HTMLPurifier update

약간 커스텀 된 부분 모두 반영.
File lock 부분과 htmlspecialchars 부분.

classes/security/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/AutoFormat.RemoveEmpty.Predicate.txt

@@ -0,0 +1,14 @@
+AutoFormat.RemoveEmpty.Predicate
+TYPE: hash
+VERSION: 4.7.0
+DEFAULT: array('colgroup' => array(), 'th' => array(), 'td' => array(), 'iframe' => array('src'))
+--DESCRIPTION--
+<p>
+  Given that an element has no contents, it will be removed by default, unless
+  this predicate dictates otherwise.  The predicate can either be an associative
+  map from tag name to list of attributes that must be present for the element
+  to be considered preserved: thus, the default always preserves <code>colgroup</code>,
+  <code>th</code> and <code>td</code>, and also <code>iframe</code> if it
+  has a <code>src</code>.
+</p>
+--# vim: et sw=4 sts=4

classes/security/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Core.AllowHostnameUnderscore.txt

@@ -0,0 +1,16 @@
+Core.AllowHostnameUnderscore
+TYPE: bool
+VERSION: 4.6.0
+DEFAULT: false
+--DESCRIPTION--
+<p>
+    By RFC 1123, underscores are not permitted in host names.
+    (This is in contrast to the specification for DNS, RFC
+    2181, which allows underscores.)
+    However, most browsers do the right thing when faced with
+    an underscore in the host name, and so some poorly written
+    websites are written with the expectation this should work.
+    Setting this parameter to true relaxes our allowed character
+    check so that underscores are permitted.
+</p>
+--# vim: et sw=4 sts=4

classes/security/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Core.DisableExcludes.txt

@@ -0,0 +1,14 @@
+Core.DisableExcludes
+TYPE: bool
+DEFAULT: false
+VERSION: 4.5.0
+--DESCRIPTION--
+<p>
+  This directive disables SGML-style exclusions, e.g. the exclusion of
+  <code>&lt;object&gt;</code> in any descendant of a
+  <code>&lt;pre&gt;</code> tag.  Disabling excludes will allow some
+  invalid documents to pass through HTML Purifier, but HTML Purifier
+  will also be less likely to accidentally remove large documents during
+  processing.
+</p>
+--# vim: et sw=4 sts=4

classes/security/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Core.EscapeInvalidChildren.txt

@@ -2,9 +2,11 @@ Core.EscapeInvalidChildren
 TYPE: bool
 DEFAULT: false
 --DESCRIPTION--
-When true, a child is found that is not allowed in the context of the
+<p><strong>Warning:</strong> this configuration option is no longer does anything as of 4.6.0.</p>
+
+<p>When true, a child is found that is not allowed in the context of the
 parent element will be transformed into text as if it were ASCII. When
 false, that element and all internal tags will be dropped, though text will
 be preserved.  There is no option for dropping the element but preserving
-child nodes.
+child nodes.</p>
 --# vim: et sw=4 sts=4

classes/security/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/HTML.CustomDoctype.txt

@@ -4,6 +4,6 @@ VERSION: 2.0.1
 DEFAULT: NULL
 --DESCRIPTION--
 
-A custom doctype for power-users who defined there own document
+A custom doctype for power-users who defined their own document
 type. This directive only applies when %HTML.Doctype is blank.
 --# vim: et sw=4 sts=4

classes/security/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/HTML.SafeScripting.txt

@@ -0,0 +1,10 @@
+HTML.SafeScripting
+TYPE: lookup
+VERSION: 4.5.0
+DEFAULT: array()
+--DESCRIPTION--
+<p>
+    Whether or not to permit script tags to external scripts in documents.
+    Inline scripting is not allowed, and the script must match an explicit whitelist.
+</p>
+--# vim: et sw=4 sts=4

classes/security/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/URI.MungeSecretKey.txt

@@ -11,7 +11,7 @@ DEFAULT: NULL
     to check if a URI has passed through HTML Purifier with this line:
 </p>
 
-<pre>$checksum === sha1($secret_key . ':' . $url)</pre>
+<pre>$checksum === hash_hmac("sha256", $url, $secret_key)</pre>
 
 <p>
     If the output is TRUE, the redirector script should accept the URI.