diff --git a/phpgwapi/inc/htmlpurifier/INSTALL b/phpgwapi/inc/htmlpurifier/INSTALL
new file mode 100755
index 0000000000..e64ccb0b7d
--- /dev/null
+++ b/phpgwapi/inc/htmlpurifier/INSTALL
@@ -0,0 +1,374 @@
+
+Install
+ How to install HTML Purifier
+
+HTML Purifier is designed to run out of the box, so actually using the
+library is extremely easy. (Although... if you were looking for a
+step-by-step installation GUI, you've downloaded the wrong software!)
+
+While the impatient can get going immediately with some of the sample
+code at the bottom of this library, it's well worth reading this entire
+document--most of the other documentation assumes that you are familiar
+with these contents.
+
+
+---------------------------------------------------------------------------
+1. Compatibility
+
+HTML Purifier is PHP 5 only, and is actively tested from PHP 5.0.5 and
+up. It has no core dependencies with other libraries. PHP
+4 support was deprecated on December 31, 2007 with HTML Purifier 3.0.0.
+HTML Purifier is not compatible with zend.ze1_compatibility_mode.
+
+These optional extensions can enhance the capabilities of HTML Purifier:
+
+ * iconv : Converts text to and from non-UTF-8 encodings
+ * bcmath : Used for unit conversion and imagecrash protection
+ * tidy : Used for pretty-printing HTML
+
+
+---------------------------------------------------------------------------
+2. Reconnaissance
+
+A big plus of HTML Purifier is its inerrant support of standards, so
+your web-pages should be standards-compliant. (They should also use
+semantic markup, but that's another issue altogether, one HTML Purifier
+cannot fix without reading your mind.)
+
+HTML Purifier can process these doctypes:
+
+* XHTML 1.0 Transitional (default)
+* XHTML 1.0 Strict
+* HTML 4.01 Transitional
+* HTML 4.01 Strict
+* XHTML 1.1
+
+...and these character encodings:
+
+* UTF-8 (default)
+* Any encoding iconv supports (with crippled internationalization support)
+
+These defaults reflect what my choices would be if I were authoring an
+HTML document, however, what you choose depends on the nature of your
+codebase. If you don't know what doctype you are using, you can determine
+the doctype from this identifier at the top of your source code:
+
+
+
+...and the character encoding from this code:
+
+
+
+If the character encoding declaration is missing, STOP NOW, and
+read 'docs/enduser-utf8.html' (web accessible at
+http://htmlpurifier.org/docs/enduser-utf8.html). In fact, even if it is
+present, read this document anyway, as many websites specify their
+document's character encoding incorrectly.
+
+
+---------------------------------------------------------------------------
+3. Including the library
+
+The procedure is quite simple:
+
+ require_once '/path/to/library/HTMLPurifier.auto.php';
+
+This will setup an autoloader, so the library's files are only included
+when you use them.
+
+Only the contents in the library/ folder are necessary, so you can remove
+everything else when using HTML Purifier in a production environment.
+
+If you installed HTML Purifier via PEAR, all you need to do is:
+
+ require_once 'HTMLPurifier.auto.php';
+
+Please note that the usual PEAR practice of including just the classes you
+want will not work with HTML Purifier's autoloading scheme.
+
+Advanced users, read on; other users can skip to section 4.
+
+Autoload compatibility
+----------------------
+
+ HTML Purifier attempts to be as smart as possible when registering an
+ autoloader, but there are some cases where you will need to change
+ your own code to accomodate HTML Purifier. These are those cases:
+
+ PHP VERSION IS LESS THAN 5.1.2, AND YOU'VE DEFINED __autoload
+ Because spl_autoload_register() doesn't exist in early versions
+ of PHP 5, HTML Purifier has no way of adding itself to the autoload
+ stack. Modify your __autoload function to test
+ HTMLPurifier_Bootstrap::autoload($class)
+
+ For example, suppose your autoload function looks like this:
+
+ function __autoload($class) {
+ require str_replace('_', '/', $class) . '.php';
+ return true;
+ }
+
+ A modified version with HTML Purifier would look like this:
+
+ function __autoload($class) {
+ if (HTMLPurifier_Bootstrap::autoload($class)) return true;
+ require str_replace('_', '/', $class) . '.php';
+ return true;
+ }
+
+ Note that there *is* some custom behavior in our autoloader; the
+ original autoloader in our example would work for 99% of the time,
+ but would fail when including language files.
