xpressengine / xe-core

classes/security/Password.class.php

Spacing +42 added lines, -42 removed lines

@@ -19,11 +19,11 @@ 
 	public function getSupportedAlgorithms()
 	{
 		$retval = array();
-		if(function_exists('hash_hmac') && in_array('sha256', hash_algos()))
+		if (function_exists('hash_hmac') && in_array('sha256', hash_algos()))
 		{
 			$retval['pbkdf2'] = 'pbkdf2';
 		}
-		if(version_compare(PHP_VERSION, '5.3.7', '>=') && defined('CRYPT_BLOWFISH'))
+		if (version_compare(PHP_VERSION, '5.3.7', '>=') && defined('CRYPT_BLOWFISH'))
 		{
 			$retval['bcrypt'] = 'bcrypt';
 		}
@@ -47,13 +47,13 @@ 
 	 */
 	public function getCurrentlySelectedAlgorithm()
 	{
-		if(function_exists('getModel'))
+		if (function_exists('getModel'))
 		{
 			$config = getModel('member')->getMemberConfig();
 			$algorithm = $config->password_hashing_algorithm;
-			if(strval($algorithm) === '')
+			if (strval($algorithm) === '')
 			{
-				$algorithm = 'md5';  // Historical default for XE
+				$algorithm = 'md5'; // Historical default for XE
 			}
 		}
 		else
@@ -69,13 +69,13 @@ 
 	 */
 	public function getWorkFactor()
 	{
-		if(function_exists('getModel'))
+		if (function_exists('getModel'))
 		{
 			$config = getModel('member')->getMemberConfig();
 			$work_factor = $config->password_hashing_work_factor;
-			if(!$work_factor || $work_factor < 4 || $work_factor > 31)
+			if (!$work_factor || $work_factor < 4 || $work_factor > 31)
 			{
-				$work_factor = 8;  // Reasonable default
+				$work_factor = 8; // Reasonable default
 			}
 		}
 		else
@@ -93,18 +93,18 @@ 
 	 */
 	public function createHash($password, $algorithm = null)
 	{
-		if($algorithm === null)
+		if ($algorithm === null)
 		{
 			$algorithm = $this->getCurrentlySelectedAlgorithm();
 		}
-		if(!array_key_exists($algorithm, $this->getSupportedAlgorithms()))
+		if (!array_key_exists($algorithm, $this->getSupportedAlgorithms()))
 		{
 			return false;
 		}
 
 		$password = trim($password);
 
-		switch($algorithm)
+		switch ($algorithm)
 		{
 			case 'md5':
 				return md5($password);
@@ -113,7 +113,7 @@ 
 				$iterations = pow(2, $this->getWorkFactor() + 5);
 				$salt = $this->createSecureSalt(12, 'alnum');
 				$hash = base64_encode($this->pbkdf2($password, $salt, 'sha256', $iterations, 24));
-				return 'sha256:'.sprintf('%07d', $iterations).':'.$salt.':'.$hash;
+				return 'sha256:' . sprintf('%07d', $iterations) . ':' . $salt . ':' . $hash;
 
 			case 'bcrypt':
 				return $this->bcrypt($password);
@@ -132,14 +132,14 @@ 
 	 */
 	public function checkPassword($password, $hash, $algorithm = null)
 	{
-		if($algorithm === null)
+		if ($algorithm === null)
 		{
 			$algorithm = $this->checkAlgorithm($hash);
 		}
 
 		$password = trim($password);
 
-		switch($algorithm)
+		switch ($algorithm)
 		{
 			case 'md5':
 				return md5($password) === $hash || md5(sha1(md5($password))) === $hash;
@@ -173,23 +173,23 @@ 
 	 */
 	function checkAlgorithm($hash)
 	{
-		if(preg_match('/^\$2[axy]\$([0-9]{2})\$/', $hash, $matches))
+		if (preg_match('/^\$2[axy]\$([0-9]{2})\$/', $hash, $matches))
 		{
 			return 'bcrypt';
 		}
-		elseif(preg_match('/^sha[0-9]+:([0-9]+):/', $hash, $matches))
+		elseif (preg_match('/^sha[0-9]+:([0-9]+):/', $hash, $matches))
 		{
 			return 'pbkdf2';
 		}
-		elseif(strlen($hash) === 32 && ctype_xdigit($hash))
+		elseif (strlen($hash) === 32 && ctype_xdigit($hash))
 		{
 			return 'md5';
 		}
-		elseif(strlen($hash) === 16 && ctype_xdigit($hash))
+		elseif (strlen($hash) === 16 && ctype_xdigit($hash))
 		{
 			return 'mysql_old_password';
 		}
-		elseif(strlen($hash) === 41 && $hash[0] === '*')
+		elseif (strlen($hash) === 41 && $hash[0] === '*')
 		{
 			return 'mysql_password';
 		}
@@ -206,11 +206,11 @@ 
 	 */
 	function checkWorkFactor($hash)
 	{
-		if(preg_match('/^\$2[axy]\$([0-9]{2})\$/', $hash, $matches))
+		if (preg_match('/^\$2[axy]\$([0-9]{2})\$/', $hash, $matches))
 		{
 			return intval($matches[1], 10);
 		}
-		elseif(preg_match('/^sha[0-9]+:([0-9]+):/', $hash, $matches))
+		elseif (preg_match('/^sha[0-9]+:([0-9]+):/', $hash, $matches))
 		{
 			return max(0, round(log($matches[1], 2)) - 5);
 		}
@@ -229,7 +229,7 @@ 
 	public function createSecureSalt($length, $format = 'hex')
 	{
 		// Find out how many bytes of entropy we really need
-		switch($format)
+		switch ($format)
 		{
 			case 'hex':
 				$entropy_required_bytes = ceil($length / 2);
@@ -247,19 +247,19 @@ 
 
 		// Find and use the most secure way to generate a random string
 		$is_windows = (defined('PHP_OS') && strtoupper(substr(PHP_OS, 0, 3)) === 'WIN');
-		if(function_exists('openssl_random_pseudo_bytes') && (!$is_windows || version_compare(PHP_VERSION, '5.4', '>=')))
+		if (function_exists('openssl_random_pseudo_bytes') && (!$is_windows || version_compare(PHP_VERSION, '5.4', '>=')))
 		{
 			$entropy = openssl_random_pseudo_bytes($entropy_capped_bytes);
 		}
-		elseif(function_exists('mcrypt_create_iv') && (!$is_windows || version_compare(PHP_VERSION, '5.3.7', '>=')))
+		elseif (function_exists('mcrypt_create_iv') && (!$is_windows || version_compare(PHP_VERSION, '5.3.7', '>=')))
 		{
 			$entropy = mcrypt_create_iv($entropy_capped_bytes, MCRYPT_DEV_URANDOM);
 		}
-		elseif(function_exists('mcrypt_create_iv') && $is_windows)
+		elseif (function_exists('mcrypt_create_iv') && $is_windows)
 		{
 			$entropy = mcrypt_create_iv($entropy_capped_bytes, MCRYPT_RAND);
 		}
-		elseif(!$is_windows && @is_readable('/dev/urandom'))
+		elseif (!$is_windows && @is_readable('/dev/urandom'))
 		{
 			$fp = fopen('/dev/urandom', 'rb');
 			$entropy = fread($fp, $entropy_capped_bytes);
@@ -268,7 +268,7 @@ 
 		else
 		{
 			$entropy = '';
-			for($i = 0; $i < $entropy_capped_bytes; $i += 2)
+			for ($i = 0; $i < $entropy_capped_bytes; $i += 2)
 			{
 				$entropy .= pack('S', rand(0, 65536) ^ mt_rand(0, 65535));
 			}
@@ -276,13 +276,13 @@ 
 
