xpressengine / xe-core

classes/security/htmlpurifier/library/HTMLPurifier/Injector/RemoveSpansWithoutAttributes.php

Indentation +50 added lines, -50 removed lines

@@ -5,56 +5,56 @@
  */
 class HTMLPurifier_Injector_RemoveSpansWithoutAttributes extends HTMLPurifier_Injector
 {
-    public $name = 'RemoveSpansWithoutAttributes';
-    public $needed = array('span');
-
-    private $attrValidator;
-
-    /**
-     * Used by AttrValidator
-     */
-    private $config;
-    private $context;
-
-    public function prepare($config, $context) {
-        $this->attrValidator = new HTMLPurifier_AttrValidator();
-        $this->config = $config;
-        $this->context = $context;
-        return parent::prepare($config, $context);
-    }
-
-    public function handleElement(&$token) {
-        if ($token->name !== 'span' || !$token instanceof HTMLPurifier_Token_Start) {
-            return;
-        }
-
-        // We need to validate the attributes now since this doesn't normally
-        // happen until after MakeWellFormed. If all the attributes are removed
-        // the span needs to be removed too.
-        $this->attrValidator->validateToken($token, $this->config, $this->context);
-        $token->armor['ValidateAttributes'] = true;
-
-        if (!empty($token->attr)) {
-            return;
-        }
-
-        $nesting = 0;
-        $spanContentTokens = array();
-        while ($this->forwardUntilEndToken($i, $current, $nesting)) {}
-
-        if ($current instanceof HTMLPurifier_Token_End && $current->name === 'span') {
-            // Mark closing span tag for deletion
-            $current->markForDeletion = true;
-            // Delete open span tag
-            $token = false;
-        }
-    }
-
-    public function handleEnd(&$token) {
-        if ($token->markForDeletion) {
-            $token = false;
-        }
-    }
+	public $name = 'RemoveSpansWithoutAttributes';
+	public $needed = array('span');
+
+	private $attrValidator;
+
+	/**
+	 * Used by AttrValidator
+	 */
+	private $config;
+	private $context;
+
+	public function prepare($config, $context) {
+		$this->attrValidator = new HTMLPurifier_AttrValidator();
+		$this->config = $config;
+		$this->context = $context;
+		return parent::prepare($config, $context);
+	}
+
+	public function handleElement(&$token) {
+		if ($token->name !== 'span' || !$token instanceof HTMLPurifier_Token_Start) {
+			return;
+		}
+
+		// We need to validate the attributes now since this doesn't normally
+		// happen until after MakeWellFormed. If all the attributes are removed
+		// the span needs to be removed too.
+		$this->attrValidator->validateToken($token, $this->config, $this->context);
+		$token->armor['ValidateAttributes'] = true;
+
+		if (!empty($token->attr)) {
+			return;
+		}
+
+		$nesting = 0;
+		$spanContentTokens = array();
+		while ($this->forwardUntilEndToken($i, $current, $nesting)) {}
+
+		if ($current instanceof HTMLPurifier_Token_End && $current->name === 'span') {
+			// Mark closing span tag for deletion
+			$current->markForDeletion = true;
+			// Delete open span tag
+			$token = false;
+		}
+	}
+
+	public function handleEnd(&$token) {
+		if ($token->markForDeletion) {
+			$token = false;
+		}
+	}
 }
 
 // vim: et sw=4 sts=4

classes/security/htmlpurifier/library/HTMLPurifier/Injector/SafeObject.php

Indentation +74 added lines, -74 removed lines

@@ -6,85 +6,85 @@
  */
 class HTMLPurifier_Injector_SafeObject extends HTMLPurifier_Injector
 {
-    public $name = 'SafeObject';
-    public $needed = array('object', 'param');
+	public $name = 'SafeObject';
+	public $needed = array('object', 'param');
 
-    protected $objectStack = array();
-    protected $paramStack  = array();
+	protected $objectStack = array();
+	protected $paramStack  = array();
 
-    // Keep this synchronized with AttrTransform/SafeParam.php
-    protected $addParam = array(
-        'allowScriptAccess' => 'never',
-        'allowNetworking' => 'internal',
-    );
-    protected $allowedParam = array(
-        'wmode' => true,
-        'movie' => true,
-        'flashvars' => true,
-        'src' => true,
-        'allowFullScreen' => true, // if omitted, assume to be 'false'
-    );
+	// Keep this synchronized with AttrTransform/SafeParam.php
+	protected $addParam = array(
+		'allowScriptAccess' => 'never',
+		'allowNetworking' => 'internal',
+	);
+	protected $allowedParam = array(
+		'wmode' => true,
+		'movie' => true,
+		'flashvars' => true,
+		'src' => true,
+		'allowFullScreen' => true, // if omitted, assume to be 'false'
+	);
 
-    public function prepare($config, $context) {
-        parent::prepare($config, $context);
-    }
+	public function prepare($config, $context) {
+		parent::prepare($config, $context);
+	}
 
-    public function handleElement(&$token) {
-        if ($token->name == 'object') {
-            $this->objectStack[] = $token;
-            $this->paramStack[] = array();
-            $new = array($token);
-            foreach ($this->addParam as $name => $value) {
-                $new[] = new HTMLPurifier_Token_Empty('param', array('name' => $name, 'value' => $value));
-            }
-            $token = $new;
-        } elseif ($token->name == 'param') {
-            $nest = count($this->currentNesting) - 1;
-            if ($nest >= 0 && $this->currentNesting[$nest]->name === 'object') {
-                $i = count($this->objectStack) - 1;
-                if (!isset($token->attr['name'])) {
-                    $token = false;
-                    return;
-                }
-                $n = $token->attr['name'];
-                // We need this fix because YouTube doesn't supply a data
-                // attribute, which we need if a type is specified. This is
-                // *very* Flash specific.
-                if (!isset($this->objectStack[$i]->attr['data']) &&
-                    ($token->attr['name'] == 'movie' || $token->attr['name'] == 'src')) {
-                    $this->objectStack[$i]->attr['data'] = $token->attr['value'];
-                }
-                // Check if the parameter is the correct value but has not
-                // already been added
-                if (
-                    !isset($this->paramStack[$i][$n]) &&
-                    isset($this->addParam[$n]) &&
-                    $token->attr['name'] === $this->addParam[$n]
-                ) {
-                    // keep token, and add to param stack
-                    $this->paramStack[$i][$n] = true;
-                } elseif (isset($this->allowedParam[$n])) {
-                    // keep token, don't do anything to it
-                    // (could possibly check for duplicates here)
-                } else {
-                    $token = false;
-                }
-            } else {
-                // not directly inside an object, DENY!
-                $token = false;
-            }
-        }
-    }
+	public function handleElement(&$token) {
+		if ($token->name == 'object') {
+			$this->objectStack[] = $token;
+			$this->paramStack[] = array();
+			$new = array($token);
+			foreach ($this->addParam as $name => $value) {
+				$new[] = new HTMLPurifier_Token_Empty('param', array('name' => $name, 'value' => $value));
+			}
+			$token = $new;
+		} elseif ($token->name == 'param') {
+			$nest = count($this->currentNesting) - 1;
+			if ($nest >= 0 && $this->currentNesting[$nest]->name === 'object') {
+				$i = count($this->objectStack) - 1;
+				if (!isset($token->attr['name'])) {
+					$token = false;
+					return;
+				}
+				$n = $token->attr['name'];
+				// We need this fix because YouTube doesn't supply a data
+				// attribute, which we need if a type is specified. This is
+				// *very* Flash specific.
+				if (!isset($this->objectStack[$i]->attr['data']) &&
+					($token->attr['name'] == 'movie' || $token->attr['name'] == 'src')) {
+					$this->objectStack[$i]->attr['data'] = $token->attr['value'];
+				}
+				// Check if the parameter is the correct value but has not
+				// already been added
+				if (
+					!isset($this->paramStack[$i][$n]) &&
+					isset($this->addParam[$n]) &&
+					$token->attr['name'] === $this->addParam[$n]
+				) {
+					// keep token, and add to param stack
+					$this->paramStack[$i][$n] = true;
+				} elseif (isset($this->allowedParam[$n])) {
+					// keep token, don't do anything to it
+					// (could possibly check for duplicates here)
+				} else {
+					$token = false;
+				}
+			} else {
+				// not directly inside an object, DENY!
+				$token = false;
+			}
+		}
+	}
 
