CHG: update HTML Purifier from 4.14.0-master-1dd3e52 dev-release to 4.15.0

Author: marcovtwout

CHANGELOG

@@ -5,7 +5,7 @@ Version 1.1.26 under development
 --------------------------------
 
 - Enh #4386: Added support for PHP 8.1 (marcovtwout, JonathanArgentao, ivany4, csears123)
-- Enh #4386: Updated HTMLPurifier to version 4.14.0-master-1dd3e52 for PHP 8.1 support (https://github.com/ezyang/htmlpurifier/blob/v4.14.0/NEWS) (marcovtwout)
+- Enh #4386: Updated HTMLPurifier to version 4.15.0 for PHP 8.1 support (https://github.com/ezyang/htmlpurifier/blob/v4.15.0/NEWS) (marcovtwout)
 - Enh #4392: Added support for SSL to CRedisCache (andres101)
 - Bug #4453: Alpine Linux compatibility: Avoid using `GLOB_BRACE` in `CFileHelper::removeDirectory` (ivany4)
 

framework/vendors/README.html

@@ -84,7 +84,7 @@ <h1>Third-Party Library List</h1>
   <td><a href="https://www.yiiframework.com/doc/api/1.1/CGettextMoFile">CGettextMoFile</a></td>
 </tr>
 <tr>
-  <td><a href="http://htmlpurifier.org/">HTML Purifier</a> (v4.14.0-master-1dd3e52)</td>
+  <td><a href="http://htmlpurifier.org/">HTML Purifier</a> (v4.15.0)</td>
   <td><a href="htmlpurifier/LICENSE.txt">LGPL</a></td>
   <td><a href="https://www.yiiframework.com/doc/api/1.1/CHtmlPurifier">CHtmlPurifier</a></td>
 </tr>

framework/vendors/htmlpurifier/HTMLPurifier.standalone.php

@@ -7,10 +7,7 @@
  * primary concern and you are using an opcode cache. PLEASE DO NOT EDIT THIS
  * FILE, changes will be overwritten the next time the script is run.
  *
- * @version 4.14.0-master-1dd3e52
- * Build manually:
- * - checkout https://github.com/ezyang/htmlpurifier/commit/1dd3e52365c32a142fb7c9c9f8f038f18e353270
- * - php maintainance/generate-standalone.php
+ * @version 4.15.0
  *
  * @warning
  *      You must *not* include any other HTML Purifier files before this file,
@@ -42,7 +39,7 @@
  */
 
 /*
-    HTML Purifier 4.14.0 - Standards Compliant HTML Filtering
+    HTML Purifier 4.15.0 - Standards Compliant HTML Filtering
     Copyright (C) 2006-2008 Edward Z. Yang
 
     This library is free software; you can redistribute it and/or
@@ -81,12 +78,12 @@ class HTMLPurifier
      * Version of HTML Purifier.
      * @type string
      */
-    public $version = '4.14.0';
+    public $version = '4.15.0';
 
     /**
      * Constant with version of HTML Purifier.
      */
-    const VERSION = '4.14.0';
+    const VERSION = '4.15.0';
 
     /**
      * Global configuration object.
@@ -789,6 +786,7 @@ public function __construct()
         $this->info['IAlign']   = self::makeEnum('top,middle,bottom,left,right');
         $this->info['LAlign']   = self::makeEnum('top,bottom,left,right');
         $this->info['FrameTarget'] = new HTMLPurifier_AttrDef_HTML_FrameTarget();
+        $this->info['ContentEditable'] = new HTMLPurifier_AttrDef_HTML_ContentEditable();
 
         // unimplemented aliases
         $this->info['ContentType'] = new HTMLPurifier_AttrDef_Text();
@@ -1830,7 +1828,7 @@ class HTMLPurifier_Config
      * HTML Purifier's version
      * @type string
      */
-    public $version = '4.14.0';
+    public $version = '4.15.0';
 
     /**
      * Whether or not to automatically finalize
@@ -4243,8 +4241,8 @@ public static function convertToUTF8($str, $config, $context)
             // characters to their true byte-wise ASCII/UTF-8 equivalents.
             $str = strtr($str, self::testEncodingSupportsASCII($encoding));
             return $str;
-        } elseif ($encoding === 'iso-8859-1') {
-            $str = utf8_encode($str);
+        } elseif ($encoding === 'iso-8859-1' && function_exists('mb_convert_encoding')) {
+            $str = mb_convert_encoding($str, 'UTF-8', 'ISO-8859-1');
             return $str;
         }
         $bug = HTMLPurifier_Encoder::testIconvTruncateBug();
@@ -4295,8 +4293,8 @@ public static function convertFromUTF8($str, $config, $context)
             // Normal stuff
             $str = self::iconv('utf-8', $encoding . '//IGNORE', $str);
             return $str;
-        } elseif ($encoding === 'iso-8859-1') {
-            $str = utf8_decode($str);
+        } elseif ($encoding === 'iso-8859-1' && function_exists('mb_convert_encoding')) {
+            $str = mb_convert_encoding($str, 'ISO-8859-1', 'UTF-8');
             return $str;
         }
         trigger_error('Encoding not supported', E_USER_ERROR);
@@ -7691,6 +7689,11 @@ class HTMLPurifier_Lexer
      */
     public $tracksLineNumbers = false;
 
