xpressengine / xe-core

classes/security/htmlpurifier/library/HTMLPurifier/Filter.php

Indentation +16 added lines, -16 removed lines

@@ -22,24 +22,24 @@
 class HTMLPurifier_Filter
 {
 
-    /**
-     * Name of the filter for identification purposes
-     */
-    public $name;
+	/**
+	 * Name of the filter for identification purposes
+	 */
+	public $name;
 
-    /**
-     * Pre-processor function, handles HTML before HTML Purifier
-     */
-    public function preFilter($html, $config, $context) {
-        return $html;
-    }
+	/**
+	 * Pre-processor function, handles HTML before HTML Purifier
+	 */
+	public function preFilter($html, $config, $context) {
+		return $html;
+	}
 
-    /**
-     * Post-processor function, handles HTML after HTML Purifier
-     */
-    public function postFilter($html, $config, $context) {
-        return $html;
-    }
+	/**
+	 * Post-processor function, handles HTML after HTML Purifier
+	 */
+	public function postFilter($html, $config, $context) {
+		return $html;
+	}
 
 }
 

classes/security/htmlpurifier/library/HTMLPurifier/Filter/ExtractStyleBlocks.php

Indentation +253 added lines, -253 removed lines

@@ -23,265 +23,265 @@
 class HTMLPurifier_Filter_ExtractStyleBlocks extends HTMLPurifier_Filter
 {
 
-    public $name = 'ExtractStyleBlocks';
-    private $_styleMatches = array();
-    private $_tidy;
+	public $name = 'ExtractStyleBlocks';
+	private $_styleMatches = array();
+	private $_tidy;
 
-    private $_id_attrdef;
-    private $_class_attrdef;
-    private $_enum_attrdef;
+	private $_id_attrdef;
+	private $_class_attrdef;
+	private $_enum_attrdef;
 
-    public function __construct() {
-        $this->_tidy = new csstidy();
-        $this->_id_attrdef = new HTMLPurifier_AttrDef_HTML_ID(true);
-        $this->_class_attrdef = new HTMLPurifier_AttrDef_CSS_Ident();
-        $this->_enum_attrdef = new HTMLPurifier_AttrDef_Enum(array('first-child', 'link', 'visited', 'active', 'hover', 'focus'));
-    }
+	public function __construct() {
+		$this->_tidy = new csstidy();
+		$this->_id_attrdef = new HTMLPurifier_AttrDef_HTML_ID(true);
+		$this->_class_attrdef = new HTMLPurifier_AttrDef_CSS_Ident();
+		$this->_enum_attrdef = new HTMLPurifier_AttrDef_Enum(array('first-child', 'link', 'visited', 'active', 'hover', 'focus'));
+	}
 
-    /**
-     * Save the contents of CSS blocks to style matches
-     * @param $matches preg_replace style $matches array
-     */
-    protected function styleCallback($matches) {
-        $this->_styleMatches[] = $matches[1];
-    }
+	/**
+	 * Save the contents of CSS blocks to style matches
+	 * @param $matches preg_replace style $matches array
+	 */
+	protected function styleCallback($matches) {
+		$this->_styleMatches[] = $matches[1];
+	}
 
-    /**
-     * Removes inline <style> tags from HTML, saves them for later use
-     * @todo Extend to indicate non-text/css style blocks
-     */
-    public function preFilter($html, $config, $context) {
-        $tidy = $config->get('Filter.ExtractStyleBlocks.TidyImpl');
-        if ($tidy !== null) $this->_tidy = $tidy;
-        $html = preg_replace_callback('#<style(?:\s.*)?>(.+)</style>#isU', array($this, 'styleCallback'), $html);
-        $style_blocks = $this->_styleMatches;
-        $this->_styleMatches = array(); // reset
-        $context->register('StyleBlocks', $style_blocks); // $context must not be reused
-        if ($this->_tidy) {
-            foreach ($style_blocks as &$style) {
-                $style = $this->cleanCSS($style, $config, $context);
-            }
-        }
-        return $html;
-    }
+	/**
+	 * Removes inline <style> tags from HTML, saves them for later use
+	 * @todo Extend to indicate non-text/css style blocks
+	 */
+	public function preFilter($html, $config, $context) {
+		$tidy = $config->get('Filter.ExtractStyleBlocks.TidyImpl');
+		if ($tidy !== null) $this->_tidy = $tidy;
+		$html = preg_replace_callback('#<style(?:\s.*)?>(.+)</style>#isU', array($this, 'styleCallback'), $html);
+		$style_blocks = $this->_styleMatches;
+		$this->_styleMatches = array(); // reset
+		$context->register('StyleBlocks', $style_blocks); // $context must not be reused
+		if ($this->_tidy) {
+			foreach ($style_blocks as &$style) {
+				$style = $this->cleanCSS($style, $config, $context);
+			}
+		}
+		return $html;
+	}
 
