model update

5 files changed, 5966 insertions, 5966 deletions

diff --git a/lib/htmlawed/htmLawed.php b/lib/htmlawed/htmLawed.php
index b384d98..a370d76 100755
--- a/lib/htmlawed/htmLawed.php
+++ b/lib/htmlawed/htmLawed.php
@@ -1,729 +1,729 @@
-<?php
-
-/*
-htmLawed 1.2.5, 24 September 2019
-Copyright Santosh Patnaik
-Dual licensed with LGPL 3 and GPL 2+
-A PHP Labware internal utility - www.bioinformatics.org/phplabware/internal_utilities/htmLawed
-
-See htmLawed_README.txt/htm
-*/
-
-function htmLawed($t, $C=1, $S=array()){
-$C = is_array($C) ? $C : array();
-if(!empty($C['valid_xhtml'])){
- $C['elements'] = empty($C['elements']) ? '*-acronym-big-center-dir-font-isindex-s-strike-tt' : $C['elements'];
- $C['make_tag_strict'] = isset($C['make_tag_strict']) ? $C['make_tag_strict'] : 2;
- $C['xml:lang'] = isset($C['xml:lang']) ? $C['xml:lang'] : 2;
-}
-// config eles
-$e = array('a'=>1, 'abbr'=>1, 'acronym'=>1, 'address'=>1, 'applet'=>1, 'area'=>1, 'article'=>1, 'aside'=>1, 'audio'=>1, 'b'=>1, 'bdi'=>1, 'bdo'=>1, 'big'=>1, 'blockquote'=>1, 'br'=>1, 'button'=>1, 'canvas'=>1, 'caption'=>1, 'center'=>1, 'cite'=>1, 'code'=>1, 'col'=>1, 'colgroup'=>1, 'command'=>1, 'data'=>1, 'datalist'=>1, 'dd'=>1, 'del'=>1, 'details'=>1, 'dfn'=>1, 'dir'=>1, 'div'=>1, 'dl'=>1, 'dt'=>1, 'em'=>1, 'embed'=>1, 'fieldset'=>1, 'figcaption'=>1, 'figure'=>1, 'font'=>1, 'footer'=>1, 'form'=>1, 'h1'=>1, 'h2'=>1, 'h3'=>1, 'h4'=>1, 'h5'=>1, 'h6'=>1, 'header'=>1, 'hgroup'=>1, 'hr'=>1, 'i'=>1, 'iframe'=>1, 'img'=>1, 'input'=>1, 'ins'=>1, 'isindex'=>1, 'kbd'=>1, 'keygen'=>1, 'label'=>1, 'legend'=>1, 'li'=>1, 'link'=>1, 'main'=>1, 'map'=>1, 'mark'=>1, 'menu'=>1, 'meta'=>1, 'meter'=>1, 'nav'=>1, 'noscript'=>1, 'object'=>1, 'ol'=>1, 'optgroup'=>1, 'option'=>1, 'output'=>1, 'p'=>1, 'param'=>1, 'pre'=>1, 'progress'=>1, 'q'=>1, 'rb'=>1, 'rbc'=>1, 'rp'=>1, 'rt'=>1, 'rtc'=>1, 'ruby'=>1, 's'=>1, 'samp'=>1, 'script'=>1, 'section'=>1, 'select'=>1, 'small'=>1, 'source'=>1, 'span'=>1, 'strike'=>1, 'strong'=>1, 'style'=>1, 'sub'=>1, 'summary'=>1, 'sup'=>1, 'table'=>1, 'tbody'=>1, 'td'=>1, 'textarea'=>1, 'tfoot'=>1, 'th'=>1, 'thead'=>1, 'time'=>1, 'tr'=>1, 'track'=>1, 'tt'=>1, 'u'=>1, 'ul'=>1, 'var'=>1, 'video'=>1, 'wbr'=>1); // 118 incl. deprecated & some Ruby
-
-if(!empty($C['safe'])){
- unset($e['applet'], $e['audio'], $e['canvas'], $e['embed'], $e['iframe'], $e['object'], $e['script'], $e['video']);
-}
-$x = !empty($C['elements']) ? str_replace(array("\n", "\r", "\t", ' '), '', $C['elements']) : '*';
-if($x == '-*'){$e = array();}
-elseif(strpos($x, '*') === false){$e = array_flip(explode(',', $x));}
-else{
- if(isset($x[1])){
-  preg_match_all('`(?:^|-|\+)[^\-+]+?(?=-|\+|$)`', $x, $m, PREG_SET_ORDER);
-  for($i=count($m); --$i>=0;){$m[$i] = $m[$i][0];}
-  foreach($m as $v){
-   if($v[0] == '+'){$e[substr($v, 1)] = 1;}
-   if($v[0] == '-' && isset($e[($v = substr($v, 1))]) && !in_array('+'. $v, $m)){unset($e[$v]);}
-  }
- }
-}
-$C['elements'] =& $e;
-// config attrs
-$x = !empty($C['deny_attribute']) ? strtolower(str_replace(array("\n", "\r", "\t", ' '), '', $C['deny_attribute'])) : '';
-$x = array_flip((isset($x[0]) && $x[0] == '*') ? str_replace('/', 'data-', explode('-', str_replace('data-', '/', $x))) : explode(',', $x. (!empty($C['safe']) ? ',on*' : '')));
-$C['deny_attribute'] = $x;
-// config URLs
-$x = (isset($C['schemes'][2]) && strpos($C['schemes'], ':')) ? strtolower($C['schemes']) : 'href: aim, feed, file, ftp, gopher, http, https, irc, mailto, news, nntp, sftp, ssh, tel, telnet'. (empty($C['safe']) ? ', app, javascript; *: data, javascript, ' : '; *:'). 'file, http, https';
-$C['schemes'] = array();
-foreach(explode(';', trim(str_replace(array(' ', "\t", "\r", "\n"), '', $x), ';')) as $v){
- $x = $x2 = null; list($x, $x2) = explode(':', $v, 2);
- if($x2){$C['schemes'][$x] = array_flip(explode(',', $x2));}
-}
-if(!isset($C['schemes']['*'])){
- $C['schemes']['*'] = array('file'=>1, 'http'=>1, 'https'=>1);
- if(empty($C['safe'])){$C['schemes']['*'] += array('data'=>1, 'javascript'=>1);}
-}
-if(!empty($C['safe']) && empty($C['schemes']['style'])){$C['schemes']['style'] = array('!'=>1);}
-$C['abs_url'] = isset($C['abs_url']) ? $C['abs_url'] : 0;
-if(!isset($C['base_url']) or !preg_match('`^[a-zA-Z\d.+\-]+://[^/]+/(.+?/)?$`', $C['base_url'])){
- $C['base_url'] = $C['abs_url'] = 0;
-}
-// config rest
-$C['and_mark'] = empty($C['and_mark']) ? 0 : 1;
-$C['anti_link_spam'] = (isset($C['anti_link_spam']) && is_array($C['anti_link_spam']) && count($C['anti_link_spam']) == 2 && (empty($C['anti_link_spam'][0]) or hl_regex($C['anti_link_spam'][0])) && (empty($C['anti_link_spam'][1]) or hl_regex($C['anti_link_spam'][1]))) ? $C['anti_link_spam'] : 0;
-$C['anti_mail_spam'] = isset($C['anti_mail_spam']) ? $C['anti_mail_spam'] : 0;
-$C['balance'] = isset($C['balance']) ? (bool)$C['balance'] : 1;
-$C['cdata'] = isset($C['cdata']) ? $C['cdata'] : (empty($C['safe']) ? 3 : 0);
-$C['clean_ms_char'] = empty($C['clean_ms_char']) ? 0 : $C['clean_ms_char'];
-$C['comment'] = isset($C['comment']) ? $C['comment'] : (empty($C['safe']) ? 3 : 0);
-$C['css_expression'] = empty($C['css_expression']) ? 0 : 1;
-$C['direct_list_nest'] = empty($C['direct_list_nest']) ? 0 : 1;
-$C['hexdec_entity'] = isset($C['hexdec_entity']) ? $C['hexdec_entity'] : 1;
-$C['hook'] = (!empty($C['hook']) && function_exists($C['hook'])) ? $C['hook'] : 0;
-$C['hook_tag'] = (!empty($C['hook_tag']) && function_exists($C['hook_tag'])) ? $C['hook_tag'] : 0;
-$C['keep_bad'] = isset($C['keep_bad']) ? $C['keep_bad'] : 6;
-$C['lc_std_val'] = isset($C['lc_std_val']) ? (bool)$C['lc_std_val'] : 1;
-$C['make_tag_strict'] = isset($C['make_tag_strict']) ? $C['make_tag_strict'] : 1;
-$C['named_entity'] = isset($C['named_entity']) ? (bool)$C['named_entity'] : 1;
-$C['no_deprecated_attr'] = isset($C['no_deprecated_attr']) ? $C['no_deprecated_attr'] : 1;
-$C['parent'] = isset($C['parent'][0]) ? strtolower($C['parent']) : 'body';
-$C['show_setting'] = !empty($C['show_setting']) ? $C['show_setting'] : 0;
-$C['style_pass'] = empty($C['style_pass']) ? 0 : 1;
-$C['tidy'] = empty($C['tidy']) ? 0 : $C['tidy'];
-$C['unique_ids'] = isset($C['unique_ids']) && (!preg_match('`\W`', $C['unique_ids'])) ? $C['unique_ids'] : 1;
-$C['xml:lang'] = isset($C['xml:lang']) ? $C['xml:lang'] : 0;
-
-if(isset($GLOBALS['C'])){$reC = $GLOBALS['C'];}
-$GLOBALS['C'] = $C;
-$S = is_array($S) ? $S : hl_spec($S);
-if(isset($GLOBALS['S'])){$reS = $GLOBALS['S'];}
-$GLOBALS['S'] = $S;
-
-$t = preg_replace('`[\x00-\x08\x0b-\x0c\x0e-\x1f]`', '', $t);
-if($C['clean_ms_char']){
- $x = array("\x7f"=>'', "\x80"=>'&#8364;', "\x81"=>'', "\x83"=>'&#402;', "\x85"=>'&#8230;', "\x86"=>'&#8224;', "\x87"=>'&#8225;', "\x88"=>'&#710;', "\x89"=>'&#8240;', "\x8a"=>'&#352;', "\x8b"=>'&#8249;', "\x8c"=>'&#338;', "\x8d"=>'', "\x8e"=>'&#381;', "\x8f"=>'', "\x90"=>'', "\x95"=>'&#8226;', "\x96"=>'&#8211;', "\x97"=>'&#8212;', "\x98"=>'&#732;', "\x99"=>'&#8482;', "\x9a"=>'&#353;', "\x9b"=>'&#8250;', "\x9c"=>'&#339;', "\x9d"=>'', "\x9e"=>'&#382;', "\x9f"=>'&#376;');
- $x = $x + ($C['clean_ms_char'] == 1 ? array("\x82"=>'&#8218;', "\x84"=>'&#8222;', "\x91"=>'&#8216;', "\x92"=>'&#8217;', "\x93"=>'&#8220;', "\x94"=>'&#8221;') : array("\x82"=>'\'', "\x84"=>'"', "\x91"=>'\'', "\x92"=>'\'', "\x93"=>'"', "\x94"=>'"'));
- $t = strtr($t, $x);
-}
-if($C['cdata'] or $C['comment']){$t = preg_replace_callback('`<!(?:(?:--.*?--)|(?:\[CDATA\[.*?\]\]))>`sm', 'hl_cmtcd', $t);}
-$t = preg_replace_callback('`&amp;([a-zA-Z][a-zA-Z0-9]{1,30}|#(?:[0-9]{1,8}|[Xx][0-9A-Fa-f]{1,7}));`', 'hl_ent', str_replace('&', '&amp;', $t));
-if($C['unique_ids'] && !isset($GLOBALS['hl_Ids'])){$GLOBALS['hl_Ids'] = array();}
-if($C['hook']){$t = $C['hook']($t, $C, $S);}
-if($C['show_setting'] && preg_match('`^[a-z][a-z0-9_]*$`i', $C['show_setting'])){
- $GLOBALS[$C['show_setting']] = array('config'=>$C, 'spec'=>$S, 'time'=>microtime());
-}
-// main
-$t = preg_replace_callback('`<(?:(?:\s|$)|(?:[^>]*(?:>|$)))|>`m', 'hl_tag', $t);
-$t = $C['balance'] ? hl_bal($t, $C['keep_bad'], $C['parent']) : $t;
-$t = (($C['cdata'] or $C['comment']) && strpos($t, "\x01") !== false) ? str_replace(array("\x01", "\x02", "\x03", "\x04", "\x05"), array('', '', '&', '<', '>'), $t) : $t;
-$t = $C['tidy'] ? hl_tidy($t, $C['tidy'], $C['parent']) : $t;
-unset($C, $e);
-if(isset($reC)){$GLOBALS['C'] = $reC;}
-if(isset($reS)){$GLOBALS['S'] = $reS;}
-return $t;
-}
-
-function hl_attrval($a, $t, $p){
-// check attr val against $S
-static $ma = array('accesskey', 'class', 'itemtype', 'rel');
-$s = in_array($a, $ma) ? ' ' : ($a == 'srcset' ? ',': '');
-$r = array();
-$t = !empty($s) ? explode($s, $t) : array($t);
-foreach($t as $tk=>$tv){
- $o = 1; $tv = trim($tv); $l = strlen($tv);
- foreach($p as $k=>$v){
-  if(!$l){continue;}
-  switch($k){
-   case 'maxlen': if($l > $v){$o = 0;}
-   break; case 'minlen': if($l < $v){$o = 0;}
-   break; case 'maxval': if((float)($tv) > $v){$o = 0;}
-   break; case 'minval': if((float)($tv) < $v){$o = 0;}
-   break; case 'match': if(!preg_match($v, $tv)){$o = 0;}
-   break; case 'nomatch': if(preg_match($v, $tv)){$o = 0;}
-   break; case 'oneof':
-    $m = 0;
-    foreach(explode('|', $v) as $n){if($tv == $n){$m = 1; break;}}
-    $o = $m;
-   break; case 'noneof':
-    $m = 1;
-    foreach(explode('|', $v) as $n){if($tv == $n){$m = 0; break;}}
-    $o = $m;
-   break; default:
-   break;
-  }
-  if(!$o){break;}
- }
- if($o){$r[] = $tv;}
-}
-if($s == ','){$s = ', ';} 
-$r = implode($s, $r);
-return (isset($r[0]) ? $r : (isset($p['default']) ? $p['default'] : 0));
-}
-
-function hl_bal($t, $do=1, $in='div'){
-// balance tags
-// by content
-$cB = array('blockquote'=>1, 'form'=>1, 'map'=>1, 'noscript'=>1); // Block
-$cE = array('area'=>1, 'br'=>1, 'col'=>1, 'command'=>1, 'embed'=>1, 'hr'=>1, 'img'=>1, 'input'=>1, 'isindex'=>1, 'keygen'=>1, 'link'=>1, 'meta'=>1, 'param'=>1, 'source'=>1, 'track'=>1, 'wbr'=>1); // Empty
-$cF = array('a'=>1, 'article'=>1, 'aside'=>1, 'audio'=>1, 'button'=>1, 'canvas'=>1, 'del'=>1, 'details'=>1, 'div'=>1, 'dd'=>1, 'fieldset'=>1, 'figure'=>1, 'footer'=>1, 'header'=>1, 'iframe'=>1, 'ins'=>1, 'li'=>1, 'main'=>1, 'menu'=>1, 'nav'=>1, 'noscript'=>1, 'object'=>1, 'section'=>1, 'style'=>1, 'td'=>1, 'th'=>1, 'video'=>1); // Flow; later context-wise dynamic move of ins & del to $cI
-$cI = array('abbr'=>1, 'acronym'=>1, 'address'=>1, 'b'=>1, 'bdi'=>1, 'bdo'=>1, 'big'=>1, 'caption'=>1, 'cite'=>1, 'code'=>1, 'data'=>1, 'datalist'=>1, 'dfn'=>1, 'dt'=>1, 'em'=>1, 'figcaption'=>1, 'font'=>1, 'h1'=>1, 'h2'=>1, 'h3'=>1, 'h4'=>1, 'h5'=>1, 'h6'=>1, 'hgroup'=>1, 'i'=>1, 'kbd'=>1, 'label'=>1, 'legend'=>1, 'mark'=>1, 'meter'=>1, 'output'=>1, 'p'=>1, 'pre'=>1, 'progress'=>1, 'q'=>1, 'rb'=>1, 'rt'=>1, 's'=>1, 'samp'=>1, 'small'=>1, 'span'=>1, 'strike'=>1, 'strong'=>1, 'sub'=>1, 'summary'=>1, 'sup'=>1, 'time'=>1, 'tt'=>1, 'u'=>1, 'var'=>1); // Inline
-$cN = array('a'=>array('a'=>1, 'address'=>1, 'button'=>1, 'details'=>1, 'embed'=>1, 'keygen'=>1, 'label'=>1, 'select'=>1, 'textarea'=>1), 'address'=>array('address'=>1, 'article'=>1, 'aside'=>1, 'header'=>1, 'keygen'=>1, 'footer'=>1, 'nav'=>1, 'section'=>1), 'button'=>array('a'=>1, 'address'=>1, 'button'=>1, 'details'=>1, 'embed'=>1, 'fieldset'=>1, 'form'=>1, 'iframe'=>1, 'input'=>1, 'keygen'=>1, 'label'=>1, 'select'=>1, 'textarea'=>1), 'fieldset'=>array('fieldset'=>1), 'footer'=>array('header'=>1, 'footer'=>1), 'form'=>array('form'=>1), 'header'=>array('header'=>1, 'footer'=>1), 'label'=>array('label'=>1), 'main'=>array('main'=>1), 'meter'=>array('meter'=>1), 'noscript'=>array('script'=>1), 'pre'=>array('big'=>1, 'font'=>1, 'img'=>1, 'object'=>1, 'script'=>1, 'small'=>1, 'sub'=>1, 'sup'=>1), 'progress'=>array('progress'=>1), 'rb'=>array('ruby'=>1), 'rt'=>array('ruby'=>1), 'time'=>array('time'=>1), ); // Illegal
-$cN2 = array_keys($cN);
-$cS = array('colgroup'=>array('col'=>1), 'datalist'=>array('option'=>1), 'dir'=>array('li'=>1), 'dl'=>array('dd'=>1, 'dt'=>1), 'hgroup'=>array('h1'=>1, 'h2'=>1, 'h3'=>1, 'h4'=>1, 'h5'=>1, 'h6'=>1), 'menu'=>array('li'=>1), 'ol'=>array('li'=>1), 'optgroup'=>array('option'=>1), 'option'=>array('#pcdata'=>1), 'rbc'=>array('rb'=>1), 'rp'=>array('#pcdata'=>1), 'rtc'=>array('rt'=>1), 'ruby'=>array('rb'=>1, 'rbc'=>1, 'rp'=>1, 'rt'=>1, 'rtc'=>1), 'select'=>array('optgroup'=>1, 'option'=>1), 'script'=>array('#pcdata'=>1), 'table'=>array('caption'=>1, 'col'=>1, 'colgroup'=>1, 'tfoot'=>1, 'tbody'=>1, 'tr'=>1, 'thead'=>1), 'tbody'=>array('tr'=>1), 'tfoot'=>array('tr'=>1), 'textarea'=>array('#pcdata'=>1), 'thead'=>array('tr'=>1), 'tr'=>array('td'=>1, 'th'=>1), 'ul'=>array('li'=>1)); // Specific - immediate parent-child
-if($GLOBALS['C']['direct_list_nest']){$cS['ol'] = $cS['ul'] = $cS['menu'] += array('menu'=>1, 'ol'=>1, 'ul'=>1);}
-$cO = array('address'=>array('p'=>1), 'applet'=>array('param'=>1), 'audio'=>array('source'=>1, 'track'=>1), 'blockquote'=>array('script'=>1), 'details'=>array('summary'=>1), 'fieldset'=>array('legend'=>1, '#pcdata'=>1),  'figure'=>array('figcaption'=>1),'form'=>array('script'=>1), 'map'=>array('area'=>1), 'object'=>array('param'=>1, 'embed'=>1), 'video'=>array('source'=>1, 'track'=>1)); // Other
-$cT = array('colgroup'=>1, 'dd'=>1, 'dt'=>1, 'li'=>1, 'option'=>1, 'p'=>1, 'td'=>1, 'tfoot'=>1, 'th'=>1, 'thead'=>1, 'tr'=>1); // Omitable closing
-// block/inline type; a/ins/del both type; #pcdata: text
-$eB = array('a'=>1, 'address'=>1, 'article'=>1, 'aside'=>1, 'blockquote'=>1, 'center'=>1, 'del'=>1, 'details'=>1, 'dir'=>1, 'dl'=>1, 'div'=>1, 'fieldset'=>1, 'figure'=>1, 'footer'=>1, 'form'=>1, 'ins'=>1, 'h1'=>1, 'h2'=>1, 'h3'=>1, 'h4'=>1, 'h5'=>1, 'h6'=>1, 'header'=>1, 'hr'=>1, 'isindex'=>1, 'main'=>1, 'menu'=>1, 'nav'=>1, 'noscript'=>1, 'ol'=>1, 'p'=>1, 'pre'=>1, 'section'=>1, 'style'=>1, 'table'=>1, 'ul'=>1);