 		// Mixing (see RFC 4086 section 5)
 		$output = '';
-		for($i = 0; $i < $entropy_required_bytes; $i += 32)
+		for ($i = 0; $i < $entropy_required_bytes; $i += 32)
 		{
 			$output .= hash('sha256', $entropy . $i . rand(), true);
 		}
 
 		// Encode and return the random string
-		switch($format)
+		switch ($format)
 		{
 			case 'hex':
 				return substr(bin2hex($output), 0, $length);
@@ -290,7 +290,7 @@ 
 				return substr($output, 0, $length);
 			case 'printable':
 				$salt = '';
-				for($i = 0; $i < $length; $i++)
+				for ($i = 0; $i < $length; $i++)
 				{
 					$salt .= chr(33 + (crc32(sha1($i . $output)) % 94));
 				}
@@ -310,15 +310,15 @@ 
 	 */
 	public function createTemporaryPassword($length = 16)
 	{
-		while(true)
+		while (true)
 		{
 			$source = base64_encode($this->createSecureSalt(64, 'binary'));
 			$source = strtr($source, 'iIoOjl10/', '@#$%&*-!?');
 			$source_length = strlen($source);
-			for($i = 0; $i < $source_length - $length; $i++)
+			for ($i = 0; $i < $source_length - $length; $i++)
 			{
 				$candidate = substr($source, $i, $length);
-				if(preg_match('/[a-z]/', $candidate) && preg_match('/[A-Z]/', $candidate) &&
+				if (preg_match('/[a-z]/', $candidate) && preg_match('/[A-Z]/', $candidate) &&
 					preg_match('/[0-9]/', $candidate) && preg_match('/[^a-zA-Z0-9]/', $candidate))
 				{
 					return $candidate;
@@ -338,19 +338,19 @@ 
 	 */
 	public function pbkdf2($password, $salt, $algorithm = 'sha256', $iterations = 8192, $length = 24)
 	{
-		if(function_exists('hash_pbkdf2'))
+		if (function_exists('hash_pbkdf2'))
 		{
 			return hash_pbkdf2($algorithm, $password, $salt, $iterations, $length, true);
 		}
 		else
 		{
 			$output = '';
-			$block_count = ceil($length / strlen(hash($algorithm, '', true)));  // key length divided by the length of one hash
-			for($i = 1; $i <= $block_count; $i++)
+			$block_count = ceil($length / strlen(hash($algorithm, '', true))); // key length divided by the length of one hash
+			for ($i = 1; $i <= $block_count; $i++)
 			{
-				$last = $salt . pack('N', $i);  // $i encoded as 4 bytes, big endian
-				$last = $xorsum = hash_hmac($algorithm, $last, $password, true);  // first iteration
-				for($j = 1; $j < $iterations; $j++)  // The other $count - 1 iterations
+				$last = $salt . pack('N', $i); // $i encoded as 4 bytes, big endian
+				$last = $xorsum = hash_hmac($algorithm, $last, $password, true); // first iteration
+				for ($j = 1; $j < $iterations; $j++)  // The other $count - 1 iterations
 				{
 					$xorsum ^= ($last = hash_hmac($algorithm, $last, $password, true));
 				}
@@ -368,9 +368,9 @@ 
 	 */
 	public function bcrypt($password, $salt = null)
 	{
-		if($salt === null)
+		if ($salt === null)
 		{
-			$salt = '$2y$'.sprintf('%02d', $this->getWorkFactor()).'$'.$this->createSecureSalt(22, 'alnum');
+			$salt = '$2y$' . sprintf('%02d', $this->getWorkFactor()) . '$' . $this->createSecureSalt(22, 'alnum');
 		}
 		return crypt($password, $salt);
 	}
@@ -385,7 +385,7 @@ 
 	{
 		$diff = strlen($a) ^ strlen($b);
 		$maxlen = min(strlen($a), strlen($b));
-		for($i = 0; $i < $maxlen; $i++)
+		for ($i = 0; $i < $maxlen; $i++)
 		{
 			$diff |= ord($a[$i]) ^ ord($b[$i]);
 		}

Braces +17 added lines, -29 removed lines

@@ -55,8 +55,7 @@ 
 			{
 				$algorithm = 'md5';  // Historical default for XE
 			}
-		}
-		else
+		} else
 		{
 			$algorithm = 'md5';
 		}
@@ -77,8 +76,7 @@ 
 			{
 				$work_factor = 8;  // Reasonable default
 			}
-		}
-		else
+		} else
 		{
 			$work_factor = 8;
 		}
@@ -176,24 +174,19 @@ 
 		if(preg_match('/^\$2[axy]\$([0-9]{2})\$/', $hash, $matches))
 		{
 			return 'bcrypt';
-		}
-		elseif(preg_match('/^sha[0-9]+:([0-9]+):/', $hash, $matches))
+		} elseif(preg_match('/^sha[0-9]+:([0-9]+):/', $hash, $matches))
 		{
 			return 'pbkdf2';
-		}
-		elseif(strlen($hash) === 32 && ctype_xdigit($hash))
+		} elseif(strlen($hash) === 32 && ctype_xdigit($hash))
 		{
 			return 'md5';
-		}
-		elseif(strlen($hash) === 16 && ctype_xdigit($hash))
+		} elseif(strlen($hash) === 16 && ctype_xdigit($hash))
 		{
 			return 'mysql_old_password';
-		}
-		elseif(strlen($hash) === 41 && $hash[0] === '*')
+		} elseif(strlen($hash) === 41 && $hash[0] === '*')
 		{
 			return 'mysql_password';
-		}
-		else
+		} else
 		{
 			return false;
 		}
@@ -209,12 +202,10 @@ 
 		if(preg_match('/^\$2[axy]\$([0-9]{2})\$/', $hash, $matches))
 		{
 			return intval($matches[1], 10);
-		}
-		elseif(preg_match('/^sha[0-9]+:([0-9]+):/', $hash, $matches))
+		} elseif(preg_match('/^sha[0-9]+:([0-9]+):/', $hash, $matches))
 		{
 			return max(0, round(log($matches[1], 2)) - 5);
-		}
-		else
+		} else
 		{
 			return false;
 		}
@@ -250,22 +241,18 @@ 
 		if(function_exists('openssl_random_pseudo_bytes') && (!$is_windows || version_compare(PHP_VERSION, '5.4', '>=')))
 		{
 			$entropy = openssl_random_pseudo_bytes($entropy_capped_bytes);
-		}
-		elseif(function_exists('mcrypt_create_iv') && (!$is_windows || version_compare(PHP_VERSION, '5.3.7', '>=')))
+		} elseif(function_exists('mcrypt_create_iv') && (!$is_windows || version_compare(PHP_VERSION, '5.3.7', '>=')))
 		{
 			$entropy = mcrypt_create_iv($entropy_capped_bytes, MCRYPT_DEV_URANDOM);
-		}
-		elseif(function_exists('mcrypt_create_iv') && $is_windows)
+		} elseif(function_exists('mcrypt_create_iv') && $is_windows)
 		{
 			$entropy = mcrypt_create_iv($entropy_capped_bytes, MCRYPT_RAND);
-		}
-		elseif(!$is_windows && @is_readable('/dev/urandom'))
+		} elseif(!$is_windows && @is_readable('/dev/urandom'))
 		{
 			$fp = fopen('/dev/urandom', 'rb');
 			$entropy = fread($fp, $entropy_capped_bytes);
 			fclose($fp);
-		}
-		else
+		} else
 		{
 			$entropy = '';
 			for($i = 0; $i < $entropy_capped_bytes; $i += 2)
@@ -341,8 +328,7 @@ 
 		if(function_exists('hash_pbkdf2'))
 		{
 			return hash_pbkdf2($algorithm, $password, $salt, $iterations, $length, true);
-		}
-		else
+		} else
 		{
 			$output = '';
 			$block_count = ceil($length / strlen(hash($algorithm, '', true)));  // key length divided by the length of one hash
@@ -350,10 +336,12 @@ 
 			{
 				$last = $salt . pack('N', $i);  // $i encoded as 4 bytes, big endian
 				$last = $xorsum = hash_hmac($algorithm, $last, $password, true);  // first iteration
-				for($j = 1; $j < $iterations; $j++)  // The other $count - 1 iterations
+				for($j = 1; $j < $iterations; $j++) {
+					// The other $count - 1 iterations
 				{
 					$xorsum ^= ($last = hash_hmac($algorithm, $last, $password, true));
 				}
+				}
 				$output .= $xorsum;
 			}
 			return substr($output, 0, $length);

