authorAndrew Dolgov <[email protected]>2011-04-11 16:41:01 +0400
committerAndrew Dolgov <[email protected]>2011-04-11 16:41:01 +0400
commitf4f0f80d2118437e5047ba266f92d7acb3c38fb7 (patch)
treefb15f179dcd68b55613394ad864455f1796de555 /lib/htmlpurifier/library/HTMLPurifier/AttrTransform
parentad92c6ac62903f3bb37f16048fedff44a2eb540d (diff)
update HTMLPurifier; enable embedded flash video in articles
Diffstat (limited to 'lib/htmlpurifier/library/HTMLPurifier/AttrTransform')
-rw-r--r--[-rwxr-xr-x]lib/htmlpurifier/library/HTMLPurifier/AttrTransform/Background.php0
-rw-r--r--[-rwxr-xr-x]lib/htmlpurifier/library/HTMLPurifier/AttrTransform/BdoDir.php2
-rw-r--r--[-rwxr-xr-x]lib/htmlpurifier/library/HTMLPurifier/AttrTransform/BgColor.php0
-rw-r--r--[-rwxr-xr-x]lib/htmlpurifier/library/HTMLPurifier/AttrTransform/BoolToCSS.php0
-rw-r--r--[-rwxr-xr-x]lib/htmlpurifier/library/HTMLPurifier/AttrTransform/Border.php0
-rw-r--r--[-rwxr-xr-x]lib/htmlpurifier/library/HTMLPurifier/AttrTransform/EnumToCSS.php0
-rw-r--r--[-rwxr-xr-x]lib/htmlpurifier/library/HTMLPurifier/AttrTransform/ImgRequired.php11
-rw-r--r--[-rwxr-xr-x]lib/htmlpurifier/library/HTMLPurifier/AttrTransform/ImgSpace.php0
-rw-r--r--[-rwxr-xr-x]lib/htmlpurifier/library/HTMLPurifier/AttrTransform/Input.php0
-rw-r--r--[-rwxr-xr-x]lib/htmlpurifier/library/HTMLPurifier/AttrTransform/Lang.php0
-rw-r--r--[-rwxr-xr-x]lib/htmlpurifier/library/HTMLPurifier/AttrTransform/Length.php0
-rw-r--r--[-rwxr-xr-x]lib/htmlpurifier/library/HTMLPurifier/AttrTransform/Name.php2
-rw-r--r--lib/htmlpurifier/library/HTMLPurifier/AttrTransform/NameSync.php27
-rw-r--r--lib/htmlpurifier/library/HTMLPurifier/AttrTransform/Nofollow.php41
-rw-r--r--[-rwxr-xr-x]lib/htmlpurifier/library/HTMLPurifier/AttrTransform/SafeEmbed.php0
-rw-r--r--[-rwxr-xr-x]lib/htmlpurifier/library/HTMLPurifier/AttrTransform/SafeObject.php0
-rw-r--r--[-rwxr-xr-x]lib/htmlpurifier/library/HTMLPurifier/AttrTransform/SafeParam.php16
-rw-r--r--[-rwxr-xr-x]lib/htmlpurifier/library/HTMLPurifier/AttrTransform/ScriptRequired.php0
-rw-r--r--[-rwxr-xr-x]lib/htmlpurifier/library/HTMLPurifier/AttrTransform/Textarea.php0
19 files changed, 92 insertions, 7 deletions
diff --git a/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/Background.php b/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/Background.php
index 0e1ff24a3..0e1ff24a3 100755..100644
--- a/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/Background.php
+++ b/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/Background.php
diff --git a/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/BdoDir.php b/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/BdoDir.php
index 40310b914..4d1a05665 100755..100644
--- a/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/BdoDir.php
+++ b/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/BdoDir.php
@@ -10,7 +10,7 @@ class HTMLPurifier_AttrTransform_BdoDir extends HTMLPurifier_AttrTransform
public function transform($attr, $config, $context) {
if (isset($attr['dir'])) return $attr;
- $attr['dir'] = $config->get('Attr', 'DefaultTextDir');
+ $attr['dir'] = $config->get('Attr.DefaultTextDir');
return $attr;
}
diff --git a/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/BgColor.php b/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/BgColor.php
index ad3916bb9..ad3916bb9 100755..100644
--- a/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/BgColor.php
+++ b/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/BgColor.php
diff --git a/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/BoolToCSS.php b/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/BoolToCSS.php
index 51159b671..51159b671 100755..100644
--- a/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/BoolToCSS.php
+++ b/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/BoolToCSS.php
diff --git a/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/Border.php b/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/Border.php
index 476b0b079..476b0b079 100755..100644
--- a/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/Border.php
+++ b/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/Border.php
diff --git a/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/EnumToCSS.php b/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/EnumToCSS.php
index 2a5b4514a..2a5b4514a 100755..100644
--- a/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/EnumToCSS.php
+++ b/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/EnumToCSS.php
diff --git a/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/ImgRequired.php b/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/ImgRequired.php
index 25c9403c2..7f0e4b7a5 100755..100644
--- a/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/ImgRequired.php
+++ b/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/ImgRequired.php
@@ -15,21 +15,22 @@ class HTMLPurifier_AttrTransform_ImgRequired extends HTMLPurifier_AttrTransform
$src = true;
if (!isset($attr['src'])) {
- if ($config->get('Core', 'RemoveInvalidImg')) return $attr;
- $attr['src'] = $config->get('Attr', 'DefaultInvalidImage');
+ if ($config->get('Core.RemoveInvalidImg')) return $attr;
+ $attr['src'] = $config->get('Attr.DefaultInvalidImage');
$src = false;
}
if (!isset($attr['alt'])) {
if ($src) {
- $alt = $config->get('Attr', 'DefaultImageAlt');
+ $alt = $config->get('Attr.DefaultImageAlt');
if ($alt === null) {
- $attr['alt'] = basename($attr['src']);
+ // truncate if the alt is too long
+ $attr['alt'] = substr(basename($attr['src']),0,40);
} else {
$attr['alt'] = $alt;
}
} else {
- $attr['alt'] = $config->get('Attr', 'DefaultInvalidImageAlt');
+ $attr['alt'] = $config->get('Attr.DefaultInvalidImageAlt');
}
}
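Review bot: The new truncation `substr(basename($attr['src']),0,40)` in the `$alt === null` branch counts bytes, so a file name with multibyte UTF-8 characters can be cut in the middle of a character and leave a malformed sequence at the end of the generated `alt` value. Since `src` comes from the markup being purified, the cut should land on a character boundary, e.g. `mb_substr(basename($attr['src']), 0, 40, 'UTF-8')` where mbstring is available, or the result should go through the library's UTF-8 cleaning before it is stored. The bare `40` would also read better with a short comment saying why that length was chosen. The enclosing transform() starts and ends outside this hunk.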
diff --git a/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/ImgSpace.php b/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/ImgSpace.php
index fd84c10c3..fd84c10c3 100755..100644
--- a/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/ImgSpace.php
+++ b/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/ImgSpace.php
diff --git a/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/Input.php b/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/Input.php
index 16829552d..16829552d 100755..100644
--- a/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/Input.php
+++ b/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/Input.php
diff --git a/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/Lang.php b/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/Lang.php
index 5869e7f82..5869e7f82 100755..100644
--- a/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/Lang.php
+++ b/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/Lang.php
diff --git a/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/Length.php b/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/Length.php
index ea2f30473..ea2f30473 100755..100644
--- a/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/Length.php
+++ b/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/Length.php
diff --git a/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/Name.php b/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/Name.php
index e6f93aee3..15315bc73 100755..100644
--- a/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/Name.php
+++ b/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/Name.php
@@ -7,6 +7,8 @@ class HTMLPurifier_AttrTransform_Name extends HTMLPurifier_AttrTransform
{
public function transform($attr, $config, $context) {
+ // Abort early if we're using relaxed definition of name
+ if ($config->get('HTML.Attr.Name.UseCDATA')) return $attr;
if (!isset($attr['name'])) return $attr;
$id = $this->confiscateAttr($attr, 'name');
if ( isset($attr['id'])) return $attr;
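Review bot: The early return added at the top of transform() needs a fuller comment than "relaxed definition of name": with `HTML.Attr.Name.UseCDATA` set, `name` is returned untouched and never reaches the `confiscateAttr`/`id` handling below, so whatever rules apply to IDs no longer apply to names on this path. I would spell that out, e.g. `// UseCDATA: name stays free-form CDATA and is NOT folded into id; no ID validation runs on it here`. Whether another transform validates the name afterwards in that mode is not visible from this hunk, which ends before the method does.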
diff --git a/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/NameSync.php b/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/NameSync.php
new file mode 100644
index 000000000..a95638c14
--- /dev/null
+++ b/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/NameSync.php
@@ -0,0 +1,27 @@
+<?php
+
+/**
+ * Post-transform that performs validation to the name attribute; if
+ * it is present with an equivalent id attribute, it is passed through;
+ * otherwise validation is performed.
+ */
+class HTMLPurifier_AttrTransform_NameSync extends HTMLPurifier_AttrTransform
+{
+
+ public function __construct() {
+ $this->idDef = new HTMLPurifier_AttrDef_HTML_ID();
+ }
+
+ public function transform($attr, $config, $context) {
+ if (!isset($attr['name'])) return $attr;
+ $name = $attr['name'];
+ if (isset($attr['id']) && $attr['id'] === $name) return $attr;
+ $result = $this->idDef->validate($name, $config, $context);
+ if ($result === false) unset($attr['name']);
+ else $attr['name'] = $result;
+ return $attr;
+ }
+
+}
+
+// vim: et sw=4 sts=4
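Review bot: `$this->idDef` is assigned in the constructor without a property declaration, unlike `private $parser;` in Nofollow.php from the same commit; declare it (`public $idDef;` keeps today's visibility) with a one-line comment naming the ID validator it holds. The `$attr['id'] === $name` short-circuit returns the name without validating it, which is sound only if `id` has already been validated by the time this runs. The class docblock says "Post-transform", and a comment on that line such as `// id was validated earlier, so an identical name can pass through` would make the ordering dependency explicit.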
diff --git a/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/Nofollow.php b/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/Nofollow.php
new file mode 100644
index 000000000..573b42c9c
--- /dev/null
+++ b/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/Nofollow.php
@@ -0,0 +1,41 @@
+<?php
+
+// must be called POST validation
+
+/**
+ * Adds rel="nofollow" to all outbound links. This transform is
+ * only attached if Attr.Nofollow is TRUE.
+ */
+class HTMLPurifier_AttrTransform_Nofollow extends HTMLPurifier_AttrTransform
+{
+ private $parser;
+
+ public function __construct() {
+ $this->parser = new HTMLPurifier_URIParser();
+ }
+
+ public function transform($attr, $config, $context) {
+
+ if (!isset($attr['href'])) {
+ return $attr;
+ }
+
+ // XXX Kind of inefficient
+ $url = $this->parser->parse($attr['href']);
+ $scheme = $url->getSchemeObj($config, $context);
+
+ if (!is_null($url->host) && $scheme !== false && $scheme->browsable) {
+ if (isset($attr['rel'])) {
+ $attr['rel'] .= ' nofollow';
+ } else {
+ $attr['rel'] = 'nofollow';
+ }
+ }
+
+ return $attr;
+
+ }
+
+}
+
+// vim: et sw=4 sts=4
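Review bot: In transform(), `$attr['rel'] .= ' nofollow';` appends unconditionally, so a link that already carries the token ends up with it twice; guard it, e.g. `if (!in_array('nofollow', preg_split('/\s+/', strtolower($attr['rel'])))) $attr['rel'] .= ' nofollow';`. The result of `$this->parser->parse($attr['href'])` is dereferenced without a check, which appears to rely on the "must be called POST validation" comment at the top of the file; that precondition belongs in the class docblock, stating that `href` is assumed to be an already-validated URI. The docblock also says "outbound links", yet the condition only tests for a host and a browsable scheme, so absolute links to the site's own host get the attribute as well; either document that or compare against the configured host.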
diff --git a/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/SafeEmbed.php b/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/SafeEmbed.php
index 4da449981..4da449981 100755..100644
--- a/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/SafeEmbed.php
+++ b/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/SafeEmbed.php
diff --git a/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/SafeObject.php b/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/SafeObject.php
index 1ed74898b..1ed74898b 100755..100644
--- a/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/SafeObject.php
+++ b/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/SafeObject.php
diff --git a/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/SafeParam.php b/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/SafeParam.php
index 94e8052a9..bd86a7455 100755..100644
--- a/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/SafeParam.php
+++ b/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/SafeParam.php
@@ -19,6 +19,7 @@ class HTMLPurifier_AttrTransform_SafeParam extends HTMLPurifier_AttrTransform
public function __construct() {
$this->uri = new HTMLPurifier_AttrDef_URI(true); // embedded
+ $this->wmode = new HTMLPurifier_AttrDef_Enum(array('window', 'opaque', 'transparent'));
}
public function transform($attr, $config, $context) {
@@ -33,12 +34,25 @@ class HTMLPurifier_AttrTransform_SafeParam extends HTMLPurifier_AttrTransform
case 'allowNetworking':
$attr['value'] = 'internal';
break;
+ case 'allowFullScreen':
+ if ($config->get('HTML.FlashAllowFullScreen')) {
+ $attr['value'] = ($attr['value'] == 'true') ? 'true' : 'false';
+ } else {
+ $attr['value'] = 'false';
+ }
+ break;
case 'wmode':
- $attr['value'] = 'window';
+ $attr['value'] = $this->wmode->validate($attr['value'], $config, $context);
break;
case 'movie':
+ case 'src':
+ $attr['name'] = "movie";
$attr['value'] = $this->uri->validate($attr['value'], $config, $context);
break;
+ case 'flashvars':
+ // we're going to allow arbitrary inputs to the SWF, on
+ // the reasoning that it could only hack the SWF, not us.
+ break;
// add other cases to support other param name/value pairs
default:
$attr['name'] = $attr['value'] = null;
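Review bot: In the `wmode` case the return value of `$this->wmode->validate(...)` is stored directly, so a value outside `window`/`opaque`/`transparent` no longer falls back to the previously hard-coded `'window'` but leaves `$attr['value']` as the validator's failure result (presumably `false`, which is what NameSync.php in this commit tests for). Keep the old default on failure: `$v = $this->wmode->validate($attr['value'], $config, $context);` followed by `$attr['value'] = ($v === false) ? 'window' : $v;`. The `flashvars` comment should also record what the pass-through depends on: the value is author-controlled input to whichever SWF the `movie` URI check admits, so the claim that it "could only hack the SWF" holds only while the other params in this switch keep the movie from scripting the page, and those cases lie outside the hunk. The `allowFullScreen` branch compares with `==` and is case-sensitive on `'true'`; `===` would state the intent.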
diff --git a/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/ScriptRequired.php b/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/ScriptRequired.php
index 4499050a2..4499050a2 100755..100644
--- a/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/ScriptRequired.php
+++ b/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/ScriptRequired.php
diff --git a/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/Textarea.php b/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/Textarea.php
index 81ac3488b..81ac3488b 100755..100644
--- a/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/Textarea.php
+++ b/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/Textarea.php