-    /**
-     * Takes CSS (the stuff found in <style>) and cleans it.
-     * @warning Requires CSSTidy <http://csstidy.sourceforge.net/>
-     * @param $css     CSS styling to clean
-     * @param $config  Instance of HTMLPurifier_Config
-     * @param $context Instance of HTMLPurifier_Context
-     * @return Cleaned CSS
-     */
-    public function cleanCSS($css, $config, $context) {
-        // prepare scope
-        $scope = $config->get('Filter.ExtractStyleBlocks.Scope');
-        if ($scope !== null) {
-            $scopes = array_map('trim', explode(',', $scope));
-        } else {
-            $scopes = array();
-        }
-        // remove comments from CSS
-        $css = trim($css);
-        if (strncmp('<!--', $css, 4) === 0) {
-            $css = substr($css, 4);
-        }
-        if (strlen($css) > 3 && substr($css, -3) == '-->') {
-            $css = substr($css, 0, -3);
-        }
-        $css = trim($css);
-        set_error_handler('htmlpurifier_filter_extractstyleblocks_muteerrorhandler');
-        $this->_tidy->parse($css);
-        restore_error_handler();
-        $css_definition = $config->getDefinition('CSS');
-        $html_definition = $config->getDefinition('HTML');
-        $new_css = array();
-        foreach ($this->_tidy->css as $k => $decls) {
-            // $decls are all CSS declarations inside an @ selector
-            $new_decls = array();
-            foreach ($decls as $selector => $style) {
-                $selector = trim($selector);
-                if ($selector === '') continue; // should not happen
-                // Parse the selector
-                // Here is the relevant part of the CSS grammar:
-                //
-                // ruleset
-                //   : selector [ ',' S* selector ]* '{' ...
-                // selector
-                //   : simple_selector [ combinator selector | S+ [ combinator? selector ]? ]?
-                // combinator
-                //   : '+' S*
-                //   : '>' S*
-                // simple_selector
-                //   : element_name [ HASH | class | attrib | pseudo ]*
-                //   | [ HASH | class | attrib | pseudo ]+
-                // element_name
-                //   : IDENT | '*'
-                //   ;
-                // class
-                //   : '.' IDENT
-                //   ;
-                // attrib
-                //   : '[' S* IDENT S* [ [ '=' | INCLUDES | DASHMATCH ] S*
-                //     [ IDENT | STRING ] S* ]? ']'
-                //   ;
-                // pseudo
-                //   : ':' [ IDENT | FUNCTION S* [IDENT S*]? ')' ]
-                //   ;
-                //
-                // For reference, here are the relevant tokens:
-                //
-                // HASH         #{name}
-                // IDENT        {ident}
-                // INCLUDES     ==
-                // DASHMATCH    |=
-                // STRING       {string}
-                // FUNCTION     {ident}\(
-                //
-                // And the lexical scanner tokens
-                //
-                // name         {nmchar}+
-                // nmchar       [_a-z0-9-]|{nonascii}|{escape}
-                // nonascii     [\240-\377]
-                // escape       {unicode}|\\[^\r\n\f0-9a-f]
-                // unicode      \\{h}}{1,6}(\r\n|[ \t\r\n\f])?
-                // ident        -?{nmstart}{nmchar*}
-                // nmstart      [_a-z]|{nonascii}|{escape}
-                // string       {string1}|{string2}
-                // string1      \"([^\n\r\f\\"]|\\{nl}|{escape})*\"
-                // string2      \'([^\n\r\f\\"]|\\{nl}|{escape})*\'
-                //
-                // We'll implement a subset (in order to reduce attack
-                // surface); in particular:
-                //
-                //      - No Unicode support
-                //      - No escapes support
-                //      - No string support (by proxy no attrib support)
-                //      - element_name is matched against allowed
-                //        elements (some people might find this
-                //        annoying...)
-                //      - Pseudo-elements one of :first-child, :link,
-                //        :visited, :active, :hover, :focus
+	/**
+	 * Takes CSS (the stuff found in <style>) and cleans it.
+	 * @warning Requires CSSTidy <http://csstidy.sourceforge.net/>
+	 * @param $css     CSS styling to clean
+	 * @param $config  Instance of HTMLPurifier_Config
+	 * @param $context Instance of HTMLPurifier_Context
+	 * @return Cleaned CSS
+	 */
+	public function cleanCSS($css, $config, $context) {
+		// prepare scope
+		$scope = $config->get('Filter.ExtractStyleBlocks.Scope');
+		if ($scope !== null) {
+			$scopes = array_map('trim', explode(',', $scope));
+		} else {
+			$scopes = array();
+		}
+		// remove comments from CSS
+		$css = trim($css);
+		if (strncmp('<!--', $css, 4) === 0) {
+			$css = substr($css, 4);
+		}
+		if (strlen($css) > 3 && substr($css, -3) == '-->') {
+			$css = substr($css, 0, -3);
+		}
+		$css = trim($css);
+		set_error_handler('htmlpurifier_filter_extractstyleblocks_muteerrorhandler');
+		$this->_tidy->parse($css);
+		restore_error_handler();
+		$css_definition = $config->getDefinition('CSS');
+		$html_definition = $config->getDefinition('HTML');
+		$new_css = array();
+		foreach ($this->_tidy->css as $k => $decls) {
+			// $decls are all CSS declarations inside an @ selector
+			$new_decls = array();
+			foreach ($decls as $selector => $style) {
+				$selector = trim($selector);
+				if ($selector === '') continue; // should not happen
+				// Parse the selector
+				// Here is the relevant part of the CSS grammar:
+				//
+				// ruleset
+				//   : selector [ ',' S* selector ]* '{' ...
+				// selector
+				//   : simple_selector [ combinator selector | S+ [ combinator? selector ]? ]?
+				// combinator
+				//   : '+' S*
+				//   : '>' S*
+				// simple_selector
+				//   : element_name [ HASH | class | attrib | pseudo ]*
+				//   | [ HASH | class | attrib | pseudo ]+
+				// element_name
+				//   : IDENT | '*'
+				//   ;
+				// class
+				//   : '.' IDENT
+				//   ;
+				// attrib
+				//   : '[' S* IDENT S* [ [ '=' | INCLUDES | DASHMATCH ] S*
+				//     [ IDENT | STRING ] S* ]? ']'
+				//   ;
+				// pseudo
+				//   : ':' [ IDENT | FUNCTION S* [IDENT S*]? ')' ]
+				//   ;
+				//
+				// For reference, here are the relevant tokens:
+				//
+				// HASH         #{name}
+				// IDENT        {ident}
+				// INCLUDES     ==
+				// DASHMATCH    |=
+				// STRING       {string}
+				// FUNCTION     {ident}\(
+				//
+				// And the lexical scanner tokens
+				//
+				// name         {nmchar}+
+				// nmchar       [_a-z0-9-]|{nonascii}|{escape}
+				// nonascii     [\240-\377]
+				// escape       {unicode}|\\[^\r\n\f0-9a-f]
+				// unicode      \\{h}}{1,6}(\r\n|[ \t\r\n\f])?
+				// ident        -?{nmstart}{nmchar*}
+				// nmstart      [_a-z]|{nonascii}|{escape}
+				// string       {string1}|{string2}
+				// string1      \"([^\n\r\f\\"]|\\{nl}|{escape})*\"
+				// string2      \'([^\n\r\f\\"]|\\{nl}|{escape})*\'
+				//
+				// We'll implement a subset (in order to reduce attack
+				// surface); in particular:
+				//
+				//      - No Unicode support
+				//      - No escapes support
+				//      - No string support (by proxy no attrib support)
+				//      - element_name is matched against allowed
+				//        elements (some people might find this
+				//        annoying...)
+				//      - Pseudo-elements one of :first-child, :link,
+				//        :visited, :active, :hover, :focus
 