-    public function handleEnd(&$token) {
-        // This is the WRONG way of handling the object and param stacks;
-        // we should be inserting them directly on the relevant object tokens
-        // so that the global stack handling handles it.
-        if ($token->name == 'object') {
-            array_pop($this->objectStack);
-            array_pop($this->paramStack);
-        }
-    }
+	public function handleEnd(&$token) {
+		// This is the WRONG way of handling the object and param stacks;
+		// we should be inserting them directly on the relevant object tokens
+		// so that the global stack handling handles it.
+		if ($token->name == 'object') {
+			array_pop($this->objectStack);
+			array_pop($this->paramStack);
+		}
+	}
 
 }
 

classes/security/htmlpurifier/library/HTMLPurifier/Language/messages/en-x-test.php

Indentation +1 added lines, -1 removed lines

@@ -5,7 +5,7 @@
 $fallback = 'en';
 
 $messages = array(
-    'HTMLPurifier' => 'HTML Purifier X'
+	'HTMLPurifier' => 'HTML Purifier X'
 );
 
 // vim: et sw=4 sts=4

classes/security/htmlpurifier/library/HTMLPurifier/Language/messages/en-x-testmini.php

Indentation +1 added lines, -1 removed lines

@@ -6,7 +6,7 @@
 $fallback = 'en';
 
 $messages = array(
-    'HTMLPurifier' => 'HTML Purifier XNone'
+	'HTMLPurifier' => 'HTML Purifier XNone'
 );
 
 // vim: et sw=4 sts=4

classes/security/htmlpurifier/library/HTMLPurifier/Language/messages/en.php

Indentation +3 added lines, -3 removed lines

@@ -55,9 +55,9 @@
 );
 
 $errorNames = array(
-    E_ERROR   => 'Error',
-    E_WARNING => 'Warning',
-    E_NOTICE  => 'Notice'
+	E_ERROR   => 'Error',
+	E_WARNING => 'Warning',
+	E_NOTICE  => 'Notice'
 );
 
 // vim: et sw=4 sts=4

classes/security/htmlpurifier/library/HTMLPurifier/LanguageFactory.php

Indentation +182 added lines, -182 removed lines

@@ -10,188 +10,188 @@
 class HTMLPurifier_LanguageFactory
 {
 
-    /**
-     * Cache of language code information used to load HTMLPurifier_Language objects
-     * Structure is: $factory->cache[$language_code][$key] = $value
-     * @value array map
-     */
-    public $cache;
-
-    /**
-     * Valid keys in the HTMLPurifier_Language object. Designates which
-     * variables to slurp out of a message file.
-     * @value array list
-     */
-    public $keys = array('fallback', 'messages', 'errorNames');
-
-    /**
-     * Instance of HTMLPurifier_AttrDef_Lang to validate language codes
-     * @value object HTMLPurifier_AttrDef_Lang
-     */
-    protected $validator;
-
-    /**
-     * Cached copy of dirname(__FILE__), directory of current file without
-     * trailing slash
-     * @value string filename
-     */
-    protected $dir;
-
-    /**
-     * Keys whose contents are a hash map and can be merged
-     * @value array lookup
-     */
-    protected $mergeable_keys_map = array('messages' => true, 'errorNames' => true);
-
-    /**
-     * Keys whose contents are a list and can be merged
-     * @value array lookup
-     */
-    protected $mergeable_keys_list = array();
-
-    /**
-     * Retrieve sole instance of the factory.
-     * @param $prototype Optional prototype to overload sole instance with,
-     *                   or bool true to reset to default factory.
-     */
-    public static function instance($prototype = null) {
-        static $instance = null;
-        if ($prototype !== null) {
-            $instance = $prototype;
-        } elseif ($instance === null || $prototype == true) {
-            $instance = new HTMLPurifier_LanguageFactory();
-            $instance->setup();
-        }
-        return $instance;
-    }
-
-    /**
-     * Sets up the singleton, much like a constructor
-     * @note Prevents people from getting this outside of the singleton
-     */
-    public function setup() {
-        $this->validator = new HTMLPurifier_AttrDef_Lang();
-        $this->dir = HTMLPURIFIER_PREFIX . '/HTMLPurifier';
-    }
-
-    /**
-     * Creates a language object, handles class fallbacks
-     * @param $config Instance of HTMLPurifier_Config
-     * @param $context Instance of HTMLPurifier_Context
-     * @param $code Code to override configuration with. Private parameter.
-     */
-    public function create($config, $context, $code = false) {
-
-        // validate language code
-        if ($code === false) {
-            $code = $this->validator->validate(
-              $config->get('Core.Language'), $config, $context
-            );
-        } else {
-            $code = $this->validator->validate($code, $config, $context);
-        }
-        if ($code === false) $code = 'en'; // malformed code becomes English
-
-        $pcode = str_replace('-', '_', $code); // make valid PHP classname
-        static $depth = 0; // recursion protection
-
-        if ($code == 'en') {
-            $lang = new HTMLPurifier_Language($config, $context);
-        } else {
-            $class = 'HTMLPurifier_Language_' . $pcode;
-            $file  = $this->dir . '/Language/classes/' . $code . '.php';
-            if (file_exists($file) || class_exists($class, false)) {
-                $lang = new $class($config, $context);
-            } else {
-                // Go fallback
-                $raw_fallback = $this->getFallbackFor($code);
-                $fallback = $raw_fallback ? $raw_fallback : 'en';
-                $depth++;
-                $lang = $this->create($config, $context, $fallback);
-                if (!$raw_fallback) {
-                    $lang->error = true;
-                }
-                $depth--;
-            }
-        }
-
-        $lang->code = $code;
-
-        return $lang;
-
-    }
-
-    /**
-     * Returns the fallback language for language
-     * @note Loads the original language into cache
-     * @param $code string language code
-     */
-    public function getFallbackFor($code) {
-        $this->loadLanguage($code);
-        return $this->cache[$code]['fallback'];
-    }
-
-    /**
-     * Loads language into the cache, handles message file and fallbacks
-     * @param $code string language code
-     */
-    public function loadLanguage($code) {
-        static $languages_seen = array(); // recursion guard
-
-        // abort if we've already loaded it
-        if (isset($this->cache[$code])) return;
-
-        // generate filename
-        $filename = $this->dir . '/Language/messages/' . $code . '.php';
-
-        // default fallback : may be overwritten by the ensuing include
-        $fallback = ($code != 'en') ? 'en' : false;
-
-        // load primary localisation
-        if (!file_exists($filename)) {
-            // skip the include: will rely solely on fallback
-            $filename = $this->dir . '/Language/messages/en.php';
-            $cache = array();
-        } else {
-            include $filename;
-            $cache = compact($this->keys);
-        }
-
-        // load fallback localisation
-        if (!empty($fallback)) {
-
-            // infinite recursion guard
-            if (isset($languages_seen[$code])) {
-                trigger_error('Circular fallback reference in language ' .
-                    $code, E_USER_ERROR);
-                $fallback = 'en';
-            }
-            $language_seen[$code] = true;
-
-            // load the fallback recursively
-            $this->loadLanguage($fallback);
-            $fallback_cache = $this->cache[$fallback];
-
-            // merge fallback with current language
-            foreach ( $this->keys as $key ) {
-                if (isset($cache[$key]) && isset($fallback_cache[$key])) {
-                    if (isset($this->mergeable_keys_map[$key])) {
-                        $cache[$key] = $cache[$key] + $fallback_cache[$key];
-                    } elseif (isset($this->mergeable_keys_list[$key])) {
-                        $cache[$key] = array_merge( $fallback_cache[$key], $cache[$key] );
-                    }
-                } else {
-                    $cache[$key] = $fallback_cache[$key];
-                }
-            }
-
-        }
-
-        // save to cache for later retrieval
-        $this->cache[$code] = $cache;
-
-        return;
-    }
+	/**
+	 * Cache of language code information used to load HTMLPurifier_Language objects
+	 * Structure is: $factory->cache[$language_code][$key] = $value
+	 * @value array map
+	 */
+	public $cache;
+
+	/**
+	 * Valid keys in the HTMLPurifier_Language object. Designates which
+	 * variables to slurp out of a message file.
+	 * @value array list
+	 */
+	public $keys = array('fallback', 'messages', 'errorNames');
+
+	/**
+	 * Instance of HTMLPurifier_AttrDef_Lang to validate language codes
+	 * @value object HTMLPurifier_AttrDef_Lang
+	 */
+	protected $validator;
+
+	/**
+	 * Cached copy of dirname(__FILE__), directory of current file without
+	 * trailing slash
+	 * @value string filename
+	 */
+	protected $dir;
+
+	/**
+	 * Keys whose contents are a hash map and can be merged
+	 * @value array lookup
+	 */
+	protected $mergeable_keys_map = array('messages' => true, 'errorNames' => true);
+
+	/**
+	 * Keys whose contents are a list and can be merged
+	 * @value array lookup
+	 */
+	protected $mergeable_keys_list = array();
+
+	/**
+	 * Retrieve sole instance of the factory.
+	 * @param $prototype Optional prototype to overload sole instance with,
+	 *                   or bool true to reset to default factory.
+	 */
+	public static function instance($prototype = null) {
+		static $instance = null;
+		if ($prototype !== null) {
+			$instance = $prototype;
+		} elseif ($instance === null || $prototype == true) {
+			$instance = new HTMLPurifier_LanguageFactory();
+			$instance->setup();
+		}
+		return $instance;
+	}
+
+	/**
+	 * Sets up the singleton, much like a constructor
+	 * @note Prevents people from getting this outside of the singleton
+	 */
+	public function setup() {
+		$this->validator = new HTMLPurifier_AttrDef_Lang();
+		$this->dir = HTMLPURIFIER_PREFIX . '/HTMLPurifier';
+	}
+
+	/**
+	 * Creates a language object, handles class fallbacks
+	 * @param $config Instance of HTMLPurifier_Config
+	 * @param $context Instance of HTMLPurifier_Context
+	 * @param $code Code to override configuration with. Private parameter.
+	 */
+	public function create($config, $context, $code = false) {
+
+		// validate language code
+		if ($code === false) {
+			$code = $this->validator->validate(
+			  $config->get('Core.Language'), $config, $context
+			);
+		} else {
+			$code = $this->validator->validate($code, $config, $context);
+		}
+		if ($code === false) $code = 'en'; // malformed code becomes English
+
+		$pcode = str_replace('-', '_', $code); // make valid PHP classname
+		static $depth = 0; // recursion protection
+
+		if ($code == 'en') {
+			$lang = new HTMLPurifier_Language($config, $context);
+		} else {
+			$class = 'HTMLPurifier_Language_' . $pcode;
+			$file  = $this->dir . '/Language/classes/' . $code . '.php';
+			if (file_exists($file) || class_exists($class, false)) {
+				$lang = new $class($config, $context);
+			} else {
+				// Go fallback
+				$raw_fallback = $this->getFallbackFor($code);
+				$fallback = $raw_fallback ? $raw_fallback : 'en';
+				$depth++;
+				$lang = $this->create($config, $context, $fallback);
+				if (!$raw_fallback) {
+					$lang->error = true;
+				}
+				$depth--;
+			}
+		}
+
+		$lang->code = $code;
+
+		return $lang;
+
+	}
+
+	/**
+	 * Returns the fallback language for language
+	 * @note Loads the original language into cache
+	 * @param $code string language code
+	 */
+	public function getFallbackFor($code) {
+		$this->loadLanguage($code);
+		return $this->cache[$code]['fallback'];
+	}
+
+	/**
+	 * Loads language into the cache, handles message file and fallbacks
+	 * @param $code string language code
+	 */
+	public function loadLanguage($code) {
+		static $languages_seen = array(); // recursion guard
+
+		// abort if we've already loaded it
+		if (isset($this->cache[$code])) return;
+
+		// generate filename
+		$filename = $this->dir . '/Language/messages/' . $code . '.php';
+
+		// default fallback : may be overwritten by the ensuing include
+		$fallback = ($code != 'en') ? 'en' : false;
+
+		// load primary localisation
+		if (!file_exists($filename)) {
+			// skip the include: will rely solely on fallback
+			$filename = $this->dir . '/Language/messages/en.php';
+			$cache = array();
+		} else {
+			include $filename;
+			$cache = compact($this->keys);
+		}
+
+		// load fallback localisation
+		if (!empty($fallback)) {
+
+			// infinite recursion guard
+			if (isset($languages_seen[$code])) {
+				trigger_error('Circular fallback reference in language ' .
+					$code, E_USER_ERROR);
+				$fallback = 'en';
+			}
+			$language_seen[$code] = true;
+
+			// load the fallback recursively
+			$this->loadLanguage($fallback);
+			$fallback_cache = $this->cache[$fallback];
+
+			// merge fallback with current language
+			foreach ( $this->keys as $key ) {
+				if (isset($cache[$key]) && isset($fallback_cache[$key])) {
+					if (isset($this->mergeable_keys_map[$key])) {
+						$cache[$key] = $cache[$key] + $fallback_cache[$key];
+					} elseif (isset($this->mergeable_keys_list[$key])) {
+						$cache[$key] = array_merge( $fallback_cache[$key], $cache[$key] );
+					}
+				} else {
+					$cache[$key] = $fallback_cache[$key];
+				}
+			}
+
+		}
+
+		// save to cache for later retrieval
+		$this->cache[$code] = $cache;
+
+		return;
+	}
 