-$eI = array('#pcdata'=>1, 'a'=>1, 'abbr'=>1, 'acronym'=>1, 'applet'=>1, 'audio'=>1, 'b'=>1, 'bdi'=>1, 'bdo'=>1, 'big'=>1, 'br'=>1, 'button'=>1, 'canvas'=>1, 'cite'=>1, 'code'=>1, 'command'=>1, 'data'=>1, 'datalist'=>1, 'del'=>1, 'dfn'=>1, 'em'=>1, 'embed'=>1, 'figcaption'=>1, 'font'=>1, 'i'=>1, 'iframe'=>1, 'img'=>1, 'input'=>1, 'ins'=>1, 'kbd'=>1, 'label'=>1, 'link'=>1, 'map'=>1, 'mark'=>1, 'meta'=>1, 'meter'=>1, 'object'=>1, 'output'=>1, 'progress'=>1, 'q'=>1, 'ruby'=>1, 's'=>1, 'samp'=>1, 'select'=>1, 'script'=>1, 'small'=>1, 'span'=>1, 'strike'=>1, 'strong'=>1, 'sub'=>1, 'summary'=>1, 'sup'=>1, 'textarea'=>1, 'time'=>1, 'tt'=>1, 'u'=>1, 'var'=>1, 'video'=>1, 'wbr'=>1);
-$eN = array('a'=>1, 'address'=>1, 'article'=>1, 'aside'=>1, 'big'=>1, 'button'=>1, 'details'=>1, 'embed'=>1, 'fieldset'=>1, 'font'=>1, 'footer'=>1, 'form'=>1, 'header'=>1, 'iframe'=>1, 'img'=>1, 'input'=>1, 'keygen'=>1, 'label'=>1, 'meter'=>1, 'nav'=>1, 'object'=>1, 'progress'=>1, 'ruby'=>1, 'script'=>1, 'select'=>1, 'small'=>1, 'sub'=>1, 'sup'=>1, 'textarea'=>1, 'time'=>1); // Exclude from specific ele; $cN values
-$eO = array('area'=>1, 'caption'=>1, 'col'=>1, 'colgroup'=>1, 'command'=>1, 'dd'=>1, 'dt'=>1, 'hgroup'=>1, 'keygen'=>1, 'legend'=>1, 'li'=>1, 'optgroup'=>1, 'option'=>1, 'param'=>1, 'rb'=>1, 'rbc'=>1, 'rp'=>1, 'rt'=>1, 'rtc'=>1, 'script'=>1, 'source'=>1, 'tbody'=>1, 'td'=>1, 'tfoot'=>1, 'thead'=>1, 'th'=>1, 'tr'=>1, 'track'=>1); // Missing in $eB & $eI
-$eF = $eB + $eI;
-
-// $in sets allowed child
-$in = ((isset($eF[$in]) && $in != '#pcdata') or isset($eO[$in])) ? $in : 'div';
-if(isset($cE[$in])){
- return (!$do ? '' : str_replace(array('<', '>'), array('&lt;', '&gt;'), $t));
-}
-if(isset($cS[$in])){$inOk = $cS[$in];}
-elseif(isset($cI[$in])){$inOk = $eI; $cI['del'] = 1; $cI['ins'] = 1;}
-elseif(isset($cF[$in])){$inOk = $eF; unset($cI['del'], $cI['ins']);}
-elseif(isset($cB[$in])){$inOk = $eB; unset($cI['del'], $cI['ins']);}
-if(isset($cO[$in])){$inOk = $inOk + $cO[$in];}
-if(isset($cN[$in])){$inOk = array_diff_assoc($inOk, $cN[$in]);}
-
-$t = explode('<', $t);
-$ok = $q = array(); // $q seq list of open non-empty ele
-ob_start();
-
-for($i=-1, $ci=count($t); ++$i<$ci;){
- // allowed $ok in parent $p
- if($ql = count($q)){
-  $p = array_pop($q);
-  $q[] = $p;
-  if(isset($cS[$p])){$ok = $cS[$p];}
-  elseif(isset($cI[$p])){$ok = $eI; $cI['del'] = 1; $cI['ins'] = 1;}
-  elseif(isset($cF[$p])){$ok = $eF; unset($cI['del'], $cI['ins']);}
-  elseif(isset($cB[$p])){$ok = $eB; unset($cI['del'], $cI['ins']);}
-  if(isset($cO[$p])){$ok = $ok + $cO[$p];}
-  if(isset($cN[$p])){$ok = array_diff_assoc($ok, $cN[$p]);}
- }else{$ok = $inOk; unset($cI['del'], $cI['ins']);}
- // bad tags, & ele content
- if(isset($e) && ($do == 1 or (isset($ok['#pcdata']) && ($do == 3 or $do == 5)))){
-  echo '&lt;', $s, $e, $a, '&gt;';
- }
- if(isset($x[0])){
-  if(strlen(trim($x)) && (($ql && isset($cB[$p])) or (isset($cB[$in]) && !$ql))){
-   echo '<div>', $x, '</div>';
-  }
-  elseif($do < 3 or isset($ok['#pcdata'])){echo $x;}
-  elseif(strpos($x, "\x02\x04")){
-   foreach(preg_split('`(\x01\x02[^\x01\x02]+\x02\x01)`', $x, -1, PREG_SPLIT_DELIM_CAPTURE | PREG_SPLIT_NO_EMPTY) as $v){
-    echo (substr($v, 0, 2) == "\x01\x02" ? $v : ($do > 4 ? preg_replace('`\S`', '', $v) : ''));
-   }
-  }elseif($do > 4){echo preg_replace('`\S`', '', $x);}
- }
- // get markup
- if(!preg_match('`^(/?)([a-z1-6]+)([^>]*)>(.*)`sm', $t[$i], $r)){$x = $t[$i]; continue;}
- $s = null; $e = null; $a = null; $x = null; list($all, $s, $e, $a, $x) = $r;
- // close tag
- if($s){
-  if(isset($cE[$e]) or !in_array($e, $q)){continue;} // Empty/unopen
-  if($p == $e){array_pop($q); echo '</', $e, '>'; unset($e); continue;} // Last open
-  $add = ''; // Nesting - close open tags that need to be
-  for($j=-1, $cj=count($q); ++$j<$cj;){  
-   if(($d = array_pop($q)) == $e){break;}
-   else{$add .= "</{$d}>";}
-  }
-  echo $add, '</', $e, '>'; unset($e); continue;
- }
- // open tag
- // $cB ele needs $eB ele as child
- if(isset($cB[$e]) && strlen(trim($x))){
-  $t[$i] = "{$e}{$a}>";
-  array_splice($t, $i+1, 0, 'div>'. $x); unset($e, $x); ++$ci; --$i; continue;
- }
- if((($ql && isset($cB[$p])) or (isset($cB[$in]) && !$ql)) && !isset($eB[$e]) && !isset($ok[$e])){
-  array_splice($t, $i, 0, 'div>'); unset($e, $x); ++$ci; --$i; continue;
- }
- // if no open ele, $in = parent; mostly immediate parent-child relation should hold
- if(!$ql or !isset($eN[$e]) or !array_intersect($q, $cN2)){
-  if(!isset($ok[$e])){
-   if($ql && isset($cT[$p])){echo '</', array_pop($q), '>'; unset($e, $x); --$i;}
-   continue;
-  }
-  if(!isset($cE[$e])){$q[] = $e;}
-  echo '<', $e, $a, '>'; unset($e); continue;
- }
- // specific parent-child
- if(isset($cS[$p][$e])){
-  if(!isset($cE[$e])){$q[] = $e;}
-  echo '<', $e, $a, '>'; unset($e); continue;
- }
- // nesting
- $add = '';
- $q2 = array();
- for($k=-1, $kc=count($q); ++$k<$kc;){
-  $d = $q[$k];
-  $ok2 = array();
-  if(isset($cS[$d])){$q2[] = $d; continue;}
-  $ok2 = isset($cI[$d]) ? $eI : $eF;
-  if(isset($cO[$d])){$ok2 = $ok2 + $cO[$d];}
-  if(isset($cN[$d])){$ok2 = array_diff_assoc($ok2, $cN[$d]);}
-  if(!isset($ok2[$e])){
-   if(!$k && !isset($inOk[$e])){continue 2;}
-   $add = "</{$d}>";
-   for(;++$k<$kc;){$add = "</{$q[$k]}>{$add}";}
-   break;
-  }
-  else{$q2[] = $d;}
- }
- $q = $q2;
- if(!isset($cE[$e])){$q[] = $e;}
- echo $add, '<', $e, $a, '>'; unset($e); continue;
-}
-
-// end
-if($ql = count($q)){
- $p = array_pop($q);
- $q[] = $p;
- if(isset($cS[$p])){$ok = $cS[$p];}
- elseif(isset($cI[$p])){$ok = $eI; $cI['del'] = 1; $cI['ins'] = 1;}
- elseif(isset($cF[$p])){$ok = $eF; unset($cI['del'], $cI['ins']);}
- elseif(isset($cB[$p])){$ok = $eB; unset($cI['del'], $cI['ins']);}
- if(isset($cO[$p])){$ok = $ok + $cO[$p];}
- if(isset($cN[$p])){$ok = array_diff_assoc($ok, $cN[$p]);}
-}else{$ok = $inOk; unset($cI['del'], $cI['ins']);}
-if(isset($e) && ($do == 1 or (isset($ok['#pcdata']) && ($do == 3 or $do == 5)))){
- echo '&lt;', $s, $e, $a, '&gt;';
-}
-if(isset($x[0])){
- if(strlen(trim($x)) && (($ql && isset($cB[$p])) or (isset($cB[$in]) && !$ql))){
-  echo '<div>', $x, '</div>';
- }
- elseif($do < 3 or isset($ok['#pcdata'])){echo $x;}
- elseif(strpos($x, "\x02\x04")){
-  foreach(preg_split('`(\x01\x02[^\x01\x02]+\x02\x01)`', $x, -1, PREG_SPLIT_DELIM_CAPTURE | PREG_SPLIT_NO_EMPTY) as $v){
-   echo (substr($v, 0, 2) == "\x01\x02" ? $v : ($do > 4 ? preg_replace('`\S`', '', $v) : ''));
-  }
- }elseif($do > 4){echo preg_replace('`\S`', '', $x);}
-}
-while(!empty($q) && ($e = array_pop($q))){echo '</', $e, '>';}
-$o = ob_get_contents();
-ob_end_clean();
-return $o;
-}
-
-function hl_cmtcd($t){
-// comment/CDATA sec handler
-$t = $t[0];
-global $C;
-if(!($v = $C[$n = $t[3] == '-' ? 'comment' : 'cdata'])){return $t;}
-if($v == 1){return '';}
-if($n == 'comment' && $v < 4){
- if(substr(($t = preg_replace('`--+`', '-', substr($t, 4, -3))), -1) != ' '){$t .= ' ';}
-}
-else{$t = substr($t, 1, -1);}
-$t = $v == 2 ? str_replace(array('&', '<', '>'), array('&amp;', '&lt;', '&gt;'), $t) : $t;
-return str_replace(array('&', '<', '>'), array("\x03", "\x04", "\x05"), ($n == 'comment' ? "\x01\x02\x04!--$t--\x05\x02\x01" : "\x01\x01\x04$t\x05\x01\x01"));
-}
-
-function hl_ent($t){
-// entitity handler
-global $C;
-$t = $t[1];
-static $U = array('quot'=>1,'amp'=>1,'lt'=>1,'gt'=>1);
-static $N = array('fnof'=>'402', 'Alpha'=>'913', 'Beta'=>'914', 'Gamma'=>'915', 'Delta'=>'916', 'Epsilon'=>'917', 'Zeta'=>'918', 'Eta'=>'919', 'Theta'=>'920', 'Iota'=>'921', 'Kappa'=>'922', 'Lambda'=>'923', 'Mu'=>'924', 'Nu'=>'925', 'Xi'=>'926', 'Omicron'=>'927', 'Pi'=>'928', 'Rho'=>'929', 'Sigma'=>'931', 'Tau'=>'932', 'Upsilon'=>'933', 'Phi'=>'934', 'Chi'=>'935', 'Psi'=>'936', 'Omega'=>'937', 'alpha'=>'945', 'beta'=>'946', 'gamma'=>'947', 'delta'=>'948', 'epsilon'=>'949', 'zeta'=>'950', 'eta'=>'951', 'theta'=>'952', 'iota'=>'953', 'kappa'=>'954', 'lambda'=>'955', 'mu'=>'956', 'nu'=>'957', 'xi'=>'958', 'omicron'=>'959', 'pi'=>'960', 'rho'=>'961', 'sigmaf'=>'962', 'sigma'=>'963', 'tau'=>'964', 'upsilon'=>'965', 'phi'=>'966', 'chi'=>'967', 'psi'=>'968', 'omega'=>'969', 'thetasym'=>'977', 'upsih'=>'978', 'piv'=>'982', 'bull'=>'8226', 'hellip'=>'8230', 'prime'=>'8242', 'Prime'=>'8243', 'oline'=>'8254', 'frasl'=>'8260', 'weierp'=>'8472', 'image'=>'8465', 'real'=>'8476', 'trade'=>'8482', 'alefsym'=>'8501', 'larr'=>'8592', 'uarr'=>'8593', 'rarr'=>'8594', 'darr'=>'8595', 'harr'=>'8596', 'crarr'=>'8629', 'lArr'=>'8656', 'uArr'=>'8657', 'rArr'=>'8658', 'dArr'=>'8659', 'hArr'=>'8660', 'forall'=>'8704', 'part'=>'8706', 'exist'=>'8707', 'empty'=>'8709', 'nabla'=>'8711', 'isin'=>'8712', 'notin'=>'8713', 'ni'=>'8715', 'prod'=>'8719', 'sum'=>'8721', 'minus'=>'8722', 'lowast'=>'8727', 'radic'=>'8730', 'prop'=>'8733', 'infin'=>'8734', 'ang'=>'8736', 'and'=>'8743', 'or'=>'8744', 'cap'=>'8745', 'cup'=>'8746', 'int'=>'8747', 'there4'=>'8756', 'sim'=>'8764', 'cong'=>'8773', 'asymp'=>'8776', 'ne'=>'8800', 'equiv'=>'8801', 'le'=>'8804', 'ge'=>'8805', 'sub'=>'8834', 'sup'=>'8835', 'nsub'=>'8836', 'sube'=>'8838', 'supe'=>'8839', 'oplus'=>'8853', 'otimes'=>'8855', 'perp'=>'8869', 'sdot'=>'8901', 'lceil'=>'8968', 'rceil'=>'8969', 'lfloor'=>'8970', 'rfloor'=>'8971', 'lang'=>'9001', 'rang'=>'9002', 'loz'=>'9674', 'spades'=>'9824', 'clubs'=>'9827', 'hearts'=>'9829', 'diams'=>'9830', 'apos'=>'39',  'OElig'=>'338', 'oelig'=>'339', 'Scaron'=>'352', 'scaron'=>'353', 'Yuml'=>'376', 'circ'=>'710', 'tilde'=>'732', 'ensp'=>'8194', 'emsp'=>'8195', 'thinsp'=>'8201', 'zwnj'=>'8204', 'zwj'=>'8205', 'lrm'=>'8206', 'rlm'=>'8207', 'ndash'=>'8211', 'mdash'=>'8212', 'lsquo'=>'8216', 'rsquo'=>'8217', 'sbquo'=>'8218', 'ldquo'=>'8220', 'rdquo'=>'8221', 'bdquo'=>'8222', 'dagger'=>'8224', 'Dagger'=>'8225', 'permil'=>'8240', 'lsaquo'=>'8249', 'rsaquo'=>'8250', 'euro'=>'8364', 'nbsp'=>'160', 'iexcl'=>'161', 'cent'=>'162', 'pound'=>'163', 'curren'=>'164', 'yen'=>'165', 'brvbar'=>'166', 'sect'=>'167', 'uml'=>'168', 'copy'=>'169', 'ordf'=>'170', 'laquo'=>'171', 'not'=>'172', 'shy'=>'173', 'reg'=>'174', 'macr'=>'175', 'deg'=>'176', 'plusmn'=>'177', 'sup2'=>'178', 'sup3'=>'179', 'acute'=>'180', 'micro'=>'181', 'para'=>'182', 'middot'=>'183', 'cedil'=>'184', 'sup1'=>'185', 'ordm'=>'186', 'raquo'=>'187', 'frac14'=>'188', 'frac12'=>'189', 'frac34'=>'190', 'iquest'=>'191', 'Agrave'=>'192', 'Aacute'=>'193', 'Acirc'=>'194', 'Atilde'=>'195', 'Auml'=>'196', 'Aring'=>'197', 'AElig'=>'198', 'Ccedil'=>'199', 'Egrave'=>'200', 'Eacute'=>'201', 'Ecirc'=>'202', 'Euml'=>'203', 'Igrave'=>'204', 'Iacute'=>'205', 'Icirc'=>'206', 'Iuml'=>'207', 'ETH'=>'208', 'Ntilde'=>'209', 'Ograve'=>'210', 'Oacute'=>'211', 'Ocirc'=>'212', 'Otilde'=>'213', 'Ouml'=>'214', 'times'=>'215', 'Oslash'=>'216', 'Ugrave'=>'217', 'Uacute'=>'218', 'Ucirc'=>'219', 'Uuml'=>'220', 'Yacute'=>'221', 'THORN'=>'222', 'szlig'=>'223', 'agrave'=>'224', 'aacute'=>'225', 'acirc'=>'226', 'atilde'=>'227', 'auml'=>'228', 'aring'=>'229', 'aelig'=>'230', 'ccedil'=>'231', 'egrave'=>'232', 'eacute'=>'233', 'ecirc'=>'234', 'euml'=>'235', 'igrave'=>'236', 'iacute'=>'237', 'icirc'=>'238', 'iuml'=>'239', 'eth'=>'240', 'ntilde'=>'241', 'ograve'=>'242', 'oacute'=>'243', 'ocirc'=>'244', 'otilde'=>'245', 'ouml'=>'246', 'divide'=>'247', 'oslash'=>'248', 'ugrave'=>'249', 'uacute'=>'250', 'ucirc'=>'251', 'uuml'=>'252', 'yacute'=>'253', 'thorn'=>'254', 'yuml'=>'255');
-if($t[0] != '#'){
- return ($C['and_mark'] ? "\x06" : '&'). (isset($U[$t]) ? $t : (isset($N[$t]) ? (!$C['named_entity'] ? '#'. ($C['hexdec_entity'] > 1 ? 'x'. dechex($N[$t]) : $N[$t]) : $t) : 'amp;'. $t)). ';';
-}
-if(($n = ctype_digit($t = substr($t, 1)) ? intval($t) : hexdec(substr($t, 1))) < 9 or ($n > 13 && $n < 32) or $n == 11 or $n == 12 or ($n > 126 && $n < 160 && $n != 133) or ($n > 55295 && ($n < 57344 or ($n > 64975 && $n < 64992) or $n == 65534 or $n == 65535 or $n > 1114111))){
- return ($C['and_mark'] ? "\x06" : '&'). "amp;#{$t};";
-}
-return ($C['and_mark'] ? "\x06" : '&'). '#'. (((ctype_digit($t) && $C['hexdec_entity'] < 2) or !$C['hexdec_entity']) ? $n : 'x'. dechex($n)). ';';
-}
-
-function hl_prot($p, $c=null){
-// check URL scheme
-global $C;
-$b = $a = '';
-if($c == null){$c = 'style'; $b = $p[1]; $a = $p[3]; $p = trim($p[2]);}
-$c = isset($C['schemes'][$c]) ? $C['schemes'][$c] : $C['schemes']['*'];
-static $d = 'denied:';
-if(isset($c['!']) && substr($p, 0, 7) != $d){$p = "$d$p";}
-if(isset($c['*']) or !strcspn($p, '#?;') or (substr($p, 0, 7) == $d)){return "{$b}{$p}{$a}";} // All ok, frag, query, param
-if(preg_match('`^([^:?[@!$()*,=/\'\]]+?)(:|&#(58|x3a);|%3a|\\\\0{0,4}3a).`i', $p, $m) && !isset($c[strtolower($m[1])])){ // Denied prot
- return "{$b}{$d}{$p}{$a}";
-}
-if($C['abs_url']){
- if($C['abs_url'] == -1 && strpos($p, $C['base_url']) === 0){ // Make url rel
-  $p = substr($p, strlen($C['base_url']));
- }elseif(empty($m[1])){ // Make URL abs
-  if(substr($p, 0, 2) == '//'){$p = substr($C['base_url'], 0, strpos($C['base_url'], ':')+1). $p;}
-  elseif($p[0] == '/'){$p = preg_replace('`(^.+?://[^/]+)(.*)`', '$1', $C['base_url']). $p;}
-  elseif(strcspn($p, './')){$p = $C['base_url']. $p;}
-  else{
-   preg_match('`^([a-zA-Z\d\-+.]+://[^/]+)(.*)`', $C['base_url'], $m);
-   $p = preg_replace('`(?<=/)\./`', '', $m[2]. $p);
-   while(preg_match('`(?<=/)([^/]{3,}|[^/.]+?|\.[^/.]|[^/.]\.)/\.\./`', $p)){
-    $p = preg_replace('`(?<=/)([^/]{3,}|[^/.]+?|\.[^/.]|[^/.]\.)/\.\./`', '', $p);
-   }
-   $p = $m[1]. $p;
-  }
- }
-}
-return "{$b}{$p}{$a}";
-}
-
-function hl_regex($p){
-// check regex
-if(empty($p)){return 0;}
-if($v = function_exists('error_clear_last') && function_exists('error_get_last')){error_clear_last();}
-else{
- if($t = ini_get('track_errors')){$o = isset($php_errormsg) ? $php_errormsg : null;}
- else{ini_set('track_errors', 1);}
- unset($php_errormsg);
-}
-if(($d = ini_get('display_errors'))){ini_set('display_errors', 0);}
-preg_match($p, '');
-if($v){$r = error_get_last() == null ? 1 : 0; }
-else{
- $r = isset($php_errormsg) ? 0 : 1;
- if($t){$php_errormsg = isset($o) ? $o : null;}
- else{ini_set('track_errors', 0);}
-}
-if($d){ini_set('display_errors', 1);}
-return $r;
-}
-
-function hl_spec($t){