classes/security/Purifier.class.php

Spacing +18 added lines, -18 removed lines

@@ -22,7 +22,7 @@ 
 
 	public function getInstance()
 	{
-		if(!isset($GLOBALS['__PURIFIER_INSTANCE__']))
+		if (!isset($GLOBALS['__PURIFIER_INSTANCE__']))
 		{
 			$GLOBALS['__PURIFIER_INSTANCE__'] = new Purifier();
 		}
@@ -52,9 +52,9 @@ 
 	{
 		// add attribute for edit component
 		$editComponentAttrs = $this->_searchEditComponent($content);
-		if(is_array($editComponentAttrs))
+		if (is_array($editComponentAttrs))
 		{
-			foreach($editComponentAttrs AS $k => $v)
+			foreach ($editComponentAttrs AS $k => $v)
 			{
 				$this->_def->addAttribute('img', $v, 'CDATA');
 				$this->_def->addAttribute('div', $v, 'CDATA');
@@ -63,9 +63,9 @@ 
 
 		// add attribute for widget component
 		$widgetAttrs = $this->_searchWidget($content);
-		if(is_array($widgetAttrs))
+		if (is_array($widgetAttrs))
 		{
-			foreach($widgetAttrs AS $k => $v)
+			foreach ($widgetAttrs AS $k => $v)
 			{
 				$this->_def->addAttribute('img', $v, 'CDATA');
 			}
@@ -82,19 +82,19 @@ 
 		preg_match_all('!<(?:(div)|img)([^>]*)editor_component=([^>]*)>(?(1)(.*?)</div>)!is', $content, $m);
 
 		$attributeList = array();
-		if(is_array($m[2]))
+		if (is_array($m[2]))
 		{
-			foreach($m[2] as $key => $value)
+			foreach ($m[2] as $key => $value)
 			{
 				unset($script, $m2);
 				$script = " {$m[2][$key]} editor_component={$m[3][$key]}";
 
-				if(preg_match_all('/([a-z0-9_-]+)="([^"]+)"/is', $script, $m2))
+				if (preg_match_all('/([a-z0-9_-]+)="([^"]+)"/is', $script, $m2))
 				{
-					foreach($m2[1] as $value2)
+					foreach ($m2[1] as $value2)
 					{
 						//SECISSUE check style attr
-						if($value2 == 'style')
+						if ($value2 == 'style')
 						{
 							continue;
 						}
@@ -117,18 +117,18 @@ 
 		preg_match_all('!<(?:(div)|img)([^>]*)class="zbxe_widget_output"([^>]*)>(?(1)(.*?)</div>)!is', $content, $m);
 
 		$attributeList = array();
-		if(is_array($m[3]))
+		if (is_array($m[3]))
 		{
 			$content = str_replace('<img class="zbxe_widget_output"', '<img src="" class="zbxe_widget_output"', $content);
 
-			foreach($m[3] as $key => $value)
+			foreach ($m[3] as $key => $value)
 			{
 				if (preg_match_all('/([a-z0-9_-]+)="([^"]+)"/is', $m[3][$key], $m2))
 				{
-					foreach($m2[1] as $value2)
+					foreach ($m2[1] as $value2)
 					{
 						//SECISSUE check style attr
-						if($value2 == 'style')
+						if ($value2 == 'style')
 						{
 							continue;
 						}
@@ -149,14 +149,14 @@ 
 		$whiteDomainRegex = '%^(';
 		$whiteDomainCount = count($whiteIframeUrlList);
 
-		$i=1;
-		if(is_array($whiteIframeUrlList))
+		$i = 1;
+		if (is_array($whiteIframeUrlList))
 		{
-			foreach($whiteIframeUrlList as $value)
+			foreach ($whiteIframeUrlList as $value)
 			{
 				$whiteDomainRegex .= $value;
 
-				if($i < $whiteDomainCount)
+				if ($i < $whiteDomainCount)
 				{
 					$whiteDomainRegex .= '|';
 				}

classes/security/htmlpurifier/library/HTMLPurifier.autoload.php

Indentation +10 added lines, -10 removed lines

@@ -7,20 +7,20 @@
  */
 
 if (function_exists('spl_autoload_register') && function_exists('spl_autoload_unregister')) {
-    // We need unregister for our pre-registering functionality
-    HTMLPurifier_Bootstrap::registerAutoload();
-    if (function_exists('__autoload')) {
-        // Be polite and ensure that userland autoload gets retained
-        spl_autoload_register('__autoload');
-    }
+	// We need unregister for our pre-registering functionality
+	HTMLPurifier_Bootstrap::registerAutoload();
+	if (function_exists('__autoload')) {
+		// Be polite and ensure that userland autoload gets retained
+		spl_autoload_register('__autoload');
+	}
 } elseif (!function_exists('__autoload')) {
-    function __autoload($class) {
-        return HTMLPurifier_Bootstrap::autoload($class);
-    }
+	function __autoload($class) {
+		return HTMLPurifier_Bootstrap::autoload($class);
+	}
 }
 
 if (ini_get('zend.ze1_compatibility_mode')) {
-    trigger_error("HTML Purifier is not compatible with zend.ze1_compatibility_mode; please turn it off", E_USER_ERROR);
+	trigger_error("HTML Purifier is not compatible with zend.ze1_compatibility_mode; please turn it off", E_USER_ERROR);
 }
 