-                // handle ruleset
-                $selectors = array_map('trim', explode(',', $selector));
-                $new_selectors = array();
-                foreach ($selectors as $sel) {
-                    // split on +, > and spaces
-                    $basic_selectors = preg_split('/\s*([+> ])\s*/', $sel, -1, PREG_SPLIT_DELIM_CAPTURE);
-                    // even indices are chunks, odd indices are
-                    // delimiters
-                    $nsel = null;
-                    $delim = null; // guaranteed to be non-null after
-                                   // two loop iterations
-                    for ($i = 0, $c = count($basic_selectors); $i < $c; $i++) {
-                        $x = $basic_selectors[$i];
-                        if ($i % 2) {
-                            // delimiter
-                            if ($x === ' ') {
-                                $delim = ' ';
-                            } else {
-                                $delim = ' ' . $x . ' ';
-                            }
-                        } else {
-                            // simple selector
-                            $components = preg_split('/([#.:])/', $x, -1, PREG_SPLIT_DELIM_CAPTURE);
-                            $sdelim = null;
-                            $nx = null;
-                            for ($j = 0, $cc = count($components); $j < $cc; $j ++) {
-                                $y = $components[$j];
-                                if ($j === 0) {
-                                    if ($y === '*' || isset($html_definition->info[$y = strtolower($y)])) {
-                                        $nx = $y;
-                                    } else {
-                                        // $nx stays null; this matters
-                                        // if we don't manage to find
-                                        // any valid selector content,
-                                        // in which case we ignore the
-                                        // outer $delim
-                                    }
-                                } elseif ($j % 2) {
-                                    // set delimiter
-                                    $sdelim = $y;
-                                } else {
-                                    $attrdef = null;
-                                    if ($sdelim === '#') {
-                                        $attrdef = $this->_id_attrdef;
-                                    } elseif ($sdelim === '.') {
-                                        $attrdef = $this->_class_attrdef;
-                                    } elseif ($sdelim === ':') {
-                                        $attrdef = $this->_enum_attrdef;
-                                    } else {
-                                        throw new HTMLPurifier_Exception('broken invariant sdelim and preg_split');
-                                    }
-                                    $r = $attrdef->validate($y, $config, $context);
-                                    if ($r !== false) {
-                                        if ($r !== true) {
-                                            $y = $r;
-                                        }
-                                        if ($nx === null) {
-                                            $nx = '';
-                                        }
-                                        $nx .= $sdelim . $y;
-                                    }
-                                }
-                            }
-                            if ($nx !== null) {
-                                if ($nsel === null) {
-                                    $nsel = $nx;
-                                } else {
-                                    $nsel .= $delim . $nx;
-                                }
-                            } else {
-                                // delimiters to the left of invalid
-                                // basic selector ignored
-                            }
-                        }
-                    }
-                    if ($nsel !== null) {
-                        if (!empty($scopes)) {
-                            foreach ($scopes as $s) {
-                                $new_selectors[] = "$s $nsel";
-                            }
-                        } else {
-                            $new_selectors[] = $nsel;
-                        }
-                    }
-                }
-                if (empty($new_selectors)) continue;
-                $selector = implode(', ', $new_selectors);
-                foreach ($style as $name => $value) {
-                    if (!isset($css_definition->info[$name])) {
-                        unset($style[$name]);
-                        continue;
-                    }
-                    $def = $css_definition->info[$name];
-                    $ret = $def->validate($value, $config, $context);
-                    if ($ret === false) unset($style[$name]);
-                    else $style[$name] = $ret;
-                }
-                $new_decls[$selector] = $style;
-            }
-            $new_css[$k] = $new_decls;
-        }
-        // remove stuff that shouldn't be used, could be reenabled
-        // after security risks are analyzed
-        $this->_tidy->css = $new_css;
-        $this->_tidy->import = array();
-        $this->_tidy->charset = null;
-        $this->_tidy->namespace = null;
-        $css = $this->_tidy->print->plain();
-        // we are going to escape any special characters <>& to ensure
-        // that no funny business occurs (i.e. </style> in a font-family prop).
-        if ($config->get('Filter.ExtractStyleBlocks.Escaping')) {
-            $css = str_replace(
-                array('<',    '>',    '&'),
-                array('\3C ', '\3E ', '\26 '),
-                $css
-            );
-        }
-        return $css;
-    }
+				// handle ruleset
+				$selectors = array_map('trim', explode(',', $selector));
+				$new_selectors = array();
+				foreach ($selectors as $sel) {
+					// split on +, > and spaces
+					$basic_selectors = preg_split('/\s*([+> ])\s*/', $sel, -1, PREG_SPLIT_DELIM_CAPTURE);
+					// even indices are chunks, odd indices are
+					// delimiters
+					$nsel = null;
+					$delim = null; // guaranteed to be non-null after
+								   // two loop iterations
+					for ($i = 0, $c = count($basic_selectors); $i < $c; $i++) {
+						$x = $basic_selectors[$i];
+						if ($i % 2) {
+							// delimiter
+							if ($x === ' ') {
+								$delim = ' ';
+							} else {
+								$delim = ' ' . $x . ' ';
+							}
+						} else {
+							// simple selector
+							$components = preg_split('/([#.:])/', $x, -1, PREG_SPLIT_DELIM_CAPTURE);
+							$sdelim = null;
+							$nx = null;
+							for ($j = 0, $cc = count($components); $j < $cc; $j ++) {
+								$y = $components[$j];
+								if ($j === 0) {
+									if ($y === '*' || isset($html_definition->info[$y = strtolower($y)])) {
+										$nx = $y;
+									} else {
+										// $nx stays null; this matters
+										// if we don't manage to find
+										// any valid selector content,
+										// in which case we ignore the
+										// outer $delim
+									}
+								} elseif ($j % 2) {
+									// set delimiter
+									$sdelim = $y;
+								} else {
+									$attrdef = null;
+									if ($sdelim === '#') {
+										$attrdef = $this->_id_attrdef;
+									} elseif ($sdelim === '.') {
+										$attrdef = $this->_class_attrdef;
+									} elseif ($sdelim === ':') {
+										$attrdef = $this->_enum_attrdef;
+									} else {
+										throw new HTMLPurifier_Exception('broken invariant sdelim and preg_split');
+									}
+									$r = $attrdef->validate($y, $config, $context);
+									if ($r !== false) {
+										if ($r !== true) {
+											$y = $r;
+										}
+										if ($nx === null) {
+											$nx = '';
+										}
+										$nx .= $sdelim . $y;
+									}
+								}
+							}
+							if ($nx !== null) {
+								if ($nsel === null) {
+									$nsel = $nx;
+								} else {
+									$nsel .= $delim . $nx;
+								}
+							} else {
+								// delimiters to the left of invalid
+								// basic selector ignored
+							}
+						}
+					}
+					if ($nsel !== null) {
+						if (!empty($scopes)) {
+							foreach ($scopes as $s) {
+								$new_selectors[] = "$s $nsel";
+							}
+						} else {
+							$new_selectors[] = $nsel;
+						}
+					}
+				}
+				if (empty($new_selectors)) continue;
+				$selector = implode(', ', $new_selectors);
+				foreach ($style as $name => $value) {
+					if (!isset($css_definition->info[$name])) {
+						unset($style[$name]);
+						continue;
+					}
+					$def = $css_definition->info[$name];
+					$ret = $def->validate($value, $config, $context);
+					if ($ret === false) unset($style[$name]);
+					else $style[$name] = $ret;
+				}
+				$new_decls[$selector] = $style;
+			}
+			$new_css[$k] = $new_decls;
+		}
+		// remove stuff that shouldn't be used, could be reenabled
+		// after security risks are analyzed
+		$this->_tidy->css = $new_css;
+		$this->_tidy->import = array();
+		$this->_tidy->charset = null;
+		$this->_tidy->namespace = null;
+		$css = $this->_tidy->print->plain();
+		// we are going to escape any special characters <>& to ensure
+		// that no funny business occurs (i.e. </style> in a font-family prop).
+		if ($config->get('Filter.ExtractStyleBlocks.Escaping')) {
+			$css = str_replace(
+				array('<',    '>',    '&'),
+				array('\3C ', '\3E ', '\26 '),
+				$css
+			);
+		}
+		return $css;
+	}
 
 }
 

Braces +15 added lines, -5 removed lines

@@ -52,7 +52,9 @@ 
      */
     public function preFilter($html, $config, $context) {
         $tidy = $config->get('Filter.ExtractStyleBlocks.TidyImpl');
-        if ($tidy !== null) $this->_tidy = $tidy;
+        if ($tidy !== null) {
+        	$this->_tidy = $tidy;
+        }
         $html = preg_replace_callback('#<style(?:\s.*)?>(.+)</style>#isU', array($this, 'styleCallback'), $html);
         $style_blocks = $this->_styleMatches;
         $this->_styleMatches = array(); // reset
@@ -101,7 +103,10 @@ 
             $new_decls = array();
             foreach ($decls as $selector => $style) {
                 $selector = trim($selector);
-                if ($selector === '') continue; // should not happen
+                if ($selector === '') {
+                	continue;
+                }
+                // should not happen
                 // Parse the selector
                 // Here is the relevant part of the CSS grammar:
                 //
@@ -248,7 +253,9 @@ 
                         }
                     }
                 }
-                if (empty($new_selectors)) continue;
+                if (empty($new_selectors)) {
+                	continue;
+                }
                 $selector = implode(', ', $new_selectors);
                 foreach ($style as $name => $value) {
                     if (!isset($css_definition->info[$name])) {
@@ -257,8 +264,11 @@ 
                     }
                     $def = $css_definition->info[$name];
                     $ret = $def->validate($value, $config, $context);
-                    if ($ret === false) unset($style[$name]);
-                    else $style[$name] = $ret;
+                    if ($ret === false) {
+                    	unset($style[$name]);
+                    } else {
+                    	$style[$name] = $ret;
+                    }
                 }
                 $new_decls[$selector] = $style;
             }