-// final $spec
-$s = array();
-if(!function_exists('hl_aux1')){function hl_aux1($m){
- return substr(str_replace(array(";", "|", "~", " ", ",", "/", "(", ")", '`"'), array("\x01", "\x02", "\x03", "\x04", "\x05", "\x06", "\x07", "\x08", '"'), $m[0]), 1, -1);
-}}
-$t = str_replace(array("\t", "\r", "\n", ' '), '', preg_replace_callback('/"(?>(`.|[^"])*)"/sm', 'hl_aux1', trim($t))); 
-for($i = count(($t = explode(';', $t))); --$i>=0;){
- $w = $t[$i];
- if(empty($w) or ($e = strpos($w, '=')) === false or !strlen(($a =  substr($w, $e+1)))){continue;}
- $y = $n = array();
- foreach(explode(',', $a) as $v){
-  if(!preg_match('`^([a-z:\-\*]+)(?:\((.*?)\))?`i', $v, $m)){continue;}
-  if(($x = strtolower($m[1])) == '-*'){$n['*'] = 1; continue;}
-  if($x[0] == '-'){$n[substr($x, 1)] = 1; continue;}
-  if(!isset($m[2])){$y[$x] = 1; continue;}
-  foreach(explode('/', $m[2]) as $m){
-   if(empty($m) or ($p = strpos($m, '=')) == 0 or $p < 5){$y[$x] = 1; continue;}
-   $y[$x][strtolower(substr($m, 0, $p))] = str_replace(array("\x01", "\x02", "\x03", "\x04", "\x05", "\x06", "\x07", "\x08"), array(";", "|", "~", " ", ",", "/", "(", ")"), substr($m, $p+1));
-  }
-  if(isset($y[$x]['match']) && !hl_regex($y[$x]['match'])){unset($y[$x]['match']);}
-  if(isset($y[$x]['nomatch']) && !hl_regex($y[$x]['nomatch'])){unset($y[$x]['nomatch']);}
- }
- if(!count($y) && !count($n)){continue;}
- foreach(explode(',', substr($w, 0, $e)) as $v){
-  if(!strlen(($v = strtolower($v)))){continue;}
-  if(count($y)){if(!isset($s[$v])){$s[$v] = $y;} else{$s[$v] = array_merge($s[$v], $y);}}
-  if(count($n)){if(!isset($s[$v]['n'])){$s[$v]['n'] = $n;} else{$s[$v]['n'] = array_merge($s[$v]['n'], $n);}}
- }
-}
-return $s;
-}
-
-function hl_tag($t){
-// tag/attribute handler
-global $C;
-$t = $t[0];
-// invalid < >
-if($t == '< '){return '&lt; ';}
-if($t == '>'){return '&gt;';}
-if(!preg_match('`^<(/?)([a-zA-Z][a-zA-Z1-6]*)([^>]*?)\s?>$`m', $t, $m)){
- return str_replace(array('<', '>'), array('&lt;', '&gt;'), $t);
-}elseif(!isset($C['elements'][($e = strtolower($m[2]))])){
- return (($C['keep_bad']%2) ? str_replace(array('<', '>'), array('&lt;', '&gt;'), $t) : '');
-}
-// attr string
-$a = str_replace(array("\n", "\r", "\t"), ' ', trim($m[3]));
-// tag transform
-static $eD = array('acronym'=>1, 'applet'=>1, 'big'=>1, 'center'=>1, 'dir'=>1, 'font'=>1, 'isindex'=>1, 's'=>1, 'strike'=>1, 'tt'=>1); // Deprecated
-if($C['make_tag_strict'] && isset($eD[$e])){
- $trt = hl_tag2($e, $a, $C['make_tag_strict']);
- if(!$e){return (($C['keep_bad']%2) ? str_replace(array('<', '>'), array('&lt;', '&gt;'), $t) : '');}
-}
-// close tag
-static $eE = array('area'=>1, 'br'=>1, 'col'=>1, 'command'=>1, 'embed'=>1, 'hr'=>1, 'img'=>1, 'input'=>1, 'isindex'=>1, 'keygen'=>1, 'link'=>1, 'meta'=>1, 'param'=>1, 'source'=>1, 'track'=>1, 'wbr'=>1); // Empty ele
-if(!empty($m[1])){
- return (!isset($eE[$e]) ? (empty($C['hook_tag']) ? "</$e>" : $C['hook_tag']($e)) : (($C['keep_bad'])%2 ? str_replace(array('<', '>'), array('&lt;', '&gt;'), $t) : ''));
-}
-
-// open tag & attr
-static $aN = array('abbr'=>array('td'=>1, 'th'=>1), 'accept'=>array('form'=>1, 'input'=>1), 'accept-charset'=>array('form'=>1), 'action'=>array('form'=>1), 'align'=>array('applet'=>1, 'caption'=>1, 'col'=>1, 'colgroup'=>1, 'div'=>1, 'embed'=>1, 'h1'=>1, 'h2'=>1, 'h3'=>1, 'h4'=>1, 'h5'=>1, 'h6'=>1, 'hr'=>1, 'iframe'=>1, 'img'=>1, 'input'=>1, 'legend'=>1, 'object'=>1, 'p'=>1, 'table'=>1, 'tbody'=>1, 'td'=>1, 'tfoot'=>1, 'th'=>1, 'thead'=>1, 'tr'=>1), 'allowfullscreen'=>array('iframe'=>1), 'alt'=>array('applet'=>1, 'area'=>1, 'img'=>1, 'input'=>1), 'archive'=>array('applet'=>1, 'object'=>1), 'async'=>array('script'=>1), 'autocomplete'=>array('form'=>1, 'input'=>1), 'autofocus'=>array('button'=>1, 'input'=>1, 'keygen'=>1, 'select'=>1, 'textarea'=>1), 'autoplay'=>array('audio'=>1, 'video'=>1), 'axis'=>array('td'=>1, 'th'=>1), 'bgcolor'=>array('embed'=>1, 'table'=>1, 'td'=>1, 'th'=>1, 'tr'=>1), 'border'=>array('img'=>1, 'object'=>1, 'table'=>1), 'bordercolor'=>array('table'=>1, 'td'=>1, 'tr'=>1), 'cellpadding'=>array('table'=>1), 'cellspacing'=>array('table'=>1), 'challenge'=>array('keygen'=>1), 'char'=>array('col'=>1, 'colgroup'=>1, 'tbody'=>1, 'td'=>1, 'tfoot'=>1, 'th'=>1, 'thead'=>1, 'tr'=>1), 'charoff'=>array('col'=>1, 'colgroup'=>1, 'tbody'=>1, 'td'=>1, 'tfoot'=>1, 'th'=>1, 'thead'=>1, 'tr'=>1), 'charset'=>array('a'=>1, 'script'=>1), 'checked'=>array('command'=>1, 'input'=>1), 'cite'=>array('blockquote'=>1, 'del'=>1, 'ins'=>1, 'q'=>1), 'classid'=>array('object'=>1), 'clear'=>array('br'=>1), 'code'=>array('applet'=>1), 'codebase'=>array('applet'=>1, 'object'=>1), 'codetype'=>array('object'=>1), 'color'=>array('font'=>1), 'cols'=>array('textarea'=>1), 'colspan'=>array('td'=>1, 'th'=>1), 'compact'=>array('dir'=>1, 'dl'=>1, 'menu'=>1, 'ol'=>1, 'ul'=>1), 'content'=>array('meta'=>1), 'controls'=>array('audio'=>1, 'video'=>1), 'coords'=>array('a'=>1, 'area'=>1), 'crossorigin'=>array('img'=>1), 'data'=>array('object'=>1), 'datetime'=>array('del'=>1, 'ins'=>1, 'time'=>1), 'declare'=>array('object'=>1), 'default'=>array('track'=>1), 'defer'=>array('script'=>1), 'dirname'=>array('input'=>1, 'textarea'=>1), 'disabled'=>array('button'=>1, 'command'=>1, 'fieldset'=>1, 'input'=>1, 'keygen'=>1, 'optgroup'=>1, 'option'=>1, 'select'=>1, 'textarea'=>1), 'download'=>array('a'=>1), 'enctype'=>array('form'=>1), 'face'=>array('font'=>1), 'flashvars'=>array('embed'=>1), 'for'=>array('label'=>1, 'output'=>1), 'form'=>array('button'=>1, 'fieldset'=>1, 'input'=>1, 'keygen'=>1, 'label'=>1, 'object'=>1, 'output'=>1, 'select'=>1, 'textarea'=>1), 'formaction'=>array('button'=>1, 'input'=>1), 'formenctype'=>array('button'=>1, 'input'=>1), 'formmethod'=>array('button'=>1, 'input'=>1), 'formnovalidate'=>array('button'=>1, 'input'=>1), 'formtarget'=>array('button'=>1, 'input'=>1), 'frame'=>array('table'=>1), 'frameborder'=>array('iframe'=>1), 'headers'=>array('td'=>1, 'th'=>1), 'height'=>array('applet'=>1, 'canvas'=>1, 'embed'=>1, 'iframe'=>1, 'img'=>1, 'input'=>1, 'object'=>1, 'td'=>1, 'th'=>1, 'video'=>1), 'high'=>array('meter'=>1), 'href'=>array('a'=>1, 'area'=>1, 'link'=>1), 'hreflang'=>array('a'=>1, 'area'=>1, 'link'=>1), 'hspace'=>array('applet'=>1, 'embed'=>1, 'img'=>1, 'object'=>1), 'icon'=>array('command'=>1), 'ismap'=>array('img'=>1, 'input'=>1), 'keyparams'=>array('keygen'=>1), 'keytype'=>array('keygen'=>1), 'kind'=>array('track'=>1), 'label'=>array('command'=>1, 'menu'=>1, 'option'=>1, 'optgroup'=>1, 'track'=>1), 'language'=>array('script'=>1), 'list'=>array('input'=>1), 'longdesc'=>array('img'=>1, 'iframe'=>1), 'loop'=>array('audio'=>1, 'video'=>1), 'low'=>array('meter'=>1), 'marginheight'=>array('iframe'=>1), 'marginwidth'=>array('iframe'=>1), 'max'=>array('input'=>1, 'meter'=>1, 'progress'=>1), 'maxlength'=>array('input'=>1, 'textarea'=>1), 'media'=>array('a'=>1, 'area'=>1, 'link'=>1, 'source'=>1, 'style'=>1), 'mediagroup'=>array('audio'=>1, 'video'=>1), 'method'=>array('form'=>1), 'min'=>array('input'=>1, 'meter'=>1), 'model'=>array('embed'=>1), 'multiple'=>array('input'=>1, 'select'=>1), 'muted'=>array('audio'=>1, 'video'=>1), 'name'=>array('a'=>1, 'applet'=>1, 'button'=>1, 'embed'=>1, 'fieldset'=>1, 'form'=>1, 'iframe'=>1, 'img'=>1, 'input'=>1, 'keygen'=>1, 'map'=>1, 'object'=>1, 'output'=>1, 'param'=>1, 'select'=>1, 'textarea'=>1), 'nohref'=>array('area'=>1), 'noshade'=>array('hr'=>1), 'novalidate'=>array('form'=>1), 'nowrap'=>array('td'=>1, 'th'=>1), 'object'=>array('applet'=>1), 'open'=>array('details'=>1), 'optimum'=>array('meter'=>1), 'pattern'=>array('input'=>1), 'ping'=>array('a'=>1, 'area'=>1), 'placeholder'=>array('input'=>1, 'textarea'=>1), 'pluginspage'=>array('embed'=>1), 'pluginurl'=>array('embed'=>1), 'poster'=>array('video'=>1), 'pqg'=>array('keygen'=>1), 'preload'=>array('audio'=>1, 'video'=>1), 'prompt'=>array('isindex'=>1), 'pubdate'=>array('time'=>1), 'radiogroup'=>array('command'=>1), 'readonly'=>array('input'=>1, 'textarea'=>1), 'rel'=>array('a'=>1, 'area'=>1, 'link'=>1), 'required'=>array('input'=>1, 'select'=>1, 'textarea'=>1), 'rev'=>array('a'=>1), 'reversed'=>array('ol'=>1), 'rows'=>array('textarea'=>1), 'rowspan'=>array('td'=>1, 'th'=>1), 'rules'=>array('table'=>1), 'sandbox'=>array('iframe'=>1), 'scope'=>array('td'=>1, 'th'=>1), 'scoped'=>array('style'=>1), 'scrolling'=>array('iframe'=>1), 'seamless'=>array('iframe'=>1), 'selected'=>array('option'=>1), 'shape'=>array('a'=>1, 'area'=>1), 'size'=>array('font'=>1, 'hr'=>1, 'input'=>1, 'select'=>1), 'sizes'=>array('link'=>1), 'span'=>array('col'=>1, 'colgroup'=>1), 'src'=>array('audio'=>1, 'embed'=>1, 'iframe'=>1, 'img'=>1, 'input'=>1, 'script'=>1, 'source'=>1, 'track'=>1, 'video'=>1), 'srcdoc'=>array('iframe'=>1), 'srclang'=>array('track'=>1), 'srcset'=>array('img'=>1), 'standby'=>array('object'=>1), 'start'=>array('ol'=>1), 'step'=>array('input'=>1), 'summary'=>array('table'=>1), 'target'=>array('a'=>1, 'area'=>1, 'form'=>1), 'type'=>array('a'=>1, 'area'=>1, 'button'=>1, 'command'=>1, 'embed'=>1, 'input'=>1, 'li'=>1, 'link'=>1, 'menu'=>1, 'object'=>1, 'ol'=>1, 'param'=>1, 'script'=>1, 'source'=>1, 'style'=>1, 'ul'=>1), 'typemustmatch'=>array('object'=>1), 'usemap'=>array('img'=>1, 'input'=>1, 'object'=>1), 'valign'=>array('col'=>1, 'colgroup'=>1, 'tbody'=>1, 'td'=>1, 'tfoot'=>1, 'th'=>1, 'thead'=>1, 'tr'=>1), 'value'=>array('button'=>1, 'data'=>1, 'input'=>1, 'li'=>1, 'meter'=>1, 'option'=>1, 'param'=>1, 'progress'=>1), 'valuetype'=>array('param'=>1), 'vspace'=>array('applet'=>1, 'embed'=>1, 'img'=>1, 'object'=>1), 'width'=>array('applet'=>1, 'canvas'=>1, 'col'=>1, 'colgroup'=>1, 'embed'=>1, 'hr'=>1, 'iframe'=>1, 'img'=>1, 'input'=>1, 'object'=>1, 'pre'=>1, 'table'=>1, 'td'=>1, 'th'=>1, 'video'=>1), 'wmode'=>array('embed'=>1), 'wrap'=>array('textarea'=>1)); // Ele-specific
-static $aNA = array('aria-activedescendant'=>1, 'aria-atomic'=>1, 'aria-autocomplete'=>1, 'aria-busy'=>1, 'aria-checked'=>1, 'aria-controls'=>1, 'aria-describedby'=>1, 'aria-disabled'=>1, 'aria-dropeffect'=>1, 'aria-expanded'=>1, 'aria-flowto'=>1, 'aria-grabbed'=>1, 'aria-haspopup'=>1, 'aria-hidden'=>1, 'aria-invalid'=>1, 'aria-label'=>1, 'aria-labelledby'=>1, 'aria-level'=>1, 'aria-live'=>1, 'aria-multiline'=>1, 'aria-multiselectable'=>1, 'aria-orientation'=>1, 'aria-owns'=>1, 'aria-posinset'=>1, 'aria-pressed'=>1, 'aria-readonly'=>1, 'aria-relevant'=>1, 'aria-required'=>1, 'aria-selected'=>1, 'aria-setsize'=>1, 'aria-sort'=>1, 'aria-valuemax'=>1, 'aria-valuemin'=>1, 'aria-valuenow'=>1, 'aria-valuetext'=>1); // ARIA
-static $aNE = array('allowfullscreen'=>1, 'checkbox'=>1, 'checked'=>1, 'command'=>1, 'compact'=>1, 'declare'=>1, 'defer'=>1, 'default'=>1, 'disabled'=>1, 'hidden'=>1, 'inert'=>1, 'ismap'=>1, 'itemscope'=>1, 'multiple'=>1, 'nohref'=>1, 'noresize'=>1, 'noshade'=>1, 'nowrap'=>1, 'open'=>1, 'radio'=>1, 'readonly'=>1, 'required'=>1, 'reversed'=>1, 'selected'=>1); // Empty
-static $aNO = array('onabort'=>1, 'onblur'=>1, 'oncanplay'=>1, 'oncanplaythrough'=>1, 'onchange'=>1, 'onclick'=>1, 'oncontextmenu'=>1, 'oncopy'=>1, 'oncuechange'=>1, 'oncut'=>1, 'ondblclick'=>1, 'ondrag'=>1, 'ondragend'=>1, 'ondragenter'=>1, 'ondragleave'=>1, 'ondragover'=>1, 'ondragstart'=>1, 'ondrop'=>1, 'ondurationchange'=>1, 'onemptied'=>1, 'onended'=>1, 'onerror'=>1, 'onfocus'=>1, 'onformchange'=>1, 'onforminput'=>1, 'oninput'=>1, 'oninvalid'=>1, 'onkeydown'=>1, 'onkeypress'=>1, 'onkeyup'=>1, 'onload'=>1, 'onloadeddata'=>1, 'onloadedmetadata'=>1, 'onloadstart'=>1, 'onlostpointercapture'=>1, 'onmousedown'=>1, 'onmousemove'=>1, 'onmouseout'=>1, 'onmouseover'=>1, 'onmouseup'=>1, 'onmousewheel'=>1, 'onpaste'=>1, 'onpause'=>1, 'onplay'=>1, 'onplaying'=>1, 'onpointercancel'=>1, 'ongotpointercapture'=>1, 'onpointerdown'=>1, 'onpointerenter'=>1, 'onpointerleave'=>1, 'onpointermove'=>1, 'onpointerout'=>1, 'onpointerover'=>1, 'onpointerup'=>1, 'onprogress'=>1, 'onratechange'=>1, 'onreadystatechange'=>1, 'onreset'=>1, 'onsearch'=>1, 'onscroll'=>1, 'onseeked'=>1, 'onseeking'=>1, 'onselect'=>1, 'onshow'=>1, 'onstalled'=>1, 'onsubmit'=>1, 'onsuspend'=>1, 'ontimeupdate'=>1, 'ontoggle'=>1, 'ontouchcancel'=>1, 'ontouchend'=>1, 'ontouchmove'=>1, 'ontouchstart'=>1, 'onvolumechange'=>1, 'onwaiting'=>1, 'onwheel'=>1); // Event
-static $aNP = array('action'=>1, 'cite'=>1, 'classid'=>1, 'codebase'=>1, 'data'=>1, 'href'=>1, 'itemtype'=>1, 'longdesc'=>1, 'model'=>1, 'pluginspage'=>1, 'pluginurl'=>1, 'src'=>1, 'srcset'=>1, 'usemap'=>1); // Need scheme check; excludes style, on*
-static $aNU = array('accesskey'=>1, 'class'=>1, 'contenteditable'=>1, 'contextmenu'=>1, 'dir'=>1, 'draggable'=>1, 'dropzone'=>1, 'hidden'=>1, 'id'=>1, 'inert'=>1, 'itemid'=>1, 'itemprop'=>1, 'itemref'=>1, 'itemscope'=>1, 'itemtype'=>1, 'lang'=>1, 'role'=>1, 'spellcheck'=>1, 'style'=>1, 'tabindex'=>1, 'title'=>1, 'translate'=>1, 'xmlns'=>1, 'xml:base'=>1, 'xml:lang'=>1, 'xml:space'=>1); // Univ; excludes on*, aria*
-
-if($C['lc_std_val']){
- // predef attr vals for $eAL & $aNE ele
- static $aNL = array('all'=>1, 'auto'=>1, 'baseline'=>1, 'bottom'=>1, 'button'=>1, 'captions'=>1, 'center'=>1, 'chapters'=>1, 'char'=>1, 'checkbox'=>1, 'circle'=>1, 'col'=>1, 'colgroup'=>1, 'color'=>1, 'cols'=>1, 'data'=>1, 'date'=>1, 'datetime'=>1, 'datetime-local'=>1, 'default'=>1, 'descriptions'=>1, 'email'=>1, 'file'=>1, 'get'=>1, 'groups'=>1, 'hidden'=>1, 'image'=>1, 'justify'=>1, 'left'=>1, 'ltr'=>1, 'metadata'=>1, 'middle'=>1, 'month'=>1, 'none'=>1, 'number'=>1, 'object'=>1, 'password'=>1, 'poly'=>1, 'post'=>1, 'preserve'=>1, 'radio'=>1, 'range'=>1, 'rect'=>1, 'ref'=>1, 'reset'=>1, 'right'=>1, 'row'=>1, 'rowgroup'=>1, 'rows'=>1, 'rtl'=>1, 'search'=>1, 'submit'=>1, 'subtitles'=>1, 'tel'=>1, 'text'=>1, 'time'=>1, 'top'=>1, 'url'=>1, 'week'=>1);
- static $eAL = array('a'=>1, 'area'=>1, 'bdo'=>1, 'button'=>1, 'col'=>1, 'fieldset'=>1, 'form'=>1, 'img'=>1, 'input'=>1, 'object'=>1, 'ol'=>1, 'optgroup'=>1, 'option'=>1, 'param'=>1, 'script'=>1, 'select'=>1, 'table'=>1, 'td'=>1, 'textarea'=>1, 'tfoot'=>1, 'th'=>1, 'thead'=>1, 'tr'=>1, 'track'=>1, 'xml:space'=>1);
