xpressengine / xe-core

classes/security/htmlpurifier/library/HTMLPurifier/EntityLookup.php

Indentation +31 added lines, -31 removed lines

@@ -5,39 +5,39 @@
  */
 class HTMLPurifier_EntityLookup {
 
-    /**
-     * Assoc array of entity name to character represented.
-     */
-    public $table;
+	/**
+	 * Assoc array of entity name to character represented.
+	 */
+	public $table;
 
-    /**
-     * Sets up the entity lookup table from the serialized file contents.
-     * @note The serialized contents are versioned, but were generated
-     *       using the maintenance script generate_entity_file.php
-     * @warning This is not in constructor to help enforce the Singleton
-     */
-    public function setup($file = false) {
-        if (!$file) {
-            $file = HTMLPURIFIER_PREFIX . '/HTMLPurifier/EntityLookup/entities.ser';
-        }
-        $this->table = unserialize(file_get_contents($file));
-    }
+	/**
+	 * Sets up the entity lookup table from the serialized file contents.
+	 * @note The serialized contents are versioned, but were generated
+	 *       using the maintenance script generate_entity_file.php
+	 * @warning This is not in constructor to help enforce the Singleton
+	 */
+	public function setup($file = false) {
+		if (!$file) {
+			$file = HTMLPURIFIER_PREFIX . '/HTMLPurifier/EntityLookup/entities.ser';
+		}
+		$this->table = unserialize(file_get_contents($file));
+	}
 
-    /**
-     * Retrieves sole instance of the object.
-     * @param Optional prototype of custom lookup table to overload with.
-     */
-    public static function instance($prototype = false) {
-        // no references, since PHP doesn't copy unless modified
-        static $instance = null;
-        if ($prototype) {
-            $instance = $prototype;
-        } elseif (!$instance) {
-            $instance = new HTMLPurifier_EntityLookup();
-            $instance->setup();
-        }
-        return $instance;
-    }
+	/**
+	 * Retrieves sole instance of the object.
+	 * @param Optional prototype of custom lookup table to overload with.
+	 */
+	public static function instance($prototype = false) {
+		// no references, since PHP doesn't copy unless modified
+		static $instance = null;
+		if ($prototype) {
+			$instance = $prototype;
+		} elseif (!$instance) {
+			$instance = new HTMLPurifier_EntityLookup();
+			$instance->setup();
+		}
+		return $instance;
+	}
 
 }
 

Spacing +1 added lines, -1 removed lines

@@ -18,7 +18,7 @@
      */
     public function setup($file = false) {
         if (!$file) {
-            $file = HTMLPURIFIER_PREFIX . '/HTMLPurifier/EntityLookup/entities.ser';
+            $file = HTMLPURIFIER_PREFIX.'/HTMLPurifier/EntityLookup/entities.ser';
         }
         $this->table = unserialize(file_get_contents($file));
     }

classes/security/htmlpurifier/library/HTMLPurifier/EntityParser.php

Indentation +124 added lines, -124 removed lines

@@ -10,134 +10,134 @@
 class HTMLPurifier_EntityParser
 {
 
-    /**
-     * Reference to entity lookup table.
-     */
-    protected $_entity_lookup;
-
-    /**
-     * Callback regex string for parsing entities.
-     */
-    protected $_substituteEntitiesRegex =
+	/**
+	 * Reference to entity lookup table.
+	 */
+	protected $_entity_lookup;
+
+	/**
+	 * Callback regex string for parsing entities.
+	 */
+	protected $_substituteEntitiesRegex =
 '/&(?:[#]x([a-fA-F0-9]+)|[#]0*(\d+)|([A-Za-z_:][A-Za-z0-9.\-_:]*));?/';
 //     1. hex             2. dec      3. string (XML style)
 
 
-    /**
-     * Decimal to parsed string conversion table for special entities.
-     */
-    protected $_special_dec2str =
-            array(
-                    34 => '"',
-                    38 => '&',
-                    39 => "'",
-                    60 => '<',
-                    62 => '>'
-            );
-
-    /**
-     * Stripped entity names to decimal conversion table for special entities.
-     */
-    protected $_special_ent2dec =
-            array(
-                    'quot' => 34,
-                    'amp'  => 38,
-                    'lt'   => 60,
-                    'gt'   => 62
-            );
-
-    /**
-     * Substitutes non-special entities with their parsed equivalents. Since
-     * running this whenever you have parsed character is t3h 5uck, we run
-     * it before everything else.
-     *
-     * @param $string String to have non-special entities parsed.
-     * @returns Parsed string.
-     */
-    public function substituteNonSpecialEntities($string) {
-        // it will try to detect missing semicolons, but don't rely on it
-        return preg_replace_callback(
-            $this->_substituteEntitiesRegex,
-            array($this, 'nonSpecialEntityCallback'),
-            $string
-            );
-    }
-
-    /**
-     * Callback function for substituteNonSpecialEntities() that does the work.
-     *
-     * @param $matches  PCRE matches array, with 0 the entire match, and
-     *                  either index 1, 2 or 3 set with a hex value, dec value,
-     *                  or string (respectively).
-     * @returns Replacement string.
-     */
-
-    protected function nonSpecialEntityCallback($matches) {
-        // replaces all but big five
-        $entity = $matches[0];
-        $is_num = (@$matches[0][1] === '#');
-        if ($is_num) {
-            $is_hex = (@$entity[2] === 'x');
-            $code = $is_hex ? hexdec($matches[1]) : (int) $matches[2];
-
-            // abort for special characters
-            if (isset($this->_special_dec2str[$code]))  return $entity;
-
-            return HTMLPurifier_Encoder::unichr($code);
-        } else {
-            if (isset($this->_special_ent2dec[$matches[3]])) return $entity;
-            if (!$this->_entity_lookup) {
-                $this->_entity_lookup = HTMLPurifier_EntityLookup::instance();
-            }
-            if (isset($this->_entity_lookup->table[$matches[3]])) {
-                return $this->_entity_lookup->table[$matches[3]];
-            } else {
-                return $entity;
-            }
-        }
-    }
-
-    /**
-     * Substitutes only special entities with their parsed equivalents.
-     *
-     * @notice We try to avoid calling this function because otherwise, it
-     * would have to be called a lot (for every parsed section).
-     *
-     * @param $string String to have non-special entities parsed.
-     * @returns Parsed string.
-     */
-    public function substituteSpecialEntities($string) {
-        return preg_replace_callback(
-            $this->_substituteEntitiesRegex,
-            array($this, 'specialEntityCallback'),
-            $string);
-    }
-
-    /**
-     * Callback function for substituteSpecialEntities() that does the work.
-     *
-     * This callback has same syntax as nonSpecialEntityCallback().
-     *
-     * @param $matches  PCRE-style matches array, with 0 the entire match, and
-     *                  either index 1, 2 or 3 set with a hex value, dec value,
-     *                  or string (respectively).
-     * @returns Replacement string.
-     */
-    protected function specialEntityCallback($matches) {
-        $entity = $matches[0];
-        $is_num = (@$matches[0][1] === '#');
-        if ($is_num) {
-            $is_hex = (@$entity[2] === 'x');
-            $int = $is_hex ? hexdec($matches[1]) : (int) $matches[2];
-            return isset($this->_special_dec2str[$int]) ?
-                $this->_special_dec2str[$int] :
-                $entity;
-        } else {
-            return isset($this->_special_ent2dec[$matches[3]]) ?
-                $this->_special_ent2dec[$matches[3]] :
-                $entity;
-        }
-    }
+	/**
+	 * Decimal to parsed string conversion table for special entities.
+	 */
+	protected $_special_dec2str =
+			array(
+					34 => '"',
+					38 => '&',
+					39 => "'",
+					60 => '<',
+					62 => '>'
+			);
+
+	/**
+	 * Stripped entity names to decimal conversion table for special entities.
+	 */
+	protected $_special_ent2dec =
+			array(
+					'quot' => 34,
+					'amp'  => 38,
+					'lt'   => 60,
+					'gt'   => 62
+			);
+
+	/**
+	 * Substitutes non-special entities with their parsed equivalents. Since
+	 * running this whenever you have parsed character is t3h 5uck, we run
+	 * it before everything else.
+	 *
+	 * @param $string String to have non-special entities parsed.
+	 * @returns Parsed string.
+	 */
+	public function substituteNonSpecialEntities($string) {
+		// it will try to detect missing semicolons, but don't rely on it
+		return preg_replace_callback(
+			$this->_substituteEntitiesRegex,
+			array($this, 'nonSpecialEntityCallback'),
+			$string
+			);
+	}
+
+	/**
+	 * Callback function for substituteNonSpecialEntities() that does the work.
+	 *
+	 * @param $matches  PCRE matches array, with 0 the entire match, and
+	 *                  either index 1, 2 or 3 set with a hex value, dec value,
+	 *                  or string (respectively).
+	 * @returns Replacement string.
+	 */
+
+	protected function nonSpecialEntityCallback($matches) {
+		// replaces all but big five
+		$entity = $matches[0];
+		$is_num = (@$matches[0][1] === '#');
+		if ($is_num) {
+			$is_hex = (@$entity[2] === 'x');
+			$code = $is_hex ? hexdec($matches[1]) : (int) $matches[2];
+
+			// abort for special characters
+			if (isset($this->_special_dec2str[$code]))  return $entity;
+
+			return HTMLPurifier_Encoder::unichr($code);
+		} else {
+			if (isset($this->_special_ent2dec[$matches[3]])) return $entity;
+			if (!$this->_entity_lookup) {
+				$this->_entity_lookup = HTMLPurifier_EntityLookup::instance();
+			}
+			if (isset($this->_entity_lookup->table[$matches[3]])) {
+				return $this->_entity_lookup->table[$matches[3]];
+			} else {
+				return $entity;
+			}
+		}
+	}
+
+	/**
+	 * Substitutes only special entities with their parsed equivalents.
+	 *
+	 * @notice We try to avoid calling this function because otherwise, it
+	 * would have to be called a lot (for every parsed section).
+	 *
+	 * @param $string String to have non-special entities parsed.
+	 * @returns Parsed string.
+	 */
+	public function substituteSpecialEntities($string) {
+		return preg_replace_callback(
+			$this->_substituteEntitiesRegex,
+			array($this, 'specialEntityCallback'),
+			$string);
+	}
+
+	/**
+	 * Callback function for substituteSpecialEntities() that does the work.
+	 *
+	 * This callback has same syntax as nonSpecialEntityCallback().
+	 *
+	 * @param $matches  PCRE-style matches array, with 0 the entire match, and
+	 *                  either index 1, 2 or 3 set with a hex value, dec value,
+	 *                  or string (respectively).
+	 * @returns Replacement string.
+	 */
+	protected function specialEntityCallback($matches) {
+		$entity = $matches[0];
+		$is_num = (@$matches[0][1] === '#');
+		if ($is_num) {
+			$is_hex = (@$entity[2] === 'x');
+			$int = $is_hex ? hexdec($matches[1]) : (int) $matches[2];
+			return isset($this->_special_dec2str[$int]) ?
+				$this->_special_dec2str[$int] :
+				$entity;
+		} else {
+			return isset($this->_special_ent2dec[$matches[3]]) ?
+				$this->_special_ent2dec[$matches[3]] :
+				$entity;
+		}
+	}
 
