diff --git a/3.0/modules/purifier/vendor/HTMLPurifier/HTMLPurifier.includes.php b/3.0/modules/purifier/vendor/HTMLPurifier/HTMLPurifier.includes.php
index e57f2ab3..08737c20 100644
--- a/3.0/modules/purifier/vendor/HTMLPurifier/HTMLPurifier.includes.php
+++ b/3.0/modules/purifier/vendor/HTMLPurifier/HTMLPurifier.includes.php
@@ -7,7 +7,7 @@
* primary concern and you are using an opcode cache. PLEASE DO NOT EDIT THIS
* FILE, changes will be overwritten the next time the script is run.
*
- * @version 4.0.0
+ * @version 4.2.0
*
* @warning
* You must *not* include any other HTML Purifier files before this file,
@@ -176,6 +176,7 @@ require 'HTMLPurifier/Injector/DisplayLinkURI.php';
require 'HTMLPurifier/Injector/Linkify.php';
require 'HTMLPurifier/Injector/PurifierLinkify.php';
require 'HTMLPurifier/Injector/RemoveEmpty.php';
+require 'HTMLPurifier/Injector/RemoveSpansWithoutAttributes.php';
require 'HTMLPurifier/Injector/SafeObject.php';
require 'HTMLPurifier/Lexer/DOMLex.php';
require 'HTMLPurifier/Lexer/DirectLex.php';
@@ -195,9 +196,12 @@ require 'HTMLPurifier/Token/Start.php';
require 'HTMLPurifier/Token/Text.php';
require 'HTMLPurifier/URIFilter/DisableExternal.php';
require 'HTMLPurifier/URIFilter/DisableExternalResources.php';
+require 'HTMLPurifier/URIFilter/DisableResources.php';
require 'HTMLPurifier/URIFilter/HostBlacklist.php';
require 'HTMLPurifier/URIFilter/MakeAbsolute.php';
require 'HTMLPurifier/URIFilter/Munge.php';
+require 'HTMLPurifier/URIScheme/data.php';
+require 'HTMLPurifier/URIScheme/file.php';
require 'HTMLPurifier/URIScheme/ftp.php';
require 'HTMLPurifier/URIScheme/http.php';
require 'HTMLPurifier/URIScheme/https.php';
diff --git a/3.0/modules/purifier/vendor/HTMLPurifier/HTMLPurifier.php b/3.0/modules/purifier/vendor/HTMLPurifier/HTMLPurifier.php
index 71e90632..0430ad39 100644
--- a/3.0/modules/purifier/vendor/HTMLPurifier/HTMLPurifier.php
+++ b/3.0/modules/purifier/vendor/HTMLPurifier/HTMLPurifier.php
@@ -19,7 +19,7 @@
*/
/*
- HTML Purifier 4.0.0 - Standards Compliant HTML Filtering
+ HTML Purifier 4.2.0 - Standards Compliant HTML Filtering
Copyright (C) 2006-2008 Edward Z. Yang
This library is free software; you can redistribute it and/or
@@ -55,10 +55,10 @@ class HTMLPurifier
{
/** Version of HTML Purifier */
- public $version = '4.0.0';
+ public $version = '4.2.0';
/** Constant with version of HTML Purifier */
- const VERSION = '4.0.0';
+ const VERSION = '4.2.0';
/** Global configuration object */
public $config;
diff --git a/3.0/modules/purifier/vendor/HTMLPurifier/HTMLPurifier.safe-includes.php b/3.0/modules/purifier/vendor/HTMLPurifier/HTMLPurifier.safe-includes.php
index 5f0e1d8f..899a1f2e 100644
--- a/3.0/modules/purifier/vendor/HTMLPurifier/HTMLPurifier.safe-includes.php
+++ b/3.0/modules/purifier/vendor/HTMLPurifier/HTMLPurifier.safe-includes.php
@@ -170,6 +170,7 @@ require_once $__dir . '/HTMLPurifier/Injector/DisplayLinkURI.php';
require_once $__dir . '/HTMLPurifier/Injector/Linkify.php';
require_once $__dir . '/HTMLPurifier/Injector/PurifierLinkify.php';
require_once $__dir . '/HTMLPurifier/Injector/RemoveEmpty.php';
+require_once $__dir . '/HTMLPurifier/Injector/RemoveSpansWithoutAttributes.php';
require_once $__dir . '/HTMLPurifier/Injector/SafeObject.php';
require_once $__dir . '/HTMLPurifier/Lexer/DOMLex.php';
require_once $__dir . '/HTMLPurifier/Lexer/DirectLex.php';
@@ -189,9 +190,12 @@ require_once $__dir . '/HTMLPurifier/Token/Start.php';
require_once $__dir . '/HTMLPurifier/Token/Text.php';
require_once $__dir . '/HTMLPurifier/URIFilter/DisableExternal.php';
require_once $__dir . '/HTMLPurifier/URIFilter/DisableExternalResources.php';
+require_once $__dir . '/HTMLPurifier/URIFilter/DisableResources.php';
require_once $__dir . '/HTMLPurifier/URIFilter/HostBlacklist.php';
require_once $__dir . '/HTMLPurifier/URIFilter/MakeAbsolute.php';
require_once $__dir . '/HTMLPurifier/URIFilter/Munge.php';
+require_once $__dir . '/HTMLPurifier/URIScheme/data.php';
+require_once $__dir . '/HTMLPurifier/URIScheme/file.php';
require_once $__dir . '/HTMLPurifier/URIScheme/ftp.php';
require_once $__dir . '/HTMLPurifier/URIScheme/http.php';
require_once $__dir . '/HTMLPurifier/URIScheme/https.php';
diff --git a/3.0/modules/purifier/vendor/HTMLPurifier/HTMLPurifier/AttrDef.php b/3.0/modules/purifier/vendor/HTMLPurifier/HTMLPurifier/AttrDef.php
index 7fac54e8..6f82201e 100644
--- a/3.0/modules/purifier/vendor/HTMLPurifier/HTMLPurifier/AttrDef.php
+++ b/3.0/modules/purifier/vendor/HTMLPurifier/HTMLPurifier/AttrDef.php
@@ -82,6 +82,42 @@ abstract class HTMLPurifier_AttrDef
return preg_replace('/rgb\((\d+)\s*,\s*(\d+)\s*,\s*(\d+)\)/', 'rgb(\1,\2,\3)', $string);
}
+ /**
+ * Parses a possibly escaped CSS string and returns the "pure"
+ * version of it.
+ */
+ protected function expandCSSEscape($string) {
+ // flexibly parse it
+ $ret = '';
+ for ($i = 0, $c = strlen($string); $i < $c; $i++) {
+ if ($string[$i] === '\\') {
+ $i++;
+ if ($i >= $c) {
+ $ret .= '\\';
+ break;
+ }
+ if (ctype_xdigit($string[$i])) {
+ $code = $string[$i];
+ for ($a = 1, $i++; $i < $c && $a < 6; $i++, $a++) {
+ if (!ctype_xdigit($string[$i])) break;
+ $code .= $string[$i];
+ }
+ // We have to be extremely careful when adding
+ // new characters, to make sure we're not breaking
+ // the encoding.
+ $char = HTMLPurifier_Encoder::unichr(hexdec($code));
+ if (HTMLPurifier_Encoder::cleanUTF8($char) === '') continue;
+ $ret .= $char;
+ if ($i < $c && trim($string[$i]) !== '') $i--;
+ continue;
+ }
+ if ($string[$i] === "\n") continue;
+ }
+ $ret .= $string[$i];
+ }
+ return $ret;
+ }
+
}
// vim: et sw=4 sts=4
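Review bot: The docblock on the new expandCSSEscape helper does not say that the method returns the decoded, unescaped text, so every caller must re-armor the result for the context it is emitted into (the FontFamily and URI callers elsewhere in this commit do, but the contract should be stated here); I would extend it to `* Returns the decoded string with no escapes left in it; callers must re-escape for their output context. @param string $string @return string`. It should also document the three rules the loop implements: `\` followed by one to six hex digits becomes that code point and one following whitespace character is consumed, a backslash-newline pair is dropped, and any other escaped character is passed through literally. The `cleanUTF8($char) === ''` check silently drops code points whose UTF-8 form is rejected, which is worth a one-line comment at that branch. One small divergence to note in a comment: `trim()`'s default character list includes NUL but not form feed, so the post-escape whitespace consumption does not match the CSS whitespace set exactly.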
diff --git a/3.0/modules/purifier/vendor/HTMLPurifier/HTMLPurifier/AttrDef/CSS/BackgroundPosition.php b/3.0/modules/purifier/vendor/HTMLPurifier/HTMLPurifier/AttrDef/CSS/BackgroundPosition.php
index e067a754..665321e3 100644
--- a/3.0/modules/purifier/vendor/HTMLPurifier/HTMLPurifier/AttrDef/CSS/BackgroundPosition.php
+++ b/3.0/modules/purifier/vendor/HTMLPurifier/HTMLPurifier/AttrDef/CSS/BackgroundPosition.php
@@ -59,7 +59,8 @@ class HTMLPurifier_AttrDef_CSS_BackgroundPosition extends HTMLPurifier_AttrDef
$keywords = array();
$keywords['h'] = false; // left, right
$keywords['v'] = false; // top, bottom
- $keywords['c'] = false; // center
+ $keywords['ch'] = false; // center (first word)
+ $keywords['cv'] = false; // center (second word)
$measures = array();
$i = 0;
@@ -79,6 +80,13 @@ class HTMLPurifier_AttrDef_CSS_BackgroundPosition extends HTMLPurifier_AttrDef
$lbit = ctype_lower($bit) ? $bit : strtolower($bit);
if (isset($lookup[$lbit])) {
$status = $lookup[$lbit];
+ if ($status == 'c') {
+ if ($i == 0) {
+ $status = 'ch';
+ } else {
+ $status = 'cv';
+ }
+ }
$keywords[$status] = $lbit;
$i++;
}
@@ -101,20 +109,19 @@ class HTMLPurifier_AttrDef_CSS_BackgroundPosition extends HTMLPurifier_AttrDef
if (!$i) return false; // no valid values were caught
-
$ret = array();
// first keyword
if ($keywords['h']) $ret[] = $keywords['h'];
- elseif (count($measures)) $ret[] = array_shift($measures);
- elseif ($keywords['c']) {
- $ret[] = $keywords['c'];
- $keywords['c'] = false; // prevent re-use: center = center center
+ elseif ($keywords['ch']) {
+ $ret[] = $keywords['ch'];
+ $keywords['cv'] = false; // prevent re-use: center = center center
}
+ elseif (count($measures)) $ret[] = array_shift($measures);
if ($keywords['v']) $ret[] = $keywords['v'];
+ elseif ($keywords['cv']) $ret[] = $keywords['cv'];
elseif (count($measures)) $ret[] = array_shift($measures);
- elseif ($keywords['c']) $ret[] = $keywords['c'];
if (empty($ret)) return false;
return implode(' ', $ret);
diff --git a/3.0/modules/purifier/vendor/HTMLPurifier/HTMLPurifier/AttrDef/CSS/FontFamily.php b/3.0/modules/purifier/vendor/HTMLPurifier/HTMLPurifier/AttrDef/CSS/FontFamily.php
index 33435c76..f1ceec4a 100644
--- a/3.0/modules/purifier/vendor/HTMLPurifier/HTMLPurifier/AttrDef/CSS/FontFamily.php
+++ b/3.0/modules/purifier/vendor/HTMLPurifier/HTMLPurifier/AttrDef/CSS/FontFamily.php
@@ -34,37 +34,10 @@ class HTMLPurifier_AttrDef_CSS_FontFamily extends HTMLPurifier_AttrDef
$quote = $font[0];
if ($font[$length - 1] !== $quote) continue;
$font = substr($font, 1, $length - 2);
-
- $new_font = '';
- for ($i = 0, $c = strlen($font); $i < $c; $i++) {
- if ($font[$i] === '\\') {
- $i++;
- if ($i >= $c) {
- $new_font .= '\\';
- break;
- }
- if (ctype_xdigit($font[$i])) {
- $code = $font[$i];
- for ($a = 1, $i++; $i < $c && $a < 6; $i++, $a++) {
- if (!ctype_xdigit($font[$i])) break;
- $code .= $font[$i];
- }
- // We have to be extremely careful when adding
- // new characters, to make sure we're not breaking
- // the encoding.
- $char = HTMLPurifier_Encoder::unichr(hexdec($code));
- if (HTMLPurifier_Encoder::cleanUTF8($char) === '') continue;
- $new_font .= $char;
- if ($i < $c && trim($font[$i]) !== '') $i--;
- continue;
- }
- if ($font[$i] === "\n") continue;
- }
- $new_font .= $font[$i];
- }
-
- $font = $new_font;
}
+
+ $font = $this->expandCSSEscape($font);
+
// $font is a pure representation of the font name
if (ctype_alnum($font) && $font !== '') {
@@ -73,12 +46,21 @@ class HTMLPurifier_AttrDef_CSS_FontFamily extends HTMLPurifier_AttrDef
continue;
}
- // complicated font, requires quoting
+ // bugger out on whitespace. form feed (0C) really
+ // shouldn't show up regardless
+ $font = str_replace(array("\n", "\t", "\r", "\x0C"), ' ', $font);
- // armor single quotes and new lines
- $font = str_replace("\\", "\\\\", $font);
- $font = str_replace("'", "\\'", $font);
- $final .= "'$font', ";
+ // These ugly transforms don't pose a security
+ // risk (as \\ and \" might). We could try to be clever and
+ // use single-quote wrapping when there is a double quote
+ // present, but I have choosen not to implement that.
+ // (warning: this code relies on the selection of quotation
+ // mark below)
+ $font = str_replace('\\', '\\5C ', $font);
+ $font = str_replace('"', '\\22 ', $font);
+
+ // complicated font, requires quoting
+ $final .= "\"$font\", "; // note that this will later get turned into "
}
$final = rtrim($final, ', ');
if ($final === '') return false;
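Review bot: The comment on the final append line, "note that this will later get turned into \"", does not explain the trailing space in the `\\5C ` and `\\22 ` replacements, which is the part a maintainer is most likely to "clean up" and thereby break; I would replace it with `// the space after each hex escape is the CSS escape terminator: without it a name containing "\\" followed by hex digits would re-tokenize as one larger code point`. It is also worth recording near the `$this->expandCSSEscape($font)` call in the previous hunk that escape expansion now runs for unquoted font names too, not only for the quoted branch as before, since that is a behaviour change of the validate method (which starts and ends outside these hunks). The whitespace normalisation at the `str_replace(array("\n", "\t", "\r", "\x0C"), ' ', $font)` line correctly runs after expansion, so an escaped newline cannot survive into the quoted string; a short comment saying the ordering is deliberate would prevent a reorder.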
diff --git a/3.0/modules/purifier/vendor/HTMLPurifier/HTMLPurifier/AttrDef/CSS/URI.php b/3.0/modules/purifier/vendor/HTMLPurifier/HTMLPurifier/AttrDef/CSS/URI.php
index d09c87bc..98df033d 100644
--- a/3.0/modules/purifier/vendor/HTMLPurifier/HTMLPurifier/AttrDef/CSS/URI.php
+++ b/3.0/modules/purifier/vendor/HTMLPurifier/HTMLPurifier/AttrDef/CSS/URI.php
@@ -34,20 +34,16 @@ class HTMLPurifier_AttrDef_CSS_URI extends HTMLPurifier_AttrDef_URI
$uri = substr($uri, 1, $new_length - 1);
}
- $keys = array( '(', ')', ',', ' ', '"', "'");
- $values = array('\\(', '\\)', '\\,', '\\ ', '\\"', "\\'");
- $uri = str_replace($values, $keys, $uri);
+ $uri = $this->expandCSSEscape($uri);
$result = parent::validate($uri, $config, $context);
if ($result === false) return false;
- // escape necessary characters according to CSS spec
- // except for the comma, none of these should appear in the
- // URI at all
- $result = str_replace($keys, $values, $result);
+ // extra sanity check; should have been done by URI
+ $result = str_replace(array('"', "\\", "\n", "\x0c", "\r"), "", $result);
- return "url($result)";
+ return "url(\"$result\")";
}
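Review bot: The "extra sanity check" strips `"`, `\`, newline, form feed and CR from the value parent::validate returned instead of rejecting it, so if one of those characters ever does survive validation the attribute is silently rewritten into a different URL rather than dropped; since the comment itself says these should already be gone, failing closed is the safer behaviour and makes the upstream bug visible: `$clean = str_replace(array('"', "\\", "\n", "\x0c", "\r"), "", $result);` followed by `if ($clean !== $result) return false;`. The removed `$keys`/`$values` escaping is no longer needed because the output is now the quoted `url("...")` form, where parentheses, commas and spaces need no escaping; a one-line comment at the `return "url(\"$result\")";` line stating that the double quotes are what makes the strip list sufficient would keep the two from drifting apart. Note also that `expandCSSEscape` accepts any CSS escape in the input, not only the six sequences the old table handled, which is presumably intended but is a wider input surface for parent::validate.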
diff --git a/3.0/modules/purifier/vendor/HTMLPurifier/HTMLPurifier/AttrTransform/ImgRequired.php b/3.0/modules/purifier/vendor/HTMLPurifier/HTMLPurifier/AttrTransform/ImgRequired.php
index a1e5a83a..3d09eca3 100644
--- a/3.0/modules/purifier/vendor/HTMLPurifier/HTMLPurifier/AttrTransform/ImgRequired.php
+++ b/3.0/modules/purifier/vendor/HTMLPurifier/HTMLPurifier/AttrTransform/ImgRequired.php
@@ -24,7 +24,8 @@ class HTMLPurifier_AttrTransform_ImgRequired extends HTMLPurifier_AttrTransform
if ($src) {
$alt = $config->get('Attr.DefaultImageAlt');
if ($alt === null) {
- $attr['alt'] = basename($attr['src']);
+ // truncate if the alt is too long
+ $attr['alt'] = substr(basename($attr['src']),0,40);
} else {
$attr['alt'] = $alt;
}
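Review bot: `substr(basename($attr['src']),0,40)` truncates by bytes, so a non-ASCII filename can be cut in the middle of a multi-byte UTF-8 sequence and the generated alt attribute then carries an ill-formed trailing byte; since the library's own cleaner is already used elsewhere in this commit, `$attr['alt'] = HTMLPurifier_Encoder::cleanUTF8(substr(basename($attr['src']), 0, 40));` would at least drop the partial sequence. The magic 40 deserves a comment or a named constant explaining where the limit comes from. `basename()` is also locale-dependent on some platforms for multi-byte paths, so the result for such names may vary between deployments; that is pre-existing, but worth a note next to the truncation. The enclosing transform method starts outside the hunk.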
diff --git a/3.0/modules/purifier/vendor/HTMLPurifier/HTMLPurifier/AttrTransform/SafeParam.php b/3.0/modules/purifier/vendor/HTMLPurifier/HTMLPurifier/AttrTransform/SafeParam.php
index e677feae..d14390bc 100644
--- a/3.0/modules/purifier/vendor/HTMLPurifier/HTMLPurifier/AttrTransform/SafeParam.php
+++ b/3.0/modules/purifier/vendor/HTMLPurifier/HTMLPurifier/AttrTransform/SafeParam.php
@@ -33,12 +33,25 @@ class HTMLPurifier_AttrTransform_SafeParam extends HTMLPurifier_AttrTransform
case 'allowNetworking':
$attr['value'] = 'internal';
break;
+ case 'allowFullScreen':
+ if ($config->get('HTML.FlashAllowFullScreen')) {
+ $attr['value'] = ($attr['value'] == 'true') ? 'true' : 'false';
+ } else {
+ $attr['value'] = 'false';
+ }
+ break;
case 'wmode':
$attr['value'] = 'window';
break;
case 'movie':
+ case 'src':
+ $attr['name'] = "movie";
$attr['value'] = $this->uri->validate($attr['value'], $config, $context);
break;
+ case 'flashvars':
+ // we're going to allow arbitrary inputs to the SWF, on
+ // the reasoning that it could only hack the SWF, not us.
+ break;
// add other cases to support other param name/value pairs
default:
$attr['name'] = $attr['value'] = null;
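Review bot: The new `flashvars` case passes the parameter value through completely unvalidated, and the justification in its comment ("it could only hack the SWF, not us") holds only while the SWF is prevented from scripting the embedding page, which depends on the `allowScriptAccess` case that I believe sits above this hunk pinning the value to `never`; the comment should state that dependency explicitly, e.g. `// passed through unvalidated: safe only while allowScriptAccess is forced to 'never' above; revisit if that case changes`. The `src` alias added under `movie` silently renames the param, which is fine but should get a one-line comment saying it normalises the two spellings to one name so the URI validation applies to both. In the `allowFullScreen` branch `$attr['value'] == 'true'` should be `$attr['value'] === 'true'`; the value is a string here so the result is the same, but strict comparison is the convention the rest of the file's validators follow. The enclosing switch and method continue outside the hunk.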
diff --git a/3.0/modules/purifier/vendor/HTMLPurifier/HTMLPurifier/CSSDefinition.php b/3.0/modules/purifier/vendor/HTMLPurifier/HTMLPurifier/CSSDefinition.php
index 17bf9931..09afc1f1 100644
--- a/3.0/modules/purifier/vendor/HTMLPurifier/HTMLPurifier/CSSDefinition.php
+++ b/3.0/modules/purifier/vendor/HTMLPurifier/HTMLPurifier/CSSDefinition.php
@@ -272,20 +272,29 @@ class HTMLPurifier_CSSDefinition extends HTMLPurifier_Definition
// setup allowed elements
$support = "(for information on implementing this, see the ".
"support forums) ";
- $allowed_attributes = $config->get('CSS.AllowedProperties');
- if ($allowed_attributes !== null) {
+ $allowed_properties = $config->get('CSS.AllowedProperties');
+ if ($allowed_properties !== null) {
foreach ($this->info as $name => $d) {
- if(!isset($allowed_attributes[$name])) unset($this->info[$name]);
- unset($allowed_attributes[$name]);
+ if(!isset($allowed_properties[$name])) unset($this->info[$name]);
+ unset($allowed_properties[$name]);
}
// emit errors
- foreach ($allowed_attributes as $name => $d) {
+ foreach ($allowed_properties as $name => $d) {
// :TODO: Is this htmlspecialchars() call really necessary?
$name = htmlspecialchars($name);
trigger_error("Style attribute '$name' is not supported $support", E_USER_WARNING);
}
}
+ $forbidden_properties = $config->get('CSS.ForbiddenProperties');
+ if ($forbidden_properties !== null) {
+ foreach ($this->info as $name => $d) {
+ if (isset($forbidden_properties[$name])) {
+ unset($this->info[$name]);
+ }
+ }
+ }
+
}
}
diff --git a/3.0/modules/purifier/vendor/HTMLPurifier/HTMLPurifier/Config.php b/3.0/modules/purifier/vendor/HTMLPurifier/HTMLPurifier/Config.php
index 28529e7f..ada1b701 100644
--- a/3.0/modules/purifier/vendor/HTMLPurifier/HTMLPurifier/Config.php
+++ b/3.0/modules/purifier/vendor/HTMLPurifier/HTMLPurifier/Config.php
@@ -20,7 +20,7 @@ class HTMLPurifier_Config
/**
* HTML Purifier's version
*/
- public $version = '4.0.0';
+ public $version = '4.2.0';
/**
* Bool indicator whether or not to automatically finalize
diff --git a/3.0/modules/purifier/vendor/HTMLPurifier/HTMLPurifier/ConfigSchema/schema.ser b/3.0/modules/purifier/vendor/HTMLPurifier/HTMLPurifier/ConfigSchema/schema.ser
index bbf12f9c..978089c6 100644
Binary files a/3.0/modules/purifier/vendor/HTMLPurifier/HTMLPurifier/ConfigSchema/schema.ser and b/3.0/modules/purifier/vendor/HTMLPurifier/HTMLPurifier/ConfigSchema/schema.ser differ
diff --git a/3.0/modules/purifier/vendor/HTMLPurifier/HTMLPurifier/ConfigSchema/schema/AutoFormat.RemoveSpansWithoutAttributes.txt b/3.0/modules/purifier/vendor/HTMLPurifier/HTMLPurifier/ConfigSchema/schema/AutoFormat.RemoveSpansWithoutAttributes.txt
new file mode 100644
index 00000000..dde990ab
--- /dev/null
+++ b/3.0/modules/purifier/vendor/HTMLPurifier/HTMLPurifier/ConfigSchema/schema/AutoFormat.RemoveSpansWithoutAttributes.txt
@@ -0,0 +1,11 @@
+AutoFormat.RemoveSpansWithoutAttributes
+TYPE: bool
+VERSION: 4.0.1
+DEFAULT: false
+--DESCRIPTION--
+
+ This directive causes span tags without any attributes
+ to be removed. It will also remove spans that had all attributes
+ removed during processing.
+
+ This is the logical inverse of %CSS.AllowedProperties, and it will
+ override that directive or any other directive. If possible,
+ %CSS.AllowedProperties is recommended over this directive,
+ because it can sometimes be difficult to tell whether or not you've
+ forbidden all of the CSS properties you truly would like to disallow.
+
+ Whether or not to normalize newlines to the operating
+ system default. When false, HTML Purifier
+ will attempt to preserve mixed newline files.
+
+--# vim: et sw=4 sts=4
diff --git a/3.0/modules/purifier/vendor/HTMLPurifier/HTMLPurifier/ConfigSchema/schema/Core.RemoveProcessingInstructions.txt b/3.0/modules/purifier/vendor/HTMLPurifier/HTMLPurifier/ConfigSchema/schema/Core.RemoveProcessingInstructions.txt
new file mode 100644
index 00000000..3397d9f7
--- /dev/null
+++ b/3.0/modules/purifier/vendor/HTMLPurifier/HTMLPurifier/ConfigSchema/schema/Core.RemoveProcessingInstructions.txt
@@ -0,0 +1,11 @@
+Core.RemoveProcessingInstructions
+TYPE: bool
+VERSION: 4.2.0
+DEFAULT: false
+--DESCRIPTION--
+Instead of escaping processing instructions in the form <? ...
+?>, remove it out-right. This may be useful if the HTML
+you are validating contains XML processing instruction gunk, however,
+it can also be user-unfriendly for people attempting to post PHP
+snippets.
+--# vim: et sw=4 sts=4
diff --git a/3.0/modules/purifier/vendor/HTMLPurifier/HTMLPurifier/ConfigSchema/schema/Filter.YouTube.txt b/3.0/modules/purifier/vendor/HTMLPurifier/HTMLPurifier/ConfigSchema/schema/Filter.YouTube.txt
index 7fa6536b..321eaa2d 100644
--- a/3.0/modules/purifier/vendor/HTMLPurifier/HTMLPurifier/ConfigSchema/schema/Filter.YouTube.txt
+++ b/3.0/modules/purifier/vendor/HTMLPurifier/HTMLPurifier/ConfigSchema/schema/Filter.YouTube.txt
@@ -3,6 +3,11 @@ TYPE: bool
VERSION: 3.1.0
DEFAULT: false
--DESCRIPTION--
+
+ Warning: Deprecated in favor of %HTML.SafeObject and
+ %Output.FlashCompat (turn both on to allow YouTube videos and other
+ Flash content).
+
Warning: If another directive conflicts with the
diff --git a/3.0/modules/purifier/vendor/HTMLPurifier/HTMLPurifier/ConfigSchema/schema/HTML.FlashAllowFullScreen.txt b/3.0/modules/purifier/vendor/HTMLPurifier/HTMLPurifier/ConfigSchema/schema/HTML.FlashAllowFullScreen.txt
new file mode 100644
index 00000000..7878dc0b
--- /dev/null
+++ b/3.0/modules/purifier/vendor/HTMLPurifier/HTMLPurifier/ConfigSchema/schema/HTML.FlashAllowFullScreen.txt
@@ -0,0 +1,11 @@
+HTML.FlashAllowFullScreen
+TYPE: bool
+VERSION: 4.2.0
+DEFAULT: false
+--DESCRIPTION--
+
+ Whether or not to permit embedded Flash content from
+ %HTML.SafeObject to expand to the full screen. Corresponds to
+ the allowFullScreen parameter.
+
+--# vim: et sw=4 sts=4
diff --git a/3.0/modules/purifier/vendor/HTMLPurifier/HTMLPurifier/ConfigSchema/schema/HTML.SafeEmbed.txt b/3.0/modules/purifier/vendor/HTMLPurifier/HTMLPurifier/ConfigSchema/schema/HTML.SafeEmbed.txt
index f635a685..cdda09a4 100644
--- a/3.0/modules/purifier/vendor/HTMLPurifier/HTMLPurifier/ConfigSchema/schema/HTML.SafeEmbed.txt
+++ b/3.0/modules/purifier/vendor/HTMLPurifier/HTMLPurifier/ConfigSchema/schema/HTML.SafeEmbed.txt
@@ -7,8 +7,7 @@ DEFAULT: false
Whether or not to permit embed tags in documents, with a number of extra
security features added to prevent script execution. This is similar to
what websites like MySpace do to embed tags. Embed is a proprietary
- element and will cause your website to stop validating. You probably want
- to enable this with %HTML.SafeObject.
- Highly experimental.
-
+ element and will cause your website to stop validating; you should
+ see if you can use %Output.FlashCompat with %HTML.SafeObject instead
+ first.
--# vim: et sw=4 sts=4
diff --git a/3.0/modules/purifier/vendor/HTMLPurifier/HTMLPurifier/ConfigSchema/schema/HTML.SafeObject.txt b/3.0/modules/purifier/vendor/HTMLPurifier/HTMLPurifier/ConfigSchema/schema/HTML.SafeObject.txt
index 32967b88..ceb342e2 100644
--- a/3.0/modules/purifier/vendor/HTMLPurifier/HTMLPurifier/ConfigSchema/schema/HTML.SafeObject.txt
+++ b/3.0/modules/purifier/vendor/HTMLPurifier/HTMLPurifier/ConfigSchema/schema/HTML.SafeObject.txt
@@ -6,9 +6,8 @@ DEFAULT: false
Whether or not to permit object tags in documents, with a number of extra
security features added to prevent script execution. This is similar to
- what websites like MySpace do to object tags. You may also want to
- enable %HTML.SafeEmbed for maximum interoperability with Internet Explorer,
- although embed tags will cause your website to stop validating.
- Highly experimental.
+ what websites like MySpace do to object tags. You should also enable
+ %Output.FlashCompat in order to generate Internet Explorer
+ compatibility code for your object tags.
+ If true, HTML Purifier will generate Internet Explorer compatibility
+ code for all object code. This is highly recommended if you enable
+ %HTML.SafeObject.
+
+--# vim: et sw=4 sts=4
diff --git a/3.0/modules/purifier/vendor/HTMLPurifier/HTMLPurifier/ConfigSchema/schema/URI.AllowedSchemes.txt b/3.0/modules/purifier/vendor/HTMLPurifier/HTMLPurifier/ConfigSchema/schema/URI.AllowedSchemes.txt
index 98fdfe92..666635a5 100644
--- a/3.0/modules/purifier/vendor/HTMLPurifier/HTMLPurifier/ConfigSchema/schema/URI.AllowedSchemes.txt
+++ b/3.0/modules/purifier/vendor/HTMLPurifier/HTMLPurifier/ConfigSchema/schema/URI.AllowedSchemes.txt
@@ -12,4 +12,6 @@ array (
--DESCRIPTION--
Whitelist that defines the schemes that a URI is allowed to have. This
prevents XSS attacks from using pseudo-schemes like javascript or mocha.
+There is also support for the data and file
+URI schemes, but they are not enabled by default.
--# vim: et sw=4 sts=4
diff --git a/3.0/modules/purifier/vendor/HTMLPurifier/HTMLPurifier/ConfigSchema/schema/URI.DisableResources.txt b/3.0/modules/purifier/vendor/HTMLPurifier/HTMLPurifier/ConfigSchema/schema/URI.DisableResources.txt
index 51e6ea91..f891de49 100644
--- a/3.0/modules/purifier/vendor/HTMLPurifier/HTMLPurifier/ConfigSchema/schema/URI.DisableResources.txt
+++ b/3.0/modules/purifier/vendor/HTMLPurifier/HTMLPurifier/ConfigSchema/schema/URI.DisableResources.txt
@@ -1,12 +1,15 @@
URI.DisableResources
TYPE: bool
-VERSION: 1.3.0
+VERSION: 4.2.0
DEFAULT: false
--DESCRIPTION--
-
Disables embedding resources, essentially meaning no pictures. You can
still link to them though. See %URI.DisableExternalResources for why
this might be a good idea.
+
+ Note: While this directive has been available since 1.3.0,
+ it didn't actually start doing anything until 4.2.0.
+
--# vim: et sw=4 sts=4
diff --git a/3.0/modules/purifier/vendor/HTMLPurifier/HTMLPurifier/ElementDef.php b/3.0/modules/purifier/vendor/HTMLPurifier/HTMLPurifier/ElementDef.php
index c4f5df97..cbd4e345 100644
--- a/3.0/modules/purifier/vendor/HTMLPurifier/HTMLPurifier/ElementDef.php
+++ b/3.0/modules/purifier/vendor/HTMLPurifier/HTMLPurifier/ElementDef.php
@@ -97,6 +97,13 @@ class HTMLPurifier_ElementDef
*/
public $autoclose = array();
+ /**
+ * If a foreign element is found in this element, test if it is
+ * allowed by this sub-element; if it is, instead of closing the
+ * current element, place it inside this element.
+ */
+ public $wrap;
+
/**
* Whether or not this is a formatting element affected by the
* "Active Formatting Elements" algorithm.
diff --git a/3.0/modules/purifier/vendor/HTMLPurifier/HTMLPurifier/Filter/YouTube.php b/3.0/modules/purifier/vendor/HTMLPurifier/HTMLPurifier/Filter/YouTube.php
index aa3c17a0..9a9d9f96 100644
--- a/3.0/modules/purifier/vendor/HTMLPurifier/HTMLPurifier/Filter/YouTube.php
+++ b/3.0/modules/purifier/vendor/HTMLPurifier/HTMLPurifier/Filter/YouTube.php
@@ -7,13 +7,13 @@ class HTMLPurifier_Filter_YouTube extends HTMLPurifier_Filter
public function preFilter($html, $config, $context) {
$pre_regex = '##s';
+ 'http://www.youtube.com/((?:v|cp)/[A-Za-z0-9\-_=]+).+?#s';
$pre_replace = '\1';
return preg_replace($pre_regex, $pre_replace, $html);
}
public function postFilter($html, $config, $context) {
- $post_regex = '#([A-Za-z0-9\-_]+)#';
+ $post_regex = '#((?:v|cp)/[A-Za-z0-9\-_=]+)#';
return preg_replace_callback($post_regex, array($this, 'postFilterCallback'), $html);
}
@@ -24,10 +24,10 @@ class HTMLPurifier_Filter_YouTube extends HTMLPurifier_Filter
protected function postFilterCallback($matches) {
$url = $this->armorUrl($matches[1]);
return '