- $lcase = isset($eAL[$e]) ? 1 : 0;
-}
-
-$depTr = 0;
-if($C['no_deprecated_attr']){
- // depr attr:applicable ele
- static $aND = array('align'=>array('caption'=>1, 'div'=>1, 'h1'=>1, 'h2'=>1, 'h3'=>1, 'h4'=>1, 'h5'=>1, 'h6'=>1, 'hr'=>1, 'img'=>1, 'input'=>1, 'legend'=>1, 'object'=>1, 'p'=>1, 'table'=>1), 'bgcolor'=>array('table'=>1, 'td'=>1, 'th'=>1, 'tr'=>1), 'border'=>array('object'=>1), 'bordercolor'=>array('table'=>1, 'td'=>1, 'tr'=>1), 'cellspacing'=>array('table'=>1), 'clear'=>array('br'=>1), 'compact'=>array('dl'=>1, 'ol'=>1, 'ul'=>1), 'height'=>array('td'=>1, 'th'=>1), 'hspace'=>array('img'=>1, 'object'=>1), 'language'=>array('script'=>1), 'name'=>array('a'=>1, 'form'=>1, 'iframe'=>1, 'img'=>1, 'map'=>1), 'noshade'=>array('hr'=>1), 'nowrap'=>array('td'=>1, 'th'=>1), 'size'=>array('hr'=>1), 'vspace'=>array('img'=>1, 'object'=>1), 'width'=>array('hr'=>1, 'pre'=>1, 'table'=>1, 'td'=>1, 'th'=>1));
- static $eAD = array('a'=>1, 'br'=>1, 'caption'=>1, 'div'=>1, 'dl'=>1, 'form'=>1, 'h1'=>1, 'h2'=>1, 'h3'=>1, 'h4'=>1, 'h5'=>1, 'h6'=>1, 'hr'=>1, 'iframe'=>1, 'img'=>1, 'input'=>1, 'legend'=>1, 'map'=>1, 'object'=>1, 'ol'=>1, 'p'=>1, 'pre'=>1, 'script'=>1, 'table'=>1, 'td'=>1, 'th'=>1, 'tr'=>1, 'ul'=>1);
- $depTr = isset($eAD[$e]) ? 1 : 0;
-}
-
-// attr name-vals
-if(strpos($a, "\x01") !== false){$a = preg_replace('`\x01[^\x01]*\x01`', '', $a);} // No comment/CDATA sec
-$mode = 0; $a = trim($a, ' /'); $aA = array();
-while(strlen($a)){
- $w = 0;
- switch($mode){
-  case 0: // Name
-   if(preg_match('`^[a-zA-Z][^\s=/]+`', $a, $m)){
-    $nm = strtolower($m[0]);
-    $w = $mode = 1; $a = ltrim(substr_replace($a, '', 0, strlen($m[0])));
-   }
-  break; case 1:
-   if($a[0] == '='){ // =
-    $w = 1; $mode = 2; $a = ltrim($a, '= ');
-   }else{ // No val
-    $w = 1; $mode = 0; $a = ltrim($a);
-    $aA[$nm] = '';
-   }
-  break; case 2: // Val
-   if(preg_match('`^((?:"[^"]*")|(?:\'[^\']*\')|(?:\s*[^\s"\']+))(.*)`', $a, $m)){
-    $a = ltrim($m[2]); $m = $m[1]; $w = 1; $mode = 0;
-    $aA[$nm] = trim(str_replace('<', '&lt;', ($m[0] == '"' or $m[0] == '\'') ? substr($m, 1, -1) : $m));
-   }
-  break;
- }
- if($w == 0){ // Parse errs, deal with space, " & '
-  $a = preg_replace('`^(?:"[^"]*("|$)|\'[^\']*(\'|$)|\S)*\s*`', '', $a);
-  $mode = 0;
- }
-}
-if($mode == 1){$aA[$nm] = '';}
-
-// clean attrs
-global $S;
-$rl = isset($S[$e]) ? $S[$e] : array();
-$a = array(); $nfr = 0; $d = $C['deny_attribute'];
-foreach($aA as $k=>$v){
- if(((isset($d['*']) ? isset($d[$k]) : !isset($d[$k])) && (isset($aN[$k][$e]) or isset($aNU[$k]) or (isset($aNO[$k]) && !isset($d['on*'])) or (isset($aNA[$k]) && !isset($d['aria*'])) or (!isset($d['data*']) && preg_match('`data-((?!xml)[^:]+$)`', $k))) && !isset($rl['n'][$k]) && !isset($rl['n']['*'])) or isset($rl[$k])){
-  if(isset($aNE[$k])){$v = $k;}
-  elseif(!empty($lcase) && (($e != 'button' or $e != 'input') or $k == 'type')){ // Rather loose but ?not cause issues
-   $v = (isset($aNL[($v2 = strtolower($v))])) ? $v2 : $v;
-  }
-  if($k == 'style' && !$C['style_pass']){
-   if(false !== strpos($v, '&#')){
-    static $sC = array('&#x20;'=>' ', '&#32;'=>' ', '&#x45;'=>'e', '&#69;'=>'e', '&#x65;'=>'e', '&#101;'=>'e', '&#x58;'=>'x', '&#88;'=>'x', '&#x78;'=>'x', '&#120;'=>'x', '&#x50;'=>'p', '&#80;'=>'p', '&#x70;'=>'p', '&#112;'=>'p', '&#x53;'=>'s', '&#83;'=>'s', '&#x73;'=>'s', '&#115;'=>'s', '&#x49;'=>'i', '&#73;'=>'i', '&#x69;'=>'i', '&#105;'=>'i', '&#x4f;'=>'o', '&#79;'=>'o', '&#x6f;'=>'o', '&#111;'=>'o', '&#x4e;'=>'n', '&#78;'=>'n', '&#x6e;'=>'n', '&#110;'=>'n', '&#x55;'=>'u', '&#85;'=>'u', '&#x75;'=>'u', '&#117;'=>'u', '&#x52;'=>'r', '&#82;'=>'r', '&#x72;'=>'r', '&#114;'=>'r', '&#x4c;'=>'l', '&#76;'=>'l', '&#x6c;'=>'l', '&#108;'=>'l', '&#x28;'=>'(', '&#40;'=>'(', '&#x29;'=>')', '&#41;'=>')', '&#x20;'=>':', '&#32;'=>':', '&#x22;'=>'"', '&#34;'=>'"', '&#x27;'=>"'", '&#39;'=>"'", '&#x2f;'=>'/', '&#47;'=>'/', '&#x2a;'=>'*', '&#42;'=>'*', '&#x5c;'=>'\\', '&#92;'=>'\\');
-    $v = strtr($v, $sC);
-   }
-   $v = preg_replace_callback('`(url(?:\()(?: )*(?:\'|"|&(?:quot|apos);)?)(.+?)((?:\'|"|&(?:quot|apos);)?(?: )*(?:\)))`iS', 'hl_prot', $v);
-   $v = !$C['css_expression'] ? preg_replace('`expression`i', ' ', preg_replace('`\\\\\S|(/|(%2f))(\*|(%2a))`i', ' ', $v)) : $v;
-  }elseif(isset($aNP[$k]) or isset($aNO[$k])){
-   $v = str_replace("­", ' ', (strpos($v, '&') !== false ? str_replace(array('&#xad;', '&#173;', '&shy;'), ' ', $v) : $v)); # double-quoted char: soft-hyphen; appears here as "­" or hyphen or something else depending on viewing software
-   if($k == 'srcset'){
-    $v2 = '';
-    foreach(explode(',', $v) as $k1=>$v1){
-     $v1 = explode(' ', ltrim($v1), 2);
-     $k1 = isset($v1[1]) ? trim($v1[1]) : '';
-     $v1 = trim($v1[0]);
-     if(isset($v1[0])){$v2 .= hl_prot($v1, $k). (empty($k1) ? '' : ' '. $k1). ', ';}
-    }
-    $v = trim($v2, ', ');
-   }
-   if($k == 'itemtype'){
-    $v2 = '';
-    foreach(explode(' ', $v) as $v1){
-     if(isset($v1[0])){$v2 .= hl_prot($v1, $k). ' ';}
-    }
-    $v = trim($v2, ' ');
-   }
-   else{$v = hl_prot($v, $k);}
-   if($k == 'href'){ // X-spam
-    if($C['anti_mail_spam'] && strpos($v, 'mailto:') === 0){
-     $v = str_replace('@', htmlspecialchars($C['anti_mail_spam']), $v);
-    }elseif($C['anti_link_spam']){
-     $r1 = $C['anti_link_spam'][1];
-     if(!empty($r1) && preg_match($r1, $v)){continue;}
-     $r0 = $C['anti_link_spam'][0];
-     if(!empty($r0) && preg_match($r0, $v)){
-      if(isset($a['rel'])){
-       if(!preg_match('`\bnofollow\b`i', $a['rel'])){$a['rel'] .= ' nofollow';}
-      }elseif(isset($aA['rel'])){
-       if(!preg_match('`\bnofollow\b`i', $aA['rel'])){$nfr = 1;}
-      }else{$a['rel'] = 'nofollow';}
-     }
-    }
-   }
-  }
-  if(isset($rl[$k]) && is_array($rl[$k]) && ($v = hl_attrval($k, $v, $rl[$k])) === 0){continue;}
-  $a[$k] = str_replace('"', '&quot;', $v);
- }
-}
-if($nfr){$a['rel'] = isset($a['rel']) ? $a['rel']. ' nofollow' : 'nofollow';}
-
-// rqd attr
-static $eAR = array('area'=>array('alt'=>'area'), 'bdo'=>array('dir'=>'ltr'), 'command'=>array('label'=>''), 'form'=>array('action'=>''), 'img'=>array('src'=>'', 'alt'=>'image'), 'map'=>array('name'=>''), 'optgroup'=>array('label'=>''), 'param'=>array('name'=>''), 'style'=>array('scoped'=>''), 'textarea'=>array('rows'=>'10', 'cols'=>'50'));
-if(isset($eAR[$e])){
- foreach($eAR[$e] as $k=>$v){
-  if(!isset($a[$k])){$a[$k] = isset($v[0]) ? $v : $k;}
- }
-}
-
-// depr attr
-if($depTr){
- $c = array();
- foreach($a as $k=>$v){
-  if($k == 'style' or !isset($aND[$k][$e])){continue;}
-  $v = str_replace(array('\\', ':', ';', '&#'), '', $v);
-  if($k == 'align'){
-   unset($a['align']);
-   if($e == 'img' && ($v == 'left' or $v == 'right')){$c[] = 'float: '. $v;}
-   elseif(($e == 'div' or $e == 'table') && $v == 'center'){$c[] = 'margin: auto';}
-   else{$c[] = 'text-align: '. $v;}
-  }elseif($k == 'bgcolor'){
-   unset($a['bgcolor']);
-   $c[] = 'background-color: '. $v;
-  }elseif($k == 'border'){
-   unset($a['border']); $c[] = "border: {$v}px";
-  }elseif($k == 'bordercolor'){
-   unset($a['bordercolor']); $c[] = 'border-color: '. $v;
-  }elseif($k == 'cellspacing'){
-   unset($a['cellspacing']); $c[] = "border-spacing: {$v}px";
-  }elseif($k == 'clear'){
-   unset($a['clear']); $c[] = 'clear: '. ($v != 'all' ? $v : 'both');
-  }elseif($k == 'compact'){
-   unset($a['compact']); $c[] = 'font-size: 85%';
-  }elseif($k == 'height' or $k == 'width'){
-   unset($a[$k]); $c[] = $k. ': '. ($v[0] != '*' ? $v. (ctype_digit($v) ? 'px' : '') : 'auto');
-  }elseif($k == 'hspace'){
-   unset($a['hspace']); $c[] = "margin-left: {$v}px; margin-right: {$v}px";
-  }elseif($k == 'language' && !isset($a['type'])){
-   unset($a['language']);
-   $a['type'] = 'text/'. strtolower($v);
-  }elseif($k == 'name'){
-   if($C['no_deprecated_attr'] == 2 or ($e != 'a' && $e != 'map')){unset($a['name']);}
-   if(!isset($a['id']) && !preg_match('`\W`', $v)){$a['id'] = $v;}
-  }elseif($k == 'noshade'){
-   unset($a['noshade']); $c[] = 'border-style: none; border: 0; background-color: gray; color: gray';
-  }elseif($k == 'nowrap'){
-   unset($a['nowrap']); $c[] = 'white-space: nowrap';
-  }elseif($k == 'size'){
-   unset($a['size']); $c[] = 'size: '. $v. 'px';
-  }elseif($k == 'vspace'){
-   unset($a['vspace']); $c[] = "margin-top: {$v}px; margin-bottom: {$v}px";
-  }
- }
- if(count($c)){
-  $c = implode('; ', $c);
-  $a['style'] = isset($a['style']) ? rtrim($a['style'], ' ;'). '; '. $c. ';': $c. ';';
- }
-}
-// unique ID
-if($C['unique_ids'] && isset($a['id'])){
- if(preg_match('`\s`', ($id = $a['id'])) or (isset($GLOBALS['hl_Ids'][$id]) && $C['unique_ids'] == 1)){unset($a['id']);
- }else{
-  while(isset($GLOBALS['hl_Ids'][$id])){$id = $C['unique_ids']. $id;}
-  $GLOBALS['hl_Ids'][($a['id'] = $id)] = 1;
- }
-}
-// xml:lang
-if($C['xml:lang'] && isset($a['lang'])){
- $a['xml:lang'] = isset($a['xml:lang']) ? $a['xml:lang'] : $a['lang'];
- if($C['xml:lang'] == 2){unset($a['lang']);}
-}
-// for transformed tag
-if(!empty($trt)){
- $a['style'] = isset($a['style']) ? rtrim($a['style'], ' ;'). '; '. $trt : $trt;
-}
-// return with empty ele /
-if(empty($C['hook_tag'])){
- $aA = '';
- foreach($a as $k=>$v){$aA .= " {$k}=\"{$v}\"";}
- return "<{$e}{$aA}". (isset($eE[$e]) ? ' /' : ''). '>';
-}
-else{return $C['hook_tag']($e, $a);}
-}
-
-function hl_tag2(&$e, &$a, $t=1){
-// transform tag
-if($e == 'big'){$e = 'span'; return 'font-size: larger;';}
-if($e == 's' or $e == 'strike'){$e = 'span'; return 'text-decoration: line-through;';}
-if($e == 'tt'){$e = 'code'; return '';}
-if($e == 'center'){$e = 'div'; return 'text-align: center;';}
-static $fs = array('0'=>'xx-small', '1'=>'xx-small', '2'=>'small', '3'=>'medium', '4'=>'large', '5'=>'x-large', '6'=>'xx-large', '7'=>'300%', '-1'=>'smaller', '-2'=>'60%', '+1'=>'larger', '+2'=>'150%', '+3'=>'200%', '+4'=>'300%');
-if($e == 'font'){
- $a2 = '';
- while(preg_match('`(^|\s)(color|size)\s*=\s*(\'|")?(.+?)(\\3|\s|$)`i', $a, $m)){
-  $a = str_replace($m[0], ' ', $a);
-  $a2 .= strtolower($m[2]) == 'color' ? (' color: '. str_replace(array('"', ';', ':'), '\'', trim($m[4])). ';') : (isset($fs[($m = trim($m[4]))]) ? (' font-size: '. $fs[$m]. ';') : '');
- }
- while(preg_match('`(^|\s)face\s*=\s*(\'|")?([^=]+?)\\2`i', $a, $m) or preg_match('`(^|\s)face\s*=(\s*)(\S+)`i', $a, $m)){
-  $a = str_replace($m[0], ' ', $a);
-  $a2 .= ' font-family: '. str_replace(array('"', ';', ':'), '\'', trim($m[3])). ';';
- }
- $e = 'span'; return ltrim(str_replace('<', '', $a2));
-}
-if($e == 'acronym'){$e = 'abbr'; return '';}
-if($e == 'dir'){$e = 'ul'; return '';}
-if($t == 2){$e = 0; return 0;}
-return '';
-}
-
-function hl_tidy($t, $w, $p){
-// tidy/compact HTM
-if(strpos(' pre,script,textarea', "$p,")){return $t;}
-if(!function_exists('hl_aux2')){function hl_aux2($m){
- return $m[1]. str_replace(array("<", ">", "\n", "\r", "\t", ' '), array("\x01", "\x02", "\x03", "\x04", "\x05", "\x07"), $m[3]). $m[4];
-}}
-$t = preg_replace(array('`(<\w[^>]*(?<!/)>)\s+`', '`\s+`', '`(<\w[^>]*(?<!/)>) `'), array(' $1', ' ', '$1'), preg_replace_callback(array('`(<(!\[CDATA\[))(.+?)(\]\]>)`sm', '`(<(!--))(.+?)(-->)`sm', '`(<(pre|script|textarea)[^>]*?>)(.+?)(</\2>)`sm'), 'hl_aux2', $t));
-if(($w = strtolower($w)) == -1){
- return str_replace(array("\x01", "\x02", "\x03", "\x04", "\x05", "\x07"), array('<', '>', "\n", "\r", "\t", ' '), $t);
-}
-$s = strpos(" $w", 't') ? "\t" : ' ';
-$s = preg_match('`\d`', $w, $m) ? str_repeat($s, $m[0]) : str_repeat($s, ($s == "\t" ? 1 : 2));
-$N = preg_match('`[ts]([1-9])`', $w, $m) ? $m[1] : 0;
-$a = array('br'=>1);
-$b = array('button'=>1, 'command'=>1, 'input'=>1, 'option'=>1, 'param'=>1, 'track'=>1);
-$c = array('audio'=>1, 'canvas'=>1, 'caption'=>1, 'dd'=>1, 'dt'=>1, 'figcaption'=>1, 'h1'=>1, 'h2'=>1, 'h3'=>1, 'h4'=>1, 'h5'=>1, 'h6'=>1, 'isindex'=>1, 'label'=>1, 'legend'=>1, 'li'=>1, 'object'=>1, 'p'=>1, 'pre'=>1, 'style'=>1, 'summary'=>1, 'td'=>1, 'textarea'=>1, 'th'=>1, 'video'=>1);
-$d = array('address'=>1, 'article'=>1, 'aside'=>1, 'blockquote'=>1, 'center'=>1, 'colgroup'=>1, 'datalist'=>1, 'details'=>1, 'dir'=>1, 'div'=>1, 'dl'=>1, 'fieldset'=>1, 'figure'=>1, 'footer'=>1, 'form'=>1, 'header'=>1, 'hgroup'=>1, 'hr'=>1, 'iframe'=>1, 'main'=>1, 'map'=>1, 'menu'=>1, 'nav'=>1, 'noscript'=>1, 'ol'=>1, 'optgroup'=>1, 'rbc'=>1, 'rtc'=>1, 'ruby'=>1, 'script'=>1, 'section'=>1, 'select'=>1, 'table'=>1, 'tbody'=>1, 'tfoot'=>1, 'thead'=>1, 'tr'=>1, 'ul'=>1);
-$T = explode('<', $t);
-$X = 1;
-while($X){
- $n = $N;
- $t = $T;
- ob_start();
- if(isset($d[$p])){echo str_repeat($s, ++$n);}
- echo ltrim(array_shift($t));
- for($i=-1, $j=count($t); ++$i<$j;){
-  $r = ''; list($e, $r) = explode('>', $t[$i]);
-  $x = $e[0] == '/' ? 0 : (substr($e, -1) == '/' ? 1 : ($e[0] != '!' ? 2 : -1));
-  $y = !$x ? ltrim($e, '/') : ($x > 0 ? substr($e, 0, strcspn($e, ' ')) : 0);
-  $e = "<$e>"; 
-  if(isset($d[$y])){
-   if(!$x){
-    if($n){echo "\n", str_repeat($s, --$n), "$e\n", str_repeat($s, $n);}
-    else{++$N; ob_end_clean(); continue 2;}
-   }
-   else{echo "\n", str_repeat($s, $n), "$e\n", str_repeat($s, ($x != 1 ? ++$n : $n));}
-   echo $r; continue;
-  }
-  $f = "\n". str_repeat($s, $n);
-  if(isset($c[$y])){
-   if(!$x){echo $e, $f, $r;}
-   else{echo $f, $e, $r;}
-  }elseif(isset($b[$y])){echo $f, $e, $r;
-  }elseif(isset($a[$y])){echo $e, $f, $r;
-  }elseif(!$y){echo $f, $e, $f, $r;
-  }else{echo $e, $r;}
- }
- $X = 0;
-}
-$t = str_replace(array("\n ", " \n"), "\n", preg_replace('`[\n]\s*?[\n]+`', "\n", ob_get_contents()));
-ob_end_clean();
-if(($l = strpos(" $w", 'r') ? (strpos(" $w", 'n') ? "\r\n" : "\r") : 0)){
- $t = str_replace("\n", $l, $t);
-}
-return str_replace(array("\x01", "\x02", "\x03", "\x04", "\x05", "\x07"), array('<', '>', "\n", "\r", "\t", ' '), $t);
-}
-
-function hl_version(){
-// version
-return '1.2.5';
-}
+<?php

