xpressengine / xe-core

classes/security/htmlpurifier/library/HTMLPurifier/DefinitionCacheFactory.php

Indentation +74 added lines, -74 removed lines

@@ -6,85 +6,85 @@
 class HTMLPurifier_DefinitionCacheFactory
 {
 
-    protected $caches = array('Serializer' => array());
-    protected $implementations = array();
-    protected $decorators = array();
+	protected $caches = array('Serializer' => array());
+	protected $implementations = array();
+	protected $decorators = array();
 
-    /**
-     * Initialize default decorators
-     */
-    public function setup() {
-        $this->addDecorator('Cleanup');
-    }
+	/**
+	 * Initialize default decorators
+	 */
+	public function setup() {
+		$this->addDecorator('Cleanup');
+	}
 
-    /**
-     * Retrieves an instance of global definition cache factory.
-     */
-    public static function instance($prototype = null) {
-        static $instance;
-        if ($prototype !== null) {
-            $instance = $prototype;
-        } elseif ($instance === null || $prototype === true) {
-            $instance = new HTMLPurifier_DefinitionCacheFactory();
-            $instance->setup();
-        }
-        return $instance;
-    }
+	/**
+	 * Retrieves an instance of global definition cache factory.
+	 */
+	public static function instance($prototype = null) {
+		static $instance;
+		if ($prototype !== null) {
+			$instance = $prototype;
+		} elseif ($instance === null || $prototype === true) {
+			$instance = new HTMLPurifier_DefinitionCacheFactory();
+			$instance->setup();
+		}
+		return $instance;
+	}
 
-    /**
-     * Registers a new definition cache object
-     * @param $short Short name of cache object, for reference
-     * @param $long Full class name of cache object, for construction
-     */
-    public function register($short, $long) {
-        $this->implementations[$short] = $long;
-    }
+	/**
+	 * Registers a new definition cache object
+	 * @param $short Short name of cache object, for reference
+	 * @param $long Full class name of cache object, for construction
+	 */
+	public function register($short, $long) {
+		$this->implementations[$short] = $long;
+	}
 
-    /**
-     * Factory method that creates a cache object based on configuration
-     * @param $name Name of definitions handled by cache
-     * @param $config Instance of HTMLPurifier_Config
-     */
-    public function create($type, $config) {
-        $method = $config->get('Cache.DefinitionImpl');
-        if ($method === null) {
-            return new HTMLPurifier_DefinitionCache_Null($type);
-        }
-        if (!empty($this->caches[$method][$type])) {
-            return $this->caches[$method][$type];
-        }
-        if (
-          isset($this->implementations[$method]) &&
-          class_exists($class = $this->implementations[$method], false)
-        ) {
-            $cache = new $class($type);
-        } else {
-            if ($method != 'Serializer') {
-                trigger_error("Unrecognized DefinitionCache $method, using Serializer instead", E_USER_WARNING);
-            }
-            $cache = new HTMLPurifier_DefinitionCache_Serializer($type);
-        }
-        foreach ($this->decorators as $decorator) {
-            $new_cache = $decorator->decorate($cache);
-            // prevent infinite recursion in PHP 4
-            unset($cache);
-            $cache = $new_cache;
-        }
-        $this->caches[$method][$type] = $cache;
-        return $this->caches[$method][$type];
-    }
+	/**
+	 * Factory method that creates a cache object based on configuration
+	 * @param $name Name of definitions handled by cache
+	 * @param $config Instance of HTMLPurifier_Config
+	 */
+	public function create($type, $config) {
+		$method = $config->get('Cache.DefinitionImpl');
+		if ($method === null) {
+			return new HTMLPurifier_DefinitionCache_Null($type);
+		}
+		if (!empty($this->caches[$method][$type])) {
+			return $this->caches[$method][$type];
+		}
+		if (
+		  isset($this->implementations[$method]) &&
+		  class_exists($class = $this->implementations[$method], false)
+		) {
+			$cache = new $class($type);
+		} else {
+			if ($method != 'Serializer') {
+				trigger_error("Unrecognized DefinitionCache $method, using Serializer instead", E_USER_WARNING);
+			}
+			$cache = new HTMLPurifier_DefinitionCache_Serializer($type);
+		}
+		foreach ($this->decorators as $decorator) {
+			$new_cache = $decorator->decorate($cache);
+			// prevent infinite recursion in PHP 4
+			unset($cache);
+			$cache = $new_cache;
+		}
+		$this->caches[$method][$type] = $cache;
+		return $this->caches[$method][$type];
+	}
 
-    /**
-     * Registers a decorator to add to all new cache objects
-     * @param
-     */
-    public function addDecorator($decorator) {
-        if (is_string($decorator)) {
-            $class = "HTMLPurifier_DefinitionCache_Decorator_$decorator";
-            $decorator = new $class;
-        }
-        $this->decorators[$decorator->name] = $decorator;
-    }
+	/**
+	 * Registers a decorator to add to all new cache objects
+	 * @param
+	 */
+	public function addDecorator($decorator) {
+		if (is_string($decorator)) {
+			$class = "HTMLPurifier_DefinitionCache_Decorator_$decorator";
+			$decorator = new $class;
+		}
+		$this->decorators[$decorator->name] = $decorator;
+	}
 
 }
 

classes/security/htmlpurifier/library/HTMLPurifier/Doctype.php

Indentation +47 added lines, -47 removed lines

@@ -8,53 +8,53 @@
  */
 class HTMLPurifier_Doctype
 {
-    /**
-     * Full name of doctype
-     */
-    public $name;
-
-    /**
-     * List of standard modules (string identifiers or literal objects)
-     * that this doctype uses
-     */
-    public $modules = array();
-
-    /**
-     * List of modules to use for tidying up code
-     */
-    public $tidyModules = array();
-
-    /**
-     * Is the language derived from XML (i.e. XHTML)?
-     */
-    public $xml = true;
-
-    /**
-     * List of aliases for this doctype
-     */
-    public $aliases = array();
-
-    /**
-     * Public DTD identifier
-     */
-    public $dtdPublic;
-
-    /**
-     * System DTD identifier
-     */
-    public $dtdSystem;
-
-    public function __construct($name = null, $xml = true, $modules = array(),
-        $tidyModules = array(), $aliases = array(), $dtd_public = null, $dtd_system = null
-    ) {
-        $this->name         = $name;
-        $this->xml          = $xml;
-        $this->modules      = $modules;
-        $this->tidyModules  = $tidyModules;
-        $this->aliases      = $aliases;
-        $this->dtdPublic    = $dtd_public;
-        $this->dtdSystem    = $dtd_system;
-    }
+	/**
+	 * Full name of doctype
+	 */
+	public $name;
+
+	/**
+	 * List of standard modules (string identifiers or literal objects)
+	 * that this doctype uses
+	 */
+	public $modules = array();
+
+	/**
+	 * List of modules to use for tidying up code
+	 */
+	public $tidyModules = array();
+
+	/**
+	 * Is the language derived from XML (i.e. XHTML)?
+	 */
+	public $xml = true;
+
+	/**
+	 * List of aliases for this doctype
+	 */
+	public $aliases = array();
+
+	/**
+	 * Public DTD identifier
+	 */
+	public $dtdPublic;
+
+	/**
+	 * System DTD identifier
+	 */
+	public $dtdSystem;
+
+	public function __construct($name = null, $xml = true, $modules = array(),
+		$tidyModules = array(), $aliases = array(), $dtd_public = null, $dtd_system = null
+	) {
+		$this->name         = $name;
+		$this->xml          = $xml;
+		$this->modules      = $modules;
+		$this->tidyModules  = $tidyModules;
+		$this->aliases      = $aliases;
+		$this->dtdPublic    = $dtd_public;
+		$this->dtdSystem    = $dtd_system;
+	}
 }
 