 }
 

Braces +7 added lines, -2 removed lines

@@ -90,7 +90,10 @@ 
         } else {
             $code = $this->validator->validate($code, $config, $context);
         }
-        if ($code === false) $code = 'en'; // malformed code becomes English
+        if ($code === false) {
+        	$code = 'en';
+        }
+        // malformed code becomes English
 
         $pcode = str_replace('-', '_', $code); // make valid PHP classname
         static $depth = 0; // recursion protection
@@ -139,7 +142,9 @@ 
         static $languages_seen = array(); // recursion guard
 
         // abort if we've already loaded it
-        if (isset($this->cache[$code])) return;
+        if (isset($this->cache[$code])) {
+        	return;
+        }
 
         // generate filename
         $filename = $this->dir . '/Language/messages/' . $code . '.php';

Spacing +8 added lines, -8 removed lines

@@ -71,7 +71,7 @@ 
      */
     public function setup() {
         $this->validator = new HTMLPurifier_AttrDef_Lang();
-        $this->dir = HTMLPURIFIER_PREFIX . '/HTMLPurifier';
+        $this->dir = HTMLPURIFIER_PREFIX.'/HTMLPurifier';
     }
 
     /**
@@ -98,8 +98,8 @@ 
         if ($code == 'en') {
             $lang = new HTMLPurifier_Language($config, $context);
         } else {
-            $class = 'HTMLPurifier_Language_' . $pcode;
-            $file  = $this->dir . '/Language/classes/' . $code . '.php';
+            $class = 'HTMLPurifier_Language_'.$pcode;
+            $file  = $this->dir.'/Language/classes/'.$code.'.php';
             if (file_exists($file) || class_exists($class, false)) {
                 $lang = new $class($config, $context);
             } else {
@@ -142,7 +142,7 @@ 
         if (isset($this->cache[$code])) return;
 
         // generate filename
-        $filename = $this->dir . '/Language/messages/' . $code . '.php';
+        $filename = $this->dir.'/Language/messages/'.$code.'.php';
 
         // default fallback : may be overwritten by the ensuing include
         $fallback = ($code != 'en') ? 'en' : false;
@@ -150,7 +150,7 @@ 
         // load primary localisation
         if (!file_exists($filename)) {
             // skip the include: will rely solely on fallback
-            $filename = $this->dir . '/Language/messages/en.php';
+            $filename = $this->dir.'/Language/messages/en.php';
             $cache = array();
         } else {
             include $filename;
@@ -162,7 +162,7 @@ 
 
             // infinite recursion guard
             if (isset($languages_seen[$code])) {
-                trigger_error('Circular fallback reference in language ' .
+                trigger_error('Circular fallback reference in language '.
                     $code, E_USER_ERROR);
                 $fallback = 'en';
             }
@@ -173,12 +173,12 @@ 
             $fallback_cache = $this->cache[$fallback];
 
             // merge fallback with current language
-            foreach ( $this->keys as $key ) {
+            foreach ($this->keys as $key) {
                 if (isset($cache[$key]) && isset($fallback_cache[$key])) {
                     if (isset($this->mergeable_keys_map[$key])) {
                         $cache[$key] = $cache[$key] + $fallback_cache[$key];
                     } elseif (isset($this->mergeable_keys_list[$key])) {
-                        $cache[$key] = array_merge( $fallback_cache[$key], $cache[$key] );
+                        $cache[$key] = array_merge($fallback_cache[$key], $cache[$key]);
                     }
                 } else {
                     $cache[$key] = $fallback_cache[$key];

classes/security/htmlpurifier/library/HTMLPurifier/Length.php

Indentation +91 added lines, -91 removed lines

@@ -7,108 +7,108 @@
 class HTMLPurifier_Length
 {
 
-    /**
-     * String numeric magnitude.
-     */
-    protected $n;
+	/**
+	 * String numeric magnitude.
+	 */
+	protected $n;
 