+

+/*

+htmLawed 1.2.5, 24 September 2019

+Copyright Santosh Patnaik

+Dual licensed with LGPL 3 and GPL 2+

+A PHP Labware internal utility - www.bioinformatics.org/phplabware/internal_utilities/htmLawed

+

+See htmLawed_README.txt/htm

+*/

+

+function htmLawed($t, $C=1, $S=array()){

+$C = is_array($C) ? $C : array();

+if(!empty($C['valid_xhtml'])){

+ $C['elements'] = empty($C['elements']) ? '*-acronym-big-center-dir-font-isindex-s-strike-tt' : $C['elements'];

+ $C['make_tag_strict'] = isset($C['make_tag_strict']) ? $C['make_tag_strict'] : 2;

+ $C['xml:lang'] = isset($C['xml:lang']) ? $C['xml:lang'] : 2;

+}

+// config eles

+$e = array('a'=>1, 'abbr'=>1, 'acronym'=>1, 'address'=>1, 'applet'=>1, 'area'=>1, 'article'=>1, 'aside'=>1, 'audio'=>1, 'b'=>1, 'bdi'=>1, 'bdo'=>1, 'big'=>1, 'blockquote'=>1, 'br'=>1, 'button'=>1, 'canvas'=>1, 'caption'=>1, 'center'=>1, 'cite'=>1, 'code'=>1, 'col'=>1, 'colgroup'=>1, 'command'=>1, 'data'=>1, 'datalist'=>1, 'dd'=>1, 'del'=>1, 'details'=>1, 'dfn'=>1, 'dir'=>1, 'div'=>1, 'dl'=>1, 'dt'=>1, 'em'=>1, 'embed'=>1, 'fieldset'=>1, 'figcaption'=>1, 'figure'=>1, 'font'=>1, 'footer'=>1, 'form'=>1, 'h1'=>1, 'h2'=>1, 'h3'=>1, 'h4'=>1, 'h5'=>1, 'h6'=>1, 'header'=>1, 'hgroup'=>1, 'hr'=>1, 'i'=>1, 'iframe'=>1, 'img'=>1, 'input'=>1, 'ins'=>1, 'isindex'=>1, 'kbd'=>1, 'keygen'=>1, 'label'=>1, 'legend'=>1, 'li'=>1, 'link'=>1, 'main'=>1, 'map'=>1, 'mark'=>1, 'menu'=>1, 'meta'=>1, 'meter'=>1, 'nav'=>1, 'noscript'=>1, 'object'=>1, 'ol'=>1, 'optgroup'=>1, 'option'=>1, 'output'=>1, 'p'=>1, 'param'=>1, 'pre'=>1, 'progress'=>1, 'q'=>1, 'rb'=>1, 'rbc'=>1, 'rp'=>1, 'rt'=>1, 'rtc'=>1, 'ruby'=>1, 's'=>1, 'samp'=>1, 'script'=>1, 'section'=>1, 'select'=>1, 'small'=>1, 'source'=>1, 'span'=>1, 'strike'=>1, 'strong'=>1, 'style'=>1, 'sub'=>1, 'summary'=>1, 'sup'=>1, 'table'=>1, 'tbody'=>1, 'td'=>1, 'textarea'=>1, 'tfoot'=>1, 'th'=>1, 'thead'=>1, 'time'=>1, 'tr'=>1, 'track'=>1, 'tt'=>1, 'u'=>1, 'ul'=>1, 'var'=>1, 'video'=>1, 'wbr'=>1); // 118 incl. deprecated & some Ruby

+

+if(!empty($C['safe'])){

+ unset($e['applet'], $e['audio'], $e['canvas'], $e['embed'], $e['iframe'], $e['object'], $e['script'], $e['video']);

+}

+$x = !empty($C['elements']) ? str_replace(array("\n", "\r", "\t", ' '), '', $C['elements']) : '*';

+if($x == '-*'){$e = array();}

+elseif(strpos($x, '*') === false){$e = array_flip(explode(',', $x));}

+else{

+ if(isset($x[1])){

+  preg_match_all('`(?:^|-|\+)[^\-+]+?(?=-|\+|$)`', $x, $m, PREG_SET_ORDER);

+  for($i=count($m); --$i>=0;){$m[$i] = $m[$i][0];}

+  foreach($m as $v){

+   if($v[0] == '+'){$e[substr($v, 1)] = 1;}

+   if($v[0] == '-' && isset($e[($v = substr($v, 1))]) && !in_array('+'. $v, $m)){unset($e[$v]);}

+  }

+ }

+}

+$C['elements'] =& $e;

+// config attrs

+$x = !empty($C['deny_attribute']) ? strtolower(str_replace(array("\n", "\r", "\t", ' '), '', $C['deny_attribute'])) : '';

+$x = array_flip((isset($x[0]) && $x[0] == '*') ? str_replace('/', 'data-', explode('-', str_replace('data-', '/', $x))) : explode(',', $x. (!empty($C['safe']) ? ',on*' : '')));

+$C['deny_attribute'] = $x;

+// config URLs

+$x = (isset($C['schemes'][2]) && strpos($C['schemes'], ':')) ? strtolower($C['schemes']) : 'href: aim, feed, file, ftp, gopher, http, https, irc, mailto, news, nntp, sftp, ssh, tel, telnet'. (empty($C['safe']) ? ', app, javascript; *: data, javascript, ' : '; *:'). 'file, http, https';

+$C['schemes'] = array();

+foreach(explode(';', trim(str_replace(array(' ', "\t", "\r", "\n"), '', $x), ';')) as $v){

+ $x = $x2 = null; list($x, $x2) = explode(':', $v, 2);

+ if($x2){$C['schemes'][$x] = array_flip(explode(',', $x2));}

+}

+if(!isset($C['schemes']['*'])){

+ $C['schemes']['*'] = array('file'=>1, 'http'=>1, 'https'=>1);

+ if(empty($C['safe'])){$C['schemes']['*'] += array('data'=>1, 'javascript'=>1);}

+}

+if(!empty($C['safe']) && empty($C['schemes']['style'])){$C['schemes']['style'] = array('!'=>1);}

+$C['abs_url'] = isset($C['abs_url']) ? $C['abs_url'] : 0;

+if(!isset($C['base_url']) or !preg_match('`^[a-zA-Z\d.+\-]+://[^/]+/(.+?/)?$`', $C['base_url'])){

+ $C['base_url'] = $C['abs_url'] = 0;

+}

+// config rest

+$C['and_mark'] = empty($C['and_mark']) ? 0 : 1;

+$C['anti_link_spam'] = (isset($C['anti_link_spam']) && is_array($C['anti_link_spam']) && count($C['anti_link_spam']) == 2 && (empty($C['anti_link_spam'][0]) or hl_regex($C['anti_link_spam'][0])) && (empty($C['anti_link_spam'][1]) or hl_regex($C['anti_link_spam'][1]))) ? $C['anti_link_spam'] : 0;

+$C['anti_mail_spam'] = isset($C['anti_mail_spam']) ? $C['anti_mail_spam'] : 0;

+$C['balance'] = isset($C['balance']) ? (bool)$C['balance'] : 1;

+$C['cdata'] = isset($C['cdata']) ? $C['cdata'] : (empty($C['safe']) ? 3 : 0);

+$C['clean_ms_char'] = empty($C['clean_ms_char']) ? 0 : $C['clean_ms_char'];

+$C['comment'] = isset($C['comment']) ? $C['comment'] : (empty($C['safe']) ? 3 : 0);

+$C['css_expression'] = empty($C['css_expression']) ? 0 : 1;

+$C['direct_list_nest'] = empty($C['direct_list_nest']) ? 0 : 1;

+$C['hexdec_entity'] = isset($C['hexdec_entity']) ? $C['hexdec_entity'] : 1;

+$C['hook'] = (!empty($C['hook']) && function_exists($C['hook'])) ? $C['hook'] : 0;

+$C['hook_tag'] = (!empty($C['hook_tag']) && function_exists($C['hook_tag'])) ? $C['hook_tag'] : 0;

+$C['keep_bad'] = isset($C['keep_bad']) ? $C['keep_bad'] : 6;

+$C['lc_std_val'] = isset($C['lc_std_val']) ? (bool)$C['lc_std_val'] : 1;

+$C['make_tag_strict'] = isset($C['make_tag_strict']) ? $C['make_tag_strict'] : 1;

+$C['named_entity'] = isset($C['named_entity']) ? (bool)$C['named_entity'] : 1;

+$C['no_deprecated_attr'] = isset($C['no_deprecated_attr']) ? $C['no_deprecated_attr'] : 1;

+$C['parent'] = isset($C['parent'][0]) ? strtolower($C['parent']) : 'body';

+$C['show_setting'] = !empty($C['show_setting']) ? $C['show_setting'] : 0;

+$C['style_pass'] = empty($C['style_pass']) ? 0 : 1;

+$C['tidy'] = empty($C['tidy']) ? 0 : $C['tidy'];

+$C['unique_ids'] = isset($C['unique_ids']) && (!preg_match('`\W`', $C['unique_ids'])) ? $C['unique_ids'] : 1;

+$C['xml:lang'] = isset($C['xml:lang']) ? $C['xml:lang'] : 0;

+

+if(isset($GLOBALS['C'])){$reC = $GLOBALS['C'];}

+$GLOBALS['C'] = $C;

+$S = is_array($S) ? $S : hl_spec($S);

+if(isset($GLOBALS['S'])){$reS = $GLOBALS['S'];}

+$GLOBALS['S'] = $S;

+

+$t = preg_replace('`[\x00-\x08\x0b-\x0c\x0e-\x1f]`', '', $t);

+if($C['clean_ms_char']){

+ $x = array("\x7f"=>'', "\x80"=>'&#8364;', "\x81"=>'', "\x83"=>'&#402;', "\x85"=>'&#8230;', "\x86"=>'&#8224;', "\x87"=>'&#8225;', "\x88"=>'&#710;', "\x89"=>'&#8240;', "\x8a"=>'&#352;', "\x8b"=>'&#8249;', "\x8c"=>'&#338;', "\x8d"=>'', "\x8e"=>'&#381;', "\x8f"=>'', "\x90"=>'', "\x95"=>'&#8226;', "\x96"=>'&#8211;', "\x97"=>'&#8212;', "\x98"=>'&#732;', "\x99"=>'&#8482;', "\x9a"=>'&#353;', "\x9b"=>'&#8250;', "\x9c"=>'&#339;', "\x9d"=>'', "\x9e"=>'&#382;', "\x9f"=>'&#376;');

+ $x = $x + ($C['clean_ms_char'] == 1 ? array("\x82"=>'&#8218;', "\x84"=>'&#8222;', "\x91"=>'&#8216;', "\x92"=>'&#8217;', "\x93"=>'&#8220;', "\x94"=>'&#8221;') : array("\x82"=>'\'', "\x84"=>'"', "\x91"=>'\'', "\x92"=>'\'', "\x93"=>'"', "\x94"=>'"'));

+ $t = strtr($t, $x);

+}

+if($C['cdata'] or $C['comment']){$t = preg_replace_callback('`<!(?:(?:--.*?--)|(?:\[CDATA\[.*?\]\]))>`sm', 'hl_cmtcd', $t);}

+$t = preg_replace_callback('`&amp;([a-zA-Z][a-zA-Z0-9]{1,30}|#(?:[0-9]{1,8}|[Xx][0-9A-Fa-f]{1,7}));`', 'hl_ent', str_replace('&', '&amp;', $t));

+if($C['unique_ids'] && !isset($GLOBALS['hl_Ids'])){$GLOBALS['hl_Ids'] = array();}

+if($C['hook']){$t = $C['hook']($t, $C, $S);}

+if($C['show_setting'] && preg_match('`^[a-z][a-z0-9_]*$`i', $C['show_setting'])){

+ $GLOBALS[$C['show_setting']] = array('config'=>$C, 'spec'=>$S, 'time'=>microtime());

+}

+// main

+$t = preg_replace_callback('`<(?:(?:\s|$)|(?:[^>]*(?:>|$)))|>`m', 'hl_tag', $t);

+$t = $C['balance'] ? hl_bal($t, $C['keep_bad'], $C['parent']) : $t;

+$t = (($C['cdata'] or $C['comment']) && strpos($t, "\x01") !== false) ? str_replace(array("\x01", "\x02", "\x03", "\x04", "\x05"), array('', '', '&', '<', '>'), $t) : $t;

+$t = $C['tidy'] ? hl_tidy($t, $C['tidy'], $C['parent']) : $t;

+unset($C, $e);

+if(isset($reC)){$GLOBALS['C'] = $reC;}

+if(isset($reS)){$GLOBALS['S'] = $reS;}

+return $t;

+}

+

+function hl_attrval($a, $t, $p){

+// check attr val against $S

+static $ma = array('accesskey', 'class', 'itemtype', 'rel');

+$s = in_array($a, $ma) ? ' ' : ($a == 'srcset' ? ',': '');

+$r = array();

+$t = !empty($s) ? explode($s, $t) : array($t);

+foreach($t as $tk=>$tv){

+ $o = 1; $tv = trim($tv); $l = strlen($tv);

+ foreach($p as $k=>$v){

+  if(!$l){continue;}

+  switch($k){

+   case 'maxlen': if($l > $v){$o = 0;}

+   break; case 'minlen': if($l < $v){$o = 0;}

+   break; case 'maxval': if((float)($tv) > $v){$o = 0;}

+   break; case 'minval': if((float)($tv) < $v){$o = 0;}

+   break; case 'match': if(!preg_match($v, $tv)){$o = 0;}

+   break; case 'nomatch': if(preg_match($v, $tv)){$o = 0;}

+   break; case 'oneof':

+    $m = 0;

+    foreach(explode('|', $v) as $n){if($tv == $n){$m = 1; break;}}

+    $o = $m;

+   break; case 'noneof':

+    $m = 1;

+    foreach(explode('|', $v) as $n){if($tv == $n){$m = 0; break;}}

+    $o = $m;

+   break; default:

+   break;

+  }

+  if(!$o){break;}

+ }

+ if($o){$r[] = $tv;}

+}

+if($s == ','){$s = ', ';} 

+$r = implode($s, $r);

+return (isset($r[0]) ? $r : (isset($p['default']) ? $p['default'] : 0));

+}

+

+function hl_bal($t, $do=1, $in='div'){

+// balance tags

+// by content

+$cB = array('blockquote'=>1, 'form'=>1, 'map'=>1, 'noscript'=>1); // Block

+$cE = array('area'=>1, 'br'=>1, 'col'=>1, 'command'=>1, 'embed'=>1, 'hr'=>1, 'img'=>1, 'input'=>1, 'isindex'=>1, 'keygen'=>1, 'link'=>1, 'meta'=>1, 'param'=>1, 'source'=>1, 'track'=>1, 'wbr'=>1); // Empty

+$cF = array('a'=>1, 'article'=>1, 'aside'=>1, 'audio'=>1, 'button'=>1, 'canvas'=>1, 'del'=>1, 'details'=>1, 'div'=>1, 'dd'=>1, 'fieldset'=>1, 'figure'=>1, 'footer'=>1, 'header'=>1, 'iframe'=>1, 'ins'=>1, 'li'=>1, 'main'=>1, 'menu'=>1, 'nav'=>1, 'noscript'=>1, 'object'=>1, 'section'=>1, 'style'=>1, 'td'=>1, 'th'=>1, 'video'=>1); // Flow; later context-wise dynamic move of ins & del to $cI

+$cI = array('abbr'=>1, 'acronym'=>1, 'address'=>1, 'b'=>1, 'bdi'=>1, 'bdo'=>1, 'big'=>1, 'caption'=>1, 'cite'=>1, 'code'=>1, 'data'=>1, 'datalist'=>1, 'dfn'=>1, 'dt'=>1, 'em'=>1, 'figcaption'=>1, 'font'=>1, 'h1'=>1, 'h2'=>1, 'h3'=>1, 'h4'=>1, 'h5'=>1, 'h6'=>1, 'hgroup'=>1, 'i'=>1, 'kbd'=>1, 'label'=>1, 'legend'=>1, 'mark'=>1, 'meter'=>1, 'output'=>1, 'p'=>1, 'pre'=>1, 'progress'=>1, 'q'=>1, 'rb'=>1, 'rt'=>1, 's'=>1, 'samp'=>1, 'small'=>1, 'span'=>1, 'strike'=>1, 'strong'=>1, 'sub'=>1, 'summary'=>1, 'sup'=>1, 'time'=>1, 'tt'=>1, 'u'=>1, 'var'=>1); // Inline

+$cN = array('a'=>array('a'=>1, 'address'=>1, 'button'=>1, 'details'=>1, 'embed'=>1, 'keygen'=>1, 'label'=>1, 'select'=>1, 'textarea'=>1), 'address'=>array('address'=>1, 'article'=>1, 'aside'=>1, 'header'=>1, 'keygen'=>1, 'footer'=>1, 'nav'=>1, 'section'=>1), 'button'=>array('a'=>1, 'address'=>1, 'button'=>1, 'details'=>1, 'embed'=>1, 'fieldset'=>1, 'form'=>1, 'iframe'=>1, 'input'=>1, 'keygen'=>1, 'label'=>1, 'select'=>1, 'textarea'=>1), 'fieldset'=>array('fieldset'=>1), 'footer'=>array('header'=>1, 'footer'=>1), 'form'=>array('form'=>1), 'header'=>array('header'=>1, 'footer'=>1), 'label'=>array('label'=>1), 'main'=>array('main'=>1), 'meter'=>array('meter'=>1), 'noscript'=>array('script'=>1), 'pre'=>array('big'=>1, 'font'=>1, 'img'=>1, 'object'=>1, 'script'=>1, 'small'=>1, 'sub'=>1, 'sup'=>1), 'progress'=>array('progress'=>1), 'rb'=>array('ruby'=>1), 'rt'=>array('ruby'=>1), 'time'=>array('time'=>1), ); // Illegal

+$cN2 = array_keys($cN);

+$cS = array('colgroup'=>array('col'=>1), 'datalist'=>array('option'=>1), 'dir'=>array('li'=>1), 'dl'=>array('dd'=>1, 'dt'=>1), 'hgroup'=>array('h1'=>1, 'h2'=>1, 'h3'=>1, 'h4'=>1, 'h5'=>1, 'h6'=>1), 'menu'=>array('li'=>1), 'ol'=>array('li'=>1), 'optgroup'=>array('option'=>1), 'option'=>array('#pcdata'=>1), 'rbc'=>array('rb'=>1), 'rp'=>array('#pcdata'=>1), 'rtc'=>array('rt'=>1), 'ruby'=>array('rb'=>1, 'rbc'=>1, 'rp'=>1, 'rt'=>1, 'rtc'=>1), 'select'=>array('optgroup'=>1, 'option'=>1), 'script'=>array('#pcdata'=>1), 'table'=>array('caption'=>1, 'col'=>1, 'colgroup'=>1, 'tfoot'=>1, 'tbody'=>1, 'tr'=>1, 'thead'=>1), 'tbody'=>array('tr'=>1), 'tfoot'=>array('tr'=>1), 'textarea'=>array('#pcdata'=>1), 'thead'=>array('tr'=>1), 'tr'=>array('td'=>1, 'th'=>1), 'ul'=>array('li'=>1)); // Specific - immediate parent-child

+if($GLOBALS['C']['direct_list_nest']){$cS['ol'] = $cS['ul'] = $cS['menu'] += array('menu'=>1, 'ol'=>1, 'ul'=>1);}

+$cO = array('address'=>array('p'=>1), 'applet'=>array('param'=>1), 'audio'=>array('source'=>1, 'track'=>1), 'blockquote'=>array('script'=>1), 'details'=>array('summary'=>1), 'fieldset'=>array('legend'=>1, '#pcdata'=>1),  'figure'=>array('figcaption'=>1),'form'=>array('script'=>1), 'map'=>array('area'=>1), 'object'=>array('param'=>1, 'embed'=>1), 'video'=>array('source'=>1, 'track'=>1)); // Other

+$cT = array('colgroup'=>1, 'dd'=>1, 'dt'=>1, 'li'=>1, 'option'=>1, 'p'=>1, 'td'=>1, 'tfoot'=>1, 'th'=>1, 'thead'=>1, 'tr'=>1); // Omitable closing

