PHP 5.4 이상부터 의미가 없어진 변수 입력 제거

* [매뉴얼](https://secure.php.net/en/htmlspecialchars)에서 기본값이 되었다고 설명함.
* 빼먹은 `LOCK_EX` 다시 추가.

classes/security/htmlpurifier/library/HTMLPurifier/AttrTransform/ImgSpace.php

@@ -25,7 +25,7 @@ class HTMLPurifier_AttrTransform_ImgSpace extends HTMLPurifier_AttrTransform
     {
         $this->attr = $attr;
         if (!isset($this->css[$attr])) {
-            trigger_error(htmlspecialchars($attr, ENT_COMPAT | ENT_HTML401, 'UTF-8', false) . ' is not valid space attribute');
+            trigger_error(htmlspecialchars($attr) . ' is not valid space attribute');
         }
     }
 

classes/security/htmlpurifier/library/HTMLPurifier/CSSDefinition.php

@@ -455,7 +455,7 @@ class HTMLPurifier_CSSDefinition extends HTMLPurifier_Definition
             // emit errors
             foreach ($allowed_properties as $name => $d) {
                 // :TODO: Is this htmlspecialchars() call really necessary?
-                $name = htmlspecialchars($name, ENT_COMPAT | ENT_HTML401, 'UTF-8', false);
+                $name = htmlspecialchars($name);
                 trigger_error("Style attribute '$name' is not supported $support", E_USER_WARNING);
             }
         }

classes/security/htmlpurifier/library/HTMLPurifier/Config.php

@@ -181,7 +181,7 @@ class HTMLPurifier_Config
         if (!isset($this->def->info[$key])) {
             // can't add % due to SimpleTest bug
             $this->triggerError(
-                'Cannot retrieve value of undefined directive ' . htmlspecialchars($key, ENT_COMPAT | ENT_HTML401, 'UTF-8', false),
+                'Cannot retrieve value of undefined directive ' . htmlspecialchars($key),
                 E_USER_WARNING
             );
             return;
@@ -226,7 +226,7 @@ class HTMLPurifier_Config
         if (!isset($full[$namespace])) {
             $this->triggerError(
                 'Cannot retrieve undefined namespace ' .
-                htmlspecialchars($namespace, ENT_COMPAT | ENT_HTML401, 'UTF-8', false),
+                htmlspecialchars($namespace),
                 E_USER_WARNING
             );
             return;
@@ -309,7 +309,7 @@ class HTMLPurifier_Config
         }
         if (!isset($this->def->info[$key])) {
             $this->triggerError(
-                'Cannot set undefined directive ' . htmlspecialchars($key, ENT_COMPAT | ENT_HTML401, 'UTF-8', false) . ' to value',
+                'Cannot set undefined directive ' . htmlspecialchars($key) . ' to value',
                 E_USER_WARNING
             );
             return;

classes/security/htmlpurifier/library/HTMLPurifier/DefinitionCache/Serializer.php

@@ -182,7 +182,7 @@ class HTMLPurifier_DefinitionCache_Serializer extends HTMLPurifier_DefinitionCac
      */
     private function _write($file, $data, $config)
     {
-        $result = file_put_contents($file, $data);
+        $result = file_put_contents($file, $data, LOCK_EX);
         if ($result !== false) {
             // set permissions of the new file (no execute)
             $chmod = $config->get('Cache.SerializerPermissions');

classes/security/htmlpurifier/library/HTMLPurifier/DoctypeRegistry.php

@@ -86,7 +86,7 @@ class HTMLPurifier_DoctypeRegistry
             $doctype = $this->aliases[$doctype];
         }
         if (!isset($this->doctypes[$doctype])) {
-            trigger_error('Doctype ' . htmlspecialchars($doctype, ENT_COMPAT | ENT_HTML401, 'UTF-8', false) . ' does not exist', E_USER_ERROR);
+            trigger_error('Doctype ' . htmlspecialchars($doctype) . ' does not exist', E_USER_ERROR);
             $anon = new HTMLPurifier_Doctype($doctype);
             return $anon;
         }