 // vim: et sw=4 sts=4

classes/security/htmlpurifier/library/HTMLPurifier/ElementDef.php

Indentation +166 added lines, -166 removed lines

@@ -11,172 +11,172 @@
 class HTMLPurifier_ElementDef
 {
 
-    /**
-     * Does the definition work by itself, or is it created solely
-     * for the purpose of merging into another definition?
-     */
-    public $standalone = true;
-
-    /**
-     * Associative array of attribute name to HTMLPurifier_AttrDef
-     * @note Before being processed by HTMLPurifier_AttrCollections
-     *       when modules are finalized during
-     *       HTMLPurifier_HTMLDefinition->setup(), this array may also
-     *       contain an array at index 0 that indicates which attribute
-     *       collections to load into the full array. It may also
-     *       contain string indentifiers in lieu of HTMLPurifier_AttrDef,
-     *       see HTMLPurifier_AttrTypes on how they are expanded during
-     *       HTMLPurifier_HTMLDefinition->setup() processing.
-     */
-    public $attr = array();
-
-    /**
-     * Indexed list of tag's HTMLPurifier_AttrTransform to be done before validation
-     */
-    public $attr_transform_pre = array();
-
-    /**
-     * Indexed list of tag's HTMLPurifier_AttrTransform to be done after validation
-     */
-    public $attr_transform_post = array();
-
-    /**
-     * HTMLPurifier_ChildDef of this tag.
-     */
-    public $child;
-
-    /**
-     * Abstract string representation of internal ChildDef rules. See
-     * HTMLPurifier_ContentSets for how this is parsed and then transformed
-     * into an HTMLPurifier_ChildDef.
-     * @warning This is a temporary variable that is not available after
-     *      being processed by HTMLDefinition
-     */
-    public $content_model;
-
-    /**
-     * Value of $child->type, used to determine which ChildDef to use,
-     * used in combination with $content_model.
-     * @warning This must be lowercase
-     * @warning This is a temporary variable that is not available after
-     *      being processed by HTMLDefinition
-     */
-    public $content_model_type;
-
-
-
-    /**
-     * Does the element have a content model (#PCDATA | Inline)*? This
-     * is important for chameleon ins and del processing in
-     * HTMLPurifier_ChildDef_Chameleon. Dynamically set: modules don't
-     * have to worry about this one.
-     */
-    public $descendants_are_inline = false;
-
-    /**
-     * List of the names of required attributes this element has. Dynamically
-     * populated by HTMLPurifier_HTMLDefinition::getElement
-     */
-    public $required_attr = array();
-
-    /**
-     * Lookup table of tags excluded from all descendants of this tag.
-     * @note SGML permits exclusions for all descendants, but this is
-     *       not possible with DTDs or XML Schemas. W3C has elected to
-     *       use complicated compositions of content_models to simulate
-     *       exclusion for children, but we go the simpler, SGML-style
-     *       route of flat-out exclusions, which correctly apply to
-     *       all descendants and not just children. Note that the XHTML
-     *       Modularization Abstract Modules are blithely unaware of such
-     *       distinctions.
-     */
-    public $excludes = array();
-
-    /**
-     * This tag is explicitly auto-closed by the following tags.
-     */
-    public $autoclose = array();
-
-    /**
-     * If a foreign element is found in this element, test if it is
-     * allowed by this sub-element; if it is, instead of closing the
-     * current element, place it inside this element.
-     */
-    public $wrap;
-
-    /**
-     * Whether or not this is a formatting element affected by the
-     * "Active Formatting Elements" algorithm.
-     */
-    public $formatting;
-
-    /**
-     * Low-level factory constructor for creating new standalone element defs
-     */
-    public static function create($content_model, $content_model_type, $attr) {
-        $def = new HTMLPurifier_ElementDef();
-        $def->content_model = $content_model;
-        $def->content_model_type = $content_model_type;
-        $def->attr = $attr;
-        return $def;
-    }
-
-    /**
-     * Merges the values of another element definition into this one.
-     * Values from the new element def take precedence if a value is
-     * not mergeable.
-     */
-    public function mergeIn($def) {
-
-        // later keys takes precedence
-        foreach($def->attr as $k => $v) {
-            if ($k === 0) {
-                // merge in the includes
-                // sorry, no way to override an include
-                foreach ($v as $v2) {
-                    $this->attr[0][] = $v2;
-                }
-                continue;
-            }
-            if ($v === false) {
-                if (isset($this->attr[$k])) unset($this->attr[$k]);
-                continue;
-            }
-            $this->attr[$k] = $v;
-        }
-        $this->_mergeAssocArray($this->attr_transform_pre, $def->attr_transform_pre);
-        $this->_mergeAssocArray($this->attr_transform_post, $def->attr_transform_post);
-        $this->_mergeAssocArray($this->excludes, $def->excludes);
-
-        if(!empty($def->content_model)) {
-            $this->content_model =
-                str_replace("#SUPER", $this->content_model, $def->content_model);
-            $this->child = false;
-        }
-        if(!empty($def->content_model_type)) {
-            $this->content_model_type = $def->content_model_type;
-            $this->child = false;
-        }
-        if(!is_null($def->child)) $this->child = $def->child;
-        if(!is_null($def->formatting)) $this->formatting = $def->formatting;
-        if($def->descendants_are_inline) $this->descendants_are_inline = $def->descendants_are_inline;
-
-    }
-
-    /**
-     * Merges one array into another, removes values which equal false
-     * @param $a1 Array by reference that is merged into
-     * @param $a2 Array that merges into $a1
-     */
-    private function _mergeAssocArray(&$a1, $a2) {
-        foreach ($a2 as $k => $v) {
-            if ($v === false) {
-                if (isset($a1[$k])) unset($a1[$k]);
-                continue;
-            }
-            $a1[$k] = $v;
-        }
-    }
+	/**
+	 * Does the definition work by itself, or is it created solely
+	 * for the purpose of merging into another definition?
+	 */
+	public $standalone = true;
+
+	/**
+	 * Associative array of attribute name to HTMLPurifier_AttrDef
+	 * @note Before being processed by HTMLPurifier_AttrCollections
+	 *       when modules are finalized during
+	 *       HTMLPurifier_HTMLDefinition->setup(), this array may also
+	 *       contain an array at index 0 that indicates which attribute
+	 *       collections to load into the full array. It may also
+	 *       contain string indentifiers in lieu of HTMLPurifier_AttrDef,
+	 *       see HTMLPurifier_AttrTypes on how they are expanded during
+	 *       HTMLPurifier_HTMLDefinition->setup() processing.
+	 */
+	public $attr = array();
+
+	/**
+	 * Indexed list of tag's HTMLPurifier_AttrTransform to be done before validation
+	 */
+	public $attr_transform_pre = array();
+
+	/**
+	 * Indexed list of tag's HTMLPurifier_AttrTransform to be done after validation
+	 */
+	public $attr_transform_post = array();
+
+	/**
+	 * HTMLPurifier_ChildDef of this tag.
+	 */
+	public $child;
+
+	/**
+	 * Abstract string representation of internal ChildDef rules. See
+	 * HTMLPurifier_ContentSets for how this is parsed and then transformed
+	 * into an HTMLPurifier_ChildDef.
+	 * @warning This is a temporary variable that is not available after
+	 *      being processed by HTMLDefinition
+	 */
+	public $content_model;
+
+	/**
+	 * Value of $child->type, used to determine which ChildDef to use,
+	 * used in combination with $content_model.
+	 * @warning This must be lowercase
+	 * @warning This is a temporary variable that is not available after
+	 *      being processed by HTMLDefinition
+	 */
+	public $content_model_type;
+
+
+
+	/**
+	 * Does the element have a content model (#PCDATA | Inline)*? This
+	 * is important for chameleon ins and del processing in
+	 * HTMLPurifier_ChildDef_Chameleon. Dynamically set: modules don't
+	 * have to worry about this one.
+	 */
+	public $descendants_are_inline = false;
+
+	/**
+	 * List of the names of required attributes this element has. Dynamically
+	 * populated by HTMLPurifier_HTMLDefinition::getElement
+	 */
+	public $required_attr = array();
+
+	/**
+	 * Lookup table of tags excluded from all descendants of this tag.
+	 * @note SGML permits exclusions for all descendants, but this is
+	 *       not possible with DTDs or XML Schemas. W3C has elected to
+	 *       use complicated compositions of content_models to simulate
+	 *       exclusion for children, but we go the simpler, SGML-style
+	 *       route of flat-out exclusions, which correctly apply to
+	 *       all descendants and not just children. Note that the XHTML
+	 *       Modularization Abstract Modules are blithely unaware of such
+	 *       distinctions.
+	 */
+	public $excludes = array();
+
+	/**
+	 * This tag is explicitly auto-closed by the following tags.
+	 */
+	public $autoclose = array();
+
+	/**
+	 * If a foreign element is found in this element, test if it is
+	 * allowed by this sub-element; if it is, instead of closing the
+	 * current element, place it inside this element.
+	 */
+	public $wrap;
+
+	/**
+	 * Whether or not this is a formatting element affected by the
+	 * "Active Formatting Elements" algorithm.
+	 */
+	public $formatting;
+
+	/**
+	 * Low-level factory constructor for creating new standalone element defs
+	 */
+	public static function create($content_model, $content_model_type, $attr) {
+		$def = new HTMLPurifier_ElementDef();
+		$def->content_model = $content_model;
+		$def->content_model_type = $content_model_type;
+		$def->attr = $attr;
+		return $def;
+	}
+
+	/**
+	 * Merges the values of another element definition into this one.
+	 * Values from the new element def take precedence if a value is
+	 * not mergeable.
+	 */
+	public function mergeIn($def) {
+
+		// later keys takes precedence
+		foreach($def->attr as $k => $v) {
+			if ($k === 0) {
+				// merge in the includes
+				// sorry, no way to override an include
+				foreach ($v as $v2) {
+					$this->attr[0][] = $v2;
+				}
+				continue;
+			}
+			if ($v === false) {
+				if (isset($this->attr[$k])) unset($this->attr[$k]);
+				continue;
+			}
+			$this->attr[$k] = $v;
+		}
+		$this->_mergeAssocArray($this->attr_transform_pre, $def->attr_transform_pre);
+		$this->_mergeAssocArray($this->attr_transform_post, $def->attr_transform_post);
+		$this->_mergeAssocArray($this->excludes, $def->excludes);
+
+		if(!empty($def->content_model)) {
+			$this->content_model =
+				str_replace("#SUPER", $this->content_model, $def->content_model);
+			$this->child = false;
+		}
+		if(!empty($def->content_model_type)) {
+			$this->content_model_type = $def->content_model_type;
+			$this->child = false;
+		}
+		if(!is_null($def->child)) $this->child = $def->child;
+		if(!is_null($def->formatting)) $this->formatting = $def->formatting;
+		if($def->descendants_are_inline) $this->descendants_are_inline = $def->descendants_are_inline;
+
+	}
+
+	/**
+	 * Merges one array into another, removes values which equal false
+	 * @param $a1 Array by reference that is merged into
+	 * @param $a2 Array that merges into $a1
+	 */
+	private function _mergeAssocArray(&$a1, $a2) {
+		foreach ($a2 as $k => $v) {
+			if ($v === false) {
+				if (isset($a1[$k])) unset($a1[$k]);
+				continue;
+			}
+			$a1[$k] = $v;
+		}
+	}
 
