == 'utf-8') {
+				if ($max_chunk_size < 4) {
+					trigger_error('max_chunk_size is too small', E_USER_WARNING);
+					return false;
+				}
+				// split into 8000 byte chunks, but be careful to handle
+				// multibyte boundaries properly
+				if (($c = strlen($text)) <= $max_chunk_size) {
+					return self::unsafeIconv($in, $out, $text);
+				}
+				$r = '';
+				$i = 0;
+				while (true) {
+					if ($i + $max_chunk_size >= $c) {
+						$r .= self::unsafeIconv($in, $out, substr($text, $i));
+						break;
+					}
+					// wibble the boundary
+					if (0x80 != (0xC0 & ord($text[$i + $max_chunk_size]))) {
+						$chunk_size = $max_chunk_size;
+					} elseif (0x80 != (0xC0 & ord($text[$i + $max_chunk_size - 1]))) {
+						$chunk_size = $max_chunk_size - 1;
+					} elseif (0x80 != (0xC0 & ord($text[$i + $max_chunk_size - 2]))) {
+						$chunk_size = $max_chunk_size - 2;
+					} elseif (0x80 != (0xC0 & ord($text[$i + $max_chunk_size - 3]))) {
+						$chunk_size = $max_chunk_size - 3;
+					} else {
+						return false; // rather confusing UTF-8...
+					}
+					$chunk = substr($text, $i, $chunk_size); // substr doesn't mind overlong lengths
+					$r .= self::unsafeIconv($in, $out, $chunk);
+					$i += $chunk_size;
+				}
+				return $r;
+			} else {
+				return false;
+			}
+		} else {
+			return false;
+		}
+	}
+
+	/**
+	 * Cleans a UTF-8 string for well-formedness and SGML validity
+	 *
+	 * It will parse according to UTF-8 and return a valid UTF8 string, with
+	 * non-SGML codepoints excluded.
+	 *
+	 * @note Just for reference, the non-SGML code points are 0 to 31 and
+	 *       127 to 159, inclusive.  However, we allow code points 9, 10
+	 *       and 13, which are the tab, line feed and carriage return
+	 *       respectively. 128 and above the code points map to multibyte
+	 *       UTF-8 representations.
+	 *
+	 * @note Fallback code adapted from utf8ToUnicode by Henri Sivonen and
+	 *       hsivonen@iki.fi at <http://iki.fi/hsivonen/php-utf8/> under the
+	 *       LGPL license.  Notes on what changed are inside, but in general,
+	 *       the original code transformed UTF-8 text into an array of integer
+	 *       Unicode codepoints. Understandably, transforming that back to
+	 *       a string would be somewhat expensive, so the function was modded to
+	 *       directly operate on the string.  However, this discourages code
+	 *       reuse, and the logic enumerated here would be useful for any
+	 *       function that needs to be able to understand UTF-8 characters.
+	 *       As of right now, only smart lossless character encoding converters
+	 *       would need that, and I'm probably not going to implement them.
+	 *       Once again, PHP 6 should solve all our problems.
+	 */
+	public static function cleanUTF8($str, $force_php = false) {
+
+		// UTF-8 validity is checked since PHP 4.3.5
+		// This is an optimization: if the string is already valid UTF-8, no
+		// need to do PHP stuff. 99% of the time, this will be the case.
+		// The regexp matches the XML char production, as well as well as excluding
+		// non-SGML codepoints U+007F to U+009F
+		if (preg_match('/^[\x{9}\x{A}\x{D}\x{20}-\x{7E}\x{A0}-\x{D7FF}\x{E000}-\x{FFFD}\x{10000}-\x{10FFFF}]*$/Du', $str)) {
+			return $str;
+		}
+
+		$mState = 0; // cached expected number of octets after the current octet
+					 // until the beginning of the next UTF8 character sequence
+		$mUcs4  = 0; // cached Unicode character
+		$mBytes = 1; // cached expected number of octets in the current sequence
+
+		// original code involved an $out that was an array of Unicode
+		// codepoints.  Instead of having to convert back into UTF-8, we've
+		// decided to directly append valid UTF-8 characters onto a string
+		// $out once they're done.  $char accumulates raw bytes, while $mUcs4
+		// turns into the Unicode code point, so there's some redundancy.
+
+		$out = '';
+		$char = '';
+
+		$len = strlen($str);
+		for($i = 0; $i < $len; $i++) {
+			$in = ord($str{$i});
+			$char .= $str[$i]; // append byte to char
+			if (0 == $mState) {
+				// When mState is zero we expect either a US-ASCII character
+				// or a multi-octet sequence.
+				if (0 == (0x80 & ($in))) {
+					// US-ASCII, pass straight through.
+					if (($in <= 31 || $in == 127) &&
+						!($in == 9 || $in == 13 || $in == 10) // save \r\t\n
+					) {
+						// control characters, remove
+					} else {
+						$out .= $char;
+					}
+					// reset
+					$char = '';
+					$mBytes = 1;
+				} elseif (0xC0 == (0xE0 & ($in))) {
+					// First octet of 2 octet sequence
+					$mUcs4 = ($in);
+					$mUcs4 = ($mUcs4 & 0x1F) << 6;
+					$mState = 1;
+					$mBytes = 2;
+				} elseif (0xE0 == (0xF0 & ($in))) {
+					// First octet of 3 octet sequence
+					$mUcs4 = ($in);
+					$mUcs4 = ($mUcs4 & 0x0F) << 12;
+					$mState = 2;
+					$mBytes = 3;
+				} elseif (0xF0 == (0xF8 & ($in))) {
+					// First octet of 4 octet sequence
+					$mUcs4 = ($in);
+					$mUcs4 = ($mUcs4 & 0x07) << 18;
+					$mState = 3;
+					$mBytes = 4;
+				} elseif (0xF8 == (0xFC & ($in))) {
+					// First octet of 5 octet sequence.
+					//
+					// This is illegal because the encoded codepoint must be
+					// either:
+					// (a) not the shortest form or
+					// (b) outside the Unicode range of 0-0x10FFFF.
+					// Rather than trying to resynchronize, we will carry on
+					// until the end of the sequence and let the later error
+					// handling code catch it.
+					$mUcs4 = ($in);
+					$mUcs4 = ($mUcs4 & 0x03) << 24;
+					$mState = 4;
+					$mBytes = 5;
+				} elseif (0xFC == (0xFE & ($in))) {
+					// First octet of 6 octet sequence, see comments for 5
+					// octet sequence.
+					$mUcs4 = ($in);
+					$mUcs4 = ($mUcs4 & 1) << 30;
+					$mState = 5;
+					$mBytes = 6;
+				} else {
+					// Current octet is neither in the US-ASCII range nor a
+					// legal first octet of a multi-octet sequence.
+					$mState = 0;
+					$mUcs4  = 0;
+					$mBytes = 1;
+					$char = '';
+				}
+			} else {
+				// When mState is non-zero, we expect a continuation of the
+				// multi-octet sequence
+				if (0x80 == (0xC0 & ($in))) {
+					// Legal continuation.
+					$shift = ($mState - 1) * 6;
+					$tmp = $in;
+					$tmp = ($tmp & 0x0000003F) << $shift;
+					$mUcs4 |= $tmp;
+
+					if (0 == --$mState) {
+						// End of the multi-octet sequence. mUcs4 now contains
+						// the final Unicode codepoint to be output
+
+						// Check for illegal sequences and codepoints.
+
+						// From Unicode 3.1, non-shortest form is illegal
+						if (((2 == $mBytes) && ($mUcs4 < 0x0080)) ||
+							((3 == $mBytes) && ($mUcs4 < 0x0800)) ||
+							((4 == $mBytes) && ($mUcs4 < 0x10000)) ||
+							(4 < $mBytes) ||
+							// From Unicode 3.2, surrogate characters = illegal
+							(($mUcs4 & 0xFFFFF800) == 0xD800) ||
+							// Codepoints outside the Unicode range are illegal
+							($mUcs4 > 0x10FFFF)
+						) {
+
+						} elseif (0xFEFF != $mUcs4 && // omit BOM
+							// check for valid Char unicode codepoints
+							(
+								0x9 == $mUcs4 ||
+								0xA == $mUcs4 ||
+								0xD == $mUcs4 ||
+								(0x20 <= $mUcs4 && 0x7E >= $mUcs4) ||
+								// 7F-9F is not strictly prohibited by XML,
+								// but it is non-SGML, and thus we don't allow it
+								(0xA0 <= $mUcs4 && 0xD7FF >= $mUcs4) ||
+								(0x10000 <= $mUcs4 && 0x10FFFF >= $mUcs4)
+							)
+						) {
+							$out .= $char;
+						}
+						// initialize UTF8 cache (reset)
+						$mState = 0;
+						$mUcs4  = 0;
+						$mBytes = 1;
+						$char = '';
+					}
+				} else {
+					// ((0xC0 & (*in) != 0x80) && (mState != 0))
+					// Incomplete multi-octet sequence.
+					// used to result in complete fail, but we'll reset
+					$mState = 0;
+					$mUcs4  = 0;
+					$mBytes = 1;
+					$char ='';
+				}
+			}
+		}
+		return $out;
+	}
+
+	/**
+	 * Translates a Unicode codepoint into its corresponding UTF-8 character.
+	 * @note Based on Feyd's function at
+	 *       <http://forums.devnetwork.net/viewtopic.php?p=191404#191404>,
+	 *       which is in public domain.
+	 * @note While we're going to do code point parsing anyway, a good
+	 *       optimization would be to refuse to translate code points that
+	 *       are non-SGML characters.  However, this could lead to duplication.
+	 * @note This is very similar to the unichr function in
+	 *       maintenance/generate-entity-file.php (although this is superior,
+	 *       due to its sanity checks).
+	 */
+
+	// +----------+----------+----------+----------+
+	// | 33222222 | 22221111 | 111111   |          |
+	// | 10987654 | 32109876 | 54321098 | 76543210 | bit
+	// +----------+----------+----------+----------+
+	// |          |          |          | 0xxxxxxx | 1 byte 0x00000000..0x0000007F
+	// |          |          | 110yyyyy | 10xxxxxx | 2 byte 0x00000080..0x000007FF
+	// |          | 1110zzzz | 10yyyyyy | 10xxxxxx | 3 byte 0x00000800..0x0000FFFF
+	// | 11110www | 10wwzzzz | 10yyyyyy | 10xxxxxx | 4 byte 0x00010000..0x0010FFFF
+	// +----------+----------+----------+----------+
+	// | 00000000 | 00011111 | 11111111 | 11111111 | Theoretical upper limit of legal scalars: 2097151 (0x001FFFFF)
+	// | 00000000 | 00010000 | 11111111 | 11111111 | Defined upper limit of legal scalar codes
+	// +----------+----------+----------+----------+
+
+	public static function unichr($code) {
+		if($code > 1114111 or $code < 0 or
+		  ($code >= 55296 and $code <= 57343) ) {
+			// bits are set outside the "valid" range as defined
+			// by UNICODE 4.1.0
+			return '';
+		}
+
+		$x = $y = $z = $w = 0;
+		if ($code < 128) {
+			// regular ASCII character
+			$x = $code;
+		} else {
+			// set up bits for UTF-8
+			$x = ($code & 63) | 128;
+			if ($code < 2048) {
+				$y = (($code & 2047) >> 6) | 192;
+			} else {
+				$y = (($code & 4032) >> 6) | 128;
+				if($code < 65536) {
+					$z = (($code >> 12) & 15) | 224;
+				} else {
+					$z = (($code >> 12) & 63) | 128;
+					$w = (($code >> 18) & 7)  | 240;
+				}
+			}
+		}
+		// set up the actual character
+		$ret = '';
+		if($w) $ret .= chr($w);
+		if($z) $ret .= chr($z);
+		if($y) $ret .= chr($y);
+		$ret .= chr($x);
+
+		return $ret;
+	}
+
+	public static function iconvAvailable() {
+		static $iconv = null;
+		if ($iconv === null) {
+			$iconv = function_exists('iconv') && self::testIconvTruncateBug() != self::ICONV_UNUSABLE;
+		}
+		return $iconv;
+	}
+
+	/**
+	 * Converts a string to UTF-8 based on configuration.
+	 */
+	public static function convertToUTF8($str, $config, $context) {
+		$encoding = $config->get('Core.Encoding');
+		if ($encoding === 'utf-8') return $str;
+		static $iconv = null;
+		if ($iconv === null) $iconv = self::iconvAvailable();
+		if ($iconv && !$config->get('Test.ForceNoIconv')) {
+			// unaffected by bugs, since UTF-8 support all characters
+			$str = self::unsafeIconv($encoding, 'utf-8//IGNORE', $str);
+			if ($str === false) {
+				// $encoding is not a valid encoding
+				trigger_error('Invalid encoding ' . $encoding, E_USER_ERROR);
+				return '';
+			}
+			// If the string is bjorked by Shift_JIS or a similar encoding
+			// that doesn't support all of ASCII, convert the naughty
+			// characters to their true byte-wise ASCII/UTF-8 equivalents.
+			$str = strtr($str, self::testEncodingSupportsASCII($encoding));
+			return $str;
+		} elseif ($encoding === 'iso-8859-1') {
+			$str = utf8_encode($str);
+			return $str;
+		}
+		trigger_error('Encoding not supported, please install iconv', E_USER_ERROR);
+	}
+
+	/**
+	 * Converts a string from UTF-8 based on configuration.
+	 * @note Currently, this is a lossy conversion, with unexpressable
+	 *       characters being omitted.
+	 */
+	public static function convertFromUTF8($str, $config, $context) {
+		$encoding = $config->get('Core.Encoding');
+		if ($escape = $config->get('Core.EscapeNonASCIICharacters')) {
+			$str = self::convertToASCIIDumbLossless($str);
+		}
+		if ($encoding === 'utf-8') return $str;
+		static $iconv = null;
+		if ($iconv === null) $iconv = self::iconvAvailable();
+		if ($iconv && !$config->get('Test.ForceNoIconv')) {
+			// Undo our previous fix in convertToUTF8, otherwise iconv will barf
+			$ascii_fix = self::testEncodingSupportsASCII($encoding);
+			if (!$escape && !empty($ascii_fix)) {
+				$clear_fix = array();
+				foreach ($ascii_fix as $utf8 => $native) $clear_fix[$utf8] = '';
+				$str = strtr($str, $clear_fix);
+			}
+			$str = strtr($str, array_flip($ascii_fix));
+			// Normal stuff
+			$str = self::iconv('utf-8', $encoding . '//IGNORE', $str);
+			return $str;
+		} elseif ($encoding === 'iso-8859-1') {
+			$str = utf8_decode($str);
+			return $str;
+		}
+		trigger_error('Encoding not supported', E_USER_ERROR);
+		// You might be tempted to assume that the ASCII representation
+		// might be OK, however, this is *not* universally true over all
+		// encodings.  So we take the conservative route here, rather
+		// than forcibly turn on %Core.EscapeNonASCIICharacters
+	}
+
+	/**
+	 * Lossless (character-wise) conversion of HTML to ASCII
+	 * @param $str UTF-8 string to be converted to ASCII
+	 * @returns ASCII encoded string with non-ASCII character entity-ized
+	 * @warning Adapted from MediaWiki, claiming fair use: this is a common
+	 *       algorithm. If you disagree with this license fudgery,
+	 *       implement it yourself.
+	 * @note Uses decimal numeric entities since they are best supported.
+	 * @note This is a DUMB function: it has no concept of keeping
+	 *       character entities that the projected character encoding
+	 *       can allow. We could possibly implement a smart version
+	 *       but that would require it to also know which Unicode
+	 *       codepoints the charset supported (not an easy task).
+	 * @note Sort of with cleanUTF8() but it assumes that $str is
+	 *       well-formed UTF-8
+	 */
+	public static function convertToASCIIDumbLossless($str) {
+		$bytesleft = 0;
+		$result = '';
+		$working = 0;
+		$len = strlen($str);
+		for( $i = 0; $i < $len; $i++ ) {
+			$bytevalue = ord( $str[$i] );
+			if( $bytevalue <= 0x7F ) { //0xxx xxxx
+				$result .= chr( $bytevalue );
+				$bytesleft = 0;
+			} elseif( $bytevalue <= 0xBF ) { //10xx xxxx
+				$working = $working << 6;
+				$working += ($bytevalue & 0x3F);
+				$bytesleft--;
+				if( $bytesleft <= 0 ) {
+					$result .= "&#" . $working . ";";
+				}
+			} elseif( $bytevalue <= 0xDF ) { //110x xxxx
+				$working = $bytevalue & 0x1F;
+				$bytesleft = 1;
+			} elseif( $bytevalue <= 0xEF ) { //1110 xxxx
+				$working = $bytevalue & 0x0F;
+				$bytesleft = 2;
+			} else { //1111 0xxx
+				$working = $bytevalue & 0x07;
+				$bytesleft = 3;
+			}
+		}
+		return $result;
+	}
+
+	/** No bugs detected in iconv. */
+	const ICONV_OK = 0;
+
+	/** Iconv truncates output if converting from UTF-8 to another
+	 *  character set with //IGNORE, and a non-encodable character is found */
+	const ICONV_TRUNCATES = 1;
+
+	/** Iconv does not support //IGNORE, making it unusable for
+	 *  transcoding purposes */
+	const ICONV_UNUSABLE = 2;
+
+	/**
+	 * glibc iconv has a known bug where it doesn't handle the magic
+	 * //IGNORE stanza correctly.  In particular, rather than ignore
+	 * characters, it will return an EILSEQ after consuming some number
+	 * of characters, and expect you to restart iconv as if it were
+	 * an E2BIG.  Old versions of PHP did not respect the errno, and
+	 * returned the fragment, so as a result you would see iconv
+	 * mysteriously truncating output. We can work around this by
+	 * manually chopping our input into segments of about 8000
+	 * characters, as long as PHP ignores the error code.  If PHP starts
+	 * paying attention to the error code, iconv becomes unusable.
+	 *
+	 * @returns Error code indicating severity of bug.
+	 */
+	public static function testIconvTruncateBug() {
+		static $code = null;
+		if ($code === null) {
+			// better not use iconv, otherwise infinite loop!
+			$r = self::unsafeIconv('utf-8', 'ascii//IGNORE', "\xCE\xB1" . str_repeat('a', 9000));
+			if ($r === false) {
+				$code = self::ICONV_UNUSABLE;
+			} elseif (($c = strlen($r)) < 9000) {
+				$code = self::ICONV_TRUNCATES;
+			} elseif ($c > 9000) {
+				trigger_error('Your copy of iconv is extremely buggy. Please notify HTML Purifier maintainers: include your iconv version as per phpversion()', E_USER_ERROR);
+			} else {
+				$code = self::ICONV_OK;
+			}
+		}
+		return $code;
+	}
+
+	/**
+	 * This expensive function tests whether or not a given character
+	 * encoding supports ASCII. 7/8-bit encodings like Shift_JIS will
+	 * fail this test, and require special processing. Variable width
+	 * encodings shouldn't ever fail.
+	 *
+	 * @param string $encoding Encoding name to test, as per iconv format
+	 * @param bool $bypass Whether or not to bypass the precompiled arrays.
+	 * @return Array of UTF-8 characters to their corresponding ASCII,
+	 *      which can be used to "undo" any overzealous iconv action.
+	 */
+	public static function testEncodingSupportsASCII($encoding, $bypass = false) {
+		// All calls to iconv here are unsafe, proof by case analysis:
+		// If ICONV_OK, no difference.
+		// If ICONV_TRUNCATE, all calls involve one character inputs,
+		// so bug is not triggered.
+		// If ICONV_UNUSABLE, this call is irrelevant
+		static $encodings = array();
+		if (!$bypass) {
+			if (isset($encodings[$encoding])) return $encodings[$encoding];
+			$lenc = strtolower($encoding);
+			switch ($lenc) {
+				case 'shift_jis':
+					return array("\xC2\xA5" => '\\', "\xE2\x80\xBE" => '~');
+				case 'johab':
+					return array("\xE2\x82\xA9" => '\\');
+			}
+			if (strpos($lenc, 'iso-8859-') === 0) return array();
+		}
+		$ret = array();
+		if (self::unsafeIconv('UTF-8', $encoding, 'a') === false) return false;
+		for ($i = 0x20; $i <= 0x7E; $i++) { // all printable ASCII chars
+			$c = chr($i); // UTF-8 char
+			$r = self::unsafeIconv('UTF-8', "$encoding//IGNORE", $c); // initial conversion
+			if (
+				$r === '' ||
+				// This line is needed for iconv implementations that do not
+				// omit characters that do not exist in the target character set
+				($r === $c && self::unsafeIconv($encoding, 'UTF-8//IGNORE', $r) !== $c)
+			) {
+				// Reverse engineer: what's the UTF-8 equiv of this byte
+				// sequence? This assumes that there's no variable width
+				// encoding that doesn't support ASCII.
+				$ret[self::unsafeIconv($encoding, 'UTF-8//IGNORE', $c)] = $c;
+			}
+		}
+		$encodings[$encoding] = $ret;
+		return $ret;
+	}
 
