xpressengine / xe-core

classes/security/htmlpurifier/library/HTMLPurifier/URIFilter/MakeAbsolute.php

Indentation +104 added lines, -104 removed lines

@@ -4,111 +4,111 @@
 
 class HTMLPurifier_URIFilter_MakeAbsolute extends HTMLPurifier_URIFilter
 {
-    public $name = 'MakeAbsolute';
-    protected $base;
-    protected $basePathStack = array();
-    public function prepare($config) {
-        $def = $config->getDefinition('URI');
-        $this->base = $def->base;
-        if (is_null($this->base)) {
-            trigger_error('URI.MakeAbsolute is being ignored due to lack of value for URI.Base configuration', E_USER_WARNING);
-            return false;
-        }
-        $this->base->fragment = null; // fragment is invalid for base URI
-        $stack = explode('/', $this->base->path);
-        array_pop($stack); // discard last segment
-        $stack = $this->_collapseStack($stack); // do pre-parsing
-        $this->basePathStack = $stack;
-        return true;
-    }
-    public function filter(&$uri, $config, $context) {
-        if (is_null($this->base)) return true; // abort early
-        if (
-            $uri->path === '' && is_null($uri->scheme) &&
-            is_null($uri->host) && is_null($uri->query) && is_null($uri->fragment)
-        ) {
-            // reference to current document
-            $uri = clone $this->base;
-            return true;
-        }
-        if (!is_null($uri->scheme)) {
-            // absolute URI already: don't change
-            if (!is_null($uri->host)) return true;
-            $scheme_obj = $uri->getSchemeObj($config, $context);
-            if (!$scheme_obj) {
-                // scheme not recognized
-                return false;
-            }
-            if (!$scheme_obj->hierarchical) {
-                // non-hierarchal URI with explicit scheme, don't change
-                return true;
-            }
-            // special case: had a scheme but always is hierarchical and had no authority
-        }
-        if (!is_null($uri->host)) {
-            // network path, don't bother
-            return true;
-        }
-        if ($uri->path === '') {
-            $uri->path = $this->base->path;
-        } elseif ($uri->path[0] !== '/') {
-            // relative path, needs more complicated processing
-            $stack = explode('/', $uri->path);
-            $new_stack = array_merge($this->basePathStack, $stack);
-            if ($new_stack[0] !== '' && !is_null($this->base->host)) {
-                array_unshift($new_stack, '');
-            }
-            $new_stack = $this->_collapseStack($new_stack);
-            $uri->path = implode('/', $new_stack);
-        } else {
-            // absolute path, but still we should collapse
-            $uri->path = implode('/', $this->_collapseStack(explode('/', $uri->path)));
-        }
-        // re-combine
-        $uri->scheme = $this->base->scheme;
-        if (is_null($uri->userinfo)) $uri->userinfo = $this->base->userinfo;
-        if (is_null($uri->host))     $uri->host     = $this->base->host;
-        if (is_null($uri->port))     $uri->port     = $this->base->port;
-        return true;
-    }
+	public $name = 'MakeAbsolute';
+	protected $base;
+	protected $basePathStack = array();
+	public function prepare($config) {
+		$def = $config->getDefinition('URI');
+		$this->base = $def->base;
+		if (is_null($this->base)) {
+			trigger_error('URI.MakeAbsolute is being ignored due to lack of value for URI.Base configuration', E_USER_WARNING);
+			return false;
+		}
+		$this->base->fragment = null; // fragment is invalid for base URI
+		$stack = explode('/', $this->base->path);
+		array_pop($stack); // discard last segment
+		$stack = $this->_collapseStack($stack); // do pre-parsing
+		$this->basePathStack = $stack;
+		return true;
+	}
+	public function filter(&$uri, $config, $context) {
+		if (is_null($this->base)) return true; // abort early
+		if (
+			$uri->path === '' && is_null($uri->scheme) &&
+			is_null($uri->host) && is_null($uri->query) && is_null($uri->fragment)
+		) {
+			// reference to current document
+			$uri = clone $this->base;
+			return true;
+		}
+		if (!is_null($uri->scheme)) {
+			// absolute URI already: don't change
+			if (!is_null($uri->host)) return true;
+			$scheme_obj = $uri->getSchemeObj($config, $context);
+			if (!$scheme_obj) {
+				// scheme not recognized
+				return false;
+			}
+			if (!$scheme_obj->hierarchical) {
+				// non-hierarchal URI with explicit scheme, don't change
+				return true;
+			}
+			// special case: had a scheme but always is hierarchical and had no authority
+		}
+		if (!is_null($uri->host)) {
+			// network path, don't bother
+			return true;
+		}
+		if ($uri->path === '') {
+			$uri->path = $this->base->path;
+		} elseif ($uri->path[0] !== '/') {
+			// relative path, needs more complicated processing
+			$stack = explode('/', $uri->path);
+			$new_stack = array_merge($this->basePathStack, $stack);
+			if ($new_stack[0] !== '' && !is_null($this->base->host)) {
+				array_unshift($new_stack, '');
+			}
+			$new_stack = $this->_collapseStack($new_stack);
+			$uri->path = implode('/', $new_stack);
+		} else {
+			// absolute path, but still we should collapse
+			$uri->path = implode('/', $this->_collapseStack(explode('/', $uri->path)));
+		}
+		// re-combine
+		$uri->scheme = $this->base->scheme;
+		if (is_null($uri->userinfo)) $uri->userinfo = $this->base->userinfo;
+		if (is_null($uri->host))     $uri->host     = $this->base->host;
+		if (is_null($uri->port))     $uri->port     = $this->base->port;
+		return true;
+	}
 
