Merge branch 'release/1.4.8'

fuel/application/config/purifier.php

@@ -0,0 +1,22 @@
+<?php 
+$config['settings'] = array(
+	'default' => array(
+		'HTML.Doctype'             => 'XHTML 1.0 Strict',
+		'HTML.Allowed'             => 'div,b,strong,i,em,a[href|title],ul,ol,li,p[style],br,span[style],img[width|height|alt|src]',
+		//'CSS.AllowedProperties'    => 'font,font-size,font-weight,font-style,font-family,text-decoration,padding-left,color,background-color,text-align,float,margin',
+		'AutoFormat.AutoParagraph' => false, // This will cause errors if you globally apply this to input being saved to the database so we set it to false.
+		'AutoFormat.RemoveEmpty'   => true,
+	),
+	'comment' => array(
+		'HTML.Doctype'             => 'XHTML 1.0 Strict',
+		'HTML.Allowed'             => 'p,a[href|title],abbr[title],acronym[title],b,strong,blockquote[cite],code,em,i,strike',
+		'CSS.AllowedProperties'    => 'font,font-size,font-weight,font-style,font-family,text-decoration,padding-left,color,background-color,text-align,float,margin',
+		'AutoFormat.AutoParagraph' => true, 
+		'AutoFormat.Linkify'       => true,
+		'AutoFormat.RemoveEmpty'   => true,
+	),
+	'youtube' => array(
+		'HTML.SafeIframe'          => 'true',
+		'URI.SafeIframeRegexp'     => "%^(http://|https://|//)(www.youtube.com/embed/|player.vimeo.com/video/)%",
+	)
+);

fuel/application/views/_docs/index.php

@@ -85,8 +85,10 @@
 					$form_fields = $sub_model->form_fields();
 					foreach($sub_model->form_fields() as $field => $field_params) : ?>
 					<?php if ($field != 'id') : 
-					$label = (!empty($field_params['label'])) ? $field_params['label'] : $CI->form_builder->create_label($field_params);
-					$label = ucfirst(str_replace('_', ' ', $field));
+					$label = (!empty($field_params['label'])) ? $field_params['label'] : $CI->form_builder->create_label($field_params, FALSE);
+					if (empty($label)) :
+						$label = ucfirst(str_replace(array('_id', '_'), array(' ID', ' '), $field));
+					endif;
 					?>
 					<li><strong><?=$label?></strong><?php if (!empty($field_params['comment'])) : ?> - <?=$field_params['comment']?><?php endif; ?></li>
 					<?php endif; ?>

fuel/modules/fuel/config/fuel_constants.php

@@ -1,6 +1,6 @@
 <?php 
 // INSTALL_ROOT is defined in the index.php bootstrap file
-define('FUEL_VERSION', '1.4.7');
+define('FUEL_VERSION', '1.4.8');
 if (!defined('MODULES_FOLDER'))
 {
 	define('MODULES_FOLDER', '../../fuel/modules');

fuel/modules/fuel/controllers/Module.php

@@ -1141,7 +1141,7 @@ protected function _process_edit($id)
 	{
 		$this->model->on_before_post($this->input->post());
 
-		$posted = $this->_process();
+		$posted = $this->_process($id);
 
 		// run before_edit hook
 		$this->_run_hook('before_edit', $posted);
@@ -1453,7 +1453,7 @@ protected function _form_vars($id = NULL, $values = array(), $field = NULL, $inl
 		return $vars;
 	}
 
-	protected function _process()
+	protected function _process($id = NULL)
 	{
 		$this->load->helper('security');
 		$this->load->library('form_builder');
@@ -1514,7 +1514,7 @@ protected function _process()
 		// set key_field if it is not id
 		if ( ! empty($_POST['id']) AND $this->model->key_field() != 'id')
 		{
-			$_POST[$this->model->key_field()] = $_POST['id'];
+			$_POST[$this->model->key_field()] = !empty($id) ? $id : $_POST['id'];
 		}
 
 		// run any form field post processing hooks

fuel/modules/fuel/core/MY_Model.php

@@ -2344,8 +2344,9 @@ public function validate($record, $run_hook = FALSE)
 	public function field_type($field)
 	{
 		$field_info = $this->field_info($field);
+		$switch = (!empty($field_info['type'])) ? $field_info['type'] : '';
 