 
 }

Braces +33 added lines, -11 removed lines

@@ -314,9 +314,15 @@ 
         }
         // set up the actual character
         $ret = '';
-        if($w) $ret .= chr($w);
-        if($z) $ret .= chr($z);
-        if($y) $ret .= chr($y);
+        if($w) {
+        	$ret .= chr($w);
+        }
+        if($z) {
+        	$ret .= chr($z);
+        }
+        if($y) {
+        	$ret .= chr($y);
+        }
         $ret .= chr($x);
 
         return $ret;
@@ -335,9 +341,13 @@ 
      */
     public static function convertToUTF8($str, $config, $context) {
         $encoding = $config->get('Core.Encoding');
-        if ($encoding === 'utf-8') return $str;
+        if ($encoding === 'utf-8') {
+        	return $str;
+        }
         static $iconv = null;
-        if ($iconv === null) $iconv = self::iconvAvailable();
+        if ($iconv === null) {
+        	$iconv = self::iconvAvailable();
+        }
         if ($iconv && !$config->get('Test.ForceNoIconv')) {
             // unaffected by bugs, since UTF-8 support all characters
             $str = self::unsafeIconv($encoding, 'utf-8//IGNORE', $str);
@@ -368,15 +378,21 @@ 
         if ($escape = $config->get('Core.EscapeNonASCIICharacters')) {
             $str = self::convertToASCIIDumbLossless($str);
         }
-        if ($encoding === 'utf-8') return $str;
+        if ($encoding === 'utf-8') {
+        	return $str;
+        }
         static $iconv = null;
-        if ($iconv === null) $iconv = self::iconvAvailable();
+        if ($iconv === null) {
+        	$iconv = self::iconvAvailable();
+        }
         if ($iconv && !$config->get('Test.ForceNoIconv')) {
             // Undo our previous fix in convertToUTF8, otherwise iconv will barf
             $ascii_fix = self::testEncodingSupportsASCII($encoding);
             if (!$escape && !empty($ascii_fix)) {
                 $clear_fix = array();
-                foreach ($ascii_fix as $utf8 => $native) $clear_fix[$utf8] = '';
+                foreach ($ascii_fix as $utf8 => $native) {
+                	$clear_fix[$utf8] = '';
+                }
                 $str = strtr($str, $clear_fix);
             }
             $str = strtr($str, array_flip($ascii_fix));
@@ -503,7 +519,9 @@ 
         // If ICONV_UNUSABLE, this call is irrelevant
         static $encodings = array();
         if (!$bypass) {
-            if (isset($encodings[$encoding])) return $encodings[$encoding];
+            if (isset($encodings[$encoding])) {
+            	return $encodings[$encoding];
+            }
             $lenc = strtolower($encoding);
             switch ($lenc) {
                 case 'shift_jis':
@@ -511,10 +529,14 @@ 
                 case 'johab':
                     return array("\xE2\x82\xA9" => '\\');
             }
-            if (strpos($lenc, 'iso-8859-') === 0) return array();
+            if (strpos($lenc, 'iso-8859-') === 0) {
+            	return array();
+            }
         }
         $ret = array();
-        if (self::unsafeIconv('UTF-8', $encoding, 'a') === false) return false;
+        if (self::unsafeIconv('UTF-8', $encoding, 'a') === false) {
+        	return false;
+        }
         for ($i = 0x20; $i <= 0x7E; $i++) { // all printable ASCII chars
             $c = chr($i); // UTF-8 char
             $r = self::unsafeIconv('UTF-8', "$encoding//IGNORE", $c); // initial conversion

Spacing +21 added lines, -21 removed lines

@@ -132,7 +132,7 @@ 
         $char = '';
 