Spacing +5 added lines, -5 removed lines

@@ -181,14 +181,14 @@ 
                             if ($x === ' ') {
                                 $delim = ' ';
                             } else {
-                                $delim = ' ' . $x . ' ';
+                                $delim = ' '.$x.' ';
                             }
                         } else {
                             // simple selector
                             $components = preg_split('/([#.:])/', $x, -1, PREG_SPLIT_DELIM_CAPTURE);
                             $sdelim = null;
                             $nx = null;
-                            for ($j = 0, $cc = count($components); $j < $cc; $j ++) {
+                            for ($j = 0, $cc = count($components); $j < $cc; $j++) {
                                 $y = $components[$j];
                                 if ($j === 0) {
                                     if ($y === '*' || isset($html_definition->info[$y = strtolower($y)])) {
@@ -222,7 +222,7 @@ 
                                         if ($nx === null) {
                                             $nx = '';
                                         }
-                                        $nx .= $sdelim . $y;
+                                        $nx .= $sdelim.$y;
                                     }
                                 }
                             }
@@ -230,7 +230,7 @@ 
                                 if ($nsel === null) {
                                     $nsel = $nx;
                                 } else {
-                                    $nsel .= $delim . $nx;
+                                    $nsel .= $delim.$nx;
                                 }
                             } else {
                                 // delimiters to the left of invalid
@@ -275,7 +275,7 @@ 
         // that no funny business occurs (i.e. </style> in a font-family prop).
         if ($config->get('Filter.ExtractStyleBlocks.Escaping')) {
             $css = str_replace(
-                array('<',    '>',    '&'),
+                array('<', '>', '&'),
                 array('\3C ', '\3E ', '\26 '),
                 $css
             );

classes/security/htmlpurifier/library/HTMLPurifier/Filter/YouTube.php

Indentation +31 added lines, -31 removed lines

@@ -3,37 +3,37 @@
 class HTMLPurifier_Filter_YouTube extends HTMLPurifier_Filter
 {
 
-    public $name = 'YouTube';
-
-    public function preFilter($html, $config, $context) {
-        $pre_regex = '#<object[^>]+>.+?'.
-            'http://www.youtube.com/((?:v|cp)/[A-Za-z0-9\-_=]+).+?</object>#s';
-        $pre_replace = '<span class="youtube-embed">\1</span>';
-        return preg_replace($pre_regex, $pre_replace, $html);
-    }
-
-    public function postFilter($html, $config, $context) {
-        $post_regex = '#<span class="youtube-embed">((?:v|cp)/[A-Za-z0-9\-_=]+)</span>#';
-        return preg_replace_callback($post_regex, array($this, 'postFilterCallback'), $html);
-    }
-
-    protected function armorUrl($url) {
-        return str_replace('--', '-&#45;', $url);
-    }
-
-    protected function postFilterCallback($matches) {
-        $url = $this->armorUrl($matches[1]);
-        return '<object width="425" height="350" type="application/x-shockwave-flash" '.
-            'data="http://www.youtube.com/'.$url.'">'.
-            '<param name="movie" value="http://www.youtube.com/'.$url.'"></param>'.
-            '<!--[if IE]>'.
-            '<embed src="http://www.youtube.com/'.$url.'"'.
-            'type="application/x-shockwave-flash"'.
-            'wmode="transparent" width="425" height="350" />'.
-            '<![endif]-->'.
-            '</object>';
-
-    }
+	public $name = 'YouTube';
+
+	public function preFilter($html, $config, $context) {
+		$pre_regex = '#<object[^>]+>.+?'.
+			'http://www.youtube.com/((?:v|cp)/[A-Za-z0-9\-_=]+).+?</object>#s';
+		$pre_replace = '<span class="youtube-embed">\1</span>';
+		return preg_replace($pre_regex, $pre_replace, $html);
+	}
+
+	public function postFilter($html, $config, $context) {
+		$post_regex = '#<span class="youtube-embed">((?:v|cp)/[A-Za-z0-9\-_=]+)</span>#';
+		return preg_replace_callback($post_regex, array($this, 'postFilterCallback'), $html);
+	}
+
+	protected function armorUrl($url) {
+		return str_replace('--', '-&#45;', $url);
+	}
+
+	protected function postFilterCallback($matches) {
+		$url = $this->armorUrl($matches[1]);
+		return '<object width="425" height="350" type="application/x-shockwave-flash" '.
+			'data="http://www.youtube.com/'.$url.'">'.
+			'<param name="movie" value="http://www.youtube.com/'.$url.'"></param>'.
+			'<!--[if IE]>'.
+			'<embed src="http://www.youtube.com/'.$url.'"'.
+			'type="application/x-shockwave-flash"'.
+			'wmode="transparent" width="425" height="350" />'.
+			'<![endif]-->'.
+			'</object>';
+
+	}
 }
 
