
Better XSS protection

* Add HTMLPurifier library (LGPL)
* Add helper functions to html helper
* Set default encoding header to UTF-8
* Make sure the doctype is the same everywhere (admin/members/frontend)
* Remove use of strip_tags() and htmlspecialchars()
* Replace vanilla htmlentities with html::escape() - make sure no one forgets the UTF-8
* Remove _csv_text() fn - no longer used and was using strip_tags()
1 parent 765a3ee commit 593719ff805a302e3ab2f2e535c875f90a04ea56 @rjmackay committed Apr 9, 2013
Showing with 14,354 additions and 90 deletions.
  1. +1 −1 application/controllers/admin/reports.php
  2. +2 −2 application/controllers/feed.php
  3. +3 −5 application/controllers/json.php
  4. +0 −6 application/controllers/members/reports.php
  5. +3 −3 application/controllers/reports.php
  6. +1 −0 application/controllers/scheduler/s_alerts.php
  7. +78 −0 application/helpers/MY_html.php
  8. +5 −5 application/helpers/category.php
  9. +0 −48 application/helpers/utf8tohtml.php
  10. +2 −5 application/hooks/actions.php
  11. +4 −3 application/libraries/Imap.php
  12. +3 −0 application/libraries/MY_Controller.php
  13. +5 −5 application/libraries/VideoEmbed.php
  14. +2 −2 application/libraries/XMLImporter.php
  15. +5 −5 application/libraries/api/MY_Comments_Api_Object.php
  16. +9 −0 application/libraries/htmlpurifier/CREDITS
  17. +11 −0 application/libraries/htmlpurifier/HTMLPurifier.auto.php
  18. +26 −0 application/libraries/htmlpurifier/HTMLPurifier.autoload.php
  19. +4 −0 application/libraries/htmlpurifier/HTMLPurifier.composer.php
  20. +23 −0 application/libraries/htmlpurifier/HTMLPurifier.func.php
  21. +222 −0 application/libraries/htmlpurifier/HTMLPurifier.includes.php
  22. +30 −0 application/libraries/htmlpurifier/HTMLPurifier.kses.php
  23. +11 −0 application/libraries/htmlpurifier/HTMLPurifier.path.php
  24. +237 −0 application/libraries/htmlpurifier/HTMLPurifier.php
  25. +216 −0 application/libraries/htmlpurifier/HTMLPurifier.safe-includes.php
  26. +128 −0 application/libraries/htmlpurifier/HTMLPurifier/AttrCollections.php
  27. +123 −0 application/libraries/htmlpurifier/HTMLPurifier/AttrDef.php
  28. +87 −0 application/libraries/htmlpurifier/HTMLPurifier/AttrDef/CSS.php
  29. +21 −0 application/libraries/htmlpurifier/HTMLPurifier/AttrDef/CSS/AlphaValue.php
  30. +87 −0 application/libraries/htmlpurifier/HTMLPurifier/AttrDef/CSS/Background.php
  31. +133 −0 application/libraries/htmlpurifier/HTMLPurifier/AttrDef/CSS/BackgroundPosition.php
  32. +43 −0 application/libraries/htmlpurifier/HTMLPurifier/AttrDef/CSS/Border.php
  33. +78 −0 application/libraries/htmlpurifier/HTMLPurifier/AttrDef/CSS/Color.php
  34. +38 −0 application/libraries/htmlpurifier/HTMLPurifier/AttrDef/CSS/Composite.php
  35. +28 −0 application/libraries/htmlpurifier/HTMLPurifier/AttrDef/CSS/DenyElementDecorator.php
  36. +54 −0 application/libraries/htmlpurifier/HTMLPurifier/AttrDef/CSS/Filter.php
  37. +149 −0 application/libraries/htmlpurifier/HTMLPurifier/AttrDef/CSS/Font.php
  38. +197 −0 application/libraries/htmlpurifier/HTMLPurifier/AttrDef/CSS/FontFamily.php
  39. +24 −0 application/libraries/htmlpurifier/HTMLPurifier/AttrDef/CSS/Ident.php
  40. +40 −0 application/libraries/htmlpurifier/HTMLPurifier/AttrDef/CSS/ImportantDecorator.php
  41. +47 −0 application/libraries/htmlpurifier/HTMLPurifier/AttrDef/CSS/Length.php
  42. +78 −0 application/libraries/htmlpurifier/HTMLPurifier/AttrDef/CSS/ListStyle.php
  43. +58 −0 application/libraries/htmlpurifier/HTMLPurifier/AttrDef/CSS/Multiple.php
  44. +69 −0 application/libraries/htmlpurifier/HTMLPurifier/AttrDef/CSS/Number.php
  45. +40 −0 application/libraries/htmlpurifier/HTMLPurifier/AttrDef/CSS/Percentage.php
  46. +38 −0 application/libraries/htmlpurifier/HTMLPurifier/AttrDef/CSS/TextDecoration.php
  47. +61 −0 application/libraries/htmlpurifier/HTMLPurifier/AttrDef/CSS/URI.php
  48. +28 −0 application/libraries/htmlpurifier/HTMLPurifier/AttrDef/Clone.php
  49. +65 −0 application/libraries/htmlpurifier/HTMLPurifier/AttrDef/Enum.php
  50. +28 −0 application/libraries/htmlpurifier/HTMLPurifier/AttrDef/HTML/Bool.php
  51. +34 −0 application/libraries/htmlpurifier/HTMLPurifier/AttrDef/HTML/Class.php
  52. +33 −0 application/libraries/htmlpurifier/HTMLPurifier/AttrDef/HTML/Color.php
  53. +21 −0 application/libraries/htmlpurifier/HTMLPurifier/AttrDef/HTML/FrameTarget.php
  54. +80 −0 application/libraries/htmlpurifier/HTMLPurifier/AttrDef/HTML/ID.php
  55. +41 −0 application/libraries/htmlpurifier/HTMLPurifier/AttrDef/HTML/Length.php
  56. +53 −0 application/libraries/htmlpurifier/HTMLPurifier/AttrDef/HTML/LinkTypes.php
  57. +41 −0 application/libraries/htmlpurifier/HTMLPurifier/AttrDef/HTML/MultiLength.php
  58. +52 −0 application/libraries/htmlpurifier/HTMLPurifier/AttrDef/HTML/Nmtokens.php
  59. +48 −0 application/libraries/htmlpurifier/HTMLPurifier/AttrDef/HTML/Pixels.php
  60. +73 −0 application/libraries/htmlpurifier/HTMLPurifier/AttrDef/Integer.php
  61. +73 −0 application/libraries/htmlpurifier/HTMLPurifier/AttrDef/Lang.php
  62. +34 −0 application/libraries/htmlpurifier/HTMLPurifier/AttrDef/Switch.php
  63. +15 −0 application/libraries/htmlpurifier/HTMLPurifier/AttrDef/Text.php
  64. +77 −0 application/libraries/htmlpurifier/HTMLPurifier/AttrDef/URI.php
  65. +17 −0 application/libraries/htmlpurifier/HTMLPurifier/AttrDef/URI/Email.php
  66. +21 −0 application/libraries/htmlpurifier/HTMLPurifier/AttrDef/URI/Email/SimpleCheck.php
  67. +101 −0 application/libraries/htmlpurifier/HTMLPurifier/AttrDef/URI/Host.php
  68. +39 −0 application/libraries/htmlpurifier/HTMLPurifier/AttrDef/URI/IPv4.php
  69. +99 −0 application/libraries/htmlpurifier/HTMLPurifier/AttrDef/URI/IPv6.php
  70. +56 −0 application/libraries/htmlpurifier/HTMLPurifier/AttrTransform.php
  71. +23 −0 application/libraries/htmlpurifier/HTMLPurifier/AttrTransform/Background.php
  72. +19 −0 application/libraries/htmlpurifier/HTMLPurifier/AttrTransform/BdoDir.php
  73. +23 −0 application/libraries/htmlpurifier/HTMLPurifier/AttrTransform/BgColor.php
  74. +36 −0 application/libraries/htmlpurifier/HTMLPurifier/AttrTransform/BoolToCSS.php
  75. +18 −0 application/libraries/htmlpurifier/HTMLPurifier/AttrTransform/Border.php
  76. +58 −0 application/libraries/htmlpurifier/HTMLPurifier/AttrTransform/EnumToCSS.php
  77. +43 −0 application/libraries/htmlpurifier/HTMLPurifier/AttrTransform/ImgRequired.php
  78. +44 −0 application/libraries/htmlpurifier/HTMLPurifier/AttrTransform/ImgSpace.php
  79. +40 −0 application/libraries/htmlpurifier/HTMLPurifier/AttrTransform/Input.php
  80. +28 −0 application/libraries/htmlpurifier/HTMLPurifier/AttrTransform/Lang.php
  81. +27 −0 application/libraries/htmlpurifier/HTMLPurifier/AttrTransform/Length.php
  82. +21 −0 application/libraries/htmlpurifier/HTMLPurifier/AttrTransform/Name.php
  83. +27 −0 application/libraries/htmlpurifier/HTMLPurifier/AttrTransform/NameSync.php
  84. +45 −0 application/libraries/htmlpurifier/HTMLPurifier/AttrTransform/Nofollow.php
  85. +15 −0 application/libraries/htmlpurifier/HTMLPurifier/AttrTransform/SafeEmbed.php
  86. +16 −0 application/libraries/htmlpurifier/HTMLPurifier/AttrTransform/SafeObject.php
  87. +64 −0 application/libraries/htmlpurifier/HTMLPurifier/AttrTransform/SafeParam.php
  88. +16 −0 application/libraries/htmlpurifier/HTMLPurifier/AttrTransform/ScriptRequired.php
  89. +38 −0 application/libraries/htmlpurifier/HTMLPurifier/AttrTransform/TargetBlank.php
  90. +18 −0 application/libraries/htmlpurifier/HTMLPurifier/AttrTransform/Textarea.php
  91. +91 −0 application/libraries/htmlpurifier/HTMLPurifier/AttrTypes.php
  92. +162 −0 application/libraries/htmlpurifier/HTMLPurifier/AttrValidator.php
  93. +109 −0 application/libraries/htmlpurifier/HTMLPurifier/Bootstrap.php
  94. +328 −0 application/libraries/htmlpurifier/HTMLPurifier/CSSDefinition.php
  95. +48 −0 application/libraries/htmlpurifier/HTMLPurifier/ChildDef.php
  96. +48 −0 application/libraries/htmlpurifier/HTMLPurifier/ChildDef/Chameleon.php
  97. +90 −0 application/libraries/htmlpurifier/HTMLPurifier/ChildDef/Custom.php
  98. +20 −0 application/libraries/htmlpurifier/HTMLPurifier/ChildDef/Empty.php
  99. +120 −0 application/libraries/htmlpurifier/HTMLPurifier/ChildDef/List.php
  100. +26 −0 application/libraries/htmlpurifier/HTMLPurifier/ChildDef/Optional.php
  101. +117 −0 application/libraries/htmlpurifier/HTMLPurifier/ChildDef/Required.php
  102. +88 −0 application/libraries/htmlpurifier/HTMLPurifier/ChildDef/StrictBlockquote.php
  103. +227 −0 application/libraries/htmlpurifier/HTMLPurifier/ChildDef/Table.php
  104. +710 −0 application/libraries/htmlpurifier/HTMLPurifier/Config.php
  105. +164 −0 application/libraries/htmlpurifier/HTMLPurifier/ConfigSchema.php
  106. +44 −0 application/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/Builder/ConfigSchema.php
  107. +106 −0 application/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/Builder/Xml.php
  108. +11 −0 application/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/Exception.php
  109. +42 −0 application/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/Interchange.php
  110. +77 −0 application/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/Interchange/Directive.php
  111. +37 −0 application/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/Interchange/Id.php
  112. +180 −0 application/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/InterchangeBuilder.php
  113. +206 −0 application/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/Validator.php
  114. +66 −0 application/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/ValidatorAtom.php
  115. BIN application/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/schema.ser
  116. +8 −0 application/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/schema/Attr.AllowedClasses.txt
  117. +12 −0 application/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/schema/Attr.AllowedFrameTargets.txt
  118. +9 −0 application/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/schema/Attr.AllowedRel.txt
  119. +9 −0 application/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/schema/Attr.AllowedRev.txt
  120. +19 −0 application/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/schema/Attr.ClassUseCDATA.txt
  121. +11 −0 application/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/schema/Attr.DefaultImageAlt.txt
  122. +9 −0 application/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/schema/Attr.DefaultInvalidImage.txt
  123. +8 −0 application/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/schema/Attr.DefaultInvalidImageAlt.txt
  124. +10 −0 application/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/schema/Attr.DefaultTextDir.txt
  125. +16 −0 application/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/schema/Attr.EnableID.txt
  126. +8 −0 application/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/schema/Attr.ForbiddenClasses.txt
  127. +5 −0 application/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/schema/Attr.IDBlacklist.txt
  128. +9 −0 application/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/schema/Attr.IDBlacklistRegexp.txt
  129. +12 −0 application/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/schema/Attr.IDPrefix.txt
  130. +14 −0 application/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/schema/Attr.IDPrefixLocal.txt
  131. +31 −0 application/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/schema/AutoFormat.AutoParagraph.txt
  132. +12 −0 application/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/schema/AutoFormat.Custom.txt
  133. +11 −0 application/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/schema/AutoFormat.DisplayLinkURI.txt
  134. +12 −0 application/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/schema/AutoFormat.Linkify.txt
  135. +12 −0 ...ion/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/schema/AutoFormat.PurifierLinkify.DocURL.txt
  136. +12 −0 application/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/schema/AutoFormat.PurifierLinkify.txt
  137. +11 −0 ...es/htmlpurifier/HTMLPurifier/ConfigSchema/schema/AutoFormat.RemoveEmpty.RemoveNbsp.Exceptions.txt
  138. +15 −0 ...ion/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/schema/AutoFormat.RemoveEmpty.RemoveNbsp.txt
  139. +46 −0 application/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/schema/AutoFormat.RemoveEmpty.txt
  140. +11 −0 ...braries/htmlpurifier/HTMLPurifier/ConfigSchema/schema/AutoFormat.RemoveSpansWithoutAttributes.txt
  141. +8 −0 application/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/schema/CSS.AllowImportant.txt
  142. +11 −0 application/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/schema/CSS.AllowTricky.txt
  143. +12 −0 application/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/schema/CSS.AllowedFonts.txt
  144. +18 −0 application/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/schema/CSS.AllowedProperties.txt
  145. +11 −0 application/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/schema/CSS.DefinitionRev.txt
  146. +13 −0 application/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/schema/CSS.ForbiddenProperties.txt
  147. +16 −0 application/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/schema/CSS.MaxImgLength.txt
  148. +10 −0 application/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/schema/CSS.Proprietary.txt
  149. +9 −0 application/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/schema/CSS.Trusted.txt
  150. +14 −0 application/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/schema/Cache.DefinitionImpl.txt
  151. +13 −0 application/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/schema/Cache.SerializerPath.txt
  152. +11 −0 application/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/schema/Cache.SerializerPermissions.txt
  153. +18 −0 application/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/schema/Core.AggressivelyFixLt.txt
  154. +12 −0 application/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/schema/Core.CollectErrors.txt
  155. +29 −0 application/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/schema/Core.ColorKeywords.txt
  156. +14 −0 ...cation/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/schema/Core.ConvertDocumentToFragment.txt
  157. +17 −0 .../libraries/htmlpurifier/HTMLPurifier/ConfigSchema/schema/Core.DirectLexLineNumberSyncInterval.txt
  158. +14 −0 application/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/schema/Core.DisableExcludes.txt
  159. +9 −0 application/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/schema/Core.EnableIDNA.txt
  160. +15 −0 application/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/schema/Core.Encoding.txt
  161. +10 −0 application/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/schema/Core.EscapeInvalidChildren.txt
  162. +7 −0 application/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/schema/Core.EscapeInvalidTags.txt
  163. +13 −0 ...ication/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/schema/Core.EscapeNonASCIICharacters.txt
  164. +19 −0 application/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/schema/Core.HiddenElements.txt
  165. +10 −0 application/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/schema/Core.Language.txt
  166. +34 −0 application/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/schema/Core.LexerImpl.txt
  167. +16 −0 application/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/schema/Core.MaintainLineNumbers.txt
  168. +11 −0 application/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/schema/Core.NormalizeNewlines.txt
  169. +12 −0 application/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/schema/Core.RemoveInvalidImg.txt
  170. +11 −0 ...ion/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/schema/Core.RemoveProcessingInstructions.txt
  171. +12 −0 application/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/schema/Core.RemoveScriptContents.txt
  172. +11 −0 application/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/schema/Filter.Custom.txt
  173. +14 −0 ...on/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/schema/Filter.ExtractStyleBlocks.Escaping.txt
  174. +29 −0 ...ation/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/schema/Filter.ExtractStyleBlocks.Scope.txt
  175. +16 −0 ...on/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/schema/Filter.ExtractStyleBlocks.TidyImpl.txt
  176. +74 −0 application/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/schema/Filter.ExtractStyleBlocks.txt
  177. +16 −0 application/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/schema/Filter.YouTube.txt
  178. +25 −0 application/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/schema/HTML.Allowed.txt
  179. +19 −0 application/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/schema/HTML.AllowedAttributes.txt
  180. +10 −0 application/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/schema/HTML.AllowedComments.txt
  181. +15 −0 application/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/schema/HTML.AllowedCommentsRegexp.txt
  182. +23 −0 application/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/schema/HTML.AllowedElements.txt
  183. +20 −0 application/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/schema/HTML.AllowedModules.txt
  184. +11 −0 application/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/schema/HTML.Attr.Name.UseCDATA.txt
  185. +18 −0 application/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/schema/HTML.BlockWrapper.txt
  186. +23 −0 application/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/schema/HTML.CoreModules.txt
  187. +9 −0 application/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/schema/HTML.CustomDoctype.txt
  188. +33 −0 application/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/schema/HTML.DefinitionID.txt
  189. +16 −0 application/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/schema/HTML.DefinitionRev.txt
  190. +11 −0 application/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/schema/HTML.Doctype.txt
  191. +11 −0 application/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/schema/HTML.FlashAllowFullScreen.txt
  192. +21 −0 application/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/schema/HTML.ForbiddenAttributes.txt
  193. +20 −0 application/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/schema/HTML.ForbiddenElements.txt
  194. +14 −0 application/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/schema/HTML.MaxImgLength.txt
  195. +7 −0 application/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/schema/HTML.Nofollow.txt
  196. +12 −0 application/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/schema/HTML.Parent.txt
  197. +12 −0 application/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/schema/HTML.Proprietary.txt
  198. +13 −0 application/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/schema/HTML.SafeEmbed.txt
  199. +13 −0 application/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/schema/HTML.SafeIframe.txt
  200. +13 −0 application/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/schema/HTML.SafeObject.txt
  201. +10 −0 application/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/schema/HTML.SafeScripting.txt
  202. +9 −0 application/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/schema/HTML.Strict.txt
  203. +8 −0 application/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/schema/HTML.TargetBlank.txt
  204. +8 −0 application/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/schema/HTML.TidyAdd.txt
  205. +24 −0 application/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/schema/HTML.TidyLevel.txt
  206. +8 −0 application/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/schema/HTML.TidyRemove.txt
  207. +9 −0 application/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/schema/HTML.Trusted.txt
  208. +11 −0 application/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/schema/HTML.XHTML.txt
  209. +10 −0 application/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/schema/Output.CommentScriptContents.txt
  210. +15 −0 application/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/schema/Output.FixInnerHTML.txt
  211. +11 −0 application/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/schema/Output.FlashCompat.txt
  212. +13 −0 application/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/schema/Output.Newline.txt
  213. +14 −0 application/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/schema/Output.SortAttr.txt
  214. +25 −0 application/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/schema/Output.TidyFormat.txt
  215. +7 −0 application/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/schema/Test.ForceNoIconv.txt
  216. +17 −0 application/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/schema/URI.AllowedSchemes.txt
  217. +17 −0 application/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/schema/URI.Base.txt
  218. +10 −0 application/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/schema/URI.DefaultScheme.txt
  219. +11 −0 application/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/schema/URI.DefinitionID.txt
  220. +11 −0 application/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/schema/URI.DefinitionRev.txt
  221. +14 −0 application/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/schema/URI.Disable.txt
  222. +11 −0 application/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/schema/URI.DisableExternal.txt
  223. +13 −0 application/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/schema/URI.DisableExternalResources.txt
  224. +15 −0 application/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/schema/URI.DisableResources.txt
  225. +19 −0 application/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/schema/URI.Host.txt
  226. +9 −0 application/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/schema/URI.HostBlacklist.txt
  227. +13 −0 application/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/schema/URI.MakeAbsolute.txt
  228. +83 −0 application/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/schema/URI.Munge.txt
  229. +17 −0 application/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/schema/URI.MungeResources.txt
  230. +30 −0 application/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/schema/URI.MungeSecretKey.txt
  231. +9 −0 application/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/schema/URI.OverrideAllowedSchemes.txt
  232. +22 −0 application/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/schema/URI.SafeIframeRegexp.txt
  233. +3 −0 application/libraries/htmlpurifier/HTMLPurifier/ConfigSchema/schema/info.ini
  234. +155 −0 application/libraries/htmlpurifier/HTMLPurifier/ContentSets.php
  235. +82 −0 application/libraries/htmlpurifier/HTMLPurifier/Context.php
  236. +50 −0 application/libraries/htmlpurifier/HTMLPurifier/Definition.php
  237. +108 −0 application/libraries/htmlpurifier/HTMLPurifier/DefinitionCache.php
  238. +62 −0 application/libraries/htmlpurifier/HTMLPurifier/DefinitionCache/Decorator.php
  239. +43 −0 application/libraries/htmlpurifier/HTMLPurifier/DefinitionCache/Decorator/Cleanup.php
  240. +46 −0 application/libraries/htmlpurifier/HTMLPurifier/DefinitionCache/Decorator/Memory.php
  241. +47 −0 application/libraries/htmlpurifier/HTMLPurifier/DefinitionCache/Decorator/Template.php.in
  242. +39 −0 application/libraries/htmlpurifier/HTMLPurifier/DefinitionCache/Null.php
  243. +191 −0 application/libraries/htmlpurifier/HTMLPurifier/DefinitionCache/Serializer.php
  244. BIN ...HTMLPurifier/DefinitionCache/Serializer/HTML/4.5.0,13c3933dafea215dd3045ef97f3cf8230304e6ae,1.ser
  245. BIN ...HTMLPurifier/DefinitionCache/Serializer/HTML/4.5.0,48c66b36f832d31ddeb0bd1df231a8b404e9ce91,1.ser
  246. BIN ...HTMLPurifier/DefinitionCache/Serializer/HTML/4.5.0,bd08c5afbc77123dbd4e9e026a723c450e9f844b,1.ser
  247. BIN ...HTMLPurifier/DefinitionCache/Serializer/HTML/4.5.0,c025fd58185e35b4d1117abfd9869ab4087f03ce,1.ser
  248. +3 −0 application/libraries/htmlpurifier/HTMLPurifier/DefinitionCache/Serializer/README
  249. BIN .../HTMLPurifier/DefinitionCache/Serializer/URI/4.5.0,10a7f1a4d1fdb0b461bc5b6e5a9c2f9a4a0ec765,1.ser
  250. BIN .../HTMLPurifier/DefinitionCache/Serializer/URI/4.5.0,8d03c8ec0e84e7feb92afd4c0f1735841b5fdacf,1.ser
  251. +91 −0 application/libraries/htmlpurifier/HTMLPurifier/DefinitionCacheFactory.php
  252. +60 −0 application/libraries/htmlpurifier/HTMLPurifier/Doctype.php
  253. +103 −0 application/libraries/htmlpurifier/HTMLPurifier/DoctypeRegistry.php
  254. +195 −0 application/libraries/htmlpurifier/HTMLPurifier/ElementDef.php
  255. +545 −0 application/libraries/htmlpurifier/HTMLPurifier/Encoder.php
  256. +44 −0 application/libraries/htmlpurifier/HTMLPurifier/EntityLookup.php
  257. +1 −0 application/libraries/htmlpurifier/HTMLPurifier/EntityLookup/entities.ser
  258. +144 −0 application/libraries/htmlpurifier/HTMLPurifier/EntityParser.php
  259. +209 −0 application/libraries/htmlpurifier/HTMLPurifier/ErrorCollector.php
  260. +60 −0 application/libraries/htmlpurifier/HTMLPurifier/ErrorStruct.php
  261. +12 −0 application/libraries/htmlpurifier/HTMLPurifier/Exception.php
  262. +46 −0 application/libraries/htmlpurifier/HTMLPurifier/Filter.php
  263. +289 −0 application/libraries/htmlpurifier/HTMLPurifier/Filter/ExtractStyleBlocks.php
  264. +39 −0 application/libraries/htmlpurifier/HTMLPurifier/Filter/YouTube.php
  265. +254 −0 application/libraries/htmlpurifier/HTMLPurifier/Generator.php
  266. +425 −0 application/libraries/htmlpurifier/HTMLPurifier/HTMLDefinition.php
  267. +244 −0 application/libraries/htmlpurifier/HTMLPurifier/HTMLModule.php
  268. +31 −0 application/libraries/htmlpurifier/HTMLPurifier/HTMLModule/Bdo.php
  269. +26 −0 application/libraries/htmlpurifier/HTMLPurifier/HTMLModule/CommonAttributes.php
  270. +38 −0 application/libraries/htmlpurifier/HTMLPurifier/HTMLModule/Edit.php
  271. +119 −0 application/libraries/htmlpurifier/HTMLPurifier/HTMLModule/Forms.php
  272. +31 −0 application/libraries/htmlpurifier/HTMLPurifier/HTMLModule/Hypertext.php
  273. +38 −0 application/libraries/htmlpurifier/HTMLPurifier/HTMLModule/Iframe.php
  274. +40 −0 application/libraries/htmlpurifier/HTMLPurifier/HTMLModule/Image.php
  275. +159 −0 application/libraries/htmlpurifier/HTMLPurifier/HTMLModule/Legacy.php
  276. +43 −0 application/libraries/htmlpurifier/HTMLPurifier/HTMLModule/List.php
  277. +21 −0 application/libraries/htmlpurifier/HTMLPurifier/HTMLModule/Name.php
  278. +19 −0 application/libraries/htmlpurifier/HTMLPurifier/HTMLModule/Nofollow.php
  279. +14 −0 application/libraries/htmlpurifier/HTMLPurifier/HTMLModule/NonXMLCommonAttributes.php
  280. +47 −0 application/libraries/htmlpurifier/HTMLPurifier/HTMLModule/Object.php
  281. +36 −0 application/libraries/htmlpurifier/HTMLPurifier/HTMLModule/Presentation.php
  282. +33 −0 application/libraries/htmlpurifier/HTMLPurifier/HTMLModule/Proprietary.php
  283. +27 −0 application/libraries/htmlpurifier/HTMLPurifier/HTMLModule/Ruby.php
  284. +34 −0 application/libraries/htmlpurifier/HTMLPurifier/HTMLModule/SafeEmbed.php
  285. +52 −0 application/libraries/htmlpurifier/HTMLPurifier/HTMLModule/SafeObject.php
  286. +37 −0 application/libraries/htmlpurifier/HTMLPurifier/HTMLModule/SafeScripting.php
  287. +54 −0 application/libraries/htmlpurifier/HTMLPurifier/HTMLModule/Scripting.php
  288. +24 −0 application/libraries/htmlpurifier/HTMLPurifier/HTMLModule/StyleAttribute.php
  289. +69 −0 application/libraries/htmlpurifier/HTMLPurifier/HTMLModule/Tables.php
  290. +23 −0 application/libraries/htmlpurifier/HTMLPurifier/HTMLModule/Target.php
  291. +19 −0 application/libraries/htmlpurifier/HTMLPurifier/HTMLModule/TargetBlank.php
  292. +71 −0 application/libraries/htmlpurifier/HTMLPurifier/HTMLModule/Text.php
  293. +207 −0 application/libraries/htmlpurifier/HTMLPurifier/HTMLModule/Tidy.php
  294. +24 −0 application/libraries/htmlpurifier/HTMLPurifier/HTMLModule/Tidy/Name.php
  295. +24 −0 application/libraries/htmlpurifier/HTMLPurifier/HTMLModule/Tidy/Proprietary.php
  296. +21 −0 application/libraries/htmlpurifier/HTMLPurifier/HTMLModule/Tidy/Strict.php
  297. +9 −0 application/libraries/htmlpurifier/HTMLPurifier/HTMLModule/Tidy/Transitional.php
  298. +17 −0 application/libraries/htmlpurifier/HTMLPurifier/HTMLModule/Tidy/XHTML.php
  299. +161 −0 application/libraries/htmlpurifier/HTMLPurifier/HTMLModule/Tidy/XHTMLAndHTML4.php
  300. +14 −0 application/libraries/htmlpurifier/HTMLPurifier/HTMLModule/XMLCommonAttributes.php
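--- a/application/controllers/admin/reports.php
+++ b/application/controllers/admin/reports.php
@@ -102,7 +102,7 @@ public function index($page = 1)
 $order_field = 'date'; $sort = 'DESC';
 if (isset($_GET['order']))
 {
-$order_field = htmlentities($_GET['order']);
+$order_field = html::escape($_GET['order']);
 }
 if (isset($_GET['sort']))
 {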
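Review bot: `html::escape($_GET['order'])` applies HTML-context escaping to a value assigned to `$order_field`, which the default `'date'` suggests is a sort column name rather than something rendered, so the escaping is the wrong control for how the value appears to be consumed and most non-HTML input passes through it unchanged. Validate against the set of sortable columns instead, e.g. `$order_field = in_array($_GET['order'], $allowed_order_fields /* the column allowlist */, TRUE) ? $_GET['order'] : 'date';`, and keep `html::escape()` for the point where the value is echoed into a page. Where `$order_field` is actually consumed lies outside this hunk, as does the rest of `index()`, so the allowlist contents have to be taken from there.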
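--- a/application/controllers/feed.php
+++ b/application/controllers/feed.php
@@ -105,12 +105,12 @@ public function index($feedtype = 'rss2')
 //header("Content-Type: text/xml; charset=utf-8");
 $view = new View('feed/'.$feedtype);
-$view->feed_title = htmlspecialchars(Kohana::config('settings.site_name'));
+$view->feed_title = Kohana::config('settings.site_name');
 $view->site_url = $site_url;
 $view->georss = 1; // this adds georss namespace in the feed
 $view->feed_url = $site_url.$feedpath;
 $view->feed_date = gmdate("D, d M Y H:i:s T", time());
-$view->feed_description = htmlspecialchars(Kohana::lang('ui_admin.incident_feed').' '.Kohana::config('settings.site_name'));
+$view->feed_description = Kohana::lang('ui_admin.incident_feed').' '.Kohana::config('settings.site_name');
 $view->items = $feed_items;
 $view->render(TRUE);
 }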
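Review bot: Removing `htmlspecialchars()` from `feed_title` and `feed_description` moves the escaping responsibility into the `feed/<feedtype>` view, which this hunk does not show; if that view echoes the values raw, a site name containing `&` or `<` now produces malformed XML, and feed readers that render titles as HTML receive unescaped markup. Confirm every such view wraps these with `html::escape()` at the point of output, or keep the escaping here; a comment on the assignment, `// escaped in the feed view, not here`, would record where the responsibility now sits. `index()` starts outside the hunk.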
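--- a/application/controllers/json.php
+++ b/application/controllers/json.php
@@ -685,11 +685,9 @@ protected function get_geometry($incident_id, $incident_title, $incident_date, $
 $title = ($item->geometry_label) ? $item->geometry_label : $incident_title;
 $item_name = $this->get_title($title, $incident_link);
-$fillcolor = ($item->geometry_color) ?
-utf8tohtml::convert($item->geometry_color,TRUE) : "ffcc66";
+$fillcolor = ($item->geometry_color) ? $item->geometry_color : "ffcc66";
-$strokecolor = ($item->geometry_color) ?
-utf8tohtml::convert($item->geometry_color,TRUE) : "CC0000";
+$strokecolor = ($item->geometry_color) ? $item->geometry_color : "CC0000";
 $strokewidth = ($item->geometry_strokewidth) ? $item->geometry_strokewidth : "3";
@@ -699,7 +697,7 @@ protected function get_geometry($incident_id, $incident_title, $incident_date, $
 'id' => $incident_id,
 'feature_id' => $item->id,
 'name' => $item_name,
-'description' => utf8tohtml::convert($item->geometry_comment,TRUE),
+'description' => $item->geometry_comment,
 'color' => $fillcolor,
 'icon' => '',
 'strokecolor' => $strokecolor,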
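Review bot: `'description' => $item->geometry_comment` now places the stored comment into the JSON without the `utf8tohtml::convert()` pass the commit removes, and nothing in this hunk shows the JavaScript consumer escaping `description` before it is inserted into the map popup; if it does not, markup in a comment is rendered as HTML. If sanitizing at the source is the intent, use the new helper: `'description' => html::clean($item->geometry_comment),`. The colours in the first hunk only ever need to be a hex triplet, so a format check is stricter than any escaping: `$fillcolor = preg_match('/^[0-9A-Fa-f]{6}$/', $item->geometry_color) ? $item->geometry_color : "ffcc66";` and likewise for `$strokecolor`. Whether the consumer escapes cannot be seen from here, and `get_geometry()` starts and ends outside the hunk.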
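--- a/application/controllers/members/reports.php
+++ b/application/controllers/members/reports.php
@@ -786,10 +786,4 @@ private function _get_searchstring($keyword_raw)
 return "1=1";
 }
 }
-
-private function _csv_text($text)
-{
-$text = stripslashes(htmlspecialchars($text));
-return $text;
-}
 }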
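--- a/application/controllers/reports.php
+++ b/application/controllers/reports.php
@@ -547,10 +547,10 @@ public function view($id = FALSE)
 }
 else
 {
-$comment->comment_author = strip_tags($post->comment_author);
-$comment->comment_email = strip_tags($post->comment_email);
+$comment->comment_author = html::strip_tags($post->comment_author, FALSE);
+$comment->comment_email = html::strip_tags($post->comment_email, FALSE);
 }
-$comment->comment_description = strip_tags($post->comment_description);
+$comment->comment_description = html::strip_tags($post->comment_description, FALSE);
 $comment->comment_ip = $_SERVER['REMOTE_ADDR'];
 $comment->comment_date = date("Y-m-d H:i:s",time());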
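Review bot: The three changed lines call `html::strip_tags()` statically, but the helper this commit adds in `application/helpers/MY_html.php` declares both `clean()` and `strip_tags()` as instance methods (`public function`, no `static`); calling them statically is an E_STRICT notice on old PHP, deprecated on PHP 7 and a fatal error on PHP 8. Declare them `public static function clean($input)` and `public static function strip_tags($input, $encode = TRUE)` in the helper, which is how the parent `html_Core` helpers are called everywhere else. The same applies to the `html::clean()` call in `application/controllers/scheduler/s_alerts.php`. Separately, `FALSE` as the second argument stores stripped but unencoded text, so the views that display `comment_author`, `comment_email` and `comment_description` must still escape on output; `view()` starts and ends outside the hunk.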
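--- a/application/controllers/scheduler/s_alerts.php
+++ b/application/controllers/scheduler/s_alerts.php
@@ -91,6 +91,7 @@ public function index()
 // Convert HTML to Text
 $incident_description = $incident->incident_description;
 $incident_url = url::site().'reports/view/'.$incident->id;
+$incident_description = html::clean($incident_description);
 $html2text = new Html2Text($incident_description);
 $incident_description = $html2text->get_text();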
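Review bot: `html::clean()` as added in `application/helpers/MY_html.php` builds a fresh `HTMLPurifier_Config` and `HTMLPurifier` on every call, and the added line sits in what reads like a per-incident path of the alert scheduler (the enclosing loop, if any, is outside the hunk); if it runs once per incident or per subscriber, that construction cost is paid repeatedly for identical configuration. Caching the configured purifier in a static local inside the helper (`static $purifier = NULL; if ($purifier === NULL) { ... }`) keeps this call site unchanged and removes the repeated setup. A short comment on the added line, `// purify first so Html2Text only sees allowed markup`, would also make the ordering before `new Html2Text(...)` deliberate rather than incidental. `index()` starts and ends outside the hunk.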
78 application/helpers/MY_html.php
@@ -0,0 +1,78 @@
+<?php defined('SYSPATH') OR die('No direct access allowed.');
+/**
+ * HTML helper class.
+ *
+ * LICENSE: This source file is subject to LGPL license
+ * that is available through the world-wide-web at the following URI:
+ * http://www.gnu.org/copyleft/lesser.html
+ * @author Ushahidi Team <team@ushahidi.com>
+ * @package Ushahidi - http://source.ushahididev.com
+ * @module File Helper
+ * @copyright Ushahidi - http://www.ushahidi.com
+ * @license http://www.gnu.org/copyleft/lesser.html GNU Lesser General Public License (LGPL)
+ */
+class html extends html_Core {
+
+ /**
+ * Helper function for easy use of HTMLPurifier
+ */
+ public function clean($input)
+ {
+ require_once APPPATH.'libraries/htmlpurifier/HTMLPurifier.auto.php';
+
+ $config = HTMLPurifier_Config::createDefault();
+ // Defaults to UTF-8
+ // $config->set('Core.Encoding', 'UTF-8');
+ // $config->set('HTML.Doctype', 'XHTML 1.0 Transitional');
+ $config->set('Core.EnableIDNA', TRUE);
+ $config->set('HTML.Allowed', "a[href|title],p,img[src|alt],br,b,u,strong,em,i");
+ // Allow some basic iframes
+ $config->set('HTML.SafeIframe', true);
+ $config->set('URI.SafeIframeRegexp',
+ '%^http://(www.youtube.com/embed/|player.vimeo.com/video/|w.soundcloud.com/player)%'
+ );
+ $config->set('Filter.YouTube', true);
+ $purifier = new HTMLPurifier($config);
+ $clean_html = $purifier->purify($input);
+
+ return $clean_html;
+ }
+
+ /**
+ * Helper function to clean and escape plaintext before display
+ *
+ * This should be used to strip tags and then escape html entities, etc.
+ */
+ public function strip_tags($input, $encode = TRUE)
+ {
+ require_once APPPATH.'libraries/htmlpurifier/HTMLPurifier.auto.php';
+
+ $config = HTMLPurifier_Config::createDefault();
+ // Defaults to UTF-8
+ // $config->set('Core.Encoding', 'UTF-8');
+ // $config->set('HTML.Doctype', 'XHTML 1.0 Transitional');
+ $config->set('Core.EnableIDNA', TRUE);
+ $config->set('HTML.Allowed', "");
+
+ $purifier = new HTMLPurifier($config);
+ $clean_html = $purifier->purify($input);
+
+ return $encode ? self::escape($clean_html) : $clean_html;
+ }
+
+ /**
+ * Helper function to escape plaintext before display
+ *
+ * This should be used to escape html entities, etc.
+ */
+ public function escape($input)
+ {
+ // Ensure we have valid correctly encoded string..
+ // http://stackoverflow.com/questions/1412239/why-call-mb-convert-encoding-to-sanitize-text
+ $input = mb_convert_encoding($input, "UTF-8", "UTF-8");
+ // why are we using html entities? this -> http://stackoverflow.com/a/110576/992171
+ return htmlentities($input, ENT_QUOTES, 'UTF-8');
+ }
+
+}
+
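Review bot: `clean()`, `strip_tags()` and `escape()` are declared as instance methods (`public function ...`) but every caller in this commit invokes them statically (`html::clean(...)`, `html::strip_tags(...)`, `html::escape(...)`, and `self::escape()` inside `strip_tags()` itself), which is an E_STRICT notice on PHP 5 and a fatal error on PHP 8; declare them `public static function clean($input)` (likewise `strip_tags` and `escape`), which presumably also matches the static style of the Kohana `html_Core` parent. In `URI.SafeIframeRegexp` the dots in the host names are unescaped, so each `.` matches any character and a host name that differs from the intended ones only at those positions still satisfies the pattern; escape them, `'%^http://(www\.youtube\.com/embed/|player\.vimeo\.com/video/|w\.soundcloud\.com/player)%'`, and consider `https?://` since these embeds are also served over TLS. Both helpers build a fresh `HTMLPurifier_Config` and `HTMLPurifier` on every call; caching each configured purifier in a `static` local would avoid repeating the definition set-up for every field rendered. The class docblock still reads `@module File Helper` and should say `HTML Helper`.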
10 application/helpers/category.php
@@ -194,8 +194,8 @@ public static function get_category_tree_data($count = FALSE, $include_hidden =
$category_data[$category->id] = array(
'category_id' => $category->id,
- 'category_title' => htmlentities(Category_Lang_Model::category_title($category->id), ENT_QUOTES, "UTF-8"),
- 'category_description' => htmlentities(Category_Lang_Model::category_description($category->id), ENT_QUOTES, "UTF-8"),
+ 'category_title' => html::escape(Category_Lang_Model::category_title($category->id)),
+ 'category_description' => html::escape(Category_Lang_Model::category_description($category->id)),
'category_color' => $category->category_color,
'category_image' => $category->category_image,
'children' => $children,
@@ -226,8 +226,8 @@ public static function get_category_tree_data($count = FALSE, $include_hidden =
// Add children
$category_data[$category->parent_id]['children'][$category->id] = array(
'category_id' => $category->id,
- 'category_title' => htmlentities(Category_Lang_Model::category_title($category->id), ENT_QUOTES, "UTF-8"),
- 'category_description' => htmlentities(Category_Lang_Model::category_description($category->id), ENT_QUOTES, "UTF-8"),
+ 'category_title' => html::escape(Category_Lang_Model::category_title($category->id)),
+ 'category_description' => html::escape(Category_Lang_Model::category_description($category->id)),
'parent_id' => $category->parent_id,
'category_color' => $category->category_color,
'category_image' => $category->category_image,
@@ -264,7 +264,7 @@ private static function _generate_treeview_html($category_data)
$tree_html .= "<li".$category_class.">"
. "<a href=\"#\" class=\"cat_selected\" id=\"filter_link_cat_".$id."\" title=\"{$category['category_description']}\">"
. "<span class=\"item-swatch\" style=\"background-color: #".$category['category_color']."\">$category_image</span>"
- . "<span class=\"item-title\">".strip_tags($category['category_title'])."</span>"
+ . "<span class=\"item-title\">".html::strip_tags($category['category_title'])."</span>"
. "<span class=\"item-count\">".$category['report_count']."</span>"
. "</a></li>";
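Review bot: The new `html::strip_tags($category['category_title'])` call in `_generate_treeview_html` runs with the default `$encode = TRUE`, so the title is HTML-encoded a second time if `$category_data` comes from `get_category_tree_data()`, whose two hunks above already store `html::escape(...)` output in `category_title` (an `&` in a title would render as the literal text `&amp;`). The old code only called `strip_tags()` without encoding, so this is a behaviour change the commit does not mention; pass `FALSE` here, `html::strip_tags($category['category_title'], FALSE)`, or drop the call since the value is already escaped. `_generate_treeview_html` starts and ends outside the hunk.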
48 application/helpers/utf8tohtml.php
@@ -1,48 +0,0 @@
-<?php
-// This function lifted from php.net: http://www.php.net/manual/en/function.htmlentities.php#96648
-
-// converts a UTF8-string into HTML entities
-// - $utf8: the UTF8-string to convert
-// - $encodeTags: booloean. TRUE will convert "<" to "&lt;"
-// - return: returns the converted HTML-string
-class utf8tohtml {
- public function convert($utf8, $encodeTags) {
- $result = '';
- for ($i = 0; $i < strlen($utf8); $i++) {
- $char = $utf8[$i];
- $ascii = ord($char);
- if ($ascii < 128) {
- // one-byte character
- $result .= ($encodeTags) ? htmlentities($char) : $char;
- } else if ($ascii < 192) {
- // non-utf8 character or not a start byte
- } else if ($ascii < 224) {
- // two-byte character
- $result .= htmlentities(substr($utf8, $i, 2), ENT_QUOTES, 'UTF-8');
- $i++;
- } else if ($ascii < 240) {
- // three-byte character
- $ascii1 = ord($utf8[$i+1]);
- $ascii2 = ord($utf8[$i+2]);
- $unicode = (15 & $ascii) * 4096 +
- (63 & $ascii1) * 64 +
- (63 & $ascii2);
- $result .= "&#$unicode;";
- $i += 2;
- } else if ($ascii < 248) {
- // four-byte character
- $ascii1 = ord($utf8[$i+1]);
- $ascii2 = ord($utf8[$i+2]);
- $ascii3 = ord($utf8[$i+3]);
- $unicode = (15 & $ascii) * 262144 +
- (63 & $ascii1) * 4096 +
- (63 & $ascii2) * 64 +
- (63 & $ascii3);
- $result .= "&#$unicode;";
- $i += 3;
- }
- }
- return $result;
- }
-}
-?>
7 application/hooks/actions.php
@@ -862,11 +862,8 @@ public function __response_create_report($vars)
// If this is a feed item
elseif (isset($this->data->item_title))
{
- $incident_title = strip_tags(html_entity_decode(html_entity_decode($this->data->item_title, ENT_QUOTES)));
- $incident_description = strip_tags(
- // @todo place with real html sanitizing
- str_ireplace(array('<p>','</p>','<br>','<br />','<br/>'), "\n", html_entity_decode($this->data->item_description, ENT_QUOTES))
- );
+ $incident_title = html::strip_tags(html_entity_decode(html_entity_decode($this->data->item_title, ENT_QUOTES)));
+ $incident_description = html::clean(html_entity_decode($this->data->item_description, ENT_QUOTES));
$incident_date = $this->data->item_date;
}
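Review bot: After this change the feed item title is stored HTML-encoded (`html::strip_tags` defaults to `$encode = TRUE`) while the description is stored as purified HTML and the comment fields elsewhere in this commit are stored unencoded (`html::strip_tags(..., FALSE)`), so the persisted data now mixes conventions and any display path that escapes on output would show `&amp;`-style text in titles. Pick one convention — store cleaned, unencoded text and escape at render time — and pass `FALSE` here: `$incident_title = html::strip_tags(html_entity_decode(html_entity_decode($this->data->item_title, ENT_QUOTES)), FALSE);`. Note also that `html::clean()` replaces the previous `<p>`/`<br>`-to-newline conversion, so any consumer that treated `incident_description` as plain text should be checked. `__response_create_report` starts and ends outside the hunk.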
7 application/libraries/Imap.php
@@ -183,16 +183,17 @@ public function get_messages($search_criteria="UNSEEN",
// This isn't the perfect solution but windows-1256 encoding doesn't work with mb_detect_encoding()
// so if it doesn't return an encoding, lets assume it's arabic. (sucks)
- if(mb_detect_encoding($body, 'auto', true) == '')
+ if(mb_detect_encoding($body, 'auto', TRUE) == '')
{
$body = iconv("windows-1256", "UTF-8", $body);
}
// Convert to valid UTF8
$detected_encoding = mb_detect_encoding($body, "auto");
if($detected_encoding == 'ASCII') $detected_encoding = 'iso-8859-1';
- $body = htmlentities($body,NULL,$detected_encoding);
- $subject = htmlentities(strip_tags($subject),NULL,'UTF-8');
+ $body = mb_convert_encoding($body, $detected_encoding, 'UTF-8');
+ $body = html::escape($body);
+ $subject = html::strip_tags($subject);
array_push($messages, array('message_id' => $message_id,
'date' => $date,
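Review bot: The new `mb_convert_encoding` call has its encodings reversed: the signature is `mb_convert_encoding($string, $to_encoding, $from_encoding)`, so this converts the body *from* UTF-8 *to* `$detected_encoding`, the opposite of what the "Convert to valid UTF8" comment and the following `html::escape()` (which assumes UTF-8 input) require; it should read `$body = mb_convert_encoding($body, 'UTF-8', $detected_encoding);`. When the detected encoding is already UTF-8 the call is a no-op, so the defect only shows for mail detected as another encoding, where `html::escape()`'s own `mb_convert_encoding($input, "UTF-8", "UTF-8")` will then drop the bytes that are not valid UTF-8. `get_messages()` starts and ends outside the hunk.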
3 application/libraries/MY_Controller.php
@@ -77,5 +77,8 @@ public function __construct()
url::redirect('login');
}
}
+
+ // Set default content-type header
+ header('Content-type: text/html; charset=UTF-8');
}
}
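Review bot: Sending `Content-type: text/html; charset=UTF-8` from the base constructor applies to every controller derived from it, including any that emit JSON, RSS/Atom or KML rather than HTML; those controllers must now set their own `Content-Type` after the parent constructor runs or they are served with the wrong type. A comment stating that contract here would make the intent clear, e.g. `// Default for HTML responses; non-HTML controllers (JSON, feeds, KML) must override this header`, and wrapping the call in `if ( ! headers_sent())` avoids a warning when output has already started. `__construct` starts outside the hunk.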
10 application/libraries/VideoEmbed.php
@@ -160,7 +160,7 @@ public function embed($raw, $auto = FALSE, $echo = TRUE)
$you_auto = ($auto) ? "&autoplay=1" : "";
$output = '<iframe id="ytplayer" type="text/html" width="320" height="265" '
- . 'src="http://www.youtube.com/embed/'.htmlentities($code, ENT_QUOTES, "UTF-8").'?origin='.urlencode(url::base()).htmlentities($you_auto, ENT_QUOTES, "UTF-8").'" '
+ . 'src="http://www.youtube.com/embed/'.html::escape($code).'?origin='.urlencode(url::base()).html::escape($you_auto).'" '
. 'frameborder="0"></iframe>';
break;
@@ -169,29 +169,29 @@ public function embed($raw, $auto = FALSE, $echo = TRUE)
$google_auto = ($auto) ? "&autoPlay=true" : "";
$output = "<embed style='width:320px; height:265px;' id='VideoPlayback' type='application/x-shockwave-flash'"
- . " src='http://video.google.com/googleplayer.swf?docId=-".htmlentities($code.$google_auto, ENT_QUOTES, "UTF-8")."&hl=en' flashvars=''>"
+ . " src='http://video.google.com/googleplayer.swf?docId=-".html::escape($code.$google_auto)."&hl=en' flashvars=''>"
. "</embed>";
break;
case "metacafe":
// Sanitize input
$code = strrev(trim(strrev($code), "/"));
- $output = "<embed src='http://www.metacafe.com/fplayer/".htmlentities($code, ENT_QUOTES, "UTF-8").".swf'"
+ $output = "<embed src='http://www.metacafe.com/fplayer/".html::escape($code).".swf'"
. " width='320' height='265' wmode='transparent' pluginspage='http://get.adobe.com/flashplayer/'"
. " type='application/x-shockwave-flash'> "
. "</embed>";
break;
case "dotsub":
- $output = "<iframe src='http://dotsub.com/media/".htmlentities($code, ENT_QUOTES, "UTF-8")."' frameborder='0' width='320' height='500'></iframe>";
+ $output = "<iframe src='http://dotsub.com/media/".html::escape($code)."' frameborder='0' width='320' height='500'></iframe>";
break;
case "vimeo":
$vimeo_auto = ($auto) ? "?autoplay=1" : "";
- $output = '<iframe src="http://player.vimeo.com/video/'.htmlentities($code.$vimeo_auto, ENT_QUOTES, "UTF-8").'" width="320" height="265" frameborder="0">'
+ $output = '<iframe src="http://player.vimeo.com/video/'.html::escape($code.$vimeo_auto).'" width="320" height="265" frameborder="0">'
. '</iframe>';
break;
}
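Review bot: `html::escape($code)` is the correct escaping for the HTML attribute context, but it is only escaping: `$code` is still spliced into a URL path, so characters such as `/`, `?` and `#` pass through and change which resource the iframe or embed loads. URL-encode the identifier before HTML-escaping it, keeping the `$you_auto`/`$vimeo_auto` query suffixes outside the encoding (e.g. `html::escape(rawurlencode($code).$vimeo_auto)`), or validate `$code` against each service's id format the way the `metacafe` case already trims it. `embed()` starts and ends outside the hunk.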
4 application/libraries/XMLImporter.php
@@ -313,7 +313,7 @@ public function import_categories($categories)
// Also add it to the array of categories added during import
$this->categories_added[] = $new_category->id;
- $this->notices[] = Kohana::lang('import.new_category').htmlspecialchars($cat_title);
+ $this->notices[] = Kohana::lang('import.new_category').html::escape($cat_title);
}
/* Category Translations */
@@ -687,7 +687,7 @@ public function import_reports($reports)
// If report date is not in the required format
if ( ! strtotime($report_date))
{
- $this->errors[] = Kohana::lang('import.incident_date').$this->totalreports.': '.htmlspecialchars($report_date);
+ $this->errors[] = Kohana::lang('import.incident_date').$this->totalreports.': '.html::escape($report_date);
}
// Report title and date(in correct format) both provided, proceed
10 application/libraries/api/MY_Comments_Api_Object.php
@@ -695,11 +695,11 @@ private function _add_comment()
}
$comment = new Comment_Model();
- $comment->incident_id = strip_tags($incident_id);
- $comment->checkin_id = strip_tags($checkin_id);
- $comment->comment_author = strip_tags($comment_author);
- $comment->comment_description = strip_tags($post->comment_description);
- $comment->comment_email = strip_tags($comment_email);
+ $comment->incident_id = intval($incident_id);
+ $comment->checkin_id = intval($checkin_id);
+ $comment->comment_author = html::strip_tags($comment_author, FALSE);
+ $comment->comment_description = html::strip_tags($post->comment_description, FALSE);
+ $comment->comment_email = html::strip_tags($comment_email, FALSE);
$comment->comment_ip = $_SERVER['REMOTE_ADDR'];
$comment->comment_date = date("Y-m-d H:i:s", time());
9 application/libraries/htmlpurifier/CREDITS
@@ -0,0 +1,9 @@
+
+CREDITS
+
+Almost everything written by Edward Z. Yang (Ambush Commander). Lots of thanks
+to the DevNetwork Community for their help (see docs/ref-devnetwork.html for
+more details), Feyd especially (namely IPv6 and optimization). Thanks to RSnake
+for letting me package his fantastic XSS cheatsheet for a smoketest.
+
+ vim: et sw=4 sts=4
11 application/libraries/htmlpurifier/HTMLPurifier.auto.php
@@ -0,0 +1,11 @@
+<?php
+
+/**
+ * This is a stub include that automatically configures the include path.
+ */
+
+set_include_path(dirname(__FILE__) . PATH_SEPARATOR . get_include_path() );
+require_once 'HTMLPurifier/Bootstrap.php';
+require_once 'HTMLPurifier.autoload.php';
+
+// vim: et sw=4 sts=4
26 application/libraries/htmlpurifier/HTMLPurifier.autoload.php
@@ -0,0 +1,26 @@
+<?php
+
+/**
+ * @file
+ * Convenience file that registers autoload handler for HTML Purifier.
+ * It also does some sanity checks.
+ */
+
+if (function_exists('spl_autoload_register') && function_exists('spl_autoload_unregister')) {
+ // We need unregister for our pre-registering functionality
+ HTMLPurifier_Bootstrap::registerAutoload();
+ if (function_exists('__autoload')) {
+ // Be polite and ensure that userland autoload gets retained
+ spl_autoload_register('__autoload');
+ }
+} elseif (!function_exists('__autoload')) {
+ function __autoload($class) {
+ return HTMLPurifier_Bootstrap::autoload($class);
+ }
+}
+
+if (ini_get('zend.ze1_compatibility_mode')) {
+ trigger_error("HTML Purifier is not compatible with zend.ze1_compatibility_mode; please turn it off", E_USER_ERROR);
+}
+
+// vim: et sw=4 sts=4
4 application/libraries/htmlpurifier/HTMLPurifier.composer.php
@@ -0,0 +1,4 @@
+<?php
+if (!defined('HTMLPURIFIER_PREFIX')) {
+ define('HTMLPURIFIER_PREFIX', __DIR__);
+}
23 application/libraries/htmlpurifier/HTMLPurifier.func.php
@@ -0,0 +1,23 @@
+<?php
+
+/**
+ * @file
+ * Defines a function wrapper for HTML Purifier for quick use.
+ * @note ''HTMLPurifier()'' is NOT the same as ''new HTMLPurifier()''
+ */
+
+/**
+ * Purify HTML.
+ * @param $html String HTML to purify
+ * @param $config Configuration to use, can be any value accepted by
+ * HTMLPurifier_Config::create()
+ */
+function HTMLPurifier($html, $config = null) {
+ static $purifier = false;
+ if (!$purifier) {
+ $purifier = new HTMLPurifier();
+ }
+ return $purifier->purify($html, $config);
+}
+
+// vim: et sw=4 sts=4
222 application/libraries/htmlpurifier/HTMLPurifier.includes.php
@@ -0,0 +1,222 @@
+<?php
+
+/**
+ * @file
+ * This file was auto-generated by generate-includes.php and includes all of
+ * the core files required by HTML Purifier. Use this if performance is a
+ * primary concern and you are using an opcode cache. PLEASE DO NOT EDIT THIS
+ * FILE, changes will be overwritten the next time the script is run.
+ *
+ * @version 4.5.0
+ *
+ * @warning
+ * You must *not* include any other HTML Purifier files before this file,
+ * because 'require' not 'require_once' is used.
+ *
+ * @warning
+ * This file requires that the include path contains the HTML Purifier
+ * library directory; this is not auto-set.
+ */
+
+require 'HTMLPurifier.php';
+require 'HTMLPurifier/AttrCollections.php';
+require 'HTMLPurifier/AttrDef.php';
+require 'HTMLPurifier/AttrTransform.php';
+require 'HTMLPurifier/AttrTypes.php';
+require 'HTMLPurifier/AttrValidator.php';
+require 'HTMLPurifier/Bootstrap.php';
+require 'HTMLPurifier/Definition.php';
+require 'HTMLPurifier/CSSDefinition.php';
+require 'HTMLPurifier/ChildDef.php';
+require 'HTMLPurifier/Config.php';
+require 'HTMLPurifier/ConfigSchema.php';
+require 'HTMLPurifier/ContentSets.php';
+require 'HTMLPurifier/Context.php';
+require 'HTMLPurifier/DefinitionCache.php';
+require 'HTMLPurifier/DefinitionCacheFactory.php';
+require 'HTMLPurifier/Doctype.php';
+require 'HTMLPurifier/DoctypeRegistry.php';
+require 'HTMLPurifier/ElementDef.php';
+require 'HTMLPurifier/Encoder.php';
+require 'HTMLPurifier/EntityLookup.php';
+require 'HTMLPurifier/EntityParser.php';
+require 'HTMLPurifier/ErrorCollector.php';
+require 'HTMLPurifier/ErrorStruct.php';
+require 'HTMLPurifier/Exception.php';
+require 'HTMLPurifier/Filter.php';
+require 'HTMLPurifier/Generator.php';
+require 'HTMLPurifier/HTMLDefinition.php';
+require 'HTMLPurifier/HTMLModule.php';
+require 'HTMLPurifier/HTMLModuleManager.php';
+require 'HTMLPurifier/IDAccumulator.php';
+require 'HTMLPurifier/Injector.php';
+require 'HTMLPurifier/Language.php';
+require 'HTMLPurifier/LanguageFactory.php';
+require 'HTMLPurifier/Length.php';
+require 'HTMLPurifier/Lexer.php';
+require 'HTMLPurifier/PercentEncoder.php';
+require 'HTMLPurifier/PropertyList.php';
+require 'HTMLPurifier/PropertyListIterator.php';
+require 'HTMLPurifier/Strategy.php';
+require 'HTMLPurifier/StringHash.php';
+require 'HTMLPurifier/StringHashParser.php';
+require 'HTMLPurifier/TagTransform.php';
+require 'HTMLPurifier/Token.php';
+require 'HTMLPurifier/TokenFactory.php';
+require 'HTMLPurifier/URI.php';
+require 'HTMLPurifier/URIDefinition.php';
+require 'HTMLPurifier/URIFilter.php';
+require 'HTMLPurifier/URIParser.php';
+require 'HTMLPurifier/URIScheme.php';
+require 'HTMLPurifier/URISchemeRegistry.php';
+require 'HTMLPurifier/UnitConverter.php';
+require 'HTMLPurifier/VarParser.php';
+require 'HTMLPurifier/VarParserException.php';
+require 'HTMLPurifier/AttrDef/CSS.php';
+require 'HTMLPurifier/AttrDef/Clone.php';
+require 'HTMLPurifier/AttrDef/Enum.php';
+require 'HTMLPurifier/AttrDef/Integer.php';
+require 'HTMLPurifier/AttrDef/Lang.php';
+require 'HTMLPurifier/AttrDef/Switch.php';
+require 'HTMLPurifier/AttrDef/Text.php';
+require 'HTMLPurifier/AttrDef/URI.php';
+require 'HTMLPurifier/AttrDef/CSS/Number.php';
+require 'HTMLPurifier/AttrDef/CSS/AlphaValue.php';
+require 'HTMLPurifier/AttrDef/CSS/Background.php';
+require 'HTMLPurifier/AttrDef/CSS/BackgroundPosition.php';
+require 'HTMLPurifier/AttrDef/CSS/Border.php';
+require 'HTMLPurifier/AttrDef/CSS/Color.php';
+require 'HTMLPurifier/AttrDef/CSS/Composite.php';
+require 'HTMLPurifier/AttrDef/CSS/DenyElementDecorator.php';
+require 'HTMLPurifier/AttrDef/CSS/Filter.php';
+require 'HTMLPurifier/AttrDef/CSS/Font.php';
+require 'HTMLPurifier/AttrDef/CSS/FontFamily.php';
+require 'HTMLPurifier/AttrDef/CSS/Ident.php';
+require 'HTMLPurifier/AttrDef/CSS/ImportantDecorator.php';
+require 'HTMLPurifier/AttrDef/CSS/Length.php';
+require 'HTMLPurifier/AttrDef/CSS/ListStyle.php';
+require 'HTMLPurifier/AttrDef/CSS/Multiple.php';
+require 'HTMLPurifier/AttrDef/CSS/Percentage.php';
+require 'HTMLPurifier/AttrDef/CSS/TextDecoration.php';
+require 'HTMLPurifier/AttrDef/CSS/URI.php';
+require 'HTMLPurifier/AttrDef/HTML/Bool.php';
+require 'HTMLPurifier/AttrDef/HTML/Nmtokens.php';
+require 'HTMLPurifier/AttrDef/HTML/Class.php';
+require 'HTMLPurifier/AttrDef/HTML/Color.php';
+require 'HTMLPurifier/AttrDef/HTML/FrameTarget.php';
+require 'HTMLPurifier/AttrDef/HTML/ID.php';
+require 'HTMLPurifier/AttrDef/HTML/Pixels.php';
+require 'HTMLPurifier/AttrDef/HTML/Length.php';
+require 'HTMLPurifier/AttrDef/HTML/LinkTypes.php';
+require 'HTMLPurifier/AttrDef/HTML/MultiLength.php';
+require 'HTMLPurifier/AttrDef/URI/Email.php';
+require 'HTMLPurifier/AttrDef/URI/Host.php';
+require 'HTMLPurifier/AttrDef/URI/IPv4.php';
+require 'HTMLPurifier/AttrDef/URI/IPv6.php';
+require 'HTMLPurifier/AttrDef/URI/Email/SimpleCheck.php';
+require 'HTMLPurifier/AttrTransform/Background.php';
+require 'HTMLPurifier/AttrTransform/BdoDir.php';
+require 'HTMLPurifier/AttrTransform/BgColor.php';
+require 'HTMLPurifier/AttrTransform/BoolToCSS.php';
+require 'HTMLPurifier/AttrTransform/Border.php';
+require 'HTMLPurifier/AttrTransform/EnumToCSS.php';
+require 'HTMLPurifier/AttrTransform/ImgRequired.php';
+require 'HTMLPurifier/AttrTransform/ImgSpace.php';
+require 'HTMLPurifier/AttrTransform/Input.php';
+require 'HTMLPurifier/AttrTransform/Lang.php';
+require 'HTMLPurifier/AttrTransform/Length.php';
+require 'HTMLPurifier/AttrTransform/Name.php';
+require 'HTMLPurifier/AttrTransform/NameSync.php';
+require 'HTMLPurifier/AttrTransform/Nofollow.php';
+require 'HTMLPurifier/AttrTransform/SafeEmbed.php';
+require 'HTMLPurifier/AttrTransform/SafeObject.php';
+require 'HTMLPurifier/AttrTransform/SafeParam.php';
+require 'HTMLPurifier/AttrTransform/ScriptRequired.php';
+require 'HTMLPurifier/AttrTransform/TargetBlank.php';
+require 'HTMLPurifier/AttrTransform/Textarea.php';
+require 'HTMLPurifier/ChildDef/Chameleon.php';
+require 'HTMLPurifier/ChildDef/Custom.php';
+require 'HTMLPurifier/ChildDef/Empty.php';
+require 'HTMLPurifier/ChildDef/List.php';
+require 'HTMLPurifier/ChildDef/Required.php';
+require 'HTMLPurifier/ChildDef/Optional.php';
+require 'HTMLPurifier/ChildDef/StrictBlockquote.php';
+require 'HTMLPurifier/ChildDef/Table.php';
+require 'HTMLPurifier/DefinitionCache/Decorator.php';
+require 'HTMLPurifier/DefinitionCache/Null.php';
+require 'HTMLPurifier/DefinitionCache/Serializer.php';
+require 'HTMLPurifier/DefinitionCache/Decorator/Cleanup.php';
+require 'HTMLPurifier/DefinitionCache/Decorator/Memory.php';
+require 'HTMLPurifier/HTMLModule/Bdo.php';
+require 'HTMLPurifier/HTMLModule/CommonAttributes.php';
+require 'HTMLPurifier/HTMLModule/Edit.php';
+require 'HTMLPurifier/HTMLModule/Forms.php';
+require 'HTMLPurifier/HTMLModule/Hypertext.php';
+require 'HTMLPurifier/HTMLModule/Iframe.php';
+require 'HTMLPurifier/HTMLModule/Image.php';
+require 'HTMLPurifier/HTMLModule/Legacy.php';
+require 'HTMLPurifier/HTMLModule/List.php';
+require 'HTMLPurifier/HTMLModule/Name.php';
+require 'HTMLPurifier/HTMLModule/Nofollow.php';
+require 'HTMLPurifier/HTMLModule/NonXMLCommonAttributes.php';
+require 'HTMLPurifier/HTMLModule/Object.php';
+require 'HTMLPurifier/HTMLModule/Presentation.php';
+require 'HTMLPurifier/HTMLModule/Proprietary.php';
+require 'HTMLPurifier/HTMLModule/Ruby.php';
+require 'HTMLPurifier/HTMLModule/SafeEmbed.php';
+require 'HTMLPurifier/HTMLModule/SafeObject.php';
+require 'HTMLPurifier/HTMLModule/SafeScripting.php';
+require 'HTMLPurifier/HTMLModule/Scripting.php';
+require 'HTMLPurifier/HTMLModule/StyleAttribute.php';
+require 'HTMLPurifier/HTMLModule/Tables.php';
+require 'HTMLPurifier/HTMLModule/Target.php';
+require 'HTMLPurifier/HTMLModule/TargetBlank.php';
+require 'HTMLPurifier/HTMLModule/Text.php';
+require 'HTMLPurifier/HTMLModule/Tidy.php';
+require 'HTMLPurifier/HTMLModule/XMLCommonAttributes.php';
+require 'HTMLPurifier/HTMLModule/Tidy/Name.php';
+require 'HTMLPurifier/HTMLModule/Tidy/Proprietary.php';
+require 'HTMLPurifier/HTMLModule/Tidy/XHTMLAndHTML4.php';
+require 'HTMLPurifier/HTMLModule/Tidy/Strict.php';
+require 'HTMLPurifier/HTMLModule/Tidy/Transitional.php';
+require 'HTMLPurifier/HTMLModule/Tidy/XHTML.php';
+require 'HTMLPurifier/Injector/AutoParagraph.php';
+require 'HTMLPurifier/Injector/DisplayLinkURI.php';
+require 'HTMLPurifier/Injector/Linkify.php';
+require 'HTMLPurifier/Injector/PurifierLinkify.php';
+require 'HTMLPurifier/Injector/RemoveEmpty.php';
+require 'HTMLPurifier/Injector/RemoveSpansWithoutAttributes.php';
+require 'HTMLPurifier/Injector/SafeObject.php';
+require 'HTMLPurifier/Lexer/DOMLex.php';
+require 'HTMLPurifier/Lexer/DirectLex.php';
+require 'HTMLPurifier/Strategy/Composite.php';
+require 'HTMLPurifier/Strategy/Core.php';
+require 'HTMLPurifier/Strategy/FixNesting.php';
+require 'HTMLPurifier/Strategy/MakeWellFormed.php';
+require 'HTMLPurifier/Strategy/RemoveForeignElements.php';
+require 'HTMLPurifier/Strategy/ValidateAttributes.php';
+require 'HTMLPurifier/TagTransform/Font.php';
+require 'HTMLPurifier/TagTransform/Simple.php';
+require 'HTMLPurifier/Token/Comment.php';
+require 'HTMLPurifier/Token/Tag.php';
+require 'HTMLPurifier/Token/Empty.php';
+require 'HTMLPurifier/Token/End.php';
+require 'HTMLPurifier/Token/Start.php';
+require 'HTMLPurifier/Token/Text.php';
+require 'HTMLPurifier/URIFilter/DisableExternal.php';
+require 'HTMLPurifier/URIFilter/DisableExternalResources.php';
+require 'HTMLPurifier/URIFilter/DisableResources.php';
+require 'HTMLPurifier/URIFilter/HostBlacklist.php';
+require 'HTMLPurifier/URIFilter/MakeAbsolute.php';
+require 'HTMLPurifier/URIFilter/Munge.php';
+require 'HTMLPurifier/URIFilter/SafeIframe.php';
+require 'HTMLPurifier/URIScheme/data.php';
+require 'HTMLPurifier/URIScheme/file.php';
+require 'HTMLPurifier/URIScheme/ftp.php';
+require 'HTMLPurifier/URIScheme/http.php';
+require 'HTMLPurifier/URIScheme/https.php';
+require 'HTMLPurifier/URIScheme/mailto.php';
+require 'HTMLPurifier/URIScheme/news.php';
+require 'HTMLPurifier/URIScheme/nntp.php';
+require 'HTMLPurifier/VarParser/Flexible.php';
+require 'HTMLPurifier/VarParser/Native.php';
30 application/libraries/htmlpurifier/HTMLPurifier.kses.php
@@ -0,0 +1,30 @@
+<?php
+
+/**
+ * @file
+ * Emulation layer for code that used kses(), substituting in HTML Purifier.
+ */
+
+require_once dirname(__FILE__) . '/HTMLPurifier.auto.php';
+
+function kses($string, $allowed_html, $allowed_protocols = null) {
+ $config = HTMLPurifier_Config::createDefault();
+ $allowed_elements = array();
+ $allowed_attributes = array();
+ foreach ($allowed_html as $element => $attributes) {
+ $allowed_elements[$element] = true;
+ foreach ($attributes as $attribute => $x) {
+ $allowed_attributes["$element.$attribute"] = true;
+ }
+ }
+ $config->set('HTML.AllowedElements', $allowed_elements);
+ $config->set('HTML.AllowedAttributes', $allowed_attributes);
+ $allowed_schemes = array();
+ if ($allowed_protocols !== null) {
+ $config->set('URI.AllowedSchemes', $allowed_protocols);
+ }
+ $purifier = new HTMLPurifier($config);
+ return $purifier->purify($string);
+}
+
+// vim: et sw=4 sts=4
11 application/libraries/htmlpurifier/HTMLPurifier.path.php
@@ -0,0 +1,11 @@
+<?php
+
+/**
+ * @file
+ * Convenience stub file that adds HTML Purifier's library file to the path
+ * without any other side-effects.
+ */
+
+set_include_path(dirname(__FILE__) . PATH_SEPARATOR . get_include_path() );
+
+// vim: et sw=4 sts=4
237 application/libraries/htmlpurifier/HTMLPurifier.php
@@ -0,0 +1,237 @@
+<?php
+
+/*! @mainpage
+ *
+ * HTML Purifier is an HTML filter that will take an arbitrary snippet of
+ * HTML and rigorously test, validate and filter it into a version that
+ * is safe for output onto webpages. It achieves this by:
+ *
+ * -# Lexing (parsing into tokens) the document,
+ * -# Executing various strategies on the tokens:
+ * -# Removing all elements not in the whitelist,
+ * -# Making the tokens well-formed,
+ * -# Fixing the nesting of the nodes, and
+ * -# Validating attributes of the nodes; and
+ * -# Generating HTML from the purified tokens.
+ *
+ * However, most users will only need to interface with the HTMLPurifier
+ * and HTMLPurifier_Config.
+ */
+
+/*
+ HTML Purifier 4.5.0 - Standards Compliant HTML Filtering
+ Copyright (C) 2006-2008 Edward Z. Yang
+
+ This library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 2.1 of the License, or (at your option) any later version.
+
+ This library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with this library; if not, write to the Free Software
+ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+/**
+ * Facade that coordinates HTML Purifier's subsystems in order to purify HTML.
+ *
+ * @note There are several points in which configuration can be specified
+ * for HTML Purifier. The precedence of these (from lowest to
+ * highest) is as follows:
+ * -# Instance: new HTMLPurifier($config)
+ * -# Invocation: purify($html, $config)
+ * These configurations are entirely independent of each other and
+ * are *not* merged (this behavior may change in the future).
+ *
+ * @todo We need an easier way to inject strategies using the configuration
+ * object.
+ */
+class HTMLPurifier
+{
+
+ /** Version of HTML Purifier */
+ public $version = '4.5.0';
+
+ /** Constant with version of HTML Purifier */
+ const VERSION = '4.5.0';
+
+ /** Global configuration object */
+ public $config;
+
+ /** Array of extra HTMLPurifier_Filter objects to run on HTML, for backwards compatibility */
+ private $filters = array();
+
+ /** Single instance of HTML Purifier */
+ private static $instance;
+
+ protected $strategy, $generator;
+
+ /**
+ * Resultant HTMLPurifier_Context of last run purification. Is an array
+ * of contexts if the last called method was purifyArray().
+ */
+ public $context;
+
+ /**
+ * Initializes the purifier.
+ * @param $config Optional HTMLPurifier_Config object for all instances of
+ * the purifier, if omitted, a default configuration is
+ * supplied (which can be overridden on a per-use basis).
+ * The parameter can also be any type that
+ * HTMLPurifier_Config::create() supports.
+ */
+ public function __construct($config = null) {
+
+ $this->config = HTMLPurifier_Config::create($config);
+
+ $this->strategy = new HTMLPurifier_Strategy_Core();
+
+ }
+
+ /**
+ * Adds a filter to process the output. First come first serve
+ * @param $filter HTMLPurifier_Filter object
+ */
+ public function addFilter($filter) {
+ trigger_error('HTMLPurifier->addFilter() is deprecated, use configuration directives in the Filter namespace or Filter.Custom', E_USER_WARNING);
+ $this->filters[] = $filter;
+ }
+
+ /**
+ * Filters an HTML snippet/document to be XSS-free and standards-compliant.
+ *
+ * @param $html String of HTML to purify
+ * @param $config HTMLPurifier_Config object for this operation, if omitted,
+ * defaults to the config object specified during this
+ * object's construction. The parameter can also be any type
+ * that HTMLPurifier_Config::create() supports.
+ * @return Purified HTML
+ */
+ public function purify($html, $config = null) {
+
+ // :TODO: make the config merge in, instead of replace
+ $config = $config ? HTMLPurifier_Config::create($config) : $this->config;
+
+ // implementation is partially environment dependant, partially
+ // configuration dependant
+ $lexer = HTMLPurifier_Lexer::create($config);
+
+ $context = new HTMLPurifier_Context();
+
+ // setup HTML generator
+ $this->generator = new HTMLPurifier_Generator($config, $context);
+ $context->register('Generator', $this->generator);
+
+ // set up global context variables
+ if ($config->get('Core.CollectErrors')) {
+ // may get moved out if other facilities use it
+ $language_factory = HTMLPurifier_LanguageFactory::instance();
+ $language = $language_factory->create($config, $context);
+ $context->register('Locale', $language);
+
+ $error_collector = new HTMLPurifier_ErrorCollector($context);
+ $context->register('ErrorCollector', $error_collector);
+ }
+
+ // setup id_accumulator context, necessary due to the fact that
+ // AttrValidator can be called from many places
+ $id_accumulator = HTMLPurifier_IDAccumulator::build($config, $context);
+ $context->register('IDAccumulator', $id_accumulator);
+
+ $html = HTMLPurifier_Encoder::convertToUTF8($html, $config, $context);
+
+ // setup filters
+ $filter_flags = $config->getBatch('Filter');
+ $custom_filters = $filter_flags['Custom'];
+ unset($filter_flags['Custom']);
+ $filters = array();
+ foreach ($filter_flags as $filter => $flag) {
+ if (!$flag) continue;
+ if (strpos($filter, '.') !== false) continue;
+ $class = "HTMLPurifier_Filter_$filter";
+ $filters[] = new $class;
+ }
+ foreach ($custom_filters as $filter) {
+ // maybe "HTMLPurifier_Filter_$filter", but be consistent with AutoFormat
+ $filters[] = $filter;
+ }
+ $filters = array_merge($filters, $this->filters);
+ // maybe prepare(), but later
+
+ for ($i = 0, $filter_size = count($filters); $i < $filter_size; $i++) {
+ $html = $filters[$i]->preFilter($html, $config, $context);
+ }
+
+ // purified HTML
+ $html =
+ $this->generator->generateFromTokens(
+ // list of tokens
+ $this->strategy->execute(
+ // list of un-purified tokens
+ $lexer->tokenizeHTML(
+ // un-purified HTML
+ $html, $config, $context
+ ),
+ $config, $context
+ )
+ );
+
+ for ($i = $filter_size - 1; $i >= 0; $i--) {
+ $html = $filters[$i]->postFilter($html, $config, $context);
+ }
+
+ $html = HTMLPurifier_Encoder::convertFromUTF8($html, $config, $context);
+ $this->context =& $context;
+ return $html;
+ }
+
+ /**
+ * Filters an array of HTML snippets
+ * @param $config Optional HTMLPurifier_Config object for this operation.
+ * See HTMLPurifier::purify() for more details.
+ * @return Array of purified HTML
+ */
+ public function purifyArray($array_of_html, $config = null) {
+ $context_array = array();
+ foreach ($array_of_html as $key => $html) {
+ $array_of_html[$key] = $this->purify($html, $config);
+ $context_array[$key] = $this->context;
+ }
+ $this->context = $context_array;
+ return $array_of_html;
+ }
+
+ /**
+ * Singleton for enforcing just one HTML Purifier in your system
+ * @param $prototype Optional prototype HTMLPurifier instance to
+ * overload singleton with, or HTMLPurifier_Config
+ * instance to configure the generated version with.
+ */
+ public static function instance($prototype = null) {
+ if (!self::$instance || $prototype) {
+ if ($prototype instanceof HTMLPurifier) {
+ self::$instance = $prototype;
+ } elseif ($prototype) {
+ self::$instance = new HTMLPurifier($prototype);
+ } else {
+ self::$instance = new HTMLPurifier();
+ }
+ }
+ return self::$instance;
+ }
+
+ /**
+ * @note Backwards compatibility, see instance()
+ */
+ public static function getInstance($prototype = null) {
+ return HTMLPurifier::instance($prototype);
+ }
+
+}
+
+// vim: et sw=4 sts=4
216 application/libraries/htmlpurifier/HTMLPurifier.safe-includes.php
@@ -0,0 +1,216 @@
+<?php
+
+/**
+ * @file
+ * This file was auto-generated by generate-includes.php and includes all of
+ * the core files required by HTML Purifier. This is a convenience stub that
+ * includes all files using dirname(__FILE__) and require_once. PLEASE DO NOT
+ * EDIT THIS FILE, changes will be overwritten the next time the script is run.
+ *
+ * Changes to include_path are not necessary.
+ */
+
+$__dir = dirname(__FILE__);
+
+require_once $__dir . '/HTMLPurifier.php';
+require_once $__dir . '/HTMLPurifier/AttrCollections.php';
+require_once $__dir . '/HTMLPurifier/AttrDef.php';
+require_once $__dir . '/HTMLPurifier/AttrTransform.php';
+require_once $__dir . '/HTMLPurifier/AttrTypes.php';
+require_once $__dir . '/HTMLPurifier/AttrValidator.php';
+require_once $__dir . '/HTMLPurifier/Bootstrap.php';
+require_once $__dir . '/HTMLPurifier/Definition.php';
+require_once $__dir . '/HTMLPurifier/CSSDefinition.php';
+require_once $__dir . '/HTMLPurifier/ChildDef.php';
+require_once $__dir . '/HTMLPurifier/Config.php';
+require_once $__dir . '/HTMLPurifier/ConfigSchema.php';
+require_once $__dir . '/HTMLPurifier/ContentSets.php';
+require_once $__dir . '/HTMLPurifier/Context.php';
+require_once $__dir . '/HTMLPurifier/DefinitionCache.php';
+require_once $__dir . '/HTMLPurifier/DefinitionCacheFactory.php';
+require_once $__dir . '/HTMLPurifier/Doctype.php';
+require_once $__dir . '/HTMLPurifier/DoctypeRegistry.php';
+require_once $__dir . '/HTMLPurifier/ElementDef.php';
+require_once $__dir . '/HTMLPurifier/Encoder.php';
+require_once $__dir . '/HTMLPurifier/EntityLookup.php';
+require_once $__dir . '/HTMLPurifier/EntityParser.php';
+require_once $__dir . '/HTMLPurifier/ErrorCollector.php';
+require_once $__dir . '/HTMLPurifier/ErrorStruct.php';
+require_once $__dir . '/HTMLPurifier/Exception.php';
+require_once $__dir . '/HTMLPurifier/Filter.php';
+require_once $__dir . '/HTMLPurifier/Generator.php';
+require_once $__dir . '/HTMLPurifier/HTMLDefinition.php';
+require_once $__dir . '/HTMLPurifier/HTMLModule.php';
+require_once $__dir . '/HTMLPurifier/HTMLModuleManager.php';
+require_once $__dir . '/HTMLPurifier/IDAccumulator.php';
+require_once $__dir . '/HTMLPurifier/Injector.php';
+require_once $__dir . '/HTMLPurifier/Language.php';
+require_once $__dir . '/HTMLPurifier/LanguageFactory.php';
+require_once $__dir . '/HTMLPurifier/Length.php';
+require_once $__dir . '/HTMLPurifier/Lexer.php';
+require_once $__dir . '/HTMLPurifier/PercentEncoder.php';
+require_once $__dir . '/HTMLPurifier/PropertyList.php';
+require_once $__dir . '/HTMLPurifier/PropertyListIterator.php';
+require_once $__dir . '/HTMLPurifier/Strategy.php';
+require_once $__dir . '/HTMLPurifier/StringHash.php';
+require_once $__dir . '/HTMLPurifier/StringHashParser.php';
+require_once $__dir . '/HTMLPurifier/TagTransform.php';
+require_once $__dir . '/HTMLPurifier/Token.php';
+require_once $__dir . '/HTMLPurifier/TokenFactory.php';
+require_once $__dir . '/HTMLPurifier/URI.php';
+require_once $__dir . '/HTMLPurifier/URIDefinition.php';
+require_once $__dir . '/HTMLPurifier/URIFilter.php';
+require_once $__dir . '/HTMLPurifier/URIParser.php';
+require_once $__dir . '/HTMLPurifier/URIScheme.php';
+require_once $__dir . '/HTMLPurifier/URISchemeRegistry.php';
+require_once $__dir . '/HTMLPurifier/UnitConverter.php';
+require_once $__dir . '/HTMLPurifier/VarParser.php';
+require_once $__dir . '/HTMLPurifier/VarParserException.php';
+require_once $__dir . '/HTMLPurifier/AttrDef/CSS.php';
+require_once $__dir . '/HTMLPurifier/AttrDef/Clone.php';
+require_once $__dir . '/HTMLPurifier/AttrDef/Enum.php';
+require_once $__dir . '/HTMLPurifier/AttrDef/Integer.php';
+require_once $__dir . '/HTMLPurifier/AttrDef/Lang.php';
+require_once $__dir . '/HTMLPurifier/AttrDef/Switch.php';
+require_once $__dir . '/HTMLPurifier/AttrDef/Text.php';
+require_once $__dir . '/HTMLPurifier/AttrDef/URI.php';
+require_once $__dir . '/HTMLPurifier/AttrDef/CSS/Number.php';
+require_once $__dir . '/HTMLPurifier/AttrDef/CSS/AlphaValue.php';
+require_once $__dir . '/HTMLPurifier/AttrDef/CSS/Background.php';
+require_once $__dir . '/HTMLPurifier/AttrDef/CSS/BackgroundPosition.php';
+require_once $__dir . '/HTMLPurifier/AttrDef/CSS/Border.php';
+require_once $__dir . '/HTMLPurifier/AttrDef/CSS/Color.php';
+require_once $__dir . '/HTMLPurifier/AttrDef/CSS/Composite.php';
+require_once $__dir . '/HTMLPurifier/AttrDef/CSS/DenyElementDecorator.php';
+require_once $__dir . '/HTMLPurifier/AttrDef/CSS/Filter.php';
+require_once $__dir . '/HTMLPurifier/AttrDef/CSS/Font.php';
+require_once $__dir . '/HTMLPurifier/AttrDef/CSS/FontFamily.php';
+require_once $__dir . '/HTMLPurifier/AttrDef/CSS/Ident.php';
+require_once $__dir . '/HTMLPurifier/AttrDef/CSS/ImportantDecorator.php';
+require_once $__dir . '/HTMLPurifier/AttrDef/CSS/Length.php';
+require_once $__dir . '/HTMLPurifier/AttrDef/CSS/ListStyle.php';
+require_once $__dir . '/HTMLPurifier/AttrDef/CSS/Multiple.php';
+require_once $__dir . '/HTMLPurifier/AttrDef/CSS/Percentage.php';
+require_once $__dir . '/HTMLPurifier/AttrDef/CSS/TextDecoration.php';
+require_once $__dir . '/HTMLPurifier/AttrDef/CSS/URI.php';
+require_once $__dir . '/HTMLPurifier/AttrDef/HTML/Bool.php';
+require_once $__dir . '/HTMLPurifier/AttrDef/HTML/Nmtokens.php';
+require_once $__dir . '/HTMLPurifier/AttrDef/HTML/Class.php';
+require_once $__dir . '/HTMLPurifier/AttrDef/HTML/Color.php';
+require_once $__dir . '/HTMLPurifier/AttrDef/HTML/FrameTarget.php';
+require_once $__dir . '/HTMLPurifier/AttrDef/HTML/ID.php';
+require_once $__dir . '/HTMLPurifier/AttrDef/HTML/Pixels.php';
+require_once $__dir . '/HTMLPurifier/AttrDef/HTML/Length.php';
+require_once $__dir . '/HTMLPurifier/AttrDef/HTML/LinkTypes.php';
+require_once $__dir . '/HTMLPurifier/AttrDef/HTML/MultiLength.php';
+require_once $__dir . '/HTMLPurifier/AttrDef/URI/Email.php';
+require_once $__dir . '/HTMLPurifier/AttrDef/URI/Host.php';
+require_once $__dir . '/HTMLPurifier/AttrDef/URI/IPv4.php';
+require_once $__dir . '/HTMLPurifier/AttrDef/URI/IPv6.php';
+require_once $__dir . '/HTMLPurifier/AttrDef/URI/Email/SimpleCheck.php';
+require_once $__dir . '/HTMLPurifier/AttrTransform/Background.php';
+require_once $__dir . '/HTMLPurifier/AttrTransform/BdoDir.php';
+require_once $__dir . '/HTMLPurifier/AttrTransform/BgColor.php';
+require_once $__dir . '/HTMLPurifier/AttrTransform/BoolToCSS.php';
+require_once $__dir . '/HTMLPurifier/AttrTransform/Border.php';
+require_once $__dir . '/HTMLPurifier/AttrTransform/EnumToCSS.php';
+require_once $__dir . '/HTMLPurifier/AttrTransform/ImgRequired.php';
+require_once $__dir . '/HTMLPurifier/AttrTransform/ImgSpace.php';
+require_once $__dir . '/HTMLPurifier/AttrTransform/Input.php';
+require_once $__dir . '/HTMLPurifier/AttrTransform/Lang.php';
+require_once $__dir . '/HTMLPurifier/AttrTransform/Length.php';
+require_once $__dir . '/HTMLPurifier/AttrTransform/Name.php';
+require_once $__dir . '/HTMLPurifier/AttrTransform/NameSync.php';
+require_once $__dir . '/HTMLPurifier/AttrTransform/Nofollow.php';
+require_once $__dir . '/HTMLPurifier/AttrTransform/SafeEmbed.php';
+require_once $__dir . '/HTMLPurifier/AttrTransform/SafeObject.php';
+require_once $__dir . '/HTMLPurifier/AttrTransform/SafeParam.php';
+require_once $__dir . '/HTMLPurifier/AttrTransform/ScriptRequired.php';
+require_once $__dir . '/HTMLPurifier/AttrTransform/TargetBlank.php';
+require_once $__dir . '/HTMLPurifier/AttrTransform/Textarea.php';
+require_once $__dir . '/HTMLPurifier/ChildDef/Chameleon.php';
+require_once $__dir . '/HTMLPurifier/ChildDef/Custom.php';
+require_once $__dir . '/HTMLPurifier/ChildDef/Empty.php';
+require_once $__dir . '/HTMLPurifier/ChildDef/List.php';
+require_once $__dir . '/HTMLPurifier/ChildDef/Required.php';
+require_once $__dir . '/HTMLPurifier/ChildDef/Optional.php';
+require_once $__dir . '/HTMLPurifier/ChildDef/StrictBlockquote.php';
+require_once $__dir . '/HTMLPurifier/ChildDef/Table.php';
+require_once $__dir . '/HTMLPurifier/DefinitionCache/Decorator.php';
+require_once $__dir . '/HTMLPurifier/DefinitionCache/Null.php';
+require_once $__dir . '/HTMLPurifier/DefinitionCache/Serializer.php';
+require_once $__dir . '/HTMLPurifier/DefinitionCache/Decorator/Cleanup.php';
+require_once $__dir . '/HTMLPurifier/DefinitionCache/Decorator/Memory.php';
+require_once $__dir . '/HTMLPurifier/HTMLModule/Bdo.php';
+require_once $__dir . '/HTMLPurifier/HTMLModule/CommonAttributes.php';
+require_once $__dir . '/HTMLPurifier/HTMLModule/Edit.php';
+require_once $__dir . '/HTMLPurifier/HTMLModule/Forms.php';
+require_once $__dir . '/HTMLPurifier/HTMLModule/Hypertext.php';
+require_once $__dir . '/HTMLPurifier/HTMLModule/Iframe.php';
+require_once $__dir . '/HTMLPurifier/HTMLModule/Image.php';
+require_once $__dir . '/HTMLPurifier/HTMLModule/Legacy.php';
+require_once $__dir . '/HTMLPurifier/HTMLModule/List.php';
+require_once $__dir . '/HTMLPurifier/HTMLModule/Name.php';
+require_once $__dir . '/HTMLPurifier/HTMLModule/Nofollow.php';
+require_once $__dir . '/HTMLPurifier/HTMLModule/NonXMLCommonAttributes.php';
+require_once $__dir . '/HTMLPurifier/HTMLModule/Object.php';
+require_once $__dir . '/HTMLPurifier/HTMLModule/Presentation.php';
+require_once $__dir . '/HTMLPurifier/HTMLModule/Proprietary.php';
+require_once $__dir . '/HTMLPurifier/HTMLModule/Ruby.php';
+require_once $__dir . '/HTMLPurifier/HTMLModule/SafeEmbed.php';
+require_once $__dir . '/HTMLPurifier/HTMLModule/SafeObject.php';
+require_once $__dir . '/HTMLPurifier/HTMLModule/SafeScripting.php';
+require_once $__dir . '/HTMLPurifier/HTMLModule/Scripting.php';
+require_once $__dir . '/HTMLPurifier/HTMLModule/StyleAttribute.php';
+require_once $__dir . '/HTMLPurifier/HTMLModule/Tables.php';
+require_once $__dir . '/HTMLPurifier/HTMLModule/Target.php';
+require_once $__dir . '/HTMLPurifier/HTMLModule/TargetBlank.php';
+require_once $__dir . '/HTMLPurifier/HTMLModule/Text.php';
+require_once $__dir . '/HTMLPurifier/HTMLModule/Tidy.php';
+require_once $__dir . '/HTMLPurifier/HTMLModule/XMLCommonAttributes.php';
+require_once $__dir . '/HTMLPurifier/HTMLModule/Tidy/Name.php';
+require_once $__dir . '/HTMLPurifier/HTMLModule/Tidy/Proprietary.php';
+require_once $__dir . '/HTMLPurifier/HTMLModule/Tidy/XHTMLAndHTML4.php';
+require_once $__dir . '/HTMLPurifier/HTMLModule/Tidy/Strict.php';
+require_once $__dir . '/HTMLPurifier/HTMLModule/Tidy/Transitional.php';
+require_once $__dir . '/HTMLPurifier/HTMLModule/Tidy/XHTML.php';
+require_once $__dir . '/HTMLPurifier/Injector/AutoParagraph.php';
+require_once $__dir . '/HTMLPurifier/Injector/DisplayLinkURI.php';
+require_once $__dir . '/HTMLPurifier/Injector/Linkify.php';
+require_once $__dir . '/HTMLPurifier/Injector/PurifierLinkify.php';
+require_once $__dir . '/HTMLPurifier/Injector/RemoveEmpty.php';
+require_once $__dir . '/HTMLPurifier/Injector/RemoveSpansWithoutAttributes.php';
+require_once $__dir . '/HTMLPurifier/Injector/SafeObject.php';
+require_once $__dir . '/HTMLPurifier/Lexer/DOMLex.php';
+require_once $__dir . '/HTMLPurifier/Lexer/DirectLex.php';
+require_once $__dir . '/HTMLPurifier/Strategy/Composite.php';
+require_once $__dir . '/HTMLPurifier/Strategy/Core.php';
+require_once $__dir . '/HTMLPurifier/Strategy/FixNesting.php';
+require_once $__dir . '/HTMLPurifier/Strategy/MakeWellFormed.php';
+require_once $__dir . '/HTMLPurifier/Strategy/RemoveForeignElements.php';
+require_once $__dir . '/HTMLPurifier/Strategy/ValidateAttributes.php';
+require_once $__dir . '/HTMLPurifier/TagTransform/Font.php';
+require_once $__dir . '/HTMLPurifier/TagTransform/Simple.php';
+require_once $__dir . '/HTMLPurifier/Token/Comment.php';
+require_once $__dir . '/HTMLPurifier/Token/Tag.php';
+require_once $__dir . '/HTMLPurifier/Token/Empty.php';
+require_once $__dir . '/HTMLPurifier/Token/End.php';
+require_once $__dir . '/HTMLPurifier/Token/Start.php';
+require_once $__dir . '/HTMLPurifier/Token/Text.php';
+require_once $__dir . '/HTMLPurifier/URIFilter/DisableExternal.php';
+require_once $__dir . '/HTMLPurifier/URIFilter/DisableExternalResources.php';
+require_once $__dir . '/HTMLPurifier/URIFilter/DisableResources.php';
+require_once $__dir . '/HTMLPurifier/URIFilter/HostBlacklist.php';
+require_once $__dir . '/HTMLPurifier/URIFilter/MakeAbsolute.php';
+require_once $__dir . '/HTMLPurifier/URIFilter/Munge.php';
+require_once $__dir . '/HTMLPurifier/URIFilter/SafeIframe.php';
+require_once $__dir . '/HTMLPurifier/URIScheme/data.php';
+require_once $__dir . '/HTMLPurifier/URIScheme/file.php';
+require_once $__dir . '/HTMLPurifier/URIScheme/ftp.php';
+require_once $__dir . '/HTMLPurifier/URIScheme/http.php';
+require_once $__dir . '/HTMLPurifier/URIScheme/https.php';
+require_once $__dir . '/HTMLPurifier/URIScheme/mailto.php';
+require_once $__dir . '/HTMLPurifier/URIScheme/news.php';
+require_once $__dir . '/HTMLPurifier/URIScheme/nntp.php';
+require_once $__dir . '/HTMLPurifier/VarParser/Flexible.php';
+require_once $__dir . '/HTMLPurifier/VarParser/Native.php';
128 application/libraries/htmlpurifier/HTMLPurifier/AttrCollections.php
@@ -0,0 +1,128 @@
+<?php
+
+/**
+ * Defines common attribute collections that modules reference
+ */
+
+class HTMLPurifier_AttrCollections
+{
+
+ /**
+ * Associative array of attribute collections, indexed by name
+ */
+ public $info = array();
+
+ /**
+ * Performs all expansions on internal data for use by other inclusions
+ * It also collects all attribute collection extensions from
+ * modules
+ * @param $attr_types HTMLPurifier_AttrTypes instance
+ * @param $modules Hash array of HTMLPurifier_HTMLModule members
+ */
+ public function __construct($attr_types, $modules) {
+ // load extensions from the modules
+ foreach ($modules as $module) {
+ foreach ($module->attr_collections as $coll_i => $coll) {
+ if (!isset($this->info[$coll_i])) {
+ $this->info[$coll_i] = array();
+ }
+ foreach ($coll as $attr_i => $attr) {
+ if ($attr_i === 0 && isset($this->info[$coll_i][$attr_i])) {
+ // merge in includes
+ $this->info[$coll_i][$attr_i] = array_merge(
+ $this->info[$coll_i][$attr_i], $attr);
+ continue;
+ }
+ $this->info[$coll_i][$attr_i] = $attr;
+ }
+ }
+ }
+ // perform internal expansions and inclusions
+ foreach ($this->info as $name => $attr) {
+ // merge attribute collections that include others
+ $this->performInclusions($this->info[$name]);
+ // replace string identifiers with actual attribute objects
+ $this->expandIdentifiers($this->info[$name], $attr_types);
+ }
+ }
+
+ /**
+ * Takes a reference to an attribute associative array and performs
+ * all inclusions specified by the zero index.
+ * @param &$attr Reference to attribute array
+ */
+ public function performInclusions(&$attr) {
+ if (!isset($attr[0])) return;
+ $merge = $attr[0];
+ $seen = array(); // recursion guard
+ // loop through all the inclusions
+ for ($i = 0; isset($merge[$i]); $i++) {
+ if (isset($seen[$merge[$i]])) continue;
+ $seen[$merge[$i]] = true;
+ // foreach attribute of the inclusion, copy it over
+ if (!isset($this->info[$merge[$i]])) continue;
+ foreach ($this->info[$merge[$i]] as $key => $value) {
+ if (isset($attr[$key])) continue; // also catches more inclusions
+ $attr[$key] = $value;
+ }
+ if (isset($this->info[$merge[$i]][0])) {
+ // recursion
+ $merge = array_merge($merge, $this->info[$merge[$i]][0]);
+ }
+ }
+ unset($attr[0]);
+ }
+
+ /**
+ * Expands all string identifiers in an attribute array by replacing
+ * them with the appropriate values inside HTMLPurifier_AttrTypes
+ * @param &$attr Reference to attribute array
+ * @param $attr_types HTMLPurifier_AttrTypes instance
+ */
+ public function expandIdentifiers(&$attr, $attr_types) {
+
+ // because foreach will process new elements we add, make sure we
+ // skip duplicates
+ $processed = array();
+
+ foreach ($attr as $def_i => $def) {
+ // skip inclusions
+ if ($def_i === 0) continue;
+
+ if (isset($processed[$def_i])) continue;
+
+ // determine whether or not attribute is required
+ if ($required = (strpos($def_i, '*') !== false)) {
+ // rename the definition
+ unset($attr[$def_i]);
+ $def_i = trim($def_i, '*');
+ $attr[$def_i] = $def;
+ }
+
+ $processed[$def_i] = true;
+
+ // if we've already got a literal object, move on
+ if (is_object($def)) {
+ // preserve previous required
+ $attr[$def_i]->required = ($required || $attr[$def_i]->required);
+ continue;
+ }
+
+ if ($def === false) {
+ unset($attr[$def_i]);
+ continue;
+ }
+
+ if ($t = $attr_types->get($def)) {
+ $attr[$def_i] = $t;
+ $attr[$def_i]->required = $required;
+ } else {
+ unset($attr[$def_i]);
+ }
+ }
+
+ }
+
+}
+
+// vim: et sw=4 sts=4
123 application/libraries/htmlpurifier/HTMLPurifier/AttrDef.php
@@ -0,0 +1,123 @@
+<?php
+
+/**
+ * Base class for all validating attribute definitions.
+ *