         $len = strlen($str);
-        for($i = 0; $i < $len; $i++) {
+        for ($i = 0; $i < $len; $i++) {
             $in = ord($str{$i});
             $char .= $str[$i]; // append byte to char
             if (0 == $mState) {
@@ -252,7 +252,7 @@ 
                     $mState = 0;
                     $mUcs4  = 0;
                     $mBytes = 1;
-                    $char ='';
+                    $char = '';
                 }
             }
         }
@@ -286,8 +286,8 @@ 
     // +----------+----------+----------+----------+
 
     public static function unichr($code) {
-        if($code > 1114111 or $code < 0 or
-          ($code >= 55296 and $code <= 57343) ) {
+        if ($code > 1114111 or $code < 0 or
+          ($code >= 55296 and $code <= 57343)) {
             // bits are set outside the "valid" range as defined
             // by UNICODE 4.1.0
             return '';
@@ -304,19 +304,19 @@ 
                 $y = (($code & 2047) >> 6) | 192;
             } else {
                 $y = (($code & 4032) >> 6) | 128;
-                if($code < 65536) {
+                if ($code < 65536) {
                     $z = (($code >> 12) & 15) | 224;
                 } else {
                     $z = (($code >> 12) & 63) | 128;
-                    $w = (($code >> 18) & 7)  | 240;
+                    $w = (($code >> 18) & 7) | 240;
                 }
             }
         }
         // set up the actual character
         $ret = '';
-        if($w) $ret .= chr($w);
-        if($z) $ret .= chr($z);
-        if($y) $ret .= chr($y);
+        if ($w) $ret .= chr($w);
+        if ($z) $ret .= chr($z);
+        if ($y) $ret .= chr($y);
         $ret .= chr($x);
 
         return $ret;
@@ -343,7 +343,7 @@ 
             $str = self::unsafeIconv($encoding, 'utf-8//IGNORE', $str);
             if ($str === false) {
                 // $encoding is not a valid encoding
-                trigger_error('Invalid encoding ' . $encoding, E_USER_ERROR);
+                trigger_error('Invalid encoding '.$encoding, E_USER_ERROR);
                 return '';
             }
             // If the string is bjorked by Shift_JIS or a similar encoding
@@ -381,7 +381,7 @@ 
             }
             $str = strtr($str, array_flip($ascii_fix));
             // Normal stuff
-            $str = self::iconv('utf-8', $encoding . '//IGNORE', $str);
+            $str = self::iconv('utf-8', $encoding.'//IGNORE', $str);
             return $str;
         } elseif ($encoding === 'iso-8859-1') {
             $str = utf8_decode($str);
@@ -415,22 +415,22 @@ 
         $result = '';
         $working = 0;
         $len = strlen($str);
-        for( $i = 0; $i < $len; $i++ ) {
-            $bytevalue = ord( $str[$i] );
-            if( $bytevalue <= 0x7F ) { //0xxx xxxx
-                $result .= chr( $bytevalue );
+        for ($i = 0; $i < $len; $i++) {
+            $bytevalue = ord($str[$i]);
+            if ($bytevalue <= 0x7F) { //0xxx xxxx
+                $result .= chr($bytevalue);
                 $bytesleft = 0;
-            } elseif( $bytevalue <= 0xBF ) { //10xx xxxx
+            } elseif ($bytevalue <= 0xBF) { //10xx xxxx
                 $working = $working << 6;
                 $working += ($bytevalue & 0x3F);
                 $bytesleft--;
-                if( $bytesleft <= 0 ) {
-                    $result .= "&#" . $working . ";";
+                if ($bytesleft <= 0) {
+                    $result .= "&#".$working.";";
                 }
-            } elseif( $bytevalue <= 0xDF ) { //110x xxxx
+            } elseif ($bytevalue <= 0xDF) { //110x xxxx
                 $working = $bytevalue & 0x1F;
                 $bytesleft = 1;
-            } elseif( $bytevalue <= 0xEF ) { //1110 xxxx
+            } elseif ($bytevalue <= 0xEF) { //1110 xxxx
                 $working = $bytevalue & 0x0F;
                 $bytesleft = 2;
             } else { //1111 0xxx
@@ -470,7 +470,7 @@ 
         static $code = null;
         if ($code === null) {
             // better not use iconv, otherwise infinite loop!
-            $r = self::unsafeIconv('utf-8', 'ascii//IGNORE', "\xCE\xB1" . str_repeat('a', 9000));
+            $r = self::unsafeIconv('utf-8', 'ascii//IGNORE', "\xCE\xB1".str_repeat('a', 9000));
             if ($r === false) {
                 $code = self::ICONV_UNUSABLE;
             } elseif (($c = strlen($r)) < 9000) {

classes/security/htmlpurifier/library/HTMLPurifier/ErrorCollector.php

Doc Comments +3 added lines

@@ -25,6 +25,9 @@
 
     protected $lines = array();
 
+    /**
+     * @param HTMLPurifier_Context $context
+     */
     public function __construct($context) {
         $this->locale    =& $context->get('Locale');
         $this->context   = $context;

Indentation +196 added lines, -196 removed lines

@@ -7,202 +7,202 @@
 class HTMLPurifier_ErrorCollector
 {
 
-    /**
-     * Identifiers for the returned error array. These are purposely numeric
-     * so list() can be used.
-     */
-    const LINENO   = 0;
-    const SEVERITY = 1;
-    const MESSAGE  = 2;
-    const CHILDREN = 3;
-
-    protected $errors;
-    protected $_current;
-    protected $_stacks = array(array());
-    protected $locale;
-    protected $generator;
-    protected $context;
-
-    protected $lines = array();
-
-    public function __construct($context) {
-        $this->locale    =& $context->get('Locale');
-        $this->context   = $context;
-        $this->_current  =& $this->_stacks[0];
-        $this->errors    =& $this->_stacks[0];
-    }
-
-    /**
-     * Sends an error message to the collector for later use
-     * @param $severity int Error severity, PHP error style (don't use E_USER_)
-     * @param $msg string Error message text
-     * @param $subst1 string First substitution for $msg
-     * @param $subst2 string ...
-     */
-    public function send($severity, $msg) {
-
-        $args = array();
-        if (func_num_args() > 2) {
-            $args = func_get_args();
-            array_shift($args);
-            unset($args[0]);
-        }
-
-        $token = $this->context->get('CurrentToken', true);
-        $line  = $token ? $token->line : $this->context->get('CurrentLine', true);
-        $col   = $token ? $token->col  : $this->context->get('CurrentCol',  true);
-        $attr  = $this->context->get('CurrentAttr', true);
-
-        // perform special substitutions, also add custom parameters
-        $subst = array();
-        if (!is_null($token)) {
-            $args['CurrentToken'] = $token;
-        }
-        if (!is_null($attr)) {
-            $subst['$CurrentAttr.Name'] = $attr;
-            if (isset($token->attr[$attr])) $subst['$CurrentAttr.Value'] = $token->attr[$attr];
-        }
-
-        if (empty($args)) {
-            $msg = $this->locale->getMessage($msg);
-        } else {
-            $msg = $this->locale->formatMessage($msg, $args);
-        }
-
-        if (!empty($subst)) $msg = strtr($msg, $subst);
-
-        // (numerically indexed)
-        $error = array(
-            self::LINENO   => $line,
-            self::SEVERITY => $severity,
-            self::MESSAGE  => $msg,
-            self::CHILDREN => array()
-        );
-        $this->_current[] = $error;
-
-
-        // NEW CODE BELOW ...
-
-        $struct = null;
-        // Top-level errors are either:
-        //  TOKEN type, if $value is set appropriately, or
-        //  "syntax" type, if $value is null
-        $new_struct = new HTMLPurifier_ErrorStruct();
-        $new_struct->type = HTMLPurifier_ErrorStruct::TOKEN;
-        if ($token) $new_struct->value = clone $token;
-        if (is_int($line) && is_int($col)) {
-            if (isset($this->lines[$line][$col])) {
-                $struct = $this->lines[$line][$col];
-            } else {
-                $struct = $this->lines[$line][$col] = $new_struct;
-            }
-            // These ksorts may present a performance problem
-            ksort($this->lines[$line], SORT_NUMERIC);
-        } else {
-            if (isset($this->lines[-1])) {
-                $struct = $this->lines[-1];
-            } else {
-                $struct = $this->lines[-1] = $new_struct;
-            }
-        }
-        ksort($this->lines, SORT_NUMERIC);
-
-        // Now, check if we need to operate on a lower structure
-        if (!empty($attr)) {
-            $struct = $struct->getChild(HTMLPurifier_ErrorStruct::ATTR, $attr);
-            if (!$struct->value) {
-                $struct->value = array($attr, 'PUT VALUE HERE');
-            }
-        }
-        if (!empty($cssprop)) {
-            $struct = $struct->getChild(HTMLPurifier_ErrorStruct::CSSPROP, $cssprop);
-            if (!$struct->value) {
-                // if we tokenize CSS this might be a little more difficult to do
-                $struct->value = array($cssprop, 'PUT VALUE HERE');
-            }
-        }
-
-        // Ok, structs are all setup, now time to register the error
-        $struct->addError($severity, $msg);
-    }
-
-    /**
-     * Retrieves raw error data for custom formatter to use
-     * @param List of arrays in format of array(line of error,
-     *        error severity, error message,
-     *        recursive sub-errors array)
-     */
-    public function getRaw() {
-        return $this->errors;
-    }
-
-    /**
-     * Default HTML formatting implementation for error messages
-     * @param $config Configuration array, vital for HTML output nature
-     * @param $errors Errors array to display; used for recursion.
-     */
-    public function getHTMLFormatted($config, $errors = null) {
-        $ret = array();
-
-        $this->generator = new HTMLPurifier_Generator($config, $this->context);
-        if ($errors === null) $errors = $this->errors;
-
-        // 'At line' message needs to be removed
-
-        // generation code for new structure goes here. It needs to be recursive.
-        foreach ($this->lines as $line => $col_array) {
-            if ($line == -1) continue;
-            foreach ($col_array as $col => $struct) {
-                $this->_renderStruct($ret, $struct, $line, $col);
-            }
-        }
-        if (isset($this->lines[-1])) {
-            $this->_renderStruct($ret, $this->lines[-1]);
-        }
-
-        if (empty($errors)) {
-            return '<p>' . $this->locale->getMessage('ErrorCollector: No errors') . '</p>';
-        } else {
-            return '<ul><li>' . implode('</li><li>', $ret) . '</li></ul>';
-        }
-
-    }
-
-    private function _renderStruct(&$ret, $struct, $line = null, $col = null) {
-        $stack = array($struct);
-        $context_stack = array(array());
-        while ($current = array_pop($stack)) {
-            $context = array_pop($context_stack);
-            foreach ($current->errors as $error) {
-                list($severity, $msg) = $error;
-                $string = '';
-                $string .= '<div>';
-                // W3C uses an icon to indicate the severity of the error.
-                $error = $this->locale->getErrorName($severity);
-                $string .= "<span class=\"error e$severity\"><strong>$error</strong></span> ";
-                if (!is_null($line) && !is_null($col)) {
-                    $string .= "<em class=\"location\">Line $line, Column $col: </em> ";
-                } else {
-                    $string .= '<em class="location">End of Document: </em> ';
-                }
-                $string .= '<strong class="description">' . $this->generator->escape($msg) . '</strong> ';
-                $string .= '</div>';
-                // Here, have a marker for the character on the column appropriate.
-                // Be sure to clip extremely long lines.
-                //$string .= '<pre>';
-                //$string .= '';
-                //$string .= '</pre>';
-                $ret[] = $string;
-            }
-            foreach ($current->children as $type => $array) {
-                $context[] = $current;
-                $stack = array_merge($stack, array_reverse($array, true));
-                for ($i = count($array); $i > 0; $i--) {
-                    $context_stack[] = $context;
-                }
-            }
-        }
-    }
+	/**
+	 * Identifiers for the returned error array. These are purposely numeric
+	 * so list() can be used.
+	 */
+	const LINENO   = 0;
+	const SEVERITY = 1;
+	const MESSAGE  = 2;
+	const CHILDREN = 3;
+
+	protected $errors;
+	protected $_current;
+	protected $_stacks = array(array());
+	protected $locale;
+	protected $generator;
+	protected $context;
+
+	protected $lines = array();
+
+	public function __construct($context) {
+		$this->locale    =& $context->get('Locale');
+		$this->context   = $context;
+		$this->_current  =& $this->_stacks[0];
+		$this->errors    =& $this->_stacks[0];
+	}
+
+	/**
+	 * Sends an error message to the collector for later use
+	 * @param $severity int Error severity, PHP error style (don't use E_USER_)
+	 * @param $msg string Error message text
+	 * @param $subst1 string First substitution for $msg
+	 * @param $subst2 string ...
+	 */
+	public function send($severity, $msg) {
+
+		$args = array();
+		if (func_num_args() > 2) {
+			$args = func_get_args();
+			array_shift($args);
+			unset($args[0]);
+		}
+
+		$token = $this->context->get('CurrentToken', true);
+		$line  = $token ? $token->line : $this->context->get('CurrentLine', true);
+		$col   = $token ? $token->col  : $this->context->get('CurrentCol',  true);
+		$attr  = $this->context->get('CurrentAttr', true);
+
+		// perform special substitutions, also add custom parameters
+		$subst = array();
+		if (!is_null($token)) {
+			$args['CurrentToken'] = $token;
+		}
+		if (!is_null($attr)) {
+			$subst['$CurrentAttr.Name'] = $attr;
+			if (isset($token->attr[$attr])) $subst['$CurrentAttr.Value'] = $token->attr[$attr];
+		}
+
+		if (empty($args)) {
+			$msg = $this->locale->getMessage($msg);
+		} else {
+			$msg = $this->locale->formatMessage($msg, $args);
+		}
+
+		if (!empty($subst)) $msg = strtr($msg, $subst);
+
+		// (numerically indexed)
+		$error = array(
+			self::LINENO   => $line,
+			self::SEVERITY => $severity,
+			self::MESSAGE  => $msg,
+			self::CHILDREN => array()
+		);
+		$this->_current[] = $error;
+
+
+		// NEW CODE BELOW ...
+
+		$struct = null;
+		// Top-level errors are either:
+		//  TOKEN type, if $value is set appropriately, or
+		//  "syntax" type, if $value is null
+		$new_struct = new HTMLPurifier_ErrorStruct();
+		$new_struct->type = HTMLPurifier_ErrorStruct::TOKEN;
+		if ($token) $new_struct->value = clone $token;
+		if (is_int($line) && is_int($col)) {
+			if (isset($this->lines[$line][$col])) {
+				$struct = $this->lines[$line][$col];
+			} else {
+				$struct = $this->lines[$line][$col] = $new_struct;
+			}
+			// These ksorts may present a performance problem
+			ksort($this->lines[$line], SORT_NUMERIC);
+		} else {
+			if (isset($this->lines[-1])) {
+				$struct = $this->lines[-1];
+			} else {
+				$struct = $this->lines[-1] = $new_struct;
+			}
+		}
+		ksort($this->lines, SORT_NUMERIC);
+
+		// Now, check if we need to operate on a lower structure
+		if (!empty($attr)) {
+			$struct = $struct->getChild(HTMLPurifier_ErrorStruct::ATTR, $attr);
+			if (!$struct->value) {
+				$struct->value = array($attr, 'PUT VALUE HERE');
+			}
+		}
+		if (!empty($cssprop)) {
+			$struct = $struct->getChild(HTMLPurifier_ErrorStruct::CSSPROP, $cssprop);
+			if (!$struct->value) {
+				// if we tokenize CSS this might be a little more difficult to do
+				$struct->value = array($cssprop, 'PUT VALUE HERE');
+			}
+		}
+
+		// Ok, structs are all setup, now time to register the error
+		$struct->addError($severity, $msg);
+	}
+
+	/**
+	 * Retrieves raw error data for custom formatter to use
+	 * @param List of arrays in format of array(line of error,
+	 *        error severity, error message,
+	 *        recursive sub-errors array)
+	 */
+	public function getRaw() {
+		return $this->errors;
+	}
+
+	/**
+	 * Default HTML formatting implementation for error messages
+	 * @param $config Configuration array, vital for HTML output nature
+	 * @param $errors Errors array to display; used for recursion.
+	 */
+	public function getHTMLFormatted($config, $errors = null) {
+		$ret = array();
+
+		$this->generator = new HTMLPurifier_Generator($config, $this->context);
+		if ($errors === null) $errors = $this->errors;
+
+		// 'At line' message needs to be removed
+
+		// generation code for new structure goes here. It needs to be recursive.
+		foreach ($this->lines as $line => $col_array) {
+			if ($line == -1) continue;
+			foreach ($col_array as $col => $struct) {
+				$this->_renderStruct($ret, $struct, $line, $col);
+			}
+		}
+		if (isset($this->lines[-1])) {
+			$this->_renderStruct($ret, $this->lines[-1]);
+		}
+
+		if (empty($errors)) {
+			return '<p>' . $this->locale->getMessage('ErrorCollector: No errors') . '</p>';
+		} else {
+			return '<ul><li>' . implode('</li><li>', $ret) . '</li></ul>';
+		}
+
+	}
+
+	private function _renderStruct(&$ret, $struct, $line = null, $col = null) {
+		$stack = array($struct);
+		$context_stack = array(array());
+		while ($current = array_pop($stack)) {
+			$context = array_pop($context_stack);
+			foreach ($current->errors as $error) {
+				list($severity, $msg) = $error;
+				$string = '';
+				$string .= '<div>';
+				// W3C uses an icon to indicate the severity of the error.
+				$error = $this->locale->getErrorName($severity);
+				$string .= "<span class=\"error e$severity\"><strong>$error</strong></span> ";
+				if (!is_null($line) && !is_null($col)) {
+					$string .= "<em class=\"location\">Line $line, Column $col: </em> ";
+				} else {
+					$string .= '<em class="location">End of Document: </em> ';
+				}
+				$string .= '<strong class="description">' . $this->generator->escape($msg) . '</strong> ';
+				$string .= '</div>';
+				// Here, have a marker for the character on the column appropriate.
+				// Be sure to clip extremely long lines.
+				//$string .= '<pre>';
+				//$string .= '';
+				//$string .= '</pre>';
+				$ret[] = $string;
+			}
+			foreach ($current->children as $type => $array) {
+				$context[] = $current;
+				$stack = array_merge($stack, array_reverse($array, true));
+				for ($i = count($array); $i > 0; $i--) {
+					$context_stack[] = $context;
+				}
+			}
+		}
+	}
 