+
+ AN __autoload FUNCTION IS DECLARED AFTER OUR AUTOLOADER IS REGISTERED
+ spl_autoload_register() has the curious behavior of disabling
+ the existing __autoload() handler. Users need to explicitly
+ spl_autoload_register('__autoload'). Because we use SPL when it
+ is available, __autoload() will ALWAYS be disabled. If __autoload()
+ is declared before HTML Purifier is loaded, this is not a problem:
+ HTML Purifier will register the function for you. But if it is
+ declared afterwards, it will mysteriously not work. This
+ snippet of code (after your autoloader is defined) will fix it:
+
+ spl_autoload_register('__autoload')
+
+ Users should also be on guard if they use a version of PHP previous
+ to 5.1.2 without an autoloader--HTML Purifier will define __autoload()
+ for you, which can collide with an autoloader that was added by *you*
+ later.
+
+
+For better performance
+----------------------
+
+ Opcode caches, which greatly speed up PHP initialization for scripts
+ with large amounts of code (HTML Purifier included), don't like
+ autoloaders. We offer an include file that includes all of HTML Purifier's
+ files in one go in an opcode cache friendly manner:
+
+ // If /path/to/library isn't already in your include path, uncomment
+ // the below line:
+ // require '/path/to/library/HTMLPurifier.path.php';
+
+ require 'HTMLPurifier.includes.php';
+
+ Optional components still need to be included--you'll know if you try to
+ use a feature and you get a class doesn't exists error! The autoloader
+ can be used in conjunction with this approach to catch classes that are
+ missing. Simply add this afterwards:
+
+ require 'HTMLPurifier.autoload.php';
+
+Standalone version
+------------------
+
+ HTML Purifier has a standalone distribution; you can also generate
+ a standalone file from the full version by running the script
+ maintenance/generate-standalone.php . The standalone version has the
+ benefit of having most of its code in one file, so parsing is much
+ faster and the library is easier to manage.
+
+ If HTMLPurifier.standalone.php exists in the library directory, you
+ can use it like this:
+
+ require '/path/to/HTMLPurifier.standalone.php';
+
+ This is equivalent to including HTMLPurifier.includes.php, except that
+ the contents of standalone/ will be added to your path. To override this
+ behavior, specify a new HTMLPURIFIER_PREFIX where standalone files can
+ be found (usually, this will be one directory up, the "true" library
+ directory in full distributions). Don't forget to set your path too!
+
+ The autoloader can be added to the end to ensure the classes are
+ loaded when necessary; otherwise you can manually include them.
+ To use the autoloader, use this:
+
+ require 'HTMLPurifier.autoload.php';
+
+For advanced users
+------------------
+
+ HTMLPurifier.auto.php performs a number of operations that can be done
+ individually. These are:
+
+ HTMLPurifier.path.php
+ Puts /path/to/library in the include path. For high performance,
+ this should be done in php.ini.
+
+ HTMLPurifier.autoload.php
+ Registers our autoload handler HTMLPurifier_Bootstrap::autoload($class).
+
+ You can do these operations by yourself--in fact, you must modify your own
+ autoload handler if you are using a version of PHP earlier than PHP 5.1.2
+ (See "Autoload compatibility" above).
+
+
+---------------------------------------------------------------------------
+4. Configuration
+
+HTML Purifier is designed to run out-of-the-box, but occasionally HTML
+Purifier needs to be told what to do. If you answer no to any of these
+questions, read on; otherwise, you can skip to the next section (or, if you're
+into configuring things just for the heck of it, skip to 4.3).
+
+* Am I using UTF-8?
+* Am I using XHTML 1.0 Transitional?
+
+If you answered no to any of these questions, instantiate a configuration
+object and read on:
+
+ $config = HTMLPurifier_Config::createDefault();
+
+
+4.1. Setting a different character encoding
+
+You really shouldn't use any other encoding except UTF-8, especially if you
+plan to support multilingual websites (read section three for more details).
+However, switching to UTF-8 is not always immediately feasible, so we can
+adapt.