 }
 

Spacing +2 added lines, -4 removed lines

@@ -130,12 +130,10 @@
             $is_hex = (@$entity[2] === 'x');
             $int = $is_hex ? hexdec($matches[1]) : (int) $matches[2];
             return isset($this->_special_dec2str[$int]) ?
-                $this->_special_dec2str[$int] :
-                $entity;
+                $this->_special_dec2str[$int] : $entity;
         } else {
             return isset($this->_special_ent2dec[$matches[3]]) ?
-                $this->_special_ent2dec[$matches[3]] :
-                $entity;
+                $this->_special_ent2dec[$matches[3]] : $entity;
         }
     }
 

Braces +6 added lines, -2 removed lines

@@ -81,11 +81,15 @@
             $code = $is_hex ? hexdec($matches[1]) : (int) $matches[2];
 
             // abort for special characters
-            if (isset($this->_special_dec2str[$code]))  return $entity;
+            if (isset($this->_special_dec2str[$code])) {
+            	return $entity;
+            }
 
             return HTMLPurifier_Encoder::unichr($code);
         } else {
-            if (isset($this->_special_ent2dec[$matches[3]])) return $entity;
+            if (isset($this->_special_ent2dec[$matches[3]])) {
+            	return $entity;
+            }
             if (!$this->_entity_lookup) {
                 $this->_entity_lookup = HTMLPurifier_EntityLookup::instance();
             }

classes/security/htmlpurifier/library/HTMLPurifier/ErrorStruct.php

Indentation +45 added lines, -45 removed lines

@@ -9,51 +9,51 @@
 class HTMLPurifier_ErrorStruct
 {
 
-    /**
-     * Possible values for $children first-key. Note that top-level structures
-     * are automatically token-level.
-     */
-    const TOKEN     = 0;
-    const ATTR      = 1;
-    const CSSPROP   = 2;
-
-    /**
-     * Type of this struct.
-     */
-    public $type;
-
-    /**
-     * Value of the struct we are recording errors for. There are various
-     * values for this:
-     *  - TOKEN: Instance of HTMLPurifier_Token
-     *  - ATTR: array('attr-name', 'value')
-     *  - CSSPROP: array('prop-name', 'value')
-     */
-    public $value;
-
-    /**
-     * Errors registered for this structure.
-     */
-    public $errors = array();
-
-    /**
-     * Child ErrorStructs that are from this structure. For example, a TOKEN
-     * ErrorStruct would contain ATTR ErrorStructs. This is a multi-dimensional
-     * array in structure: [TYPE]['identifier']
-     */
-    public $children = array();
-
-    public function getChild($type, $id) {
-        if (!isset($this->children[$type][$id])) {
-            $this->children[$type][$id] = new HTMLPurifier_ErrorStruct();
-            $this->children[$type][$id]->type = $type;
-        }
-        return $this->children[$type][$id];
-    }
-
-    public function addError($severity, $message) {
-        $this->errors[] = array($severity, $message);
-    }
+	/**
+	 * Possible values for $children first-key. Note that top-level structures
+	 * are automatically token-level.
+	 */
+	const TOKEN     = 0;
+	const ATTR      = 1;
+	const CSSPROP   = 2;
+
+	/**
+	 * Type of this struct.
+	 */
+	public $type;
+
+	/**
+	 * Value of the struct we are recording errors for. There are various
+	 * values for this:
+	 *  - TOKEN: Instance of HTMLPurifier_Token
+	 *  - ATTR: array('attr-name', 'value')
+	 *  - CSSPROP: array('prop-name', 'value')
+	 */
+	public $value;
+
+	/**
+	 * Errors registered for this structure.
+	 */
+	public $errors = array();
+
+	/**
+	 * Child ErrorStructs that are from this structure. For example, a TOKEN
+	 * ErrorStruct would contain ATTR ErrorStructs. This is a multi-dimensional
+	 * array in structure: [TYPE]['identifier']
+	 */
+	public $children = array();
+
+	public function getChild($type, $id) {
+		if (!isset($this->children[$type][$id])) {
+			$this->children[$type][$id] = new HTMLPurifier_ErrorStruct();
+			$this->children[$type][$id]->type = $type;
+		}
+		return $this->children[$type][$id];
+	}
+
+	public function addError($severity, $message) {
+		$this->errors[] = array($severity, $message);
+	}
 
 }
 

classes/security/htmlpurifier/library/HTMLPurifier/Filter.php

Indentation +16 added lines, -16 removed lines

@@ -22,24 +22,24 @@
 class HTMLPurifier_Filter
 {
 
-    /**
-     * Name of the filter for identification purposes
-     */
-    public $name;
+	/**
+	 * Name of the filter for identification purposes
+	 */
+	public $name;
 