 }
 

Braces +15 added lines, -5 removed lines

@@ -60,7 +60,9 @@ 
         }
         if (!is_null($attr)) {
             $subst['$CurrentAttr.Name'] = $attr;
-            if (isset($token->attr[$attr])) $subst['$CurrentAttr.Value'] = $token->attr[$attr];
+            if (isset($token->attr[$attr])) {
+            	$subst['$CurrentAttr.Value'] = $token->attr[$attr];
+            }
         }
 
         if (empty($args)) {
@@ -69,7 +71,9 @@ 
             $msg = $this->locale->formatMessage($msg, $args);
         }
 
-        if (!empty($subst)) $msg = strtr($msg, $subst);
+        if (!empty($subst)) {
+        	$msg = strtr($msg, $subst);
+        }
 
         // (numerically indexed)
         $error = array(
@@ -89,7 +93,9 @@ 
         //  "syntax" type, if $value is null
         $new_struct = new HTMLPurifier_ErrorStruct();
         $new_struct->type = HTMLPurifier_ErrorStruct::TOKEN;
-        if ($token) $new_struct->value = clone $token;
+        if ($token) {
+        	$new_struct->value = clone $token;
+        }
         if (is_int($line) && is_int($col)) {
             if (isset($this->lines[$line][$col])) {
                 $struct = $this->lines[$line][$col];
@@ -145,13 +151,17 @@ 
         $ret = array();
 
         $this->generator = new HTMLPurifier_Generator($config, $this->context);
-        if ($errors === null) $errors = $this->errors;
+        if ($errors === null) {
+        	$errors = $this->errors;
+        }
 
         // 'At line' message needs to be removed
 
         // generation code for new structure goes here. It needs to be recursive.
         foreach ($this->lines as $line => $col_array) {
-            if ($line == -1) continue;
+            if ($line == -1) {
+            	continue;
+            }
             foreach ($col_array as $col => $struct) {
                 $this->_renderStruct($ret, $struct, $line, $col);
             }

Spacing +7 added lines, -7 removed lines

@@ -26,10 +26,10 @@ 
     protected $lines = array();
 
     public function __construct($context) {
-        $this->locale    =& $context->get('Locale');
+        $this->locale    = & $context->get('Locale');
         $this->context   = $context;
-        $this->_current  =& $this->_stacks[0];
-        $this->errors    =& $this->_stacks[0];
+        $this->_current  = & $this->_stacks[0];
+        $this->errors    = & $this->_stacks[0];
     }
 
     /**
@@ -50,7 +50,7 @@ 
 
         $token = $this->context->get('CurrentToken', true);
         $line  = $token ? $token->line : $this->context->get('CurrentLine', true);
-        $col   = $token ? $token->col  : $this->context->get('CurrentCol',  true);
+        $col   = $token ? $token->col : $this->context->get('CurrentCol', true);
         $attr  = $this->context->get('CurrentAttr', true);
 
         // perform special substitutions, also add custom parameters
@@ -161,9 +161,9 @@ 
         }
 
         if (empty($errors)) {
-            return '<p>' . $this->locale->getMessage('ErrorCollector: No errors') . '</p>';
+            return '<p>'.$this->locale->getMessage('ErrorCollector: No errors').'</p>';
         } else {
-            return '<ul><li>' . implode('</li><li>', $ret) . '</li></ul>';
+            return '<ul><li>'.implode('</li><li>', $ret).'</li></ul>';
         }
 
     }
@@ -185,7 +185,7 @@ 
                 } else {
                     $string .= '<em class="location">End of Document: </em> ';
                 }
-                $string .= '<strong class="description">' . $this->generator->escape($msg) . '</strong> ';
+                $string .= '<strong class="description">'.$this->generator->escape($msg).'</strong> ';
                 $string .= '</div>';
                 // Here, have a marker for the character on the column appropriate.
                 // Be sure to clip extremely long lines.

classes/security/htmlpurifier/library/HTMLPurifier/Generator.php

Doc Comments +4 added lines, -4 removed lines

@@ -70,7 +70,7 @@ 
      * Generates HTML from an array of tokens.
      * @param $tokens Array of HTMLPurifier_Token
      * @param $config HTMLPurifier_Config object
-     * @return Generated HTML
+     * @return string HTML
      */
     public function generateFromTokens($tokens) {
         if (!$tokens) return '';
@@ -115,7 +115,7 @@ 
     /**
      * Generates HTML from a single token.
      * @param $token HTMLPurifier_Token object.
-     * @return Generated HTML
+     * @return string HTML
      */
     public function generateFromToken($token) {
         if (!$token instanceof HTMLPurifier_Token) {
@@ -181,7 +181,7 @@ 
      * @param $assoc_array_of_attributes Attribute array
      * @param $element Name of element attributes are for, used to check
      *        attribute minimization.
-     * @return Generate HTML fragment for insertion.
+     * @return string HTML fragment for insertion.
      */
     public function generateAttributes($assoc_array_of_attributes, $element = false) {
         $html = '';
@@ -238,7 +238,7 @@ 
      *       for properly generating HTML here w/o using tokens, it stays
      *       public.
      * @param $string String data to escape for HTML.
-     * @param $quote Quoting style, like htmlspecialchars. ENT_NOQUOTES is
+     * @param integer $quote Quoting style, like htmlspecialchars. ENT_NOQUOTES is
      *               permissible for non-attribute output.
      * @return String escaped data.
      */

