[Fmsystem-commits] [17160] Stable: Merge 17158:17159 from trunk
From: |
sigurdne |
Subject: |
[Fmsystem-commits] [17160] Stable: Merge 17158:17159 from trunk |
Date: |
Tue, 17 Oct 2017 10:14:04 -0400 (EDT) |
Revision: 17160
http://svn.sv.gnu.org/viewvc/?view=rev&root=fmsystem&revision=17160
Author: sigurdne
Date: 2017-10-17 10:14:04 -0400 (Tue, 17 Oct 2017)
Log Message:
-----------
Stable: Merge 17158:17159 from trunk
Modified Paths:
--------------
branches/Version-2_0-branch/helpdesk/setup/phpgw_no.lang
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier/Arborize.php
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier/AttrCollections.php
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier/AttrDef/CSS/Color.php
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier/AttrDef/CSS/URI.php
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier/AttrDef/CSS.php
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier/AttrDef/HTML/ID.php
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier/AttrDef/URI/Host.php
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier/AttrDef.php
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier/AttrTransform/ImgRequired.php
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier/CSSDefinition.php
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier/ChildDef/List.php
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier/ChildDef/Table.php
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier/Config.php
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier/ConfigSchema/schema/Cache.SerializerPermissions.txt
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier/ConfigSchema/schema/URI.AllowedSchemes.txt
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier/ConfigSchema/schema/URI.DefaultScheme.txt
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier/ConfigSchema/schema.ser
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier/ConfigSchema.php
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier/DefinitionCache/Serializer.php
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier/DefinitionCache.php
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier/Encoder.php
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier/EntityParser.php
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier/Filter/ExtractStyleBlocks.php
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier/Generator.php
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier/HTMLModuleManager.php
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier/Injector/Linkify.php
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier/Injector/RemoveEmpty.php
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier/Injector/SafeObject.php
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier/Lexer/DOMLex.php
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier/Lexer/DirectLex.php
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier/Lexer/PH5P.php
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier/Lexer.php
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier/Printer/ConfigForm.php
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier/Strategy/MakeWellFormed.php
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier/Token.php
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier/URI.php
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier/URIScheme/data.php
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier.includes.php
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier.php
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier.safe-includes.php
Added Paths:
-----------
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier/AttrTransform/TargetNoopener.php
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier/AttrTransform/TargetNoreferrer.php
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier/ConfigSchema/schema/Attr.ID.HTML5.txt
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier/ConfigSchema/schema/CSS.AllowDuplicates.txt
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier/ConfigSchema/schema/Core.AggressivelyRemoveScript.txt
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier/ConfigSchema/schema/Core.LegacyEntityDecoder.txt
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier/ConfigSchema/schema/HTML.TargetNoopener.txt
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier/ConfigSchema/schema/HTML.TargetNoreferrer.txt
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier/HTMLModule/TargetNoopener.php
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier/HTMLModule/TargetNoreferrer.php
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier/URIScheme/tel.php
Property Changed:
----------------
branches/Version-2_0-branch/
Index: branches/Version-2_0-branch
===================================================================
--- branches/Version-2_0-branch 2017-10-17 14:10:28 UTC (rev 17159)
+++ branches/Version-2_0-branch 2017-10-17 14:14:04 UTC (rev 17160)
Property changes on: branches/Version-2_0-branch
___________________________________________________________________
Modified: svn:mergeinfo
## -1,4 +1,4 ##
/branches/dev-syncromind:13653
/branches/dev-syncromind-2:14933-16846
/branches/stavangerkommune:12743-12875,12986
-/trunk:14721-14732,14734-14735,14737,14739,14741,14743-14744,14746-14749,14751,14753,14755-14757,14759,14761-14764,14766-14768,14770-14783,14785-14792,14794-14813,14815-14816,14818,14820-14822,14824-14825,14827-14829,14831-14834,14836,14838,14840-14842,14844-14845,14847,14849-14866,14868-14869,14871,14873-14875,14877-14878,14880-14884,14886-14896,14898,14900-14902,14904,14906-14909,14911-14915,14917-14919,14921-14922,14924-14978,14980-15258,15260-15261,15263-15264,15266-15285,15287-15288,15290-15291,15293,15295,15297,15299-15305,15307-15310,15312-15335,15337-15352,15354,15356,15358,15360-15541,15543-15566,15568-15569,15571,15573-15581,15583,15585-15617,15619,15621-15630,15632-15635,15637-15639,15641-15643,15645,15647-15665,15667-15668,15670-15671,15673-15693,15695-15712,15714-15764,15766-15767,15769-15787,15789-15802,15804-15811,15813-15814,15816-15818,15820-15849,15851-15887,15889-15900,15902-16046,16048-16051,16053,16055,16057-16063,16065-16071,16073-16077,16079-16081,16083-16099,16101-16130,16132-16140,16142,16144-16212,16214-16219,16221,16223-16224,16226,16228-16229,16231,16233,16235,16237,16239-16240,16242,16244-16246,16248,16250-16251,16253-16255,16257-16259,16261,16263,16265,16267,16269-16276,16278,16280-16283,16285,16287-16288,16290,16292-16295,16297-16305,16307-16314,16316-16318,16320-16322,16324,16326-16330,16332,16334,16336,16338-16339,16341-16342,16344,16346,16348,16350,16352-16353,16355-16358,16360,16362,16364-16369,16371,16373,16375-16378,16380,16382-16383,16385,16387,16389,16391,16393-16395,16397,16399-16402,16404,16406,16408,16410-16415,16417,16419-16420,16422-16425,16427,16429-16440,16442,16444,16446,16448-16449,16451,16453,16455-16463,16465-16472,16474-16475,16477-16484,16486,16488,16490-16497,16499,16501-16503,16505-16512,16514-16517,16519,16521,16523,16525,16527-16532,16534,16536-16541,16543,16545-16554,16556,16558-16565,16567-16575,16577-16584,16586-16588,16590,16592-16593,16595-16596,16598,16600-16601,16603-16608,16610-16614,16616-16618,16620-
16621,16623-16624,16626,16628,16630,16632-16638,16640,16642,16644,16646-16651,16653-16663,16665,16667,16669,16671,16673,16675,16677,16679-16680,16682,16684,16686,16688-16692,16694-16695,16697-16699,16701,16703,16705-16706,16708,16710,16712,16714,16716-16718,16720-16728,16730-16732,16734-16739,16741,16743-16746,16748-16750,16752-16755,16757,16759-16761,16763,16765,16767,16769-16774,16776,16778-16783,16785-16788,16790,16792,16794,16796-16802,16804-16807,16809,16811-16817,16819,16821-16825,16827-16831,16833,16835-16836,16838,16840-16844,16846-16847,16849,16851,16853-16854,16856-16859,16861,16863-16865,16867,16869-16871,16873,16875-16876,16878,16880-16881,16883,16885,16887-16888,16890,16892,16894-16900,16902,16904,16906,16908-16909,16911-16916,16918-16919,16921,16923,16925,16927,16929-16930,16932,16934,16936-16937,16939-16942,16944,16946,16948,16950,16952-16953,16955-16959,16961,16963,16965-16970,16972,16974-16977,16979-16982,16984,16986,16988-16999,17001,17003,17005-17018,17020-17023,17025-17026,17028-17033,17035,17037,17039-17040,17042-17050,17052-17053,17055,17057-17058,17060,17062-17064,17066,17068-17074,17076-17088,17090,17092,17094,17096,17098,17100-17101,17103-17104,17106-17108,17110-17121,17123-17124,17126-17132,17134-17143,17145-17150,17152-17157
\ No newline at end of property
+/trunk:14721-14732,14734-14735,14737,14739,14741,14743-14744,14746-14749,14751,14753,14755-14757,14759,14761-14764,14766-14768,14770-14783,14785-14792,14794-14813,14815-14816,14818,14820-14822,14824-14825,14827-14829,14831-14834,14836,14838,14840-14842,14844-14845,14847,14849-14866,14868-14869,14871,14873-14875,14877-14878,14880-14884,14886-14896,14898,14900-14902,14904,14906-14909,14911-14915,14917-14919,14921-14922,14924-14978,14980-15258,15260-15261,15263-15264,15266-15285,15287-15288,15290-15291,15293,15295,15297,15299-15305,15307-15310,15312-15335,15337-15352,15354,15356,15358,15360-15541,15543-15566,15568-15569,15571,15573-15581,15583,15585-15617,15619,15621-15630,15632-15635,15637-15639,15641-15643,15645,15647-15665,15667-15668,15670-15671,15673-15693,15695-15712,15714-15764,15766-15767,15769-15787,15789-15802,15804-15811,15813-15814,15816-15818,15820-15849,15851-15887,15889-15900,15902-16046,16048-16051,16053,16055,16057-16063,16065-16071,16073-16077,16079-16081,16083-16099,16101-16130,16132-16140,16142,16144-16212,16214-16219,16221,16223-16224,16226,16228-16229,16231,16233,16235,16237,16239-16240,16242,16244-16246,16248,16250-16251,16253-16255,16257-16259,16261,16263,16265,16267,16269-16276,16278,16280-16283,16285,16287-16288,16290,16292-16295,16297-16305,16307-16314,16316-16318,16320-16322,16324,16326-16330,16332,16334,16336,16338-16339,16341-16342,16344,16346,16348,16350,16352-16353,16355-16358,16360,16362,16364-16369,16371,16373,16375-16378,16380,16382-16383,16385,16387,16389,16391,16393-16395,16397,16399-16402,16404,16406,16408,16410-16415,16417,16419-16420,16422-16425,16427,16429-16440,16442,16444,16446,16448-16449,16451,16453,16455-16463,16465-16472,16474-16475,16477-16484,16486,16488,16490-16497,16499,16501-16503,16505-16512,16514-16517,16519,16521,16523,16525,16527-16532,16534,16536-16541,16543,16545-16554,16556,16558-16565,16567-16575,16577-16584,16586-16588,16590,16592-16593,16595-16596,16598,16600-16601,16603-16608,16610-16614,16616-16618,16620-
16621,16623-16624,16626,16628,16630,16632-16638,16640,16642,16644,16646-16651,16653-16663,16665,16667,16669,16671,16673,16675,16677,16679-16680,16682,16684,16686,16688-16692,16694-16695,16697-16699,16701,16703,16705-16706,16708,16710,16712,16714,16716-16718,16720-16728,16730-16732,16734-16739,16741,16743-16746,16748-16750,16752-16755,16757,16759-16761,16763,16765,16767,16769-16774,16776,16778-16783,16785-16788,16790,16792,16794,16796-16802,16804-16807,16809,16811-16817,16819,16821-16825,16827-16831,16833,16835-16836,16838,16840-16844,16846-16847,16849,16851,16853-16854,16856-16859,16861,16863-16865,16867,16869-16871,16873,16875-16876,16878,16880-16881,16883,16885,16887-16888,16890,16892,16894-16900,16902,16904,16906,16908-16909,16911-16916,16918-16919,16921,16923,16925,16927,16929-16930,16932,16934,16936-16937,16939-16942,16944,16946,16948,16950,16952-16953,16955-16959,16961,16963,16965-16970,16972,16974-16977,16979-16982,16984,16986,16988-16999,17001,17003,17005-17018,17020-17023,17025-17026,17028-17033,17035,17037,17039-17040,17042-17050,17052-17053,17055,17057-17058,17060,17062-17064,17066,17068-17074,17076-17088,17090,17092,17094,17096,17098,17100-17101,17103-17104,17106-17108,17110-17121,17123-17124,17126-17132,17134-17143,17145-17150,17152-17157,17159
\ No newline at end of property
Modified: branches/Version-2_0-branch/helpdesk/setup/phpgw_no.lang
===================================================================
--- branches/Version-2_0-branch/helpdesk/setup/phpgw_no.lang 2017-10-17
14:10:28 UTC (rev 17159)
+++ branches/Version-2_0-branch/helpdesk/setup/phpgw_no.lang 2017-10-17
14:14:04 UTC (rev 17160)
@@ -117,7 +117,7 @@
priority changed helpdesk no Prioritet er endret
percent helpdesk no prosent
project helpdesk no Prosjekt
-reported by helpdesk no Rapportert av
+reported by helpdesk no Innmelder
entry date helpdesk no Registrert dato
entry_date helpdesk no Registrert dato
send helpdesk no Send
Modified:
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier/Arborize.php
===================================================================
---
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier/Arborize.php
2017-10-17 14:10:28 UTC (rev 17159)
+++
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier/Arborize.php
2017-10-17 14:14:04 UTC (rev 17160)
@@ -19,8 +19,8 @@
if ($token instanceof HTMLPurifier_Token_End) {
$token->start = null; // [MUT]
$r = array_pop($stack);
- assert($r->name === $token->name);
- assert(empty($token->attr));
+ //assert($r->name === $token->name);
+ //assert(empty($token->attr));
$r->endCol = $token->col;
$r->endLine = $token->line;
$r->endArmor = $token->armor;
@@ -32,7 +32,7 @@
$stack[] = $node;
}
}
- assert(count($stack) == 1);
+ //assert(count($stack) == 1);
return $stack[0];
}
Modified:
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier/AttrCollections.php
===================================================================
---
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier/AttrCollections.php
2017-10-17 14:10:28 UTC (rev 17159)
+++
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier/AttrCollections.php
2017-10-17 14:14:04 UTC (rev 17160)
@@ -22,6 +22,11 @@
*/
public function __construct($attr_types, $modules)
{
+ $this->doConstruct($attr_types, $modules);
+ }
+
+ public function doConstruct($attr_types, $modules)
+ {
// load extensions from the modules
foreach ($modules as $module) {
foreach ($module->attr_collections as $coll_i => $coll) {
Modified:
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier/AttrDef/CSS/Color.php
===================================================================
---
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier/AttrDef/CSS/Color.php
2017-10-17 14:10:28 UTC (rev 17159)
+++
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier/AttrDef/CSS/Color.php
2017-10-17 14:14:04 UTC (rev 17160)
@@ -7,6 +7,16 @@
{
/**
+ * @type HTMLPurifier_AttrDef_CSS_AlphaValue
+ */
+ protected $alpha;
+
+ public function __construct()
+ {
+ $this->alpha = new HTMLPurifier_AttrDef_CSS_AlphaValue();
+ }
+
+ /**
* @param string $color
* @param HTMLPurifier_Config $config
* @param HTMLPurifier_Context $context
@@ -29,59 +39,104 @@
return $colors[$lower];
}
- if (strpos($color, 'rgb(') !== false) {
- // rgb literal handling
+ if (preg_match('#(rgb|rgba|hsl|hsla)\(#', $color, $matches) === 1) {
$length = strlen($color);
if (strpos($color, ')') !== $length - 1) {
return false;
}
- $triad = substr($color, 4, $length - 4 - 1);
- $parts = explode(',', $triad);
- if (count($parts) !== 3) {
+
+ // get used function : rgb, rgba, hsl or hsla
+ $function = $matches[1];
+
+ $parameters_size = 3;
+ $alpha_channel = false;
+ if (substr($function, -1) === 'a') {
+ $parameters_size = 4;
+ $alpha_channel = true;
+ }
+
+ /*
+ * Allowed types for values :
+ * parameter_position => [type => max_value]
+ */
+ $allowed_types = array(
+ 1 => array('percentage' => 100, 'integer' => 255),
+ 2 => array('percentage' => 100, 'integer' => 255),
+ 3 => array('percentage' => 100, 'integer' => 255),
+ );
+ $allow_different_types = false;
+
+ if (strpos($function, 'hsl') !== false) {
+ $allowed_types = array(
+ 1 => array('integer' => 360),
+ 2 => array('percentage' => 100),
+ 3 => array('percentage' => 100),
+ );
+ $allow_different_types = true;
+ }
+
+ $values = trim(str_replace($function, '', $color), ' ()');
+
+ $parts = explode(',', $values);
+ if (count($parts) !== $parameters_size) {
return false;
}
- $type = false; // to ensure that they're all the same type
+
+ $type = false;
$new_parts = array();
+ $i = 0;
+
foreach ($parts as $part) {
+ $i++;
$part = trim($part);
+
if ($part === '') {
return false;
}
- $length = strlen($part);
- if ($part[$length - 1] === '%') {
- // handle percents
- if (!$type) {
- $type = 'percentage';
- } elseif ($type !== 'percentage') {
+
+ // different check for alpha channel
+ if ($alpha_channel === true && $i === count($parts)) {
+ $result = $this->alpha->validate($part, $config, $context);
+
+ if ($result === false) {
return false;
}
- $num = (float)substr($part, 0, $length - 1);
- if ($num < 0) {
- $num = 0;
+
+ $new_parts[] = (string)$result;
+ continue;
}
- if ($num > 100) {
- $num = 100;
- }
- $new_parts[] = "$num%";
+
+ if (substr($part, -1) === '%') {
+ $current_type = 'percentage';
} else {
- // handle integers
- if (!$type) {
- $type = 'integer';
- } elseif ($type !== 'integer') {
+ $current_type = 'integer';
+ }
+
+ if (!array_key_exists($current_type, $allowed_types[$i])) {
return false;
}
- $num = (int)$part;
- if ($num < 0) {
- $num = 0;
+
+ if (!$type) {
+ $type = $current_type;
}
- if ($num > 255) {
- $num = 255;
+
+ if ($allow_different_types === false && $type !=
$current_type) {
+ return false;
}
- $new_parts[] = (string)$num;
+
+ $max_value = $allowed_types[$i][$current_type];
+
+ if ($current_type == 'integer') {
+ // Return value between range 0 -> $max_value
+ $new_parts[] = (int)max(min($part, $max_value), 0);
+ } elseif ($current_type == 'percentage') {
+ $new_parts[] = (float)max(min(rtrim($part, '%'),
$max_value), 0) . '%';
}
}
- $new_triad = implode(',', $new_parts);
- $color = "rgb($new_triad)";
+
+ $new_values = implode(',', $new_parts);
+
+ $color = $function . '(' . $new_values . ')';
} else {
// hexadecimal handling
if ($color[0] === '#') {
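Review bot: The function-name match on the new `preg_match` line is unanchored, and `str_replace($function, '', $color)` then removes every occurrence of the name, so a value with stray text before `rgb(`/`hsl(` is normalised into a well-formed colour instead of being rejected. Anchoring the pattern, `preg_match('#^(rgb|rgba|hsl|hsla)\(#', $color, $matches)`, restores the old assumption that the function name starts the value. In the integer branch the raw string goes straight into `min()`/`max()` before the `(int)` cast, so a non-numeric part is clamped rather than refused; an `is_numeric($part)` guard that returns false would make the validator strict. The output is always rebuilt from cast values, so this is a strictness issue rather than an injection path. The enclosing method starts and ends outside this hunk.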
@@ -100,6 +155,7 @@
}
return $color;
}
+
}
// vim: et sw=4 sts=4
Modified:
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier/AttrDef/CSS/URI.php
===================================================================
---
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier/AttrDef/CSS/URI.php
2017-10-17 14:10:28 UTC (rev 17159)
+++
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier/AttrDef/CSS/URI.php
2017-10-17 14:14:04 UTC (rev 17160)
@@ -33,6 +33,9 @@
return false;
}
$uri_string = substr($uri_string, 4);
+ if (strlen($uri_string) == 0) {
+ return false;
+ }
$new_length = strlen($uri_string) - 1;
if ($uri_string[$new_length] != ')') {
return false;
Modified:
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier/AttrDef/CSS.php
===================================================================
---
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier/AttrDef/CSS.php
2017-10-17 14:10:28 UTC (rev 17159)
+++
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier/AttrDef/CSS.php
2017-10-17 14:14:04 UTC (rev 17160)
@@ -25,15 +25,42 @@
$css = $this->parseCDATA($css);
$definition = $config->getCSSDefinition();
+ $allow_duplicates = $config->get("CSS.AllowDuplicates");
- // we're going to break the spec and explode by semicolons.
- // This is because semicolon rarely appears in escaped form
- // Doing this is generally flaky but fast
- // IT MIGHT APPEAR IN URIs, see HTMLPurifier_AttrDef_CSSURI
- // for details
- $declarations = explode(';', $css);
+ // According to the CSS2.1 spec, the places where a
+ // non-delimiting semicolon can appear are in strings
+ // escape sequences. So here is some dumb hack to
+ // handle quotes.
+ $len = strlen($css);
+ $accum = "";
+ $declarations = array();
+ $quoted = false;
+ for ($i = 0; $i < $len; $i++) {
+ $c = strcspn($css, ";'\"", $i);
+ $accum .= substr($css, $i, $c);
+ $i += $c;
+ if ($i == $len) break;
+ $d = $css[$i];
+ if ($quoted) {
+ $accum .= $d;
+ if ($d == $quoted) {
+ $quoted = false;
+ }
+ } else {
+ if ($d == ";") {
+ $declarations[] = $accum;
+ $accum = "";
+ } else {
+ $accum .= $d;
+ $quoted = $d;
+ }
+ }
+ }
+ if ($accum != "") $declarations[] = $accum;
+
$propvalues = array();
+ $new_declarations = '';
/**
* Name of the current CSS property being validated.
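Review bot: The new declaration splitter tracks quote state but not backslash escapes, so an escaped quote inside a string ends the quoted state early and a later `;` in that string still splits the declaration. Judging from the next hunk, each piece is validated individually and dropped on failure, so this should fail closed, but the limitation deserves a line in the comment, e.g. `// NOTE: backslash-escaped quotes inside a string are not recognised; such a declaration may be split and then rejected by validation.` The existing comment also reads "in strings escape sequences", which presumably means "in strings and escape sequences". The enclosing method starts before this hunk and continues after it.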
@@ -83,8 +110,12 @@
if ($result === false) {
continue;
}
+ if ($allow_duplicates) {
+ $new_declarations .= "$property:$result;";
+ } else {
$propvalues[$property] = $result;
}
+ }
$context->destroy('CurrentCSSProperty');
@@ -92,7 +123,6 @@
// slightly inefficient, but it's the only way of getting rid of
// duplicates. Perhaps config to optimize it, but not now.
- $new_declarations = '';
foreach ($propvalues as $prop => $value) {
$new_declarations .= "$prop:$value;";
}
Modified:
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier/AttrDef/HTML/ID.php
===================================================================
---
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier/AttrDef/HTML/ID.php
2017-10-17 14:10:28 UTC (rev 17159)
+++
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier/AttrDef/HTML/ID.php
2017-10-17 14:14:04 UTC (rev 17160)
@@ -72,8 +72,13 @@
// we purposely avoid using regex, hopefully this is faster
+ if ($config->get('Attr.ID.HTML5') === true) {
+ if (preg_match('/[\t\n\x0b\x0c ]/', $id)) {
+ return false;
+ }
+ } else {
if (ctype_alpha($id)) {
- $result = true;
+ // OK
} else {
if (!ctype_alpha(@$id[0])) {
return false;
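Review bot: The character class in the `Attr.ID.HTML5` branch, `/[\t\n\x0b\x0c ]/`, omits carriage return, which HTML5 counts as a space character, while it does include vertical tab, which HTML5 does not. An id containing `\r` therefore passes the relaxed check; `preg_match('/[\t\n\x0c\r ]/', $id)` would match the HTML5 definition (keep `\x0b` as well if rejecting VT is intended). The retained comment "we purposely avoid using regex" now sits directly above a `preg_match` call and should be moved into the `else` branch or reworded. The enclosing method starts outside this hunk, so any earlier trimming of `$id` is not visible here.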
@@ -83,7 +88,10 @@
$id,
'A..Za..z0..9:-._'
);
- $result = ($trim === '');
+ if ($trim !== '') {
+ return false;
+ }
+ }
}
$regexp = $config->get('Attr.IDBlacklistRegexp');
@@ -91,7 +99,7 @@
return false;
}
- if (!$this->selector && $result) {
+ if (!$this->selector) {
$id_accumulator->add($id);
}
@@ -98,7 +106,7 @@
// if no change was made to the ID, return the result
// else, return the new id if stripping whitespace made it
// valid, or return false.
- return $result ? $id : false;
+ return $id;
}
}
Modified:
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier/AttrDef/URI/Host.php
===================================================================
---
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier/AttrDef/URI/Host.php
2017-10-17 14:10:28 UTC (rev 17159)
+++
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier/AttrDef/URI/Host.php
2017-10-17 14:14:04 UTC (rev 17160)
@@ -76,24 +76,33 @@
// fairly well supported.
$underscore = $config->get('Core.AllowHostnameUnderscore') ? '_' : '';
+ // Based off of RFC 1738, but amended so that
+ // as per RFC 3696, the top label need only not be all numeric.
// The productions describing this are:
$a = '[a-z]'; // alpha
$an = '[a-z0-9]'; // alphanum
$and = "[a-z0-9-$underscore]"; // alphanum | "-"
// domainlabel = alphanum | alphanum *( alphanum | "-" ) alphanum
- $domainlabel = "$an($and*$an)?";
- // toplabel = alpha | alpha *( alphanum | "-" ) alphanum
- $toplabel = "$a($and*$an)?";
+ $domainlabel = "$an(?:$and*$an)?";
+ // AMENDED as per RFC 3696
+ // toplabel = alphanum | alphanum *( alphanum | "-" ) alphanum
+ // side condition: not all numeric
+ $toplabel = "$an(?:$and*$an)?";
// hostname = *( domainlabel "." ) toplabel [ "." ]
- if (preg_match("/^($domainlabel\.)*$toplabel\.?$/i", $string)) {
+ if (preg_match("/^(?:$domainlabel\.)*($toplabel)\.?$/i", $string,
$matches)) {
+ if (!ctype_digit($matches[1])) {
return $string;
}
+ }
+ // PHP 5.3 and later support this functionality natively
+ if (function_exists('idn_to_ascii')) {
+ $string = idn_to_ascii($string);
+
// If we have Net_IDNA2 support, we can support IRIs by
// punycoding them. (This is the most portable thing to do,
// since otherwise we have to assume browsers support
-
- if ($config->get('Core.EnableIDNA')) {
+ } elseif ($config->get('Core.EnableIDNA')) {
$idna = new Net_IDNA2(array('encoding' => 'utf8', 'overlong' =>
false, 'strict' => true));
// we need to encode each period separately
$parts = explode('.', $string);
@@ -114,13 +123,14 @@
}
}
$string = implode('.', $new_parts);
- if (preg_match("/^($domainlabel\.)*$toplabel\.?$/i", $string))
{
- return $string;
- }
} catch (Exception $e) {
// XXX error reporting
}
}
+ // Try again
+ if (preg_match("/^($domainlabel\.)*$toplabel\.?$/i", $string)) {
+ return $string;
+ }
return false;
}
}
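Review bot: The retry under `// Try again` uses the old pattern without the capture group or the `ctype_digit` test, so a host with an all-numeric top label is refused by the first check in the previous hunk and then accepted here. As far as the visible lines show, every path reaches this retry, and since `$toplabel` now begins with `$an`, the "not all numeric" side condition is effectively not enforced. Applying the same test on the retry would close the gap: `if (preg_match("/^(?:$domainlabel\.)*($toplabel)\.?$/i", $string, $matches) && !ctype_digit($matches[1])) {`. Separately, the previous hunk calls `idn_to_ascii()` whenever the function exists, regardless of `Core.EnableIDNA`, and assigns the result without checking for a `false` return; a short comment that a failed conversion is meant to fall through to `return false` would make that intent explicit. The method body starts outside both hunks.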
Modified:
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier/AttrDef.php
===================================================================
---
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier/AttrDef.php
2017-10-17 14:10:28 UTC (rev 17159)
+++
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier/AttrDef.php
2017-10-17 14:14:04 UTC (rev 17160)
@@ -86,7 +86,13 @@
*/
protected function mungeRgb($string)
{
- return preg_replace('/rgb\((\d+)\s*,\s*(\d+)\s*,\s*(\d+)\)/',
'rgb(\1,\2,\3)', $string);
+ $p = '\s*(\d+(\.\d+)?([%]?))\s*';
+
+ if (preg_match('/(rgba|hsla)\(/', $string)) {
+ return
preg_replace('/(rgba|hsla)\('.$p.','.$p.','.$p.','.$p.'\)/',
'\1(\2,\5,\8,\11)', $string);
+ }
+
+ return preg_replace('/(rgb|hsl)\('.$p.','.$p.','.$p.'\)/',
'\1(\2,\5,\8)', $string);
}
/**
Modified:
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier/AttrTransform/ImgRequired.php
===================================================================
---
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier/AttrTransform/ImgRequired.php
2017-10-17 14:10:28 UTC (rev 17159)
+++
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier/AttrTransform/ImgRequired.php
2017-10-17 14:14:04 UTC (rev 17160)
@@ -32,8 +32,7 @@
if ($src) {
$alt = $config->get('Attr.DefaultImageAlt');
if ($alt === null) {
- // truncate if the alt is too long
- $attr['alt'] = substr(basename($attr['src']), 0, 40);
+ $attr['alt'] = basename($attr['src']);
} else {
$attr['alt'] = $alt;
}
Copied:
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier/AttrTransform/TargetNoopener.php
(from rev 17159,
trunk/phpgwapi/inc/htmlpurifier/HTMLPurifier/AttrTransform/TargetNoopener.php)
===================================================================
---
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier/AttrTransform/TargetNoopener.php
(rev 0)
+++
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier/AttrTransform/TargetNoopener.php
2017-10-17 14:14:04 UTC (rev 17160)
@@ -0,0 +1,37 @@
+<?php
+
+// must be called POST validation
+
+/**
+ * Adds rel="noopener" to any links which target a different window
+ * than the current one. This is used to prevent malicious websites
+ * from silently replacing the original window, which could be used
+ * to do phishing.
+ * This transform is controlled by %HTML.TargetNoopener.
+ */
+class HTMLPurifier_AttrTransform_TargetNoopener extends
HTMLPurifier_AttrTransform
+{
+ /**
+ * @param array $attr
+ * @param HTMLPurifier_Config $config
+ * @param HTMLPurifier_Context $context
+ * @return array
+ */
+ public function transform($attr, $config, $context)
+ {
+ if (isset($attr['rel'])) {
+ $rels = explode(' ', $attr['rel']);
+ } else {
+ $rels = array();
+ }
+ if (isset($attr['target']) && !in_array('noopener', $rels)) {
+ $rels[] = 'noopener';
+ }
+ if (!empty($rels) || isset($attr['rel'])) {
+ $attr['rel'] = implode(' ', $rels);
+ }
+
+ return $attr;
+ }
+}
+
Copied:
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier/AttrTransform/TargetNoreferrer.php
(from rev 17159,
trunk/phpgwapi/inc/htmlpurifier/HTMLPurifier/AttrTransform/TargetNoreferrer.php)
===================================================================
---
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier/AttrTransform/TargetNoreferrer.php
(rev 0)
+++
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier/AttrTransform/TargetNoreferrer.php
2017-10-17 14:14:04 UTC (rev 17160)
@@ -0,0 +1,37 @@
+<?php
+
+// must be called POST validation
+
+/**
+ * Adds rel="noreferrer" to any links which target a different window
+ * than the current one. This is used to prevent malicious websites
+ * from silently replacing the original window, which could be used
+ * to do phishing.
+ * This transform is controlled by %HTML.TargetNoreferrer.
+ */
+class HTMLPurifier_AttrTransform_TargetNoreferrer extends
HTMLPurifier_AttrTransform
+{
+ /**
+ * @param array $attr
+ * @param HTMLPurifier_Config $config
+ * @param HTMLPurifier_Context $context
+ * @return array
+ */
+ public function transform($attr, $config, $context)
+ {
+ if (isset($attr['rel'])) {
+ $rels = explode(' ', $attr['rel']);
+ } else {
+ $rels = array();
+ }
+ if (isset($attr['target']) && !in_array('noreferrer', $rels)) {
+ $rels[] = 'noreferrer';
+ }
+ if (!empty($rels) || isset($attr['rel'])) {
+ $attr['rel'] = implode(' ', $rels);
+ }
+
+ return $attr;
+ }
+}
+
Modified:
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier/CSSDefinition.php
===================================================================
---
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier/CSSDefinition.php
2017-10-17 14:10:28 UTC (rev 17159)
+++
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier/CSSDefinition.php
2017-10-17 14:14:04 UTC (rev 17160)
@@ -225,6 +225,10 @@
);
$max = $config->get('CSS.MaxImgLength');
+ $this->info['min-width'] =
+ $this->info['max-width'] =
+ $this->info['min-height'] =
+ $this->info['max-height'] =
$this->info['width'] =
$this->info['height'] =
$max === null ?
@@ -370,6 +374,19 @@
);
$this->info['page-break-inside'] = new
HTMLPurifier_AttrDef_Enum(array('auto', 'avoid'));
+ $border_radius = new HTMLPurifier_AttrDef_CSS_Composite(
+ array(
+ new HTMLPurifier_AttrDef_CSS_Percentage(true), // disallow
negative
+ new HTMLPurifier_AttrDef_CSS_Length('0') // disallow negative
+ ));
+
+ $this->info['border-top-left-radius'] =
+ $this->info['border-top-right-radius'] =
+ $this->info['border-bottom-right-radius'] =
+ $this->info['border-bottom-left-radius'] = new
HTMLPurifier_AttrDef_CSS_Multiple($border_radius, 2);
+ // TODO: support SLASH syntax
+ $this->info['border-radius'] = new
HTMLPurifier_AttrDef_CSS_Multiple($border_radius, 4);
+
}
/**
Modified:
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier/ChildDef/List.php
===================================================================
---
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier/ChildDef/List.php
2017-10-17 14:10:28 UTC (rev 17159)
+++
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier/ChildDef/List.php
2017-10-17 14:14:04 UTC (rev 17160)
@@ -38,6 +38,12 @@
return false;
}
+ // if li is not allowed, delete parent node
+ if (!isset($config->getHTMLDefinition()->info['li'])) {
+ trigger_error("Cannot allow ul/ol without allowing li",
E_USER_WARNING);
+ return false;
+ }
+
// the new set of children
$result = array();
@@ -44,7 +50,7 @@
// a little sanity check to make sure it's not ALL whitespace
$all_whitespace = true;
- $current_li = false;
+ $current_li = null;
foreach ($children as $node) {
if (!empty($node->is_whitespace)) {
@@ -65,7 +71,7 @@
// to handle non-list elements; non-list elements should
// not be appended to an existing li; only li created
// for non-list. This distinction is not currently made.
- if ($current_li === false) {
+ if ($current_li === null) {
$current_li = new HTMLPurifier_Node_Element('li');
$result[] = $current_li;
}
Modified:
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier/ChildDef/Table.php
===================================================================
---
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier/ChildDef/Table.php
2017-10-17 14:10:28 UTC (rev 17159)
+++
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier/ChildDef/Table.php
2017-10-17 14:14:04 UTC (rev 17160)
@@ -203,7 +203,7 @@
$current_tr_tbody->children[] = $node;
break;
case '#PCDATA':
- assert($node->is_whitespace);
+ //assert($node->is_whitespace);
if ($current_tr_tbody === null) {
$ret[] = $node;
} else {
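Review bot: The whitespace invariant for `#PCDATA` children is dropped by commenting out the `assert`, with no reason given, so text nodes now reach `$ret[] = $node` or the `else` branch unchecked. If non-whitespace text can legitimately arrive here, replace the dead line with a comment that says so, e.g. `// text may be non-whitespace here; kept as-is (see <upstream reference placeholder>)`. If it cannot, keep the check in a form that does not depend on PHP's assert settings. The enclosing `switch` starts and ends outside the hunk, so the body of the `else` branch is not visible.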
Modified:
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier/Config.php
===================================================================
---
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier/Config.php
2017-10-17 14:10:28 UTC (rev 17159)
+++
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier/Config.php
2017-10-17 14:14:04 UTC (rev 17160)
@@ -21,7 +21,7 @@
* HTML Purifier's version
* @type string
*/
- public $version = '4.7.0';
+ public $version = '4.9.3';
/**
* Whether or not to automatically finalize
@@ -333,7 +333,7 @@
}
// Raw type might be negative when using the fully optimized form
- // of stdclass, which indicates allow_null == true
+ // of stdClass, which indicates allow_null == true
$rtype = is_int($def) ? $def : $def->type;
if ($rtype < 0) {
$type = -$rtype;
Copied:
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier/ConfigSchema/schema/Attr.ID.HTML5.txt
(from rev 17159,
trunk/phpgwapi/inc/htmlpurifier/HTMLPurifier/ConfigSchema/schema/Attr.ID.HTML5.txt)
===================================================================
---
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier/ConfigSchema/schema/Attr.ID.HTML5.txt
(rev 0)
+++
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier/ConfigSchema/schema/Attr.ID.HTML5.txt
2017-10-17 14:14:04 UTC (rev 17160)
@@ -0,0 +1,10 @@
+Attr.ID.HTML5
+TYPE: bool/null
+DEFAULT: null
+VERSION: 4.8.0
+--DESCRIPTION--
+In HTML5, restrictions on the format of the id attribute have been
significantly
+relaxed, such that any string is valid so long as it contains no spaces and
+is at least one character. In lieu of a general HTML5 compatibility flag,
+set this configuration directive to true to use the relaxed rules.
+--# vim: et sw=4 sts=4
Copied:
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier/ConfigSchema/schema/CSS.AllowDuplicates.txt
(from rev 17159,
trunk/phpgwapi/inc/htmlpurifier/HTMLPurifier/ConfigSchema/schema/CSS.AllowDuplicates.txt)
===================================================================
---
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier/ConfigSchema/schema/CSS.AllowDuplicates.txt
(rev 0)
+++
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier/ConfigSchema/schema/CSS.AllowDuplicates.txt
2017-10-17 14:14:04 UTC (rev 17160)
@@ -0,0 +1,11 @@
+CSS.AllowDuplicates
+TYPE: bool
+DEFAULT: false
+VERSION: 4.8.0
+--DESCRIPTION--
+<p>
+ By default, HTML Purifier removes duplicate CSS properties,
+ like <code>color:red; color:blue</code>. If this is set to
+ true, duplicate properties are allowed.
+</p>
+--# vim: et sw=4 sts=4
Modified:
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier/ConfigSchema/schema/Cache.SerializerPermissions.txt
===================================================================
---
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier/ConfigSchema/schema/Cache.SerializerPermissions.txt
2017-10-17 14:10:28 UTC (rev 17159)
+++
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier/ConfigSchema/schema/Cache.SerializerPermissions.txt
2017-10-17 14:14:04 UTC (rev 17160)
@@ -1,5 +1,5 @@
Cache.SerializerPermissions
-TYPE: int
+TYPE: int/null
VERSION: 4.3.0
DEFAULT: 0755
--DESCRIPTION--
@@ -8,4 +8,9 @@
Directory permissions of the files and directories created inside
the DefinitionCache/Serializer or other custom serializer path.
</p>
+<p>
+ In HTML Purifier 4.8.0, this also supports <code>NULL</code>,
+ which means that no chmod'ing or directory creation shall
+ occur.
+</p>
--# vim: et sw=4 sts=4
Copied:
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier/ConfigSchema/schema/Core.AggressivelyRemoveScript.txt
(from rev 17159,
trunk/phpgwapi/inc/htmlpurifier/HTMLPurifier/ConfigSchema/schema/Core.AggressivelyRemoveScript.txt)
===================================================================
---
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier/ConfigSchema/schema/Core.AggressivelyRemoveScript.txt
(rev 0)
+++
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier/ConfigSchema/schema/Core.AggressivelyRemoveScript.txt
2017-10-17 14:14:04 UTC (rev 17160)
@@ -0,0 +1,16 @@
+Core.AggressivelyRemoveScript
+TYPE: bool
+VERSION: 4.9.0
+DEFAULT: true
+--DESCRIPTION--
+<p>
+ This directive enables aggressive pre-filter removal of
+ script tags. This is not necessary for security,
+ but it can help work around a bug in libxml where embedded
+ HTML elements inside script sections cause the parser to
+ choke. To revert to pre-4.9.0 behavior, set this to false.
+ This directive has no effect if %Core.Trusted is true,
+ %Core.RemoveScriptContents is false, or %Core.HiddenElements
+ does not contain script.
+</p>
+--# vim: et sw=4 sts=4
Copied:
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier/ConfigSchema/schema/Core.LegacyEntityDecoder.txt
(from rev 17159,
trunk/phpgwapi/inc/htmlpurifier/HTMLPurifier/ConfigSchema/schema/Core.LegacyEntityDecoder.txt)
===================================================================
---
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier/ConfigSchema/schema/Core.LegacyEntityDecoder.txt
(rev 0)
+++
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier/ConfigSchema/schema/Core.LegacyEntityDecoder.txt
2017-10-17 14:14:04 UTC (rev 17160)
@@ -0,0 +1,36 @@
+Core.LegacyEntityDecoder
+TYPE: bool
+VERSION: 4.9.0
+DEFAULT: false
+--DESCRIPTION--
+<p>
+ Prior to HTML Purifier 4.9.0, entities were decoded by performing
+ a global search replace for all entities whose decoded versions
+ did not have special meanings under HTML, and replaced them with
+ their decoded versions. We would match all entities, even if they did
+ not have a trailing semicolon, but only if there weren't any trailing
+ alphanumeric characters.
+</p>
+<table>
+<tr><th>Original</th><th>Text</th><th>Attribute</th></tr>
+<tr><td>&yen;</td><td>¥</td><td>¥</td></tr>
+<tr><td>&yen</td><td>¥</td><td>¥</td></tr>
+<tr><td>&yena</td><td>&yena</td><td>&yena</td></tr>
+<tr><td>&yen=</td><td>¥=</td><td>¥=</td></tr>
+</table>
+<p>
+ In HTML Purifier 4.9.0, we changed the behavior of entity parsing
+ to match entities that had missing trailing semicolons in less
+ cases, to more closely match HTML5 parsing behavior:
+</p>
+<table>
+<tr><th>Original</th><th>Text</th><th>Attribute</th></tr>
+<tr><td>&yen;</td><td>¥</td><td>¥</td></tr>
+<tr><td>&yen</td><td>¥</td><td>¥</td></tr>
+<tr><td>&yena</td><td>¥a</td><td>&yena</td></tr>
+<tr><td>&yen=</td><td>¥=</td><td>&yen=</td></tr>
+</table>
+<p>
+ This flag reverts back to pre-HTML Purifier 4.9.0 behavior.
+</p>
+--# vim: et sw=4 sts=4
Copied:
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier/ConfigSchema/schema/HTML.TargetNoopener.txt
(from rev 17159,
trunk/phpgwapi/inc/htmlpurifier/HTMLPurifier/ConfigSchema/schema/HTML.TargetNoopener.txt)
===================================================================
---
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier/ConfigSchema/schema/HTML.TargetNoopener.txt
(rev 0)
+++
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier/ConfigSchema/schema/HTML.TargetNoopener.txt
2017-10-17 14:14:04 UTC (rev 17160)
@@ -0,0 +1,10 @@
+--# vim: et sw=4 sts=4
+HTML.TargetNoopener
+TYPE: bool
+VERSION: 4.8.0
+DEFAULT: TRUE
+--DESCRIPTION--
+If enabled, noopener rel attributes are added to links which have
+a target attribute associated with them. This prevents malicious
+destinations from overwriting the original window.
+--# vim: et sw=4 sts=4
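Review bot: The new file opens with a stray `--# vim: et sw=4 sts=4` line ahead of the `HTML.TargetNoopener` ID line, whereas the other schema files added in this commit carry the modeline only as their last line. Whether this is harmless depends on the schema parser skipping `--#` lines before it reads the ID, which is not visible here. Dropping the first line removes that dependency and brings the file in line with its siblings.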
Copied:
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier/ConfigSchema/schema/HTML.TargetNoreferrer.txt
(from rev 17159,
trunk/phpgwapi/inc/htmlpurifier/HTMLPurifier/ConfigSchema/schema/HTML.TargetNoreferrer.txt)
===================================================================
---
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier/ConfigSchema/schema/HTML.TargetNoreferrer.txt
(rev 0)
+++
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier/ConfigSchema/schema/HTML.TargetNoreferrer.txt
2017-10-17 14:14:04 UTC (rev 17160)
@@ -0,0 +1,9 @@
+HTML.TargetNoreferrer
+TYPE: bool
+VERSION: 4.8.0
+DEFAULT: TRUE
+--DESCRIPTION--
+If enabled, noreferrer rel attributes are added to links which have
+a target attribute associated with them. This prevents malicious
+destinations from overwriting the original window.
+--# vim: et sw=4 sts=4
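Review bot: The description is word for word the one in HTML.TargetNoopener.txt and leaves out the effect specific to `noreferrer`: the browser also withholds the Referer header from the destination. With `DEFAULT: TRUE`, integrators who rely on referrer data for outbound links would not learn from this text that the merge changes it. Suggested extra sentence for the description: `It also stops the browser from sending the referring URL to the destination.`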
Modified:
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier/ConfigSchema/schema/URI.AllowedSchemes.txt
===================================================================
---
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier/ConfigSchema/schema/URI.AllowedSchemes.txt
2017-10-17 14:10:28 UTC (rev 17159)
+++
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier/ConfigSchema/schema/URI.AllowedSchemes.txt
2017-10-17 14:14:04 UTC (rev 17160)
@@ -8,6 +8,7 @@
'ftp' => true,
'nntp' => true,
'news' => true,
+ 'tel' => true,
)
--DESCRIPTION--
Whitelist that defines the schemes that a URI is allowed to have. This
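Review bot: The default allowlist is widened by `'tel' => true` with no note in the visible part of the directive's text. Every caller that does not set URI.AllowedSchemes itself will start accepting `tel:` links in purified user content after this merge. A line in the description such as `tel was added to the defaults in HTML Purifier <version placeholder>` would let integrators who depend on the previous set notice and override it. The description continues past the end of the hunk, so this may already be covered there.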
Modified:
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier/ConfigSchema/schema/URI.DefaultScheme.txt
===================================================================
---
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier/ConfigSchema/schema/URI.DefaultScheme.txt
2017-10-17 14:10:28 UTC (rev 17159)
+++
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier/ConfigSchema/schema/URI.DefaultScheme.txt
2017-10-17 14:14:04 UTC (rev 17160)
@@ -1,5 +1,5 @@
URI.DefaultScheme
-TYPE: string
+TYPE: string/null
DEFAULT: 'http'
--DESCRIPTION--
@@ -7,4 +7,9 @@
Defines through what scheme the output will be served, in order to
select the proper object validator when no scheme information is present.
</p>
+
+<p>
+ Starting with HTML Purifier 4.9.0, the default scheme can be null, in
+ which case we reject all URIs which do not have explicit schemes.
+</p>
--# vim: et sw=4 sts=4
Modified:
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier/ConfigSchema/schema.ser
===================================================================
---
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier/ConfigSchema/schema.ser
2017-10-17 14:10:28 UTC (rev 17159)
+++
branches/Version-2_0-branch/phpgwapi/inc/htmlpurifier/HTMLPurifier/ConfigSchema/schema.ser
2017-10-17 14:14:04 UTC (rev 17160)
@@ -1 +1 @@
-O:25:"HTMLPurifier_ConfigSchema":3:{s:8:"defaults";a:119:{s:19:"Attr.AllowedClasses";N;s:24:"Attr.AllowedFrameTargets";a:0:{}s:15:"Attr.AllowedRel";a:0:{}s:15:"Attr.AllowedRev";a:0:{}s:18:"Attr.ClassUseCDATA";N;s:20:"Attr.DefaultImageAlt";N;s:24:"Attr.DefaultInvalidImage";s:0:"";s:27:"Attr.DefaultInvalidImageAlt";s:13:"Invalid
image";s:19:"Attr.DefaultTextDir";s:3:"ltr";s:13:"Attr.EnableID";b:0;s:21:"Attr.ForbiddenClasses";a:0:{}s:16:"Attr.IDBlacklist";a:0:{}s:22:"Attr.IDBlacklistRegexp";N;s:13:"Attr.IDPrefix";s:0:"";s:18:"Attr.IDPrefixLocal";s:0:"";s:24:"AutoFormat.AutoParagraph";b:0;s:17:"AutoFormat.Custom";a:0:{}s:25:"AutoFormat.DisplayLinkURI";b:0;s:18:"AutoFormat.Linkify";b:0;s:33:"AutoFormat.PurifierLinkify.DocURL";s:3:"#%s";s:26:"AutoFormat.PurifierLinkify";b:0;s:32:"AutoFormat.RemoveEmpty.Predicate";a:4:{s:8:"colgroup";a:0:{}s:2:"th";a:0:{}s:2:"td";a:0:{}s:6:"iframe";a:1:{i:0;s:3:"src";}}s:44:"AutoFormat.RemoveEmpty.RemoveNbsp.Exceptions";a:2:{s:2:"td";b:1;s:2:"th";b:1;}s:33:"AutoFormat.RemoveEmpty.RemoveNbsp";b:0;s:22:"AutoFormat.RemoveEmpty";b:0;s:39:"AutoFormat.RemoveSpansWithoutAttributes";b:0;s:18:"CSS.AllowImportant";b:0;s:15:"CSS.AllowTricky";b:0;s:16:"CSS.AllowedFonts";N;s:21:"CSS.AllowedProperties";N;s:17:"CSS.DefinitionRev";i:1;s:23:"CSS.ForbiddenProperties";a:0:{}s:16:"CSS.MaxImgLength";s:6:"1200px";s:15:"CSS.Proprietary";b:0;s:11:"CSS.Trusted";b:0;s:20:"Cache.DefinitionImpl";s:10:"Serializer";s:20:"Cache.SerializerPath";N;s:27:"Cache.SerializerPermissions";i:493;s:22:"Core.AggressivelyFixLt";b:1;s:28:"Core.AllowHostnameUnderscore";b:0;s:18:"Core.CollectErrors";b:0;s:18:"Core.ColorKeywords";a:17:{s:6:"maroon";s:7:"#800000";s:3:"red";s:7:"#FF0000";s:6:"orange";s:7:"#FFA500";s:6:"yellow";s:7:"#FFFF00";s:5:"olive";s:7:"#808000";s:6:"purple";s:7:"#800080";s:7:"fuchsia";s:7:"#FF00FF";s:5:"white";s:7:"#FFFFFF";s:4:"lime";s:7:"#00FF00";s:5:"green";s:7:"#008000";s:4:"navy";s:7:"#000080";s:4:"blue";s:7:"#0000FF";s:4:"aqua";s:7:"#00FFFF";s:4:"teal";s:7:"#008080";s:5:"black";s:7:"#000000";s:6:"silver";s:7:"#C0C0C0";s:4:"gray";s:7:"#808080";}s:30:"Core.ConvertDocumentToFragment";b:1;s:36:"Core.DirectLexLineNumberSyncInterval";i:0;s:20:"Core.DisableExcludes";b:0;s:15:"Core.EnableIDNA";b:0;s:13:"Core.Encoding";s:5:"utf-8";s:26:"Core.EscapeInvalidChildren";b:0;s:22:"Core.EscapeInvalid
Tags";b:0;s:29:"Core.EscapeNonASCIICharacters";b:0;s:19:"Core.HiddenElements";a:2:{s:6:"script";b:1;s:5:"style";b:1;}s:13:"Core.Language";s:2:"en";s:14:"Core.LexerImpl";N;s:24:"Core.MaintainLineNumbers";N;s:22:"Core.NormalizeNewlines";b:1;s:21:"Core.RemoveInvalidImg";b:1;s:33:"Core.RemoveProcessingInstructions";b:0;s:25:"Core.RemoveScriptContents";N;s:13:"Filter.Custom";a:0:{}s:34:"Filter.ExtractStyleBlocks.Escaping";b:1;s:31:"Filter.ExtractStyleBlocks.Scope";N;s:34:"Filter.ExtractStyleBlocks.TidyImpl";N;s:25:"Filter.ExtractStyleBlocks";b:0;s:14:"Filter.YouTube";b:0;s:12:"HTML.Allowed";N;s:22:"HTML.AllowedAttributes";N;s:20:"HTML.AllowedComments";a:0:{}s:26:"HTML.AllowedCommentsRegexp";N;s:20:"HTML.AllowedElements";N;s:19:"HTML.AllowedModules";N;s:23:"HTML.Attr.Name.UseCDATA";b:0;s:17:"HTML.BlockWrapper";s:1:"p";s:16:"HTML.CoreModules";a:7:{s:9:"Structure";b:1;s:4:"Text";b:1;s:9:"Hypertext";b:1;s:4:"List";b:1;s:22:"NonXMLCommonAttributes";b:1;s:19:"XMLCommonAttributes";b:1;s:16:"CommonAttributes";b:1;}s:18:"HTML.CustomDoctype";N;s:17:"HTML.DefinitionID";N;s:18:"HTML.DefinitionRev";i:1;s:12:"HTML.Doctype";N;s:25:"HTML.FlashAllowFullScreen";b:0;s:24:"HTML.ForbiddenAttributes";a:0:{}s:22:"HTML.ForbiddenElements";a:0:{}s:17:"HTML.MaxImgLength";i:1200;s:13:"HTML.Nofollow";b:0;s:11:"HTML.Parent";s:3:"div";s:16:"HTML.Proprietary";b:0;s:14:"HTML.SafeEmbed";b:0;s:15:"HTML.SafeIframe";b:0;s:15:"HTML.SafeObject";b:0;s:18:"HTML.SafeScripting";a:0:{}s:11:"HTML.Strict";b:0;s:16:"HTML.TargetBlank";b:0;s:12:"HTML.TidyAdd";a:0:{}s:14:"HTML.TidyLevel";s:6:"medium";s:15:"HTML.TidyRemove";a:0:{}s:12:"HTML.Trusted";b:0;s:10:"HTML.XHTML";b:1;s:28:"Output.CommentScriptContents";b:1;s:19:"Output.FixInnerHTML";b:1;s:18:"Output.FlashCompat";b:0;s:14:"Output.Newline";N;s:15:"Output.SortAttr";b:0;s:17:"Output.TidyFormat";b:0;s:17:"Test.ForceNoIconv";b:0;s:18:"URI.AllowedSchemes";a:6:{s:4:"http";b:1;s:5:"https";b:1;s:6:"mailto";b:1;s:3:"ftp";b:1;s:4:"nntp";b:1;s:4:"news";b:1;}s:8:"URI.Base";N;s
:17:"URI.DefaultScheme";s:4:"http";s:16:"URI.DefinitionID";N;s:17:"URI.DefinitionRev";i:1;s:11:"URI.Disable";b:0;s:19:"URI.DisableExternal";b:0;s:28:"URI.DisableExternalResources";b:0;s:20:"URI.DisableResources";b:0;s:8:"URI.Host";N;s:17:"URI.HostBlacklist";a:0:{}s:16:"URI.MakeAbsolute";b:0;s:9:"URI.Munge";N;s:18:"URI.MungeResources";b:0;s:18:"URI.MungeSecretKey";N;s:26:"URI.OverrideAllowedSchemes";b:1;s:20:"URI.SafeIframeRegexp";N;}s:12:"defaultPlist";O:25:"HTMLPurifier_PropertyList":3:{s:7:"