-    /**
-     * String unit. False is permitted if $n = 0.
-     */
-    protected $unit;
+	/**
+	 * String unit. False is permitted if $n = 0.
+	 */
+	protected $unit;
 
-    /**
-     * Whether or not this length is valid. Null if not calculated yet.
-     */
-    protected $isValid;
+	/**
+	 * Whether or not this length is valid. Null if not calculated yet.
+	 */
+	protected $isValid;
 
-    /**
-     * Lookup array of units recognized by CSS 2.1
-     */
-    protected static $allowedUnits = array(
-        'em' => true, 'ex' => true, 'px' => true, 'in' => true,
-        'cm' => true, 'mm' => true, 'pt' => true, 'pc' => true
-    );
+	/**
+	 * Lookup array of units recognized by CSS 2.1
+	 */
+	protected static $allowedUnits = array(
+		'em' => true, 'ex' => true, 'px' => true, 'in' => true,
+		'cm' => true, 'mm' => true, 'pt' => true, 'pc' => true
+	);
 
-    /**
-     * @param number $n Magnitude
-     * @param string $u Unit
-     */
-    public function __construct($n = '0', $u = false) {
-        $this->n = (string) $n;
-        $this->unit = $u !== false ? (string) $u : false;
-    }
+	/**
+	 * @param number $n Magnitude
+	 * @param string $u Unit
+	 */
+	public function __construct($n = '0', $u = false) {
+		$this->n = (string) $n;
+		$this->unit = $u !== false ? (string) $u : false;
+	}
 
-    /**
-     * @param string $s Unit string, like '2em' or '3.4in'
-     * @warning Does not perform validation.
-     */
-    static public function make($s) {
-        if ($s instanceof HTMLPurifier_Length) return $s;
-        $n_length = strspn($s, '1234567890.+-');
-        $n = substr($s, 0, $n_length);
-        $unit = substr($s, $n_length);
-        if ($unit === '') $unit = false;
-        return new HTMLPurifier_Length($n, $unit);
-    }
+	/**
+	 * @param string $s Unit string, like '2em' or '3.4in'
+	 * @warning Does not perform validation.
+	 */
+	static public function make($s) {
+		if ($s instanceof HTMLPurifier_Length) return $s;
+		$n_length = strspn($s, '1234567890.+-');
+		$n = substr($s, 0, $n_length);
+		$unit = substr($s, $n_length);
+		if ($unit === '') $unit = false;
+		return new HTMLPurifier_Length($n, $unit);
+	}
 
-    /**
-     * Validates the number and unit.
-     */
-    protected function validate() {
-        // Special case:
-        if ($this->n === '+0' || $this->n === '-0') $this->n = '0';
-        if ($this->n === '0' && $this->unit === false) return true;
-        if (!ctype_lower($this->unit)) $this->unit = strtolower($this->unit);
-        if (!isset(HTMLPurifier_Length::$allowedUnits[$this->unit])) return false;
-        // Hack:
-        $def = new HTMLPurifier_AttrDef_CSS_Number();
-        $result = $def->validate($this->n, false, false);
-        if ($result === false) return false;
-        $this->n = $result;
-        return true;
-    }
+	/**
+	 * Validates the number and unit.
+	 */
+	protected function validate() {
+		// Special case:
+		if ($this->n === '+0' || $this->n === '-0') $this->n = '0';
+		if ($this->n === '0' && $this->unit === false) return true;
+		if (!ctype_lower($this->unit)) $this->unit = strtolower($this->unit);
+		if (!isset(HTMLPurifier_Length::$allowedUnits[$this->unit])) return false;
+		// Hack:
+		$def = new HTMLPurifier_AttrDef_CSS_Number();
+		$result = $def->validate($this->n, false, false);
+		if ($result === false) return false;
+		$this->n = $result;
+		return true;
+	}
 
-    /**
-     * Returns string representation of number.
-     */
-    public function toString() {
-        if (!$this->isValid()) return false;
-        return $this->n . $this->unit;
-    }
+	/**
+	 * Returns string representation of number.
+	 */
+	public function toString() {
+		if (!$this->isValid()) return false;
+		return $this->n . $this->unit;
+	}
 
-    /**
-     * Retrieves string numeric magnitude.
-     */
-    public function getN() {return $this->n;}
+	/**
+	 * Retrieves string numeric magnitude.
+	 */
+	public function getN() {return $this->n;}
 
-    /**
-     * Retrieves string unit.
-     */
-    public function getUnit() {return $this->unit;}
+	/**
+	 * Retrieves string unit.
+	 */
+	public function getUnit() {return $this->unit;}
 
-    /**
-     * Returns true if this length unit is valid.
-     */
-    public function isValid() {
-        if ($this->isValid === null) $this->isValid = $this->validate();
-        return $this->isValid;
-    }
+	/**
+	 * Returns true if this length unit is valid.
+	 */
+	public function isValid() {
+		if ($this->isValid === null) $this->isValid = $this->validate();
+		return $this->isValid;
+	}
 
-    /**
-     * Compares two lengths, and returns 1 if greater, -1 if less and 0 if equal.
-     * @warning If both values are too large or small, this calculation will
-     *          not work properly
-     */
-    public function compareTo($l) {
-        if ($l === false) return false;
-        if ($l->unit !== $this->unit) {
-            $converter = new HTMLPurifier_UnitConverter();
-            $l = $converter->convert($l, $this->unit);
-            if ($l === false) return false;
-        }
-        return $this->n - $l->n;
-    }
+	/**
+	 * Compares two lengths, and returns 1 if greater, -1 if less and 0 if equal.
+	 * @warning If both values are too large or small, this calculation will
+	 *          not work properly
+	 */
+	public function compareTo($l) {
+		if ($l === false) return false;
+		if ($l->unit !== $this->unit) {
+			$converter = new HTMLPurifier_UnitConverter();
+			$l = $converter->convert($l, $this->unit);
+			if ($l === false) return false;
+		}
+		return $this->n - $l->n;
+	}
 
 }
 

Braces +33 added lines, -11 removed lines

@@ -44,11 +44,15 @@ 
      * @warning Does not perform validation.
      */
     static public function make($s) {
-        if ($s instanceof HTMLPurifier_Length) return $s;
+        if ($s instanceof HTMLPurifier_Length) {
+        	return $s;
+        }
         $n_length = strspn($s, '1234567890.+-');
         $n = substr($s, 0, $n_length);
         $unit = substr($s, $n_length);
-        if ($unit === '') $unit = false;
+        if ($unit === '') {
+        	$unit = false;
+        }
         return new HTMLPurifier_Length($n, $unit);
     }
 
@@ -57,14 +61,24 @@ 
      */
     protected function validate() {
         // Special case:
-        if ($this->n === '+0' || $this->n === '-0') $this->n = '0';
-        if ($this->n === '0' && $this->unit === false) return true;
-        if (!ctype_lower($this->unit)) $this->unit = strtolower($this->unit);
-        if (!isset(HTMLPurifier_Length::$allowedUnits[$this->unit])) return false;
+        if ($this->n === '+0' || $this->n === '-0') {
+        	$this->n = '0';
+        }
+        if ($this->n === '0' && $this->unit === false) {
+        	return true;
+        }
+        if (!ctype_lower($this->unit)) {
+        	$this->unit = strtolower($this->unit);
+        }
+        if (!isset(HTMLPurifier_Length::$allowedUnits[$this->unit])) {
+        	return false;
+        }
         // Hack:
         $def = new HTMLPurifier_AttrDef_CSS_Number();
         $result = $def->validate($this->n, false, false);
-        if ($result === false) return false;
+        if ($result === false) {
+        	return false;
+        }
         $this->n = $result;
         return true;
     }
@@ -73,7 +87,9 @@ 
      * Returns string representation of number.
      */
     public function toString() {
-        if (!$this->isValid()) return false;
+        if (!$this->isValid()) {
+        	return false;
+        }
         return $this->n . $this->unit;
     }
 