 // vim: et sw=4 sts=4

classes/security/htmlpurifier/library/HTMLPurifier/HTMLModule.php

Indentation +220 added lines, -220 removed lines

@@ -18,226 +18,226 @@
 class HTMLPurifier_HTMLModule
 {
 
-    // -- Overloadable ----------------------------------------------------
-
-    /**
-     * Short unique string identifier of the module
-     */
-    public $name;
-
-    /**
-     * Informally, a list of elements this module changes. Not used in
-     * any significant way.
-     */
-    public $elements = array();
-
-    /**
-     * Associative array of element names to element definitions.
-     * Some definitions may be incomplete, to be merged in later
-     * with the full definition.
-     */
-    public $info = array();
-
-    /**
-     * Associative array of content set names to content set additions.
-     * This is commonly used to, say, add an A element to the Inline
-     * content set. This corresponds to an internal variable $content_sets
-     * and NOT info_content_sets member variable of HTMLDefinition.
-     */
-    public $content_sets = array();
-
-    /**
-     * Associative array of attribute collection names to attribute
-     * collection additions. More rarely used for adding attributes to
-     * the global collections. Example is the StyleAttribute module adding
-     * the style attribute to the Core. Corresponds to HTMLDefinition's
-     * attr_collections->info, since the object's data is only info,
-     * with extra behavior associated with it.
-     */
-    public $attr_collections = array();
-
-    /**
-     * Associative array of deprecated tag name to HTMLPurifier_TagTransform
-     */
-    public $info_tag_transform = array();
-
-    /**
-     * List of HTMLPurifier_AttrTransform to be performed before validation.
-     */
-    public $info_attr_transform_pre = array();
-
-    /**
-     * List of HTMLPurifier_AttrTransform to be performed after validation.
-     */
-    public $info_attr_transform_post = array();
-
-    /**
-     * List of HTMLPurifier_Injector to be performed during well-formedness fixing.
-     * An injector will only be invoked if all of it's pre-requisites are met;
-     * if an injector fails setup, there will be no error; it will simply be
-     * silently disabled.
-     */
-    public $info_injector = array();
-
-    /**
-     * Boolean flag that indicates whether or not getChildDef is implemented.
-     * For optimization reasons: may save a call to a function. Be sure
-     * to set it if you do implement getChildDef(), otherwise it will have
-     * no effect!
-     */
-    public $defines_child_def = false;
-
-    /**
-     * Boolean flag whether or not this module is safe. If it is not safe, all
-     * of its members are unsafe. Modules are safe by default (this might be
-     * slightly dangerous, but it doesn't make much sense to force HTML Purifier,
-     * which is based off of safe HTML, to explicitly say, "This is safe," even
-     * though there are modules which are "unsafe")
-     *
-     * @note Previously, safety could be applied at an element level granularity.
-     *       We've removed this ability, so in order to add "unsafe" elements
-     *       or attributes, a dedicated module with this property set to false
-     *       must be used.
-     */
-    public $safe = true;
-
-    /**
-     * Retrieves a proper HTMLPurifier_ChildDef subclass based on
-     * content_model and content_model_type member variables of
-     * the HTMLPurifier_ElementDef class. There is a similar function
-     * in HTMLPurifier_HTMLDefinition.
-     * @param $def HTMLPurifier_ElementDef instance
-     * @return HTMLPurifier_ChildDef subclass
-     */
-    public function getChildDef($def) {return false;}
-
-    // -- Convenience -----------------------------------------------------
-
-    /**
-     * Convenience function that sets up a new element
-     * @param $element Name of element to add
-     * @param $type What content set should element be registered to?
-     *              Set as false to skip this step.
-     * @param $contents Allowed children in form of:
-     *              "$content_model_type: $content_model"
-     * @param $attr_includes What attribute collections to register to
-     *              element?
-     * @param $attr What unique attributes does the element define?
-     * @note See ElementDef for in-depth descriptions of these parameters.
-     * @return Created element definition object, so you
-     *         can set advanced parameters
-     */
-    public function addElement($element, $type, $contents, $attr_includes = array(), $attr = array()) {
-        $this->elements[] = $element;
-        // parse content_model
-        list($content_model_type, $content_model) = $this->parseContents($contents);
-        // merge in attribute inclusions
-        $this->mergeInAttrIncludes($attr, $attr_includes);
-        // add element to content sets
-        if ($type) $this->addElementToContentSet($element, $type);
-        // create element
-        $this->info[$element] = HTMLPurifier_ElementDef::create(
-            $content_model, $content_model_type, $attr
-        );
-        // literal object $contents means direct child manipulation
-        if (!is_string($contents)) $this->info[$element]->child = $contents;
-        return $this->info[$element];
-    }
-
-    /**
-     * Convenience function that creates a totally blank, non-standalone
-     * element.
-     * @param $element Name of element to create
-     * @return Created element
-     */
-    public function addBlankElement($element) {
-        if (!isset($this->info[$element])) {
-            $this->elements[] = $element;
-            $this->info[$element] = new HTMLPurifier_ElementDef();
-            $this->info[$element]->standalone = false;
-        } else {
-            trigger_error("Definition for $element already exists in module, cannot redefine");
-        }
-        return $this->info[$element];
-    }
-
-    /**
-     * Convenience function that registers an element to a content set
-     * @param Element to register
-     * @param Name content set (warning: case sensitive, usually upper-case
-     *        first letter)
-     */
-    public function addElementToContentSet($element, $type) {
-        if (!isset($this->content_sets[$type])) $this->content_sets[$type] = '';
-        else $this->content_sets[$type] .= ' | ';
-        $this->content_sets[$type] .= $element;
-    }
-
-    /**
-     * Convenience function that transforms single-string contents
-     * into separate content model and content model type
-     * @param $contents Allowed children in form of:
-     *                  "$content_model_type: $content_model"
-     * @note If contents is an object, an array of two nulls will be
-     *       returned, and the callee needs to take the original $contents
-     *       and use it directly.
-     */
-    public function parseContents($contents) {
-        if (!is_string($contents)) return array(null, null); // defer
-        switch ($contents) {
-            // check for shorthand content model forms
-            case 'Empty':
-                return array('empty', '');
-            case 'Inline':
-                return array('optional', 'Inline | #PCDATA');
-            case 'Flow':
-                return array('optional', 'Flow | #PCDATA');
-        }
-        list($content_model_type, $content_model) = explode(':', $contents);
-        $content_model_type = strtolower(trim($content_model_type));
-        $content_model = trim($content_model);
-        return array($content_model_type, $content_model);
-    }
-
-    /**
-     * Convenience function that merges a list of attribute includes into
-     * an attribute array.
-     * @param $attr Reference to attr array to modify
-     * @param $attr_includes Array of includes / string include to merge in
-     */
-    public function mergeInAttrIncludes(&$attr, $attr_includes) {
-        if (!is_array($attr_includes)) {
-            if (empty($attr_includes)) $attr_includes = array();
-            else $attr_includes = array($attr_includes);
-        }
-        $attr[0] = $attr_includes;
-    }
-
-    /**
-     * Convenience function that generates a lookup table with boolean
-     * true as value.
-     * @param $list List of values to turn into a lookup
-     * @note You can also pass an arbitrary number of arguments in
-     *       place of the regular argument
-     * @return Lookup array equivalent of list
-     */
-    public function makeLookup($list) {
-        if (is_string($list)) $list = func_get_args();
-        $ret = array();
-        foreach ($list as $value) {
-            if (is_null($value)) continue;
-            $ret[$value] = true;
-        }
-        return $ret;
-    }
-
-    /**
-     * Lazy load construction of the module after determining whether
-     * or not it's needed, and also when a finalized configuration object
-     * is available.
-     * @param $config Instance of HTMLPurifier_Config
-     */
-    public function setup($config) {}
+	// -- Overloadable ----------------------------------------------------
+
+	/**
+	 * Short unique string identifier of the module
+	 */
+	public $name;
+
+	/**
+	 * Informally, a list of elements this module changes. Not used in
+	 * any significant way.
+	 */
+	public $elements = array();
+
+	/**
+	 * Associative array of element names to element definitions.
+	 * Some definitions may be incomplete, to be merged in later
+	 * with the full definition.
+	 */
+	public $info = array();
+
+	/**
+	 * Associative array of content set names to content set additions.
+	 * This is commonly used to, say, add an A element to the Inline
+	 * content set. This corresponds to an internal variable $content_sets
+	 * and NOT info_content_sets member variable of HTMLDefinition.
+	 */
+	public $content_sets = array();
+
+	/**
+	 * Associative array of attribute collection names to attribute
+	 * collection additions. More rarely used for adding attributes to
+	 * the global collections. Example is the StyleAttribute module adding
+	 * the style attribute to the Core. Corresponds to HTMLDefinition's
+	 * attr_collections->info, since the object's data is only info,
+	 * with extra behavior associated with it.
+	 */
+	public $attr_collections = array();
+
+	/**
+	 * Associative array of deprecated tag name to HTMLPurifier_TagTransform
+	 */
+	public $info_tag_transform = array();
+
+	/**
+	 * List of HTMLPurifier_AttrTransform to be performed before validation.
+	 */
+	public $info_attr_transform_pre = array();
+
+	/**
+	 * List of HTMLPurifier_AttrTransform to be performed after validation.
+	 */
+	public $info_attr_transform_post = array();
+
+	/**
+	 * List of HTMLPurifier_Injector to be performed during well-formedness fixing.
+	 * An injector will only be invoked if all of it's pre-requisites are met;
+	 * if an injector fails setup, there will be no error; it will simply be
+	 * silently disabled.
+	 */
+	public $info_injector = array();
+
+	/**
+	 * Boolean flag that indicates whether or not getChildDef is implemented.
+	 * For optimization reasons: may save a call to a function. Be sure
+	 * to set it if you do implement getChildDef(), otherwise it will have
+	 * no effect!
+	 */
+	public $defines_child_def = false;
+
+	/**
+	 * Boolean flag whether or not this module is safe. If it is not safe, all
+	 * of its members are unsafe. Modules are safe by default (this might be
+	 * slightly dangerous, but it doesn't make much sense to force HTML Purifier,
+	 * which is based off of safe HTML, to explicitly say, "This is safe," even
+	 * though there are modules which are "unsafe")
+	 *
+	 * @note Previously, safety could be applied at an element level granularity.
+	 *       We've removed this ability, so in order to add "unsafe" elements
+	 *       or attributes, a dedicated module with this property set to false
+	 *       must be used.
+	 */
+	public $safe = true;
+
+	/**
+	 * Retrieves a proper HTMLPurifier_ChildDef subclass based on
+	 * content_model and content_model_type member variables of
+	 * the HTMLPurifier_ElementDef class. There is a similar function
+	 * in HTMLPurifier_HTMLDefinition.
+	 * @param $def HTMLPurifier_ElementDef instance
+	 * @return HTMLPurifier_ChildDef subclass
+	 */
+	public function getChildDef($def) {return false;}
+
+	// -- Convenience -----------------------------------------------------
+
+	/**
+	 * Convenience function that sets up a new element
+	 * @param $element Name of element to add
+	 * @param $type What content set should element be registered to?
+	 *              Set as false to skip this step.
+	 * @param $contents Allowed children in form of:
+	 *              "$content_model_type: $content_model"
+	 * @param $attr_includes What attribute collections to register to
+	 *              element?
+	 * @param $attr What unique attributes does the element define?
+	 * @note See ElementDef for in-depth descriptions of these parameters.
+	 * @return Created element definition object, so you
+	 *         can set advanced parameters
+	 */
+	public function addElement($element, $type, $contents, $attr_includes = array(), $attr = array()) {
+		$this->elements[] = $element;
+		// parse content_model
+		list($content_model_type, $content_model) = $this->parseContents($contents);
+		// merge in attribute inclusions
+		$this->mergeInAttrIncludes($attr, $attr_includes);
+		// add element to content sets
+		if ($type) $this->addElementToContentSet($element, $type);
+		// create element
+		$this->info[$element] = HTMLPurifier_ElementDef::create(
+			$content_model, $content_model_type, $attr
+		);
+		// literal object $contents means direct child manipulation
+		if (!is_string($contents)) $this->info[$element]->child = $contents;
+		return $this->info[$element];
+	}
+
+	/**
+	 * Convenience function that creates a totally blank, non-standalone
+	 * element.
+	 * @param $element Name of element to create
+	 * @return Created element
+	 */
+	public function addBlankElement($element) {
+		if (!isset($this->info[$element])) {
+			$this->elements[] = $element;
+			$this->info[$element] = new HTMLPurifier_ElementDef();
+			$this->info[$element]->standalone = false;
+		} else {
+			trigger_error("Definition for $element already exists in module, cannot redefine");
+		}
+		return $this->info[$element];
+	}
+
+	/**
+	 * Convenience function that registers an element to a content set
+	 * @param Element to register
+	 * @param Name content set (warning: case sensitive, usually upper-case
+	 *        first letter)
+	 */
+	public function addElementToContentSet($element, $type) {
+		if (!isset($this->content_sets[$type])) $this->content_sets[$type] = '';
+		else $this->content_sets[$type] .= ' | ';
+		$this->content_sets[$type] .= $element;
+	}
+
+	/**
+	 * Convenience function that transforms single-string contents
+	 * into separate content model and content model type
+	 * @param $contents Allowed children in form of:
+	 *                  "$content_model_type: $content_model"
+	 * @note If contents is an object, an array of two nulls will be
+	 *       returned, and the callee needs to take the original $contents
+	 *       and use it directly.
+	 */
+	public function parseContents($contents) {
+		if (!is_string($contents)) return array(null, null); // defer
+		switch ($contents) {
+			// check for shorthand content model forms
+			case 'Empty':
+				return array('empty', '');
+			case 'Inline':
+				return array('optional', 'Inline | #PCDATA');
+			case 'Flow':
+				return array('optional', 'Flow | #PCDATA');
+		}
+		list($content_model_type, $content_model) = explode(':', $contents);
+		$content_model_type = strtolower(trim($content_model_type));
+		$content_model = trim($content_model);
+		return array($content_model_type, $content_model);
+	}
+
+	/**
+	 * Convenience function that merges a list of attribute includes into
+	 * an attribute array.
+	 * @param $attr Reference to attr array to modify
+	 * @param $attr_includes Array of includes / string include to merge in
+	 */
+	public function mergeInAttrIncludes(&$attr, $attr_includes) {
+		if (!is_array($attr_includes)) {
+			if (empty($attr_includes)) $attr_includes = array();
+			else $attr_includes = array($attr_includes);
+		}
+		$attr[0] = $attr_includes;
+	}
+
+	/**
+	 * Convenience function that generates a lookup table with boolean
+	 * true as value.
+	 * @param $list List of values to turn into a lookup
+	 * @note You can also pass an arbitrary number of arguments in
+	 *       place of the regular argument
+	 * @return Lookup array equivalent of list
+	 */
+	public function makeLookup($list) {
+		if (is_string($list)) $list = func_get_args();
+		$ret = array();
+		foreach ($list as $value) {
+			if (is_null($value)) continue;
+			$ret[$value] = true;
+		}
+		return $ret;
+	}
+
+	/**
+	 * Lazy load construction of the module after determining whether
+	 * or not it's needed, and also when a finalized configuration object
+	 * is available.
+	 * @param $config Instance of HTMLPurifier_Config
+	 */
+	public function setup($config) {}
 