 }
 

Spacing +6 added lines, -6 removed lines

@@ -129,7 +129,7 @@ 
     public function mergeIn($def) {
 
         // later keys takes precedence
-        foreach($def->attr as $k => $v) {
+        foreach ($def->attr as $k => $v) {
             if ($k === 0) {
                 // merge in the includes
                 // sorry, no way to override an include
@@ -148,18 +148,18 @@ 
         $this->_mergeAssocArray($this->attr_transform_post, $def->attr_transform_post);
         $this->_mergeAssocArray($this->excludes, $def->excludes);
 
-        if(!empty($def->content_model)) {
+        if (!empty($def->content_model)) {
             $this->content_model =
                 str_replace("#SUPER", $this->content_model, $def->content_model);
             $this->child = false;
         }
-        if(!empty($def->content_model_type)) {
+        if (!empty($def->content_model_type)) {
             $this->content_model_type = $def->content_model_type;
             $this->child = false;
         }
-        if(!is_null($def->child)) $this->child = $def->child;
-        if(!is_null($def->formatting)) $this->formatting = $def->formatting;
-        if($def->descendants_are_inline) $this->descendants_are_inline = $def->descendants_are_inline;
+        if (!is_null($def->child)) $this->child = $def->child;
+        if (!is_null($def->formatting)) $this->formatting = $def->formatting;
+        if ($def->descendants_are_inline) $this->descendants_are_inline = $def->descendants_are_inline;
 
     }
 

Braces +15 added lines, -5 removed lines

@@ -139,7 +139,9 @@ 
                 continue;
             }
             if ($v === false) {
-                if (isset($this->attr[$k])) unset($this->attr[$k]);
+                if (isset($this->attr[$k])) {
+                	unset($this->attr[$k]);
+                }
                 continue;
             }
             $this->attr[$k] = $v;
@@ -157,9 +159,15 @@ 
             $this->content_model_type = $def->content_model_type;
             $this->child = false;
         }
-        if(!is_null($def->child)) $this->child = $def->child;
-        if(!is_null($def->formatting)) $this->formatting = $def->formatting;
-        if($def->descendants_are_inline) $this->descendants_are_inline = $def->descendants_are_inline;
+        if(!is_null($def->child)) {
+        	$this->child = $def->child;
+        }
+        if(!is_null($def->formatting)) {
+        	$this->formatting = $def->formatting;
+        }
+        if($def->descendants_are_inline) {
+        	$this->descendants_are_inline = $def->descendants_are_inline;
+        }
 
     }
 
@@ -171,7 +179,9 @@ 
     private function _mergeAssocArray(&$a1, $a2) {
         foreach ($a2 as $k => $v) {
             if ($v === false) {
-                if (isset($a1[$k])) unset($a1[$k]);
+                if (isset($a1[$k])) {
+                	unset($a1[$k]);
+                }
                 continue;
             }
             $a1[$k] = $v;

classes/security/htmlpurifier/library/HTMLPurifier/EntityLookup.php

Indentation +31 added lines, -31 removed lines

@@ -5,39 +5,39 @@
  */
 class HTMLPurifier_EntityLookup {
 
-    /**
-     * Assoc array of entity name to character represented.
-     */
-    public $table;
+	/**
+	 * Assoc array of entity name to character represented.
+	 */
+	public $table;
 
-    /**
-     * Sets up the entity lookup table from the serialized file contents.
-     * @note The serialized contents are versioned, but were generated
-     *       using the maintenance script generate_entity_file.php
-     * @warning This is not in constructor to help enforce the Singleton
-     */
-    public function setup($file = false) {
-        if (!$file) {
-            $file = HTMLPURIFIER_PREFIX . '/HTMLPurifier/EntityLookup/entities.ser';
-        }
-        $this->table = unserialize(file_get_contents($file));
-    }
+	/**
+	 * Sets up the entity lookup table from the serialized file contents.
+	 * @note The serialized contents are versioned, but were generated
+	 *       using the maintenance script generate_entity_file.php
+	 * @warning This is not in constructor to help enforce the Singleton
+	 */
+	public function setup($file = false) {
+		if (!$file) {
+			$file = HTMLPURIFIER_PREFIX . '/HTMLPurifier/EntityLookup/entities.ser';
+		}
+		$this->table = unserialize(file_get_contents($file));
+	}
 
-    /**
-     * Retrieves sole instance of the object.
-     * @param Optional prototype of custom lookup table to overload with.
-     */
-    public static function instance($prototype = false) {
-        // no references, since PHP doesn't copy unless modified
-        static $instance = null;
-        if ($prototype) {
-            $instance = $prototype;
-        } elseif (!$instance) {
-            $instance = new HTMLPurifier_EntityLookup();
-            $instance->setup();
-        }
-        return $instance;
-    }
+	/**
+	 * Retrieves sole instance of the object.
+	 * @param Optional prototype of custom lookup table to overload with.
+	 */
+	public static function instance($prototype = false) {
+		// no references, since PHP doesn't copy unless modified
+		static $instance = null;
+		if ($prototype) {
+			$instance = $prototype;
+		} elseif (!$instance) {
+			$instance = new HTMLPurifier_EntityLookup();
+			$instance->setup();
+		}
+		return $instance;
+	}
 