-    /**
-     * Pre-processor function, handles HTML before HTML Purifier
-     */
-    public function preFilter($html, $config, $context) {
-        return $html;
-    }
+	/**
+	 * Pre-processor function, handles HTML before HTML Purifier
+	 */
+	public function preFilter($html, $config, $context) {
+		return $html;
+	}
 
-    /**
-     * Post-processor function, handles HTML after HTML Purifier
-     */
-    public function postFilter($html, $config, $context) {
-        return $html;
-    }
+	/**
+	 * Post-processor function, handles HTML after HTML Purifier
+	 */
+	public function postFilter($html, $config, $context) {
+		return $html;
+	}
 
 }
 

classes/security/htmlpurifier/library/HTMLPurifier/Filter/ExtractStyleBlocks.php

Indentation +253 added lines, -253 removed lines

@@ -23,265 +23,265 @@
 class HTMLPurifier_Filter_ExtractStyleBlocks extends HTMLPurifier_Filter
 {
 
-    public $name = 'ExtractStyleBlocks';
-    private $_styleMatches = array();
-    private $_tidy;
+	public $name = 'ExtractStyleBlocks';
+	private $_styleMatches = array();
+	private $_tidy;
 
-    private $_id_attrdef;
-    private $_class_attrdef;
-    private $_enum_attrdef;
+	private $_id_attrdef;
+	private $_class_attrdef;
+	private $_enum_attrdef;
 
-    public function __construct() {
-        $this->_tidy = new csstidy();
-        $this->_id_attrdef = new HTMLPurifier_AttrDef_HTML_ID(true);
-        $this->_class_attrdef = new HTMLPurifier_AttrDef_CSS_Ident();
-        $this->_enum_attrdef = new HTMLPurifier_AttrDef_Enum(array('first-child', 'link', 'visited', 'active', 'hover', 'focus'));
-    }
+	public function __construct() {
+		$this->_tidy = new csstidy();
+		$this->_id_attrdef = new HTMLPurifier_AttrDef_HTML_ID(true);
+		$this->_class_attrdef = new HTMLPurifier_AttrDef_CSS_Ident();
+		$this->_enum_attrdef = new HTMLPurifier_AttrDef_Enum(array('first-child', 'link', 'visited', 'active', 'hover', 'focus'));
+	}
 
-    /**
-     * Save the contents of CSS blocks to style matches
-     * @param $matches preg_replace style $matches array
-     */
-    protected function styleCallback($matches) {
-        $this->_styleMatches[] = $matches[1];
-    }
+	/**
+	 * Save the contents of CSS blocks to style matches
+	 * @param $matches preg_replace style $matches array
+	 */
+	protected function styleCallback($matches) {
+		$this->_styleMatches[] = $matches[1];
+	}
 
-    /**
-     * Removes inline <style> tags from HTML, saves them for later use
-     * @todo Extend to indicate non-text/css style blocks
-     */
-    public function preFilter($html, $config, $context) {
-        $tidy = $config->get('Filter.ExtractStyleBlocks.TidyImpl');
-        if ($tidy !== null) $this->_tidy = $tidy;
-        $html = preg_replace_callback('#<style(?:\s.*)?>(.+)</style>#isU', array($this, 'styleCallback'), $html);
-        $style_blocks = $this->_styleMatches;
-        $this->_styleMatches = array(); // reset
-        $context->register('StyleBlocks', $style_blocks); // $context must not be reused
-        if ($this->_tidy) {
-            foreach ($style_blocks as &$style) {
-                $style = $this->cleanCSS($style, $config, $context);
-            }
-        }
-        return $html;
-    }
+	/**
+	 * Removes inline <style> tags from HTML, saves them for later use
+	 * @todo Extend to indicate non-text/css style blocks
+	 */
+	public function preFilter($html, $config, $context) {
+		$tidy = $config->get('Filter.ExtractStyleBlocks.TidyImpl');
+		if ($tidy !== null) $this->_tidy = $tidy;
+		$html = preg_replace_callback('#<style(?:\s.*)?>(.+)</style>#isU', array($this, 'styleCallback'), $html);
+		$style_blocks = $this->_styleMatches;
+		$this->_styleMatches = array(); // reset
+		$context->register('StyleBlocks', $style_blocks); // $context must not be reused
+		if ($this->_tidy) {
+			foreach ($style_blocks as &$style) {
+				$style = $this->cleanCSS($style, $config, $context);
+			}
+		}
+		return $html;
+	}
 