@@ -91,7 +107,9 @@ 
      * Returns true if this length unit is valid.
      */
     public function isValid() {
-        if ($this->isValid === null) $this->isValid = $this->validate();
+        if ($this->isValid === null) {
+        	$this->isValid = $this->validate();
+        }
         return $this->isValid;
     }
 
@@ -101,11 +119,15 @@ 
      *          not work properly
      */
     public function compareTo($l) {
-        if ($l === false) return false;
+        if ($l === false) {
+        	return false;
+        }
         if ($l->unit !== $this->unit) {
             $converter = new HTMLPurifier_UnitConverter();
             $l = $converter->convert($l, $this->unit);
-            if ($l === false) return false;
+            if ($l === false) {
+            	return false;
+            }
         }
         return $this->n - $l->n;
     }

Spacing +3 added lines, -3 removed lines

@@ -74,18 +74,18 @@
      */
     public function toString() {
         if (!$this->isValid()) return false;
-        return $this->n . $this->unit;
+        return $this->n.$this->unit;
     }
 
     /**
      * Retrieves string numeric magnitude.
      */
-    public function getN() {return $this->n;}
+    public function getN() {return $this->n; }
 
     /**
      * Retrieves string unit.
      */
-    public function getUnit() {return $this->unit;}
+    public function getUnit() {return $this->unit; }
 
     /**
      * Returns true if this length unit is valid.