 // vim: et sw=4 sts=4

classes/security/htmlpurifier/library/HTMLPurifier.func.php

Indentation +5 added lines, -5 removed lines

@@ -13,11 +13,11 @@
  *        HTMLPurifier_Config::create()
  */
 function HTMLPurifier($html, $config = null) {
-    static $purifier = false;
-    if (!$purifier) {
-        $purifier = new HTMLPurifier();
-    }
-    return $purifier->purify($html, $config);
+	static $purifier = false;
+	if (!$purifier) {
+		$purifier = new HTMLPurifier();
+	}
+	return $purifier->purify($html, $config);
 }
 
 // vim: et sw=4 sts=4

classes/security/htmlpurifier/library/HTMLPurifier.kses.php

Indentation +17 added lines, -17 removed lines

@@ -8,23 +8,23 @@
 require_once dirname(__FILE__) . '/HTMLPurifier.auto.php';
 
 function kses($string, $allowed_html, $allowed_protocols = null) {
-    $config = HTMLPurifier_Config::createDefault();
-    $allowed_elements = array();
-    $allowed_attributes = array();
-    foreach ($allowed_html as $element => $attributes) {
-        $allowed_elements[$element] = true;
-        foreach ($attributes as $attribute => $x) {
-            $allowed_attributes["$element.$attribute"] = true;
-        }
-    }
-    $config->set('HTML.AllowedElements', $allowed_elements);
-    $config->set('HTML.AllowedAttributes', $allowed_attributes);
-    $allowed_schemes = array();
-    if ($allowed_protocols !== null) {
-        $config->set('URI.AllowedSchemes', $allowed_protocols);
-    }
-    $purifier = new HTMLPurifier($config);
-    return $purifier->purify($string);
+	$config = HTMLPurifier_Config::createDefault();
+	$allowed_elements = array();
+	$allowed_attributes = array();
+	foreach ($allowed_html as $element => $attributes) {
+		$allowed_elements[$element] = true;
+		foreach ($attributes as $attribute => $x) {
+			$allowed_attributes["$element.$attribute"] = true;
+		}
+	}
+	$config->set('HTML.AllowedElements', $allowed_elements);
+	$config->set('HTML.AllowedAttributes', $allowed_attributes);
+	$allowed_schemes = array();
+	if ($allowed_protocols !== null) {
+		$config->set('URI.AllowedSchemes', $allowed_protocols);
+	}
+	$purifier = new HTMLPurifier($config);
+	return $purifier->purify($string);
 }
 
 // vim: et sw=4 sts=4

classes/security/htmlpurifier/library/HTMLPurifier.path.php

Spacing +1 added lines, -1 removed lines

@@ -6,6 +6,6 @@
  * without any other side-effects.
  */
 
-set_include_path(dirname(__FILE__) . PATH_SEPARATOR . get_include_path() );
+set_include_path(dirname(__FILE__) . PATH_SEPARATOR . get_include_path());
 