 }
 

Spacing +1 added lines, -1 removed lines

@@ -18,7 +18,7 @@
      */
     public function setup($file = false) {
         if (!$file) {
-            $file = HTMLPURIFIER_PREFIX . '/HTMLPurifier/EntityLookup/entities.ser';
+            $file = HTMLPURIFIER_PREFIX.'/HTMLPurifier/EntityLookup/entities.ser';
         }
         $this->table = unserialize(file_get_contents($file));
     }

classes/security/htmlpurifier/library/HTMLPurifier/EntityParser.php

Indentation +124 added lines, -124 removed lines

@@ -10,134 +10,134 @@
 class HTMLPurifier_EntityParser
 {
 
-    /**
-     * Reference to entity lookup table.
-     */
-    protected $_entity_lookup;
-
-    /**
-     * Callback regex string for parsing entities.
-     */
-    protected $_substituteEntitiesRegex =
+	/**
+	 * Reference to entity lookup table.
+	 */
+	protected $_entity_lookup;
+
+	/**
+	 * Callback regex string for parsing entities.
+	 */
+	protected $_substituteEntitiesRegex =
 '/&(?:[#]x([a-fA-F0-9]+)|[#]0*(\d+)|([A-Za-z_:][A-Za-z0-9.\-_:]*));?/';
 //     1. hex             2. dec      3. string (XML style)
 
 
-    /**
-     * Decimal to parsed string conversion table for special entities.
-     */
-    protected $_special_dec2str =
-            array(
-                    34 => '"',
-                    38 => '&',
-                    39 => "'",
-                    60 => '<',
-                    62 => '>'
-            );
-
-    /**
-     * Stripped entity names to decimal conversion table for special entities.
-     */
-    protected $_special_ent2dec =
-            array(
-                    'quot' => 34,
-                    'amp'  => 38,
-                    'lt'   => 60,
-                    'gt'   => 62
-            );
-
-    /**
-     * Substitutes non-special entities with their parsed equivalents. Since
-     * running this whenever you have parsed character is t3h 5uck, we run
-     * it before everything else.
-     *
-     * @param $string String to have non-special entities parsed.
-     * @returns Parsed string.
-     */
-    public function substituteNonSpecialEntities($string) {
-        // it will try to detect missing semicolons, but don't rely on it
-        return preg_replace_callback(
-            $this->_substituteEntitiesRegex,
-            array($this, 'nonSpecialEntityCallback'),
-            $string
-            );
-    }
-
-    /**
-     * Callback function for substituteNonSpecialEntities() that does the work.
-     *
-     * @param $matches  PCRE matches array, with 0 the entire match, and
-     *                  either index 1, 2 or 3 set with a hex value, dec value,
-     *                  or string (respectively).
-     * @returns Replacement string.
-     */
-
-    protected function nonSpecialEntityCallback($matches) {
-        // replaces all but big five
-        $entity = $matches[0];
-        $is_num = (@$matches[0][1] === '#');
-        if ($is_num) {
-            $is_hex = (@$entity[2] === 'x');
-            $code = $is_hex ? hexdec($matches[1]) : (int) $matches[2];
-
-            // abort for special characters
-            if (isset($this->_special_dec2str[$code]))  return $entity;
-
-            return HTMLPurifier_Encoder::unichr($code);
-        } else {
-            if (isset($this->_special_ent2dec[$matches[3]])) return $entity;
-            if (!$this->_entity_lookup) {
-                $this->_entity_lookup = HTMLPurifier_EntityLookup::instance();
-            }
-            if (isset($this->_entity_lookup->table[$matches[3]])) {
-                return $this->_entity_lookup->table[$matches[3]];
-            } else {
-                return $entity;
-            }
-        }
-    }
-
-    /**
-     * Substitutes only special entities with their parsed equivalents.
-     *
-     * @notice We try to avoid calling this function because otherwise, it
-     * would have to be called a lot (for every parsed section).
-     *
-     * @param $string String to have non-special entities parsed.
-     * @returns Parsed string.
-     */
-    public function substituteSpecialEntities($string) {
-        return preg_replace_callback(
-            $this->_substituteEntitiesRegex,
-            array($this, 'specialEntityCallback'),
-            $string);
-    }
-
-    /**
-     * Callback function for substituteSpecialEntities() that does the work.
-     *
-     * This callback has same syntax as nonSpecialEntityCallback().
-     *
-     * @param $matches  PCRE-style matches array, with 0 the entire match, and
-     *                  either index 1, 2 or 3 set with a hex value, dec value,
-     *                  or string (respectively).
-     * @returns Replacement string.
-     */
-    protected function specialEntityCallback($matches) {
-        $entity = $matches[0];
-        $is_num = (@$matches[0][1] === '#');
-        if ($is_num) {
-            $is_hex = (@$entity[2] === 'x');
-            $int = $is_hex ? hexdec($matches[1]) : (int) $matches[2];
-            return isset($this->_special_dec2str[$int]) ?
-                $this->_special_dec2str[$int] :
-                $entity;
-        } else {
-            return isset($this->_special_ent2dec[$matches[3]]) ?
-                $this->_special_ent2dec[$matches[3]] :
-                $entity;
-        }
-    }
+	/**
+	 * Decimal to parsed string conversion table for special entities.
+	 */
+	protected $_special_dec2str =
+			array(
+					34 => '"',
+					38 => '&',
+					39 => "'",
+					60 => '<',
+					62 => '>'
+			);
+
+	/**
+	 * Stripped entity names to decimal conversion table for special entities.
+	 */
+	protected $_special_ent2dec =
+			array(
+					'quot' => 34,
+					'amp'  => 38,
+					'lt'   => 60,
+					'gt'   => 62
+			);
+
+	/**
+	 * Substitutes non-special entities with their parsed equivalents. Since
+	 * running this whenever you have parsed character is t3h 5uck, we run
+	 * it before everything else.
+	 *
+	 * @param $string String to have non-special entities parsed.
+	 * @returns Parsed string.
+	 */
+	public function substituteNonSpecialEntities($string) {
+		// it will try to detect missing semicolons, but don't rely on it
+		return preg_replace_callback(
+			$this->_substituteEntitiesRegex,
+			array($this, 'nonSpecialEntityCallback'),
+			$string
+			);
+	}
+
+	/**
+	 * Callback function for substituteNonSpecialEntities() that does the work.
+	 *
+	 * @param $matches  PCRE matches array, with 0 the entire match, and
+	 *                  either index 1, 2 or 3 set with a hex value, dec value,
+	 *                  or string (respectively).
+	 * @returns Replacement string.
+	 */
+
+	protected function nonSpecialEntityCallback($matches) {
+		// replaces all but big five
+		$entity = $matches[0];
+		$is_num = (@$matches[0][1] === '#');
+		if ($is_num) {
+			$is_hex = (@$entity[2] === 'x');
+			$code = $is_hex ? hexdec($matches[1]) : (int) $matches[2];
+
+			// abort for special characters
+			if (isset($this->_special_dec2str[$code]))  return $entity;
+
+			return HTMLPurifier_Encoder::unichr($code);
+		} else {
+			if (isset($this->_special_ent2dec[$matches[3]])) return $entity;
+			if (!$this->_entity_lookup) {
+				$this->_entity_lookup = HTMLPurifier_EntityLookup::instance();
+			}
+			if (isset($this->_entity_lookup->table[$matches[3]])) {
+				return $this->_entity_lookup->table[$matches[3]];
+			} else {
+				return $entity;
+			}
+		}
+	}
+
+	/**
+	 * Substitutes only special entities with their parsed equivalents.
+	 *
+	 * @notice We try to avoid calling this function because otherwise, it
+	 * would have to be called a lot (for every parsed section).
+	 *
+	 * @param $string String to have non-special entities parsed.
+	 * @returns Parsed string.
+	 */
+	public function substituteSpecialEntities($string) {
+		return preg_replace_callback(
+			$this->_substituteEntitiesRegex,
+			array($this, 'specialEntityCallback'),
+			$string);
+	}
+
+	/**
+	 * Callback function for substituteSpecialEntities() that does the work.
+	 *
+	 * This callback has same syntax as nonSpecialEntityCallback().
+	 *
+	 * @param $matches  PCRE-style matches array, with 0 the entire match, and
+	 *                  either index 1, 2 or 3 set with a hex value, dec value,
+	 *                  or string (respectively).
+	 * @returns Replacement string.
+	 */
+	protected function specialEntityCallback($matches) {
+		$entity = $matches[0];
+		$is_num = (@$matches[0][1] === '#');
+		if ($is_num) {
+			$is_hex = (@$entity[2] === 'x');
+			$int = $is_hex ? hexdec($matches[1]) : (int) $matches[2];
+			return isset($this->_special_dec2str[$int]) ?
+				$this->_special_dec2str[$int] :
+				$entity;
+		} else {
+			return isset($this->_special_ent2dec[$matches[3]]) ?
+				$this->_special_ent2dec[$matches[3]] :
+				$entity;
+		}
+	}
 
