Merge branch 'release/1.5.0'

fuel/application/config/purifier.php

@@ -1,22 +1,50 @@
 <?php 
+// Purifier settings
+// http://htmlpurifier.org/live/configdoc/plain.html
 $config['settings'] = array(
+
+	// Default setting is used for basic usage including the auto encoding database fields (if the auto_encode_entities property is set on the model which it is by default)
 	'default' => array(
-		'HTML.Doctype'             => 'XHTML 1.0 Strict',
-		'HTML.Allowed'             => 'div,b,strong,i,em,a[href|title],ul,ol,li,p[style],br,span[style],img[width|height|alt|src]',
+		//'HTML.Trusted'             => TRUE, // For Javascript... must also add 'script' to HTML.Allowed
+		//'HTML.SafeIframe'          => TRUE, // For iframes
+		//'URI.SafeIframeRegexp'     => '%^(http://|https://|//)(www.youtube.com/embed/|player.vimeo.com/video/)%',
+		'Attr.EnableID'            => TRUE,
+		'Attr.AllowedFrameTargets' => array('_blank'),
+		//'HTML.Allowed'             => 'h1,h2,h3,h4,h5,h6,div[id],b,strong,i,em,a[href|title|target|download|hreflang|type],ul[class],ol,li[class],p[style],br,span[style],img[width|height|alt|src|srcset|sizes]',
 		//'CSS.AllowedProperties'    => 'font,font-size,font-weight,font-style,font-family,text-decoration,padding-left,color,background-color,text-align,float,margin',
-		'AutoFormat.AutoParagraph' => false, // This will cause errors if you globally apply this to input being saved to the database so we set it to false.
-		'AutoFormat.RemoveEmpty'   => true,
+		'AutoFormat.AutoParagraph' => FALSE, // This will cause errors if you globally apply this to input being saved to the database so we set it to false.
+		'AutoFormat.RemoveEmpty'   => TRUE,
+		'HTML.Doctype'             => 'HTML5'
 	),
+
+	// Can be used with html_purify function (e.g. html_purify($str, 'comment'))
 	'comment' => array(
 		'HTML.Doctype'             => 'XHTML 1.0 Strict',
-		'HTML.Allowed'             => 'p,a[href|title],abbr[title],acronym[title],b,strong,blockquote[cite],code,em,i,strike',
+		'HTML.Allowed'             => 'p,a[href|title|target],abbr[title],acronym[title],b,strong,blockquote[cite],code,em,i,strike',
 		'CSS.AllowedProperties'    => 'font,font-size,font-weight,font-style,font-family,text-decoration,padding-left,color,background-color,text-align,float,margin',
-		'AutoFormat.AutoParagraph' => true, 
-		'AutoFormat.Linkify'       => true,
-		'AutoFormat.RemoveEmpty'   => true,
+		'AutoFormat.AutoParagraph' => TRUE, 
+		'AutoFormat.Linkify'       => TRUE,
+		'AutoFormat.RemoveEmpty'   => TRUE,
 	),
+
+	// Can be used with html_purify function (e.g. html_purify($str, 'youtube'))
 	'youtube' => array(
-		'HTML.SafeIframe'          => 'true',
-		'URI.SafeIframeRegexp'     => "%^(http://|https://|//)(www.youtube.com/embed/|player.vimeo.com/video/)%",
+		'HTML.SafeIframe'          => TRUE,
+		'URI.SafeIframeRegexp'     => '%^(http://|https://|//)(www.youtube.com/embed/|player.vimeo.com/video/)%',
 	)
 );
+
+// This provides a simpler way of adding custom attributes not currently supported by Purifier then by extending the config class
+// More information about adding custom attributes can be found here:
+// http://htmlpurifier.org/docs/enduser-customize.html
+$config['custom_attributes'] = array(
+	//['a', 'data-toggle', 'CDATA'], // Array format
+	//'ul|role|CDATA', // String format
+);
+
+// For HTML 5 compatibility issues https://github.com/xemlock/htmlpurifier-html5 
+$config['config_class'] = 'HTMLPurifier_HTML5Config';
+
+// Determines where to cache the definitions files. 
+// Set to FALSE if you don't want to cache (like during testing)
+$config['cache_path'] = APPPATH.'/cache';

fuel/modules/fuel/assets/js/editors/ckeditor/plugins/fuelimage/plugin.js

@@ -49,6 +49,7 @@ CKEDITOR.plugins.add( 'fuelimage', {
 						height = element.getAttribute('height');
 						alt = element.getAttribute('alt');
 						align = element.getAttribute('align');
+						className = element.getAttribute('class');
 					}
 				}
 				imgFolder = editor.element.getAttribute('data-img_folder');

fuel/modules/fuel/assets/js/editors/markitup/jquery.markitup.set.js

@@ -485,7 +485,7 @@ myMarkItUpSettings.displayLinkEditWindow = function(selected, attrs, callback){
 