 }
 

Spacing +1 added lines, -1 removed lines

@@ -109,7 +109,7 @@
      * @param $def HTMLPurifier_ElementDef instance
      * @return HTMLPurifier_ChildDef subclass
      */
-    public function getChildDef($def) {return false;}
+    public function getChildDef($def) {return false; }
 
     // -- Convenience -----------------------------------------------------
 

Braces +26 added lines, -9 removed lines

@@ -134,13 +134,17 @@ 
         // merge in attribute inclusions
         $this->mergeInAttrIncludes($attr, $attr_includes);
         // add element to content sets
-        if ($type) $this->addElementToContentSet($element, $type);
+        if ($type) {
+        	$this->addElementToContentSet($element, $type);
+        }
         // create element
         $this->info[$element] = HTMLPurifier_ElementDef::create(
             $content_model, $content_model_type, $attr
         );
         // literal object $contents means direct child manipulation
-        if (!is_string($contents)) $this->info[$element]->child = $contents;
+        if (!is_string($contents)) {
+        	$this->info[$element]->child = $contents;
+        }
         return $this->info[$element];
     }
 
@@ -168,8 +172,11 @@ 
      *        first letter)
      */
     public function addElementToContentSet($element, $type) {
-        if (!isset($this->content_sets[$type])) $this->content_sets[$type] = '';
-        else $this->content_sets[$type] .= ' | ';
+        if (!isset($this->content_sets[$type])) {
+        	$this->content_sets[$type] = '';
+        } else {
+        	$this->content_sets[$type] .= ' | ';
+        }
         $this->content_sets[$type] .= $element;
     }
 
@@ -183,7 +190,10 @@ 
      *       and use it directly.
      */
     public function parseContents($contents) {
-        if (!is_string($contents)) return array(null, null); // defer
+        if (!is_string($contents)) {
+        	return array(null, null);
+        }
+        // defer
         switch ($contents) {
             // check for shorthand content model forms
             case 'Empty':
@@ -207,8 +217,11 @@ 
      */
     public function mergeInAttrIncludes(&$attr, $attr_includes) {
         if (!is_array($attr_includes)) {
-            if (empty($attr_includes)) $attr_includes = array();
-            else $attr_includes = array($attr_includes);
+            if (empty($attr_includes)) {
+            	$attr_includes = array();
+            } else {
+            	$attr_includes = array($attr_includes);
+            }
         }
         $attr[0] = $attr_includes;
     }
@@ -222,10 +235,14 @@ 
      * @return Lookup array equivalent of list
      */
     public function makeLookup($list) {
-        if (is_string($list)) $list = func_get_args();
+        if (is_string($list)) {
+        	$list = func_get_args();
+        }
         $ret = array();
         foreach ($list as $value) {
-            if (is_null($value)) continue;
+            if (is_null($value)) {
+            	continue;
+            }
             $ret[$value] = true;
         }
         return $ret;

classes/security/htmlpurifier/library/HTMLPurifier/HTMLModule/Bdo.php

Indentation +16 added lines, -16 removed lines

@@ -7,24 +7,24 @@
 class HTMLPurifier_HTMLModule_Bdo extends HTMLPurifier_HTMLModule
 {
 
-    public $name = 'Bdo';
-    public $attr_collections = array(
-        'I18N' => array('dir' => false)
-    );
+	public $name = 'Bdo';
+	public $attr_collections = array(
+		'I18N' => array('dir' => false)
+	);
 
-    public function setup($config) {
-        $bdo = $this->addElement(
-            'bdo', 'Inline', 'Inline', array('Core', 'Lang'),
-            array(
-                'dir' => 'Enum#ltr,rtl', // required
-                // The Abstract Module specification has the attribute
-                // inclusions wrong for bdo: bdo allows Lang
-            )
-        );
-        $bdo->attr_transform_post['required-dir'] = new HTMLPurifier_AttrTransform_BdoDir();
+	public function setup($config) {
+		$bdo = $this->addElement(
+			'bdo', 'Inline', 'Inline', array('Core', 'Lang'),
+			array(
+				'dir' => 'Enum#ltr,rtl', // required
+				// The Abstract Module specification has the attribute
+				// inclusions wrong for bdo: bdo allows Lang
+			)
+		);
+		$bdo->attr_transform_post['required-dir'] = new HTMLPurifier_AttrTransform_BdoDir();
 
