From 10831dd274ff65d4852b47dbc398adae61845206 Mon Sep 17 00:00:00 2001
From: Bernhard Posselt <nukeawhale@gmail.com>
Date: Sat, 4 May 2013 00:15:41 +0200
Subject: use html purifier for sanitation

---
 .../HTMLPurifier/AttrTransform/Background.php      | 23 ++++++++
 .../library/HTMLPurifier/AttrTransform/BdoDir.php  | 19 +++++++
 .../library/HTMLPurifier/AttrTransform/BgColor.php | 23 ++++++++
 .../HTMLPurifier/AttrTransform/BoolToCSS.php       | 36 ++++++++++++
 .../library/HTMLPurifier/AttrTransform/Border.php  | 18 ++++++
 .../HTMLPurifier/AttrTransform/EnumToCSS.php       | 58 ++++++++++++++++++++
 .../HTMLPurifier/AttrTransform/ImgRequired.php     | 43 +++++++++++++++
 .../HTMLPurifier/AttrTransform/ImgSpace.php        | 44 +++++++++++++++
 .../library/HTMLPurifier/AttrTransform/Input.php   | 40 ++++++++++++++
 .../library/HTMLPurifier/AttrTransform/Lang.php    | 28 ++++++++++
 .../library/HTMLPurifier/AttrTransform/Length.php  | 27 +++++++++
 .../library/HTMLPurifier/AttrTransform/Name.php    | 21 +++++++
 .../HTMLPurifier/AttrTransform/NameSync.php        | 27 +++++++++
 .../HTMLPurifier/AttrTransform/Nofollow.php        | 45 +++++++++++++++
 .../HTMLPurifier/AttrTransform/SafeEmbed.php       | 15 +++++
 .../HTMLPurifier/AttrTransform/SafeObject.php      | 16 ++++++
 .../HTMLPurifier/AttrTransform/SafeParam.php       | 64 ++++++++++++++++++++++
 .../HTMLPurifier/AttrTransform/ScriptRequired.php  | 16 ++++++
 .../HTMLPurifier/AttrTransform/TargetBlank.php     | 38 +++++++++++++
 .../HTMLPurifier/AttrTransform/Textarea.php        | 18 ++++++
 20 files changed, 619 insertions(+)
 create mode 100644 3rdparty/htmlpurifier/library/HTMLPurifier/AttrTransform/Background.php
 create mode 100644 3rdparty/htmlpurifier/library/HTMLPurifier/AttrTransform/BdoDir.php
 create mode 100644 3rdparty/htmlpurifier/library/HTMLPurifier/AttrTransform/BgColor.php
 create mode 100644 3rdparty/htmlpurifier/library/HTMLPurifier/AttrTransform/BoolToCSS.php
 create mode 100644 3rdparty/htmlpurifier/library/HTMLPurifier/AttrTransform/Border.php
 create mode 100644 3rdparty/htmlpurifier/library/HTMLPurifier/AttrTransform/EnumToCSS.php
 create mode 100644 3rdparty/htmlpurifier/library/HTMLPurifier/AttrTransform/ImgRequired.php
 create mode 100644 3rdparty/htmlpurifier/library/HTMLPurifier/AttrTransform/ImgSpace.php
 create mode 100644 3rdparty/htmlpurifier/library/HTMLPurifier/AttrTransform/Input.php
 create mode 100644 3rdparty/htmlpurifier/library/HTMLPurifier/AttrTransform/Lang.php
 create mode 100644 3rdparty/htmlpurifier/library/HTMLPurifier/AttrTransform/Length.php
 create mode 100644 3rdparty/htmlpurifier/library/HTMLPurifier/AttrTransform/Name.php
 create mode 100644 3rdparty/htmlpurifier/library/HTMLPurifier/AttrTransform/NameSync.php