-    /**
-     * Resolve dots and double-dots in a path stack
-     */
-    private function _collapseStack($stack) {
-        $result = array();
-        $is_folder = false;
-        for ($i = 0; isset($stack[$i]); $i++) {
-            $is_folder = false;
-            // absorb an internally duplicated slash
-            if ($stack[$i] == '' && $i && isset($stack[$i+1])) continue;
-            if ($stack[$i] == '..') {
-                if (!empty($result)) {
-                    $segment = array_pop($result);
-                    if ($segment === '' && empty($result)) {
-                        // error case: attempted to back out too far:
-                        // restore the leading slash
-                        $result[] = '';
-                    } elseif ($segment === '..') {
-                        $result[] = '..'; // cannot remove .. with ..
-                    }
-                } else {
-                    // relative path, preserve the double-dots
-                    $result[] = '..';
-                }
-                $is_folder = true;
-                continue;
-            }
-            if ($stack[$i] == '.') {
-                // silently absorb
-                $is_folder = true;
-                continue;
-            }
-            $result[] = $stack[$i];
-        }
-        if ($is_folder) $result[] = '';
-        return $result;
-    }
+	/**
+	 * Resolve dots and double-dots in a path stack
+	 */
+	private function _collapseStack($stack) {
+		$result = array();
+		$is_folder = false;
+		for ($i = 0; isset($stack[$i]); $i++) {
+			$is_folder = false;
+			// absorb an internally duplicated slash
+			if ($stack[$i] == '' && $i && isset($stack[$i+1])) continue;
+			if ($stack[$i] == '..') {
+				if (!empty($result)) {
+					$segment = array_pop($result);
+					if ($segment === '' && empty($result)) {
+						// error case: attempted to back out too far:
+						// restore the leading slash
+						$result[] = '';
+					} elseif ($segment === '..') {
+						$result[] = '..'; // cannot remove .. with ..
+					}
+				} else {
+					// relative path, preserve the double-dots
+					$result[] = '..';
+				}
+				$is_folder = true;
+				continue;
+			}
+			if ($stack[$i] == '.') {
+				// silently absorb
+				$is_folder = true;
+				continue;
+			}
+			$result[] = $stack[$i];
+		}
+		if ($is_folder) $result[] = '';
+		return $result;
+	}
 }
 
 // vim: et sw=4 sts=4

Spacing +1 added lines, -1 removed lines

@@ -81,7 +81,7 @@
         for ($i = 0; isset($stack[$i]); $i++) {
             $is_folder = false;
             // absorb an internally duplicated slash
-            if ($stack[$i] == '' && $i && isset($stack[$i+1])) continue;
+            if ($stack[$i] == '' && $i && isset($stack[$i + 1])) continue;
             if ($stack[$i] == '..') {
                 if (!empty($result)) {
                     $segment = array_pop($result);

Braces +22 added lines, -7 removed lines

@@ -22,7 +22,10 @@ 
         return true;
     }
     public function filter(&$uri, $config, $context) {
-        if (is_null($this->base)) return true; // abort early
+        if (is_null($this->base)) {
+        	return true;
+        }
+        // abort early
         if (
             $uri->path === '' && is_null($uri->scheme) &&
             is_null($uri->host) && is_null($uri->query) && is_null($uri->fragment)
@@ -33,7 +36,9 @@ 
         }
         if (!is_null($uri->scheme)) {
             // absolute URI already: don't change
-            if (!is_null($uri->host)) return true;
+            if (!is_null($uri->host)) {
+            	return true;
+            }
             $scheme_obj = $uri->getSchemeObj($config, $context);
             if (!$scheme_obj) {
                 // scheme not recognized
@@ -66,9 +71,15 @@ 
         }
         // re-combine
         $uri->scheme = $this->base->scheme;
-        if (is_null($uri->userinfo)) $uri->userinfo = $this->base->userinfo;
-        if (is_null($uri->host))     $uri->host     = $this->base->host;
-        if (is_null($uri->port))     $uri->port     = $this->base->port;
+        if (is_null($uri->userinfo)) {
+        	$uri->userinfo = $this->base->userinfo;
+        }
+        if (is_null($uri->host)) {
+        	$uri->host     = $this->base->host;
+        }
+        if (is_null($uri->port)) {
+        	$uri->port     = $this->base->port;
+        }
         return true;
     }
 
@@ -81,7 +92,9 @@ 
         for ($i = 0; isset($stack[$i]); $i++) {
             $is_folder = false;
             // absorb an internally duplicated slash
-            if ($stack[$i] == '' && $i && isset($stack[$i+1])) continue;
+            if ($stack[$i] == '' && $i && isset($stack[$i+1])) {
+            	continue;
+            }
             if ($stack[$i] == '..') {
                 if (!empty($result)) {
                     $segment = array_pop($result);
@@ -106,7 +119,9 @@ 
             }
             $result[] = $stack[$i];
         }
-        if ($is_folder) $result[] = '';
+        if ($is_folder) {
+        	$result[] = '';
+        }
         return $result;
     }
 }