-		switch($field_info['type'])
+		switch($switch)
 		{
 			case 'var' : case 'varchar': case 'string': case 'tinytext': case 'text':  case 'longtext':
 				return 'string';
@@ -2364,7 +2365,7 @@ public function field_type($field)
 			case 'enum':
 				return 'enum';
 			default:
-				return $field_info['type'];
+				return $switch;
 		}
 	}
 

fuel/modules/fuel/helpers/MY_html_helper.php

@@ -151,5 +151,121 @@ function html_attrs($attrs)
 	}
 }
 
+// https://github.com/refringe/CodeIgniter-HTMLPurifier/blob/master/htmlpurifier_helper.php
+/*
+ * Codeigniter HTMLPurifier Helper
+ *
+ * Purify input using the HTMLPurifier standalone class.
+ * Easily use multiple purifier configurations.
+ *
+ * @author     Tyler Brownell <[email protected]>
+ * @copyright  Public Domain
+ *
+ * @access  public
+ * @param   string or array  $dirty_html  A string (or array of strings) to be cleaned.
+ * @param   string           $config      The name of the configuration (switch case) to use.
+ * @param   boolean          $replace     Determines whether to replace the main config or append to it.
+ * @param   boolean          $remove_allowed_funcs     Determines whether search for allowed functions to remove.
+ * @return  string or array               The cleaned string (or array of strings).
+ */
+if (!function_exists('html_purify'))
+{
+	function html_purify($dirty_html, $config = [], $replace = false, $remove_allowed_funcs = false)
+	{
+		if (!is_string($dirty_html) OR is_numeric($dirty_html))
+		{
+			return $dirty_html;
+		}
+
+		// Modified to include the library if it doesn't exist
+		require_once(FUEL_PATH.'libraries/HTMLPurifier/HTMLPurifier.standalone.php');
+
+		$CI = &get_instance();
+		$CI->load->config('purifier', TRUE);
+
+		$settings = $CI->config->item('settings', 'purifier');
+
+		if (is_array($dirty_html))
+		{
+			foreach ($dirty_html as $key => $val)
+			{
+				$clean_html[$key] = html_purify($val, $config, $replace);
+			}
+
+		} else {
+
+			if (is_string($config) AND isset($settings[$config]))
+			{
+				$config = $settings[$config];
+			}
+			else
+			{
+				$config = ($replace) ? $config : array_merge($settings['default'], $config);
+			}
+
+			// This is no bueno when sanitizing data so we make sure it's not set unless explicitly passed.
+			if (!isset($config['AutoFormat.AutoParagraph']))
+			{
+				$config['AutoFormat.AutoParagraph'] = false;
+			}
+
+			$encodeAmpersands = true;
+
+			if (isset($config['HTML.EncodeAmpersand']) && $config['HTML.EncodeAmpersand'] === false)
+			{
+				$encodeAmpersands = false;
+				unset($config['HTML.EncodeAmpersand']);
+			}
+
+			if ($encodeAmpersands)
+			{
+				$dirty_html = preg_replace('/&(?![a-z#]+;)/i', '__TEMP_AMP__', $dirty_html);
+			}
+
+			if (empty($config))
+			{
+				show_error('No HTML purifier configuration found');
+			}
+
+			$purifier_config = \HTMLPurifier_Config::createDefault();
+			$purifier_config->set('Core.Encoding', $CI->config->item('charset'));
+
+			if (!$remove_allowed_funcs)
+			{
+				$allowed_funcs = $CI->fuel->config('parser_allowed_functions');
+				$parse_delimiters = $CI->fuel->config('parser_delimiters');
+				$tag_delimiters = $parse_delimiters['tag_variable'];
+				$keep_replace = array('__TEMP_LEFT_CURLY_BRACE__', '__TEMP_RIGHT_CURLY_BRACE__');
+
+				// Escape functions that are allowed with delimiters
+				$funcs = implode('|', $allowed_funcs);
+				$regex = '#'.preg_quote($tag_delimiters[0]).'.*(('.$funcs.')\(.*\).*)'.preg_quote($tag_delimiters[1]).'#U';
+				$dirty_html = preg_replace($regex, $keep_replace[0].'$1'.$keep_replace[1], $dirty_html);
+			}
+
+			foreach ($config as $key => $val)
+			{
+				$purifier_config->set($key, $val);
+			}
+
+			$purifier_config = \HTMLPurifier_Config::createDefault();
+			$purifier = new \HTMLPurifier($purifier_config);
+			$clean_html = $purifier->purify($dirty_html);
+
+			if ($encodeAmpersands)
+			{
+				$clean_html = str_replace('__TEMP_AMP__', '&', $clean_html);
+			}
+
+			if (!$remove_allowed_funcs)
+			{
+				$clean_html = str_replace($keep_replace, $tag_delimiters, $clean_html);
+			}
+		}
+
+		return $clean_html;
+	}
+}
+
 /* End of file MY_html_helper.php */
 /* Location: ./modules/fuel/helpers/MY_html_helper.php */