+
+HTML Purifier uses iconv to support other character encodings, as such,
+any encoding that iconv supports
+HTML Purifier supports with this code:
+
+ $config->set('Core.Encoding', /* put your encoding here */);
+
+An example usage for Latin-1 websites (the most common encoding for English
+websites):
+
+ $config->set('Core.Encoding', 'ISO-8859-1');
+
+Note that HTML Purifier's support for non-Unicode encodings is crippled by the
+fact that any character not supported by that encoding will be silently
+dropped, EVEN if it is ampersand escaped. If you want to work around
+this, you are welcome to read docs/enduser-utf8.html for a fix,
+but please be cognizant of the issues the "solution" creates (for this
+reason, I do not include the solution in this document).
+
+
+4.2. Setting a different doctype
+
+For those of you using HTML 4.01 Transitional, you can disable
+XHTML output like this:
+
+ $config->set('HTML.Doctype', 'HTML 4.01 Transitional');
+
+Other supported doctypes include:
+
+ * HTML 4.01 Strict
+ * HTML 4.01 Transitional
+ * XHTML 1.0 Strict
+ * XHTML 1.0 Transitional
+ * XHTML 1.1
+
+
+4.3. Other settings
+
+There are more configuration directives which can be read about
+here: They're a bit boring,
+but they can help out for those of you who like to exert maximum control over
+your code. Some of the more interesting ones are configurable at the
+demo and are well worth looking into
+for your own system.
+
+For example, you can fine tune allowed elements and attributes, convert
+relative URLs to absolute ones, and even autoparagraph input text! These
+are, respectively, %HTML.Allowed, %URI.MakeAbsolute and %URI.Base, and
+%AutoFormat.AutoParagraph. The %Namespace.Directive naming convention
+translates to:
+
+ $config->set('Namespace.Directive', $value);
+
+E.g.
+
+ $config->set('HTML.Allowed', 'p,b,a[href],i');
+ $config->set('URI.Base', 'http://www.example.com');
+ $config->set('URI.MakeAbsolute', true);
+ $config->set('AutoFormat.AutoParagraph', true);
+
+
+---------------------------------------------------------------------------
+5. Caching
+
+HTML Purifier generates some cache files (generally one or two) to speed up
+its execution. For maximum performance, make sure that
+library/HTMLPurifier/DefinitionCache/Serializer is writeable by the webserver.
+
+If you are in the library/ folder of HTML Purifier, you can set the
+appropriate permissions using:
+
+ chmod -R 0755 HTMLPurifier/DefinitionCache/Serializer
+
+If the above command doesn't work, you may need to assign write permissions
+to all. This may be necessary if your webserver runs as nobody, but is
+not recommended since it means any other user can write files in the
+directory. Use:
+
+ chmod -R 0777 HTMLPurifier/DefinitionCache/Serializer
+
+You can also chmod files via your FTP client; this option
+is usually accessible by right clicking the corresponding directory and
+then selecting "chmod" or "file permissions".
+
+Starting with 2.0.1, HTML Purifier will generate friendly error messages
+that will tell you exactly what you have to chmod the directory to, if in doubt,
+follow its advice.
+
+If you are unable or unwilling to give write permissions to the cache
+directory, you can either disable the cache (and suffer a performance
+hit):
+
+ $config->set('Core.DefinitionCache', null);
+
+Or move the cache directory somewhere else (no trailing slash):
+
+ $config->set('Cache.SerializerPath', '/home/user/absolute/path');
+
+
+---------------------------------------------------------------------------
+6. Using the code
+
+The interface is mind-numbingly simple:
+
+ $purifier = new HTMLPurifier();
+ $clean_html = $purifier->purify( $dirty_html );
+
+...or, if you're using the configuration object:
+
+ $purifier = new HTMLPurifier($config);
+ $clean_html = $purifier->purify( $dirty_html );
+
+That's it! For more examples, check out docs/examples/ (they aren't very
+different though). Also, docs/enduser-slow.html gives advice on what to
+do if HTML Purifier is slowing down your application.
+
+
+---------------------------------------------------------------------------
+7. Quick install
+
+First, make sure library/HTMLPurifier/DefinitionCache/Serializer is
+writable by the webserver (see Section 5: Caching above for details).