 create mode 100644 3rdparty/htmlpurifier/library/HTMLPurifier/AttrTransform/Nofollow.php
 create mode 100644 3rdparty/htmlpurifier/library/HTMLPurifier/AttrTransform/SafeEmbed.php
 create mode 100644 3rdparty/htmlpurifier/library/HTMLPurifier/AttrTransform/SafeObject.php
 create mode 100644 3rdparty/htmlpurifier/library/HTMLPurifier/AttrTransform/SafeParam.php
 create mode 100644 3rdparty/htmlpurifier/library/HTMLPurifier/AttrTransform/ScriptRequired.php
 create mode 100644 3rdparty/htmlpurifier/library/HTMLPurifier/AttrTransform/TargetBlank.php
 create mode 100644 3rdparty/htmlpurifier/library/HTMLPurifier/AttrTransform/Textarea.php

(limited to '3rdparty/htmlpurifier/library/HTMLPurifier/AttrTransform')

diff --git a/3rdparty/htmlpurifier/library/HTMLPurifier/AttrTransform/Background.php b/3rdparty/htmlpurifier/library/HTMLPurifier/AttrTransform/Background.php
new file mode 100644
index 000000000..3dfcfd339
--- /dev/null
+++ b/3rdparty/htmlpurifier/library/HTMLPurifier/AttrTransform/Background.php
@@ -0,0 +1,23 @@
+<?php
+
+/**
+ * Pre-transform that changes proprietary background attribute to CSS.
+ */
+class HTMLPurifier_AttrTransform_Background extends HTMLPurifier_AttrTransform {
+
+    public function transform($attr, $config, $context) {
+
+        if (!isset($attr['background'])) return $attr;
+
+        $background = $this->confiscateAttr($attr, 'background');
+        // some validation should happen here
+
+        $this->prependCSS($attr, "background-image:url($background);");
+
+        return $attr;
+
+    }
+
+}
+
+// vim: et sw=4 sts=4
diff --git a/3rdparty/htmlpurifier/library/HTMLPurifier/AttrTransform/BdoDir.php b/3rdparty/htmlpurifier/library/HTMLPurifier/AttrTransform/BdoDir.php
new file mode 100644
index 000000000..e9800bb49
--- /dev/null
+++ b/3rdparty/htmlpurifier/library/HTMLPurifier/AttrTransform/BdoDir.php
@@ -0,0 +1,19 @@
+<?php
+
+// this MUST be placed in post, as it assumes that any value in dir is valid
+
+/**
+ * Post-trasnform that ensures that bdo tags have the dir attribute set.
+ */
+class HTMLPurifier_AttrTransform_BdoDir extends HTMLPurifier_AttrTransform
+{
+
+    public function transform($attr, $config, $context) {
+        if (isset($attr['dir'])) return $attr;
+        $attr['dir'] = $config->get('Attr.DefaultTextDir');
+        return $attr;
+    }
+
+}
+
+// vim: et sw=4 sts=4
diff --git a/3rdparty/htmlpurifier/library/HTMLPurifier/AttrTransform/BgColor.php b/3rdparty/htmlpurifier/library/HTMLPurifier/AttrTransform/BgColor.php
new file mode 100644
index 000000000..821ac573b
--- /dev/null
+++ b/3rdparty/htmlpurifier/library/HTMLPurifier/AttrTransform/BgColor.php
@@ -0,0 +1,23 @@
+<?php
+
+/**
+ * Pre-transform that changes deprecated bgcolor attribute to CSS.