classes/security/htmlpurifier/library/HTMLPurifier/URIFilter/Munge.php

Indentation +45 added lines, -45 removed lines

@@ -2,51 +2,51 @@
 
 class HTMLPurifier_URIFilter_Munge extends HTMLPurifier_URIFilter
 {
-    public $name = 'Munge';
-    public $post = true;
-    private $target, $parser, $doEmbed, $secretKey;
-
-    protected $replace = array();
-
-    public function prepare($config) {
-        $this->target    = $config->get('URI.' . $this->name);
-        $this->parser    = new HTMLPurifier_URIParser();
-        $this->doEmbed   = $config->get('URI.MungeResources');
-        $this->secretKey = $config->get('URI.MungeSecretKey');
-        return true;
-    }
-    public function filter(&$uri, $config, $context) {
-        if ($context->get('EmbeddedURI', true) && !$this->doEmbed) return true;
-
-        $scheme_obj = $uri->getSchemeObj($config, $context);
-        if (!$scheme_obj) return true; // ignore unknown schemes, maybe another postfilter did it
-        if (!$scheme_obj->browsable) return true; // ignore non-browseable schemes, since we can't munge those in a reasonable way
-        if ($uri->isBenign($config, $context)) return true; // don't redirect if a benign URL
-
-        $this->makeReplace($uri, $config, $context);
-        $this->replace = array_map('rawurlencode', $this->replace);
-
-        $new_uri = strtr($this->target, $this->replace);
-        $new_uri = $this->parser->parse($new_uri);
-        // don't redirect if the target host is the same as the
-        // starting host
-        if ($uri->host === $new_uri->host) return true;
-        $uri = $new_uri; // overwrite
-        return true;
-    }
-
-    protected function makeReplace($uri, $config, $context) {
-        $string = $uri->toString();
-        // always available
-        $this->replace['%s'] = $string;
-        $this->replace['%r'] = $context->get('EmbeddedURI', true);
-        $token = $context->get('CurrentToken', true);
-        $this->replace['%n'] = $token ? $token->name : null;
-        $this->replace['%m'] = $context->get('CurrentAttr', true);
-        $this->replace['%p'] = $context->get('CurrentCSSProperty', true);
-        // not always available
-        if ($this->secretKey) $this->replace['%t'] = sha1($this->secretKey . ':' . $string);
-    }
+	public $name = 'Munge';
+	public $post = true;
+	private $target, $parser, $doEmbed, $secretKey;
+
+	protected $replace = array();
+
+	public function prepare($config) {
+		$this->target    = $config->get('URI.' . $this->name);
+		$this->parser    = new HTMLPurifier_URIParser();
+		$this->doEmbed   = $config->get('URI.MungeResources');
+		$this->secretKey = $config->get('URI.MungeSecretKey');
+		return true;
+	}
+	public function filter(&$uri, $config, $context) {
+		if ($context->get('EmbeddedURI', true) && !$this->doEmbed) return true;
+
+		$scheme_obj = $uri->getSchemeObj($config, $context);
+		if (!$scheme_obj) return true; // ignore unknown schemes, maybe another postfilter did it
+		if (!$scheme_obj->browsable) return true; // ignore non-browseable schemes, since we can't munge those in a reasonable way
+		if ($uri->isBenign($config, $context)) return true; // don't redirect if a benign URL
+
+		$this->makeReplace($uri, $config, $context);
+		$this->replace = array_map('rawurlencode', $this->replace);
+
+		$new_uri = strtr($this->target, $this->replace);
+		$new_uri = $this->parser->parse($new_uri);
+		// don't redirect if the target host is the same as the
+		// starting host
+		if ($uri->host === $new_uri->host) return true;
+		$uri = $new_uri; // overwrite
+		return true;
+	}
+
+	protected function makeReplace($uri, $config, $context) {
+		$string = $uri->toString();
+		// always available
+		$this->replace['%s'] = $string;
+		$this->replace['%r'] = $context->get('EmbeddedURI', true);
+		$token = $context->get('CurrentToken', true);
+		$this->replace['%n'] = $token ? $token->name : null;
+		$this->replace['%m'] = $context->get('CurrentAttr', true);
+		$this->replace['%p'] = $context->get('CurrentCSSProperty', true);
+		// not always available
+		if ($this->secretKey) $this->replace['%t'] = sha1($this->secretKey . ':' . $string);
+	}
 
 }
 

Braces +21 added lines, -6 removed lines

@@ -16,12 +16,23 @@ 
         return true;
     }
     public function filter(&$uri, $config, $context) {
-        if ($context->get('EmbeddedURI', true) && !$this->doEmbed) return true;
+        if ($context->get('EmbeddedURI', true) && !$this->doEmbed) {
+        	return true;
+        }
 
         $scheme_obj = $uri->getSchemeObj($config, $context);
-        if (!$scheme_obj) return true; // ignore unknown schemes, maybe another postfilter did it
-        if (!$scheme_obj->browsable) return true; // ignore non-browseable schemes, since we can't munge those in a reasonable way
-        if ($uri->isBenign($config, $context)) return true; // don't redirect if a benign URL
+        if (!$scheme_obj) {
+        	return true;
+        }
+        // ignore unknown schemes, maybe another postfilter did it
+        if (!$scheme_obj->browsable) {
+        	return true;
+        }
+        // ignore non-browseable schemes, since we can't munge those in a reasonable way
+        if ($uri->isBenign($config, $context)) {
+        	return true;
+        }
+        // don't redirect if a benign URL
 
         $this->makeReplace($uri, $config, $context);
         $this->replace = array_map('rawurlencode', $this->replace);
@@ -30,7 +41,9 @@ 
         $new_uri = $this->parser->parse($new_uri);
         // don't redirect if the target host is the same as the
         // starting host
-        if ($uri->host === $new_uri->host) return true;
+        if ($uri->host === $new_uri->host) {
+        	return true;
+        }
         $uri = $new_uri; // overwrite
         return true;
     }
@@ -45,7 +58,9 @@ 
         $this->replace['%m'] = $context->get('CurrentAttr', true);
         $this->replace['%p'] = $context->get('CurrentCSSProperty', true);
         // not always available
-        if ($this->secretKey) $this->replace['%t'] = sha1($this->secretKey . ':' . $string);
+        if ($this->secretKey) {
+        	$this->replace['%t'] = sha1($this->secretKey . ':' . $string);
+        }
     }
 
 }

Spacing +2 added lines, -2 removed lines

@@ -9,7 +9,7 @@ 
     protected $replace = array();
 
     public function prepare($config) {
-        $this->target    = $config->get('URI.' . $this->name);
+        $this->target    = $config->get('URI.'.$this->name);
         $this->parser    = new HTMLPurifier_URIParser();
         $this->doEmbed   = $config->get('URI.MungeResources');
         $this->secretKey = $config->get('URI.MungeSecretKey');
@@ -45,7 +45,7 @@ 
         $this->replace['%m'] = $context->get('CurrentAttr', true);
         $this->replace['%p'] = $context->get('CurrentCSSProperty', true);
         // not always available
-        if ($this->secretKey) $this->replace['%t'] = sha1($this->secretKey . ':' . $string);
+        if ($this->secretKey) $this->replace['%t'] = sha1($this->secretKey.':'.$string);
     }
 