+    /**
+     * @type HTMLPurifier_EntityParser
+     */
+    private $_entity_parser;
+
     // -- STATIC ----------------------------------------------------------
 
     /**
@@ -12885,6 +12888,23 @@ public function validate($string, $config, $context)
 
 
 
+class HTMLPurifier_AttrDef_HTML_ContentEditable extends HTMLPurifier_AttrDef
+{
+    public function validate($string, $config, $context)
+    {
+        $allowed = array('false');
+        if ($config->get('HTML.Trusted')) {
+            $allowed = array('', 'true', 'false');
+        }
+
+        $enum = new HTMLPurifier_AttrDef_Enum($allowed);
+
+        return $enum->validate($string, $config, $context);
+    }
+}
+
+
+
 /**
  * Special-case enum attribute definition that lazy loads allowed frame targets
  */
@@ -14153,6 +14173,11 @@ public function transform($attr, $config, $context)
 class HTMLPurifier_AttrTransform_NameSync extends HTMLPurifier_AttrTransform
 {
 
+    /**
+     * @type HTMLPurifier_AttrDef_HTML_ID
+     */
+    public $idDef;
+
     public function __construct()
     {
         $this->idDef = new HTMLPurifier_AttrDef_HTML_ID();
@@ -14319,6 +14344,11 @@ class HTMLPurifier_AttrTransform_SafeParam extends HTMLPurifier_AttrTransform
      */
     private $uri;
 
+    /**
+     * @type HTMLPurifier_AttrDef_Enum
+     */
+    public $wmode;
+
     public function __construct()
     {
         $this->uri = new HTMLPurifier_AttrDef_URI(true); // embedded
@@ -14781,6 +14811,8 @@ class HTMLPurifier_ChildDef_List extends HTMLPurifier_ChildDef
     // XXX: This whole business with 'wrap' is all a bit unsatisfactory
     public $elements = array('li' => true, 'ul' => true, 'ol' => true);
 
+    public $whitespace;
+
     /**
      * @param array $children
      * @param HTMLPurifier_Config $config
@@ -16082,6 +16114,7 @@ class HTMLPurifier_HTMLModule_CommonAttributes extends HTMLPurifier_HTMLModule
             'class' => 'Class',
             'id' => 'ID',
             'title' => 'CDATA',
+            'contenteditable' => 'ContentEditable',
         ),
         'Lang' => array(),
         'I18N' => array(
@@ -18774,6 +18807,16 @@ class HTMLPurifier_Injector_RemoveSpansWithoutAttributes extends HTMLPurifier_In
      */
     private $context;
 
+    /**
+     * @type SplObjectStorage
+     */
+    private $markForDeletion;
+
+    public function __construct()
+    {
+        $this->markForDeletion = new SplObjectStorage();
+    }
+
     public function prepare($config, $context)
     {
         $this->attrValidator = new HTMLPurifier_AttrValidator();
@@ -18807,7 +18850,7 @@ public function handleElement(&$token)
 
         if ($current instanceof HTMLPurifier_Token_End && $current->name === 'span') {
             // Mark closing span tag for deletion
-            $current->markForDeletion = true;
+            $this->markForDeletion->attach($current);
             // Delete open span tag
             $token = false;
         }
@@ -18818,7 +18861,8 @@ public function handleElement(&$token)
      */
     public function handleEnd(&$token)
     {
-        if ($token->markForDeletion) {
+        if ($this->markForDeletion->contains($token)) {
+            $this->markForDeletion->detach($token);
             $token = false;
         }
     }
@@ -21642,7 +21686,7 @@ public function prepare($config)
     public function filter(&$uri, $config, $context)
     {
         foreach ($this->blacklist as $blacklisted_host_fragment) {
-            if (strpos($uri->host, $blacklisted_host_fragment) !== false) {
+            if ($uri->host !== null && strpos($uri->host, $blacklisted_host_fragment) !== false) {
                 return false;
             }
         }