+ */
+class HTMLPurifier_AttrTransform_BgColor extends HTMLPurifier_AttrTransform {
+
+    public function transform($attr, $config, $context) {
+
+        if (!isset($attr['bgcolor'])) return $attr;
+
+        $bgcolor = $this->confiscateAttr($attr, 'bgcolor');
+        // some validation should happen here
+
+        $this->prependCSS($attr, "background-color:$bgcolor;");
+
+        return $attr;
+
+    }
+
+}
+
+// vim: et sw=4 sts=4
diff --git a/3rdparty/htmlpurifier/library/HTMLPurifier/AttrTransform/BoolToCSS.php b/3rdparty/htmlpurifier/library/HTMLPurifier/AttrTransform/BoolToCSS.php
new file mode 100644
index 000000000..d9bf3b53b
--- /dev/null
+++ b/3rdparty/htmlpurifier/library/HTMLPurifier/AttrTransform/BoolToCSS.php
@@ -0,0 +1,36 @@
+<?php
+
+/**
+ * Pre-transform that changes converts a boolean attribute to fixed CSS
+ */
+class HTMLPurifier_AttrTransform_BoolToCSS extends HTMLPurifier_AttrTransform {
+
+    /**
+     * Name of boolean attribute that is trigger
+     */
+    protected $attr;
+
+    /**
+     * CSS declarations to add to style, needs trailing semicolon
+     */
+    protected $css;
+
+    /**
+     * @param $attr string attribute name to convert from
+     * @param $css string CSS declarations to add to style (needs semicolon)
+     */
+    public function __construct($attr, $css) {
+        $this->attr = $attr;
+        $this->css  = $css;
+    }
+
+    public function transform($attr, $config, $context) {
+        if (!isset($attr[$this->attr])) return $attr;
+        unset($attr[$this->attr]);
+        $this->prependCSS($attr, $this->css);
+        return $attr;
+    }
+
+}
+
+// vim: et sw=4 sts=4
diff --git a/3rdparty/htmlpurifier/library/HTMLPurifier/AttrTransform/Border.php b/3rdparty/htmlpurifier/library/HTMLPurifier/AttrTransform/Border.php
new file mode 100644
index 000000000..b032ef2ff
--- /dev/null
+++ b/3rdparty/htmlpurifier/library/HTMLPurifier/AttrTransform/Border.php
@@ -0,0 +1,18 @@
+<?php
+
+/**
+ * Pre-transform that changes deprecated border attribute to CSS.
+ */
+class HTMLPurifier_AttrTransform_Border extends HTMLPurifier_AttrTransform {
+
+    public function transform($attr, $config, $context) {
+        if (!isset($attr['border'])) return $attr;
+        $border_width = $this->confiscateAttr($attr, 'border');
+        // some validation should happen here
+        $this->prependCSS($attr, "border:{$border_width}px solid;");
+        return $attr;
+    }
+
+}
+
+// vim: et sw=4 sts=4
diff --git a/3rdparty/htmlpurifier/library/HTMLPurifier/AttrTransform/EnumToCSS.php b/3rdparty/htmlpurifier/library/HTMLPurifier/AttrTransform/EnumToCSS.php
new file mode 100644
index 000000000..39618eb4b
--- /dev/null
+++ b/3rdparty/htmlpurifier/library/HTMLPurifier/AttrTransform/EnumToCSS.php
@@ -0,0 +1,58 @@
+<?php
+
+/**
+ * Generic pre-transform that converts an attribute with a fixed number of
+ * values (enumerated) to CSS.
+ */
+class HTMLPurifier_AttrTransform_EnumToCSS extends HTMLPurifier_AttrTransform {
+
+    /**
+     * Name of attribute to transform from
+     */
+    protected $attr;
+
+    /**
+     * Lookup array of attribute values to CSS
+     */
+    protected $enumToCSS = array();
+
+    /**
+     * Case sensitivity of the matching
+     * @warning Currently can only be guaranteed to work with ASCII
+     *          values.