 }
 

Spacing +2 added lines, -4 removed lines

@@ -130,12 +130,10 @@
             $is_hex = (@$entity[2] === 'x');
             $int = $is_hex ? hexdec($matches[1]) : (int) $matches[2];
             return isset($this->_special_dec2str[$int]) ?
-                $this->_special_dec2str[$int] :
-                $entity;
+                $this->_special_dec2str[$int] : $entity;
         } else {
             return isset($this->_special_ent2dec[$matches[3]]) ?
-                $this->_special_ent2dec[$matches[3]] :
-                $entity;
+                $this->_special_ent2dec[$matches[3]] : $entity;
         }
     }
 

Braces +6 added lines, -2 removed lines

@@ -81,11 +81,15 @@
             $code = $is_hex ? hexdec($matches[1]) : (int) $matches[2];
 
             // abort for special characters
-            if (isset($this->_special_dec2str[$code]))  return $entity;
+            if (isset($this->_special_dec2str[$code])) {
+            	return $entity;
+            }
 
             return HTMLPurifier_Encoder::unichr($code);
         } else {
-            if (isset($this->_special_ent2dec[$matches[3]])) return $entity;
+            if (isset($this->_special_ent2dec[$matches[3]])) {
+            	return $entity;
+            }
             if (!$this->_entity_lookup) {
                 $this->_entity_lookup = HTMLPurifier_EntityLookup::instance();
             }

classes/security/htmlpurifier/library/HTMLPurifier/ErrorStruct.php

Indentation +45 added lines, -45 removed lines

@@ -9,51 +9,51 @@
 class HTMLPurifier_ErrorStruct
 {
 
-    /**
-     * Possible values for $children first-key. Note that top-level structures
-     * are automatically token-level.
-     */
-    const TOKEN     = 0;
-    const ATTR      = 1;
-    const CSSPROP   = 2;
-
-    /**
-     * Type of this struct.
-     */
-    public $type;
-
-    /**
-     * Value of the struct we are recording errors for. There are various
-     * values for this:
-     *  - TOKEN: Instance of HTMLPurifier_Token
-     *  - ATTR: array('attr-name', 'value')
-     *  - CSSPROP: array('prop-name', 'value')
-     */
-    public $value;
-
-    /**
-     * Errors registered for this structure.
-     */
-    public $errors = array();
-
-    /**
-     * Child ErrorStructs that are from this structure. For example, a TOKEN
-     * ErrorStruct would contain ATTR ErrorStructs. This is a multi-dimensional
-     * array in structure: [TYPE]['identifier']
-     */
-    public $children = array();
-
-    public function getChild($type, $id) {
-        if (!isset($this->children[$type][$id])) {
-            $this->children[$type][$id] = new HTMLPurifier_ErrorStruct();
-            $this->children[$type][$id]->type = $type;
-        }
-        return $this->children[$type][$id];
-    }
-
-    public function addError($severity, $message) {
-        $this->errors[] = array($severity, $message);
-    }
+	/**
+	 * Possible values for $children first-key. Note that top-level structures
+	 * are automatically token-level.
+	 */
+	const TOKEN     = 0;
+	const ATTR      = 1;
+	const CSSPROP   = 2;
+
+	/**
+	 * Type of this struct.
+	 */
+	public $type;
+
+	/**
+	 * Value of the struct we are recording errors for. There are various
+	 * values for this:
+	 *  - TOKEN: Instance of HTMLPurifier_Token
+	 *  - ATTR: array('attr-name', 'value')
+	 *  - CSSPROP: array('prop-name', 'value')
+	 */
+	public $value;
+
+	/**
+	 * Errors registered for this structure.
+	 */
+	public $errors = array();
+
+	/**
+	 * Child ErrorStructs that are from this structure. For example, a TOKEN
+	 * ErrorStruct would contain ATTR ErrorStructs. This is a multi-dimensional
+	 * array in structure: [TYPE]['identifier']
+	 */
+	public $children = array();
+
+	public function getChild($type, $id) {
+		if (!isset($this->children[$type][$id])) {
+			$this->children[$type][$id] = new HTMLPurifier_ErrorStruct();
+			$this->children[$type][$id]->type = $type;
+		}
+		return $this->children[$type][$id];
+	}
+
+	public function addError($severity, $message) {
+		$this->errors[] = array($severity, $message);
+	}
 
 }
 

classes/security/htmlpurifier/library/HTMLPurifier/Filter.php

Indentation +16 added lines, -16 removed lines

@@ -22,24 +22,24 @@
 class HTMLPurifier_Filter
 {
 
-    /**
-     * Name of the filter for identification purposes
-     */
-    public $name;
+	/**
+	 * Name of the filter for identification purposes
+	 */
+	public $name;
 
-    /**
-     * Pre-processor function, handles HTML before HTML Purifier
-     */
-    public function preFilter($html, $config, $context) {
-        return $html;
-    }
+	/**
+	 * Pre-processor function, handles HTML before HTML Purifier
+	 */
+	public function preFilter($html, $config, $context) {
+		return $html;
+	}
 
-    /**
-     * Post-processor function, handles HTML after HTML Purifier
-     */
-    public function postFilter($html, $config, $context) {
-        return $html;
-    }
+	/**
+	 * Post-processor function, handles HTML after HTML Purifier
+	 */
+	public function postFilter($html, $config, $context) {
+		return $html;
+	}
 
 }
 

classes/security/htmlpurifier/library/HTMLPurifier/Filter/ExtractStyleBlocks.php

Indentation +253 added lines, -253 removed lines

@@ -23,265 +23,265 @@
 class HTMLPurifier_Filter_ExtractStyleBlocks extends HTMLPurifier_Filter
 {
 
-    public $name = 'ExtractStyleBlocks';
-    private $_styleMatches = array();
-    private $_tidy;
+	public $name = 'ExtractStyleBlocks';
+	private $_styleMatches = array();
+	private $_tidy;
 
-    private $_id_attrdef;
-    private $_class_attrdef;
-    private $_enum_attrdef;
+	private $_id_attrdef;
+	private $_class_attrdef;
+	private $_enum_attrdef;
 
-    public function __construct() {
-        $this->_tidy = new csstidy();
-        $this->_id_attrdef = new HTMLPurifier_AttrDef_HTML_ID(true);
-        $this->_class_attrdef = new HTMLPurifier_AttrDef_CSS_Ident();
-        $this->_enum_attrdef = new HTMLPurifier_AttrDef_Enum(array('first-child', 'link', 'visited', 'active', 'hover', 'focus'));
-    }
+	public function __construct() {
+		$this->_tidy = new csstidy();
+		$this->_id_attrdef = new HTMLPurifier_AttrDef_HTML_ID(true);
+		$this->_class_attrdef = new HTMLPurifier_AttrDef_CSS_Ident();
+		$this->_enum_attrdef = new HTMLPurifier_AttrDef_Enum(array('first-child', 'link', 'visited', 'active', 'hover', 'focus'));
+	}
 
-    /**
-     * Save the contents of CSS blocks to style matches
-     * @param $matches preg_replace style $matches array
-     */
-    protected function styleCallback($matches) {
-        $this->_styleMatches[] = $matches[1];
-    }
+	/**
+	 * Save the contents of CSS blocks to style matches
+	 * @param $matches preg_replace style $matches array
+	 */
+	protected function styleCallback($matches) {
+		$this->_styleMatches[] = $matches[1];
+	}
 