Indentation +238 added lines, -238 removed lines

@@ -10,244 +10,244 @@
 class HTMLPurifier_Generator
 {
 
-    /**
-     * Whether or not generator should produce XML output
-     */
-    private $_xhtml = true;
-
-    /**
-     * :HACK: Whether or not generator should comment the insides of <script> tags
-     */
-    private $_scriptFix = false;
-
-    /**
-     * Cache of HTMLDefinition during HTML output to determine whether or
-     * not attributes should be minimized.
-     */
-    private $_def;
-
-    /**
-     * Cache of %Output.SortAttr
-     */
-    private $_sortAttr;
-
-    /**
-     * Cache of %Output.FlashCompat
-     */
-    private $_flashCompat;
-
-    /**
-     * Cache of %Output.FixInnerHTML
-     */
-    private $_innerHTMLFix;
-
-    /**
-     * Stack for keeping track of object information when outputting IE
-     * compatibility code.
-     */
-    private $_flashStack = array();
-
-    /**
-     * Configuration for the generator
-     */
-    protected $config;
-
-    /**
-     * @param $config Instance of HTMLPurifier_Config
-     * @param $context Instance of HTMLPurifier_Context
-     */
-    public function __construct($config, $context) {
-        $this->config = $config;
-        $this->_scriptFix = $config->get('Output.CommentScriptContents');
-        $this->_innerHTMLFix = $config->get('Output.FixInnerHTML');
-        $this->_sortAttr = $config->get('Output.SortAttr');
-        $this->_flashCompat = $config->get('Output.FlashCompat');
-        $this->_def = $config->getHTMLDefinition();
-        $this->_xhtml = $this->_def->doctype->xml;
-    }
-
-    /**
-     * Generates HTML from an array of tokens.
-     * @param $tokens Array of HTMLPurifier_Token
-     * @param $config HTMLPurifier_Config object
-     * @return Generated HTML
-     */
-    public function generateFromTokens($tokens) {
-        if (!$tokens) return '';
-
-        // Basic algorithm
-        $html = '';
-        for ($i = 0, $size = count($tokens); $i < $size; $i++) {
-            if ($this->_scriptFix && $tokens[$i]->name === 'script'
-                && $i + 2 < $size && $tokens[$i+2] instanceof HTMLPurifier_Token_End) {
-                // script special case
-                // the contents of the script block must be ONE token
-                // for this to work.
-                $html .= $this->generateFromToken($tokens[$i++]);
-                $html .= $this->generateScriptFromToken($tokens[$i++]);
-            }
-            $html .= $this->generateFromToken($tokens[$i]);
-        }
-
-        // Tidy cleanup
-        if (extension_loaded('tidy') && $this->config->get('Output.TidyFormat')) {
-            $tidy = new Tidy;
-            $tidy->parseString($html, array(
-               'indent'=> true,
-               'output-xhtml' => $this->_xhtml,
-               'show-body-only' => true,
-               'indent-spaces' => 2,
-               'wrap' => 68,
-            ), 'utf8');
-            $tidy->cleanRepair();
-            $html = (string) $tidy; // explicit cast necessary
-        }
-
-        // Normalize newlines to system defined value
-        if ($this->config->get('Core.NormalizeNewlines')) {
-            $nl = $this->config->get('Output.Newline');
-            if ($nl === null) $nl = PHP_EOL;
-            if ($nl !== "\n") $html = str_replace("\n", $nl, $html);
-        }
-        return $html;
-    }
-
-    /**
-     * Generates HTML from a single token.
-     * @param $token HTMLPurifier_Token object.
-     * @return Generated HTML
-     */
-    public function generateFromToken($token) {
-        if (!$token instanceof HTMLPurifier_Token) {
-            trigger_error('Cannot generate HTML from non-HTMLPurifier_Token object', E_USER_WARNING);
-            return '';
-
-        } elseif ($token instanceof HTMLPurifier_Token_Start) {
-            $attr = $this->generateAttributes($token->attr, $token->name);
-            if ($this->_flashCompat) {
-                if ($token->name == "object") {
-                    $flash = new stdclass();
-                    $flash->attr = $token->attr;
-                    $flash->param = array();
-                    $this->_flashStack[] = $flash;
-                }
-            }
-            return '<' . $token->name . ($attr ? ' ' : '') . $attr . '>';
-
-        } elseif ($token instanceof HTMLPurifier_Token_End) {
-            $_extra = '';
-            if ($this->_flashCompat) {
-                if ($token->name == "object" && !empty($this->_flashStack)) {
-                    // doesn't do anything for now
-                }
-            }
-            return $_extra . '</' . $token->name . '>';
-
-        } elseif ($token instanceof HTMLPurifier_Token_Empty) {
-            if ($this->_flashCompat && $token->name == "param" && !empty($this->_flashStack)) {
-                $this->_flashStack[count($this->_flashStack)-1]->param[$token->attr['name']] = $token->attr['value'];
-            }
-            $attr = $this->generateAttributes($token->attr, $token->name);
-             return '<' . $token->name . ($attr ? ' ' : '') . $attr .
-                ( $this->_xhtml ? ' /': '' ) // <br /> v. <br>
-                . '>';
-
-        } elseif ($token instanceof HTMLPurifier_Token_Text) {
-            return $this->escape($token->data, ENT_NOQUOTES);
-
-        } elseif ($token instanceof HTMLPurifier_Token_Comment) {
-            return '<!--' . $token->data . '-->';
-        } else {
-            return '';
-
-        }
-    }
-
-    /**
-     * Special case processor for the contents of script tags
-     * @warning This runs into problems if there's already a literal
-     *          --> somewhere inside the script contents.
-     */
-    public function generateScriptFromToken($token) {
-        if (!$token instanceof HTMLPurifier_Token_Text) return $this->generateFromToken($token);
-        // Thanks <http://lachy.id.au/log/2005/05/script-comments>
-        $data = preg_replace('#//\s*$#', '', $token->data);
-        return '<!--//--><![CDATA[//><!--' . "\n" . trim($data) . "\n" . '//--><!]]>';
-    }
-
-    /**
-     * Generates attribute declarations from attribute array.
-     * @note This does not include the leading or trailing space.
-     * @param $assoc_array_of_attributes Attribute array
-     * @param $element Name of element attributes are for, used to check
-     *        attribute minimization.
-     * @return Generate HTML fragment for insertion.
-     */
-    public function generateAttributes($assoc_array_of_attributes, $element = false) {
-        $html = '';
-        if ($this->_sortAttr) ksort($assoc_array_of_attributes);
-        foreach ($assoc_array_of_attributes as $key => $value) {
-            if (!$this->_xhtml) {
-                // Remove namespaced attributes
-                if (strpos($key, ':') !== false) continue;
-                // Check if we should minimize the attribute: val="val" -> val
-                if ($element && !empty($this->_def->info[$element]->attr[$key]->minimized)) {
-                    $html .= $key . ' ';
-                    continue;
-                }
-            }
-            // Workaround for Internet Explorer innerHTML bug.
-            // Essentially, Internet Explorer, when calculating
-            // innerHTML, omits quotes if there are no instances of
-            // angled brackets, quotes or spaces.  However, when parsing
-            // HTML (for example, when you assign to innerHTML), it
-            // treats backticks as quotes.  Thus,
-            //      <img alt="``" />
-            // becomes
-            //      <img alt=`` />
-            // becomes
-            //      <img alt='' />
-            // Fortunately, all we need to do is trigger an appropriate
-            // quoting style, which we do by adding an extra space.
-            // This also is consistent with the W3C spec, which states
-            // that user agents may ignore leading or trailing
-            // whitespace (in fact, most don't, at least for attributes
-            // like alt, but an extra space at the end is barely
-            // noticeable).  Still, we have a configuration knob for
-            // this, since this transformation is not necesary if you
-            // don't process user input with innerHTML or you don't plan
-            // on supporting Internet Explorer.
-            if ($this->_innerHTMLFix) {
-                if (strpos($value, '`') !== false) {
-                    // check if correct quoting style would not already be
-                    // triggered
-                    if (strcspn($value, '"\' <>') === strlen($value)) {
-                        // protect!
-                        $value .= ' ';
-                    }
-                }
-            }
-            $html .= $key.'="'.$this->escape($value).'" ';
-        }
-        return rtrim($html);
-    }
-
-    /**
-     * Escapes raw text data.
-     * @todo This really ought to be protected, but until we have a facility
-     *       for properly generating HTML here w/o using tokens, it stays
-     *       public.
-     * @param $string String data to escape for HTML.
-     * @param $quote Quoting style, like htmlspecialchars. ENT_NOQUOTES is
-     *               permissible for non-attribute output.
-     * @return String escaped data.
-     */
-    public function escape($string, $quote = null) {
-        // Workaround for APC bug on Mac Leopard reported by sidepodcast
-        // http://htmlpurifier.org/phorum/read.php?3,4823,4846
-        if ($quote === null) $quote = ENT_COMPAT;
-        return htmlspecialchars($string, $quote, 'UTF-8', false);
-    }
+	/**
+	 * Whether or not generator should produce XML output
+	 */
+	private $_xhtml = true;
+
+	/**
+	 * :HACK: Whether or not generator should comment the insides of <script> tags
+	 */
+	private $_scriptFix = false;
+
+	/**
+	 * Cache of HTMLDefinition during HTML output to determine whether or
+	 * not attributes should be minimized.
+	 */
+	private $_def;
+
+	/**
+	 * Cache of %Output.SortAttr
+	 */
+	private $_sortAttr;
+
+	/**
+	 * Cache of %Output.FlashCompat
+	 */
+	private $_flashCompat;
+
+	/**
+	 * Cache of %Output.FixInnerHTML
+	 */
+	private $_innerHTMLFix;
+
+	/**
+	 * Stack for keeping track of object information when outputting IE
+	 * compatibility code.
+	 */
+	private $_flashStack = array();
+
+	/**
+	 * Configuration for the generator
+	 */
+	protected $config;
+
+	/**
+	 * @param $config Instance of HTMLPurifier_Config
+	 * @param $context Instance of HTMLPurifier_Context
+	 */
+	public function __construct($config, $context) {
+		$this->config = $config;
+		$this->_scriptFix = $config->get('Output.CommentScriptContents');
+		$this->_innerHTMLFix = $config->get('Output.FixInnerHTML');
+		$this->_sortAttr = $config->get('Output.SortAttr');
+		$this->_flashCompat = $config->get('Output.FlashCompat');
+		$this->_def = $config->getHTMLDefinition();
+		$this->_xhtml = $this->_def->doctype->xml;
+	}
+
+	/**
+	 * Generates HTML from an array of tokens.
+	 * @param $tokens Array of HTMLPurifier_Token
+	 * @param $config HTMLPurifier_Config object
+	 * @return Generated HTML
+	 */
+	public function generateFromTokens($tokens) {
+		if (!$tokens) return '';
+
+		// Basic algorithm
+		$html = '';
+		for ($i = 0, $size = count($tokens); $i < $size; $i++) {
+			if ($this->_scriptFix && $tokens[$i]->name === 'script'
+				&& $i + 2 < $size && $tokens[$i+2] instanceof HTMLPurifier_Token_End) {
+				// script special case
+				// the contents of the script block must be ONE token
+				// for this to work.
+				$html .= $this->generateFromToken($tokens[$i++]);
+				$html .= $this->generateScriptFromToken($tokens[$i++]);
+			}
+			$html .= $this->generateFromToken($tokens[$i]);
+		}
+
+		// Tidy cleanup
+		if (extension_loaded('tidy') && $this->config->get('Output.TidyFormat')) {
+			$tidy = new Tidy;
+			$tidy->parseString($html, array(
+			   'indent'=> true,
+			   'output-xhtml' => $this->_xhtml,
+			   'show-body-only' => true,
+			   'indent-spaces' => 2,
+			   'wrap' => 68,
+			), 'utf8');
+			$tidy->cleanRepair();
+			$html = (string) $tidy; // explicit cast necessary
+		}
+
+		// Normalize newlines to system defined value
+		if ($this->config->get('Core.NormalizeNewlines')) {
+			$nl = $this->config->get('Output.Newline');
+			if ($nl === null) $nl = PHP_EOL;
+			if ($nl !== "\n") $html = str_replace("\n", $nl, $html);
+		}
+		return $html;
+	}
+
+	/**
+	 * Generates HTML from a single token.
+	 * @param $token HTMLPurifier_Token object.
+	 * @return Generated HTML
+	 */
+	public function generateFromToken($token) {
+		if (!$token instanceof HTMLPurifier_Token) {
+			trigger_error('Cannot generate HTML from non-HTMLPurifier_Token object', E_USER_WARNING);
+			return '';
+
+		} elseif ($token instanceof HTMLPurifier_Token_Start) {
+			$attr = $this->generateAttributes($token->attr, $token->name);
+			if ($this->_flashCompat) {
+				if ($token->name == "object") {
+					$flash = new stdclass();
+					$flash->attr = $token->attr;
+					$flash->param = array();
+					$this->_flashStack[] = $flash;
+				}
+			}
+			return '<' . $token->name . ($attr ? ' ' : '') . $attr . '>';
+
+		} elseif ($token instanceof HTMLPurifier_Token_End) {
+			$_extra = '';
+			if ($this->_flashCompat) {
+				if ($token->name == "object" && !empty($this->_flashStack)) {
+					// doesn't do anything for now
+				}
+			}
+			return $_extra . '</' . $token->name . '>';
+
+		} elseif ($token instanceof HTMLPurifier_Token_Empty) {
+			if ($this->_flashCompat && $token->name == "param" && !empty($this->_flashStack)) {
+				$this->_flashStack[count($this->_flashStack)-1]->param[$token->attr['name']] = $token->attr['value'];
+			}
+			$attr = $this->generateAttributes($token->attr, $token->name);
+			 return '<' . $token->name . ($attr ? ' ' : '') . $attr .
+				( $this->_xhtml ? ' /': '' ) // <br /> v. <br>
+				. '>';
+
+		} elseif ($token instanceof HTMLPurifier_Token_Text) {
+			return $this->escape($token->data, ENT_NOQUOTES);
+
+		} elseif ($token instanceof HTMLPurifier_Token_Comment) {
+			return '<!--' . $token->data . '-->';
+		} else {
+			return '';
+
+		}
+	}
+
+	/**
+	 * Special case processor for the contents of script tags
+	 * @warning This runs into problems if there's already a literal
+	 *          --> somewhere inside the script contents.
+	 */
+	public function generateScriptFromToken($token) {
+		if (!$token instanceof HTMLPurifier_Token_Text) return $this->generateFromToken($token);
+		// Thanks <http://lachy.id.au/log/2005/05/script-comments>
+		$data = preg_replace('#//\s*$#', '', $token->data);
+		return '<!--//--><![CDATA[//><!--' . "\n" . trim($data) . "\n" . '//--><!]]>';
+	}
+
+	/**
+	 * Generates attribute declarations from attribute array.
+	 * @note This does not include the leading or trailing space.
+	 * @param $assoc_array_of_attributes Attribute array
+	 * @param $element Name of element attributes are for, used to check
+	 *        attribute minimization.
+	 * @return Generate HTML fragment for insertion.
+	 */
+	public function generateAttributes($assoc_array_of_attributes, $element = false) {
+		$html = '';
+		if ($this->_sortAttr) ksort($assoc_array_of_attributes);
+		foreach ($assoc_array_of_attributes as $key => $value) {
+			if (!$this->_xhtml) {
+				// Remove namespaced attributes
+				if (strpos($key, ':') !== false) continue;
+				// Check if we should minimize the attribute: val="val" -> val
+				if ($element && !empty($this->_def->info[$element]->attr[$key]->minimized)) {
+					$html .= $key . ' ';
+					continue;
+				}
+			}
+			// Workaround for Internet Explorer innerHTML bug.
+			// Essentially, Internet Explorer, when calculating
+			// innerHTML, omits quotes if there are no instances of
+			// angled brackets, quotes or spaces.  However, when parsing
+			// HTML (for example, when you assign to innerHTML), it
+			// treats backticks as quotes.  Thus,
+			//      <img alt="``" />
+			// becomes
+			//      <img alt=`` />
+			// becomes
+			//      <img alt='' />
+			// Fortunately, all we need to do is trigger an appropriate
+			// quoting style, which we do by adding an extra space.
+			// This also is consistent with the W3C spec, which states
+			// that user agents may ignore leading or trailing
+			// whitespace (in fact, most don't, at least for attributes
+			// like alt, but an extra space at the end is barely
+			// noticeable).  Still, we have a configuration knob for
+			// this, since this transformation is not necesary if you
+			// don't process user input with innerHTML or you don't plan
+			// on supporting Internet Explorer.
+			if ($this->_innerHTMLFix) {
+				if (strpos($value, '`') !== false) {
+					// check if correct quoting style would not already be
+					// triggered
+					if (strcspn($value, '"\' <>') === strlen($value)) {
+						// protect!
+						$value .= ' ';
+					}
+				}
+			}
+			$html .= $key.'="'.$this->escape($value).'" ';
+		}
+		return rtrim($html);
+	}
+
+	/**
+	 * Escapes raw text data.
+	 * @todo This really ought to be protected, but until we have a facility
+	 *       for properly generating HTML here w/o using tokens, it stays
+	 *       public.
+	 * @param $string String data to escape for HTML.
+	 * @param $quote Quoting style, like htmlspecialchars. ENT_NOQUOTES is
+	 *               permissible for non-attribute output.
+	 * @return String escaped data.
+	 */
+	public function escape($string, $quote = null) {
+		// Workaround for APC bug on Mac Leopard reported by sidepodcast
+		// http://htmlpurifier.org/phorum/read.php?3,4823,4846
+		if ($quote === null) $quote = ENT_COMPAT;
+		return htmlspecialchars($string, $quote, 'UTF-8', false);
+	}
 