 }

classes/security/htmlpurifier/library/HTMLPurifier/URIFilter/SafeIframe.php

Indentation +22 added lines, -22 removed lines

@@ -8,28 +8,28 @@
  */
 class HTMLPurifier_URIFilter_SafeIframe extends HTMLPurifier_URIFilter
 {
-    public $name = 'SafeIframe';
-    public $always_load = true;
-    protected $regexp = NULL;
-    // XXX: The not so good bit about how this is all setup now is we
-    // can't check HTML.SafeIframe in the 'prepare' step: we have to
-    // defer till the actual filtering.
-    public function prepare($config) {
-        $this->regexp = $config->get('URI.SafeIframeRegexp');
-        return true;
-    }
-    public function filter(&$uri, $config, $context) {
-        // check if filter not applicable
-        if (!$config->get('HTML.SafeIframe')) return true;
-        // check if the filter should actually trigger
-        if (!$context->get('EmbeddedURI', true)) return true;
-        $token = $context->get('CurrentToken', true);
-        if (!($token && $token->name == 'iframe')) return true;
-        // check if we actually have some whitelists enabled
-        if ($this->regexp === null) return false;
-        // actually check the whitelists
-        return preg_match($this->regexp, $uri->toString());
-    }
+	public $name = 'SafeIframe';
+	public $always_load = true;
+	protected $regexp = NULL;
+	// XXX: The not so good bit about how this is all setup now is we
+	// can't check HTML.SafeIframe in the 'prepare' step: we have to
+	// defer till the actual filtering.
+	public function prepare($config) {
+		$this->regexp = $config->get('URI.SafeIframeRegexp');
+		return true;
+	}
+	public function filter(&$uri, $config, $context) {
+		// check if filter not applicable
+		if (!$config->get('HTML.SafeIframe')) return true;
+		// check if the filter should actually trigger
+		if (!$context->get('EmbeddedURI', true)) return true;
+		$token = $context->get('CurrentToken', true);
+		if (!($token && $token->name == 'iframe')) return true;
+		// check if we actually have some whitelists enabled
+		if ($this->regexp === null) return false;
+		// actually check the whitelists
+		return preg_match($this->regexp, $uri->toString());
+	}
 }
 
 // vim: et sw=4 sts=4

Braces +12 added lines, -4 removed lines

@@ -20,13 +20,21 @@
     }
     public function filter(&$uri, $config, $context) {
         // check if filter not applicable
-        if (!$config->get('HTML.SafeIframe')) return true;
+        if (!$config->get('HTML.SafeIframe')) {
+        	return true;
+        }
         // check if the filter should actually trigger
-        if (!$context->get('EmbeddedURI', true)) return true;
+        if (!$context->get('EmbeddedURI', true)) {
+        	return true;
+        }
         $token = $context->get('CurrentToken', true);
-        if (!($token && $token->name == 'iframe')) return true;
+        if (!($token && $token->name == 'iframe')) {
+        	return true;
+        }
         // check if we actually have some whitelists enabled
-        if ($this->regexp === null) return false;
+        if ($this->regexp === null) {
+        	return false;
+        }
         // actually check the whitelists
         return preg_match($this->regexp, $uri->toString());
     }

classes/security/htmlpurifier/library/HTMLPurifier/URIParser.php

Indentation +48 added lines, -48 removed lines

@@ -7,63 +7,63 @@
 class HTMLPurifier_URIParser
 {
 
-    /**
-     * Instance of HTMLPurifier_PercentEncoder to do normalization with.
-     */
-    protected $percentEncoder;
+	/**
+	 * Instance of HTMLPurifier_PercentEncoder to do normalization with.
+	 */
+	protected $percentEncoder;
 
-    public function __construct() {
-        $this->percentEncoder = new HTMLPurifier_PercentEncoder();
-    }
+	public function __construct() {
+		$this->percentEncoder = new HTMLPurifier_PercentEncoder();
+	}
 
-    /**
-     * Parses a URI.
-     * @param $uri string URI to parse
-     * @return HTMLPurifier_URI representation of URI. This representation has
-     *         not been validated yet and may not conform to RFC.
-     */
-    public function parse($uri) {
+	/**
+	 * Parses a URI.
+	 * @param $uri string URI to parse
+	 * @return HTMLPurifier_URI representation of URI. This representation has
+	 *         not been validated yet and may not conform to RFC.
+	 */
+	public function parse($uri) {
 
-        $uri = $this->percentEncoder->normalize($uri);
+		$uri = $this->percentEncoder->normalize($uri);
 
-        // Regexp is as per Appendix B.
-        // Note that ["<>] are an addition to the RFC's recommended
-        // characters, because they represent external delimeters.
-        $r_URI = '!'.
-            '(([^:/?#"<>]+):)?'. // 2. Scheme
-            '(//([^/?#"<>]*))?'. // 4. Authority
-            '([^?#"<>]*)'.       // 5. Path
-            '(\?([^#"<>]*))?'.   // 7. Query
-            '(#([^"<>]*))?'.     // 8. Fragment
-            '!';
+		// Regexp is as per Appendix B.
+		// Note that ["<>] are an addition to the RFC's recommended
+		// characters, because they represent external delimeters.
+		$r_URI = '!'.
+			'(([^:/?#"<>]+):)?'. // 2. Scheme
+			'(//([^/?#"<>]*))?'. // 4. Authority
+			'([^?#"<>]*)'.       // 5. Path
+			'(\?([^#"<>]*))?'.   // 7. Query
+			'(#([^"<>]*))?'.     // 8. Fragment
+			'!';
 
-        $matches = array();
-        $result = preg_match($r_URI, $uri, $matches);
+		$matches = array();
+		$result = preg_match($r_URI, $uri, $matches);
 
-        if (!$result) return false; // *really* invalid URI
+		if (!$result) return false; // *really* invalid URI
 