-    /**
-     * Takes CSS (the stuff found in <style>) and cleans it.
-     * @warning Requires CSSTidy <http://csstidy.sourceforge.net/>
-     * @param $css     CSS styling to clean
-     * @param $config  Instance of HTMLPurifier_Config
-     * @param $context Instance of HTMLPurifier_Context
-     * @return Cleaned CSS
-     */
-    public function cleanCSS($css, $config, $context) {
-        // prepare scope
-        $scope = $config->get('Filter.ExtractStyleBlocks.Scope');
-        if ($scope !== null) {
-            $scopes = array_map('trim', explode(',', $scope));
-        } else {
-            $scopes = array();
-        }
-        // remove comments from CSS
-        $css = trim($css);
-        if (strncmp('<!--', $css, 4) === 0) {
-            $css = substr($css, 4);
-        }
-        if (strlen($css) > 3 && substr($css, -3) == '-->') {
-            $css = substr($css, 0, -3);
-        }
-        $css = trim($css);
-        set_error_handler('htmlpurifier_filter_extractstyleblocks_muteerrorhandler');
-        $this->_tidy->parse($css);
-        restore_error_handler();
-        $css_definition = $config->getDefinition('CSS');
-        $html_definition = $config->getDefinition('HTML');
-        $new_css = array();
-        foreach ($this->_tidy->css as $k => $decls) {
-            // $decls are all CSS declarations inside an @ selector
-            $new_decls = array();
-            foreach ($decls as $selector => $style) {
-                $selector = trim($selector);
-                if ($selector === '') continue; // should not happen
-                // Parse the selector
-                // Here is the relevant part of the CSS grammar:
-                //
-                // ruleset
-                //   : selector [ ',' S* selector ]* '{' ...
-                // selector
-                //   : simple_selector [ combinator selector | S+ [ combinator? selector ]? ]?
-                // combinator
-                //   : '+' S*
-                //   : '>' S*
-                // simple_selector
-                //   : element_name [ HASH | class | attrib | pseudo ]*
-                //   | [ HASH | class | attrib | pseudo ]+
-                // element_name
-                //   : IDENT | '*'
-                //   ;
-                // class
-                //   : '.' IDENT
-                //   ;
-                // attrib
-                //   : '[' S* IDENT S* [ [ '=' | INCLUDES | DASHMATCH ] S*
-                //     [ IDENT | STRING ] S* ]? ']'
-                //   ;
-                // pseudo
-                //   : ':' [ IDENT | FUNCTION S* [IDENT S*]? ')' ]
-                //   ;
-                //
-                // For reference, here are the relevant tokens:
-                //
-                // HASH         #{name}
-                // IDENT        {ident}
-                // INCLUDES     ==
-                // DASHMATCH    |=
-                // STRING       {string}
-                // FUNCTION     {ident}\(
-                //
-                // And the lexical scanner tokens
-                //
-                // name         {nmchar}+
-                // nmchar       [_a-z0-9-]|{nonascii}|{escape}
-                // nonascii     [\240-\377]
-                // escape       {unicode}|\\[^\r\n\f0-9a-f]
-                // unicode      \\{h}}{1,6}(\r\n|[ \t\r\n\f])?
-                // ident        -?{nmstart}{nmchar*}
-                // nmstart      [_a-z]|{nonascii}|{escape}
-                // string       {string1}|{string2}
-                // string1      \"([^\n\r\f\\"]|\\{nl}|{escape})*\"
-                // string2      \'([^\n\r\f\\"]|\\{nl}|{escape})*\'
-                //
-                // We'll implement a subset (in order to reduce attack
-                // surface); in particular:
-                //
-                //      - No Unicode support
-                //      - No escapes support
-                //      - No string support (by proxy no attrib support)
-                //      - element_name is matched against allowed
-                //        elements (some people might find this
-                //        annoying...)
-                //      - Pseudo-elements one of :first-child, :link,
-                //        :visited, :active, :hover, :focus
+	/**
+	 * Takes CSS (the stuff found in <style>) and cleans it.
+	 * @warning Requires CSSTidy <http://csstidy.sourceforge.net/>
+	 * @param $css     CSS styling to clean
+	 * @param $config  Instance of HTMLPurifier_Config
+	 * @param $context Instance of HTMLPurifier_Context
+	 * @return Cleaned CSS
+	 */
+	public function cleanCSS($css, $config, $context) {
+		// prepare scope
+		$scope = $config->get('Filter.ExtractStyleBlocks.Scope');
+		if ($scope !== null) {
+			$scopes = array_map('trim', explode(',', $scope));
+		} else {
+			$scopes = array();
+		}
+		// remove comments from CSS
+		$css = trim($css);
+		if (strncmp('<!--', $css, 4) === 0) {
+			$css = substr($css, 4);
+		}
+		if (strlen($css) > 3 && substr($css, -3) == '-->') {
+			$css = substr($css, 0, -3);
+		}
+		$css = trim($css);
+		set_error_handler('htmlpurifier_filter_extractstyleblocks_muteerrorhandler');
+		$this->_tidy->parse($css);
+		restore_error_handler();
+		$css_definition = $config->getDefinition('CSS');
+		$html_definition = $config->getDefinition('HTML');
+		$new_css = array();
+		foreach ($this->_tidy->css as $k => $decls) {
+			// $decls are all CSS declarations inside an @ selector
+			$new_decls = array();
+			foreach ($decls as $selector => $style) {
+				$selector = trim($selector);
+				if ($selector === '') continue; // should not happen
+				// Parse the selector
+				// Here is the relevant part of the CSS grammar:
+				//
+				// ruleset
+				//   : selector [ ',' S* selector ]* '{' ...
+				// selector
+				//   : simple_selector [ combinator selector | S+ [ combinator? selector ]? ]?
+				// combinator
+				//   : '+' S*
+				//   : '>' S*
+				// simple_selector
+				//   : element_name [ HASH | class | attrib | pseudo ]*
+				//   | [ HASH | class | attrib | pseudo ]+
+				// element_name
+				//   : IDENT | '*'
+				//   ;
+				// class
+				//   : '.' IDENT
+				//   ;
+				// attrib
+				//   : '[' S* IDENT S* [ [ '=' | INCLUDES | DASHMATCH ] S*
+				//     [ IDENT | STRING ] S* ]? ']'
+				//   ;
+				// pseudo
+				//   : ':' [ IDENT | FUNCTION S* [IDENT S*]? ')' ]
+				//   ;
+				//
+				// For reference, here are the relevant tokens:
+				//
+				// HASH         #{name}
+				// IDENT        {ident}
+				// INCLUDES     ==
+				// DASHMATCH    |=
+				// STRING       {string}
+				// FUNCTION     {ident}\(
+				//
+				// And the lexical scanner tokens
+				//
+				// name         {nmchar}+
+				// nmchar       [_a-z0-9-]|{nonascii}|{escape}
+				// nonascii     [\240-\377]
+				// escape       {unicode}|\\[^\r\n\f0-9a-f]
+				// unicode      \\{h}}{1,6}(\r\n|[ \t\r\n\f])?
+				// ident        -?{nmstart}{nmchar*}
+				// nmstart      [_a-z]|{nonascii}|{escape}
+				// string       {string1}|{string2}
+				// string1      \"([^\n\r\f\\"]|\\{nl}|{escape})*\"
+				// string2      \'([^\n\r\f\\"]|\\{nl}|{escape})*\'
+				//
+				// We'll implement a subset (in order to reduce attack
+				// surface); in particular:
+				//
+				//      - No Unicode support
+				//      - No escapes support
+				//      - No string support (by proxy no attrib support)
+				//      - element_name is matched against allowed
+				//        elements (some people might find this
+				//        annoying...)
+				//      - Pseudo-elements one of :first-child, :link,
+				//        :visited, :active, :hover, :focus
 