classes/security/htmlpurifier/library/HTMLPurifier/Lexer.php

Indentation +276 added lines, -276 removed lines

@@ -42,284 +42,284 @@
 class HTMLPurifier_Lexer
 {
 
-    /**
-     * Whether or not this lexer implements line-number/column-number tracking.
-     * If it does, set to true.
-     */
-    public $tracksLineNumbers = false;
-
-    // -- STATIC ----------------------------------------------------------
-
-    /**
-     * Retrieves or sets the default Lexer as a Prototype Factory.
-     *
-     * By default HTMLPurifier_Lexer_DOMLex will be returned. There are
-     * a few exceptions involving special features that only DirectLex
-     * implements.
-     *
-     * @note The behavior of this class has changed, rather than accepting
-     *       a prototype object, it now accepts a configuration object.
-     *       To specify your own prototype, set %Core.LexerImpl to it.
-     *       This change in behavior de-singletonizes the lexer object.
-     *
-     * @param $config Instance of HTMLPurifier_Config
-     * @return Concrete lexer.
-     */
-    public static function create($config) {
-
-        if (!($config instanceof HTMLPurifier_Config)) {
-            $lexer = $config;
-            trigger_error("Passing a prototype to
+	/**
+	 * Whether or not this lexer implements line-number/column-number tracking.
+	 * If it does, set to true.
+	 */
+	public $tracksLineNumbers = false;
+
+	// -- STATIC ----------------------------------------------------------
+
+	/**
+	 * Retrieves or sets the default Lexer as a Prototype Factory.
+	 *
+	 * By default HTMLPurifier_Lexer_DOMLex will be returned. There are
+	 * a few exceptions involving special features that only DirectLex
+	 * implements.
+	 *
+	 * @note The behavior of this class has changed, rather than accepting
+	 *       a prototype object, it now accepts a configuration object.
+	 *       To specify your own prototype, set %Core.LexerImpl to it.
+	 *       This change in behavior de-singletonizes the lexer object.
+	 *
+	 * @param $config Instance of HTMLPurifier_Config
+	 * @return Concrete lexer.
+	 */
+	public static function create($config) {
+
+		if (!($config instanceof HTMLPurifier_Config)) {
+			$lexer = $config;
+			trigger_error("Passing a prototype to
               HTMLPurifier_Lexer::create() is deprecated, please instead
               use %Core.LexerImpl", E_USER_WARNING);
-        } else {
-            $lexer = $config->get('Core.LexerImpl');
-        }
-
-        $needs_tracking =
-            $config->get('Core.MaintainLineNumbers') ||
-            $config->get('Core.CollectErrors');
-
-        $inst = null;
-        if (is_object($lexer)) {
-            $inst = $lexer;
-        } else {
-
-            if (is_null($lexer)) { do {
-                // auto-detection algorithm
-
-                if ($needs_tracking) {
-                    $lexer = 'DirectLex';
-                    break;
-                }
-
-                if (
-                    class_exists('DOMDocument') &&
-                    method_exists('DOMDocument', 'loadHTML') &&
-                    !extension_loaded('domxml')
-                ) {
-                    // check for DOM support, because while it's part of the
-                    // core, it can be disabled compile time. Also, the PECL
-                    // domxml extension overrides the default DOM, and is evil
-                    // and nasty and we shan't bother to support it
-                    $lexer = 'DOMLex';
-                } else {
-                    $lexer = 'DirectLex';
-                }
-
-            } while(0); } // do..while so we can break
-
-            // instantiate recognized string names
-            switch ($lexer) {
-                case 'DOMLex':
-                    $inst = new HTMLPurifier_Lexer_DOMLex();
-                    break;
-                case 'DirectLex':
-                    $inst = new HTMLPurifier_Lexer_DirectLex();
-                    break;
-                case 'PH5P':
-                    $inst = new HTMLPurifier_Lexer_PH5P();
-                    break;
-                default:
-                    throw new HTMLPurifier_Exception("Cannot instantiate unrecognized Lexer type " . htmlspecialchars($lexer, ENT_COMPAT | ENT_HTML401, 'UTF-8', false));
-            }
-        }
-
-        if (!$inst) throw new HTMLPurifier_Exception('No lexer was instantiated');
-
-        // once PHP DOM implements native line numbers, or we
-        // hack out something using XSLT, remove this stipulation
-        if ($needs_tracking && !$inst->tracksLineNumbers) {
-            throw new HTMLPurifier_Exception('Cannot use lexer that does not support line numbers with Core.MaintainLineNumbers or Core.CollectErrors (use DirectLex instead)');
-        }
-
-        return $inst;
-
-    }
-
-    // -- CONVENIENCE MEMBERS ---------------------------------------------
-
-    public function __construct() {
-        $this->_entity_parser = new HTMLPurifier_EntityParser();
-    }
-
-    /**
-     * Most common entity to raw value conversion table for special entities.
-     */
-    protected $_special_entity2str =
-            array(
-                    '"' => '"',
-                    '&'  => '&',
-                    '&lt;'   => '<',
-                    '&gt;'   => '>',
-                    '&#39;'  => "'",
-                    '&#039;' => "'",
-                    '&#x27;' => "'"
-            );
-
-    /**
-     * Parses special entities into the proper characters.
-     *
-     * This string will translate escaped versions of the special characters
-     * into the correct ones.
-     *
-     * @warning
-     * You should be able to treat the output of this function as
-     * completely parsed, but that's only because all other entities should
-     * have been handled previously in substituteNonSpecialEntities()
-     *
-     * @param $string String character data to be parsed.
-     * @returns Parsed character data.
-     */
-    public function parseData($string) {
-
-        // following functions require at least one character
-        if ($string === '') return '';
-
-        // subtracts amps that cannot possibly be escaped
-        $num_amp = substr_count($string, '&') - substr_count($string, '& ') -
-            ($string[strlen($string)-1] === '&' ? 1 : 0);
-
-        if (!$num_amp) return $string; // abort if no entities
-        $num_esc_amp = substr_count($string, '&amp;');
-        $string = strtr($string, $this->_special_entity2str);
-
-        // code duplication for sake of optimization, see above
-        $num_amp_2 = substr_count($string, '&') - substr_count($string, '& ') -
-            ($string[strlen($string)-1] === '&' ? 1 : 0);
-
-        if ($num_amp_2 <= $num_esc_amp) return $string;
-
-        // hmm... now we have some uncommon entities. Use the callback.
-        $string = $this->_entity_parser->substituteSpecialEntities($string);
-        return $string;
-    }
-
-    /**
-     * Lexes an HTML string into tokens.
-     *
-     * @param $string String HTML.
-     * @return HTMLPurifier_Token array representation of HTML.
-     */
-    public function tokenizeHTML($string, $config, $context) {
-        trigger_error('Call to abstract class', E_USER_ERROR);
-    }
-
-    /**
-     * Translates CDATA sections into regular sections (through escaping).
-     *
-     * @param $string HTML string to process.
-     * @returns HTML with CDATA sections escaped.
-     */
-    protected static function escapeCDATA($string) {
-        return preg_replace_callback(
-            '/<!\[CDATA\[(.+?)\]\]>/s',
-            array('HTMLPurifier_Lexer', 'CDATACallback'),
-            $string
-        );
-    }
-
-    /**
-     * Special CDATA case that is especially convoluted for <script>
-     */
-    protected static function escapeCommentedCDATA($string) {
-        return preg_replace_callback(
-            '#<!--//--><!\[CDATA\[//><!--(.+?)//--><!\]\]>#s',
-            array('HTMLPurifier_Lexer', 'CDATACallback'),
-            $string
-        );
-    }
-
-    /**
-     * Special Internet Explorer conditional comments should be removed.
-     */
-    protected static function removeIEConditional($string) {
-        return preg_replace(
-            '#<!--\[if [^>]+\]>.*?<!\[endif\]-->#si', // probably should generalize for all strings
-            '',
-            $string
-        );
-    }
-
-    /**
-     * Callback function for escapeCDATA() that does the work.
-     *
-     * @warning Though this is public in order to let the callback happen,
-     *          calling it directly is not recommended.
-     * @params $matches PCRE matches array, with index 0 the entire match
-     *                  and 1 the inside of the CDATA section.
-     * @returns Escaped internals of the CDATA section.
-     */
-    protected static function CDATACallback($matches) {
-        // not exactly sure why the character set is needed, but whatever
-        return htmlspecialchars($matches[1], ENT_COMPAT, 'UTF-8', false);
-    }
-
-    /**
-     * Takes a piece of HTML and normalizes it by converting entities, fixing
-     * encoding, extracting bits, and other good stuff.
-     * @todo Consider making protected
-     */
-    public function normalize($html, $config, $context) {
-
-        // normalize newlines to \n
-        if ($config->get('Core.NormalizeNewlines')) {
-            $html = str_replace("\r\n", "\n", $html);
-            $html = str_replace("\r", "\n", $html);
-        }
-
-        if ($config->get('HTML.Trusted')) {
-            // escape convoluted CDATA
-            $html = $this->escapeCommentedCDATA($html);
-        }
-
-        // escape CDATA
-        $html = $this->escapeCDATA($html);
-
-        $html = $this->removeIEConditional($html);
-
-        // extract body from document if applicable
-        if ($config->get('Core.ConvertDocumentToFragment')) {
-            $e = false;
-            if ($config->get('Core.CollectErrors')) {
-                $e =& $context->get('ErrorCollector');
-            }
-            $new_html = $this->extractBody($html);
-            if ($e && $new_html != $html) {
-                $e->send(E_WARNING, 'Lexer: Extracted body');
-            }
-            $html = $new_html;
-        }
-
-        // expand entities that aren't the big five
-        $html = $this->_entity_parser->substituteNonSpecialEntities($html);
-
-        // clean into wellformed UTF-8 string for an SGML context: this has
-        // to be done after entity expansion because the entities sometimes
-        // represent non-SGML characters (horror, horror!)
-        $html = HTMLPurifier_Encoder::cleanUTF8($html);
-
-        // if processing instructions are to removed, remove them now
-        if ($config->get('Core.RemoveProcessingInstructions')) {
-            $html = preg_replace('#<\?.+?\?>#s', '', $html);
-        }
-
-        return $html;
-    }
-
-    /**
-     * Takes a string of HTML (fragment or document) and returns the content
-     * @todo Consider making protected
-     */
-    public function extractBody($html) {
-        $matches = array();
-        $result = preg_match('!<body[^>]*>(.*)</body>!is', $html, $matches);
-        if ($result) {
-            return $matches[1];
-        } else {
-            return $html;
-        }
-    }
+		} else {
+			$lexer = $config->get('Core.LexerImpl');
+		}
+
+		$needs_tracking =
+			$config->get('Core.MaintainLineNumbers') ||
+			$config->get('Core.CollectErrors');
+
+		$inst = null;
+		if (is_object($lexer)) {
+			$inst = $lexer;
+		} else {
+
+			if (is_null($lexer)) { do {
+				// auto-detection algorithm
+
+				if ($needs_tracking) {
+					$lexer = 'DirectLex';
+					break;
+				}
+
+				if (
+					class_exists('DOMDocument') &&
+					method_exists('DOMDocument', 'loadHTML') &&
+					!extension_loaded('domxml')
+				) {
+					// check for DOM support, because while it's part of the
+					// core, it can be disabled compile time. Also, the PECL
+					// domxml extension overrides the default DOM, and is evil
+					// and nasty and we shan't bother to support it
+					$lexer = 'DOMLex';
+				} else {
+					$lexer = 'DirectLex';
+				}
+
+			} while(0); } // do..while so we can break
+
+			// instantiate recognized string names
+			switch ($lexer) {
+				case 'DOMLex':
+					$inst = new HTMLPurifier_Lexer_DOMLex();
+					break;
+				case 'DirectLex':
+					$inst = new HTMLPurifier_Lexer_DirectLex();
+					break;
+				case 'PH5P':
+					$inst = new HTMLPurifier_Lexer_PH5P();
+					break;
+				default:
+					throw new HTMLPurifier_Exception("Cannot instantiate unrecognized Lexer type " . htmlspecialchars($lexer, ENT_COMPAT | ENT_HTML401, 'UTF-8', false));
+			}
+		}
+
+		if (!$inst) throw new HTMLPurifier_Exception('No lexer was instantiated');
+
+		// once PHP DOM implements native line numbers, or we
+		// hack out something using XSLT, remove this stipulation
+		if ($needs_tracking && !$inst->tracksLineNumbers) {
+			throw new HTMLPurifier_Exception('Cannot use lexer that does not support line numbers with Core.MaintainLineNumbers or Core.CollectErrors (use DirectLex instead)');
+		}
+
+		return $inst;
+
+	}
+
+	// -- CONVENIENCE MEMBERS ---------------------------------------------
+
+	public function __construct() {
+		$this->_entity_parser = new HTMLPurifier_EntityParser();
+	}
+
+	/**
+	 * Most common entity to raw value conversion table for special entities.
+	 */
+	protected $_special_entity2str =
+			array(
+					'&quot;' => '"',
+					'&amp;'  => '&',
+					'&lt;'   => '<',
+					'&gt;'   => '>',
+					'&#39;'  => "'",
+					'&#039;' => "'",
+					'&#x27;' => "'"
+			);
+
+	/**
+	 * Parses special entities into the proper characters.
+	 *
+	 * This string will translate escaped versions of the special characters
+	 * into the correct ones.
+	 *
+	 * @warning
+	 * You should be able to treat the output of this function as
+	 * completely parsed, but that's only because all other entities should
+	 * have been handled previously in substituteNonSpecialEntities()
+	 *
+	 * @param $string String character data to be parsed.
+	 * @returns Parsed character data.
+	 */
+	public function parseData($string) {
+
+		// following functions require at least one character
+		if ($string === '') return '';
+
+		// subtracts amps that cannot possibly be escaped
+		$num_amp = substr_count($string, '&') - substr_count($string, '& ') -
+			($string[strlen($string)-1] === '&' ? 1 : 0);
+
+		if (!$num_amp) return $string; // abort if no entities
+		$num_esc_amp = substr_count($string, '&amp;');
+		$string = strtr($string, $this->_special_entity2str);
+
+		// code duplication for sake of optimization, see above
+		$num_amp_2 = substr_count($string, '&') - substr_count($string, '& ') -
+			($string[strlen($string)-1] === '&' ? 1 : 0);
+
+		if ($num_amp_2 <= $num_esc_amp) return $string;
+
+		// hmm... now we have some uncommon entities. Use the callback.
+		$string = $this->_entity_parser->substituteSpecialEntities($string);
+		return $string;
+	}
+
+	/**
+	 * Lexes an HTML string into tokens.
+	 *
+	 * @param $string String HTML.
+	 * @return HTMLPurifier_Token array representation of HTML.
+	 */
+	public function tokenizeHTML($string, $config, $context) {
+		trigger_error('Call to abstract class', E_USER_ERROR);
+	}
+
+	/**
+	 * Translates CDATA sections into regular sections (through escaping).
+	 *
+	 * @param $string HTML string to process.
+	 * @returns HTML with CDATA sections escaped.
+	 */
+	protected static function escapeCDATA($string) {
+		return preg_replace_callback(
+			'/<!\[CDATA\[(.+?)\]\]>/s',
+			array('HTMLPurifier_Lexer', 'CDATACallback'),
+			$string
+		);
+	}
+
+	/**
+	 * Special CDATA case that is especially convoluted for <script>
+	 */
+	protected static function escapeCommentedCDATA($string) {
+		return preg_replace_callback(
+			'#<!--//--><!\[CDATA\[//><!--(.+?)//--><!\]\]>#s',
+			array('HTMLPurifier_Lexer', 'CDATACallback'),
+			$string
+		);
+	}
+
+	/**
+	 * Special Internet Explorer conditional comments should be removed.
+	 */
+	protected static function removeIEConditional($string) {
+		return preg_replace(
+			'#<!--\[if [^>]+\]>.*?<!\[endif\]-->#si', // probably should generalize for all strings
+			'',
+			$string
+		);
+	}
+
+	/**
+	 * Callback function for escapeCDATA() that does the work.
+	 *
+	 * @warning Though this is public in order to let the callback happen,
+	 *          calling it directly is not recommended.
+	 * @params $matches PCRE matches array, with index 0 the entire match
+	 *                  and 1 the inside of the CDATA section.
+	 * @returns Escaped internals of the CDATA section.
+	 */
+	protected static function CDATACallback($matches) {
+		// not exactly sure why the character set is needed, but whatever
+		return htmlspecialchars($matches[1], ENT_COMPAT, 'UTF-8', false);
+	}
+
+	/**
+	 * Takes a piece of HTML and normalizes it by converting entities, fixing
+	 * encoding, extracting bits, and other good stuff.
+	 * @todo Consider making protected
+	 */
+	public function normalize($html, $config, $context) {
+
+		// normalize newlines to \n
+		if ($config->get('Core.NormalizeNewlines')) {
+			$html = str_replace("\r\n", "\n", $html);
+			$html = str_replace("\r", "\n", $html);
+		}
+
+		if ($config->get('HTML.Trusted')) {
+			// escape convoluted CDATA
+			$html = $this->escapeCommentedCDATA($html);
+		}
+
+		// escape CDATA
+		$html = $this->escapeCDATA($html);
+
+		$html = $this->removeIEConditional($html);
+
+		// extract body from document if applicable
+		if ($config->get('Core.ConvertDocumentToFragment')) {
+			$e = false;
+			if ($config->get('Core.CollectErrors')) {
+				$e =& $context->get('ErrorCollector');
+			}
+			$new_html = $this->extractBody($html);
+			if ($e && $new_html != $html) {
+				$e->send(E_WARNING, 'Lexer: Extracted body');
+			}
+			$html = $new_html;
+		}
+
+		// expand entities that aren't the big five
+		$html = $this->_entity_parser->substituteNonSpecialEntities($html);
+
+		// clean into wellformed UTF-8 string for an SGML context: this has
+		// to be done after entity expansion because the entities sometimes
+		// represent non-SGML characters (horror, horror!)
+		$html = HTMLPurifier_Encoder::cleanUTF8($html);
+
+		// if processing instructions are to removed, remove them now
+		if ($config->get('Core.RemoveProcessingInstructions')) {
+			$html = preg_replace('#<\?.+?\?>#s', '', $html);
+		}
+
+		return $html;
+	}
+
+	/**
+	 * Takes a string of HTML (fragment or document) and returns the content
+	 * @todo Consider making protected
+	 */
+	public function extractBody($html) {
+		$matches = array();
+		$result = preg_match('!<body[^>]*>(.*)</body>!is', $html, $matches);
+		if ($result) {
+			return $matches[1];
+		} else {
+			return $html;
+		}
+	}
 