-        // seperate out parts
-        $scheme     = !empty($matches[1]) ? $matches[2] : null;
-        $authority  = !empty($matches[3]) ? $matches[4] : null;
-        $path       = $matches[5]; // always present, can be empty
-        $query      = !empty($matches[6]) ? $matches[7] : null;
-        $fragment   = !empty($matches[8]) ? $matches[9] : null;
+		// seperate out parts
+		$scheme     = !empty($matches[1]) ? $matches[2] : null;
+		$authority  = !empty($matches[3]) ? $matches[4] : null;
+		$path       = $matches[5]; // always present, can be empty
+		$query      = !empty($matches[6]) ? $matches[7] : null;
+		$fragment   = !empty($matches[8]) ? $matches[9] : null;
 
-        // further parse authority
-        if ($authority !== null) {
-            $r_authority = "/^((.+?)@)?(\[[^\]]+\]|[^:]*)(:(\d*))?/";
-            $matches = array();
-            preg_match($r_authority, $authority, $matches);
-            $userinfo   = !empty($matches[1]) ? $matches[2] : null;
-            $host       = !empty($matches[3]) ? $matches[3] : '';
-            $port       = !empty($matches[4]) ? (int) $matches[5] : null;
-        } else {
-            $port = $host = $userinfo = null;
-        }
+		// further parse authority
+		if ($authority !== null) {
+			$r_authority = "/^((.+?)@)?(\[[^\]]+\]|[^:]*)(:(\d*))?/";
+			$matches = array();
+			preg_match($r_authority, $authority, $matches);
+			$userinfo   = !empty($matches[1]) ? $matches[2] : null;
+			$host       = !empty($matches[3]) ? $matches[3] : '';
+			$port       = !empty($matches[4]) ? (int) $matches[5] : null;
+		} else {
+			$port = $host = $userinfo = null;
+		}
 
-        return new HTMLPurifier_URI(
-            $scheme, $userinfo, $host, $port, $path, $query, $fragment);
-    }
+		return new HTMLPurifier_URI(
+			$scheme, $userinfo, $host, $port, $path, $query, $fragment);
+	}
 
 }
 

Braces +4 added lines, -1 removed lines

@@ -40,7 +40,10 @@
         $matches = array();
         $result = preg_match($r_URI, $uri, $matches);
 
-        if (!$result) return false; // *really* invalid URI
+        if (!$result) {
+        	return false;
+        }
+        // *really* invalid URI
 
         // seperate out parts
         $scheme     = !empty($matches[1]) ? $matches[2] : null;

Spacing +5 added lines, -5 removed lines

@@ -30,11 +30,11 @@
         // Note that ["<>] are an addition to the RFC's recommended
         // characters, because they represent external delimeters.
         $r_URI = '!'.
-            '(([^:/?#"<>]+):)?'. // 2. Scheme
-            '(//([^/?#"<>]*))?'. // 4. Authority
-            '([^?#"<>]*)'.       // 5. Path
-            '(\?([^#"<>]*))?'.   // 7. Query
-            '(#([^"<>]*))?'.     // 8. Fragment
+            '(([^:/?#"<>]+):)?'.// 2. Scheme
+            '(//([^/?#"<>]*))?'.// 4. Authority
+            '([^?#"<>]*)'.// 5. Path
+            '(\?([^#"<>]*))?'.// 7. Query
+            '(#([^"<>]*))?'.// 8. Fragment
             '!';
 
         $matches = array();

classes/security/htmlpurifier/library/HTMLPurifier/URIScheme.php

Indentation +77 added lines, -77 removed lines

@@ -6,89 +6,89 @@
 abstract class HTMLPurifier_URIScheme
 {
 
-    /**
-     * Scheme's default port (integer).  If an explicit port number is
-     * specified that coincides with the default port, it will be
-     * elided.
-     */
-    public $default_port = null;
+	/**
+	 * Scheme's default port (integer).  If an explicit port number is
+	 * specified that coincides with the default port, it will be
+	 * elided.
+	 */
+	public $default_port = null;
 
-    /**
-     * Whether or not URIs of this schem are locatable by a browser
-     * http and ftp are accessible, while mailto and news are not.
-     */
-    public $browsable = false;
+	/**
+	 * Whether or not URIs of this schem are locatable by a browser
+	 * http and ftp are accessible, while mailto and news are not.
+	 */
+	public $browsable = false;
 
-    /**
-     * Whether or not data transmitted over this scheme is encrypted.
-     * https is secure, http is not.
-     */
-    public $secure = false;
+	/**
+	 * Whether or not data transmitted over this scheme is encrypted.
+	 * https is secure, http is not.
+	 */
+	public $secure = false;
 
-    /**
-     * Whether or not the URI always uses <hier_part>, resolves edge cases
-     * with making relative URIs absolute
-     */
-    public $hierarchical = false;
+	/**
+	 * Whether or not the URI always uses <hier_part>, resolves edge cases
+	 * with making relative URIs absolute
+	 */
+	public $hierarchical = false;
 
-    /**
-     * Whether or not the URI may omit a hostname when the scheme is
-     * explicitly specified, ala file:///path/to/file. As of writing,
-     * 'file' is the only scheme that browsers support his properly.
-     */
-    public $may_omit_host = false;
+	/**
+	 * Whether or not the URI may omit a hostname when the scheme is
+	 * explicitly specified, ala file:///path/to/file. As of writing,
+	 * 'file' is the only scheme that browsers support his properly.
+	 */
+	public $may_omit_host = false;
 
-    /**
-     * Validates the components of a URI for a specific scheme.
-     * @param $uri Reference to a HTMLPurifier_URI object
-     * @param $config HTMLPurifier_Config object
-     * @param $context HTMLPurifier_Context object
-     * @return Bool success or failure
-     */
-    public abstract function doValidate(&$uri, $config, $context);
+	/**
+	 * Validates the components of a URI for a specific scheme.
+	 * @param $uri Reference to a HTMLPurifier_URI object
+	 * @param $config HTMLPurifier_Config object
+	 * @param $context HTMLPurifier_Context object
+	 * @return Bool success or failure
+	 */
+	public abstract function doValidate(&$uri, $config, $context);
 