+If your website is in UTF-8 and XHTML Transitional, use this code:
+
+purify($dirty_html);
+?>
+
+If your website is in a different encoding or doctype, use this code:
+
+set('Core.Encoding', 'ISO-8859-1'); // replace with your encoding
+ $config->set('HTML.Doctype', 'HTML 4.01 Transitional'); // replace with your doctype
+ $purifier = new HTMLPurifier($config);
+
+ $clean_html = $purifier->purify($dirty_html);
+?>
+
+ vim: et sw=4 sts=4
diff --git a/phpgwapi/inc/htmlpurifier/NEWS b/phpgwapi/inc/htmlpurifier/NEWS
new file mode 100755
index 0000000000..8e7aef02be
--- /dev/null
+++ b/phpgwapi/inc/htmlpurifier/NEWS
@@ -0,0 +1,989 @@
+NEWS ( CHANGELOG and HISTORY ) HTMLPurifier
+|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
+
+= KEY ====================
+ # Breaks back-compat
+ ! Feature
+ - Bugfix
+ + Sub-comment
+ . Internal change
+==========================
+
+4.3.0, released 2011-03-27
+# Fixed broken caching of customized raw definitions, but requires an
+ API change. The old API still works but will emit a warning,
+ see http://htmlpurifier.org/docs/enduser-customize.html#optimized
+ for how to upgrade your code.
+# Protect against Internet Explorer innerHTML behavior by specially
+ treating attributes with backticks but no angled brackets, quotes or
+ spaces. This constitutes a slight semantic change, which can be
+ reverted using %Output.FixInnerHTML. Reported by Neike Taika-Tessaro
+ and Mario Heiderich.
+# Protect against cssText/innerHTML by restricting allowed characters
+ used in fonts further than mandated by the specification and encoding
+ some extra special characters in URLs. Reported by Neike
+ Taika-Tessaro and Mario Heiderich.
+! Added %HTML.Nofollow to add rel="nofollow" to external links.
+! More types of SPL autoloaders allowed on later versions of PHP.
+! Implementations for position, top, left, right, bottom, z-index
+ when %CSS.Trusted is on.
+! Add %Cache.SerializerPermissions option for custom serializer
+ directory/file permissions
+! Fix longstanding bug in Flash support for non-IE browsers, and
+ allow more wmode attributes.
+! Add %CSS.AllowedFonts to restrict permissible font names.
+- Switch to an iterative traversal of the DOM, which prevents us
+ from running out of stack space for deeply nested documents.
+ Thanks Maxim Krizhanovsky for contributing a patch.
+- Make removal of conditional IE comments ungreedy; thanks Bernd
+ for reporting.
+- Escape CDATA before removing Internet Explorer comments.
+- Fix removal of id attributes under certain conditions by ensuring
+ armor attributes are preserved when recreating tags.
+- Check if schema.ser was corrupted.
+- Check if zend.ze1_compatibility_mode is on, and error out if it is.
+ This safety check is only done for HTMLPurifier.auto.php; if you
+ are using standalone or the specialized includes files, you're
+ expected to know what you're doing.
+- Stop repeatedly writing the cache file after I'm done customizing a
+ raw definition. Reported by ajh.
+- Switch to using require_once in the Bootstrap to work around bad
+ interaction with Zend Debugger and APC. Reported by Antonio Parraga.
+- Fix URI handling when hostname is missing but scheme is present.
+ Reported by Neike Taika-Tessaro.
+- Fix missing numeric entities on DirectLex; thanks Neike Taika-Tessaro
+ for reporting.
+- Fix harmless notice from indexing into empty string. Thanks Matthijs
+ Kooijman for reporting.
+- Don't autoclose no parent elements are able to support the element
+ that triggered the autoclose. In particular fixes strange behavior
+ of stray tags. Thanks pkuliga@gmail.com for reporting and
+ Neike Taika-Tessaro for debugging assistance.
+
+4.2.0, released 2010-09-15
+! Added %Core.RemoveProcessingInstructions, which lets you remove
+ statements.
+! Added %URI.DisableResources functionality; the directive originally
+ did nothing. Thanks David Rothstein for reporting.
+! Add documentation about configuration directive types.