-    /**
-     * Removes inline <style> tags from HTML, saves them for later use
-     * @todo Extend to indicate non-text/css style blocks
-     */
-    public function preFilter($html, $config, $context) {
-        $tidy = $config->get('Filter.ExtractStyleBlocks.TidyImpl');
-        if ($tidy !== null) $this->_tidy = $tidy;
-        $html = preg_replace_callback('#<style(?:\s.*)?>(.+)</style>#isU', array($this, 'styleCallback'), $html);
-        $style_blocks = $this->_styleMatches;
-        $this->_styleMatches = array(); // reset
-        $context->register('StyleBlocks', $style_blocks); // $context must not be reused
-        if ($this->_tidy) {
-            foreach ($style_blocks as &$style) {
-                $style = $this->cleanCSS($style, $config, $context);
-            }
-        }
-        return $html;
-    }
+	/**
+	 * Removes inline <style> tags from HTML, saves them for later use
+	 * @todo Extend to indicate non-text/css style blocks
+	 */
+	public function preFilter($html, $config, $context) {
+		$tidy = $config->get('Filter.ExtractStyleBlocks.TidyImpl');
+		if ($tidy !== null) $this->_tidy = $tidy;
+		$html = preg_replace_callback('#<style(?:\s.*)?>(.+)</style>#isU', array($this, 'styleCallback'), $html);
+		$style_blocks = $this->_styleMatches;
+		$this->_styleMatches = array(); // reset
+		$context->register('StyleBlocks', $style_blocks); // $context must not be reused
+		if ($this->_tidy) {
+			foreach ($style_blocks as &$style) {
+				$style = $this->cleanCSS($style, $config, $context);
+			}
+		}
+		return $html;
+	}
 
-    /**
-     * Takes CSS (the stuff found in <style>) and cleans it.
-     * @warning Requires CSSTidy <http://csstidy.sourceforge.net/>
-     * @param $css     CSS styling to clean
-     * @param $config  Instance of HTMLPurifier_Config
-     * @param $context Instance of HTMLPurifier_Context
-     * @return Cleaned CSS
-     */
-    public function cleanCSS($css, $config, $context) {
-        // prepare scope
-        $scope = $config->get('Filter.ExtractStyleBlocks.Scope');
-        if ($scope !== null) {
-            $scopes = array_map('trim', explode(',', $scope));
-        } else {
-            $scopes = array();
-        }
-        // remove comments from CSS
-        $css = trim($css);
-        if (strncmp('<!--', $css, 4) === 0) {
-            $css = substr($css, 4);
-        }
-        if (strlen($css) > 3 && substr($css, -3) == '-->') {
-            $css = substr($css, 0, -3);
-        }
-        $css = trim($css);
-        set_error_handler('htmlpurifier_filter_extractstyleblocks_muteerrorhandler');
-        $this->_tidy->parse($css);
-        restore_error_handler();
-        $css_definition = $config->getDefinition('CSS');
-        $html_definition = $config->getDefinition('HTML');
-        $new_css = array();
-        foreach ($this->_tidy->css as $k => $decls) {
-            // $decls are all CSS declarations inside an @ selector
-            $new_decls = array();
-            foreach ($decls as $selector => $style) {
-                $selector = trim($selector);
-                if ($selector === '') continue; // should not happen
-                // Parse the selector
-                // Here is the relevant part of the CSS grammar:
-                //
-                // ruleset
-                //   : selector [ ',' S* selector ]* '{' ...
-                // selector
-                //   : simple_selector [ combinator selector | S+ [ combinator? selector ]? ]?
-                // combinator
-                //   : '+' S*
-                //   : '>' S*
-                // simple_selector
-                //   : element_name [ HASH | class | attrib | pseudo ]*
-                //   | [ HASH | class | attrib | pseudo ]+
-                // element_name
-                //   : IDENT | '*'
-                //   ;
-                // class
-                //   : '.' IDENT
-                //   ;
-                // attrib
-                //   : '[' S* IDENT S* [ [ '=' | INCLUDES | DASHMATCH ] S*
-                //     [ IDENT | STRING ] S* ]? ']'
-                //   ;
-                // pseudo
-                //   : ':' [ IDENT | FUNCTION S* [IDENT S*]? ')' ]
-                //   ;
-                //
-                // For reference, here are the relevant tokens:
-                //
-                // HASH         #{name}
-                // IDENT        {ident}
-                // INCLUDES     ==
-                // DASHMATCH    |=
-                // STRING       {string}
-                // FUNCTION     {ident}\(
-                //
-                // And the lexical scanner tokens
-                //
-                // name         {nmchar}+
-                // nmchar       [_a-z0-9-]|{nonascii}|{escape}
-                // nonascii     [\240-\377]
-                // escape       {unicode}|\\[^\r\n\f0-9a-f]
-                // unicode      \\{h}}{1,6}(\r\n|[ \t\r\n\f])?
-                // ident        -?{nmstart}{nmchar*}
-                // nmstart      [_a-z]|{nonascii}|{escape}
-                // string       {string1}|{string2}
-                // string1      \"([^\n\r\f\\"]|\\{nl}|{escape})*\"
-                // string2      \'([^\n\r\f\\"]|\\{nl}|{escape})*\'
-                //
-                // We'll implement a subset (in order to reduce attack
-                // surface); in particular:
-                //
-                //      - No Unicode support
-                //      - No escapes support
-                //      - No string support (by proxy no attrib support)
-                //      - element_name is matched against allowed
-                //        elements (some people might find this
-                //        annoying...)
-                //      - Pseudo-elements one of :first-child, :link,
-                //        :visited, :active, :hover, :focus
+	/**
+	 * Takes CSS (the stuff found in <style>) and cleans it.
+	 * @warning Requires CSSTidy <http://csstidy.sourceforge.net/>
+	 * @param $css     CSS styling to clean
+	 * @param $config  Instance of HTMLPurifier_Config
+	 * @param $context Instance of HTMLPurifier_Context
+	 * @return Cleaned CSS
+	 */
+	public function cleanCSS($css, $config, $context) {
+		// prepare scope
+		$scope = $config->get('Filter.ExtractStyleBlocks.Scope');
+		if ($scope !== null) {
+			$scopes = array_map('trim', explode(',', $scope));
+		} else {
+			$scopes = array();
+		}
+		// remove comments from CSS
+		$css = trim($css);
+		if (strncmp('<!--', $css, 4) === 0) {
+			$css = substr($css, 4);
+		}
+		if (strlen($css) > 3 && substr($css, -3) == '-->') {
+			$css = substr($css, 0, -3);
+		}
+		$css = trim($css);
+		set_error_handler('htmlpurifier_filter_extractstyleblocks_muteerrorhandler');
+		$this->_tidy->parse($css);
+		restore_error_handler();
+		$css_definition = $config->getDefinition('CSS');
+		$html_definition = $config->getDefinition('HTML');
+		$new_css = array();
+		foreach ($this->_tidy->css as $k => $decls) {
+			// $decls are all CSS declarations inside an @ selector
+			$new_decls = array();
+			foreach ($decls as $selector => $style) {
+				$selector = trim($selector);
+				if ($selector === '') continue; // should not happen
+				// Parse the selector
+				// Here is the relevant part of the CSS grammar:
+				//
+				// ruleset
+				//   : selector [ ',' S* selector ]* '{' ...
+				// selector
+				//   : simple_selector [ combinator selector | S+ [ combinator? selector ]? ]?
+				// combinator
+				//   : '+' S*
+				//   : '>' S*
+				// simple_selector
+				//   : element_name [ HASH | class | attrib | pseudo ]*
+				//   | [ HASH | class | attrib | pseudo ]+
+				// element_name
+				//   : IDENT | '*'
+				//   ;
+				// class
+				//   : '.' IDENT
+				//   ;
+				// attrib
+				//   : '[' S* IDENT S* [ [ '=' | INCLUDES | DASHMATCH ] S*
+				//     [ IDENT | STRING ] S* ]? ']'
+				//   ;
+				// pseudo
+				//   : ':' [ IDENT | FUNCTION S* [IDENT S*]? ')' ]
+				//   ;
+				//
+				// For reference, here are the relevant tokens:
+				//
+				// HASH         #{name}
+				// IDENT        {ident}
+				// INCLUDES     ==
+				// DASHMATCH    |=
+				// STRING       {string}
+				// FUNCTION     {ident}\(
+				//
+				// And the lexical scanner tokens
+				//
+				// name         {nmchar}+
+				// nmchar       [_a-z0-9-]|{nonascii}|{escape}
+				// nonascii     [\240-\377]
+				// escape       {unicode}|\\[^\r\n\f0-9a-f]
+				// unicode      \\{h}}{1,6}(\r\n|[ \t\r\n\f])?
+				// ident        -?{nmstart}{nmchar*}
+				// nmstart      [_a-z]|{nonascii}|{escape}
+				// string       {string1}|{string2}
+				// string1      \"([^\n\r\f\\"]|\\{nl}|{escape})*\"
+				// string2      \'([^\n\r\f\\"]|\\{nl}|{escape})*\'
+				//
+				// We'll implement a subset (in order to reduce attack
+				// surface); in particular:
+				//
+				//      - No Unicode support
+				//      - No escapes support
+				//      - No string support (by proxy no attrib support)
+				//      - element_name is matched against allowed
+				//        elements (some people might find this
+				//        annoying...)
+				//      - Pseudo-elements one of :first-child, :link,
+				//        :visited, :active, :hover, :focus
 