-    /**
-     * Public interface for validating components of a URI.  Performs a
-     * bunch of default actions. Don't overload this method.
-     * @param $uri Reference to a HTMLPurifier_URI object
-     * @param $config HTMLPurifier_Config object
-     * @param $context HTMLPurifier_Context object
-     * @return Bool success or failure
-     */
-    public function validate(&$uri, $config, $context) {
-        if ($this->default_port == $uri->port) $uri->port = null;
-        // kludge: browsers do funny things when the scheme but not the
-        // authority is set
-        if (!$this->may_omit_host &&
-            // if the scheme is present, a missing host is always in error
-            (!is_null($uri->scheme) && ($uri->host === '' || is_null($uri->host))) ||
-            // if the scheme is not present, a *blank* host is in error,
-            // since this translates into '///path' which most browsers
-            // interpret as being 'http://path'.
-             (is_null($uri->scheme) && $uri->host === '')
-        ) {
-            do {
-                if (is_null($uri->scheme)) {
-                    if (substr($uri->path, 0, 2) != '//') {
-                        $uri->host = null;
-                        break;
-                    }
-                    // URI is '////path', so we cannot nullify the
-                    // host to preserve semantics.  Try expanding the
-                    // hostname instead (fall through)
-                }
-                // first see if we can manually insert a hostname
-                $host = $config->get('URI.Host');
-                if (!is_null($host)) {
-                    $uri->host = $host;
-                } else {
-                    // we can't do anything sensible, reject the URL.
-                    return false;
-                }
-            } while (false);
-        }
-        return $this->doValidate($uri, $config, $context);
-    }
+	/**
+	 * Public interface for validating components of a URI.  Performs a
+	 * bunch of default actions. Don't overload this method.
+	 * @param $uri Reference to a HTMLPurifier_URI object
+	 * @param $config HTMLPurifier_Config object
+	 * @param $context HTMLPurifier_Context object
+	 * @return Bool success or failure
+	 */
+	public function validate(&$uri, $config, $context) {
+		if ($this->default_port == $uri->port) $uri->port = null;
+		// kludge: browsers do funny things when the scheme but not the
+		// authority is set
+		if (!$this->may_omit_host &&
+			// if the scheme is present, a missing host is always in error
+			(!is_null($uri->scheme) && ($uri->host === '' || is_null($uri->host))) ||
+			// if the scheme is not present, a *blank* host is in error,
+			// since this translates into '///path' which most browsers
+			// interpret as being 'http://path'.
+			 (is_null($uri->scheme) && $uri->host === '')
+		) {
+			do {
+				if (is_null($uri->scheme)) {
+					if (substr($uri->path, 0, 2) != '//') {
+						$uri->host = null;
+						break;
+					}
+					// URI is '////path', so we cannot nullify the
+					// host to preserve semantics.  Try expanding the
+					// hostname instead (fall through)
+				}
+				// first see if we can manually insert a hostname
+				$host = $config->get('URI.Host');
+				if (!is_null($host)) {
+					$uri->host = $host;
+				} else {
+					// we can't do anything sensible, reject the URL.
+					return false;
+				}
+			} while (false);
+		}
+		return $this->doValidate($uri, $config, $context);
+	}
 
 }
 

Braces +3 added lines, -1 removed lines

@@ -56,7 +56,9 @@
      * @return Bool success or failure
      */
     public function validate(&$uri, $config, $context) {
-        if ($this->default_port == $uri->port) $uri->port = null;
+        if ($this->default_port == $uri->port) {
+        	$uri->port = null;
+        }
         // kludge: browsers do funny things when the scheme but not the
         // authority is set
         if (!$this->may_omit_host &&

classes/security/htmlpurifier/library/HTMLPurifier/URIScheme/data.php

Indentation +84 added lines, -84 removed lines

@@ -5,92 +5,92 @@
  */
 class HTMLPurifier_URIScheme_data extends HTMLPurifier_URIScheme {
 
-    public $browsable = true;
-    public $allowed_types = array(
-        // you better write validation code for other types if you
-        // decide to allow them
-        'image/jpeg' => true,
-        'image/gif' => true,
-        'image/png' => true,
-        );
-    // this is actually irrelevant since we only write out the path
-    // component
-    public $may_omit_host = true;
+	public $browsable = true;
+	public $allowed_types = array(
+		// you better write validation code for other types if you
+		// decide to allow them
+		'image/jpeg' => true,
+		'image/gif' => true,
+		'image/png' => true,
+		);
+	// this is actually irrelevant since we only write out the path
+	// component
+	public $may_omit_host = true;
 