-                // handle ruleset
-                $selectors = array_map('trim', explode(',', $selector));
-                $new_selectors = array();
-                foreach ($selectors as $sel) {
-                    // split on +, > and spaces
-                    $basic_selectors = preg_split('/\s*([+> ])\s*/', $sel, -1, PREG_SPLIT_DELIM_CAPTURE);
-                    // even indices are chunks, odd indices are
-                    // delimiters
-                    $nsel = null;
-                    $delim = null; // guaranteed to be non-null after
-                                   // two loop iterations
-                    for ($i = 0, $c = count($basic_selectors); $i < $c; $i++) {
-                        $x = $basic_selectors[$i];
-                        if ($i % 2) {
-                            // delimiter
-                            if ($x === ' ') {
-                                $delim = ' ';
-                            } else {
-                                $delim = ' ' . $x . ' ';
-                            }
-                        } else {
-                            // simple selector
-                            $components = preg_split('/([#.:])/', $x, -1, PREG_SPLIT_DELIM_CAPTURE);
-                            $sdelim = null;
-                            $nx = null;
-                            for ($j = 0, $cc = count($components); $j < $cc; $j ++) {
-                                $y = $components[$j];
-                                if ($j === 0) {
-                                    if ($y === '*' || isset($html_definition->info[$y = strtolower($y)])) {
-                                        $nx = $y;
-                                    } else {
-                                        // $nx stays null; this matters
-                                        // if we don't manage to find
-                                        // any valid selector content,
-                                        // in which case we ignore the
-                                        // outer $delim
-                                    }
-                                } elseif ($j % 2) {
-                                    // set delimiter
-                                    $sdelim = $y;
-                                } else {
-                                    $attrdef = null;
-                                    if ($sdelim === '#') {
-                                        $attrdef = $this->_id_attrdef;
-                                    } elseif ($sdelim === '.') {
-                                        $attrdef = $this->_class_attrdef;
-                                    } elseif ($sdelim === ':') {
-                                        $attrdef = $this->_enum_attrdef;
-                                    } else {
-                                        throw new HTMLPurifier_Exception('broken invariant sdelim and preg_split');
-                                    }
-                                    $r = $attrdef->validate($y, $config, $context);
-                                    if ($r !== false) {
-                                        if ($r !== true) {
-                                            $y = $r;
-                                        }
-                                        if ($nx === null) {
-                                            $nx = '';
-                                        }
-                                        $nx .= $sdelim . $y;
-                                    }
-                                }
-                            }
-                            if ($nx !== null) {
-                                if ($nsel === null) {
-                                    $nsel = $nx;
-                                } else {
-                                    $nsel .= $delim . $nx;
-                                }
-                            } else {
-                                // delimiters to the left of invalid
-                                // basic selector ignored
-                            }
-                        }
-                    }
-                    if ($nsel !== null) {
-                        if (!empty($scopes)) {
-                            foreach ($scopes as $s) {
-                                $new_selectors[] = "$s $nsel";
-                            }
-                        } else {
-                            $new_selectors[] = $nsel;
-                        }
-                    }
-                }
-                if (empty($new_selectors)) continue;
-                $selector = implode(', ', $new_selectors);
-                foreach ($style as $name => $value) {
-                    if (!isset($css_definition->info[$name])) {
-                        unset($style[$name]);
-                        continue;
-                    }
-                    $def = $css_definition->info[$name];
-                    $ret = $def->validate($value, $config, $context);
-                    if ($ret === false) unset($style[$name]);
-                    else $style[$name] = $ret;
-                }
-                $new_decls[$selector] = $style;
-            }
-            $new_css[$k] = $new_decls;
-        }
-        // remove stuff that shouldn't be used, could be reenabled
-        // after security risks are analyzed
-        $this->_tidy->css = $new_css;
-        $this->_tidy->import = array();
-        $this->_tidy->charset = null;
-        $this->_tidy->namespace = null;
-        $css = $this->_tidy->print->plain();
-        // we are going to escape any special characters <>& to ensure
-        // that no funny business occurs (i.e. </style> in a font-family prop).
-        if ($config->get('Filter.ExtractStyleBlocks.Escaping')) {
-            $css = str_replace(
-                array('<',    '>',    '&'),
-                array('\3C ', '\3E ', '\26 '),
-                $css
-            );
-        }
-        return $css;
-    }
+				// handle ruleset
+				$selectors = array_map('trim', explode(',', $selector));
+				$new_selectors = array();
+				foreach ($selectors as $sel) {
+					// split on +, > and spaces
+					$basic_selectors = preg_split('/\s*([+> ])\s*/', $sel, -1, PREG_SPLIT_DELIM_CAPTURE);
+					// even indices are chunks, odd indices are
+					// delimiters
+					$nsel = null;
+					$delim = null; // guaranteed to be non-null after
+								   // two loop iterations
+					for ($i = 0, $c = count($basic_selectors); $i < $c; $i++) {
+						$x = $basic_selectors[$i];
+						if ($i % 2) {
+							// delimiter
+							if ($x === ' ') {
+								$delim = ' ';
+							} else {
+								$delim = ' ' . $x . ' ';
+							}
+						} else {
+							// simple selector
+							$components = preg_split('/([#.:])/', $x, -1, PREG_SPLIT_DELIM_CAPTURE);
+							$sdelim = null;
+							$nx = null;
+							for ($j = 0, $cc = count($components); $j < $cc; $j ++) {
+								$y = $components[$j];
+								if ($j === 0) {
+									if ($y === '*' || isset($html_definition->info[$y = strtolower($y)])) {
+										$nx = $y;
+									} else {
+										// $nx stays null; this matters
+										// if we don't manage to find
+										// any valid selector content,
+										// in which case we ignore the
+										// outer $delim
+									}
+								} elseif ($j % 2) {
+									// set delimiter
+									$sdelim = $y;
+								} else {
+									$attrdef = null;
+									if ($sdelim === '#') {
+										$attrdef = $this->_id_attrdef;
+									} elseif ($sdelim === '.') {
+										$attrdef = $this->_class_attrdef;
+									} elseif ($sdelim === ':') {
+										$attrdef = $this->_enum_attrdef;
+									} else {
+										throw new HTMLPurifier_Exception('broken invariant sdelim and preg_split');
+									}
+									$r = $attrdef->validate($y, $config, $context);
+									if ($r !== false) {
+										if ($r !== true) {
+											$y = $r;
+										}
+										if ($nx === null) {
+											$nx = '';
+										}
+										$nx .= $sdelim . $y;
+									}
+								}
+							}
+							if ($nx !== null) {
+								if ($nsel === null) {
+									$nsel = $nx;
+								} else {
+									$nsel .= $delim . $nx;
+								}
+							} else {
+								// delimiters to the left of invalid
+								// basic selector ignored
+							}
+						}
+					}
+					if ($nsel !== null) {
+						if (!empty($scopes)) {
+							foreach ($scopes as $s) {
+								$new_selectors[] = "$s $nsel";
+							}
+						} else {
+							$new_selectors[] = $nsel;
+						}
+					}
+				}
+				if (empty($new_selectors)) continue;
+				$selector = implode(', ', $new_selectors);
+				foreach ($style as $name => $value) {
+					if (!isset($css_definition->info[$name])) {
+						unset($style[$name]);
+						continue;
+					}
+					$def = $css_definition->info[$name];
+					$ret = $def->validate($value, $config, $context);
+					if ($ret === false) unset($style[$name]);
+					else $style[$name] = $ret;
+				}
+				$new_decls[$selector] = $style;
+			}
+			$new_css[$k] = $new_decls;
+		}
+		// remove stuff that shouldn't be used, could be reenabled
+		// after security risks are analyzed
+		$this->_tidy->css = $new_css;
+		$this->_tidy->import = array();
+		$this->_tidy->charset = null;
+		$this->_tidy->namespace = null;
+		$css = $this->_tidy->print->plain();
+		// we are going to escape any special characters <>& to ensure
+		// that no funny business occurs (i.e. </style> in a font-family prop).
+		if ($config->get('Filter.ExtractStyleBlocks.Escaping')) {
+			$css = str_replace(
+				array('<',    '>',    '&'),
+				array('\3C ', '\3E ', '\26 '),
+				$css
+			);
+		}
+		return $css;
+	}
 
 }
 

Braces +15 added lines, -5 removed lines

@@ -52,7 +52,9 @@ 
      */
     public function preFilter($html, $config, $context) {
         $tidy = $config->get('Filter.ExtractStyleBlocks.TidyImpl');
-        if ($tidy !== null) $this->_tidy = $tidy;
+        if ($tidy !== null) {
+        	$this->_tidy = $tidy;
+        }
         $html = preg_replace_callback('#<style(?:\s.*)?>(.+)</style>#isU', array($this, 'styleCallback'), $html);
         $style_blocks = $this->_styleMatches;
         $this->_styleMatches = array(); // reset
@@ -101,7 +103,10 @@ 
             $new_decls = array();
             foreach ($decls as $selector => $style) {
                 $selector = trim($selector);
-                if ($selector === '') continue; // should not happen
+                if ($selector === '') {
+                	continue;
+                }
+                // should not happen
                 // Parse the selector
                 // Here is the relevant part of the CSS grammar:
                 //
@@ -248,7 +253,9 @@ 
                         }
                     }
                 }
-                if (empty($new_selectors)) continue;
+                if (empty($new_selectors)) {
+                	continue;
+                }
                 $selector = implode(', ', $new_selectors);
                 foreach ($style as $name => $value) {
                     if (!isset($css_definition->info[$name])) {
@@ -257,8 +264,11 @@ 
                     }
                     $def = $css_definition->info[$name];
                     $ret = $def->validate($value, $config, $context);
-                    if ($ret === false) unset($style[$name]);
-                    else $style[$name] = $ret;
+                    if ($ret === false) {
+                    	unset($style[$name]);
+                    } else {
+                    	$style[$name] = $ret;
+                    }
                 }
                 $new_decls[$selector] = $style;
             }

Spacing +5 added lines, -5 removed lines

@@ -181,14 +181,14 @@ 
                             if ($x === ' ') {
                                 $delim = ' ';
                             } else {
-                                $delim = ' ' . $x . ' ';
+                                $delim = ' '.$x.' ';
                             }
                         } else {
                             // simple selector
                             $components = preg_split('/([#.:])/', $x, -1, PREG_SPLIT_DELIM_CAPTURE);
                             $sdelim = null;
                             $nx = null;
-                            for ($j = 0, $cc = count($components); $j < $cc; $j ++) {
+                            for ($j = 0, $cc = count($components); $j < $cc; $j++) {
                                 $y = $components[$j];
                                 if ($j === 0) {
                                     if ($y === '*' || isset($html_definition->info[$y = strtolower($y)])) {
@@ -222,7 +222,7 @@ 
                                         if ($nx === null) {
                                             $nx = '';
                                         }
-                                        $nx .= $sdelim . $y;
+                                        $nx .= $sdelim.$y;
                                     }
                                 }
                             }
@@ -230,7 +230,7 @@ 
                                 if ($nsel === null) {
                                     $nsel = $nx;
                                 } else {
-                                    $nsel .= $delim . $nx;
+                                    $nsel .= $delim.$nx;
                                 }
                             } else {
                                 // delimiters to the left of invalid
@@ -275,7 +275,7 @@ 
         // that no funny business occurs (i.e. </style> in a font-family prop).
         if ($config->get('Filter.ExtractStyleBlocks.Escaping')) {
             $css = str_replace(
-                array('<',    '>',    '&'),
+                array('<', '>', '&'),
                 array('\3C ', '\3E ', '\26 '),
                 $css
             );

classes/security/htmlpurifier/library/HTMLPurifier/Filter/YouTube.php

Indentation +31 added lines, -31 removed lines

@@ -3,37 +3,37 @@
 class HTMLPurifier_Filter_YouTube extends HTMLPurifier_Filter
 {
 