+! Add %CSS.ForbiddenProperties configuration directive.
+! Add %HTML.FlashAllowFullScreen to permit embedded Flash objects
+ to utilize full-screen mode.
+! Add optional support for the file URI scheme, enable
+ by explicitly setting %URI.AllowedSchemes.
+! Add %Core.NormalizeNewlines options to allow turning off newline
+ normalization.
+- Fix improper handling of Internet Explorer conditional comments
+ by parser. Thanks zmonteca for reporting.
+- Fix missing attributes bug when running on Mac Snow Leopard and APC.
+ Thanks sidepodcast for the fix.
+- Warn if an element is allowed, but an attribute it requires is
+ not allowed.
+
+4.1.1, released 2010-05-31
+- Fix undefined index warnings in maintenance scripts.
+- Fix bug in DirectLex for parsing elements with a single attribute
+ with entities.
+- Rewrite CSS output logic for font-family and url(). Thanks Mario
+ Heiderich for reporting and Takeshi
+ Terada for suggesting the fix.
+- Emit an error for CollectErrors if a body is extracted
+- Fix bug where in background-position for center keyword handling.
+- Fix infinite loop when a wrapper element is inserted in a context
+ where it's not allowed. Thanks Lars for reporting.
+- Remove +x bit and shebang from index.php; only supported mode is to
+ explicitly call it with php.
+- Make test script less chatty when log_errors is on.
+
+4.1.0, released 2010-04-26
+! Support proprietary height attribute on table element
+! Support YouTube slideshows that contain /cp/ in their URL.
+! Support for data: URI scheme; not enabled by default, add it using
+ %URI.AllowedSchemes
+! Support flashvars when using %HTML.SafeObject and %HTML.SafeEmbed.
+! Support for Internet Explorer compatibility with %HTML.SafeObject
+ using %Output.FlashCompat.
+! Handle properly, by inserting the necessary - tag.
+- Always quote the insides of url(...) in CSS.
+
+4.0.0, released 2009-07-07
+# APIs for ConfigSchema subsystem have substantially changed. See
+ docs/dev-config-bcbreaks.txt for details; in essence, anything that
+ had both namespace and directive now have a single unified key.
+# Some configuration directives were renamed, specifically:
+ %AutoFormatParam.PurifierLinkifyDocURL -> %AutoFormat.PurifierLinkify.DocURL
+ %FilterParam.ExtractStyleBlocksEscaping -> %Filter.ExtractStyleBlocks.Escaping
+ %FilterParam.ExtractStyleBlocksScope -> %Filter.ExtractStyleBlocks.Scope
+ %FilterParam.ExtractStyleBlocksTidyImpl -> %Filter.ExtractStyleBlocks.TidyImpl
+ As usual, the old directive names will still work, but will throw E_NOTICE
+ errors.
+# The allowed values for class have been relaxed to allow all of CDATA for
+ doctypes that are not XHTML 1.1 or XHTML 2.0. For old behavior, set
+ %Attr.ClassUseCDATA to false.
+# Instead of appending the content model to an old content model, a blank
+ element will replace the old content model. You can use #SUPER to get
+ the old content model.
+! More robust support for name="" and id=""
+! HTMLPurifier_Config::inherit($config) allows you to inherit one
+ configuration, and have changes to that configuration be propagated
+ to all of its children.
+! Implement %HTML.Attr.Name.UseCDATA, which relaxes validation rules on
+ the name attribute when set. Use with care. Thanks Ian Cook for
+ sponsoring.
+! Implement %AutoFormat.RemoveEmpty.RemoveNbsp, which removes empty
+ tags that contain non-breaking spaces as well other whitespace. You
+ can also modify which tags should have maintained with
+ %AutoFormat.RemoveEmpty.RemoveNbsp.Exceptions.
+! Implement %Attr.AllowedClasses, which allows administrators to restrict
+ classes users can use to a specified finite set of classes, and
+ %Attr.ForbiddenClasses, which is the logical inverse.
+! You can now maintain your own configuration schema directories by
+ creating a config-schema.php file or passing an extra argument. Check
+ docs/dev-config-schema.html for more details.
+! Added HTMLPurifier_Config->serialize() method, which lets you save away
+ your configuration in a compact serial file, which you can unserialize
+ and use directly without having to go through the overhead of setup.