 				$selected = $('#selected', iframeContext);
 				var selectedUrl = ($input.length && $input.val().length) ? $input.val() : $urlSelect.val();
-				var isHTTP = (selectedUrl.match(/^\w+:\/\//)) ? true : false;
+				var isHTTP = (((selectedUrl.match(/^\w+:\/\//))) || ((selectedUrl.match(/^mailto:/)))) ? true : false;
 				var replace = '<a href="';
 
 				if (selectedUrl.substr(0, 1) != '{') {

fuel/modules/fuel/config/fuel_constants.php

@@ -1,6 +1,6 @@
 <?php 
 // INSTALL_ROOT is defined in the index.php bootstrap file
-define('FUEL_VERSION', '1.4.13');
+define('FUEL_VERSION', '1.5.0');
 if (!defined('MODULES_FOLDER'))
 {
 	define('MODULES_FOLDER', '../../fuel/modules');
@@ -82,5 +82,10 @@
 	}
 }
 
+if ( ! defined('FUEL_DSN'))
+{
+	define('FUEL_DSN', 'default');
+}
+
 /* End of file fuel_constants.php */
 /* Location: ./modules/fuel/config/fuel_constants.php */

fuel/modules/fuel/controllers/Module.php

@@ -1621,9 +1621,22 @@ function delete($id = NULL)
 
 		$inline = $this->fuel->admin->is_inline();
 
-		if ( ! empty($_POST['id']))
+		if (! empty($_POST['id']))
 		{
-			$posted = explode('|', $this->input->post('id', TRUE));
+
+			if (!$this->_is_valid_csrf())
+			{
+				add_error(lang('data_not_deleted'));
+			}
+
+			if (!empty($id))
+			{
+				$posted = array($id);
+			}
+			else
+			{
+				$posted = explode('|', $this->input->post('id', TRUE));
+			}
 
 			// run before_delete hook
 			$this->_run_hook('before_delete', $posted);
@@ -1743,7 +1756,7 @@ function delete($id = NULL)
 
 			$action_uri = 'delete/'.$id;
 			$vars['form_action'] = ($inline) ? $this->module_uri.'/inline_'.$action_uri : $this->module_uri.'/'.$action_uri;
-
+			$this->_prep_csrf();
 			$this->fuel->admin->render($this->views['delete'], $vars, '', FUEL_FOLDER);
 		}
 	}
@@ -2060,7 +2073,8 @@ function toggle_off($id = NULL, $field = 'published')
 	// reduce code by creating this shortcut function for the unpublish/publish
 	function _toggle($id, $field, $toggle)
 	{
-		if ( ! $this->fuel->auth->module_has_action('save') OR ($field == 'publish' AND !$this->fuel->auth->has_permission($this->permission, 'publish')))
+		if ( ! $this->fuel->auth->module_has_action('save') OR 
+			(($field == 'publish' AND !$this->fuel->auth->has_permission($this->permission, 'publish')) OR ($field == 'active' AND !$this->fuel->auth->has_permission($this->permission, 'activate'))))
 		{
 			return FALSE;
 		}

fuel/modules/fuel/core/MY_Model.php

@@ -147,7 +147,7 @@ public function initialize($table = NULL, $params = array())
 		}
 
 		// if a DSN property is set,then we will load that database in
-		if (!empty($this->dsn))
+		if (!empty($this->dsn) AND ($this->dsn != FUEL_DSN))
 		{
 			$this->set_db($this->load->database($this->dsn, TRUE, TRUE));
 		}
@@ -172,6 +172,7 @@ public function initialize($table = NULL, $params = array())
 				show_error(lang('db_unable_to_connect'));
 			}
 		}
+
 		$this->validator = new Validator();
 		$this->validator->register_to_global_errors = FALSE;
 

fuel/modules/fuel/helpers/MY_html_helper.php

@@ -178,8 +178,8 @@ function html_purify($dirty_html, $config = [], $replace = false, $remove_allowe
 		}
 
 		// Modified to include the library if it doesn't exist
-		require_once(FUEL_PATH.'libraries/HTMLPurifier/HTMLPurifier.standalone.php');
-
+		require_once(FUEL_PATH.'libraries/HTML5Purifier/vendor/autoload.php');
+	
 		$CI = &get_instance();
 		$CI->load->config('purifier', TRUE);
 
@@ -227,9 +227,24 @@ function html_purify($dirty_html, $config = [], $replace = false, $remove_allowe
 				show_error('No HTML purifier configuration found');
 			}
 
