[geeklog-hg] geeklog: Merged with upstream
geeklog-cvs at lists.geeklog.net
geeklog-cvs at lists.geeklog.net
Sat Sep 7 12:03:51 EDT 2013
changeset 9284:a07ed702fddf
url: http://project.geeklog.net/cgi-bin/hgwebdir.cgi/geeklog/rev/a07ed702fddf
user: Tom <websitemaster at cogeco.net>
date: Sat Sep 07 12:02:59 2013 -0400
description:
Merged with upstream
diffstat:
public_html/editors/fckeditor/editor/filemanager/connectors/php/config.php | 2 +-
system/classes/htmlawed/htmLawed.php | 20 +++++-----
system/classes/htmlawed/htmLawed_README.txt | 12 ++++--
3 files changed, 19 insertions(+), 15 deletions(-)
diffs (127 lines):
diff -r 740c7476b1be -r a07ed702fddf public_html/editors/fckeditor/editor/filemanager/connectors/php/config.php
--- a/public_html/editors/fckeditor/editor/filemanager/connectors/php/config.php Sat Sep 07 10:41:22 2013 -0400
+++ b/public_html/editors/fckeditor/editor/filemanager/connectors/php/config.php Sat Sep 07 12:02:59 2013 -0400
@@ -26,7 +26,7 @@
die('This file can not be used on its own!');
}
-include '../../../../../lib-common.php';
+include '../../../../../../lib-common.php';
global $Config ;
// SECURITY: You must explicitly enable this "connector". (Set it to "true").
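Review bot: The corrected `include '../../../../../../lib-common.php';` is still resolved against the current working directory and loaded with `include`, so a wrong directory only raises a warning and the connector keeps running without the Geeklog bootstrap. The `../` depth had to be fixed in this very commit, which shows how fragile the hand-counted chain is. I would anchor the path to the file and fail hard: `require_once dirname(__FILE__) . '/../../../../../../lib-common.php';`. Six levels up from config.php's own directory matches the path in the diffstat, but confirm this against the deployed layout. The rest of the file lies outside the hunk, so it is not visible whether the connector's access checks depend on lib-common.php; if they do, a silent include failure is a security problem and not just a functional one.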
diff -r 740c7476b1be -r a07ed702fddf system/classes/htmlawed/htmLawed.php
--- a/system/classes/htmlawed/htmLawed.php Sat Sep 07 10:41:22 2013 -0400
+++ b/system/classes/htmlawed/htmLawed.php Sat Sep 07 12:02:59 2013 -0400
@@ -1,7 +1,7 @@
<?php
/*
-htmLawed 1.1.14, 8 August 2012
+htmLawed 1.1.16, 29 August 2013
Copyright Santosh Patnaik
Dual licensed with LGPL 3 and GPL 2+
A PHP Labware internal utility; www.bioinformatics.org/phplabware/internal_utilities/htmLawed
@@ -336,7 +336,7 @@
static $d = 'denied:';
if(isset($c['!']) && substr($p, 0, 7) != $d){$p = "$d$p";}
if(isset($c['*']) or !strcspn($p, '#?;') or (substr($p, 0, 7) == $d)){return "{$b}{$p}{$a}";} // All ok, frag, query, param
-if(preg_match('`^([a-z\d\-+.&#; ]+?)(:|&#(58|x3a);|%3a|\\\\0{0,4}3a).`i', $p, $m) && !isset($c[strtolower($m[1])])){ // Denied prot
+if(preg_match('`^([^:?[@!$()*,=/\'\]]+?)(:|&#(58|x3a);|%3a|\\\\0{0,4}3a).`i', $p, $m) && !isset($c[strtolower($m[1])])){ // Denied prot
return "{$b}{$d}{$p}{$a}";
}
if($C['abs_url']){
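Review bot: The rewritten `preg_match` line is documented only by `// Denied prot`, so nothing records that the scheme capture changed from a fixed set of permitted characters to a negated class. As far as the hunk shows, under the old class `[a-z\d\-+.&#; ]` any other character in front of the colon made the match fail and the value bypassed the denial branch. The new class captures everything up to the first literal or encoded colon, so the `$c[strtolower($m[1])]` lookup rejects any scheme that is not listed. I would add a comment above the line, for example `// Scheme = all text before the first ':' (literal, entity, %3a or backslash-escaped); negated class so an unexpected character cannot bypass the allowed-scheme lookup`. This is upstream htmLawed code, so the comment is best proposed upstream or kept as a local annotation. The enclosing function starts and ends outside the hunk.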
@@ -644,7 +644,7 @@
function hl_tidy($t, $w, $p){
// Tidy/compact HTM
if(strpos(' pre,script,textarea', "$p,")){return $t;}
-$t = str_replace(' </', '</', preg_replace(array('`(<\w[^>]*(?<!/)>)\s+`', '`\s+`', '`(<\w[^>]*(?<!/)>) `'), array(' $1', ' ', '$1'), preg_replace_callback(array('`(<(!\[CDATA\[))(.+?)(\]\]>)`sm', '`(<(!--))(.+?)(-->)`sm', '`(<(pre|script|textarea)[^>]*?>)(.+?)(</\2>)`sm'), create_function('$m', 'return $m[1]. str_replace(array("<", ">", "\n", "\r", "\t", " "), array("\x01", "\x02", "\x03", "\x04", "\x05", "\x07"), $m[3]). $m[4];'), $t)));
+$t = preg_replace('`\s+`', ' ', preg_replace_callback(array('`(<(!\[CDATA\[))(.+?)(\]\]>)`sm', '`(<(!--))(.+?)(-->)`sm', '`(<(pre|script|textarea)[^>]*?>)(.+?)(</\2>)`sm'), create_function('$m', 'return $m[1]. str_replace(array("<", ">", "\n", "\r", "\t", " "), array("\x01", "\x02", "\x03", "\x04", "\x05", "\x07"), $m[3]). $m[4];'), $t));
if(($w = strtolower($w)) == -1){
return str_replace(array("\x01", "\x02", "\x03", "\x04", "\x05", "\x07"), array('<', '>', "\n", "\r", "\t", ' '), $t);
}
@@ -652,7 +652,7 @@
$s = preg_match('`\d`', $w, $m) ? str_repeat($s, $m[0]) : str_repeat($s, ($s == "\t" ? 1 : 2));
$N = preg_match('`[ts]([1-9])`', $w, $m) ? $m[1] : 0;
$a = array('br'=>1);
-$b = array('button'=>1, 'input'=>1, 'option'=>1);
+$b = array('button'=>1, 'input'=>1, 'option'=>1, 'param'=>1);
$c = array('caption'=>1, 'dd'=>1, 'dt'=>1, 'h1'=>1, 'h2'=>1, 'h3'=>1, 'h4'=>1, 'h5'=>1, 'h6'=>1, 'isindex'=>1, 'label'=>1, 'legend'=>1, 'li'=>1, 'object'=>1, 'p'=>1, 'pre'=>1, 'td'=>1, 'textarea'=>1, 'th'=>1);
$d = array('address'=>1, 'blockquote'=>1, 'center'=>1, 'colgroup'=>1, 'dir'=>1, 'div'=>1, 'dl'=>1, 'fieldset'=>1, 'form'=>1, 'hr'=>1, 'iframe'=>1, 'map'=>1, 'menu'=>1, 'noscript'=>1, 'ol'=>1, 'optgroup'=>1, 'rbc'=>1, 'rtc'=>1, 'ruby'=>1, 'script'=>1, 'select'=>1, 'table'=>1, 'tbody'=>1, 'tfoot'=>1, 'thead'=>1, 'tr'=>1, 'ul'=>1);
$T = explode('<', $t);
@@ -674,20 +674,20 @@
else{++$N; ob_end_clean(); continue 2;}
}
else{echo "\n", str_repeat($s, $n), "$e\n", str_repeat($s, ($x != 1 ? ++$n : $n));}
- echo ltrim($r); continue;
+ echo $r; continue;
}
$f = "\n". str_repeat($s, $n);
if(isset($c[$y])){
- if(!$x){echo $e, $f, ltrim($r);}
+ if(!$x){echo $e, $f, $r;}
else{echo $f, $e, $r;}
}elseif(isset($b[$y])){echo $f, $e, $r;
- }elseif(isset($a[$y])){echo $e, $f, ltrim($r);
- }elseif(!$y){echo $f, $e, $f, ltrim($r);
+ }elseif(isset($a[$y])){echo $e, $f, $r;
+ }elseif(!$y){echo $f, $e, $f, $r;
}else{echo $e, $r;}
}
$X = 0;
}
-$t = preg_replace('`[\n]\s*?[\n]+`', "\n", ob_get_contents());
+$t = str_replace(array("\n ", " \n"), "\n", preg_replace('`[\n]\s*?[\n]+`', "\n", ob_get_contents()));
ob_end_clean();
if(($l = strpos(" $w", 'r') ? (strpos(" $w", 'n') ? "\r\n" : "\r") : 0)){
$t = str_replace("\n", $l, $t);
@@ -698,7 +698,7 @@
function hl_version(){
// rel
-return '1.1.14';
+return '1.1.16';
// eof
}
diff -r 740c7476b1be -r a07ed702fddf system/classes/htmlawed/htmLawed_README.txt
--- a/system/classes/htmlawed/htmLawed_README.txt Sat Sep 07 10:41:22 2013 -0400
+++ b/system/classes/htmlawed/htmLawed_README.txt Sat Sep 07 12:02:59 2013 -0400
@@ -1,6 +1,6 @@
/*
-htmLawed_README.txt, 17 September 2012
-htmLawed 1.1.14, 8 August 2012
+htmLawed_README.txt, 29 August 2013
+htmLawed 1.1.16, 29 August 2013
Copyright Santosh Patnaik
Dual licensed with LGPL 3 and GPL 2+
A PHP Labware internal utility - http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed
@@ -744,7 +744,7 @@
The character values are replaced with entities/characters and not character values referred to by the entities/characters to keep this task independent of the character-encoding of input text.
- The '$config["clean_ms_char"]' parameter should not be used if authors do not copy-paste Microsoft-created text, or if the input text is not believed to use the 'Windows 1252' ('Cp-1252') or a similar encoding like 'Cp-1251'. Further, the input form and the web-pages displaying it or its content should have the character encoding appropriately marked-up.
+ The '$config["clean_ms_char"]' parameter should not be used if authors do not copy-paste Microsoft-created text, or if the input text is not believed to use the 'Windows 1252' ('Cp-1252') or a similar encoding like 'Cp-1251' (otherwise, for example when UTF-8 encoding is in use, Japanese or Korean characters can get mangled). Further, the input form and the web-pages displaying it or its content should have the character encoding appropriately marked-up.
-- 3.2 Character references/entities ------------------------------o
@@ -1344,6 +1344,10 @@
`Version number - Release date. Notes`
+ 1.1.16 - 29 August 2013. Fix for a potential security vulnerability arising from specialy encoded space characters in URL schemes/protocols
+
+ 1.1.15 - 11 August 2013. Improved tidying/prettifying functionality
+
1.1.14 - 8 August 2012. Fix for possible segmental loss of incremental indentation during 'tidying' when 'balance' is disabled; fix for non-effectuation under some circumstances of a corrective behavior to preserve plain text within elements like 'blockquote'.
1.1.13 - 22 July 2012. Added feature allowing use of custom, non-standard attributes or custom rules for standard attributes
@@ -1462,7 +1466,7 @@
-- 4.10 Acknowledgements ------------------------------------------o
- Nicholas Alipaz, Bryan Blakey, Pádraic Brady, Ulf Harnhammer, Gareth Heyes, Klaus Leithoff, Lukasz Pilorz, Shelley Powers, Edward Yang, and many anonymous users.
+ Nicholas Alipaz, Bryan Blakey, Pádraic Brady, Dac Chartrand, Ulf Harnhammer, Gareth Heyes, Klaus Leithoff, Lukasz Pilorz, Shelley Powers, Harro Verton, Edward Yang, and many anonymous users.
Thank you!