-                // handle ruleset
-                $selectors = array_map('trim', explode(',', $selector));
-                $new_selectors = array();
-                foreach ($selectors as $sel) {
-                    // split on +, > and spaces
-                    $basic_selectors = preg_split('/\s*([+> ])\s*/', $sel, -1, PREG_SPLIT_DELIM_CAPTURE);
-                    // even indices are chunks, odd indices are
-                    // delimiters
-                    $nsel = null;
-                    $delim = null; // guaranteed to be non-null after
-                                   // two loop iterations
-                    for ($i = 0, $c = count($basic_selectors); $i < $c; $i++) {
-                        $x = $basic_selectors[$i];
-                        if ($i % 2) {
-                            // delimiter
-                            if ($x === ' ') {
-                                $delim = ' ';
-                            } else {
-                                $delim = ' ' . $x . ' ';
-                            }
-                        } else {
-                            // simple selector
-                            $components = preg_split('/([#.:])/', $x, -1, PREG_SPLIT_DELIM_CAPTURE);
-                            $sdelim = null;
-                            $nx = null;
-                            for ($j = 0, $cc = count($components); $j < $cc; $j ++) {
-                                $y = $components[$j];
-                                if ($j === 0) {
-                                    if ($y === '*' || isset($html_definition->info[$y = strtolower($y)])) {
-                                        $nx = $y;
-                                    } else {
-                                        // $nx stays null; this matters
-                                        // if we don't manage to find
-                                        // any valid selector content,
-                                        // in which case we ignore the
-                                        // outer $delim
-                                    }
-                                } elseif ($j % 2) {
-                                    // set delimiter
-                                    $sdelim = $y;
-                                } else {
-                                    $attrdef = null;
-                                    if ($sdelim === '#') {
-                                        $attrdef = $this->_id_attrdef;
-                                    } elseif ($sdelim === '.') {
-                                        $attrdef = $this->_class_attrdef;
-                                    } elseif ($sdelim === ':') {
-                                        $attrdef = $this->_enum_attrdef;
-                                    } else {
-                                        throw new HTMLPurifier_Exception('broken invariant sdelim and preg_split');
-                                    }
-                                    $r = $attrdef->validate($y, $config, $context);
-                                    if ($r !== false) {
-                                        if ($r !== true) {
-                                            $y = $r;
-                                        }
-                                        if ($nx === null) {
-                                            $nx = '';
-                                        }
-                                        $nx .= $sdelim . $y;
-                                    }
-                                }
-                            }
-                            if ($nx !== null) {
-                                if ($nsel === null) {
-                                    $nsel = $nx;
-                                } else {
-                                    $nsel .= $delim . $nx;
-                                }
-                            } else {
-                                // delimiters to the left of invalid
-                                // basic selector ignored
-                            }
-                        }
-                    }
-                    if ($nsel !== null) {
-                        if (!empty($scopes)) {
-                            foreach ($scopes as $s) {
-                                $new_selectors[] = "$s $nsel";
-                            }
-                        } else {
-                            $new_selectors[] = $nsel;
-                        }
-                    }
-                }
-                if (empty($new_selectors)) continue;
-                $selector = implode(', ', $new_selectors);
-                foreach ($style as $name => $value) {
-                    if (!isset($css_definition->info[$name])) {
-                        unset($style[$name]);
-                        continue;
-                    }
-                    $def = $css_definition->info[$name];
-                    $ret = $def->validate($value, $config, $context);
-                    if ($ret === false) unset($style[$name]);
-                    else $style[$name] = $ret;
-                }
-                $new_decls[$selector] = $style;
-            }
-            $new_css[$k] = $new_decls;
-        }
-        // remove stuff that shouldn't be used, could be reenabled
-        // after security risks are analyzed
-        $this->_tidy->css = $new_css;
-        $this->_tidy->import = array();
-        $this->_tidy->charset = null;
-        $this->_tidy->namespace = null;
-        $css = $this->_tidy->print->plain();
-        // we are going to escape any special characters <>& to ensure
-        // that no funny business occurs (i.e. </style> in a font-family prop).
-        if ($config->get('Filter.ExtractStyleBlocks.Escaping')) {
-            $css = str_replace(
-                array('<',    '>',    '&'),
-                array('\3C ', '\3E ', '\26 '),
-                $css
-            );
-        }
-        return $css;
-    }
+				// handle ruleset
+				$selectors = array_map('trim', explode(',', $selector));
+				$new_selectors = array();
+				foreach ($selectors as $sel) {
+					// split on +, > and spaces
+					$basic_selectors = preg_split('/\s*([+> ])\s*/', $sel, -1, PREG_SPLIT_DELIM_CAPTURE);
+					// even indices are chunks, odd indices are
+					// delimiters
+					$nsel = null;
+					$delim = null; // guaranteed to be non-null after
+								   // two loop iterations
+					for ($i = 0, $c = count($basic_selectors); $i < $c; $i++) {
+						$x = $basic_selectors[$i];
+						if ($i % 2) {
+							// delimiter
+							if ($x === ' ') {
+								$delim = ' ';
+							} else {
+								$delim = ' ' . $x . ' ';
+							}
+						} else {
+							// simple selector
+							$components = preg_split('/([#.:])/', $x, -1, PREG_SPLIT_DELIM_CAPTURE);
+							$sdelim = null;
+							$nx = null;
+							for ($j = 0, $cc = count($components); $j < $cc; $j ++) {
+								$y = $components[$j];
+								if ($j === 0) {
+									if ($y === '*' || isset($html_definition->info[$y = strtolower($y)])) {
+										$nx = $y;
+									} else {
+										// $nx stays null; this matters
+										// if we don't manage to find
+										// any valid selector content,
+										// in which case we ignore the
+										// outer $delim
+									}
+								} elseif ($j % 2) {
+									// set delimiter
+									$sdelim = $y;
+								} else {
+									$attrdef = null;
+									if ($sdelim === '#') {
+										$attrdef = $this->_id_attrdef;
+									} elseif ($sdelim === '.') {
+										$attrdef = $this->_class_attrdef;
+									} elseif ($sdelim === ':') {
+										$attrdef = $this->_enum_attrdef;
+									} else {
+										throw new HTMLPurifier_Exception('broken invariant sdelim and preg_split');
+									}
+									$r = $attrdef->validate($y, $config, $context);
+									if ($r !== false) {
+										if ($r !== true) {
+											$y = $r;
+										}
+										if ($nx === null) {
+											$nx = '';
+										}
+										$nx .= $sdelim . $y;
+									}
+								}
+							}
+							if ($nx !== null) {
+								if ($nsel === null) {
+									$nsel = $nx;
+								} else {
+									$nsel .= $delim . $nx;
+								}
+							} else {
+								// delimiters to the left of invalid
+								// basic selector ignored
+							}
+						}
+					}
+					if ($nsel !== null) {
+						if (!empty($scopes)) {
+							foreach ($scopes as $s) {
+								$new_selectors[] = "$s $nsel";
+							}
+						} else {
+							$new_selectors[] = $nsel;
+						}
+					}
+				}
+				if (empty($new_selectors)) continue;
+				$selector = implode(', ', $new_selectors);
+				foreach ($style as $name => $value) {
+					if (!isset($css_definition->info[$name])) {
+						unset($style[$name]);
+						continue;
+					}
+					$def = $css_definition->info[$name];
+					$ret = $def->validate($value, $config, $context);
+					if ($ret === false) unset($style[$name]);
+					else $style[$name] = $ret;
+				}
+				$new_decls[$selector] = $style;
+			}
+			$new_css[$k] = $new_decls;
+		}
+		// remove stuff that shouldn't be used, could be reenabled
+		// after security risks are analyzed
+		$this->_tidy->css = $new_css;
+		$this->_tidy->import = array();
+		$this->_tidy->charset = null;
+		$this->_tidy->namespace = null;
+		$css = $this->_tidy->print->plain();
+		// we are going to escape any special characters <>& to ensure
+		// that no funny business occurs (i.e. </style> in a font-family prop).
+		if ($config->get('Filter.ExtractStyleBlocks.Escaping')) {
+			$css = str_replace(
+				array('<',    '>',    '&'),
+				array('\3C ', '\3E ', '\26 '),
+				$css
+			);
+		}
+		return $css;
+	}
 