+- Fix bug where URIDefinition would not get cleared if it's directives got
+ changed.
+- Fix fatal error in HTMLPurifier_Encoder on certain platforms (probably NetBSD 5.0)
+- Fix bug in Linkify autoformatter involving http://foo
+- Make %URI.Munge not apply to links that have the same host as your host.
+- Prevent stray
tag from truncating output, if a second
+ is present.
+. Created script maintenance/rename-config.php for renaming a configuration
+ directive while maintaining its alias. This script does not change source code.
+. Implement namespace locking for definition construction, to prevent
+ bugs where a directive is used for definition construction but is not
+ used to construct the cache hash.
+
+3.3.0, released 2009-02-16
+! Implement CSS property 'overflow' when %CSS.AllowTricky is true.
+! Implement generic property list classess
+- Fix bug with testEncodingSupportsASCII() algorithm when iconv() implementation
+ does not do the "right thing" with characters not supported in the output
+ set.
+- Spellcheck UTF-8: The Secret To Character Encoding
+- Fix improper removal of the contents of elements with only whitespace. Thanks
+ Eric Wald for reporting.
+- Fix broken test suite in versions of PHP without spl_autoload_register()
+- Fix degenerate case with YouTube filter involving double hyphens.
+ Thanks Pierre Attar for reporting.
+- Fix YouTube rendering problem on certain versions of Firefox.
+- Fix CSSDefinition Printer problems with decorators
+- Add text parameter to unit tests, forces text output
+. Add verbose mode to command line test runner, use (--verbose)
+. Turn on unit tests for UnitConverter
+. Fix missing version number in configuration %Attr.DefaultImageAlt (added 3.2.0)
+. Fix newline errors that caused spurious failures when CRLF HTML Purifier was
+ tested on Linux.
+. Removed trailing whitespace from all text files, see
+ remote-trailing-whitespace.php maintenance script.
+. Convert configuration to use property list backend.
+
+3.2.0, released 2008-10-31
+# Using %Core.CollectErrors forces line number/column tracking on, whereas
+ previously you could theoretically turn it off.
+# HTMLPurifier_Injector->notifyEnd() is formally deprecated. Please
+ use handleEnd() instead.
+! %Output.AttrSort for when you need your attributes in alphabetical order to
+ deal with a bug in FCKEditor. Requested by frank farmer.
+! Enable HTML comments when %HTML.Trusted is on. Requested by Waldo Jaquith.
+! Proper support for name attribute. It is now allowed and equivalent to the id
+ attribute in a and img tags, and is only converted to id when %HTML.TidyLevel
+ is heavy (for all doctypes).
+! %AutoFormat.RemoveEmpty to remove some empty tags from documents. Please don't
+ use on hand-written HTML.
+! Add error-cases for unsupported elements in MakeWellFormed. This enables
+ the strategy to be used, standalone, on untrusted input.
+! %Core.AggressivelyFixLt is on by default. This causes more sensible
+ processing of left angled brackets in smileys and other whatnot.
+! Test scripts now have a 'type' parameter, which lets you say 'htmlpurifier',
+ 'phpt', 'vtest', etc. in order to only execute those tests. This supercedes
+ the --only-phpt parameter, although for backwards-compatibility the flag
+ will still work.
+! AutoParagraph auto-formatter will now preserve double-newlines upon output.
+ Users who are not performing inbound filtering, this may seem a little
+ useless, but as a bonus, the test suite and handling of edge cases is also
+ improved.
+! Experimental implementation of forms for %HTML.Trusted
+! Track column numbers when maintain line numbers is on
+! Proprietary 'background' attribute on table-related elements converted into
+ corresponding CSS. Thanks Fusemail for sponsoring this feature!
+! Add forward(), forwardUntilEndToken(), backward() and current() to Injector
+ supertype.
+! HTMLPurifier_Injector->handleEnd() permits modification to end tokens. The
+ time of operation varies slightly from notifyEnd() as *all* end tokens are
+ processed by the injector before they are subject to the well-formedness rules.
+! %Attr.DefaultImageAlt allows overriding default behavior of setting alt to
+ basename of image when not present.
+! %AutoFormat.DisplayLinkURI neuters