+// block/inline type; a/ins/del both type; #pcdata: text

+$eB = array('a'=>1, 'address'=>1, 'article'=>1, 'aside'=>1, 'blockquote'=>1, 'center'=>1, 'del'=>1, 'details'=>1, 'dir'=>1, 'dl'=>1, 'div'=>1, 'fieldset'=>1, 'figure'=>1, 'footer'=>1, 'form'=>1, 'ins'=>1, 'h1'=>1, 'h2'=>1, 'h3'=>1, 'h4'=>1, 'h5'=>1, 'h6'=>1, 'header'=>1, 'hr'=>1, 'isindex'=>1, 'main'=>1, 'menu'=>1, 'nav'=>1, 'noscript'=>1, 'ol'=>1, 'p'=>1, 'pre'=>1, 'section'=>1, 'style'=>1, 'table'=>1, 'ul'=>1);

+$eI = array('#pcdata'=>1, 'a'=>1, 'abbr'=>1, 'acronym'=>1, 'applet'=>1, 'audio'=>1, 'b'=>1, 'bdi'=>1, 'bdo'=>1, 'big'=>1, 'br'=>1, 'button'=>1, 'canvas'=>1, 'cite'=>1, 'code'=>1, 'command'=>1, 'data'=>1, 'datalist'=>1, 'del'=>1, 'dfn'=>1, 'em'=>1, 'embed'=>1, 'figcaption'=>1, 'font'=>1, 'i'=>1, 'iframe'=>1, 'img'=>1, 'input'=>1, 'ins'=>1, 'kbd'=>1, 'label'=>1, 'link'=>1, 'map'=>1, 'mark'=>1, 'meta'=>1, 'meter'=>1, 'object'=>1, 'output'=>1, 'progress'=>1, 'q'=>1, 'ruby'=>1, 's'=>1, 'samp'=>1, 'select'=>1, 'script'=>1, 'small'=>1, 'span'=>1, 'strike'=>1, 'strong'=>1, 'sub'=>1, 'summary'=>1, 'sup'=>1, 'textarea'=>1, 'time'=>1, 'tt'=>1, 'u'=>1, 'var'=>1, 'video'=>1, 'wbr'=>1);

+$eN = array('a'=>1, 'address'=>1, 'article'=>1, 'aside'=>1, 'big'=>1, 'button'=>1, 'details'=>1, 'embed'=>1, 'fieldset'=>1, 'font'=>1, 'footer'=>1, 'form'=>1, 'header'=>1, 'iframe'=>1, 'img'=>1, 'input'=>1, 'keygen'=>1, 'label'=>1, 'meter'=>1, 'nav'=>1, 'object'=>1, 'progress'=>1, 'ruby'=>1, 'script'=>1, 'select'=>1, 'small'=>1, 'sub'=>1, 'sup'=>1, 'textarea'=>1, 'time'=>1); // Exclude from specific ele; $cN values

+$eO = array('area'=>1, 'caption'=>1, 'col'=>1, 'colgroup'=>1, 'command'=>1, 'dd'=>1, 'dt'=>1, 'hgroup'=>1, 'keygen'=>1, 'legend'=>1, 'li'=>1, 'optgroup'=>1, 'option'=>1, 'param'=>1, 'rb'=>1, 'rbc'=>1, 'rp'=>1, 'rt'=>1, 'rtc'=>1, 'script'=>1, 'source'=>1, 'tbody'=>1, 'td'=>1, 'tfoot'=>1, 'thead'=>1, 'th'=>1, 'tr'=>1, 'track'=>1); // Missing in $eB & $eI

+$eF = $eB + $eI;

+

+// $in sets allowed child

+$in = ((isset($eF[$in]) && $in != '#pcdata') or isset($eO[$in])) ? $in : 'div';

+if(isset($cE[$in])){

+ return (!$do ? '' : str_replace(array('<', '>'), array('&lt;', '&gt;'), $t));

+}

+if(isset($cS[$in])){$inOk = $cS[$in];}

+elseif(isset($cI[$in])){$inOk = $eI; $cI['del'] = 1; $cI['ins'] = 1;}

+elseif(isset($cF[$in])){$inOk = $eF; unset($cI['del'], $cI['ins']);}

+elseif(isset($cB[$in])){$inOk = $eB; unset($cI['del'], $cI['ins']);}

+if(isset($cO[$in])){$inOk = $inOk + $cO[$in];}

+if(isset($cN[$in])){$inOk = array_diff_assoc($inOk, $cN[$in]);}

+

+$t = explode('<', $t);

+$ok = $q = array(); // $q seq list of open non-empty ele

+ob_start();

+

+for($i=-1, $ci=count($t); ++$i<$ci;){

+ // allowed $ok in parent $p

+ if($ql = count($q)){

+  $p = array_pop($q);

+  $q[] = $p;

+  if(isset($cS[$p])){$ok = $cS[$p];}

+  elseif(isset($cI[$p])){$ok = $eI; $cI['del'] = 1; $cI['ins'] = 1;}

+  elseif(isset($cF[$p])){$ok = $eF; unset($cI['del'], $cI['ins']);}

+  elseif(isset($cB[$p])){$ok = $eB; unset($cI['del'], $cI['ins']);}

+  if(isset($cO[$p])){$ok = $ok + $cO[$p];}

+  if(isset($cN[$p])){$ok = array_diff_assoc($ok, $cN[$p]);}

+ }else{$ok = $inOk; unset($cI['del'], $cI['ins']);}

+ // bad tags, & ele content

+ if(isset($e) && ($do == 1 or (isset($ok['#pcdata']) && ($do == 3 or $do == 5)))){

+  echo '&lt;', $s, $e, $a, '&gt;';

+ }

+ if(isset($x[0])){

+  if(strlen(trim($x)) && (($ql && isset($cB[$p])) or (isset($cB[$in]) && !$ql))){

+   echo '<div>', $x, '</div>';

+  }

+  elseif($do < 3 or isset($ok['#pcdata'])){echo $x;}

+  elseif(strpos($x, "\x02\x04")){

+   foreach(preg_split('`(\x01\x02[^\x01\x02]+\x02\x01)`', $x, -1, PREG_SPLIT_DELIM_CAPTURE | PREG_SPLIT_NO_EMPTY) as $v){

+    echo (substr($v, 0, 2) == "\x01\x02" ? $v : ($do > 4 ? preg_replace('`\S`', '', $v) : ''));

+   }

+  }elseif($do > 4){echo preg_replace('`\S`', '', $x);}

+ }

+ // get markup

+ if(!preg_match('`^(/?)([a-z1-6]+)([^>]*)>(.*)`sm', $t[$i], $r)){$x = $t[$i]; continue;}

+ $s = null; $e = null; $a = null; $x = null; list($all, $s, $e, $a, $x) = $r;

+ // close tag

+ if($s){

+  if(isset($cE[$e]) or !in_array($e, $q)){continue;} // Empty/unopen

+  if($p == $e){array_pop($q); echo '</', $e, '>'; unset($e); continue;} // Last open

+  $add = ''; // Nesting - close open tags that need to be

+  for($j=-1, $cj=count($q); ++$j<$cj;){  

+   if(($d = array_pop($q)) == $e){break;}

+   else{$add .= "</{$d}>";}

+  }

+  echo $add, '</', $e, '>'; unset($e); continue;

+ }

+ // open tag

+ // $cB ele needs $eB ele as child

+ if(isset($cB[$e]) && strlen(trim($x))){

+  $t[$i] = "{$e}{$a}>";

+  array_splice($t, $i+1, 0, 'div>'. $x); unset($e, $x); ++$ci; --$i; continue;

+ }

+ if((($ql && isset($cB[$p])) or (isset($cB[$in]) && !$ql)) && !isset($eB[$e]) && !isset($ok[$e])){

+  array_splice($t, $i, 0, 'div>'); unset($e, $x); ++$ci; --$i; continue;

+ }

+ // if no open ele, $in = parent; mostly immediate parent-child relation should hold

+ if(!$ql or !isset($eN[$e]) or !array_intersect($q, $cN2)){

+  if(!isset($ok[$e])){

+   if($ql && isset($cT[$p])){echo '</', array_pop($q), '>'; unset($e, $x); --$i;}

+   continue;

+  }

+  if(!isset($cE[$e])){$q[] = $e;}

+  echo '<', $e, $a, '>'; unset($e); continue;

+ }

+ // specific parent-child

+ if(isset($cS[$p][$e])){

+  if(!isset($cE[$e])){$q[] = $e;}

+  echo '<', $e, $a, '>'; unset($e); continue;

+ }

+ // nesting

+ $add = '';

+ $q2 = array();

+ for($k=-1, $kc=count($q); ++$k<$kc;){

+  $d = $q[$k];

+  $ok2 = array();

+  if(isset($cS[$d])){$q2[] = $d; continue;}

+  $ok2 = isset($cI[$d]) ? $eI : $eF;

+  if(isset($cO[$d])){$ok2 = $ok2 + $cO[$d];}

+  if(isset($cN[$d])){$ok2 = array_diff_assoc($ok2, $cN[$d]);}

+  if(!isset($ok2[$e])){

+   if(!$k && !isset($inOk[$e])){continue 2;}

+   $add = "</{$d}>";

+   for(;++$k<$kc;){$add = "</{$q[$k]}>{$add}";}

+   break;

+  }

+  else{$q2[] = $d;}

+ }

+ $q = $q2;

+ if(!isset($cE[$e])){$q[] = $e;}

+ echo $add, '<', $e, $a, '>'; unset($e); continue;

+}

+

+// end

+if($ql = count($q)){

+ $p = array_pop($q);

+ $q[] = $p;

+ if(isset($cS[$p])){$ok = $cS[$p];}

+ elseif(isset($cI[$p])){$ok = $eI; $cI['del'] = 1; $cI['ins'] = 1;}

+ elseif(isset($cF[$p])){$ok = $eF; unset($cI['del'], $cI['ins']);}

+ elseif(isset($cB[$p])){$ok = $eB; unset($cI['del'], $cI['ins']);}

+ if(isset($cO[$p])){$ok = $ok + $cO[$p];}

+ if(isset($cN[$p])){$ok = array_diff_assoc($ok, $cN[$p]);}

+}else{$ok = $inOk; unset($cI['del'], $cI['ins']);}

+if(isset($e) && ($do == 1 or (isset($ok['#pcdata']) && ($do == 3 or $do == 5)))){

+ echo '&lt;', $s, $e, $a, '&gt;';

+}

+if(isset($x[0])){

+ if(strlen(trim($x)) && (($ql && isset($cB[$p])) or (isset($cB[$in]) && !$ql))){

+  echo '<div>', $x, '</div>';

+ }

+ elseif($do < 3 or isset($ok['#pcdata'])){echo $x;}

+ elseif(strpos($x, "\x02\x04")){

+  foreach(preg_split('`(\x01\x02[^\x01\x02]+\x02\x01)`', $x, -1, PREG_SPLIT_DELIM_CAPTURE | PREG_SPLIT_NO_EMPTY) as $v){

+   echo (substr($v, 0, 2) == "\x01\x02" ? $v : ($do > 4 ? preg_replace('`\S`', '', $v) : ''));

+  }

+ }elseif($do > 4){echo preg_replace('`\S`', '', $x);}

+}

+while(!empty($q) && ($e = array_pop($q))){echo '</', $e, '>';}

+$o = ob_get_contents();

+ob_end_clean();

+return $o;

+}

+

+function hl_cmtcd($t){

+// comment/CDATA sec handler

+$t = $t[0];

+global $C;

+if(!($v = $C[$n = $t[3] == '-' ? 'comment' : 'cdata'])){return $t;}

+if($v == 1){return '';}

+if($n == 'comment' && $v < 4){

+ if(substr(($t = preg_replace('`--+`', '-', substr($t, 4, -3))), -1) != ' '){$t .= ' ';}

+}

+else{$t = substr($t, 1, -1);}

+$t = $v == 2 ? str_replace(array('&', '<', '>'), array('&amp;', '&lt;', '&gt;'), $t) : $t;

+return str_replace(array('&', '<', '>'), array("\x03", "\x04", "\x05"), ($n == 'comment' ? "\x01\x02\x04!--$t--\x05\x02\x01" : "\x01\x01\x04$t\x05\x01\x01"));

+}

+

+function hl_ent($t){

+// entitity handler

+global $C;

+$t = $t[1];

+static $U = array('quot'=>1,'amp'=>1,'lt'=>1,'gt'=>1);

+static $N = array('fnof'=>'402', 'Alpha'=>'913', 'Beta'=>'914', 'Gamma'=>'915', 'Delta'=>'916', 'Epsilon'=>'917', 'Zeta'=>'918', 'Eta'=>'919', 'Theta'=>'920', 'Iota'=>'921', 'Kappa'=>'922', 'Lambda'=>'923', 'Mu'=>'924', 'Nu'=>'925', 'Xi'=>'926', 'Omicron'=>'927', 'Pi'=>'928', 'Rho'=>'929', 'Sigma'=>'931', 'Tau'=>'932', 'Upsilon'=>'933', 'Phi'=>'934', 'Chi'=>'935', 'Psi'=>'936', 'Omega'=>'937', 'alpha'=>'945', 'beta'=>'946', 'gamma'=>'947', 'delta'=>'948', 'epsilon'=>'949', 'zeta'=>'950', 'eta'=>'951', 'theta'=>'952', 'iota'=>'953', 'kappa'=>'954', 'lambda'=>'955', 'mu'=>'956', 'nu'=>'957', 'xi'=>'958', 'omicron'=>'959', 'pi'=>'960', 'rho'=>'961', 'sigmaf'=>'962', 'sigma'=>'963', 'tau'=>'964', 'upsilon'=>'965', 'phi'=>'966', 'chi'=>'967', 'psi'=>'968', 'omega'=>'969', 'thetasym'=>'977', 'upsih'=>'978', 'piv'=>'982', 'bull'=>'8226', 'hellip'=>'8230', 'prime'=>'8242', 'Prime'=>'8243', 'oline'=>'8254', 'frasl'=>'8260', 'weierp'=>'8472', 'image'=>'8465', 'real'=>'8476', 'trade'=>'8482', 'alefsym'=>'8501', 'larr'=>'8592', 'uarr'=>'8593', 'rarr'=>'8594', 'darr'=>'8595', 'harr'=>'8596', 'crarr'=>'8629', 'lArr'=>'8656', 'uArr'=>'8657', 'rArr'=>'8658', 'dArr'=>'8659', 'hArr'=>'8660', 'forall'=>'8704', 'part'=>'8706', 'exist'=>'8707', 'empty'=>'8709', 'nabla'=>'8711', 'isin'=>'8712', 'notin'=>'8713', 'ni'=>'8715', 'prod'=>'8719', 'sum'=>'8721', 'minus'=>'8722', 'lowast'=>'8727', 'radic'=>'8730', 'prop'=>'8733', 'infin'=>'8734', 'ang'=>'8736', 'and'=>'8743', 'or'=>'8744', 'cap'=>'8745', 'cup'=>'8746', 'int'=>'8747', 'there4'=>'8756', 'sim'=>'8764', 'cong'=>'8773', 'asymp'=>'8776', 'ne'=>'8800', 'equiv'=>'8801', 'le'=>'8804', 'ge'=>'8805', 'sub'=>'8834', 'sup'=>'8835', 'nsub'=>'8836', 'sube'=>'8838', 'supe'=>'8839', 'oplus'=>'8853', 'otimes'=>'8855', 'perp'=>'8869', 'sdot'=>'8901', 'lceil'=>'8968', 'rceil'=>'8969', 'lfloor'=>'8970', 'rfloor'=>'8971', 'lang'=>'9001', 'rang'=>'9002', 'loz'=>'9674', 'spades'=>'9824', 'clubs'=>'9827', 'hearts'=>'9829', 'diams'=>'9830', 'apos'=>'39',  'OElig'=>'338', 'oelig'=>'339', 'Scaron'=>'352', 'scaron'=>'353', 'Yuml'=>'376', 'circ'=>'710', 'tilde'=>'732', 'ensp'=>'8194', 'emsp'=>'8195', 'thinsp'=>'8201', 'zwnj'=>'8204', 'zwj'=>'8205', 'lrm'=>'8206', 'rlm'=>'8207', 'ndash'=>'8211', 'mdash'=>'8212', 'lsquo'=>'8216', 'rsquo'=>'8217', 'sbquo'=>'8218', 'ldquo'=>'8220', 'rdquo'=>'8221', 'bdquo'=>'8222', 'dagger'=>'8224', 'Dagger'=>'8225', 'permil'=>'8240', 'lsaquo'=>'8249', 'rsaquo'=>'8250', 'euro'=>'8364', 'nbsp'=>'160', 'iexcl'=>'161', 'cent'=>'162', 'pound'=>'163', 'curren'=>'164', 'yen'=>'165', 'brvbar'=>'166', 'sect'=>'167', 'uml'=>'168', 'copy'=>'169', 'ordf'=>'170', 'laquo'=>'171', 'not'=>'172', 'shy'=>'173', 'reg'=>'174', 'macr'=>'175', 'deg'=>'176', 'plusmn'=>'177', 'sup2'=>'178', 'sup3'=>'179', 'acute'=>'180', 'micro'=>'181', 'para'=>'182', 'middot'=>'183', 'cedil'=>'184', 'sup1'=>'185', 'ordm'=>'186', 'raquo'=>'187', 'frac14'=>'188', 'frac12'=>'189', 'frac34'=>'190', 'iquest'=>'191', 'Agrave'=>'192', 'Aacute'=>'193', 'Acirc'=>'194', 'Atilde'=>'195', 'Auml'=>'196', 'Aring'=>'197', 'AElig'=>'198', 'Ccedil'=>'199', 'Egrave'=>'200', 'Eacute'=>'201', 'Ecirc'=>'202', 'Euml'=>'203', 'Igrave'=>'204', 'Iacute'=>'205', 'Icirc'=>'206', 'Iuml'=>'207', 'ETH'=>'208', 'Ntilde'=>'209', 'Ograve'=>'210', 'Oacute'=>'211', 'Ocirc'=>'212', 'Otilde'=>'213', 'Ouml'=>'214', 'times'=>'215', 'Oslash'=>'216', 'Ugrave'=>'217', 'Uacute'=>'218', 'Ucirc'=>'219', 'Uuml'=>'220', 'Yacute'=>'221', 'THORN'=>'222', 'szlig'=>'223', 'agrave'=>'224', 'aacute'=>'225', 'acirc'=>'226', 'atilde'=>'227', 'auml'=>'228', 'aring'=>'229', 'aelig'=>'230', 'ccedil'=>'231', 'egrave'=>'232', 'eacute'=>'233', 'ecirc'=>'234', 'euml'=>'235', 'igrave'=>'236', 'iacute'=>'237', 'icirc'=>'238', 'iuml'=>'239', 'eth'=>'240', 'ntilde'=>'241', 'ograve'=>'242', 'oacute'=>'243', 'ocirc'=>'244', 'otilde'=>'245', 'ouml'=>'246', 'divide'=>'247', 'oslash'=>'248', 'ugrave'=>'249', 'uacute'=>'250', 'ucirc'=>'251', 'uuml'=>'252', 'yacute'=>'253', 'thorn'=>'254', 'yuml'=>'255');

+if($t[0] != '#'){

+ return ($C['and_mark'] ? "\x06" : '&'). (isset($U[$t]) ? $t : (isset($N[$t]) ? (!$C['named_entity'] ? '#'. ($C['hexdec_entity'] > 1 ? 'x'. dechex($N[$t]) : $N[$t]) : $t) : 'amp;'. $t)). ';';

+}

+if(($n = ctype_digit($t = substr($t, 1)) ? intval($t) : hexdec(substr($t, 1))) < 9 or ($n > 13 && $n < 32) or $n == 11 or $n == 12 or ($n > 126 && $n < 160 && $n != 133) or ($n > 55295 && ($n < 57344 or ($n > 64975 && $n < 64992) or $n == 65534 or $n == 65535 or $n > 1114111))){

+ return ($C['and_mark'] ? "\x06" : '&'). "amp;#{$t};";

+}

+return ($C['and_mark'] ? "\x06" : '&'). '#'. (((ctype_digit($t) && $C['hexdec_entity'] < 2) or !$C['hexdec_entity']) ? $n : 'x'. dechex($n)). ';';

+}

+

+function hl_prot($p, $c=null){

+// check URL scheme

+global $C;

+$b = $a = '';

+if($c == null){$c = 'style'; $b = $p[1]; $a = $p[3]; $p = trim($p[2]);}

+$c = isset($C['schemes'][$c]) ? $C['schemes'][$c] : $C['schemes']['*'];

+static $d = 'denied:';

+if(isset($c['!']) && substr($p, 0, 7) != $d){$p = "$d$p";}

+if(isset($c['*']) or !strcspn($p, '#?;') or (substr($p, 0, 7) == $d)){return "{$b}{$p}{$a}";} // All ok, frag, query, param

+if(preg_match('`^([^:?[@!$()*,=/\'\]]+?)(:|&#(58|x3a);|%3a|\\\\0{0,4}3a).`i', $p, $m) && !isset($c[strtolower($m[1])])){ // Denied prot

+ return "{$b}{$d}{$p}{$a}";

+}

+if($C['abs_url']){

+ if($C['abs_url'] == -1 && strpos($p, $C['base_url']) === 0){ // Make url rel

+  $p = substr($p, strlen($C['base_url']));

+ }elseif(empty($m[1])){ // Make URL abs

+  if(substr($p, 0, 2) == '//'){$p = substr($C['base_url'], 0, strpos($C['base_url'], ':')+1). $p;}

+  elseif($p[0] == '/'){$p = preg_replace('`(^.+?://[^/]+)(.*)`', '$1', $C['base_url']). $p;}

