HTML Purifier 4.17

mambax7 · Jun 9, 2024 · 0a14d63 · 0a14d63
1 parent 9aca137
commit 0a14d63
Show file tree

Hide file tree

Showing 22 changed files with 200 additions and 197 deletions.
diff --git a/docs/changelog.250.txt b/docs/changelog.250.txt
@@ -7,6 +7,9 @@ XOOPS 2.5.x Changelog (Language changes: see: /docs/lang_diff.txt)
 - added in Admin Composer packages info (mamba)
 - added new Admin theme (ForMuss)
 
+Updated libraries and assets:
+- HTML Purifier to 4.17 (mamba)
+
 ===================================
 2.5.11 Final             2023/12/24
 ===================================

diff --git a/htdocs/xoops_lib/modules/protector/library/HTMLPurifier.includes.php b/htdocs/xoops_lib/modules/protector/library/HTMLPurifier.includes.php
@@ -7,7 +7,7 @@
  * primary concern and you are using an opcode cache. PLEASE DO NOT EDIT THIS
  * FILE, changes will be overwritten the next time the script is run.
  *
- * @version 4.15.0
+ * @version 4.17.0
  *
  * @warning
  *      You must *not* include any other HTML Purifier files before this file,

diff --git a/htdocs/xoops_lib/modules/protector/library/HTMLPurifier.php b/htdocs/xoops_lib/modules/protector/library/HTMLPurifier.php
@@ -19,7 +19,7 @@
  */
 
 /*
-    HTML Purifier 4.15.0 - Standards Compliant HTML Filtering
+    HTML Purifier 4.17.0 - Standards Compliant HTML Filtering
     Copyright (C) 2006-2008 Edward Z. Yang
 
     This library is free software; you can redistribute it and/or
@@ -57,12 +57,12 @@ class HTMLPurifier
      * Version of HTML Purifier.
      * @type string
      */
-    public $version = '4.15.0';
+    public $version = '4.17.0';
 
     /**
      * Constant with version of HTML Purifier.
      */
-    public const VERSION = '4.15.0';
+    public const VERSION = '4.17.0';
 
     /**
      * Global configuration object.

diff --git a/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/AttrDef/CSS/FontFamily.php b/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/AttrDef/CSS/FontFamily.php
@@ -9,23 +9,21 @@ class HTMLPurifier_AttrDef_CSS_FontFamily extends HTMLPurifier_AttrDef
 
     public function __construct()
     {
-        $this->mask = '_- ';
-        for ($c = 'a'; $c <= 'z'; $c++) {
-            $this->mask .= $c;
-        }
-        for ($c = 'A'; $c <= 'Z'; $c++) {
-            $this->mask .= $c;
-        }
-        for ($c = '0'; $c <= '9'; $c++) {
-            $this->mask .= $c;
-        } // cast-y, but should be fine
-        // special bytes used by UTF-8
-        for ($i = 0x80; $i <= 0xFF; $i++) {
-            // We don't bother excluding invalid bytes in this range,
-            // because the our restriction of well-formed UTF-8 will
-            // prevent these from ever occurring.
-            $this->mask .= chr($i);
-        }
+        // Lowercase letters
+        $l = range('a', 'z');
+        // Uppercase letters
+        $u = range('A', 'Z');
+        // Digits
+        $d = range('0', '9');
+        // Special bytes used by UTF-8
+        $b = array_map('chr', range(0x80, 0xFF));
+        // All valid characters for the mask
+        $c = array_merge($l, $u, $d, $b);
+        // Concatenate all valid characters into a string 
+        // Use '_- ' as an initial value
+        $this->mask = array_reduce($c, function ($carry, $value) {
+            return $carry . $value;
+        }, '_- ');
 
         /*
             PHP's internal strcspn implementation is

diff --git a/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/AttrDef/URI/Host.php b/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/AttrDef/URI/Host.php
@@ -106,7 +106,7 @@ public function validate($string, $config, $context)
         // If we have Net_IDNA2 support, we can support IRIs by
         // punycoding them. (This is the most portable thing to do,
         // since otherwise we have to assume browsers support
-        } elseif ($config->get('Core.EnableIDNA')) {
+        } elseif ($config->get('Core.EnableIDNA') && class_exists('Net_IDNA2')) {
             $idna = new Net_IDNA2(array('encoding' => 'utf8', 'overlong' => false, 'strict' => true));
             // we need to encode each period separately
             $parts = explode('.', $string);

diff --git a/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/AttrTransform/TargetBlank.php b/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/AttrTransform/TargetBlank.php
@@ -33,7 +33,11 @@ public function transform($attr, $config, $context)
 
         // XXX Kind of inefficient
         $url = $this->parser->parse($attr['href']);
-        $scheme = $url->getSchemeObj($config, $context);
+
+        // Ignore invalid schemes (e.g. `javascript:`)
+        if (!($scheme = $url->getSchemeObj($config, $context))) {
+            return $attr;
+        }
 
         if ($scheme->browsable && !$url->isBenign($config, $context)) {
             $attr['target'] = '_blank';

diff --git a/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/Bootstrap.php b/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/Bootstrap.php
@@ -78,44 +78,11 @@ public static function getPath($class)
     public static function registerAutoload()
     {
         $autoload = array('HTMLPurifier_Bootstrap', 'autoload');
-        if (($funcs = spl_autoload_functions()) === false) {
+        if (spl_autoload_functions() === false) {
             spl_autoload_register($autoload);
-        } elseif (function_exists('spl_autoload_unregister')) {
-            if (version_compare(PHP_VERSION, '5.3.0', '>=')) {
+        } else {
                 // prepend flag exists, no need for shenanigans
                 spl_autoload_register($autoload, true, true);
-            } else {
-                $buggy  = version_compare(PHP_VERSION, '5.2.11', '<');
-                $compat = version_compare(PHP_VERSION, '5.1.2', '<=') &&
-                          version_compare(PHP_VERSION, '5.1.0', '>=');
-                foreach ($funcs as $func) {
-                    if ($buggy && is_array($func)) {
-                        // :TRICKY: There are some compatibility issues and some
-                        // places where we need to error out
-                        $reflector = new ReflectionMethod($func[0], $func[1]);
-                        if (!$reflector->isStatic()) {
-                            throw new Exception(
-                                'HTML Purifier autoloader registrar is not compatible
-                                with non-static object methods due to PHP Bug #44144;
-                                Please do not use HTMLPurifier.autoload.php (or any
-                                file that includes this file); instead, place the code:
-                                spl_autoload_register(array(\'HTMLPurifier_Bootstrap\', \'autoload\'))
-                                after your own autoloaders.',
-                            );
-                        }
-                        // Suprisingly, spl_autoload_register supports the
-                        // Class::staticMethod callback format, although call_user_func doesn't
-                        if ($compat) {
-                            $func = implode('::', $func);
-                        }
-                    }
-                    spl_autoload_unregister($func);
-                }
-                spl_autoload_register($autoload);
-                foreach ($funcs as $func) {
-                    spl_autoload_register($func);
-                }
-            }
         }
     }
 }