 }
 

Braces +13 added lines, -4 removed lines

@@ -125,7 +125,9 @@ 
             }
         }
 
-        if (!$inst) throw new HTMLPurifier_Exception('No lexer was instantiated');
+        if (!$inst) {
+        	throw new HTMLPurifier_Exception('No lexer was instantiated');
+        }
 
         // once PHP DOM implements native line numbers, or we
         // hack out something using XSLT, remove this stipulation
@@ -174,13 +176,18 @@ 
     public function parseData($string) {
 
         // following functions require at least one character
-        if ($string === '') return '';
+        if ($string === '') {
+        	return '';
+        }
 
         // subtracts amps that cannot possibly be escaped
         $num_amp = substr_count($string, '&') - substr_count($string, '& ') -
             ($string[strlen($string)-1] === '&' ? 1 : 0);
 
-        if (!$num_amp) return $string; // abort if no entities
+        if (!$num_amp) {
+        	return $string;
+        }
+        // abort if no entities
         $num_esc_amp = substr_count($string, '&');
         $string = strtr($string, $this->_special_entity2str);
 
@@ -188,7 +195,9 @@ 
         $num_amp_2 = substr_count($string, '&') - substr_count($string, '& ') -
             ($string[strlen($string)-1] === '&' ? 1 : 0);
 
-        if ($num_amp_2 <= $num_esc_amp) return $string;
+        if ($num_amp_2 <= $num_esc_amp) {
+        	return $string;
+        }
 
         // hmm... now we have some uncommon entities. Use the callback.
         $string = $this->_entity_parser->substituteSpecialEntities($string);

Spacing +5 added lines, -5 removed lines

@@ -107,7 +107,7 @@ 
                     $lexer = 'DirectLex';
                 }
 
-            } while(0); } // do..while so we can break
+            } while (0); } // do..while so we can break
 
             // instantiate recognized string names
             switch ($lexer) {
@@ -121,7 +121,7 @@ 
                     $inst = new HTMLPurifier_Lexer_PH5P();
                     break;
                 default:
-                    throw new HTMLPurifier_Exception("Cannot instantiate unrecognized Lexer type " . htmlspecialchars($lexer, ENT_COMPAT | ENT_HTML401, 'UTF-8', false));
+                    throw new HTMLPurifier_Exception("Cannot instantiate unrecognized Lexer type ".htmlspecialchars($lexer, ENT_COMPAT | ENT_HTML401, 'UTF-8', false));
             }
         }
 
@@ -178,7 +178,7 @@ 
 
         // subtracts amps that cannot possibly be escaped
         $num_amp = substr_count($string, '&') - substr_count($string, '& ') -
-            ($string[strlen($string)-1] === '&' ? 1 : 0);
+            ($string[strlen($string) - 1] === '&' ? 1 : 0);
 
         if (!$num_amp) return $string; // abort if no entities
         $num_esc_amp = substr_count($string, '&');
@@ -186,7 +186,7 @@ 
 
         // code duplication for sake of optimization, see above
         $num_amp_2 = substr_count($string, '&') - substr_count($string, '& ') -
-            ($string[strlen($string)-1] === '&' ? 1 : 0);
+            ($string[strlen($string) - 1] === '&' ? 1 : 0);
 
         if ($num_amp_2 <= $num_esc_amp) return $string;
 
@@ -282,7 +282,7 @@ 
         if ($config->get('Core.ConvertDocumentToFragment')) {
             $e = false;
             if ($config->get('Core.CollectErrors')) {
-                $e =& $context->get('ErrorCollector');
+                $e = & $context->get('ErrorCollector');
             }
             $new_html = $this->extractBody($html);
             if ($e && $new_html != $html) {

classes/security/htmlpurifier/library/HTMLPurifier/PercentEncoder.php

Indentation +77 added lines, -77 removed lines

@@ -11,87 +11,87 @@
 class HTMLPurifier_PercentEncoder
 {
 
-    /**
-     * Reserved characters to preserve when using encode().
-     */
-    protected $preserve = array();
+	/**
+	 * Reserved characters to preserve when using encode().
+	 */
+	protected $preserve = array();
 
-    /**
-     * String of characters that should be preserved while using encode().
-     */
-    public function __construct($preserve = false) {
-        // unreserved letters, ought to const-ify
-        for ($i = 48; $i <= 57;  $i++) $this->preserve[$i] = true; // digits
-        for ($i = 65; $i <= 90;  $i++) $this->preserve[$i] = true; // upper-case
-        for ($i = 97; $i <= 122; $i++) $this->preserve[$i] = true; // lower-case
-        $this->preserve[45] = true; // Dash         -
-        $this->preserve[46] = true; // Period       .
-        $this->preserve[95] = true; // Underscore   _
-        $this->preserve[126]= true; // Tilde        ~
+	/**
+	 * String of characters that should be preserved while using encode().
+	 */
+	public function __construct($preserve = false) {
+		// unreserved letters, ought to const-ify
+		for ($i = 48; $i <= 57;  $i++) $this->preserve[$i] = true; // digits
+		for ($i = 65; $i <= 90;  $i++) $this->preserve[$i] = true; // upper-case
+		for ($i = 97; $i <= 122; $i++) $this->preserve[$i] = true; // lower-case
+		$this->preserve[45] = true; // Dash         -
+		$this->preserve[46] = true; // Period       .
+		$this->preserve[95] = true; // Underscore   _
+		$this->preserve[126]= true; // Tilde        ~
 