-    public $name = 'YouTube';
-
-    public function preFilter($html, $config, $context) {
-        $pre_regex = '#<object[^>]+>.+?'.
-            'http://www.youtube.com/((?:v|cp)/[A-Za-z0-9\-_=]+).+?</object>#s';
-        $pre_replace = '<span class="youtube-embed">\1</span>';
-        return preg_replace($pre_regex, $pre_replace, $html);
-    }
-
-    public function postFilter($html, $config, $context) {
-        $post_regex = '#<span class="youtube-embed">((?:v|cp)/[A-Za-z0-9\-_=]+)</span>#';
-        return preg_replace_callback($post_regex, array($this, 'postFilterCallback'), $html);
-    }
-
-    protected function armorUrl($url) {
-        return str_replace('--', '-&#45;', $url);
-    }
-
-    protected function postFilterCallback($matches) {
-        $url = $this->armorUrl($matches[1]);
-        return '<object width="425" height="350" type="application/x-shockwave-flash" '.
-            'data="http://www.youtube.com/'.$url.'">'.
-            '<param name="movie" value="http://www.youtube.com/'.$url.'"></param>'.
-            '<!--[if IE]>'.
-            '<embed src="http://www.youtube.com/'.$url.'"'.
-            'type="application/x-shockwave-flash"'.
-            'wmode="transparent" width="425" height="350" />'.
-            '<![endif]-->'.
-            '</object>';
-
-    }
+	public $name = 'YouTube';
+
+	public function preFilter($html, $config, $context) {
+		$pre_regex = '#<object[^>]+>.+?'.
+			'http://www.youtube.com/((?:v|cp)/[A-Za-z0-9\-_=]+).+?</object>#s';
+		$pre_replace = '<span class="youtube-embed">\1</span>';
+		return preg_replace($pre_regex, $pre_replace, $html);
+	}
+
+	public function postFilter($html, $config, $context) {
+		$post_regex = '#<span class="youtube-embed">((?:v|cp)/[A-Za-z0-9\-_=]+)</span>#';
+		return preg_replace_callback($post_regex, array($this, 'postFilterCallback'), $html);
+	}
+
+	protected function armorUrl($url) {
+		return str_replace('--', '-&#45;', $url);
+	}
+
+	protected function postFilterCallback($matches) {
+		$url = $this->armorUrl($matches[1]);
+		return '<object width="425" height="350" type="application/x-shockwave-flash" '.
+			'data="http://www.youtube.com/'.$url.'">'.
+			'<param name="movie" value="http://www.youtube.com/'.$url.'"></param>'.
+			'<!--[if IE]>'.
+			'<embed src="http://www.youtube.com/'.$url.'"'.
+			'type="application/x-shockwave-flash"'.
+			'wmode="transparent" width="425" height="350" />'.
+			'<![endif]-->'.
+			'</object>';
+
+	}
 }
 