+     */
+    protected $caseSensitive = false;
+
+    /**
+     * @param $attr String attribute name to transform from
+     * @param $enumToCSS Lookup array of attribute values to CSS
+     * @param $case_sensitive Boolean case sensitivity indicator, default false
+     */
+    public function __construct($attr, $enum_to_css, $case_sensitive = false) {
+        $this->attr = $attr;
+        $this->enumToCSS = $enum_to_css;
+        $this->caseSensitive = (bool) $case_sensitive;
+    }
+
+    public function transform($attr, $config, $context) {
+
+        if (!isset($attr[$this->attr])) return $attr;
+
+        $value = trim($attr[$this->attr]);
+        unset($attr[$this->attr]);
+
+        if (!$this->caseSensitive) $value = strtolower($value);
+
+        if (!isset($this->enumToCSS[$value])) {
+            return $attr;
+        }
+
+        $this->prependCSS($attr, $this->enumToCSS[$value]);
+
+        return $attr;
+
+    }
+
+}
+
+// vim: et sw=4 sts=4
diff --git a/3rdparty/htmlpurifier/library/HTMLPurifier/AttrTransform/ImgRequired.php b/3rdparty/htmlpurifier/library/HTMLPurifier/AttrTransform/ImgRequired.php
new file mode 100644
index 000000000..ca8b62343
--- /dev/null
+++ b/3rdparty/htmlpurifier/library/HTMLPurifier/AttrTransform/ImgRequired.php
@@ -0,0 +1,43 @@
+<?php
+
+// must be called POST validation
+
+/**
+ * Transform that supplies default values for the src and alt attributes
+ * in img tags, as well as prevents the img tag from being removed
+ * because of a missing alt tag. This needs to be registered as both
+ * a pre and post attribute transform.
+ */
+class HTMLPurifier_AttrTransform_ImgRequired extends HTMLPurifier_AttrTransform
+{
+
+    public function transform($attr, $config, $context) {
+
+        $src = true;
+        if (!isset($attr['src'])) {
+            if ($config->get('Core.RemoveInvalidImg')) return $attr;
+            $attr['src'] = $config->get('Attr.DefaultInvalidImage');
+            $src = false;
+        }
+
+        if (!isset($attr['alt'])) {
+            if ($src) {
+                $alt = $config->get('Attr.DefaultImageAlt');
+                if ($alt === null) {
+                    // truncate if the alt is too long
+                    $attr['alt'] = substr(basename($attr['src']),0,40);
+                } else {
+                    $attr['alt'] = $alt;
+                }
+            } else {
+                $attr['alt'] = $config->get('Attr.DefaultInvalidImageAlt');
+            }
+        }
+
+        return $attr;
+
+    }
+
+}
+
+// vim: et sw=4 sts=4
diff --git a/3rdparty/htmlpurifier/library/HTMLPurifier/AttrTransform/ImgSpace.php b/3rdparty/htmlpurifier/library/HTMLPurifier/AttrTransform/ImgSpace.php
new file mode 100644
index 000000000..25cb88753
--- /dev/null
+++ b/3rdparty/htmlpurifier/library/HTMLPurifier/AttrTransform/ImgSpace.php
@@ -0,0 +1,44 @@
+<?php
+
+/**
+ * Pre-transform that changes deprecated hspace and vspace attributes to CSS
+ */
+class HTMLPurifier_AttrTransform_ImgSpace extends HTMLPurifier_AttrTransform {
+
+    protected $attr;
+    protected $css = array(
+        'hspace' => array('left', 'right'),
+        'vspace' => array('top', 'bottom')
+    );
+
+    public function __construct($attr) {
+        $this->attr = $attr;
+        if (!isset($this->css[$attr])) {
+            trigger_error(htmlspecialchars($attr) . ' is not valid space attribute');
+        }
+    }
+
+    public function transform($attr, $config, $context) {
+
+        if (!isset($attr[$this->attr])) return $attr;
+
+        $width = $this->confiscateAttr($attr, $this->attr);
+        // some validation could happen here
+
+        if (!isset($this->css[$this->attr])) return $attr;
+
+        $style = '';
+        foreach ($this->css[$this->attr] as $suffix) {
+            $property = "margin-$suffix";
+            $style .= "$property:{$width}px;";
+        }
+
+        $this->prependCSS($attr, $style);
+
+        return $attr;
+
+    }
+
+}
+
+// vim: et sw=4 sts=4
diff --git a/3rdparty/htmlpurifier/library/HTMLPurifier/AttrTransform/Input.php b/3rdparty/htmlpurifier/library/HTMLPurifier/AttrTransform/Input.php
new file mode 100644
index 000000000..2c3b4f85b
--- /dev/null
+++ b/3rdparty/htmlpurifier/library/HTMLPurifier/AttrTransform/Input.php
@@ -0,0 +1,40 @@
+<?php
+
+/**
+ * Performs miscellaneous cross attribute validation and filtering for
+ * input elements. This is meant to be a post-transform.