fuel/modules/fuel/helpers/MY_string_helper.php

@@ -187,7 +187,7 @@ function strip_javascript($str)
 		if (!is_numeric($str))
 		{
 			$str = preg_replace('#<script[^>]*>.*?</script>#is', '', $str);
-			$str = preg_replace('#(<[^>]*)onerror=|onload=(.+>)#Uis', '$1$2', $str);
+			$str = preg_replace('#(<[^>]*)onerror=|onload=|ontoggle=(.+>)#Uis', '$1$2', $str);
 		}
 
 		return $str;
@@ -248,7 +248,15 @@ function safe_htmlentities($str, $protect_amp = TRUE, $sanitize = TRUE)
 		// sanitize
 		if ($sanitize)
 		{
-			$str = strip_javascript($str);
+			//$str = strip_javascript($str);
+			// Better method
+			// $CI =& get_instance();
+			// $allowed_funcs = $CI->fuel->config('parser_allowed_functions');
+			// $keep_search = array('{', '}');
+			// $keep_replace = array('__TEMP_LEFT_CURLY_BRACE__', '__TEMP_RIGHT_CURLY_BRACE__');
+			// $str = str_replace($keep_search, $keep_replace, $str);
+			$str = html_purify($str);
+			// $str = str_replace($keep_replace, $keep_search, $str);
 		}
 
 		return $str;

fuel/modules/fuel/helpers/fuel_helper.php

@@ -75,7 +75,7 @@ function &FUEL()
 	 * <li><strong>offset</strong> - the find results returned offset value</li>
 	 * <li><strong>return_method</strong>: the return method the find query should use</li>
 	 * <li><strong>assoc_key</strong>: the column name to be used as the associative key in the find method</li>
-	 * <li><strong>data</strong>: the data values to be passed to the block. This variable get's automatically set if you specify the model and find method</li>
+	 * <li><strong>data</strong>: the data values to be passed to the block. This variable gets automatically set if you specify the model and find method</li>
 	 * <li><strong>editable</strong>: css class styles to apply to menu items... can be a nested array</li>
 	 * <li><strong>parse</strong>: determines whether to parse the contents of the block. The default is set to 'auto'</li>
 	 * <li><strong>cache</strong>: determines whether to cache the block. Default is false</li>
@@ -359,7 +359,7 @@ function fuel_var_append($key, $value)
 	 * The <dfn>edit_module</dfn> parameter specifies the module to include for inline editing.
 	 * The <dfn>evaluate</dfn> parameter specifies whether to evaluate any php in the variables.
 	 *
-	 * <p class="important">You should not use this function inside of another function because you may get unexepected results. This is
+	 * <p class="important">You should not use this function inside of another function because you may get unexpected results. This is
 	 * because it returns inline editing markers that later get parsed out by FUEL. For example:</p>
 	 *
 	 * <code>

fuel/modules/fuel/libraries/Form_builder.php

@@ -530,10 +530,10 @@ public function render_divs($fields = NULL)
 
 		$colspan = ($this->label_layout == 'top') ? '1' : '2';
 
-		$first = $this->_find_first_renderable_field();;
+		$first = $this->_find_first_renderable_field();
 
 		$is_fieldset_first = FALSE;
-		if ($first['type'] != 'fieldset')
+		if (!empty($first) AND $first['type'] != 'fieldset')
 		{
 			$str .= $this->_open_div();
 		}
@@ -2891,6 +2891,7 @@ public function create_section($params)
 		$id = isset($params['id']) ? ' id="'.$params['id'].'"' : '';
 		$class = isset($params['class']) ? ' class="'.$params['class'].'"' : '';
 		$tag = (empty($params['tag'])) ? $this->section_tag : $params['tag'];
+		$section = $this->create_tooltip($params);
 		return '<'.$tag.$id.$class.'>'.$section.'</'.$tag.'>';
 	}
 

fuel/modules/fuel/libraries/Fuel_custom_fields.php

@@ -111,7 +111,7 @@ public function wysiwyg($params)
 			$params['data']['link_pdfs'] = 1;
 		}
 
-		// set the image folder for inserting assets
+		// set the link filter when selecting page links
 		if (isset($params['link_filter']))
 		{
 			$params['data']['link_filter'] = $params['link_filter'];