 // vim: et sw=4 sts=4

classes/security/htmlpurifier/library/HTMLPurifier.php

Indentation +177 added lines, -177 removed lines

@@ -54,183 +54,183 @@
 class HTMLPurifier
 {
 
-    /** Version of HTML Purifier */
-    public $version = '4.4.0';
-
-    /** Constant with version of HTML Purifier */
-    const VERSION = '4.4.0';
-
-    /** Global configuration object */
-    public $config;
-
-    /** Array of extra HTMLPurifier_Filter objects to run on HTML, for backwards compatibility */
-    private $filters = array();
-
-    /** Single instance of HTML Purifier */
-    private static $instance;
-
-    protected $strategy, $generator;
-
-    /**
-     * Resultant HTMLPurifier_Context of last run purification. Is an array
-     * of contexts if the last called method was purifyArray().
-     */
-    public $context;
-
-    /**
-     * Initializes the purifier.
-     * @param $config Optional HTMLPurifier_Config object for all instances of
-     *                the purifier, if omitted, a default configuration is
-     *                supplied (which can be overridden on a per-use basis).
-     *                The parameter can also be any type that
-     *                HTMLPurifier_Config::create() supports.
-     */
-    public function __construct($config = null) {
-
-        $this->config = HTMLPurifier_Config::create($config);
-
-        $this->strategy     = new HTMLPurifier_Strategy_Core();
-
-    }
-
-    /**
-     * Adds a filter to process the output. First come first serve
-     * @param $filter HTMLPurifier_Filter object
-     */
-    public function addFilter($filter) {
-        trigger_error('HTMLPurifier->addFilter() is deprecated, use configuration directives in the Filter namespace or Filter.Custom', E_USER_WARNING);
-        $this->filters[] = $filter;
-    }
-
-    /**
-     * Filters an HTML snippet/document to be XSS-free and standards-compliant.
-     *
-     * @param $html String of HTML to purify
-     * @param $config HTMLPurifier_Config object for this operation, if omitted,
-     *                defaults to the config object specified during this
-     *                object's construction. The parameter can also be any type
-     *                that HTMLPurifier_Config::create() supports.
-     * @return Purified HTML
-     */
-    public function purify($html, $config = null) {
-
-        // :TODO: make the config merge in, instead of replace
-        $config = $config ? HTMLPurifier_Config::create($config) : $this->config;
-
-        // implementation is partially environment dependant, partially
-        // configuration dependant
-        $lexer = HTMLPurifier_Lexer::create($config);
-
-        $context = new HTMLPurifier_Context();
-
-        // setup HTML generator
-        $this->generator = new HTMLPurifier_Generator($config, $context);
-        $context->register('Generator', $this->generator);
-
-        // set up global context variables
-        if ($config->get('Core.CollectErrors')) {
-            // may get moved out if other facilities use it
-            $language_factory = HTMLPurifier_LanguageFactory::instance();
-            $language = $language_factory->create($config, $context);
-            $context->register('Locale', $language);
-
-            $error_collector = new HTMLPurifier_ErrorCollector($context);
-            $context->register('ErrorCollector', $error_collector);
-        }
-
-        // setup id_accumulator context, necessary due to the fact that
-        // AttrValidator can be called from many places
-        $id_accumulator = HTMLPurifier_IDAccumulator::build($config, $context);
-        $context->register('IDAccumulator', $id_accumulator);
-
-        $html = HTMLPurifier_Encoder::convertToUTF8($html, $config, $context);
-
-        // setup filters
-        $filter_flags = $config->getBatch('Filter');
-        $custom_filters = $filter_flags['Custom'];
-        unset($filter_flags['Custom']);
-        $filters = array();
-        foreach ($filter_flags as $filter => $flag) {
-            if (!$flag) continue;
-            if (strpos($filter, '.') !== false) continue;
-            $class = "HTMLPurifier_Filter_$filter";
-            $filters[] = new $class;
-        }
-        foreach ($custom_filters as $filter) {
-            // maybe "HTMLPurifier_Filter_$filter", but be consistent with AutoFormat
-            $filters[] = $filter;
-        }
-        $filters = array_merge($filters, $this->filters);
-        // maybe prepare(), but later
-
-        for ($i = 0, $filter_size = count($filters); $i < $filter_size; $i++) {
-            $html = $filters[$i]->preFilter($html, $config, $context);
-        }
-
-        // purified HTML
-        $html =
-            $this->generator->generateFromTokens(
-                // list of tokens
-                $this->strategy->execute(
-                    // list of un-purified tokens
-                    $lexer->tokenizeHTML(
-                        // un-purified HTML
-                        $html, $config, $context
-                    ),
-                    $config, $context
-                )
-            );
-
-        for ($i = $filter_size - 1; $i >= 0; $i--) {
-            $html = $filters[$i]->postFilter($html, $config, $context);
-        }
-
-        $html = HTMLPurifier_Encoder::convertFromUTF8($html, $config, $context);
-        $this->context =& $context;
-        return $html;
-    }
-
-    /**
-     * Filters an array of HTML snippets
-     * @param $config Optional HTMLPurifier_Config object for this operation.
-     *                See HTMLPurifier::purify() for more details.
-     * @return Array of purified HTML
-     */
-    public function purifyArray($array_of_html, $config = null) {
-        $context_array = array();
-        foreach ($array_of_html as $key => $html) {
-            $array_of_html[$key] = $this->purify($html, $config);
-            $context_array[$key] = $this->context;
-        }
-        $this->context = $context_array;
-        return $array_of_html;
-    }
-
-    /**
-     * Singleton for enforcing just one HTML Purifier in your system
-     * @param $prototype Optional prototype HTMLPurifier instance to
-     *                   overload singleton with, or HTMLPurifier_Config
-     *                   instance to configure the generated version with.
-     */
-    public static function instance($prototype = null) {
-        if (!self::$instance || $prototype) {
-            if ($prototype instanceof HTMLPurifier) {
-                self::$instance = $prototype;
-            } elseif ($prototype) {
-                self::$instance = new HTMLPurifier($prototype);
-            } else {
-                self::$instance = new HTMLPurifier();
-            }
-        }
-        return self::$instance;
-    }
-
-    /**
-     * @note Backwards compatibility, see instance()
-     */
-    public static function getInstance($prototype = null) {
-        return HTMLPurifier::instance($prototype);
-    }
+	/** Version of HTML Purifier */
+	public $version = '4.4.0';
+
+	/** Constant with version of HTML Purifier */
+	const VERSION = '4.4.0';
+
+	/** Global configuration object */
+	public $config;
+
+	/** Array of extra HTMLPurifier_Filter objects to run on HTML, for backwards compatibility */
+	private $filters = array();
+
+	/** Single instance of HTML Purifier */
+	private static $instance;
+
+	protected $strategy, $generator;
+
+	/**
+	 * Resultant HTMLPurifier_Context of last run purification. Is an array
+	 * of contexts if the last called method was purifyArray().
+	 */
+	public $context;
+
+	/**
+	 * Initializes the purifier.
+	 * @param $config Optional HTMLPurifier_Config object for all instances of
+	 *                the purifier, if omitted, a default configuration is
+	 *                supplied (which can be overridden on a per-use basis).
+	 *                The parameter can also be any type that
+	 *                HTMLPurifier_Config::create() supports.
+	 */
+	public function __construct($config = null) {
+
+		$this->config = HTMLPurifier_Config::create($config);
+
+		$this->strategy     = new HTMLPurifier_Strategy_Core();
+
+	}
+
+	/**
+	 * Adds a filter to process the output. First come first serve
+	 * @param $filter HTMLPurifier_Filter object
+	 */
+	public function addFilter($filter) {
+		trigger_error('HTMLPurifier->addFilter() is deprecated, use configuration directives in the Filter namespace or Filter.Custom', E_USER_WARNING);
+		$this->filters[] = $filter;
+	}
+
+	/**
+	 * Filters an HTML snippet/document to be XSS-free and standards-compliant.
+	 *
+	 * @param $html String of HTML to purify
+	 * @param $config HTMLPurifier_Config object for this operation, if omitted,
+	 *                defaults to the config object specified during this
+	 *                object's construction. The parameter can also be any type
+	 *                that HTMLPurifier_Config::create() supports.
+	 * @return Purified HTML
+	 */
+	public function purify($html, $config = null) {
+
+		// :TODO: make the config merge in, instead of replace
+		$config = $config ? HTMLPurifier_Config::create($config) : $this->config;
+
+		// implementation is partially environment dependant, partially
+		// configuration dependant
+		$lexer = HTMLPurifier_Lexer::create($config);
+
+		$context = new HTMLPurifier_Context();
+
+		// setup HTML generator
+		$this->generator = new HTMLPurifier_Generator($config, $context);
+		$context->register('Generator', $this->generator);
+
+		// set up global context variables
+		if ($config->get('Core.CollectErrors')) {
+			// may get moved out if other facilities use it
+			$language_factory = HTMLPurifier_LanguageFactory::instance();
+			$language = $language_factory->create($config, $context);
+			$context->register('Locale', $language);
+
+			$error_collector = new HTMLPurifier_ErrorCollector($context);
+			$context->register('ErrorCollector', $error_collector);
+		}
+
+		// setup id_accumulator context, necessary due to the fact that
+		// AttrValidator can be called from many places
+		$id_accumulator = HTMLPurifier_IDAccumulator::build($config, $context);
+		$context->register('IDAccumulator', $id_accumulator);
+
+		$html = HTMLPurifier_Encoder::convertToUTF8($html, $config, $context);
+
+		// setup filters
+		$filter_flags = $config->getBatch('Filter');
+		$custom_filters = $filter_flags['Custom'];
+		unset($filter_flags['Custom']);
+		$filters = array();
+		foreach ($filter_flags as $filter => $flag) {
+			if (!$flag) continue;
+			if (strpos($filter, '.') !== false) continue;
+			$class = "HTMLPurifier_Filter_$filter";
+			$filters[] = new $class;
+		}
+		foreach ($custom_filters as $filter) {
+			// maybe "HTMLPurifier_Filter_$filter", but be consistent with AutoFormat
+			$filters[] = $filter;
+		}
+		$filters = array_merge($filters, $this->filters);
+		// maybe prepare(), but later
+
+		for ($i = 0, $filter_size = count($filters); $i < $filter_size; $i++) {
+			$html = $filters[$i]->preFilter($html, $config, $context);
+		}
+
+		// purified HTML
+		$html =
+			$this->generator->generateFromTokens(
+				// list of tokens
+				$this->strategy->execute(
+					// list of un-purified tokens
+					$lexer->tokenizeHTML(
+						// un-purified HTML
+						$html, $config, $context
+					),
+					$config, $context
+				)
+			);
+
+		for ($i = $filter_size - 1; $i >= 0; $i--) {
+			$html = $filters[$i]->postFilter($html, $config, $context);
+		}
+
+		$html = HTMLPurifier_Encoder::convertFromUTF8($html, $config, $context);
+		$this->context =& $context;
+		return $html;
+	}
+
+	/**
+	 * Filters an array of HTML snippets
+	 * @param $config Optional HTMLPurifier_Config object for this operation.
+	 *                See HTMLPurifier::purify() for more details.
+	 * @return Array of purified HTML
+	 */
+	public function purifyArray($array_of_html, $config = null) {
+		$context_array = array();
+		foreach ($array_of_html as $key => $html) {
+			$array_of_html[$key] = $this->purify($html, $config);
+			$context_array[$key] = $this->context;
+		}
+		$this->context = $context_array;
+		return $array_of_html;
+	}
+
+	/**
+	 * Singleton for enforcing just one HTML Purifier in your system
+	 * @param $prototype Optional prototype HTMLPurifier instance to
+	 *                   overload singleton with, or HTMLPurifier_Config
+	 *                   instance to configure the generated version with.
+	 */
+	public static function instance($prototype = null) {
+		if (!self::$instance || $prototype) {
+			if ($prototype instanceof HTMLPurifier) {
+				self::$instance = $prototype;
+			} elseif ($prototype) {
+				self::$instance = new HTMLPurifier($prototype);
+			} else {
+				self::$instance = new HTMLPurifier();
+			}
+		}
+		return self::$instance;
+	}
+
+	/**
+	 * @note Backwards compatibility, see instance()
+	 */
+	public static function getInstance($prototype = null) {
+		return HTMLPurifier::instance($prototype);
+	}
 