+ */
+class HTMLPurifier_AttrTransform_Input extends HTMLPurifier_AttrTransform {
+
+    protected $pixels;
+
+    public function __construct() {
+        $this->pixels = new HTMLPurifier_AttrDef_HTML_Pixels();
+    }
+
+    public function transform($attr, $config, $context) {
+        if (!isset($attr['type'])) $t = 'text';
+        else $t = strtolower($attr['type']);
+        if (isset($attr['checked']) && $t !== 'radio' && $t !== 'checkbox') {
+            unset($attr['checked']);
+        }
+        if (isset($attr['maxlength']) && $t !== 'text' && $t !== 'password') {
+            unset($attr['maxlength']);
+        }
+        if (isset($attr['size']) && $t !== 'text' && $t !== 'password') {
+            $result = $this->pixels->validate($attr['size'], $config, $context);
+            if ($result === false) unset($attr['size']);
+            else $attr['size'] = $result;
+        }
+        if (isset($attr['src']) && $t !== 'image') {
+            unset($attr['src']);
+        }
+        if (!isset($attr['value']) && ($t === 'radio' || $t === 'checkbox')) {
+            $attr['value'] = '';
+        }
+        return $attr;
+    }
+
+}
+
+// vim: et sw=4 sts=4
diff --git a/3rdparty/htmlpurifier/library/HTMLPurifier/AttrTransform/Lang.php b/3rdparty/htmlpurifier/library/HTMLPurifier/AttrTransform/Lang.php
new file mode 100644
index 000000000..8d4839347
--- /dev/null
+++ b/3rdparty/htmlpurifier/library/HTMLPurifier/AttrTransform/Lang.php
@@ -0,0 +1,28 @@
+<?php
+
+/**
+ * Post-transform that copies lang's value to xml:lang (and vice-versa)
+ * @note Theoretically speaking, this could be a pre-transform, but putting
+ *       post is more efficient.
+ */
+class HTMLPurifier_AttrTransform_Lang extends HTMLPurifier_AttrTransform
+{
+
+    public function transform($attr, $config, $context) {
+
+        $lang     = isset($attr['lang']) ? $attr['lang'] : false;
+        $xml_lang = isset($attr['xml:lang']) ? $attr['xml:lang'] : false;
+
+        if ($lang !== false && $xml_lang === false) {
+            $attr['xml:lang'] = $lang;
+        } elseif ($xml_lang !== false) {
+            $attr['lang'] = $xml_lang;
+        }
+
+        return $attr;
+
+    }
+
+}
+
+// vim: et sw=4 sts=4
diff --git a/3rdparty/htmlpurifier/library/HTMLPurifier/AttrTransform/Length.php b/3rdparty/htmlpurifier/library/HTMLPurifier/AttrTransform/Length.php
new file mode 100644
index 000000000..ed2643a20
--- /dev/null
+++ b/3rdparty/htmlpurifier/library/HTMLPurifier/AttrTransform/Length.php
@@ -0,0 +1,27 @@
+<?php
+
+/**
+ * Class for handling width/height length attribute transformations to CSS
+ */
+class HTMLPurifier_AttrTransform_Length extends HTMLPurifier_AttrTransform
+{
+
+    protected $name;
+    protected $cssName;
+
+    public function __construct($name, $css_name = null) {
+        $this->name = $name;
+        $this->cssName = $css_name ? $css_name : $name;