classes/security/htmlpurifier/library/HTMLPurifier/Generator.php

@@ -279,7 +279,7 @@ class HTMLPurifier_Generator
         if ($quote === null) {
             $quote = ENT_COMPAT;
         }
-        return htmlspecialchars($string, $quote, 'UTF-8', false);
+        return htmlspecialchars($string, $quote, 'UTF-8');
     }
 }
 

classes/security/htmlpurifier/library/HTMLPurifier/HTMLDefinition.php

@@ -307,7 +307,7 @@ class HTMLPurifier_HTMLDefinition extends HTMLPurifier_Definition
             }
             // emit errors
             foreach ($allowed_elements as $element => $d) {
-                $element = htmlspecialchars($element, ENT_COMPAT | ENT_HTML401, 'UTF-8', false); // PHP doesn't escape errors, be careful!
+                $element = htmlspecialchars($element); // PHP doesn't escape errors, be careful!
                 trigger_error("Element '$element' is not supported $support", E_USER_WARNING);
             }
         }
@@ -366,8 +366,8 @@ class HTMLPurifier_HTMLDefinition extends HTMLPurifier_Definition
                 switch ($c) {
                     case 2:
                         if ($bits[0] !== '*') {
-                            $element = htmlspecialchars($bits[0], ENT_COMPAT | ENT_HTML401, 'UTF-8', false);
-                            $attribute = htmlspecialchars($bits[1], ENT_COMPAT | ENT_HTML401, 'UTF-8', false);
+                            $element = htmlspecialchars($bits[0]);
+                            $attribute = htmlspecialchars($bits[1]);
                             if (!isset($this->info[$element])) {
                                 trigger_error(
                                     "Cannot allow attribute '$attribute' if element " .
@@ -383,7 +383,7 @@ class HTMLPurifier_HTMLDefinition extends HTMLPurifier_Definition
                         }
                         // otherwise fall through
                     case 1:
-                        $attribute = htmlspecialchars($bits[0], ENT_COMPAT | ENT_HTML401, 'UTF-8', false);
+                        $attribute = htmlspecialchars($bits[0]);
                         trigger_error(
                             "Global attribute '$attribute' is not ".
                             "supported in any elements $support",

classes/security/htmlpurifier/library/HTMLPurifier/Lexer.php

@@ -125,7 +125,7 @@ class HTMLPurifier_Lexer
                 default:
                     throw new HTMLPurifier_Exception(
                         "Cannot instantiate unrecognized Lexer type " .
-                        htmlspecialchars($lexer, ENT_COMPAT | ENT_HTML401, 'UTF-8', false)
+                        htmlspecialchars($lexer)
                     );
             }
         }
@@ -279,7 +279,7 @@ class HTMLPurifier_Lexer
     protected static function CDATACallback($matches)
     {
         // not exactly sure why the character set is needed, but whatever
-        return htmlspecialchars($matches[1], ENT_COMPAT, 'UTF-8', false);
+        return htmlspecialchars($matches[1], ENT_COMPAT, 'UTF-8');
     }
 
     /**

classes/security/htmlpurifier/library/HTMLPurifier/Lexer/DirectLex.php

@@ -30,7 +30,7 @@ class HTMLPurifier_Lexer_DirectLex extends HTMLPurifier_Lexer
      */
     protected function scriptCallback($matches)
     {
-        return $matches[1] . htmlspecialchars($matches[2], ENT_COMPAT, 'UTF-8', false) . $matches[3];
+        return $matches[1] . htmlspecialchars($matches[2], ENT_COMPAT, 'UTF-8') . $matches[3];
     }
 
     /**

classes/security/htmlpurifier/library/HTMLPurifier/Printer.php

@@ -131,7 +131,7 @@ class HTMLPurifier_Printer
     protected function escape($string)
     {
         $string = HTMLPurifier_Encoder::cleanUTF8($string);
-        $string = htmlspecialchars($string, ENT_COMPAT, 'UTF-8', false);
+        $string = htmlspecialchars($string, ENT_COMPAT, 'UTF-8');
         return $string;
     }