+  elseif(strcspn($p, './')){$p = $C['base_url']. $p;}

+  else{

+   preg_match('`^([a-zA-Z\d\-+.]+://[^/]+)(.*)`', $C['base_url'], $m);

+   $p = preg_replace('`(?<=/)\./`', '', $m[2]. $p);

+   while(preg_match('`(?<=/)([^/]{3,}|[^/.]+?|\.[^/.]|[^/.]\.)/\.\./`', $p)){

+    $p = preg_replace('`(?<=/)([^/]{3,}|[^/.]+?|\.[^/.]|[^/.]\.)/\.\./`', '', $p);

+   }

+   $p = $m[1]. $p;

+  }

+ }

+}

+return "{$b}{$p}{$a}";

+}

+

+function hl_regex($p){

+// check regex

+if(empty($p)){return 0;}

+if($v = function_exists('error_clear_last') && function_exists('error_get_last')){error_clear_last();}

+else{

+ if($t = ini_get('track_errors')){$o = isset($php_errormsg) ? $php_errormsg : null;}

+ else{ini_set('track_errors', 1);}

+ unset($php_errormsg);

+}

+if(($d = ini_get('display_errors'))){ini_set('display_errors', 0);}

+preg_match($p, '');

+if($v){$r = error_get_last() == null ? 1 : 0; }

+else{

+ $r = isset($php_errormsg) ? 0 : 1;

+ if($t){$php_errormsg = isset($o) ? $o : null;}

+ else{ini_set('track_errors', 0);}

+}

+if($d){ini_set('display_errors', 1);}

+return $r;

+}

+

+function hl_spec($t){

+// final $spec

+$s = array();

+if(!function_exists('hl_aux1')){function hl_aux1($m){

+ return substr(str_replace(array(";", "|", "~", " ", ",", "/", "(", ")", '`"'), array("\x01", "\x02", "\x03", "\x04", "\x05", "\x06", "\x07", "\x08", '"'), $m[0]), 1, -1);

+}}

+$t = str_replace(array("\t", "\r", "\n", ' '), '', preg_replace_callback('/"(?>(`.|[^"])*)"/sm', 'hl_aux1', trim($t))); 

+for($i = count(($t = explode(';', $t))); --$i>=0;){

+ $w = $t[$i];

+ if(empty($w) or ($e = strpos($w, '=')) === false or !strlen(($a =  substr($w, $e+1)))){continue;}

+ $y = $n = array();

+ foreach(explode(',', $a) as $v){

+  if(!preg_match('`^([a-z:\-\*]+)(?:\((.*?)\))?`i', $v, $m)){continue;}

+  if(($x = strtolower($m[1])) == '-*'){$n['*'] = 1; continue;}

+  if($x[0] == '-'){$n[substr($x, 1)] = 1; continue;}

+  if(!isset($m[2])){$y[$x] = 1; continue;}

+  foreach(explode('/', $m[2]) as $m){

+   if(empty($m) or ($p = strpos($m, '=')) == 0 or $p < 5){$y[$x] = 1; continue;}

+   $y[$x][strtolower(substr($m, 0, $p))] = str_replace(array("\x01", "\x02", "\x03", "\x04", "\x05", "\x06", "\x07", "\x08"), array(";", "|", "~", " ", ",", "/", "(", ")"), substr($m, $p+1));

+  }

+  if(isset($y[$x]['match']) && !hl_regex($y[$x]['match'])){unset($y[$x]['match']);}

+  if(isset($y[$x]['nomatch']) && !hl_regex($y[$x]['nomatch'])){unset($y[$x]['nomatch']);}

+ }

+ if(!count($y) && !count($n)){continue;}

+ foreach(explode(',', substr($w, 0, $e)) as $v){

+  if(!strlen(($v = strtolower($v)))){continue;}

+  if(count($y)){if(!isset($s[$v])){$s[$v] = $y;} else{$s[$v] = array_merge($s[$v], $y);}}

+  if(count($n)){if(!isset($s[$v]['n'])){$s[$v]['n'] = $n;} else{$s[$v]['n'] = array_merge($s[$v]['n'], $n);}}

+ }

+}

+return $s;

+}

+

+function hl_tag($t){

+// tag/attribute handler

+global $C;

+$t = $t[0];

+// invalid < >

+if($t == '< '){return '&lt; ';}

+if($t == '>'){return '&gt;';}

+if(!preg_match('`^<(/?)([a-zA-Z][a-zA-Z1-6]*)([^>]*?)\s?>$`m', $t, $m)){

+ return str_replace(array('<', '>'), array('&lt;', '&gt;'), $t);

+}elseif(!isset($C['elements'][($e = strtolower($m[2]))])){

+ return (($C['keep_bad']%2) ? str_replace(array('<', '>'), array('&lt;', '&gt;'), $t) : '');

+}

+// attr string

+$a = str_replace(array("\n", "\r", "\t"), ' ', trim($m[3]));

+// tag transform

+static $eD = array('acronym'=>1, 'applet'=>1, 'big'=>1, 'center'=>1, 'dir'=>1, 'font'=>1, 'isindex'=>1, 's'=>1, 'strike'=>1, 'tt'=>1); // Deprecated

+if($C['make_tag_strict'] && isset($eD[$e])){

+ $trt = hl_tag2($e, $a, $C['make_tag_strict']);

+ if(!$e){return (($C['keep_bad']%2) ? str_replace(array('<', '>'), array('&lt;', '&gt;'), $t) : '');}

+}

+// close tag

+static $eE = array('area'=>1, 'br'=>1, 'col'=>1, 'command'=>1, 'embed'=>1, 'hr'=>1, 'img'=>1, 'input'=>1, 'isindex'=>1, 'keygen'=>1, 'link'=>1, 'meta'=>1, 'param'=>1, 'source'=>1, 'track'=>1, 'wbr'=>1); // Empty ele

+if(!empty($m[1])){

+ return (!isset($eE[$e]) ? (empty($C['hook_tag']) ? "</$e>" : $C['hook_tag']($e)) : (($C['keep_bad'])%2 ? str_replace(array('<', '>'), array('&lt;', '&gt;'), $t) : ''));

+}

+

+// open tag & attr

+static $aN = array('abbr'=>array('td'=>1, 'th'=>1), 'accept'=>array('form'=>1, 'input'=>1), 'accept-charset'=>array('form'=>1), 'action'=>array('form'=>1), 'align'=>array('applet'=>1, 'caption'=>1, 'col'=>1, 'colgroup'=>1, 'div'=>1, 'embed'=>1, 'h1'=>1, 'h2'=>1, 'h3'=>1, 'h4'=>1, 'h5'=>1, 'h6'=>1, 'hr'=>1, 'iframe'=>1, 'img'=>1, 'input'=>1, 'legend'=>1, 'object'=>1, 'p'=>1, 'table'=>1, 'tbody'=>1, 'td'=>1, 'tfoot'=>1, 'th'=>1, 'thead'=>1, 'tr'=>1), 'allowfullscreen'=>array('iframe'=>1), 'alt'=>array('applet'=>1, 'area'=>1, 'img'=>1, 'input'=>1), 'archive'=>array('applet'=>1, 'object'=>1), 'async'=>array('script'=>1), 'autocomplete'=>array('form'=>1, 'input'=>1), 'autofocus'=>array('button'=>1, 'input'=>1, 'keygen'=>1, 'select'=>1, 'textarea'=>1), 'autoplay'=>array('audio'=>1, 'video'=>1), 'axis'=>array('td'=>1, 'th'=>1), 'bgcolor'=>array('embed'=>1, 'table'=>1, 'td'=>1, 'th'=>1, 'tr'=>1), 'border'=>array('img'=>1, 'object'=>1, 'table'=>1), 'bordercolor'=>array('table'=>1, 'td'=>1, 'tr'=>1), 'cellpadding'=>array('table'=>1), 'cellspacing'=>array('table'=>1), 'challenge'=>array('keygen'=>1), 'char'=>array('col'=>1, 'colgroup'=>1, 'tbody'=>1, 'td'=>1, 'tfoot'=>1, 'th'=>1, 'thead'=>1, 'tr'=>1), 'charoff'=>array('col'=>1, 'colgroup'=>1, 'tbody'=>1, 'td'=>1, 'tfoot'=>1, 'th'=>1, 'thead'=>1, 'tr'=>1), 'charset'=>array('a'=>1, 'script'=>1), 'checked'=>array('command'=>1, 'input'=>1), 'cite'=>array('blockquote'=>1, 'del'=>1, 'ins'=>1, 'q'=>1), 'classid'=>array('object'=>1), 'clear'=>array('br'=>1), 'code'=>array('applet'=>1), 'codebase'=>array('applet'=>1, 'object'=>1), 'codetype'=>array('object'=>1), 'color'=>array('font'=>1), 'cols'=>array('textarea'=>1), 'colspan'=>array('td'=>1, 'th'=>1), 'compact'=>array('dir'=>1, 'dl'=>1, 'menu'=>1, 'ol'=>1, 'ul'=>1), 'content'=>array('meta'=>1), 'controls'=>array('audio'=>1, 'video'=>1), 'coords'=>array('a'=>1, 'area'=>1), 'crossorigin'=>array('img'=>1), 'data'=>array('object'=>1), 'datetime'=>array('del'=>1, 'ins'=>1, 'time'=>1), 'declare'=>array('object'=>1), 'default'=>array('track'=>1), 'defer'=>array('script'=>1), 'dirname'=>array('input'=>1, 'textarea'=>1), 'disabled'=>array('button'=>1, 'command'=>1, 'fieldset'=>1, 'input'=>1, 'keygen'=>1, 'optgroup'=>1, 'option'=>1, 'select'=>1, 'textarea'=>1), 'download'=>array('a'=>1), 'enctype'=>array('form'=>1), 'face'=>array('font'=>1), 'flashvars'=>array('embed'=>1), 'for'=>array('label'=>1, 'output'=>1), 'form'=>array('button'=>1, 'fieldset'=>1, 'input'=>1, 'keygen'=>1, 'label'=>1, 'object'=>1, 'output'=>1, 'select'=>1, 'textarea'=>1), 'formaction'=>array('button'=>1, 'input'=>1), 'formenctype'=>array('button'=>1, 'input'=>1), 'formmethod'=>array('button'=>1, 'input'=>1), 'formnovalidate'=>array('button'=>1, 'input'=>1), 'formtarget'=>array('button'=>1, 'input'=>1), 'frame'=>array('table'=>1), 'frameborder'=>array('iframe'=>1), 'headers'=>array('td'=>1, 'th'=>1), 'height'=>array('applet'=>1, 'canvas'=>1, 'embed'=>1, 'iframe'=>1, 'img'=>1, 'input'=>1, 'object'=>1, 'td'=>1, 'th'=>1, 'video'=>1), 'high'=>array('meter'=>1), 'href'=>array('a'=>1, 'area'=>1, 'link'=>1), 'hreflang'=>array('a'=>1, 'area'=>1, 'link'=>1), 'hspace'=>array('applet'=>1, 'embed'=>1, 'img'=>1, 'object'=>1), 'icon'=>array('command'=>1), 'ismap'=>array('img'=>1, 'input'=>1), 'keyparams'=>array('keygen'=>1), 'keytype'=>array('keygen'=>1), 'kind'=>array('track'=>1), 'label'=>array('command'=>1, 'menu'=>1, 'option'=>1, 'optgroup'=>1, 'track'=>1), 'language'=>array('script'=>1), 'list'=>array('input'=>1), 'longdesc'=>array('img'=>1, 'iframe'=>1), 'loop'=>array('audio'=>1, 'video'=>1), 'low'=>array('meter'=>1), 'marginheight'=>array('iframe'=>1), 'marginwidth'=>array('iframe'=>1), 'max'=>array('input'=>1, 'meter'=>1, 'progress'=>1), 'maxlength'=>array('input'=>1, 'textarea'=>1), 'media'=>array('a'=>1, 'area'=>1, 'link'=>1, 'source'=>1, 'style'=>1), 'mediagroup'=>array('audio'=>1, 'video'=>1), 'method'=>array('form'=>1), 'min'=>array('input'=>1, 'meter'=>1), 'model'=>array('embed'=>1), 'multiple'=>array('input'=>1, 'select'=>1), 'muted'=>array('audio'=>1, 'video'=>1), 'name'=>array('a'=>1, 'applet'=>1, 'button'=>1, 'embed'=>1, 'fieldset'=>1, 'form'=>1, 'iframe'=>1, 'img'=>1, 'input'=>1, 'keygen'=>1, 'map'=>1, 'object'=>1, 'output'=>1, 'param'=>1, 'select'=>1, 'textarea'=>1), 'nohref'=>array('area'=>1), 'noshade'=>array('hr'=>1), 'novalidate'=>array('form'=>1), 'nowrap'=>array('td'=>1, 'th'=>1), 'object'=>array('applet'=>1), 'open'=>array('details'=>1), 'optimum'=>array('meter'=>1), 'pattern'=>array('input'=>1), 'ping'=>array('a'=>1, 'area'=>1), 'placeholder'=>array('input'=>1, 'textarea'=>1), 'pluginspage'=>array('embed'=>1), 'pluginurl'=>array('embed'=>1), 'poster'=>array('video'=>1), 'pqg'=>array('keygen'=>1), 'preload'=>array('audio'=>1, 'video'=>1), 'prompt'=>array('isindex'=>1), 'pubdate'=>array('time'=>1), 'radiogroup'=>array('command'=>1), 'readonly'=>array('input'=>1, 'textarea'=>1), 'rel'=>array('a'=>1, 'area'=>1, 'link'=>1), 'required'=>array('input'=>1, 'select'=>1, 'textarea'=>1), 'rev'=>array('a'=>1), 'reversed'=>array('ol'=>1), 'rows'=>array('textarea'=>1), 'rowspan'=>array('td'=>1, 'th'=>1), 'rules'=>array('table'=>1), 'sandbox'=>array('iframe'=>1), 'scope'=>array('td'=>1, 'th'=>1), 'scoped'=>array('style'=>1), 'scrolling'=>array('iframe'=>1), 'seamless'=>array('iframe'=>1), 'selected'=>array('option'=>1), 'shape'=>array('a'=>1, 'area'=>1), 'size'=>array('font'=>1, 'hr'=>1, 'input'=>1, 'select'=>1), 'sizes'=>array('link'=>1), 'span'=>array('col'=>1, 'colgroup'=>1), 'src'=>array('audio'=>1, 'embed'=>1, 'iframe'=>1, 'img'=>1, 'input'=>1, 'script'=>1, 'source'=>1, 'track'=>1, 'video'=>1), 'srcdoc'=>array('iframe'=>1), 'srclang'=>array('track'=>1), 'srcset'=>array('img'=>1), 'standby'=>array('object'=>1), 'start'=>array('ol'=>1), 'step'=>array('input'=>1), 'summary'=>array('table'=>1), 'target'=>array('a'=>1, 'area'=>1, 'form'=>1), 'type'=>array('a'=>1, 'area'=>1, 'button'=>1, 'command'=>1, 'embed'=>1, 'input'=>1, 'li'=>1, 'link'=>1, 'menu'=>1, 'object'=>1, 'ol'=>1, 'param'=>1, 'script'=>1, 'source'=>1, 'style'=>1, 'ul'=>1), 'typemustmatch'=>array('object'=>1), 'usemap'=>array('img'=>1, 'input'=>1, 'object'=>1), 'valign'=>array('col'=>1, 'colgroup'=>1, 'tbody'=>1, 'td'=>1, 'tfoot'=>1, 'th'=>1, 'thead'=>1, 'tr'=>1), 'value'=>array('button'=>1, 'data'=>1, 'input'=>1, 'li'=>1, 'meter'=>1, 'option'=>1, 'param'=>1, 'progress'=>1), 'valuetype'=>array('param'=>1), 'vspace'=>array('applet'=>1, 'embed'=>1, 'img'=>1, 'object'=>1), 'width'=>array('applet'=>1, 'canvas'=>1, 'col'=>1, 'colgroup'=>1, 'embed'=>1, 'hr'=>1, 'iframe'=>1, 'img'=>1, 'input'=>1, 'object'=>1, 'pre'=>1, 'table'=>1, 'td'=>1, 'th'=>1, 'video'=>1), 'wmode'=>array('embed'=>1), 'wrap'=>array('textarea'=>1)); // Ele-specific

+static $aNA = array('aria-activedescendant'=>1, 'aria-atomic'=>1, 'aria-autocomplete'=>1, 'aria-busy'=>1, 'aria-checked'=>1, 'aria-controls'=>1, 'aria-describedby'=>1, 'aria-disabled'=>1, 'aria-dropeffect'=>1, 'aria-expanded'=>1, 'aria-flowto'=>1, 'aria-grabbed'=>1, 'aria-haspopup'=>1, 'aria-hidden'=>1, 'aria-invalid'=>1, 'aria-label'=>1, 'aria-labelledby'=>1, 'aria-level'=>1, 'aria-live'=>1, 'aria-multiline'=>1, 'aria-multiselectable'=>1, 'aria-orientation'=>1, 'aria-owns'=>1, 'aria-posinset'=>1, 'aria-pressed'=>1, 'aria-readonly'=>1, 'aria-relevant'=>1, 'aria-required'=>1, 'aria-selected'=>1, 'aria-setsize'=>1, 'aria-sort'=>1, 'aria-valuemax'=>1, 'aria-valuemin'=>1, 'aria-valuenow'=>1, 'aria-valuetext'=>1); // ARIA

+static $aNE = array('allowfullscreen'=>1, 'checkbox'=>1, 'checked'=>1, 'command'=>1, 'compact'=>1, 'declare'=>1, 'defer'=>1, 'default'=>1, 'disabled'=>1, 'hidden'=>1, 'inert'=>1, 'ismap'=>1, 'itemscope'=>1, 'multiple'=>1, 'nohref'=>1, 'noresize'=>1, 'noshade'=>1, 'nowrap'=>1, 'open'=>1, 'radio'=>1, 'readonly'=>1, 'required'=>1, 'reversed'=>1, 'selected'=>1); // Empty

+static $aNO = array('onabort'=>1, 'onblur'=>1, 'oncanplay'=>1, 'oncanplaythrough'=>1, 'onchange'=>1, 'onclick'=>1, 'oncontextmenu'=>1, 'oncopy'=>1, 'oncuechange'=>1, 'oncut'=>1, 'ondblclick'=>1, 'ondrag'=>1, 'ondragend'=>1, 'ondragenter'=>1, 'ondragleave'=>1, 'ondragover'=>1, 'ondragstart'=>1, 'ondrop'=>1, 'ondurationchange'=>1, 'onemptied'=>1, 'onended'=>1, 'onerror'=>1, 'onfocus'=>1, 'onformchange'=>1, 'onforminput'=>1, 'oninput'=>1, 'oninvalid'=>1, 'onkeydown'=>1, 'onkeypress'=>1, 'onkeyup'=>1, 'onload'=>1, 'onloadeddata'=>1, 'onloadedmetadata'=>1, 'onloadstart'=>1, 'onlostpointercapture'=>1, 'onmousedown'=>1, 'onmousemove'=>1, 'onmouseout'=>1, 'onmouseover'=>1, 'onmouseup'=>1, 'onmousewheel'=>1, 'onpaste'=>1, 'onpause'=>1, 'onplay'=>1, 'onplaying'=>1, 'onpointercancel'=>1, 'ongotpointercapture'=>1, 'onpointerdown'=>1, 'onpointerenter'=>1, 'onpointerleave'=>1, 'onpointermove'=>1, 'onpointerout'=>1, 'onpointerover'=>1, 'onpointerup'=>1, 'onprogress'=>1, 'onratechange'=>1, 'onreadystatechange'=>1, 'onreset'=>1, 'onsearch'=>1, 'onscroll'=>1, 'onseeked'=>1, 'onseeking'=>1, 'onselect'=>1, 'onshow'=>1, 'onstalled'=>1, 'onsubmit'=>1, 'onsuspend'=>1, 'ontimeupdate'=>1, 'ontoggle'=>1, 'ontouchcancel'=>1, 'ontouchend'=>1, 'ontouchmove'=>1, 'ontouchstart'=>1, 'onvolumechange'=>1, 'onwaiting'=>1, 'onwheel'=>1); // Event

+static $aNP = array('action'=>1, 'cite'=>1, 'classid'=>1, 'codebase'=>1, 'data'=>1, 'href'=>1, 'itemtype'=>1, 'longdesc'=>1, 'model'=>1, 'pluginspage'=>1, 'pluginurl'=>1, 'src'=>1, 'srcset'=>1, 'usemap'=>1); // Need scheme check; excludes style, on*

+static $aNU = array('accesskey'=>1, 'class'=>1, 'contenteditable'=>1, 'contextmenu'=>1, 'dir'=>1, 'draggable'=>1, 'dropzone'=>1, 'hidden'=>1, 'id'=>1, 'inert'=>1, 'itemid'=>1, 'itemprop'=>1, 'itemref'=>1, 'itemscope'=>1, 'itemtype'=>1, 'lang'=>1, 'role'=>1, 'spellcheck'=>1, 'style'=>1, 'tabindex'=>1, 'title'=>1, 'translate'=>1, 'xmlns'=>1, 'xml:base'=>1, 'xml:lang'=>1, 'xml:space'=>1); // Univ; excludes on*, aria*