-			$purifier_config = \HTMLPurifier_Config::createDefault();
+			$config_class = $CI->config->item('config_class', 'purifier');
+			$purifier_config = $config_class::createDefault();
 			$purifier_config->set('Core.Encoding', $CI->config->item('charset'));
 
+			// Caching
+			$cache_path = $CI->config->item('cache_path', 'purifier');
+			if ($cache_path === FALSE)
+			{
+				$purifier_config->set('Cache.DefinitionImpl', NULL);
+			}
+			else
+			{
+				$purifier_config->set('Cache.SerializerPath', $CI->config->item('cache_path', 'purifier'));
+			}
+
+
+
+			// Remove template parser allowed functions for Dwoo or Twig
 			if (!$remove_allowed_funcs)
 			{
 				$allowed_funcs = $CI->fuel->config('parser_allowed_functions');
@@ -242,14 +257,30 @@ function html_purify($dirty_html, $config = [], $replace = false, $remove_allowe
 				$regex = '#'.preg_quote($tag_delimiters[0]).'.*(('.$funcs.')\(.*\).*)'.preg_quote($tag_delimiters[1]).'#U';
 				$dirty_html = preg_replace($regex, $keep_replace[0].'$1'.$keep_replace[1], $dirty_html);
 			}
-			
+
 			foreach ($config as $key => $val)
 			{
 				$purifier_config->set($key, $val);
 			}
-
-			$purifier_config = \HTMLPurifier_Config::createDefault();
+
 			$purifier = new \HTMLPurifier($purifier_config);
+			// Custom attributes
+			$custom_attributes = (array) $CI->config->item('custom_attributes', 'purifier');
+			if ($custom_attributes)
+			{
+				$def = $purifier_config->maybeGetRawHTMLDefinition();
+				if ($def)
+				{
+					foreach ($custom_attributes as $attribute_args)
+					{
+						if (is_string($attribute_args))
+						{
+							$attribute_args = explode('|', $attribute_args);
+						}
+						call_user_func_array(array($def, 'addAttribute'), $attribute_args);
+					}
+				}
+			}
 			$clean_html = $purifier->purify($dirty_html);
 
 			if ($encodeAmpersands)

fuel/modules/fuel/helpers/MY_string_helper.php

@@ -250,13 +250,7 @@ function safe_htmlentities($str, $protect_amp = TRUE, $sanitize = TRUE)
 		{
 			//$str = strip_javascript($str);
 			// Better method
-			// $CI =& get_instance();
-			// $allowed_funcs = $CI->fuel->config('parser_allowed_functions');
-			// $keep_search = array('{', '}');
-			// $keep_replace = array('__TEMP_LEFT_CURLY_BRACE__', '__TEMP_RIGHT_CURLY_BRACE__');
-			// $str = str_replace($keep_search, $keep_replace, $str);
 			$str = html_purify($str);
-			// $str = str_replace($keep_replace, $keep_search, $str);
 		}
 
 		return $str;

fuel/modules/fuel/libraries/Fuel_base_controller.php

@@ -158,6 +158,10 @@ protected function _prep_csrf()
 		{
 			$hash = $this->_session_csrf();
 		}
+		if (!isset($this->form_builder))
+		{
+			$this->load->library('form_builder');
+		}
 
 		$this->form_builder->key_check_name = $this->_get_csrf_token_name();
 		$this->form_builder->key_check = $hash;

fuel/modules/fuel/libraries/Fuel_language.php

@@ -613,7 +613,7 @@ function lang_segment($uri = NULL, $routed = 'both')
 	function cleaned_uri($uri = NULL, $routed = FALSE)
 	{
 		$segs = $this->cleaned_uri_segments($uri, $routed);
-		return implode($segs, '/');
+		return implode('/', $segs);
 	}
 
 	// --------------------------------------------------------------------
@@ -624,7 +624,7 @@ function cleaned_uri($uri = NULL, $routed = FALSE)
 	 * @access	public
 	 * @param	string The URI string to check. If none provided, will use the rsegment_array or rsegment_array on the URI object (optional)
 	 * @param	boolean Determines whether to use a routed (TRUE), non-routed (FALSE) when looking at the URI segment if one is not provided in first argument (optional)
-	 * @return	string
+	 * @return	array
 	 */
 	function cleaned_uri_segments($uri = NULL, $routed = FALSE)
 	{

fuel/modules/fuel/libraries/HTML5Purifier/composer.json

@@ -0,0 +1 @@
+{"name":"dummy app","description":"This app is only a dummy for downloading with the option require.","homepage":"https://php-download.com/","type":"project","require":{"xemlock/htmlpurifier-html5":"^0.1.11.0"}}