 }
 

Spacing +2 added lines, -2 removed lines

@@ -89,7 +89,7 @@ 
 
         $this->config = HTMLPurifier_Config::create($config);
 
-        $this->strategy     = new HTMLPurifier_Strategy_Core();
+        $this->strategy = new HTMLPurifier_Strategy_Core();
 
     }
 
@@ -186,7 +186,7 @@ 
         }
 
         $html = HTMLPurifier_Encoder::convertFromUTF8($html, $config, $context);
-        $this->context =& $context;
+        $this->context = & $context;
         return $html;
     }
 

Braces +6 added lines, -2 removed lines

@@ -151,8 +151,12 @@
         unset($filter_flags['Custom']);
         $filters = array();
         foreach ($filter_flags as $filter => $flag) {
-            if (!$flag) continue;
-            if (strpos($filter, '.') !== false) continue;
+            if (!$flag) {
+            	continue;
+            }
+            if (strpos($filter, '.') !== false) {
+            	continue;
+            }
             $class = "HTMLPurifier_Filter_$filter";
             $filters[] = new $class;
         }

classes/security/htmlpurifier/library/HTMLPurifier/AttrCollections.php

Indentation +115 added lines, -115 removed lines

@@ -7,121 +7,121 @@
 class HTMLPurifier_AttrCollections
 {
 
-    /**
-     * Associative array of attribute collections, indexed by name
-     */
-    public $info = array();
-
-    /**
-     * Performs all expansions on internal data for use by other inclusions
-     * It also collects all attribute collection extensions from
-     * modules
-     * @param $attr_types HTMLPurifier_AttrTypes instance
-     * @param $modules Hash array of HTMLPurifier_HTMLModule members
-     */
-    public function __construct($attr_types, $modules) {
-        // load extensions from the modules
-        foreach ($modules as $module) {
-            foreach ($module->attr_collections as $coll_i => $coll) {
-                if (!isset($this->info[$coll_i])) {
-                    $this->info[$coll_i] = array();
-                }
-                foreach ($coll as $attr_i => $attr) {
-                    if ($attr_i === 0 && isset($this->info[$coll_i][$attr_i])) {
-                        // merge in includes
-                        $this->info[$coll_i][$attr_i] = array_merge(
-                            $this->info[$coll_i][$attr_i], $attr);
-                        continue;
-                    }
-                    $this->info[$coll_i][$attr_i] = $attr;
-                }
-            }
-        }
-        // perform internal expansions and inclusions
-        foreach ($this->info as $name => $attr) {
-            // merge attribute collections that include others
-            $this->performInclusions($this->info[$name]);
-            // replace string identifiers with actual attribute objects
-            $this->expandIdentifiers($this->info[$name], $attr_types);
-        }
-    }
-
-    /**
-     * Takes a reference to an attribute associative array and performs
-     * all inclusions specified by the zero index.
-     * @param &$attr Reference to attribute array
-     */
-    public function performInclusions(&$attr) {
-        if (!isset($attr[0])) return;
-        $merge = $attr[0];
-        $seen  = array(); // recursion guard
-        // loop through all the inclusions
-        for ($i = 0; isset($merge[$i]); $i++) {
-            if (isset($seen[$merge[$i]])) continue;
-            $seen[$merge[$i]] = true;
-            // foreach attribute of the inclusion, copy it over
-            if (!isset($this->info[$merge[$i]])) continue;
-            foreach ($this->info[$merge[$i]] as $key => $value) {
-                if (isset($attr[$key])) continue; // also catches more inclusions
-                $attr[$key] = $value;
-            }
-            if (isset($this->info[$merge[$i]][0])) {
-                // recursion
-                $merge = array_merge($merge, $this->info[$merge[$i]][0]);
-            }
-        }
-        unset($attr[0]);
-    }
-
-    /**
-     * Expands all string identifiers in an attribute array by replacing
-     * them with the appropriate values inside HTMLPurifier_AttrTypes
-     * @param &$attr Reference to attribute array
-     * @param $attr_types HTMLPurifier_AttrTypes instance
-     */
-    public function expandIdentifiers(&$attr, $attr_types) {
-
-        // because foreach will process new elements we add, make sure we
-        // skip duplicates
-        $processed = array();
-
-        foreach ($attr as $def_i => $def) {
-            // skip inclusions
-            if ($def_i === 0) continue;
-
-            if (isset($processed[$def_i])) continue;
-
-            // determine whether or not attribute is required
-            if ($required = (strpos($def_i, '*') !== false)) {
-                // rename the definition
-                unset($attr[$def_i]);
-                $def_i = trim($def_i, '*');
-                $attr[$def_i] = $def;
-            }
-
-            $processed[$def_i] = true;
-
-            // if we've already got a literal object, move on
-            if (is_object($def)) {
-                // preserve previous required
-                $attr[$def_i]->required = ($required || $attr[$def_i]->required);
-                continue;
-            }
-
-            if ($def === false) {
-                unset($attr[$def_i]);
-                continue;
-            }
-
-            if ($t = $attr_types->get($def)) {
-                $attr[$def_i] = $t;
-                $attr[$def_i]->required = $required;
-            } else {
-                unset($attr[$def_i]);
-            }
-        }
-
-    }
+	/**
+	 * Associative array of attribute collections, indexed by name
+	 */
+	public $info = array();
+
+	/**
+	 * Performs all expansions on internal data for use by other inclusions
+	 * It also collects all attribute collection extensions from
+	 * modules
+	 * @param $attr_types HTMLPurifier_AttrTypes instance
+	 * @param $modules Hash array of HTMLPurifier_HTMLModule members
+	 */
+	public function __construct($attr_types, $modules) {
+		// load extensions from the modules
+		foreach ($modules as $module) {
+			foreach ($module->attr_collections as $coll_i => $coll) {
+				if (!isset($this->info[$coll_i])) {
+					$this->info[$coll_i] = array();
+				}
+				foreach ($coll as $attr_i => $attr) {
+					if ($attr_i === 0 && isset($this->info[$coll_i][$attr_i])) {
+						// merge in includes
+						$this->info[$coll_i][$attr_i] = array_merge(
+							$this->info[$coll_i][$attr_i], $attr);
+						continue;
+					}
+					$this->info[$coll_i][$attr_i] = $attr;
+				}
+			}
+		}
+		// perform internal expansions and inclusions
+		foreach ($this->info as $name => $attr) {
+			// merge attribute collections that include others
+			$this->performInclusions($this->info[$name]);
+			// replace string identifiers with actual attribute objects
+			$this->expandIdentifiers($this->info[$name], $attr_types);
+		}
+	}
+
+	/**
+	 * Takes a reference to an attribute associative array and performs
+	 * all inclusions specified by the zero index.
+	 * @param &$attr Reference to attribute array
+	 */
+	public function performInclusions(&$attr) {
+		if (!isset($attr[0])) return;
+		$merge = $attr[0];
+		$seen  = array(); // recursion guard
+		// loop through all the inclusions
+		for ($i = 0; isset($merge[$i]); $i++) {
+			if (isset($seen[$merge[$i]])) continue;
+			$seen[$merge[$i]] = true;
+			// foreach attribute of the inclusion, copy it over
+			if (!isset($this->info[$merge[$i]])) continue;
+			foreach ($this->info[$merge[$i]] as $key => $value) {
+				if (isset($attr[$key])) continue; // also catches more inclusions
+				$attr[$key] = $value;
+			}
+			if (isset($this->info[$merge[$i]][0])) {
+				// recursion
+				$merge = array_merge($merge, $this->info[$merge[$i]][0]);
+			}
+		}
+		unset($attr[0]);
+	}
+
+	/**
+	 * Expands all string identifiers in an attribute array by replacing
+	 * them with the appropriate values inside HTMLPurifier_AttrTypes
+	 * @param &$attr Reference to attribute array
+	 * @param $attr_types HTMLPurifier_AttrTypes instance
+	 */
+	public function expandIdentifiers(&$attr, $attr_types) {
+
+		// because foreach will process new elements we add, make sure we
+		// skip duplicates
+		$processed = array();
+
+		foreach ($attr as $def_i => $def) {
+			// skip inclusions
+			if ($def_i === 0) continue;
+
+			if (isset($processed[$def_i])) continue;
+
+			// determine whether or not attribute is required
+			if ($required = (strpos($def_i, '*') !== false)) {
+				// rename the definition
+				unset($attr[$def_i]);
+				$def_i = trim($def_i, '*');
+				$attr[$def_i] = $def;
+			}
+
+			$processed[$def_i] = true;
+
+			// if we've already got a literal object, move on
+			if (is_object($def)) {
+				// preserve previous required
+				$attr[$def_i]->required = ($required || $attr[$def_i]->required);
+				continue;
+			}
+
+			if ($def === false) {
+				unset($attr[$def_i]);
+				continue;
+			}
+
+			if ($t = $attr_types->get($def)) {
+				$attr[$def_i] = $t;
+				$attr[$def_i]->required = $required;
+			} else {
+				unset($attr[$def_i]);
+			}
+		}
+
+	}
 