-    public function doValidate(&$uri, $config, $context) {
-        $result = explode(',', $uri->path, 2);
-        $is_base64 = false;
-        $charset = null;
-        $content_type = null;
-        if (count($result) == 2) {
-            list($metadata, $data) = $result;
-            // do some legwork on the metadata
-            $metas = explode(';', $metadata);
-            while(!empty($metas)) {
-                $cur = array_shift($metas);
-                if ($cur == 'base64') {
-                    $is_base64 = true;
-                    break;
-                }
-                if (substr($cur, 0, 8) == 'charset=') {
-                    // doesn't match if there are arbitrary spaces, but
-                    // whatever dude
-                    if ($charset !== null) continue; // garbage
-                    $charset = substr($cur, 8); // not used
-                } else {
-                    if ($content_type !== null) continue; // garbage
-                    $content_type = $cur;
-                }
-            }
-        } else {
-            $data = $result[0];
-        }
-        if ($content_type !== null && empty($this->allowed_types[$content_type])) {
-            return false;
-        }
-        if ($charset !== null) {
-            // error; we don't allow plaintext stuff
-            $charset = null;
-        }
-        $data = rawurldecode($data);
-        if ($is_base64) {
-            $raw_data = base64_decode($data);
-        } else {
-            $raw_data = $data;
-        }
-        // XXX probably want to refactor this into a general mechanism
-        // for filtering arbitrary content types
-        $file = tempnam("/tmp", "");
-        file_put_contents($file, $raw_data, LOCK_EX);
-        if (function_exists('exif_imagetype')) {
-            $image_code = exif_imagetype($file);
-        } elseif (function_exists('getimagesize')) {
-            set_error_handler(array($this, 'muteErrorHandler'));
-            $info = getimagesize($file);
-            restore_error_handler();
-            if ($info == false) return false;
-            $image_code = $info[2];
-        } else {
-            trigger_error("could not find exif_imagetype or getimagesize functions", E_USER_ERROR);
-        }
-        $real_content_type = image_type_to_mime_type($image_code);
-        if ($real_content_type != $content_type) {
-            // we're nice guys; if the content type is something else we
-            // support, change it over
-            if (empty($this->allowed_types[$real_content_type])) return false;
-            $content_type = $real_content_type;
-        }
-        // ok, it's kosher, rewrite what we need
-        $uri->userinfo = null;
-        $uri->host = null;
-        $uri->port = null;
-        $uri->fragment = null;
-        $uri->query = null;
-        $uri->path = "$content_type;base64," . base64_encode($raw_data);
-        return true;
-    }
+	public function doValidate(&$uri, $config, $context) {
+		$result = explode(',', $uri->path, 2);
+		$is_base64 = false;
+		$charset = null;
+		$content_type = null;
+		if (count($result) == 2) {
+			list($metadata, $data) = $result;
+			// do some legwork on the metadata
+			$metas = explode(';', $metadata);
+			while(!empty($metas)) {
+				$cur = array_shift($metas);
+				if ($cur == 'base64') {
+					$is_base64 = true;
+					break;
+				}
+				if (substr($cur, 0, 8) == 'charset=') {
+					// doesn't match if there are arbitrary spaces, but
+					// whatever dude
+					if ($charset !== null) continue; // garbage
+					$charset = substr($cur, 8); // not used
+				} else {
+					if ($content_type !== null) continue; // garbage
+					$content_type = $cur;
+				}
+			}
+		} else {
+			$data = $result[0];
+		}
+		if ($content_type !== null && empty($this->allowed_types[$content_type])) {
+			return false;
+		}
+		if ($charset !== null) {
+			// error; we don't allow plaintext stuff
+			$charset = null;
+		}
+		$data = rawurldecode($data);
+		if ($is_base64) {
+			$raw_data = base64_decode($data);
+		} else {
+			$raw_data = $data;
+		}
+		// XXX probably want to refactor this into a general mechanism
+		// for filtering arbitrary content types
+		$file = tempnam("/tmp", "");
+		file_put_contents($file, $raw_data, LOCK_EX);
+		if (function_exists('exif_imagetype')) {
+			$image_code = exif_imagetype($file);
+		} elseif (function_exists('getimagesize')) {
+			set_error_handler(array($this, 'muteErrorHandler'));
+			$info = getimagesize($file);
+			restore_error_handler();
+			if ($info == false) return false;
+			$image_code = $info[2];
+		} else {
+			trigger_error("could not find exif_imagetype or getimagesize functions", E_USER_ERROR);
+		}
+		$real_content_type = image_type_to_mime_type($image_code);
+		if ($real_content_type != $content_type) {
+			// we're nice guys; if the content type is something else we
+			// support, change it over
+			if (empty($this->allowed_types[$real_content_type])) return false;
+			$content_type = $real_content_type;
+		}
+		// ok, it's kosher, rewrite what we need
+		$uri->userinfo = null;
+		$uri->host = null;
+		$uri->port = null;
+		$uri->fragment = null;
+		$uri->query = null;
+		$uri->path = "$content_type;base64," . base64_encode($raw_data);
+		return true;
+	}
 
-    public function muteErrorHandler($errno, $errstr) {}
+	public function muteErrorHandler($errno, $errstr) {}
 
 }
 

Braces +14 added lines, -4 removed lines

@@ -35,10 +35,16 @@ 
                 if (substr($cur, 0, 8) == 'charset=') {
                     // doesn't match if there are arbitrary spaces, but
                     // whatever dude
-                    if ($charset !== null) continue; // garbage
+                    if ($charset !== null) {
+                    	continue;
+                    }
+                    // garbage
                     $charset = substr($cur, 8); // not used
                 } else {
-                    if ($content_type !== null) continue; // garbage
+                    if ($content_type !== null) {
+                    	continue;
+                    }
+                    // garbage
                     $content_type = $cur;
                 }
             }
@@ -68,7 +74,9 @@ 
             set_error_handler(array($this, 'muteErrorHandler'));
             $info = getimagesize($file);
             restore_error_handler();
-            if ($info == false) return false;
+            if ($info == false) {
+            	return false;
+            }
             $image_code = $info[2];
         } else {
             trigger_error("could not find exif_imagetype or getimagesize functions", E_USER_ERROR);
@@ -77,7 +85,9 @@ 
         if ($real_content_type != $content_type) {
             // we're nice guys; if the content type is something else we
             // support, change it over
-            if (empty($this->allowed_types[$real_content_type])) return false;
+            if (empty($this->allowed_types[$real_content_type])) {
+            	return false;
+            }
             $content_type = $real_content_type;
         }
         // ok, it's kosher, rewrite what we need

Spacing +2 added lines, -2 removed lines

@@ -26,7 +26,7 @@ 
             list($metadata, $data) = $result;
             // do some legwork on the metadata
             $metas = explode(';', $metadata);
-            while(!empty($metas)) {
+            while (!empty($metas)) {
                 $cur = array_shift($metas);
                 if ($cur == 'base64') {
                     $is_base64 = true;
@@ -86,7 +86,7 @@ 
         $uri->port = null;
         $uri->fragment = null;
         $uri->query = null;
-        $uri->path = "$content_type;base64," . base64_encode($raw_data);
+        $uri->path = "$content_type;base64,".base64_encode($raw_data);
         return true;
     }
 

classes/security/htmlpurifier/library/HTMLPurifier/URIScheme/file.php

Indentation +19 added lines, -19 removed lines

@@ -5,27 +5,27 @@
  */
 class HTMLPurifier_URIScheme_file extends HTMLPurifier_URIScheme {
 