-        $this->attr_collections['I18N']['dir'] = 'Enum#ltr,rtl';
-    }
+		$this->attr_collections['I18N']['dir'] = 'Enum#ltr,rtl';
+	}
 
 }
 

classes/security/htmlpurifier/library/HTMLPurifier/HTMLModule/CommonAttributes.php

Indentation +17 added lines, -17 removed lines

@@ -2,24 +2,24 @@
 
 class HTMLPurifier_HTMLModule_CommonAttributes extends HTMLPurifier_HTMLModule
 {
-    public $name = 'CommonAttributes';
+	public $name = 'CommonAttributes';
 
-    public $attr_collections = array(
-        'Core' => array(
-            0 => array('Style'),
-            // 'xml:space' => false,
-            'class' => 'Class',
-            'id' => 'ID',
-            'title' => 'CDATA',
-        ),
-        'Lang' => array(),
-        'I18N' => array(
-            0 => array('Lang'), // proprietary, for xml:lang/lang
-        ),
-        'Common' => array(
-            0 => array('Core', 'I18N')
-        )
-    );
+	public $attr_collections = array(
+		'Core' => array(
+			0 => array('Style'),
+			// 'xml:space' => false,
+			'class' => 'Class',
+			'id' => 'ID',
+			'title' => 'CDATA',
+		),
+		'Lang' => array(),
+		'I18N' => array(
+			0 => array('Lang'), // proprietary, for xml:lang/lang
+		),
+		'Common' => array(
+			0 => array('Core', 'I18N')
+		)
+	);
 
 }
 

classes/security/htmlpurifier/library/HTMLPurifier/HTMLModule/Edit.php

Indentation +25 added lines, -25 removed lines

@@ -7,31 +7,31 @@
 class HTMLPurifier_HTMLModule_Edit extends HTMLPurifier_HTMLModule
 {
 
-    public $name = 'Edit';
-
-    public function setup($config) {
-        $contents = 'Chameleon: #PCDATA | Inline ! #PCDATA | Flow';
-        $attr = array(
-            'cite' => 'URI',
-            // 'datetime' => 'Datetime', // not implemented
-        );
-        $this->addElement('del', 'Inline', $contents, 'Common', $attr);
-        $this->addElement('ins', 'Inline', $contents, 'Common', $attr);
-    }
-
-    // HTML 4.01 specifies that ins/del must not contain block
-    // elements when used in an inline context, chameleon is
-    // a complicated workaround to acheive this effect
-
-    // Inline context ! Block context (exclamation mark is
-    // separator, see getChildDef for parsing)
-
-    public $defines_child_def = true;
-    public function getChildDef($def) {
-        if ($def->content_model_type != 'chameleon') return false;
-        $value = explode('!', $def->content_model);
-        return new HTMLPurifier_ChildDef_Chameleon($value[0], $value[1]);
-    }
+	public $name = 'Edit';
+
+	public function setup($config) {
+		$contents = 'Chameleon: #PCDATA | Inline ! #PCDATA | Flow';
+		$attr = array(
+			'cite' => 'URI',
+			// 'datetime' => 'Datetime', // not implemented
+		);
+		$this->addElement('del', 'Inline', $contents, 'Common', $attr);
+		$this->addElement('ins', 'Inline', $contents, 'Common', $attr);
+	}
+
+	// HTML 4.01 specifies that ins/del must not contain block
+	// elements when used in an inline context, chameleon is
+	// a complicated workaround to acheive this effect
+
+	// Inline context ! Block context (exclamation mark is
+	// separator, see getChildDef for parsing)
+
+	public $defines_child_def = true;
+	public function getChildDef($def) {
+		if ($def->content_model_type != 'chameleon') return false;
+		$value = explode('!', $def->content_model);
+		return new HTMLPurifier_ChildDef_Chameleon($value[0], $value[1]);
+	}
 
 }
 

Braces +3 added lines, -1 removed lines

@@ -28,7 +28,9 @@
 
     public $defines_child_def = true;
     public function getChildDef($def) {
-        if ($def->content_model_type != 'chameleon') return false;
+        if ($def->content_model_type != 'chameleon') {
+        	return false;
+        }
         $value = explode('!', $def->content_model);
         return new HTMLPurifier_ChildDef_Chameleon($value[0], $value[1]);
     }