 }
 

Braces +21 added lines, -7 removed lines

@@ -73,7 +73,9 @@ 
      * @return Generated HTML
      */
     public function generateFromTokens($tokens) {
-        if (!$tokens) return '';
+        if (!$tokens) {
+        	return '';
+        }
 
         // Basic algorithm
         $html = '';
@@ -106,8 +108,12 @@ 
         // Normalize newlines to system defined value
         if ($this->config->get('Core.NormalizeNewlines')) {
             $nl = $this->config->get('Output.Newline');
-            if ($nl === null) $nl = PHP_EOL;
-            if ($nl !== "\n") $html = str_replace("\n", $nl, $html);
+            if ($nl === null) {
+            	$nl = PHP_EOL;
+            }
+            if ($nl !== "\n") {
+            	$html = str_replace("\n", $nl, $html);
+            }
         }
         return $html;
     }
@@ -169,7 +175,9 @@ 
      *          --> somewhere inside the script contents.
      */
     public function generateScriptFromToken($token) {
-        if (!$token instanceof HTMLPurifier_Token_Text) return $this->generateFromToken($token);
+        if (!$token instanceof HTMLPurifier_Token_Text) {
+        	return $this->generateFromToken($token);
+        }
         // Thanks <http://lachy.id.au/log/2005/05/script-comments>
         $data = preg_replace('#//\s*$#', '', $token->data);
         return '<!--//--><![CDATA[//><!--' . "\n" . trim($data) . "\n" . '//--><!]]>';
@@ -185,11 +193,15 @@ 
      */
     public function generateAttributes($assoc_array_of_attributes, $element = false) {
         $html = '';
-        if ($this->_sortAttr) ksort($assoc_array_of_attributes);
+        if ($this->_sortAttr) {
+        	ksort($assoc_array_of_attributes);
+        }
         foreach ($assoc_array_of_attributes as $key => $value) {
             if (!$this->_xhtml) {
                 // Remove namespaced attributes
-                if (strpos($key, ':') !== false) continue;
+                if (strpos($key, ':') !== false) {
+                	continue;
+                }
                 // Check if we should minimize the attribute: val="val" -> val
                 if ($element && !empty($this->_def->info[$element]->attr[$key]->minimized)) {
                     $html .= $key . ' ';
@@ -245,7 +257,9 @@ 
     public function escape($string, $quote = null) {
         // Workaround for APC bug on Mac Leopard reported by sidepodcast
         // http://htmlpurifier.org/phorum/read.php?3,4823,4846
-        if ($quote === null) $quote = ENT_COMPAT;
+        if ($quote === null) {
+        	$quote = ENT_COMPAT;
+        }
         return htmlspecialchars($string, $quote, 'UTF-8', false);
     }
 

Spacing +9 added lines, -9 removed lines

@@ -79,7 +79,7 @@ 
         $html = '';
         for ($i = 0, $size = count($tokens); $i < $size; $i++) {
             if ($this->_scriptFix && $tokens[$i]->name === 'script'
-                && $i + 2 < $size && $tokens[$i+2] instanceof HTMLPurifier_Token_End) {
+                && $i + 2 < $size && $tokens[$i + 2] instanceof HTMLPurifier_Token_End) {
                 // script special case
                 // the contents of the script block must be ONE token
                 // for this to work.
@@ -132,7 +132,7 @@ 
                     $this->_flashStack[] = $flash;
                 }
             }
-            return '<' . $token->name . ($attr ? ' ' : '') . $attr . '>';
+            return '<'.$token->name.($attr ? ' ' : '').$attr.'>';
 
         } elseif ($token instanceof HTMLPurifier_Token_End) {
             $_extra = '';
@@ -141,22 +141,22 @@ 
                     // doesn't do anything for now
                 }
             }
-            return $_extra . '</' . $token->name . '>';
+            return $_extra.'</'.$token->name.'>';
 
         } elseif ($token instanceof HTMLPurifier_Token_Empty) {
             if ($this->_flashCompat && $token->name == "param" && !empty($this->_flashStack)) {
-                $this->_flashStack[count($this->_flashStack)-1]->param[$token->attr['name']] = $token->attr['value'];
+                $this->_flashStack[count($this->_flashStack) - 1]->param[$token->attr['name']] = $token->attr['value'];
             }
             $attr = $this->generateAttributes($token->attr, $token->name);
-             return '<' . $token->name . ($attr ? ' ' : '') . $attr .
-                ( $this->_xhtml ? ' /': '' ) // <br /> v. <br>
+             return '<'.$token->name.($attr ? ' ' : '').$attr.
+                ($this->_xhtml ? ' /' : '') // <br /> v. <br>
                 . '>';
 
         } elseif ($token instanceof HTMLPurifier_Token_Text) {
             return $this->escape($token->data, ENT_NOQUOTES);
 
         } elseif ($token instanceof HTMLPurifier_Token_Comment) {
-            return '<!--' . $token->data . '-->';
+            return '<!--'.$token->data.'-->';
         } else {
             return '';
 
@@ -172,7 +172,7 @@ 
         if (!$token instanceof HTMLPurifier_Token_Text) return $this->generateFromToken($token);
         // Thanks <http://lachy.id.au/log/2005/05/script-comments>
         $data = preg_replace('#//\s*$#', '', $token->data);
-        return '<!--//--><![CDATA[//><!--' . "\n" . trim($data) . "\n" . '//--><!]]>';
+        return '<!--//--><![CDATA[//><!--'."\n".trim($data)."\n".'//--><!]]>';
     }
 
     /**
@@ -192,7 +192,7 @@ 
                 if (strpos($key, ':') !== false) continue;
                 // Check if we should minimize the attribute: val="val" -> val
                 if ($element && !empty($this->_def->info[$element]->attr[$key]->minimized)) {
-                    $html .= $key . ' ';
+                    $html .= $key.' ';
                     continue;
                 }
             }

classes/security/htmlpurifier/library/HTMLPurifier/HTMLDefinition.php

Doc Comments +1 added lines, -2 removed lines

@@ -385,8 +385,7 @@
      * separate lists for processing. Format is element[attr1|attr2],element2...
      * @warning Although it's largely drawn from TinyMCE's implementation,
      *      it is different, and you'll probably have to modify your lists
-     * @param $list String list to parse
-     * @param array($allowed_elements, $allowed_attributes)
+     * @param string $list String list to parse
      * @todo Give this its own class, probably static interface
      */
     public function parseTinyMCEAllowedList($list) {

Indentation +392 added lines, -392 removed lines

@@ -26,398 +26,398 @@
 class HTMLPurifier_HTMLDefinition extends HTMLPurifier_Definition
 {
 