 }
 

Braces +19 added lines, -6 removed lines

@@ -52,17 +52,26 @@ 
      * @param &$attr Reference to attribute array
      */
     public function performInclusions(&$attr) {
-        if (!isset($attr[0])) return;
+        if (!isset($attr[0])) {
+        	return;
+        }
         $merge = $attr[0];
         $seen  = array(); // recursion guard
         // loop through all the inclusions
         for ($i = 0; isset($merge[$i]); $i++) {
-            if (isset($seen[$merge[$i]])) continue;
+            if (isset($seen[$merge[$i]])) {
+            	continue;
+            }
             $seen[$merge[$i]] = true;
             // foreach attribute of the inclusion, copy it over
-            if (!isset($this->info[$merge[$i]])) continue;
+            if (!isset($this->info[$merge[$i]])) {
+            	continue;
+            }
             foreach ($this->info[$merge[$i]] as $key => $value) {
-                if (isset($attr[$key])) continue; // also catches more inclusions
+                if (isset($attr[$key])) {
+                	continue;
+                }
+                // also catches more inclusions
                 $attr[$key] = $value;
             }
             if (isset($this->info[$merge[$i]][0])) {
@@ -87,9 +96,13 @@ 
 
         foreach ($attr as $def_i => $def) {
             // skip inclusions
-            if ($def_i === 0) continue;
+            if ($def_i === 0) {
+            	continue;
+            }
 
-            if (isset($processed[$def_i])) continue;
+            if (isset($processed[$def_i])) {
+            	continue;
+            }
 
             // determine whether or not attribute is required
             if ($required = (strpos($def_i, '*') !== false)) {

classes/security/htmlpurifier/library/HTMLPurifier/AttrDef.php

Indentation +98 added lines, -98 removed lines

@@ -13,110 +13,110 @@
 abstract class HTMLPurifier_AttrDef
 {
 
-    /**
-     * Tells us whether or not an HTML attribute is minimized. Has no
-     * meaning in other contexts.
-     */
-    public $minimized = false;
+	/**
+	 * Tells us whether or not an HTML attribute is minimized. Has no
+	 * meaning in other contexts.
+	 */
+	public $minimized = false;
 
-    /**
-     * Tells us whether or not an HTML attribute is required. Has no
-     * meaning in other contexts
-     */
-    public $required = false;
+	/**
+	 * Tells us whether or not an HTML attribute is required. Has no
+	 * meaning in other contexts
+	 */
+	public $required = false;
 
-    /**
-     * Validates and cleans passed string according to a definition.
-     *
-     * @param $string String to be validated and cleaned.
-     * @param $config Mandatory HTMLPurifier_Config object.
-     * @param $context Mandatory HTMLPurifier_AttrContext object.
-     */
-    abstract public function validate($string, $config, $context);
+	/**
+	 * Validates and cleans passed string according to a definition.
+	 *
+	 * @param $string String to be validated and cleaned.
+	 * @param $config Mandatory HTMLPurifier_Config object.
+	 * @param $context Mandatory HTMLPurifier_AttrContext object.
+	 */
+	abstract public function validate($string, $config, $context);
 