+    }
+
+    public function transform($attr, $config, $context) {
+        if (!isset($attr[$this->name])) return $attr;
+        $length = $this->confiscateAttr($attr, $this->name);
+        if(ctype_digit($length)) $length .= 'px';
+        $this->prependCSS($attr, $this->cssName . ":$length;");
+        return $attr;
+    }
+
+}
+
+// vim: et sw=4 sts=4
diff --git a/3rdparty/htmlpurifier/library/HTMLPurifier/AttrTransform/Name.php b/3rdparty/htmlpurifier/library/HTMLPurifier/AttrTransform/Name.php
new file mode 100644
index 000000000..dda70eac3
--- /dev/null
+++ b/3rdparty/htmlpurifier/library/HTMLPurifier/AttrTransform/Name.php
@@ -0,0 +1,21 @@
+<?php
+
+/**
+ * Pre-transform that changes deprecated name attribute to ID if necessary
+ */
+class HTMLPurifier_AttrTransform_Name extends HTMLPurifier_AttrTransform
+{
+
+    public function transform($attr, $config, $context) {
+        // Abort early if we're using relaxed definition of name
+        if ($config->get('HTML.Attr.Name.UseCDATA')) return $attr;
+        if (!isset($attr['name'])) return $attr;
+        $id = $this->confiscateAttr($attr, 'name');
+        if ( isset($attr['id']))   return $attr;
+        $attr['id'] = $id;
+        return $attr;
+    }
+
+}
+
+// vim: et sw=4 sts=4
diff --git a/3rdparty/htmlpurifier/library/HTMLPurifier/AttrTransform/NameSync.php b/3rdparty/htmlpurifier/library/HTMLPurifier/AttrTransform/NameSync.php
new file mode 100644
index 000000000..68fae8ce6
--- /dev/null
+++ b/3rdparty/htmlpurifier/library/HTMLPurifier/AttrTransform/NameSync.php
@@ -0,0 +1,27 @@
+<?php
+
+/**
+ * Post-transform that performs validation to the name attribute; if
+ * it is present with an equivalent id attribute, it is passed through;
+ * otherwise validation is performed.
+ */
+class HTMLPurifier_AttrTransform_NameSync extends HTMLPurifier_AttrTransform
+{
+
+    public function __construct() {
+        $this->idDef = new HTMLPurifier_AttrDef_HTML_ID();
+    }
+
+    public function transform($attr, $config, $context) {
+        if (!isset($attr['name'])) return $attr;
+        $name = $attr['name'];
+        if (isset($attr['id']) && $attr['id'] === $name) return $attr;
+        $result = $this->idDef->validate($name, $config, $context);
+        if ($result === false) unset($attr['name']);
+        else $attr['name'] = $result;
+        return $attr;
+    }
+
+}
+
+// vim: et sw=4 sts=4
diff --git a/3rdparty/htmlpurifier/library/HTMLPurifier/AttrTransform/Nofollow.php b/3rdparty/htmlpurifier/library/HTMLPurifier/AttrTransform/Nofollow.php
new file mode 100644
index 000000000..b0dc5e125
--- /dev/null
+++ b/3rdparty/htmlpurifier/library/HTMLPurifier/AttrTransform/Nofollow.php
@@ -0,0 +1,45 @@
+<?php
+
+// must be called POST validation
+
+/**
+ * Adds rel="nofollow" to all outbound links.  This transform is
+ * only attached if Attr.Nofollow is TRUE.