classes/security/htmlpurifier/library/HTMLPurifier/HTMLModule/Forms.php

Indentation +109 added lines, -109 removed lines

@@ -5,115 +5,115 @@
  */
 class HTMLPurifier_HTMLModule_Forms extends HTMLPurifier_HTMLModule
 {
-    public $name = 'Forms';
-    public $safe = false;
-
-    public $content_sets = array(
-        'Block' => 'Form',
-        'Inline' => 'Formctrl',
-    );
-
-    public function setup($config) {
-        $form = $this->addElement('form', 'Form',
-          'Required: Heading | List | Block | fieldset', 'Common', array(
-            'accept' => 'ContentTypes',
-            'accept-charset' => 'Charsets',
-            'action*' => 'URI',
-            'method' => 'Enum#get,post',
-            // really ContentType, but these two are the only ones used today
-            'enctype' => 'Enum#application/x-www-form-urlencoded,multipart/form-data',
-        ));
-        $form->excludes = array('form' => true);
-
-        $input = $this->addElement('input', 'Formctrl', 'Empty', 'Common', array(
-            'accept' => 'ContentTypes',
-            'accesskey' => 'Character',
-            'alt' => 'Text',
-            'checked' => 'Bool#checked',
-            'disabled' => 'Bool#disabled',
-            'maxlength' => 'Number',
-            'name' => 'CDATA',
-            'readonly' => 'Bool#readonly',
-            'size' => 'Number',
-            'src' => 'URI#embedded',
-            'tabindex' => 'Number',
-            'type' => 'Enum#text,password,checkbox,button,radio,submit,reset,file,hidden,image',
-            'value' => 'CDATA',
-        ));
-        $input->attr_transform_post[] = new HTMLPurifier_AttrTransform_Input();
-
-        $this->addElement('select', 'Formctrl', 'Required: optgroup | option', 'Common', array(
-            'disabled' => 'Bool#disabled',
-            'multiple' => 'Bool#multiple',
-            'name' => 'CDATA',
-            'size' => 'Number',
-            'tabindex' => 'Number',
-        ));
-
-        $this->addElement('option', false, 'Optional: #PCDATA', 'Common', array(
-            'disabled' => 'Bool#disabled',
-            'label' => 'Text',
-            'selected' => 'Bool#selected',
-            'value' => 'CDATA',
-        ));
-        // It's illegal for there to be more than one selected, but not
-        // be multiple. Also, no selected means undefined behavior. This might
-        // be difficult to implement; perhaps an injector, or a context variable.
-
-        $textarea = $this->addElement('textarea', 'Formctrl', 'Optional: #PCDATA', 'Common', array(
-            'accesskey' => 'Character',
-            'cols*' => 'Number',
-            'disabled' => 'Bool#disabled',
-            'name' => 'CDATA',
-            'readonly' => 'Bool#readonly',
-            'rows*' => 'Number',
-            'tabindex' => 'Number',
-        ));
-        $textarea->attr_transform_pre[] = new HTMLPurifier_AttrTransform_Textarea();
-
-        $button = $this->addElement('button', 'Formctrl', 'Optional: #PCDATA | Heading | List | Block | Inline', 'Common', array(
-            'accesskey' => 'Character',
-            'disabled' => 'Bool#disabled',
-            'name' => 'CDATA',
-            'tabindex' => 'Number',
-            'type' => 'Enum#button,submit,reset',
-            'value' => 'CDATA',
-        ));
-
-        // For exclusions, ideally we'd specify content sets, not literal elements
-        $button->excludes = $this->makeLookup(
-            'form', 'fieldset', // Form
-            'input', 'select', 'textarea', 'label', 'button', // Formctrl
-            'a', // as per HTML 4.01 spec, this is omitted by modularization
-            'isindex', 'iframe' // legacy items
-        );
-
-        // Extra exclusion: img usemap="" is not permitted within this element.
-        // We'll omit this for now, since we don't have any good way of
-        // indicating it yet.
-
-        // This is HIGHLY user-unfriendly; we need a custom child-def for this
-        $this->addElement('fieldset', 'Form', 'Custom: (#WS?,legend,(Flow|#PCDATA)*)', 'Common');
-
-        $label = $this->addElement('label', 'Formctrl', 'Optional: #PCDATA | Inline', 'Common', array(
-            'accesskey' => 'Character',
-            // 'for' => 'IDREF', // IDREF not implemented, cannot allow
-        ));
-        $label->excludes = array('label' => true);
-
-        $this->addElement('legend', false, 'Optional: #PCDATA | Inline', 'Common', array(
-            'accesskey' => 'Character',
-        ));
-
-        $this->addElement('optgroup', false, 'Required: option', 'Common', array(
-            'disabled' => 'Bool#disabled',
-            'label*' => 'Text',
-        ));
-
-        // Don't forget an injector for <isindex>. This one's a little complex
-        // because it maps to multiple elements.
-
-    }
+	public $name = 'Forms';
+	public $safe = false;
+
+	public $content_sets = array(
+		'Block' => 'Form',
+		'Inline' => 'Formctrl',
+	);
+
+	public function setup($config) {
+		$form = $this->addElement('form', 'Form',
+		  'Required: Heading | List | Block | fieldset', 'Common', array(
+			'accept' => 'ContentTypes',
+			'accept-charset' => 'Charsets',
+			'action*' => 'URI',
+			'method' => 'Enum#get,post',
+			// really ContentType, but these two are the only ones used today
+			'enctype' => 'Enum#application/x-www-form-urlencoded,multipart/form-data',
+		));
+		$form->excludes = array('form' => true);
+
+		$input = $this->addElement('input', 'Formctrl', 'Empty', 'Common', array(
+			'accept' => 'ContentTypes',
+			'accesskey' => 'Character',
+			'alt' => 'Text',
+			'checked' => 'Bool#checked',
+			'disabled' => 'Bool#disabled',
+			'maxlength' => 'Number',
+			'name' => 'CDATA',
+			'readonly' => 'Bool#readonly',
+			'size' => 'Number',
+			'src' => 'URI#embedded',
+			'tabindex' => 'Number',
+			'type' => 'Enum#text,password,checkbox,button,radio,submit,reset,file,hidden,image',
+			'value' => 'CDATA',
+		));
+		$input->attr_transform_post[] = new HTMLPurifier_AttrTransform_Input();
+
+		$this->addElement('select', 'Formctrl', 'Required: optgroup | option', 'Common', array(
+			'disabled' => 'Bool#disabled',
+			'multiple' => 'Bool#multiple',
+			'name' => 'CDATA',
+			'size' => 'Number',
+			'tabindex' => 'Number',
+		));
+
+		$this->addElement('option', false, 'Optional: #PCDATA', 'Common', array(
+			'disabled' => 'Bool#disabled',
+			'label' => 'Text',
+			'selected' => 'Bool#selected',
+			'value' => 'CDATA',
+		));
+		// It's illegal for there to be more than one selected, but not
+		// be multiple. Also, no selected means undefined behavior. This might
+		// be difficult to implement; perhaps an injector, or a context variable.
+
+		$textarea = $this->addElement('textarea', 'Formctrl', 'Optional: #PCDATA', 'Common', array(
+			'accesskey' => 'Character',
+			'cols*' => 'Number',
+			'disabled' => 'Bool#disabled',
+			'name' => 'CDATA',
+			'readonly' => 'Bool#readonly',
+			'rows*' => 'Number',
+			'tabindex' => 'Number',
+		));
+		$textarea->attr_transform_pre[] = new HTMLPurifier_AttrTransform_Textarea();
+
+		$button = $this->addElement('button', 'Formctrl', 'Optional: #PCDATA | Heading | List | Block | Inline', 'Common', array(
+			'accesskey' => 'Character',
+			'disabled' => 'Bool#disabled',
+			'name' => 'CDATA',
+			'tabindex' => 'Number',
+			'type' => 'Enum#button,submit,reset',
+			'value' => 'CDATA',
+		));
+
+		// For exclusions, ideally we'd specify content sets, not literal elements
+		$button->excludes = $this->makeLookup(
+			'form', 'fieldset', // Form
+			'input', 'select', 'textarea', 'label', 'button', // Formctrl
+			'a', // as per HTML 4.01 spec, this is omitted by modularization
+			'isindex', 'iframe' // legacy items
+		);
+
+		// Extra exclusion: img usemap="" is not permitted within this element.
+		// We'll omit this for now, since we don't have any good way of
+		// indicating it yet.
+
+		// This is HIGHLY user-unfriendly; we need a custom child-def for this
+		$this->addElement('fieldset', 'Form', 'Custom: (#WS?,legend,(Flow|#PCDATA)*)', 'Common');
+
+		$label = $this->addElement('label', 'Formctrl', 'Optional: #PCDATA | Inline', 'Common', array(
+			'accesskey' => 'Character',
+			// 'for' => 'IDREF', // IDREF not implemented, cannot allow
+		));
+		$label->excludes = array('label' => true);
+
+		$this->addElement('legend', false, 'Optional: #PCDATA | Inline', 'Common', array(
+			'accesskey' => 'Character',
+		));
+
+		$this->addElement('optgroup', false, 'Required: option', 'Common', array(
+			'disabled' => 'Bool#disabled',
+			'label*' => 'Text',
+		));
+
+		// Don't forget an injector for <isindex>. This one's a little complex
+		// because it maps to multiple elements.
+
+	}
 }
 
 // vim: et sw=4 sts=4

classes/security/htmlpurifier/library/HTMLPurifier/HTMLModule/Hypertext.php

Indentation +18 added lines, -18 removed lines

@@ -6,25 +6,25 @@
 class HTMLPurifier_HTMLModule_Hypertext extends HTMLPurifier_HTMLModule
 {
 
-    public $name = 'Hypertext';
+	public $name = 'Hypertext';
 
-    public function setup($config) {
-        $a = $this->addElement(
-            'a', 'Inline', 'Inline', 'Common',
-            array(
-                // 'accesskey' => 'Character',
-                // 'charset' => 'Charset',
-                'href' => 'URI',
-                // 'hreflang' => 'LanguageCode',
-                'rel' => new HTMLPurifier_AttrDef_HTML_LinkTypes('rel'),
-                'rev' => new HTMLPurifier_AttrDef_HTML_LinkTypes('rev'),
-                // 'tabindex' => 'Number',
-                // 'type' => 'ContentType',
-            )
-        );
-        $a->formatting = true;
-        $a->excludes = array('a' => true);
-    }
+	public function setup($config) {
+		$a = $this->addElement(
+			'a', 'Inline', 'Inline', 'Common',
+			array(
+				// 'accesskey' => 'Character',
+				// 'charset' => 'Charset',
+				'href' => 'URI',
+				// 'hreflang' => 'LanguageCode',
+				'rel' => new HTMLPurifier_AttrDef_HTML_LinkTypes('rel'),
+				'rev' => new HTMLPurifier_AttrDef_HTML_LinkTypes('rev'),
+				// 'tabindex' => 'Number',
+				// 'type' => 'ContentType',
+			)
+		);
+		$a->formatting = true;
+		$a->excludes = array('a' => true);
+	}
 
 }