htmlpurifier 4.8 업데이트

gnuboard · Aug 29, 2016 · a560fc3 · a560fc3
1 parent e2c67e8
commit a560fc3
Show file tree

Hide file tree

Showing 8 changed files with 300 additions and 50 deletions.
diff --git a/plugin/htmlpurifier/HTMLPurifier.standalone.php b/plugin/htmlpurifier/HTMLPurifier.standalone.php
diff --git a/plugin/htmlpurifier/standalone/HTMLPurifier/ConfigSchema/schema.ser b/plugin/htmlpurifier/standalone/HTMLPurifier/ConfigSchema/schema.ser
diff --git a/plugin/htmlpurifier/standalone/HTMLPurifier/ConfigSchema/schema/Attr.ID.HTML5.txt b/plugin/htmlpurifier/standalone/HTMLPurifier/ConfigSchema/schema/Attr.ID.HTML5.txt
@@ -0,0 +1,10 @@
+Attr.ID.HTML5
+TYPE: bool/null
+DEFAULT: null
+VERSION: 4.8.0
+--DESCRIPTION--
+In HTML5, restrictions on the format of the id attribute have been significantly
+relaxed, such that any string is valid so long as it contains no spaces and
+is at least one character.  In lieu of a general HTML5 compatibility flag,
+set this configuration directive to true to use the relaxed rules.
+--# vim: et sw=4 sts=4
diff --git a/plugin/htmlpurifier/standalone/HTMLPurifier/ConfigSchema/schema/CSS.AllowDuplicates.txt b/plugin/htmlpurifier/standalone/HTMLPurifier/ConfigSchema/schema/CSS.AllowDuplicates.txt
@@ -0,0 +1,11 @@
+CSS.AllowDuplicates
+TYPE: bool
+DEFAULT: false
+VERSION: 4.8.0
+--DESCRIPTION--
+<p>
+  By default, HTML Purifier removes duplicate CSS properties,
+  like <code>color:red; color:blue</code>.  If this is set to
+  true, duplicate properties are allowed.
+</p>
+--# vim: et sw=4 sts=4
diff --git a/.../htmlpurifier/standalone/HTMLPurifier/ConfigSchema/schema/Cache.SerializerPermissions.txt b/.../htmlpurifier/standalone/HTMLPurifier/ConfigSchema/schema/Cache.SerializerPermissions.txt
@@ -1,5 +1,5 @@
 Cache.SerializerPermissions
-TYPE: int
+TYPE: int/null
 VERSION: 4.3.0
 DEFAULT: 0755
 --DESCRIPTION--
@@ -8,4 +8,9 @@ DEFAULT: 0755
     Directory permissions of the files and directories created inside
     the DefinitionCache/Serializer or other custom serializer path.
 </p>
+<p>
+    In HTML Purifier 4.8.0, this also supports <code>NULL</code>,
+    which means that no chmod'ing or directory creation shall
+    occur.
+</p>
 --# vim: et sw=4 sts=4
diff --git a/plugin/htmlpurifier/standalone/HTMLPurifier/ConfigSchema/schema/HTML.TargetNoreferrer.txt b/plugin/htmlpurifier/standalone/HTMLPurifier/ConfigSchema/schema/HTML.TargetNoreferrer.txt
@@ -0,0 +1,9 @@
+HTML.TargetNoreferrer
+TYPE: bool
+VERSION: 4.8.0
+DEFAULT: TRUE
+--DESCRIPTION--
+If enabled, noreferrer rel attributes are added to links which have
+a target attribute associated with them.  This prevents malicious
+destinations from overwriting the original window.
+--# vim: et sw=4 sts=4
diff --git a/plugin/htmlpurifier/standalone/HTMLPurifier/ConfigSchema/schema/URI.AllowedSchemes.txt b/plugin/htmlpurifier/standalone/HTMLPurifier/ConfigSchema/schema/URI.AllowedSchemes.txt
@@ -8,6 +8,7 @@ array (
   'ftp' => true,
   'nntp' => true,
   'news' => true,
+  'tel' => true,
 )
 --DESCRIPTION--
 Whitelist that defines the schemes that a URI is allowed to have.  This

diff --git a/plugin/htmlpurifier/standalone/HTMLPurifier/Printer/ConfigForm.php b/plugin/htmlpurifier/standalone/HTMLPurifier/Printer/ConfigForm.php
@@ -327,6 +327,10 @@ public function render($ns, $directive, $value, $name, $config)
                 case HTMLPurifier_VarParser::HASH:
                     $nvalue = '';
                     foreach ($value as $i => $v) {
+                        if (is_array($v)) {
+                            // HACK
+                            $v = implode(";", $v);
+                        }
                         $nvalue .= "$i:$v" . PHP_EOL;
                     }
                     $value = $nvalue;