-    // Generally file:// URLs are not accessible from most
-    // machines, so placing them as an img src is incorrect.
-    public $browsable = false;
+	// Generally file:// URLs are not accessible from most
+	// machines, so placing them as an img src is incorrect.
+	public $browsable = false;
 
-    // Basically the *only* URI scheme for which this is true, since
-    // accessing files on the local machine is very common.  In fact,
-    // browsers on some operating systems don't understand the
-    // authority, though I hear it is used on Windows to refer to
-    // network shares.
-    public $may_omit_host = true;
+	// Basically the *only* URI scheme for which this is true, since
+	// accessing files on the local machine is very common.  In fact,
+	// browsers on some operating systems don't understand the
+	// authority, though I hear it is used on Windows to refer to
+	// network shares.
+	public $may_omit_host = true;
 
-    public function doValidate(&$uri, $config, $context) {
-        // Authentication method is not supported
-        $uri->userinfo = null;
-        // file:// makes no provisions for accessing the resource
-        $uri->port     = null;
-        // While it seems to work on Firefox, the querystring has
-        // no possible effect and is thus stripped.
-        $uri->query    = null;
-        return true;
-    }
+	public function doValidate(&$uri, $config, $context) {
+		// Authentication method is not supported
+		$uri->userinfo = null;
+		// file:// makes no provisions for accessing the resource
+		$uri->port     = null;
+		// While it seems to work on Firefox, the querystring has
+		// no possible effect and is thus stripped.
+		$uri->query    = null;
+		return true;
+	}
 
 }
 

classes/security/htmlpurifier/library/HTMLPurifier/URIScheme/ftp.php

Indentation +28 added lines, -28 removed lines

@@ -5,37 +5,37 @@
  */
 class HTMLPurifier_URIScheme_ftp extends HTMLPurifier_URIScheme {
 
-    public $default_port = 21;
-    public $browsable = true; // usually
-    public $hierarchical = true;
+	public $default_port = 21;
+	public $browsable = true; // usually
+	public $hierarchical = true;
 
-    public function doValidate(&$uri, $config, $context) {
-        $uri->query    = null;
+	public function doValidate(&$uri, $config, $context) {
+		$uri->query    = null;
 
-        // typecode check
-        $semicolon_pos = strrpos($uri->path, ';'); // reverse
-        if ($semicolon_pos !== false) {
-            $type = substr($uri->path, $semicolon_pos + 1); // no semicolon
-            $uri->path = substr($uri->path, 0, $semicolon_pos);
-            $type_ret = '';
-            if (strpos($type, '=') !== false) {
-                // figure out whether or not the declaration is correct
-                list($key, $typecode) = explode('=', $type, 2);
-                if ($key !== 'type') {
-                    // invalid key, tack it back on encoded
-                    $uri->path .= '%3B' . $type;
-                } elseif ($typecode === 'a' || $typecode === 'i' || $typecode === 'd') {
-                    $type_ret = ";type=$typecode";
-                }
-            } else {
-                $uri->path .= '%3B' . $type;
-            }
-            $uri->path = str_replace(';', '%3B', $uri->path);
-            $uri->path .= $type_ret;
-        }
+		// typecode check
+		$semicolon_pos = strrpos($uri->path, ';'); // reverse
+		if ($semicolon_pos !== false) {
+			$type = substr($uri->path, $semicolon_pos + 1); // no semicolon
+			$uri->path = substr($uri->path, 0, $semicolon_pos);
+			$type_ret = '';
+			if (strpos($type, '=') !== false) {
+				// figure out whether or not the declaration is correct
+				list($key, $typecode) = explode('=', $type, 2);
+				if ($key !== 'type') {
+					// invalid key, tack it back on encoded
+					$uri->path .= '%3B' . $type;
+				} elseif ($typecode === 'a' || $typecode === 'i' || $typecode === 'd') {
+					$type_ret = ";type=$typecode";
+				}
+			} else {
+				$uri->path .= '%3B' . $type;
+			}
+			$uri->path = str_replace(';', '%3B', $uri->path);
+			$uri->path .= $type_ret;
+		}
 
-        return true;
-    }
+		return true;
+	}
 
 }
 

Spacing +2 added lines, -2 removed lines

@@ -23,12 +23,12 @@
                 list($key, $typecode) = explode('=', $type, 2);
                 if ($key !== 'type') {
                     // invalid key, tack it back on encoded
-                    $uri->path .= '%3B' . $type;
+                    $uri->path .= '%3B'.$type;
                 } elseif ($typecode === 'a' || $typecode === 'i' || $typecode === 'd') {
                     $type_ret = ";type=$typecode";
                 }
             } else {
-                $uri->path .= '%3B' . $type;
+                $uri->path .= '%3B'.$type;
             }
             $uri->path = str_replace(';', '%3B', $uri->path);
             $uri->path .= $type_ret;

classes/security/htmlpurifier/library/HTMLPurifier/URIScheme/http.php

Indentation +7 added lines, -7 removed lines

@@ -5,14 +5,14 @@
  */
 class HTMLPurifier_URIScheme_http extends HTMLPurifier_URIScheme {
 
-    public $default_port = 80;
-    public $browsable = true;
-    public $hierarchical = true;
+	public $default_port = 80;
+	public $browsable = true;
+	public $hierarchical = true;
 
-    public function doValidate(&$uri, $config, $context) {
-        $uri->userinfo = null;
-        return true;
-    }
+	public function doValidate(&$uri, $config, $context) {
+		$uri->userinfo = null;
+		return true;
+	}
 
 }