 // vim: et sw=4 sts=4

classes/security/htmlpurifier/library/HTMLPurifier/HTMLModule.php

Indentation +220 added lines, -220 removed lines

@@ -18,226 +18,226 @@
 class HTMLPurifier_HTMLModule
 {
 
-    // -- Overloadable ----------------------------------------------------
-
-    /**
-     * Short unique string identifier of the module
-     */
-    public $name;
-
-    /**
-     * Informally, a list of elements this module changes. Not used in
-     * any significant way.
-     */
-    public $elements = array();
-
-    /**
-     * Associative array of element names to element definitions.
-     * Some definitions may be incomplete, to be merged in later
-     * with the full definition.
-     */
-    public $info = array();
-
-    /**
-     * Associative array of content set names to content set additions.
-     * This is commonly used to, say, add an A element to the Inline
-     * content set. This corresponds to an internal variable $content_sets
-     * and NOT info_content_sets member variable of HTMLDefinition.
-     */
-    public $content_sets = array();
-
-    /**
-     * Associative array of attribute collection names to attribute
-     * collection additions. More rarely used for adding attributes to
-     * the global collections. Example is the StyleAttribute module adding
-     * the style attribute to the Core. Corresponds to HTMLDefinition's
-     * attr_collections->info, since the object's data is only info,
-     * with extra behavior associated with it.
-     */
-    public $attr_collections = array();
-
-    /**
-     * Associative array of deprecated tag name to HTMLPurifier_TagTransform
-     */
-    public $info_tag_transform = array();
-
-    /**
-     * List of HTMLPurifier_AttrTransform to be performed before validation.
-     */
-    public $info_attr_transform_pre = array();
-
-    /**
-     * List of HTMLPurifier_AttrTransform to be performed after validation.
-     */
-    public $info_attr_transform_post = array();
-
-    /**
-     * List of HTMLPurifier_Injector to be performed during well-formedness fixing.
-     * An injector will only be invoked if all of it's pre-requisites are met;
-     * if an injector fails setup, there will be no error; it will simply be
-     * silently disabled.
-     */
-    public $info_injector = array();
-
-    /**
-     * Boolean flag that indicates whether or not getChildDef is implemented.
-     * For optimization reasons: may save a call to a function. Be sure
-     * to set it if you do implement getChildDef(), otherwise it will have
-     * no effect!
-     */
-    public $defines_child_def = false;
-
-    /**
-     * Boolean flag whether or not this module is safe. If it is not safe, all
-     * of its members are unsafe. Modules are safe by default (this might be
-     * slightly dangerous, but it doesn't make much sense to force HTML Purifier,
-     * which is based off of safe HTML, to explicitly say, "This is safe," even
-     * though there are modules which are "unsafe")
-     *
-     * @note Previously, safety could be applied at an element level granularity.
-     *       We've removed this ability, so in order to add "unsafe" elements
-     *       or attributes, a dedicated module with this property set to false
-     *       must be used.
-     */
-    public $safe = true;
-
-    /**
-     * Retrieves a proper HTMLPurifier_ChildDef subclass based on
-     * content_model and content_model_type member variables of
-     * the HTMLPurifier_ElementDef class. There is a similar function
-     * in HTMLPurifier_HTMLDefinition.
-     * @param $def HTMLPurifier_ElementDef instance
-     * @return HTMLPurifier_ChildDef subclass
-     */
-    public function getChildDef($def) {return false;}
-
-    // -- Convenience -----------------------------------------------------
-
-    /**
-     * Convenience function that sets up a new element
-     * @param $element Name of element to add
-     * @param $type What content set should element be registered to?
-     *              Set as false to skip this step.
-     * @param $contents Allowed children in form of:
-     *              "$content_model_type: $content_model"
-     * @param $attr_includes What attribute collections to register to
-     *              element?
-     * @param $attr What unique attributes does the element define?
-     * @note See ElementDef for in-depth descriptions of these parameters.
-     * @return Created element definition object, so you
-     *         can set advanced parameters
-     */
-    public function addElement($element, $type, $contents, $attr_includes = array(), $attr = array()) {
-        $this->elements[] = $element;
-        // parse content_model
-        list($content_model_type, $content_model) = $this->parseContents($contents);
-        // merge in attribute inclusions
-        $this->mergeInAttrIncludes($attr, $attr_includes);
-        // add element to content sets
-        if ($type) $this->addElementToContentSet($element, $type);
-        // create element
-        $this->info[$element] = HTMLPurifier_ElementDef::create(
-            $content_model, $content_model_type, $attr
-        );
-        // literal object $contents means direct child manipulation
-        if (!is_string($contents)) $this->info[$element]->child = $contents;
-        return $this->info[$element];
-    }
-
-    /**
-     * Convenience function that creates a totally blank, non-standalone
-     * element.
-     * @param $element Name of element to create
-     * @return Created element
-     */
-    public function addBlankElement($element) {
-        if (!isset($this->info[$element])) {
-            $this->elements[] = $element;
-            $this->info[$element] = new HTMLPurifier_ElementDef();
-            $this->info[$element]->standalone = false;
-        } else {
-            trigger_error("Definition for $element already exists in module, cannot redefine");
-        }
-        return $this->info[$element];
-    }
-
-    /**
-     * Convenience function that registers an element to a content set
-     * @param Element to register
-     * @param Name content set (warning: case sensitive, usually upper-case
-     *        first letter)
-     */
-    public function addElementToContentSet($element, $type) {
-        if (!isset($this->content_sets[$type])) $this->content_sets[$type] = '';
-        else $this->content_sets[$type] .= ' | ';
-        $this->content_sets[$type] .= $element;
-    }
-
-    /**
-     * Convenience function that transforms single-string contents
-     * into separate content model and content model type
-     * @param $contents Allowed children in form of:
-     *                  "$content_model_type: $content_model"
-     * @note If contents is an object, an array of two nulls will be
-     *       returned, and the callee needs to take the original $contents
-     *       and use it directly.
-     */
-    public function parseContents($contents) {
-        if (!is_string($contents)) return array(null, null); // defer
-        switch ($contents) {
-            // check for shorthand content model forms
-            case 'Empty':
-                return array('empty', '');
-            case 'Inline':
-                return array('optional', 'Inline | #PCDATA');
-            case 'Flow':
-                return array('optional', 'Flow | #PCDATA');
-        }
-        list($content_model_type, $content_model) = explode(':', $contents);
-        $content_model_type = strtolower(trim($content_model_type));
-        $content_model = trim($content_model);
-        return array($content_model_type, $content_model);
-    }
-
-    /**
-     * Convenience function that merges a list of attribute includes into
-     * an attribute array.
-     * @param $attr Reference to attr array to modify
-     * @param $attr_includes Array of includes / string include to merge in
-     */
-    public function mergeInAttrIncludes(&$attr, $attr_includes) {
-        if (!is_array($attr_includes)) {
-            if (empty($attr_includes)) $attr_includes = array();
-            else $attr_includes = array($attr_includes);
-        }
-        $attr[0] = $attr_includes;
-    }
-
-    /**
-     * Convenience function that generates a lookup table with boolean
-     * true as value.
-     * @param $list List of values to turn into a lookup
-     * @note You can also pass an arbitrary number of arguments in
-     *       place of the regular argument
-     * @return Lookup array equivalent of list
-     */
-    public function makeLookup($list) {
-        if (is_string($list)) $list = func_get_args();
-        $ret = array();
-        foreach ($list as $value) {
-            if (is_null($value)) continue;
-            $ret[$value] = true;
-        }
-        return $ret;
-    }
-
-    /**
-     * Lazy load construction of the module after determining whether
-     * or not it's needed, and also when a finalized configuration object
-     * is available.
-     * @param $config Instance of HTMLPurifier_Config
-     */
-    public function setup($config) {}
+	// -- Overloadable ----------------------------------------------------
+
+	/**
+	 * Short unique string identifier of the module
+	 */
+	public $name;
+
+	/**
+	 * Informally, a list of elements this module changes. Not used in
+	 * any significant way.
+	 */
+	public $elements = array();
+
+	/**
+	 * Associative array of element names to element definitions.
+	 * Some definitions may be incomplete, to be merged in later
+	 * with the full definition.
+	 */
+	public $info = array();
+
+	/**
+	 * Associative array of content set names to content set additions.
+	 * This is commonly used to, say, add an A element to the Inline
+	 * content set. This corresponds to an internal variable $content_sets
+	 * and NOT info_content_sets member variable of HTMLDefinition.
+	 */
+	public $content_sets = array();
+
+	/**
+	 * Associative array of attribute collection names to attribute
+	 * collection additions. More rarely used for adding attributes to
+	 * the global collections. Example is the StyleAttribute module adding
+	 * the style attribute to the Core. Corresponds to HTMLDefinition's
+	 * attr_collections->info, since the object's data is only info,
+	 * with extra behavior associated with it.
+	 */
+	public $attr_collections = array();
+
+	/**
+	 * Associative array of deprecated tag name to HTMLPurifier_TagTransform
+	 */
+	public $info_tag_transform = array();
+
+	/**
+	 * List of HTMLPurifier_AttrTransform to be performed before validation.
+	 */
+	public $info_attr_transform_pre = array();
+
+	/**
+	 * List of HTMLPurifier_AttrTransform to be performed after validation.
+	 */
+	public $info_attr_transform_post = array();
+
+	/**
+	 * List of HTMLPurifier_Injector to be performed during well-formedness fixing.
+	 * An injector will only be invoked if all of it's pre-requisites are met;
+	 * if an injector fails setup, there will be no error; it will simply be
+	 * silently disabled.
+	 */
+	public $info_injector = array();
+
+	/**
+	 * Boolean flag that indicates whether or not getChildDef is implemented.
+	 * For optimization reasons: may save a call to a function. Be sure
+	 * to set it if you do implement getChildDef(), otherwise it will have
+	 * no effect!
+	 */
+	public $defines_child_def = false;
+
+	/**
+	 * Boolean flag whether or not this module is safe. If it is not safe, all
+	 * of its members are unsafe. Modules are safe by default (this might be
+	 * slightly dangerous, but it doesn't make much sense to force HTML Purifier,
+	 * which is based off of safe HTML, to explicitly say, "This is safe," even
+	 * though there are modules which are "unsafe")
+	 *
+	 * @note Previously, safety could be applied at an element level granularity.
+	 *       We've removed this ability, so in order to add "unsafe" elements
+	 *       or attributes, a dedicated module with this property set to false
+	 *       must be used.
+	 */
+	public $safe = true;
+
+	/**
+	 * Retrieves a proper HTMLPurifier_ChildDef subclass based on
+	 * content_model and content_model_type member variables of
+	 * the HTMLPurifier_ElementDef class. There is a similar function
+	 * in HTMLPurifier_HTMLDefinition.
+	 * @param $def HTMLPurifier_ElementDef instance
+	 * @return HTMLPurifier_ChildDef subclass
+	 */
+	public function getChildDef($def) {return false;}
+
+	// -- Convenience -----------------------------------------------------
+
+	/**
+	 * Convenience function that sets up a new element
+	 * @param $element Name of element to add
+	 * @param $type What content set should element be registered to?
+	 *              Set as false to skip this step.
+	 * @param $contents Allowed children in form of:
+	 *              "$content_model_type: $content_model"
+	 * @param $attr_includes What attribute collections to register to
+	 *              element?
+	 * @param $attr What unique attributes does the element define?
+	 * @note See ElementDef for in-depth descriptions of these parameters.
+	 * @return Created element definition object, so you
+	 *         can set advanced parameters
+	 */
+	public function addElement($element, $type, $contents, $attr_includes = array(), $attr = array()) {
+		$this->elements[] = $element;
+		// parse content_model
+		list($content_model_type, $content_model) = $this->parseContents($contents);
+		// merge in attribute inclusions
+		$this->mergeInAttrIncludes($attr, $attr_includes);
+		// add element to content sets
+		if ($type) $this->addElementToContentSet($element, $type);
+		// create element
+		$this->info[$element] = HTMLPurifier_ElementDef::create(
+			$content_model, $content_model_type, $attr
+		);
+		// literal object $contents means direct child manipulation
+		if (!is_string($contents)) $this->info[$element]->child = $contents;
+		return $this->info[$element];
+	}
+
+	/**
+	 * Convenience function that creates a totally blank, non-standalone
+	 * element.
+	 * @param $element Name of element to create
+	 * @return Created element
+	 */
+	public function addBlankElement($element) {
+		if (!isset($this->info[$element])) {
+			$this->elements[] = $element;
+			$this->info[$element] = new HTMLPurifier_ElementDef();
+			$this->info[$element]->standalone = false;
+		} else {
+			trigger_error("Definition for $element already exists in module, cannot redefine");
+		}
+		return $this->info[$element];
+	}
+
+	/**
+	 * Convenience function that registers an element to a content set
+	 * @param Element to register
+	 * @param Name content set (warning: case sensitive, usually upper-case
+	 *        first letter)
+	 */
+	public function addElementToContentSet($element, $type) {
+		if (!isset($this->content_sets[$type])) $this->content_sets[$type] = '';
+		else $this->content_sets[$type] .= ' | ';
+		$this->content_sets[$type] .= $element;
+	}
+
+	/**
+	 * Convenience function that transforms single-string contents
+	 * into separate content model and content model type
+	 * @param $contents Allowed children in form of:
+	 *                  "$content_model_type: $content_model"
+	 * @note If contents is an object, an array of two nulls will be
+	 *       returned, and the callee needs to take the original $contents
+	 *       and use it directly.
+	 */
+	public function parseContents($contents) {
+		if (!is_string($contents)) return array(null, null); // defer
+		switch ($contents) {
+			// check for shorthand content model forms
+			case 'Empty':
+				return array('empty', '');
+			case 'Inline':
+				return array('optional', 'Inline | #PCDATA');
+			case 'Flow':
+				return array('optional', 'Flow | #PCDATA');
+		}
+		list($content_model_type, $content_model) = explode(':', $contents);
+		$content_model_type = strtolower(trim($content_model_type));
+		$content_model = trim($content_model);
+		return array($content_model_type, $content_model);
+	}
+
+	/**
+	 * Convenience function that merges a list of attribute includes into
+	 * an attribute array.
+	 * @param $attr Reference to attr array to modify
+	 * @param $attr_includes Array of includes / string include to merge in
+	 */
+	public function mergeInAttrIncludes(&$attr, $attr_includes) {
+		if (!is_array($attr_includes)) {
+			if (empty($attr_includes)) $attr_includes = array();
+			else $attr_includes = array($attr_includes);
+		}
+		$attr[0] = $attr_includes;
+	}
+
+	/**
+	 * Convenience function that generates a lookup table with boolean
+	 * true as value.
+	 * @param $list List of values to turn into a lookup
+	 * @note You can also pass an arbitrary number of arguments in
+	 *       place of the regular argument
+	 * @return Lookup array equivalent of list
+	 */
+	public function makeLookup($list) {
+		if (is_string($list)) $list = func_get_args();
+		$ret = array();
+		foreach ($list as $value) {
+			if (is_null($value)) continue;
+			$ret[$value] = true;
+		}
+		return $ret;
+	}
+
+	/**
+	 * Lazy load construction of the module after determining whether
+	 * or not it's needed, and also when a finalized configuration object
+	 * is available.
+	 * @param $config Instance of HTMLPurifier_Config
+	 */
+	public function setup($config) {}
 