-        // extra letters not to escape
-        if ($preserve !== false) {
-            for ($i = 0, $c = strlen($preserve); $i < $c; $i++) {
-                $this->preserve[ord($preserve[$i])] = true;
-            }
-        }
-    }
+		// extra letters not to escape
+		if ($preserve !== false) {
+			for ($i = 0, $c = strlen($preserve); $i < $c; $i++) {
+				$this->preserve[ord($preserve[$i])] = true;
+			}
+		}
+	}
 
-    /**
-     * Our replacement for urlencode, it encodes all non-reserved characters,
-     * as well as any extra characters that were instructed to be preserved.
-     * @note
-     *      Assumes that the string has already been normalized, making any
-     *      and all percent escape sequences valid. Percents will not be
-     *      re-escaped, regardless of their status in $preserve
-     * @param $string String to be encoded
-     * @return Encoded string.
-     */
-    public function encode($string) {
-        $ret = '';
-        for ($i = 0, $c = strlen($string); $i < $c; $i++) {
-            if ($string[$i] !== '%' && !isset($this->preserve[$int = ord($string[$i])]) ) {
-                $ret .= '%' . sprintf('%02X', $int);
-            } else {
-                $ret .= $string[$i];
-            }
-        }
-        return $ret;
-    }
+	/**
+	 * Our replacement for urlencode, it encodes all non-reserved characters,
+	 * as well as any extra characters that were instructed to be preserved.
+	 * @note
+	 *      Assumes that the string has already been normalized, making any
+	 *      and all percent escape sequences valid. Percents will not be
+	 *      re-escaped, regardless of their status in $preserve
+	 * @param $string String to be encoded
+	 * @return Encoded string.
+	 */
+	public function encode($string) {
+		$ret = '';
+		for ($i = 0, $c = strlen($string); $i < $c; $i++) {
+			if ($string[$i] !== '%' && !isset($this->preserve[$int = ord($string[$i])]) ) {
+				$ret .= '%' . sprintf('%02X', $int);
+			} else {
+				$ret .= $string[$i];
+			}
+		}
+		return $ret;
+	}
 
-    /**
-     * Fix up percent-encoding by decoding unreserved characters and normalizing.
-     * @warning This function is affected by $preserve, even though the
-     *          usual desired behavior is for this not to preserve those
-     *          characters. Be careful when reusing instances of PercentEncoder!
-     * @param $string String to normalize
-     */
-    public function normalize($string) {
-        if ($string == '') return '';
-        $parts = explode('%', $string);
-        $ret = array_shift($parts);
-        foreach ($parts as $part) {
-            $length = strlen($part);
-            if ($length < 2) {
-                $ret .= '%25' . $part;
-                continue;
-            }
-            $encoding = substr($part, 0, 2);
-            $text     = substr($part, 2);
-            if (!ctype_xdigit($encoding)) {
-                $ret .= '%25' . $part;
-                continue;
-            }
-            $int = hexdec($encoding);
-            if (isset($this->preserve[$int])) {
-                $ret .= chr($int) . $text;
-                continue;
-            }
-            $encoding = strtoupper($encoding);
-            $ret .= '%' . $encoding . $text;
-        }
-        return $ret;
-    }
+	/**
+	 * Fix up percent-encoding by decoding unreserved characters and normalizing.
+	 * @warning This function is affected by $preserve, even though the
+	 *          usual desired behavior is for this not to preserve those
+	 *          characters. Be careful when reusing instances of PercentEncoder!
+	 * @param $string String to normalize
+	 */
+	public function normalize($string) {
+		if ($string == '') return '';
+		$parts = explode('%', $string);
+		$ret = array_shift($parts);
+		foreach ($parts as $part) {
+			$length = strlen($part);
+			if ($length < 2) {
+				$ret .= '%25' . $part;
+				continue;
+			}
+			$encoding = substr($part, 0, 2);
+			$text     = substr($part, 2);
+			if (!ctype_xdigit($encoding)) {
+				$ret .= '%25' . $part;
+				continue;
+			}
+			$int = hexdec($encoding);
+			if (isset($this->preserve[$int])) {
+				$ret .= chr($int) . $text;
+				continue;
+			}
+			$encoding = strtoupper($encoding);
+			$ret .= '%' . $encoding . $text;
+		}
+		return $ret;
+	}
 
 }
 

Braces +15 added lines, -4 removed lines

@@ -21,9 +21,18 @@ 
      */
     public function __construct($preserve = false) {
         // unreserved letters, ought to const-ify
-        for ($i = 48; $i <= 57;  $i++) $this->preserve[$i] = true; // digits
-        for ($i = 65; $i <= 90;  $i++) $this->preserve[$i] = true; // upper-case
-        for ($i = 97; $i <= 122; $i++) $this->preserve[$i] = true; // lower-case
+        for ($i = 48; $i <= 57;  $i++) {
+        	$this->preserve[$i] = true;
+        }
+        // digits
+        for ($i = 65; $i <= 90;  $i++) {
+        	$this->preserve[$i] = true;
+        }
+        // upper-case
+        for ($i = 97; $i <= 122; $i++) {
+        	$this->preserve[$i] = true;
+        }
+        // lower-case
         $this->preserve[45] = true; // Dash         -
         $this->preserve[46] = true; // Period       .
         $this->preserve[95] = true; // Underscore   _
@@ -67,7 +76,9 @@ 
      * @param $string String to normalize
      */
     public function normalize($string) {
-        if ($string == '') return '';
+        if ($string == '') {
+        	return '';
+        }
         $parts = explode('%', $string);
         $ret = array_shift($parts);
         foreach ($parts as $part) {

Spacing +9 added lines, -9 removed lines

@@ -21,13 +21,13 @@ 
      */
     public function __construct($preserve = false) {
         // unreserved letters, ought to const-ify
-        for ($i = 48; $i <= 57;  $i++) $this->preserve[$i] = true; // digits
-        for ($i = 65; $i <= 90;  $i++) $this->preserve[$i] = true; // upper-case
+        for ($i = 48; $i <= 57; $i++) $this->preserve[$i] = true; // digits
+        for ($i = 65; $i <= 90; $i++) $this->preserve[$i] = true; // upper-case
         for ($i = 97; $i <= 122; $i++) $this->preserve[$i] = true; // lower-case
         $this->preserve[45] = true; // Dash         -
         $this->preserve[46] = true; // Period       .
         $this->preserve[95] = true; // Underscore   _
-        $this->preserve[126]= true; // Tilde        ~
+        $this->preserve[126] = true; // Tilde        ~
 
         // extra letters not to escape
         if ($preserve !== false) {
@@ -50,8 +50,8 @@ 
     public function encode($string) {
         $ret = '';
         for ($i = 0, $c = strlen($string); $i < $c; $i++) {
-            if ($string[$i] !== '%' && !isset($this->preserve[$int = ord($string[$i])]) ) {
-                $ret .= '%' . sprintf('%02X', $int);
+            if ($string[$i] !== '%' && !isset($this->preserve[$int = ord($string[$i])])) {
+                $ret .= '%'.sprintf('%02X', $int);
             } else {
                 $ret .= $string[$i];
             }
@@ -73,22 +73,22 @@ 
         foreach ($parts as $part) {
             $length = strlen($part);
             if ($length < 2) {
-                $ret .= '%25' . $part;
+                $ret .= '%25'.$part;
                 continue;
             }
             $encoding = substr($part, 0, 2);
             $text     = substr($part, 2);
             if (!ctype_xdigit($encoding)) {
-                $ret .= '%25' . $part;
+                $ret .= '%25'.$part;
                 continue;
             }
             $int = hexdec($encoding);
             if (isset($this->preserve[$int])) {
-                $ret .= chr($int) . $text;
+                $ret .= chr($int).$text;
                 continue;
             }
             $encoding = strtoupper($encoding);
-            $ret .= '%' . $encoding . $text;
+            $ret .= '%'.$encoding.$text;
         }
         return $ret;
     }