+ */
+class HTMLPurifier_AttrTransform_Nofollow extends HTMLPurifier_AttrTransform
+{
+    private $parser;
+
+    public function __construct() {
+        $this->parser = new HTMLPurifier_URIParser();
+    }
+
+    public function transform($attr, $config, $context) {
+
+        if (!isset($attr['href'])) {
+            return $attr;
+        }
+
+        // XXX Kind of inefficient
+        $url = $this->parser->parse($attr['href']);
+        $scheme = $url->getSchemeObj($config, $context);
+
+        if ($scheme->browsable && !$url->isLocal($config, $context)) {
+            if (isset($attr['rel'])) {
+                $rels = explode(' ', $attr['rel']);
+                if (!in_array('nofollow', $rels)) {
+                    $rels[] = 'nofollow';
+                }
+                $attr['rel'] = implode(' ', $rels);
+            } else {
+                $attr['rel'] = 'nofollow';
+            }
+        }
+
+        return $attr;
+
+    }
+
+}
+
+// vim: et sw=4 sts=4
diff --git a/3rdparty/htmlpurifier/library/HTMLPurifier/AttrTransform/SafeEmbed.php b/3rdparty/htmlpurifier/library/HTMLPurifier/AttrTransform/SafeEmbed.php
new file mode 100644
index 000000000..1017e6bca
--- /dev/null
+++ b/3rdparty/htmlpurifier/library/HTMLPurifier/AttrTransform/SafeEmbed.php
@@ -0,0 +1,15 @@
+<?php
+
+class HTMLPurifier_AttrTransform_SafeEmbed extends HTMLPurifier_AttrTransform
+{
+    public $name = "SafeEmbed";
+
+    public function transform($attr, $config, $context) {
+        $attr['allowscriptaccess'] = 'never';
+        $attr['allownetworking'] = 'internal';
+        $attr['type'] = 'application/x-shockwave-flash';
+        return $attr;
+    }
+}
+
+// vim: et sw=4 sts=4
diff --git a/3rdparty/htmlpurifier/library/HTMLPurifier/AttrTransform/SafeObject.php b/3rdparty/htmlpurifier/library/HTMLPurifier/AttrTransform/SafeObject.php
new file mode 100644
index 000000000..e909f1627
--- /dev/null
+++ b/3rdparty/htmlpurifier/library/HTMLPurifier/AttrTransform/SafeObject.php
@@ -0,0 +1,16 @@
+<?php
+
+/**
+ * Writes default type for all objects. Currently only supports flash.
+ */
+class HTMLPurifier_AttrTransform_SafeObject extends HTMLPurifier_AttrTransform
+{
+    public $name = "SafeObject";
+
+    function transform($attr, $config, $context) {
+        if (!isset($attr['type'])) $attr['type'] = 'application/x-shockwave-flash';
+        return $attr;
+    }
+}
+
+// vim: et sw=4 sts=4
diff --git a/3rdparty/htmlpurifier/library/HTMLPurifier/AttrTransform/SafeParam.php b/3rdparty/htmlpurifier/library/HTMLPurifier/AttrTransform/SafeParam.php
new file mode 100644
index 000000000..21ac90b80
--- /dev/null
+++ b/3rdparty/htmlpurifier/library/HTMLPurifier/AttrTransform/SafeParam.php
@@ -0,0 +1,64 @@
+<?php
+
+/**
+ * Validates name/value pairs in param tags to be used in safe objects. This
+ * will only allow name values it recognizes, and pre-fill certain attributes
+ * with required values.
+ *
+ * @note
+ *      This class only supports Flash. In the future, Quicktime support
+ *      may be added.
+ *
+ * @warning
+ *      This class expects an injector to add the necessary parameters tags.
+ */
+class HTMLPurifier_AttrTransform_SafeParam extends HTMLPurifier_AttrTransform
+{
+    public $name = "SafeParam";
+    private $uri;
+
+    public function __construct() {
+        $this->uri = new HTMLPurifier_AttrDef_URI(true); // embedded
+        $this->wmode = new HTMLPurifier_AttrDef_Enum(array('window', 'opaque', 'transparent'));
+    }
+
+    public function transform($attr, $config, $context) {
+        // If we add support for other objects, we'll need to alter the
+        // transforms.
+        switch ($attr['name']) {
+            // application/x-shockwave-flash
+            // Keep this synchronized with Injector/SafeObject.php
+            case 'allowScriptAccess':
+                $attr['value'] = 'never';
+                break;
+            case 'allowNetworking':
+                $attr['value'] = 'internal';
+                break;
+            case 'allowFullScreen':
+                if ($config->get('HTML.FlashAllowFullScreen')) {
+                    $attr['value'] = ($attr['value'] == 'true') ? 'true' : 'false';
+                } else {
+                    $attr['value'] = 'false';
+                }
+                break;
+            case 'wmode':
+                $attr['value'] = $this->wmode->validate($attr['value'], $config, $context);
+                break;
+            case 'movie':
+            case 'src':
+                $attr['name'] = "movie";
+                $attr['value'] = $this->uri->validate($attr['value'], $config, $context);
+                break;
+            case 'flashvars':
+                // we're going to allow arbitrary inputs to the SWF, on
+                // the reasoning that it could only hack the SWF, not us.