 }
 

Spacing +1 added lines, -1 removed lines

@@ -109,7 +109,7 @@
      * @param $def HTMLPurifier_ElementDef instance
      * @return HTMLPurifier_ChildDef subclass
      */
-    public function getChildDef($def) {return false;}
+    public function getChildDef($def) {return false; }
 
     // -- Convenience -----------------------------------------------------
 

Braces +26 added lines, -9 removed lines

@@ -134,13 +134,17 @@ 
         // merge in attribute inclusions
         $this->mergeInAttrIncludes($attr, $attr_includes);
         // add element to content sets
-        if ($type) $this->addElementToContentSet($element, $type);
+        if ($type) {
+        	$this->addElementToContentSet($element, $type);
+        }
         // create element
         $this->info[$element] = HTMLPurifier_ElementDef::create(
             $content_model, $content_model_type, $attr
         );
         // literal object $contents means direct child manipulation
-        if (!is_string($contents)) $this->info[$element]->child = $contents;
+        if (!is_string($contents)) {
+        	$this->info[$element]->child = $contents;
+        }
         return $this->info[$element];
     }
 
@@ -168,8 +172,11 @@ 
      *        first letter)
      */
     public function addElementToContentSet($element, $type) {
-        if (!isset($this->content_sets[$type])) $this->content_sets[$type] = '';
-        else $this->content_sets[$type] .= ' | ';
+        if (!isset($this->content_sets[$type])) {
+        	$this->content_sets[$type] = '';
+        } else {
+        	$this->content_sets[$type] .= ' | ';
+        }
         $this->content_sets[$type] .= $element;
     }
 
@@ -183,7 +190,10 @@ 
      *       and use it directly.
      */
     public function parseContents($contents) {
-        if (!is_string($contents)) return array(null, null); // defer
+        if (!is_string($contents)) {
+        	return array(null, null);
+        }
+        // defer
         switch ($contents) {
             // check for shorthand content model forms
             case 'Empty':
@@ -207,8 +217,11 @@ 
      */
     public function mergeInAttrIncludes(&$attr, $attr_includes) {
         if (!is_array($attr_includes)) {
-            if (empty($attr_includes)) $attr_includes = array();
-            else $attr_includes = array($attr_includes);
+            if (empty($attr_includes)) {
+            	$attr_includes = array();
+            } else {
+            	$attr_includes = array($attr_includes);
+            }
         }
         $attr[0] = $attr_includes;
     }
@@ -222,10 +235,14 @@ 
      * @return Lookup array equivalent of list
      */
     public function makeLookup($list) {
-        if (is_string($list)) $list = func_get_args();
+        if (is_string($list)) {
+        	$list = func_get_args();
+        }
         $ret = array();
         foreach ($list as $value) {
-            if (is_null($value)) continue;
+            if (is_null($value)) {
+            	continue;
+            }
             $ret[$value] = true;
         }
         return $ret;

classes/security/htmlpurifier/library/HTMLPurifier/HTMLModule/Bdo.php

Indentation +16 added lines, -16 removed lines

@@ -7,24 +7,24 @@
 class HTMLPurifier_HTMLModule_Bdo extends HTMLPurifier_HTMLModule
 {
 
-    public $name = 'Bdo';
-    public $attr_collections = array(
-        'I18N' => array('dir' => false)
-    );
+	public $name = 'Bdo';
+	public $attr_collections = array(
+		'I18N' => array('dir' => false)
+	);
 
-    public function setup($config) {
-        $bdo = $this->addElement(
-            'bdo', 'Inline', 'Inline', array('Core', 'Lang'),
-            array(
-                'dir' => 'Enum#ltr,rtl', // required
-                // The Abstract Module specification has the attribute
-                // inclusions wrong for bdo: bdo allows Lang
-            )
-        );
-        $bdo->attr_transform_post['required-dir'] = new HTMLPurifier_AttrTransform_BdoDir();
+	public function setup($config) {
+		$bdo = $this->addElement(
+			'bdo', 'Inline', 'Inline', array('Core', 'Lang'),
+			array(
+				'dir' => 'Enum#ltr,rtl', // required
+				// The Abstract Module specification has the attribute
+				// inclusions wrong for bdo: bdo allows Lang
+			)
+		);
+		$bdo->attr_transform_post['required-dir'] = new HTMLPurifier_AttrTransform_BdoDir();
 
-        $this->attr_collections['I18N']['dir'] = 'Enum#ltr,rtl';
-    }
+		$this->attr_collections['I18N']['dir'] = 'Enum#ltr,rtl';
+	}
 
 }
 

classes/security/htmlpurifier/library/HTMLPurifier/HTMLModule/CommonAttributes.php

Indentation +17 added lines, -17 removed lines

@@ -2,24 +2,24 @@
 
 class HTMLPurifier_HTMLModule_CommonAttributes extends HTMLPurifier_HTMLModule
 {
-    public $name = 'CommonAttributes';
+	public $name = 'CommonAttributes';
 
-    public $attr_collections = array(
-        'Core' => array(
-            0 => array('Style'),
-            // 'xml:space' => false,
-            'class' => 'Class',
-            'id' => 'ID',
-            'title' => 'CDATA',
-        ),
-        'Lang' => array(),
-        'I18N' => array(
-            0 => array('Lang'), // proprietary, for xml:lang/lang
-        ),
-        'Common' => array(
-            0 => array('Core', 'I18N')
-        )
-    );
+	public $attr_collections = array(
+		'Core' => array(
+			0 => array('Style'),
+			// 'xml:space' => false,
+			'class' => 'Class',
+			'id' => 'ID',
+			'title' => 'CDATA',
+		),
+		'Lang' => array(),
+		'I18N' => array(
+			0 => array('Lang'), // proprietary, for xml:lang/lang
+		),
+		'Common' => array(
+			0 => array('Core', 'I18N')
+		)
+	);
 
 }