-    // FULLY-PUBLIC VARIABLES ---------------------------------------------
-
-    /**
-     * Associative array of element names to HTMLPurifier_ElementDef
-     */
-    public $info = array();
-
-    /**
-     * Associative array of global attribute name to attribute definition.
-     */
-    public $info_global_attr = array();
-
-    /**
-     * String name of parent element HTML will be going into.
-     */
-    public $info_parent = 'div';
-
-    /**
-     * Definition for parent element, allows parent element to be a
-     * tag that's not allowed inside the HTML fragment.
-     */
-    public $info_parent_def;
-
-    /**
-     * String name of element used to wrap inline elements in block context
-     * @note This is rarely used except for BLOCKQUOTEs in strict mode
-     */
-    public $info_block_wrapper = 'p';
-
-    /**
-     * Associative array of deprecated tag name to HTMLPurifier_TagTransform
-     */
-    public $info_tag_transform = array();
-
-    /**
-     * Indexed list of HTMLPurifier_AttrTransform to be performed before validation.
-     */
-    public $info_attr_transform_pre = array();
-
-    /**
-     * Indexed list of HTMLPurifier_AttrTransform to be performed after validation.
-     */
-    public $info_attr_transform_post = array();
-
-    /**
-     * Nested lookup array of content set name (Block, Inline) to
-     * element name to whether or not it belongs in that content set.
-     */
-    public $info_content_sets = array();
-
-    /**
-     * Indexed list of HTMLPurifier_Injector to be used.
-     */
-    public $info_injector = array();
-
-    /**
-     * Doctype object
-     */
-    public $doctype;
-
-
-
-    // RAW CUSTOMIZATION STUFF --------------------------------------------
-
-    /**
-     * Adds a custom attribute to a pre-existing element
-     * @note This is strictly convenience, and does not have a corresponding
-     *       method in HTMLPurifier_HTMLModule
-     * @param $element_name String element name to add attribute to
-     * @param $attr_name String name of attribute
-     * @param $def Attribute definition, can be string or object, see
-     *             HTMLPurifier_AttrTypes for details
-     */
-    public function addAttribute($element_name, $attr_name, $def) {
-        $module = $this->getAnonymousModule();
-        if (!isset($module->info[$element_name])) {
-            $element = $module->addBlankElement($element_name);
-        } else {
-            $element = $module->info[$element_name];
-        }
-        $element->attr[$attr_name] = $def;
-    }
-
-    /**
-     * Adds a custom element to your HTML definition
-     * @note See HTMLPurifier_HTMLModule::addElement for detailed
-     *       parameter and return value descriptions.
-     */
-    public function addElement($element_name, $type, $contents, $attr_collections, $attributes = array()) {
-        $module = $this->getAnonymousModule();
-        // assume that if the user is calling this, the element
-        // is safe. This may not be a good idea
-        $element = $module->addElement($element_name, $type, $contents, $attr_collections, $attributes);
-        return $element;
-    }
-
-    /**
-     * Adds a blank element to your HTML definition, for overriding
-     * existing behavior
-     * @note See HTMLPurifier_HTMLModule::addBlankElement for detailed
-     *       parameter and return value descriptions.
-     */
-    public function addBlankElement($element_name) {
-        $module  = $this->getAnonymousModule();
-        $element = $module->addBlankElement($element_name);
-        return $element;
-    }
-
-    /**
-     * Retrieves a reference to the anonymous module, so you can
-     * bust out advanced features without having to make your own
-     * module.
-     */
-    public function getAnonymousModule() {
-        if (!$this->_anonModule) {
-            $this->_anonModule = new HTMLPurifier_HTMLModule();
-            $this->_anonModule->name = 'Anonymous';
-        }
-        return $this->_anonModule;
-    }
-
-    private $_anonModule = null;
-
-
-    // PUBLIC BUT INTERNAL VARIABLES --------------------------------------
-
-    public $type = 'HTML';
-    public $manager; /**< Instance of HTMLPurifier_HTMLModuleManager */
-
-    /**
-     * Performs low-cost, preliminary initialization.
-     */
-    public function __construct() {
-        $this->manager = new HTMLPurifier_HTMLModuleManager();
-    }
-
-    protected function doSetup($config) {
-        $this->processModules($config);
-        $this->setupConfigStuff($config);
-        unset($this->manager);
-
-        // cleanup some of the element definitions
-        foreach ($this->info as $k => $v) {
-            unset($this->info[$k]->content_model);
-            unset($this->info[$k]->content_model_type);
-        }
-    }
-
-    /**
-     * Extract out the information from the manager
-     */
-    protected function processModules($config) {
-
-        if ($this->_anonModule) {
-            // for user specific changes
-            // this is late-loaded so we don't have to deal with PHP4
-            // reference wonky-ness
-            $this->manager->addModule($this->_anonModule);
-            unset($this->_anonModule);
-        }
-
-        $this->manager->setup($config);
-        $this->doctype = $this->manager->doctype;
-
-        foreach ($this->manager->modules as $module) {
-            foreach($module->info_tag_transform as $k => $v) {
-                if ($v === false) unset($this->info_tag_transform[$k]);
-                else $this->info_tag_transform[$k] = $v;
-            }
-            foreach($module->info_attr_transform_pre as $k => $v) {
-                if ($v === false) unset($this->info_attr_transform_pre[$k]);
-                else $this->info_attr_transform_pre[$k] = $v;
-            }
-            foreach($module->info_attr_transform_post as $k => $v) {
-                if ($v === false) unset($this->info_attr_transform_post[$k]);
-                else $this->info_attr_transform_post[$k] = $v;
-            }
-            foreach ($module->info_injector as $k => $v) {
-                if ($v === false) unset($this->info_injector[$k]);
-                else $this->info_injector[$k] = $v;
-            }
-        }
-
-        $this->info = $this->manager->getElements();
-        $this->info_content_sets = $this->manager->contentSets->lookup;
-
-    }
-
-    /**
-     * Sets up stuff based on config. We need a better way of doing this.
-     */
-    protected function setupConfigStuff($config) {
-
-        $block_wrapper = $config->get('HTML.BlockWrapper');
-        if (isset($this->info_content_sets['Block'][$block_wrapper])) {
-            $this->info_block_wrapper = $block_wrapper;
-        } else {
-            trigger_error('Cannot use non-block element as block wrapper',
-                E_USER_ERROR);
-        }
-
-        $parent = $config->get('HTML.Parent');
-        $def = $this->manager->getElement($parent, true);
-        if ($def) {
-            $this->info_parent = $parent;
-            $this->info_parent_def = $def;
-        } else {
-            trigger_error('Cannot use unrecognized element as parent',
-                E_USER_ERROR);
-            $this->info_parent_def = $this->manager->getElement($this->info_parent, true);
-        }
-
-        // support template text
-        $support = "(for information on implementing this, see the ".
-                   "support forums) ";
-
-        // setup allowed elements -----------------------------------------
-
-        $allowed_elements = $config->get('HTML.AllowedElements');
-        $allowed_attributes = $config->get('HTML.AllowedAttributes'); // retrieve early
-
-        if (!is_array($allowed_elements) && !is_array($allowed_attributes)) {
-            $allowed = $config->get('HTML.Allowed');
-            if (is_string($allowed)) {
-                list($allowed_elements, $allowed_attributes) = $this->parseTinyMCEAllowedList($allowed);
-            }
-        }
-
-        if (is_array($allowed_elements)) {
-            foreach ($this->info as $name => $d) {
-                if(!isset($allowed_elements[$name])) unset($this->info[$name]);
-                unset($allowed_elements[$name]);
-            }
-            // emit errors
-            foreach ($allowed_elements as $element => $d) {
-                $element = htmlspecialchars($element, ENT_COMPAT | ENT_HTML401, 'UTF-8', false); // PHP doesn't escape errors, be careful!
-                trigger_error("Element '$element' is not supported $support", E_USER_WARNING);
-            }
-        }
-
-        // setup allowed attributes ---------------------------------------
-
-        $allowed_attributes_mutable = $allowed_attributes; // by copy!
-        if (is_array($allowed_attributes)) {
-
-            // This actually doesn't do anything, since we went away from
-            // global attributes. It's possible that userland code uses
-            // it, but HTMLModuleManager doesn't!
-            foreach ($this->info_global_attr as $attr => $x) {
-                $keys = array($attr, "*@$attr", "*.$attr");
-                $delete = true;
-                foreach ($keys as $key) {
-                    if ($delete && isset($allowed_attributes[$key])) {
-                        $delete = false;
-                    }
-                    if (isset($allowed_attributes_mutable[$key])) {
-                        unset($allowed_attributes_mutable[$key]);
-                    }
-                }
-                if ($delete) unset($this->info_global_attr[$attr]);
-            }
-
-            foreach ($this->info as $tag => $info) {
-                foreach ($info->attr as $attr => $x) {
-                    $keys = array("$tag@$attr", $attr, "*@$attr", "$tag.$attr", "*.$attr");
-                    $delete = true;
-                    foreach ($keys as $key) {
-                        if ($delete && isset($allowed_attributes[$key])) {
-                            $delete = false;
-                        }
-                        if (isset($allowed_attributes_mutable[$key])) {
-                            unset($allowed_attributes_mutable[$key]);
-                        }
-                    }
-                    if ($delete) {
-                        if ($this->info[$tag]->attr[$attr]->required) {
-                            trigger_error("Required attribute '$attr' in element '$tag' was not allowed, which means '$tag' will not be allowed either", E_USER_WARNING);
-                        }
-                        unset($this->info[$tag]->attr[$attr]);
-                    }
-                }
-            }
-            // emit errors
-            foreach ($allowed_attributes_mutable as $elattr => $d) {
-                $bits = preg_split('/[.@]/', $elattr, 2);
-                $c = count($bits);
-                switch ($c) {
-                    case 2:
-                        if ($bits[0] !== '*') {
-                            $element = htmlspecialchars($bits[0], ENT_COMPAT | ENT_HTML401, 'UTF-8', false);
-                            $attribute = htmlspecialchars($bits[1], ENT_COMPAT | ENT_HTML401, 'UTF-8', false);
-                            if (!isset($this->info[$element])) {
-                                trigger_error("Cannot allow attribute '$attribute' if element '$element' is not allowed/supported $support");
-                            } else {
-                                trigger_error("Attribute '$attribute' in element '$element' not supported $support",
-                                    E_USER_WARNING);
-                            }
-                            break;
-                        }
-                        // otherwise fall through
-                    case 1:
-                        $attribute = htmlspecialchars($bits[0], ENT_COMPAT | ENT_HTML401, 'UTF-8', false);
-                        trigger_error("Global attribute '$attribute' is not ".
-                            "supported in any elements $support",
-                            E_USER_WARNING);
-                        break;
-                }
-            }
-
-        }
-
-        // setup forbidden elements ---------------------------------------
-
-        $forbidden_elements   = $config->get('HTML.ForbiddenElements');
-        $forbidden_attributes = $config->get('HTML.ForbiddenAttributes');
-
-        foreach ($this->info as $tag => $info) {
-            if (isset($forbidden_elements[$tag])) {
-                unset($this->info[$tag]);
-                continue;
-            }
-            foreach ($info->attr as $attr => $x) {
-                if (
-                    isset($forbidden_attributes["$tag@$attr"]) ||
-                    isset($forbidden_attributes["*@$attr"]) ||
-                    isset($forbidden_attributes[$attr])
-                ) {
-                    unset($this->info[$tag]->attr[$attr]);
-                    continue;
-                } // this segment might get removed eventually
-                elseif (isset($forbidden_attributes["$tag.$attr"])) {
-                    // $tag.$attr are not user supplied, so no worries!
-                    trigger_error("Error with $tag.$attr: tag.attr syntax not supported for HTML.ForbiddenAttributes; use tag@attr instead", E_USER_WARNING);
-                }
-            }
-        }
-        foreach ($forbidden_attributes as $key => $v) {
-            if (strlen($key) < 2) continue;
-            if ($key[0] != '*') continue;
-            if ($key[1] == '.') {
-                trigger_error("Error with $key: *.attr syntax not supported for HTML.ForbiddenAttributes; use attr instead", E_USER_WARNING);
-            }
-        }
-
-        // setup injectors -----------------------------------------------------
-        foreach ($this->info_injector as $i => $injector) {
-            if ($injector->checkNeeded($config) !== false) {
-                // remove injector that does not have it's required
-                // elements/attributes present, and is thus not needed.
-                unset($this->info_injector[$i]);
-            }
-        }
-    }
-
-    /**
-     * Parses a TinyMCE-flavored Allowed Elements and Attributes list into
-     * separate lists for processing. Format is element[attr1|attr2],element2...
-     * @warning Although it's largely drawn from TinyMCE's implementation,
-     *      it is different, and you'll probably have to modify your lists
-     * @param $list String list to parse
-     * @param array($allowed_elements, $allowed_attributes)
-     * @todo Give this its own class, probably static interface
-     */
-    public function parseTinyMCEAllowedList($list) {
-
-        $list = str_replace(array(' ', "\t"), '', $list);
-
-        $elements = array();
-        $attributes = array();
-
-        $chunks = preg_split('/(,|[\n\r]+)/', $list);
-        foreach ($chunks as $chunk) {
-            if (empty($chunk)) continue;
-            // remove TinyMCE element control characters
-            if (!strpos($chunk, '[')) {
-                $element = $chunk;
-                $attr = false;
-            } else {
-                list($element, $attr) = explode('[', $chunk);
-            }
-            if ($element !== '*') $elements[$element] = true;
-            if (!$attr) continue;
-            $attr = substr($attr, 0, strlen($attr) - 1); // remove trailing ]
-            $attr = explode('|', $attr);
-            foreach ($attr as $key) {
-                $attributes["$element.$key"] = true;
-            }
-        }
-
-        return array($elements, $attributes);
-
-    }
+	// FULLY-PUBLIC VARIABLES ---------------------------------------------
+
+	/**
+	 * Associative array of element names to HTMLPurifier_ElementDef
+	 */
+	public $info = array();
+
+	/**
+	 * Associative array of global attribute name to attribute definition.
+	 */
+	public $info_global_attr = array();
+
+	/**
+	 * String name of parent element HTML will be going into.
+	 */
+	public $info_parent = 'div';
+
+	/**
+	 * Definition for parent element, allows parent element to be a
+	 * tag that's not allowed inside the HTML fragment.
+	 */
+	public $info_parent_def;
+
+	/**
+	 * String name of element used to wrap inline elements in block context
+	 * @note This is rarely used except for BLOCKQUOTEs in strict mode
+	 */
+	public $info_block_wrapper = 'p';
+
+	/**
+	 * Associative array of deprecated tag name to HTMLPurifier_TagTransform
+	 */
+	public $info_tag_transform = array();
+
+	/**
+	 * Indexed list of HTMLPurifier_AttrTransform to be performed before validation.
+	 */
+	public $info_attr_transform_pre = array();
+
+	/**
+	 * Indexed list of HTMLPurifier_AttrTransform to be performed after validation.
+	 */
+	public $info_attr_transform_post = array();
+
+	/**
+	 * Nested lookup array of content set name (Block, Inline) to
+	 * element name to whether or not it belongs in that content set.
+	 */
+	public $info_content_sets = array();
+
+	/**
+	 * Indexed list of HTMLPurifier_Injector to be used.
+	 */
+	public $info_injector = array();
+
+	/**
+	 * Doctype object
+	 */
+	public $doctype;
+
+
+
+	// RAW CUSTOMIZATION STUFF --------------------------------------------
+
+	/**
+	 * Adds a custom attribute to a pre-existing element
+	 * @note This is strictly convenience, and does not have a corresponding
+	 *       method in HTMLPurifier_HTMLModule
+	 * @param $element_name String element name to add attribute to
+	 * @param $attr_name String name of attribute
+	 * @param $def Attribute definition, can be string or object, see
+	 *             HTMLPurifier_AttrTypes for details
+	 */
+	public function addAttribute($element_name, $attr_name, $def) {
+		$module = $this->getAnonymousModule();
+		if (!isset($module->info[$element_name])) {
+			$element = $module->addBlankElement($element_name);
+		} else {
+			$element = $module->info[$element_name];
+		}
+		$element->attr[$attr_name] = $def;
+	}
+
+	/**
+	 * Adds a custom element to your HTML definition
+	 * @note See HTMLPurifier_HTMLModule::addElement for detailed
+	 *       parameter and return value descriptions.
+	 */
+	public function addElement($element_name, $type, $contents, $attr_collections, $attributes = array()) {
+		$module = $this->getAnonymousModule();
+		// assume that if the user is calling this, the element
+		// is safe. This may not be a good idea
+		$element = $module->addElement($element_name, $type, $contents, $attr_collections, $attributes);
+		return $element;
+	}
+
+	/**
+	 * Adds a blank element to your HTML definition, for overriding
+	 * existing behavior
+	 * @note See HTMLPurifier_HTMLModule::addBlankElement for detailed
+	 *       parameter and return value descriptions.
+	 */
+	public function addBlankElement($element_name) {
+		$module  = $this->getAnonymousModule();
+		$element = $module->addBlankElement($element_name);
+		return $element;
+	}
+
+	/**
+	 * Retrieves a reference to the anonymous module, so you can
+	 * bust out advanced features without having to make your own
+	 * module.
+	 */
+	public function getAnonymousModule() {
+		if (!$this->_anonModule) {
+			$this->_anonModule = new HTMLPurifier_HTMLModule();
+			$this->_anonModule->name = 'Anonymous';
+		}
+		return $this->_anonModule;
+	}
+
+	private $_anonModule = null;
+
+
+	// PUBLIC BUT INTERNAL VARIABLES --------------------------------------
+
+	public $type = 'HTML';
+	public $manager; /**< Instance of HTMLPurifier_HTMLModuleManager */
+
+	/**
+	 * Performs low-cost, preliminary initialization.
+	 */
+	public function __construct() {
+		$this->manager = new HTMLPurifier_HTMLModuleManager();
+	}
+
+	protected function doSetup($config) {
+		$this->processModules($config);
+		$this->setupConfigStuff($config);
+		unset($this->manager);
+
+		// cleanup some of the element definitions
+		foreach ($this->info as $k => $v) {
+			unset($this->info[$k]->content_model);
+			unset($this->info[$k]->content_model_type);
+		}
+	}
+
+	/**
+	 * Extract out the information from the manager
+	 */
+	protected function processModules($config) {
+
+		if ($this->_anonModule) {
+			// for user specific changes
+			// this is late-loaded so we don't have to deal with PHP4
+			// reference wonky-ness
+			$this->manager->addModule($this->_anonModule);
+			unset($this->_anonModule);
+		}
+
+		$this->manager->setup($config);
+		$this->doctype = $this->manager->doctype;
+
+		foreach ($this->manager->modules as $module) {
+			foreach($module->info_tag_transform as $k => $v) {
+				if ($v === false) unset($this->info_tag_transform[$k]);
+				else $this->info_tag_transform[$k] = $v;
+			}
+			foreach($module->info_attr_transform_pre as $k => $v) {
+				if ($v === false) unset($this->info_attr_transform_pre[$k]);
+				else $this->info_attr_transform_pre[$k] = $v;
+			}
+			foreach($module->info_attr_transform_post as $k => $v) {
+				if ($v === false) unset($this->info_attr_transform_post[$k]);
+				else $this->info_attr_transform_post[$k] = $v;
+			}
+			foreach ($module->info_injector as $k => $v) {
+				if ($v === false) unset($this->info_injector[$k]);
+				else $this->info_injector[$k] = $v;
+			}
+		}
+
+		$this->info = $this->manager->getElements();
+		$this->info_content_sets = $this->manager->contentSets->lookup;
+
+	}
+
+	/**
+	 * Sets up stuff based on config. We need a better way of doing this.
+	 */
+	protected function setupConfigStuff($config) {
+
+		$block_wrapper = $config->get('HTML.BlockWrapper');
+		if (isset($this->info_content_sets['Block'][$block_wrapper])) {
+			$this->info_block_wrapper = $block_wrapper;
+		} else {
+			trigger_error('Cannot use non-block element as block wrapper',
+				E_USER_ERROR);
+		}
+
+		$parent = $config->get('HTML.Parent');
+		$def = $this->manager->getElement($parent, true);
+		if ($def) {
+			$this->info_parent = $parent;
+			$this->info_parent_def = $def;
+		} else {
+			trigger_error('Cannot use unrecognized element as parent',
+				E_USER_ERROR);
+			$this->info_parent_def = $this->manager->getElement($this->info_parent, true);
+		}
+
+		// support template text
+		$support = "(for information on implementing this, see the ".
+				   "support forums) ";
+
+		// setup allowed elements -----------------------------------------
+
+		$allowed_elements = $config->get('HTML.AllowedElements');
+		$allowed_attributes = $config->get('HTML.AllowedAttributes'); // retrieve early
+
+		if (!is_array($allowed_elements) && !is_array($allowed_attributes)) {
+			$allowed = $config->get('HTML.Allowed');
+			if (is_string($allowed)) {
+				list($allowed_elements, $allowed_attributes) = $this->parseTinyMCEAllowedList($allowed);
+			}
+		}
+
+		if (is_array($allowed_elements)) {
+			foreach ($this->info as $name => $d) {
+				if(!isset($allowed_elements[$name])) unset($this->info[$name]);
+				unset($allowed_elements[$name]);
+			}
+			// emit errors
+			foreach ($allowed_elements as $element => $d) {
+				$element = htmlspecialchars($element, ENT_COMPAT | ENT_HTML401, 'UTF-8', false); // PHP doesn't escape errors, be careful!
+				trigger_error("Element '$element' is not supported $support", E_USER_WARNING);
+			}
+		}
+
+		// setup allowed attributes ---------------------------------------
+
+		$allowed_attributes_mutable = $allowed_attributes; // by copy!
+		if (is_array($allowed_attributes)) {
+
+			// This actually doesn't do anything, since we went away from
+			// global attributes. It's possible that userland code uses
+			// it, but HTMLModuleManager doesn't!
+			foreach ($this->info_global_attr as $attr => $x) {
+				$keys = array($attr, "*@$attr", "*.$attr");
+				$delete = true;
+				foreach ($keys as $key) {
+					if ($delete && isset($allowed_attributes[$key])) {
+						$delete = false;
+					}
+					if (isset($allowed_attributes_mutable[$key])) {
+						unset($allowed_attributes_mutable[$key]);
+					}
+				}
+				if ($delete) unset($this->info_global_attr[$attr]);
+			}
+
+			foreach ($this->info as $tag => $info) {
+				foreach ($info->attr as $attr => $x) {
+					$keys = array("$tag@$attr", $attr, "*@$attr", "$tag.$attr", "*.$attr");
+					$delete = true;
+					foreach ($keys as $key) {
+						if ($delete && isset($allowed_attributes[$key])) {
+							$delete = false;
+						}
+						if (isset($allowed_attributes_mutable[$key])) {
+							unset($allowed_attributes_mutable[$key]);
+						}
+					}
+					if ($delete) {
+						if ($this->info[$tag]->attr[$attr]->required) {
+							trigger_error("Required attribute '$attr' in element '$tag' was not allowed, which means '$tag' will not be allowed either", E_USER_WARNING);
+						}
+						unset($this->info[$tag]->attr[$attr]);
+					}
+				}
+			}
+			// emit errors
+			foreach ($allowed_attributes_mutable as $elattr => $d) {
+				$bits = preg_split('/[.@]/', $elattr, 2);
+				$c = count($bits);
+				switch ($c) {
+					case 2:
+						if ($bits[0] !== '*') {
+							$element = htmlspecialchars($bits[0], ENT_COMPAT | ENT_HTML401, 'UTF-8', false);
+							$attribute = htmlspecialchars($bits[1], ENT_COMPAT | ENT_HTML401, 'UTF-8', false);
+							if (!isset($this->info[$element])) {
+								trigger_error("Cannot allow attribute '$attribute' if element '$element' is not allowed/supported $support");
+							} else {
+								trigger_error("Attribute '$attribute' in element '$element' not supported $support",
+									E_USER_WARNING);
+							}
+							break;
+						}
+						// otherwise fall through
+					case 1:
+						$attribute = htmlspecialchars($bits[0], ENT_COMPAT | ENT_HTML401, 'UTF-8', false);
+						trigger_error("Global attribute '$attribute' is not ".
+							"supported in any elements $support",
+							E_USER_WARNING);
+						break;
+				}
+			}
+
+		}
+
+		// setup forbidden elements ---------------------------------------
+
+		$forbidden_elements   = $config->get('HTML.ForbiddenElements');
+		$forbidden_attributes = $config->get('HTML.ForbiddenAttributes');
+
+		foreach ($this->info as $tag => $info) {
+			if (isset($forbidden_elements[$tag])) {
+				unset($this->info[$tag]);
+				continue;
+			}
+			foreach ($info->attr as $attr => $x) {
+				if (
+					isset($forbidden_attributes["$tag@$attr"]) ||
+					isset($forbidden_attributes["*@$attr"]) ||
+					isset($forbidden_attributes[$attr])
+				) {
+					unset($this->info[$tag]->attr[$attr]);
+					continue;
+				} // this segment might get removed eventually
+				elseif (isset($forbidden_attributes["$tag.$attr"])) {
+					// $tag.$attr are not user supplied, so no worries!
+					trigger_error("Error with $tag.$attr: tag.attr syntax not supported for HTML.ForbiddenAttributes; use tag@attr instead", E_USER_WARNING);
+				}
+			}
+		}
+		foreach ($forbidden_attributes as $key => $v) {
+			if (strlen($key) < 2) continue;
+			if ($key[0] != '*') continue;
+			if ($key[1] == '.') {
+				trigger_error("Error with $key: *.attr syntax not supported for HTML.ForbiddenAttributes; use attr instead", E_USER_WARNING);
+			}
+		}
+
+		// setup injectors -----------------------------------------------------
+		foreach ($this->info_injector as $i => $injector) {
+			if ($injector->checkNeeded($config) !== false) {
+				// remove injector that does not have it's required
+				// elements/attributes present, and is thus not needed.
+				unset($this->info_injector[$i]);
+			}
+		}
+	}
+
+	/**
+	 * Parses a TinyMCE-flavored Allowed Elements and Attributes list into
+	 * separate lists for processing. Format is element[attr1|attr2],element2...
+	 * @warning Although it's largely drawn from TinyMCE's implementation,
+	 *      it is different, and you'll probably have to modify your lists
+	 * @param $list String list to parse
+	 * @param array($allowed_elements, $allowed_attributes)
+	 * @todo Give this its own class, probably static interface
+	 */
+	public function parseTinyMCEAllowedList($list) {
+
+		$list = str_replace(array(' ', "\t"), '', $list);
+
+		$elements = array();
+		$attributes = array();
+
+		$chunks = preg_split('/(,|[\n\r]+)/', $list);
+		foreach ($chunks as $chunk) {
+			if (empty($chunk)) continue;
+			// remove TinyMCE element control characters
+			if (!strpos($chunk, '[')) {
+				$element = $chunk;
+				$attr = false;
+			} else {
+				list($element, $attr) = explode('[', $chunk);
+			}
+			if ($element !== '*') $elements[$element] = true;
+			if (!$attr) continue;
+			$attr = substr($attr, 0, strlen($attr) - 1); // remove trailing ]
+			$attr = explode('|', $attr);
+			foreach ($attr as $key) {
+				$attributes["$element.$key"] = true;
+			}
+		}
+
+		return array($elements, $attributes);
+
+	}
 