 }
 

Braces +15 added lines, -5 removed lines

@@ -52,7 +52,9 @@ 
      */
     public function preFilter($html, $config, $context) {
         $tidy = $config->get('Filter.ExtractStyleBlocks.TidyImpl');
-        if ($tidy !== null) $this->_tidy = $tidy;
+        if ($tidy !== null) {
+        	$this->_tidy = $tidy;
+        }
         $html = preg_replace_callback('#<style(?:\s.*)?>(.+)</style>#isU', array($this, 'styleCallback'), $html);
         $style_blocks = $this->_styleMatches;
         $this->_styleMatches = array(); // reset
@@ -101,7 +103,10 @@ 
             $new_decls = array();
             foreach ($decls as $selector => $style) {
                 $selector = trim($selector);
-                if ($selector === '') continue; // should not happen
+                if ($selector === '') {
+                	continue;
+                }
+                // should not happen
                 // Parse the selector
                 // Here is the relevant part of the CSS grammar:
                 //
@@ -248,7 +253,9 @@ 
                         }
                     }
                 }
-                if (empty($new_selectors)) continue;
+                if (empty($new_selectors)) {
+                	continue;
+                }
                 $selector = implode(', ', $new_selectors);
                 foreach ($style as $name => $value) {
                     if (!isset($css_definition->info[$name])) {
@@ -257,8 +264,11 @@ 
                     }
                     $def = $css_definition->info[$name];
                     $ret = $def->validate($value, $config, $context);
-                    if ($ret === false) unset($style[$name]);
-                    else $style[$name] = $ret;
+                    if ($ret === false) {
+                    	unset($style[$name]);
+                    } else {
+                    	$style[$name] = $ret;
+                    }
                 }
                 $new_decls[$selector] = $style;
             }

Spacing +5 added lines, -5 removed lines

@@ -181,14 +181,14 @@ 
                             if ($x === ' ') {
                                 $delim = ' ';
                             } else {
-                                $delim = ' ' . $x . ' ';
+                                $delim = ' '.$x.' ';
                             }
                         } else {
                             // simple selector
                             $components = preg_split('/([#.:])/', $x, -1, PREG_SPLIT_DELIM_CAPTURE);
                             $sdelim = null;
                             $nx = null;
-                            for ($j = 0, $cc = count($components); $j < $cc; $j ++) {
+                            for ($j = 0, $cc = count($components); $j < $cc; $j++) {
                                 $y = $components[$j];
                                 if ($j === 0) {
                                     if ($y === '*' || isset($html_definition->info[$y = strtolower($y)])) {
@@ -222,7 +222,7 @@ 
                                         if ($nx === null) {
                                             $nx = '';
                                         }
-                                        $nx .= $sdelim . $y;
+                                        $nx .= $sdelim.$y;
                                     }
                                 }
                             }
@@ -230,7 +230,7 @@ 
                                 if ($nsel === null) {
                                     $nsel = $nx;
                                 } else {
-                                    $nsel .= $delim . $nx;
+                                    $nsel .= $delim.$nx;
                                 }
                             } else {
                                 // delimiters to the left of invalid
@@ -275,7 +275,7 @@ 
         // that no funny business occurs (i.e. </style> in a font-family prop).
         if ($config->get('Filter.ExtractStyleBlocks.Escaping')) {
             $css = str_replace(
-                array('<',    '>',    '&'),
+                array('<', '>', '&'),
                 array('\3C ', '\3E ', '\26 '),
                 $css
             );

classes/security/htmlpurifier/library/HTMLPurifier/Filter/YouTube.php

Indentation +31 added lines, -31 removed lines

@@ -3,37 +3,37 @@
 class HTMLPurifier_Filter_YouTube extends HTMLPurifier_Filter
 {
 
-    public $name = 'YouTube';
-
-    public function preFilter($html, $config, $context) {
-        $pre_regex = '#<object[^>]+>.+?'.
-            'http://www.youtube.com/((?:v|cp)/[A-Za-z0-9\-_=]+).+?</object>#s';
-        $pre_replace = '<span class="youtube-embed">\1</span>';
-        return preg_replace($pre_regex, $pre_replace, $html);
-    }
-
-    public function postFilter($html, $config, $context) {
-        $post_regex = '#<span class="youtube-embed">((?:v|cp)/[A-Za-z0-9\-_=]+)</span>#';
-        return preg_replace_callback($post_regex, array($this, 'postFilterCallback'), $html);
-    }
-
-    protected function armorUrl($url) {
-        return str_replace('--', '-&#45;', $url);
-    }
-
-    protected function postFilterCallback($matches) {
-        $url = $this->armorUrl($matches[1]);
-        return '<object width="425" height="350" type="application/x-shockwave-flash" '.
-            'data="http://www.youtube.com/'.$url.'">'.
-            '<param name="movie" value="http://www.youtube.com/'.$url.'"></param>'.
-            '<!--[if IE]>'.
-            '<embed src="http://www.youtube.com/'.$url.'"'.
-            'type="application/x-shockwave-flash"'.
-            'wmode="transparent" width="425" height="350" />'.
-            '<![endif]-->'.
-            '</object>';
-
-    }
+	public $name = 'YouTube';
+
+	public function preFilter($html, $config, $context) {
+		$pre_regex = '#<object[^>]+>.+?'.
+			'http://www.youtube.com/((?:v|cp)/[A-Za-z0-9\-_=]+).+?</object>#s';
+		$pre_replace = '<span class="youtube-embed">\1</span>';
+		return preg_replace($pre_regex, $pre_replace, $html);
+	}
+
+	public function postFilter($html, $config, $context) {
+		$post_regex = '#<span class="youtube-embed">((?:v|cp)/[A-Za-z0-9\-_=]+)</span>#';
+		return preg_replace_callback($post_regex, array($this, 'postFilterCallback'), $html);
+	}
+
+	protected function armorUrl($url) {
+		return str_replace('--', '-&#45;', $url);
+	}
+
+	protected function postFilterCallback($matches) {
+		$url = $this->armorUrl($matches[1]);
+		return '<object width="425" height="350" type="application/x-shockwave-flash" '.
+			'data="http://www.youtube.com/'.$url.'">'.
+			'<param name="movie" value="http://www.youtube.com/'.$url.'"></param>'.
+			'<!--[if IE]>'.
+			'<embed src="http://www.youtube.com/'.$url.'"'.
+			'type="application/x-shockwave-flash"'.
+			'wmode="transparent" width="425" height="350" />'.
+			'<![endif]-->'.
+			'</object>';
+
+	}
 }
 
 // vim: et sw=4 sts=4