-    /**
-     * Convenience method that parses a string as if it were CDATA.
-     *
-     * This method process a string in the manner specified at
-     * <http://www.w3.org/TR/html4/types.html#h-6.2> by removing
-     * leading and trailing whitespace, ignoring line feeds, and replacing
-     * carriage returns and tabs with spaces.  While most useful for HTML
-     * attributes specified as CDATA, it can also be applied to most CSS
-     * values.
-     *
-     * @note This method is not entirely standards compliant, as trim() removes
-     *       more types of whitespace than specified in the spec. In practice,
-     *       this is rarely a problem, as those extra characters usually have
-     *       already been removed by HTMLPurifier_Encoder.
-     *
-     * @warning This processing is inconsistent with XML's whitespace handling
-     *          as specified by section 3.3.3 and referenced XHTML 1.0 section
-     *          4.7.  However, note that we are NOT necessarily
-     *          parsing XML, thus, this behavior may still be correct. We
-     *          assume that newlines have been normalized.
-     */
-    public function parseCDATA($string) {
-        $string = trim($string);
-        $string = str_replace(array("\n", "\t", "\r"), ' ', $string);
-        return $string;
-    }
+	/**
+	 * Convenience method that parses a string as if it were CDATA.
+	 *
+	 * This method process a string in the manner specified at
+	 * <http://www.w3.org/TR/html4/types.html#h-6.2> by removing
+	 * leading and trailing whitespace, ignoring line feeds, and replacing
+	 * carriage returns and tabs with spaces.  While most useful for HTML
+	 * attributes specified as CDATA, it can also be applied to most CSS
+	 * values.
+	 *
+	 * @note This method is not entirely standards compliant, as trim() removes
+	 *       more types of whitespace than specified in the spec. In practice,
+	 *       this is rarely a problem, as those extra characters usually have
+	 *       already been removed by HTMLPurifier_Encoder.
+	 *
+	 * @warning This processing is inconsistent with XML's whitespace handling
+	 *          as specified by section 3.3.3 and referenced XHTML 1.0 section
+	 *          4.7.  However, note that we are NOT necessarily
+	 *          parsing XML, thus, this behavior may still be correct. We
+	 *          assume that newlines have been normalized.
+	 */
+	public function parseCDATA($string) {
+		$string = trim($string);
+		$string = str_replace(array("\n", "\t", "\r"), ' ', $string);
+		return $string;
+	}
 
-    /**
-     * Factory method for creating this class from a string.
-     * @param $string String construction info
-     * @return Created AttrDef object corresponding to $string
-     */
-    public function make($string) {
-        // default implementation, return a flyweight of this object.
-        // If $string has an effect on the returned object (i.e. you
-        // need to overload this method), it is best
-        // to clone or instantiate new copies. (Instantiation is safer.)
-        return $this;
-    }
+	/**
+	 * Factory method for creating this class from a string.
+	 * @param $string String construction info
+	 * @return Created AttrDef object corresponding to $string
+	 */
+	public function make($string) {
+		// default implementation, return a flyweight of this object.
+		// If $string has an effect on the returned object (i.e. you
+		// need to overload this method), it is best
+		// to clone or instantiate new copies. (Instantiation is safer.)
+		return $this;
+	}
 
-    /**
-     * Removes spaces from rgb(0, 0, 0) so that shorthand CSS properties work
-     * properly. THIS IS A HACK!
-     */
-    protected function mungeRgb($string) {
-        return preg_replace('/rgb\((\d+)\s*,\s*(\d+)\s*,\s*(\d+)\)/', 'rgb(\1,\2,\3)', $string);
-    }
+	/**
+	 * Removes spaces from rgb(0, 0, 0) so that shorthand CSS properties work
+	 * properly. THIS IS A HACK!
+	 */
+	protected function mungeRgb($string) {
+		return preg_replace('/rgb\((\d+)\s*,\s*(\d+)\s*,\s*(\d+)\)/', 'rgb(\1,\2,\3)', $string);
+	}
 
-    /**
-     * Parses a possibly escaped CSS string and returns the "pure" 
-     * version of it.
-     */
-    protected function expandCSSEscape($string) {
-        // flexibly parse it
-        $ret = '';
-        for ($i = 0, $c = strlen($string); $i < $c; $i++) {
-            if ($string[$i] === '\\') {
-                $i++;
-                if ($i >= $c) {
-                    $ret .= '\\';
-                    break;
-                }
-                if (ctype_xdigit($string[$i])) {
-                    $code = $string[$i];
-                    for ($a = 1, $i++; $i < $c && $a < 6; $i++, $a++) {
-                        if (!ctype_xdigit($string[$i])) break;
-                        $code .= $string[$i];
-                    }
-                    // We have to be extremely careful when adding
-                    // new characters, to make sure we're not breaking
-                    // the encoding.
-                    $char = HTMLPurifier_Encoder::unichr(hexdec($code));
-                    if (HTMLPurifier_Encoder::cleanUTF8($char) === '') continue;
-                    $ret .= $char;
-                    if ($i < $c && trim($string[$i]) !== '') $i--;
-                    continue;
-                }
-                if ($string[$i] === "\n") continue;
-            }
-            $ret .= $string[$i];
-        }
-        return $ret;
-    }
+	/**
+	 * Parses a possibly escaped CSS string and returns the "pure" 
+	 * version of it.
+	 */
+	protected function expandCSSEscape($string) {
+		// flexibly parse it
+		$ret = '';
+		for ($i = 0, $c = strlen($string); $i < $c; $i++) {
+			if ($string[$i] === '\\') {
+				$i++;
+				if ($i >= $c) {
+					$ret .= '\\';
+					break;
+				}
+				if (ctype_xdigit($string[$i])) {
+					$code = $string[$i];
+					for ($a = 1, $i++; $i < $c && $a < 6; $i++, $a++) {
+						if (!ctype_xdigit($string[$i])) break;
+						$code .= $string[$i];
+					}
+					// We have to be extremely careful when adding
+					// new characters, to make sure we're not breaking
+					// the encoding.
+					$char = HTMLPurifier_Encoder::unichr(hexdec($code));
+					if (HTMLPurifier_Encoder::cleanUTF8($char) === '') continue;
+					$ret .= $char;
+					if ($i < $c && trim($string[$i]) !== '') $i--;
+					continue;
+				}
+				if ($string[$i] === "\n") continue;
+			}
+			$ret .= $string[$i];
+		}
+		return $ret;
+	}
 
 }
 

Braces +12 added lines, -4 removed lines

@@ -99,19 +99,27 @@
                 if (ctype_xdigit($string[$i])) {
                     $code = $string[$i];
                     for ($a = 1, $i++; $i < $c && $a < 6; $i++, $a++) {
-                        if (!ctype_xdigit($string[$i])) break;
+                        if (!ctype_xdigit($string[$i])) {
+                        	break;
+                        }
                         $code .= $string[$i];
                     }
                     // We have to be extremely careful when adding
                     // new characters, to make sure we're not breaking
                     // the encoding.
                     $char = HTMLPurifier_Encoder::unichr(hexdec($code));
-                    if (HTMLPurifier_Encoder::cleanUTF8($char) === '') continue;
+                    if (HTMLPurifier_Encoder::cleanUTF8($char) === '') {
+                    	continue;
+                    }
                     $ret .= $char;
-                    if ($i < $c && trim($string[$i]) !== '') $i--;
+                    if ($i < $c && trim($string[$i]) !== '') {
+                    	$i--;
+                    }
                     continue;
                 }
-                if ($string[$i] === "\n") continue;
+                if ($string[$i] === "\n") {
+                	continue;
+                }
             }
             $ret .= $string[$i];
         }