+                break;
+            // add other cases to support other param name/value pairs
+            default:
+                $attr['name'] = $attr['value'] = null;
+        }
+        return $attr;
+    }
+}
+
+// vim: et sw=4 sts=4
diff --git a/3rdparty/htmlpurifier/library/HTMLPurifier/AttrTransform/ScriptRequired.php b/3rdparty/htmlpurifier/library/HTMLPurifier/AttrTransform/ScriptRequired.php
new file mode 100644
index 000000000..7dfd2e8c2
--- /dev/null
+++ b/3rdparty/htmlpurifier/library/HTMLPurifier/AttrTransform/ScriptRequired.php
@@ -0,0 +1,16 @@
+<?php
+
+/**
+ * Implements required attribute stipulation for <script>
+ */
+class HTMLPurifier_AttrTransform_ScriptRequired extends HTMLPurifier_AttrTransform
+{
+    public function transform($attr, $config, $context) {
+        if (!isset($attr['type'])) {
+            $attr['type'] = 'text/javascript';
+        }
+        return $attr;
+    }
+}
+
+// vim: et sw=4 sts=4
diff --git a/3rdparty/htmlpurifier/library/HTMLPurifier/AttrTransform/TargetBlank.php b/3rdparty/htmlpurifier/library/HTMLPurifier/AttrTransform/TargetBlank.php
new file mode 100644
index 000000000..fbef7ffc9
--- /dev/null
+++ b/3rdparty/htmlpurifier/library/HTMLPurifier/AttrTransform/TargetBlank.php
@@ -0,0 +1,38 @@
+<?php
+
+// must be called POST validation
+
+/**
+ * Adds target="blank" to all outbound links.  This transform is
+ * only attached if Attr.TargetBlank is TRUE.  This works regardless
+ * of whether or not Attr.AllowedFrameTargets
+ */
+class HTMLPurifier_AttrTransform_TargetBlank extends HTMLPurifier_AttrTransform
+{
+    private $parser;
+
+    public function __construct() {
+        $this->parser = new HTMLPurifier_URIParser();
+    }
+
+    public function transform($attr, $config, $context) {
+
+        if (!isset($attr['href'])) {
+            return $attr;
+        }
+
+        // XXX Kind of inefficient
+        $url = $this->parser->parse($attr['href']);
+        $scheme = $url->getSchemeObj($config, $context);
+
+        if ($scheme->browsable && !$url->isBenign($config, $context)) {
+            $attr['target'] = '_blank';
+        }
+
+        return $attr;
+
+    }
+
+}
+
+// vim: et sw=4 sts=4
diff --git a/3rdparty/htmlpurifier/library/HTMLPurifier/AttrTransform/Textarea.php b/3rdparty/htmlpurifier/library/HTMLPurifier/AttrTransform/Textarea.php
new file mode 100644
index 000000000..83749e9c6
--- /dev/null
+++ b/3rdparty/htmlpurifier/library/HTMLPurifier/AttrTransform/Textarea.php
@@ -0,0 +1,18 @@
+<?php
+
+/**
+ * Sets height/width defaults for <textarea>
+ */
+class HTMLPurifier_AttrTransform_Textarea extends HTMLPurifier_AttrTransform
+{
+
+    public function transform($attr, $config, $context) {
+        // Calculated from Firefox
+        if (!isset($attr['cols'])) $attr['cols'] = '22';
+        if (!isset($attr['rows'])) $attr['rows'] = '3';
+        return $attr;
+    }
+
+}
+
+// vim: et sw=4 sts=4
-- 
cgit v1.2.3