 
 }

Braces +41 added lines, -15 removed lines

@@ -192,20 +192,32 @@ 
 
         foreach ($this->manager->modules as $module) {
             foreach($module->info_tag_transform as $k => $v) {
-                if ($v === false) unset($this->info_tag_transform[$k]);
-                else $this->info_tag_transform[$k] = $v;
+                if ($v === false) {
+                	unset($this->info_tag_transform[$k]);
+                } else {
+                	$this->info_tag_transform[$k] = $v;
+                }
             }
             foreach($module->info_attr_transform_pre as $k => $v) {
-                if ($v === false) unset($this->info_attr_transform_pre[$k]);
-                else $this->info_attr_transform_pre[$k] = $v;
+                if ($v === false) {
+                	unset($this->info_attr_transform_pre[$k]);
+                } else {
+                	$this->info_attr_transform_pre[$k] = $v;
+                }
             }
             foreach($module->info_attr_transform_post as $k => $v) {
-                if ($v === false) unset($this->info_attr_transform_post[$k]);
-                else $this->info_attr_transform_post[$k] = $v;
+                if ($v === false) {
+                	unset($this->info_attr_transform_post[$k]);
+                } else {
+                	$this->info_attr_transform_post[$k] = $v;
+                }
             }
             foreach ($module->info_injector as $k => $v) {
-                if ($v === false) unset($this->info_injector[$k]);
-                else $this->info_injector[$k] = $v;
+                if ($v === false) {
+                	unset($this->info_injector[$k]);
+                } else {
+                	$this->info_injector[$k] = $v;
+                }
             }
         }
 
@@ -256,7 +268,9 @@ 
 
         if (is_array($allowed_elements)) {
             foreach ($this->info as $name => $d) {
-                if(!isset($allowed_elements[$name])) unset($this->info[$name]);
+                if(!isset($allowed_elements[$name])) {
+                	unset($this->info[$name]);
+                }
                 unset($allowed_elements[$name]);
             }
             // emit errors
@@ -285,7 +299,9 @@ 
                         unset($allowed_attributes_mutable[$key]);
                     }
                 }
-                if ($delete) unset($this->info_global_attr[$attr]);
+                if ($delete) {
+                	unset($this->info_global_attr[$attr]);
+                }
             }
 
             foreach ($this->info as $tag => $info) {
@@ -363,8 +379,12 @@ 
             }
         }
         foreach ($forbidden_attributes as $key => $v) {
-            if (strlen($key) < 2) continue;
-            if ($key[0] != '*') continue;
+            if (strlen($key) < 2) {
+            	continue;
+            }
+            if ($key[0] != '*') {
+            	continue;
+            }
             if ($key[1] == '.') {
                 trigger_error("Error with $key: *.attr syntax not supported for HTML.ForbiddenAttributes; use attr instead", E_USER_WARNING);
             }
@@ -398,7 +418,9 @@ 
 
         $chunks = preg_split('/(,|[\n\r]+)/', $list);
         foreach ($chunks as $chunk) {
-            if (empty($chunk)) continue;
+            if (empty($chunk)) {
+            	continue;
+            }
             // remove TinyMCE element control characters
             if (!strpos($chunk, '[')) {
                 $element = $chunk;
@@ -406,8 +428,12 @@ 
             } else {
                 list($element, $attr) = explode('[', $chunk);
             }
-            if ($element !== '*') $elements[$element] = true;
-            if (!$attr) continue;
+            if ($element !== '*') {
+            	$elements[$element] = true;
+            }
+            if (!$attr) {
+            	continue;
+            }
             $attr = substr($attr, 0, strlen($attr) - 1); // remove trailing ]
             $attr = explode('|', $attr);
             foreach ($attr as $key) {

Spacing +4 added lines, -4 removed lines

@@ -191,15 +191,15 @@ 
         $this->doctype = $this->manager->doctype;
 
         foreach ($this->manager->modules as $module) {
-            foreach($module->info_tag_transform as $k => $v) {
+            foreach ($module->info_tag_transform as $k => $v) {
                 if ($v === false) unset($this->info_tag_transform[$k]);
                 else $this->info_tag_transform[$k] = $v;
             }
-            foreach($module->info_attr_transform_pre as $k => $v) {
+            foreach ($module->info_attr_transform_pre as $k => $v) {
                 if ($v === false) unset($this->info_attr_transform_pre[$k]);
                 else $this->info_attr_transform_pre[$k] = $v;
             }
-            foreach($module->info_attr_transform_post as $k => $v) {
+            foreach ($module->info_attr_transform_post as $k => $v) {
                 if ($v === false) unset($this->info_attr_transform_post[$k]);
                 else $this->info_attr_transform_post[$k] = $v;
             }
@@ -256,7 +256,7 @@ 
 
         if (is_array($allowed_elements)) {
             foreach ($this->info as $name => $d) {
-                if(!isset($allowed_elements[$name])) unset($this->info[$name]);
+                if (!isset($allowed_elements[$name])) unset($this->info[$name]);
                 unset($allowed_elements[$name]);
             }
             // emit errors