+

+if($C['lc_std_val']){

+ // predef attr vals for $eAL & $aNE ele

+ static $aNL = array('all'=>1, 'auto'=>1, 'baseline'=>1, 'bottom'=>1, 'button'=>1, 'captions'=>1, 'center'=>1, 'chapters'=>1, 'char'=>1, 'checkbox'=>1, 'circle'=>1, 'col'=>1, 'colgroup'=>1, 'color'=>1, 'cols'=>1, 'data'=>1, 'date'=>1, 'datetime'=>1, 'datetime-local'=>1, 'default'=>1, 'descriptions'=>1, 'email'=>1, 'file'=>1, 'get'=>1, 'groups'=>1, 'hidden'=>1, 'image'=>1, 'justify'=>1, 'left'=>1, 'ltr'=>1, 'metadata'=>1, 'middle'=>1, 'month'=>1, 'none'=>1, 'number'=>1, 'object'=>1, 'password'=>1, 'poly'=>1, 'post'=>1, 'preserve'=>1, 'radio'=>1, 'range'=>1, 'rect'=>1, 'ref'=>1, 'reset'=>1, 'right'=>1, 'row'=>1, 'rowgroup'=>1, 'rows'=>1, 'rtl'=>1, 'search'=>1, 'submit'=>1, 'subtitles'=>1, 'tel'=>1, 'text'=>1, 'time'=>1, 'top'=>1, 'url'=>1, 'week'=>1);

+ static $eAL = array('a'=>1, 'area'=>1, 'bdo'=>1, 'button'=>1, 'col'=>1, 'fieldset'=>1, 'form'=>1, 'img'=>1, 'input'=>1, 'object'=>1, 'ol'=>1, 'optgroup'=>1, 'option'=>1, 'param'=>1, 'script'=>1, 'select'=>1, 'table'=>1, 'td'=>1, 'textarea'=>1, 'tfoot'=>1, 'th'=>1, 'thead'=>1, 'tr'=>1, 'track'=>1, 'xml:space'=>1);

+ $lcase = isset($eAL[$e]) ? 1 : 0;

+}

+

+$depTr = 0;

+if($C['no_deprecated_attr']){

+ // depr attr:applicable ele

+ static $aND = array('align'=>array('caption'=>1, 'div'=>1, 'h1'=>1, 'h2'=>1, 'h3'=>1, 'h4'=>1, 'h5'=>1, 'h6'=>1, 'hr'=>1, 'img'=>1, 'input'=>1, 'legend'=>1, 'object'=>1, 'p'=>1, 'table'=>1), 'bgcolor'=>array('table'=>1, 'td'=>1, 'th'=>1, 'tr'=>1), 'border'=>array('object'=>1), 'bordercolor'=>array('table'=>1, 'td'=>1, 'tr'=>1), 'cellspacing'=>array('table'=>1), 'clear'=>array('br'=>1), 'compact'=>array('dl'=>1, 'ol'=>1, 'ul'=>1), 'height'=>array('td'=>1, 'th'=>1), 'hspace'=>array('img'=>1, 'object'=>1), 'language'=>array('script'=>1), 'name'=>array('a'=>1, 'form'=>1, 'iframe'=>1, 'img'=>1, 'map'=>1), 'noshade'=>array('hr'=>1), 'nowrap'=>array('td'=>1, 'th'=>1), 'size'=>array('hr'=>1), 'vspace'=>array('img'=>1, 'object'=>1), 'width'=>array('hr'=>1, 'pre'=>1, 'table'=>1, 'td'=>1, 'th'=>1));

+ static $eAD = array('a'=>1, 'br'=>1, 'caption'=>1, 'div'=>1, 'dl'=>1, 'form'=>1, 'h1'=>1, 'h2'=>1, 'h3'=>1, 'h4'=>1, 'h5'=>1, 'h6'=>1, 'hr'=>1, 'iframe'=>1, 'img'=>1, 'input'=>1, 'legend'=>1, 'map'=>1, 'object'=>1, 'ol'=>1, 'p'=>1, 'pre'=>1, 'script'=>1, 'table'=>1, 'td'=>1, 'th'=>1, 'tr'=>1, 'ul'=>1);

+ $depTr = isset($eAD[$e]) ? 1 : 0;

+}

+

+// attr name-vals

+if(strpos($a, "\x01") !== false){$a = preg_replace('`\x01[^\x01]*\x01`', '', $a);} // No comment/CDATA sec

+$mode = 0; $a = trim($a, ' /'); $aA = array();

+while(strlen($a)){

+ $w = 0;

+ switch($mode){

+  case 0: // Name

+   if(preg_match('`^[a-zA-Z][^\s=/]+`', $a, $m)){

+    $nm = strtolower($m[0]);

+    $w = $mode = 1; $a = ltrim(substr_replace($a, '', 0, strlen($m[0])));

+   }

+  break; case 1:

+   if($a[0] == '='){ // =

+    $w = 1; $mode = 2; $a = ltrim($a, '= ');

+   }else{ // No val

+    $w = 1; $mode = 0; $a = ltrim($a);

+    $aA[$nm] = '';

+   }

+  break; case 2: // Val

+   if(preg_match('`^((?:"[^"]*")|(?:\'[^\']*\')|(?:\s*[^\s"\']+))(.*)`', $a, $m)){

+    $a = ltrim($m[2]); $m = $m[1]; $w = 1; $mode = 0;

+    $aA[$nm] = trim(str_replace('<', '&lt;', ($m[0] == '"' or $m[0] == '\'') ? substr($m, 1, -1) : $m));

+   }

+  break;

+ }

+ if($w == 0){ // Parse errs, deal with space, " & '

+  $a = preg_replace('`^(?:"[^"]*("|$)|\'[^\']*(\'|$)|\S)*\s*`', '', $a);

+  $mode = 0;

+ }

+}

+if($mode == 1){$aA[$nm] = '';}

+

+// clean attrs

+global $S;

+$rl = isset($S[$e]) ? $S[$e] : array();

+$a = array(); $nfr = 0; $d = $C['deny_attribute'];

+foreach($aA as $k=>$v){

+ if(((isset($d['*']) ? isset($d[$k]) : !isset($d[$k])) && (isset($aN[$k][$e]) or isset($aNU[$k]) or (isset($aNO[$k]) && !isset($d['on*'])) or (isset($aNA[$k]) && !isset($d['aria*'])) or (!isset($d['data*']) && preg_match('`data-((?!xml)[^:]+$)`', $k))) && !isset($rl['n'][$k]) && !isset($rl['n']['*'])) or isset($rl[$k])){

+  if(isset($aNE[$k])){$v = $k;}

+  elseif(!empty($lcase) && (($e != 'button' or $e != 'input') or $k == 'type')){ // Rather loose but ?not cause issues

+   $v = (isset($aNL[($v2 = strtolower($v))])) ? $v2 : $v;

+  }

+  if($k == 'style' && !$C['style_pass']){

+   if(false !== strpos($v, '&#')){

+    static $sC = array('&#x20;'=>' ', '&#32;'=>' ', '&#x45;'=>'e', '&#69;'=>'e', '&#x65;'=>'e', '&#101;'=>'e', '&#x58;'=>'x', '&#88;'=>'x', '&#x78;'=>'x', '&#120;'=>'x', '&#x50;'=>'p', '&#80;'=>'p', '&#x70;'=>'p', '&#112;'=>'p', '&#x53;'=>'s', '&#83;'=>'s', '&#x73;'=>'s', '&#115;'=>'s', '&#x49;'=>'i', '&#73;'=>'i', '&#x69;'=>'i', '&#105;'=>'i', '&#x4f;'=>'o', '&#79;'=>'o', '&#x6f;'=>'o', '&#111;'=>'o', '&#x4e;'=>'n', '&#78;'=>'n', '&#x6e;'=>'n', '&#110;'=>'n', '&#x55;'=>'u', '&#85;'=>'u', '&#x75;'=>'u', '&#117;'=>'u', '&#x52;'=>'r', '&#82;'=>'r', '&#x72;'=>'r', '&#114;'=>'r', '&#x4c;'=>'l', '&#76;'=>'l', '&#x6c;'=>'l', '&#108;'=>'l', '&#x28;'=>'(', '&#40;'=>'(', '&#x29;'=>')', '&#41;'=>')', '&#x20;'=>':', '&#32;'=>':', '&#x22;'=>'"', '&#34;'=>'"', '&#x27;'=>"'", '&#39;'=>"'", '&#x2f;'=>'/', '&#47;'=>'/', '&#x2a;'=>'*', '&#42;'=>'*', '&#x5c;'=>'\\', '&#92;'=>'\\');

+    $v = strtr($v, $sC);

+   }

+   $v = preg_replace_callback('`(url(?:\()(?: )*(?:\'|"|&(?:quot|apos);)?)(.+?)((?:\'|"|&(?:quot|apos);)?(?: )*(?:\)))`iS', 'hl_prot', $v);

+   $v = !$C['css_expression'] ? preg_replace('`expression`i', ' ', preg_replace('`\\\\\S|(/|(%2f))(\*|(%2a))`i', ' ', $v)) : $v;

+  }elseif(isset($aNP[$k]) or isset($aNO[$k])){

+   $v = str_replace("­", ' ', (strpos($v, '&') !== false ? str_replace(array('&#xad;', '&#173;', '&shy;'), ' ', $v) : $v)); # double-quoted char: soft-hyphen; appears here as "­" or hyphen or something else depending on viewing software

+   if($k == 'srcset'){

+    $v2 = '';

+    foreach(explode(',', $v) as $k1=>$v1){

+     $v1 = explode(' ', ltrim($v1), 2);

+     $k1 = isset($v1[1]) ? trim($v1[1]) : '';

+     $v1 = trim($v1[0]);

+     if(isset($v1[0])){$v2 .= hl_prot($v1, $k). (empty($k1) ? '' : ' '. $k1). ', ';}

+    }

+    $v = trim($v2, ', ');

+   }

+   if($k == 'itemtype'){

+    $v2 = '';

+    foreach(explode(' ', $v) as $v1){

+     if(isset($v1[0])){$v2 .= hl_prot($v1, $k). ' ';}

+    }

+    $v = trim($v2, ' ');

+   }

+   else{$v = hl_prot($v, $k);}

+   if($k == 'href'){ // X-spam

+    if($C['anti_mail_spam'] && strpos($v, 'mailto:') === 0){

+     $v = str_replace('@', htmlspecialchars($C['anti_mail_spam']), $v);

+    }elseif($C['anti_link_spam']){

+     $r1 = $C['anti_link_spam'][1];

+     if(!empty($r1) && preg_match($r1, $v)){continue;}

+     $r0 = $C['anti_link_spam'][0];

+     if(!empty($r0) && preg_match($r0, $v)){

+      if(isset($a['rel'])){

+       if(!preg_match('`\bnofollow\b`i', $a['rel'])){$a['rel'] .= ' nofollow';}

+      }elseif(isset($aA['rel'])){

+       if(!preg_match('`\bnofollow\b`i', $aA['rel'])){$nfr = 1;}

+      }else{$a['rel'] = 'nofollow';}

+     }

+    }

+   }

+  }

+  if(isset($rl[$k]) && is_array($rl[$k]) && ($v = hl_attrval($k, $v, $rl[$k])) === 0){continue;}

+  $a[$k] = str_replace('"', '&quot;', $v);

+ }

+}

+if($nfr){$a['rel'] = isset($a['rel']) ? $a['rel']. ' nofollow' : 'nofollow';}

+

+// rqd attr

+static $eAR = array('area'=>array('alt'=>'area'), 'bdo'=>array('dir'=>'ltr'), 'command'=>array('label'=>''), 'form'=>array('action'=>''), 'img'=>array('src'=>'', 'alt'=>'image'), 'map'=>array('name'=>''), 'optgroup'=>array('label'=>''), 'param'=>array('name'=>''), 'style'=>array('scoped'=>''), 'textarea'=>array('rows'=>'10', 'cols'=>'50'));

+if(isset($eAR[$e])){

+ foreach($eAR[$e] as $k=>$v){

+  if(!isset($a[$k])){$a[$k] = isset($v[0]) ? $v : $k;}

+ }

+}

+

+// depr attr

+if($depTr){

+ $c = array();

+ foreach($a as $k=>$v){

+  if($k == 'style' or !isset($aND[$k][$e])){continue;}

+  $v = str_replace(array('\\', ':', ';', '&#'), '', $v);

+  if($k == 'align'){

+   unset($a['align']);

+   if($e == 'img' && ($v == 'left' or $v == 'right')){$c[] = 'float: '. $v;}

+   elseif(($e == 'div' or $e == 'table') && $v == 'center'){$c[] = 'margin: auto';}

+   else{$c[] = 'text-align: '. $v;}

+  }elseif($k == 'bgcolor'){

+   unset($a['bgcolor']);

+   $c[] = 'background-color: '. $v;

+  }elseif($k == 'border'){

+   unset($a['border']); $c[] = "border: {$v}px";

+  }elseif($k == 'bordercolor'){

+   unset($a['bordercolor']); $c[] = 'border-color: '. $v;

+  }elseif($k == 'cellspacing'){

+   unset($a['cellspacing']); $c[] = "border-spacing: {$v}px";

+  }elseif($k == 'clear'){

+   unset($a['clear']); $c[] = 'clear: '. ($v != 'all' ? $v : 'both');

+  }elseif($k == 'compact'){

+   unset($a['compact']); $c[] = 'font-size: 85%';

+  }elseif($k == 'height' or $k == 'width'){

+   unset($a[$k]); $c[] = $k. ': '. ($v[0] != '*' ? $v. (ctype_digit($v) ? 'px' : '') : 'auto');

+  }elseif($k == 'hspace'){

+   unset($a['hspace']); $c[] = "margin-left: {$v}px; margin-right: {$v}px";

+  }elseif($k == 'language' && !isset($a['type'])){

+   unset($a['language']);

+   $a['type'] = 'text/'. strtolower($v);

+  }elseif($k == 'name'){

+   if($C['no_deprecated_attr'] == 2 or ($e != 'a' && $e != 'map')){unset($a['name']);}

+   if(!isset($a['id']) && !preg_match('`\W`', $v)){$a['id'] = $v;}

+  }elseif($k == 'noshade'){

+   unset($a['noshade']); $c[] = 'border-style: none; border: 0; background-color: gray; color: gray';

+  }elseif($k == 'nowrap'){

+   unset($a['nowrap']); $c[] = 'white-space: nowrap';

+  }elseif($k == 'size'){

+   unset($a['size']); $c[] = 'size: '. $v. 'px';

+  }elseif($k == 'vspace'){

+   unset($a['vspace']); $c[] = "margin-top: {$v}px; margin-bottom: {$v}px";

+  }

+ }

+ if(count($c)){

+  $c = implode('; ', $c);

+  $a['style'] = isset($a['style']) ? rtrim($a['style'], ' ;'). '; '. $c. ';': $c. ';';

+ }

+}

+// unique ID

+if($C['unique_ids'] && isset($a['id'])){

+ if(preg_match('`\s`', ($id = $a['id'])) or (isset($GLOBALS['hl_Ids'][$id]) && $C['unique_ids'] == 1)){unset($a['id']);

+ }else{

+  while(isset($GLOBALS['hl_Ids'][$id])){$id = $C['unique_ids']. $id;}

+  $GLOBALS['hl_Ids'][($a['id'] = $id)] = 1;

+ }

+}

+// xml:lang

+if($C['xml:lang'] && isset($a['lang'])){

+ $a['xml:lang'] = isset($a['xml:lang']) ? $a['xml:lang'] : $a['lang'];

+ if($C['xml:lang'] == 2){unset($a['lang']);}

+}

+// for transformed tag

+if(!empty($trt)){

+ $a['style'] = isset($a['style']) ? rtrim($a['style'], ' ;'). '; '. $trt : $trt;

+}

+// return with empty ele /

+if(empty($C['hook_tag'])){

+ $aA = '';

+ foreach($a as $k=>$v){$aA .= " {$k}=\"{$v}\"";}

+ return "<{$e}{$aA}". (isset($eE[$e]) ? ' /' : ''). '>';

+}

+else{return $C['hook_tag']($e, $a);}

+}

+

+function hl_tag2(&$e, &$a, $t=1){

+// transform tag

+if($e == 'big'){$e = 'span'; return 'font-size: larger;';}

+if($e == 's' or $e == 'strike'){$e = 'span'; return 'text-decoration: line-through;';}

+if($e == 'tt'){$e = 'code'; return '';}

+if($e == 'center'){$e = 'div'; return 'text-align: center;';}

+static $fs = array('0'=>'xx-small', '1'=>'xx-small', '2'=>'small', '3'=>'medium', '4'=>'large', '5'=>'x-large', '6'=>'xx-large', '7'=>'300%', '-1'=>'smaller', '-2'=>'60%', '+1'=>'larger', '+2'=>'150%', '+3'=>'200%', '+4'=>'300%');

+if($e == 'font'){

+ $a2 = '';

+ while(preg_match('`(^|\s)(color|size)\s*=\s*(\'|")?(.+?)(\\3|\s|$)`i', $a, $m)){

+  $a = str_replace($m[0], ' ', $a);

+  $a2 .= strtolower($m[2]) == 'color' ? (' color: '. str_replace(array('"', ';', ':'), '\'', trim($m[4])). ';') : (isset($fs[($m = trim($m[4]))]) ? (' font-size: '. $fs[$m]. ';') : '');

+ }

+ while(preg_match('`(^|\s)face\s*=\s*(\'|")?([^=]+?)\\2`i', $a, $m) or preg_match('`(^|\s)face\s*=(\s*)(\S+)`i', $a, $m)){

+  $a = str_replace($m[0], ' ', $a);

+  $a2 .= ' font-family: '. str_replace(array('"', ';', ':'), '\'', trim($m[3])). ';';

+ }

+ $e = 'span'; return ltrim(str_replace('<', '', $a2));

+}

+if($e == 'acronym'){$e = 'abbr'; return '';}

+if($e == 'dir'){$e = 'ul'; return '';}

+if($t == 2){$e = 0; return 0;}

+return '';

+}

+

+function hl_tidy($t, $w, $p){

+// tidy/compact HTM

+if(strpos(' pre,script,textarea', "$p,")){return $t;}

+if(!function_exists('hl_aux2')){function hl_aux2($m){

+ return $m[1]. str_replace(array("<", ">", "\n", "\r", "\t", ' '), array("\x01", "\x02", "\x03", "\x04", "\x05", "\x07"), $m[3]). $m[4];

+}}

+$t = preg_replace(array('`(<\w[^>]*(?<!/)>)\s+`', '`\s+`', '`(<\w[^>]*(?<!/)>) `'), array(' $1', ' ', '$1'), preg_replace_callback(array('`(<(!\[CDATA\[))(.+?)(\]\]>)`sm', '`(<(!--))(.+?)(-->)`sm', '`(<(pre|script|textarea)[^>]*?>)(.+?)(</\2>)`sm'), 'hl_aux2', $t));

+if(($w = strtolower($w)) == -1){

+ return str_replace(array("\x01", "\x02", "\x03", "\x04", "\x05", "\x07"), array('<', '>', "\n", "\r", "\t", ' '), $t);

+}

+$s = strpos(" $w", 't') ? "\t" : ' ';

+$s = preg_match('`\d`', $w, $m) ? str_repeat($s, $m[0]) : str_repeat($s, ($s == "\t" ? 1 : 2));

+$N = preg_match('`[ts]([1-9])`', $w, $m) ? $m[1] : 0;

+$a = array('br'=>1);

+$b = array('button'=>1, 'command'=>1, 'input'=>1, 'option'=>1, 'param'=>1, 'track'=>1);

+$c = array('audio'=>1, 'canvas'=>1, 'caption'=>1, 'dd'=>1, 'dt'=>1, 'figcaption'=>1, 'h1'=>1, 'h2'=>1, 'h3'=>1, 'h4'=>1, 'h5'=>1, 'h6'=>1, 'isindex'=>1, 'label'=>1, 'legend'=>1, 'li'=>1, 'object'=>1, 'p'=>1, 'pre'=>1, 'style'=>1, 'summary'=>1, 'td'=>1, 'textarea'=>1, 'th'=>1, 'video'=>1);

+$d = array('address'=>1, 'article'=>1, 'aside'=>1, 'blockquote'=>1, 'center'=>1, 'colgroup'=>1, 'datalist'=>1, 'details'=>1, 'dir'=>1, 'div'=>1, 'dl'=>1, 'fieldset'=>1, 'figure'=>1, 'footer'=>1, 'form'=>1, 'header'=>1, 'hgroup'=>1, 'hr'=>1, 'iframe'=>1, 'main'=>1, 'map'=>1, 'menu'=>1, 'nav'=>1, 'noscript'=>1, 'ol'=>1, 'optgroup'=>1, 'rbc'=>1, 'rtc'=>1, 'ruby'=>1, 'script'=>1, 'section'=>1, 'select'=>1, 'table'=>1, 'tbody'=>1, 'tfoot'=>1, 'thead'=>1, 'tr'=>1, 'ul'=>1);

+$T = explode('<', $t);

+$X = 1;

+while($X){

+ $n = $N;

+ $t = $T;

+ ob_start();

+ if(isset($d[$p])){echo str_repeat($s, ++$n);}

+ echo ltrim(array_shift($t));

+ for($i=-1, $j=count($t); ++$i<$j;){

+  $r = ''; list($e, $r) = explode('>', $t[$i]);

+  $x = $e[0] == '/' ? 0 : (substr($e, -1) == '/' ? 1 : ($e[0] != '!' ? 2 : -1));

+  $y = !$x ? ltrim($e, '/') : ($x > 0 ? substr($e, 0, strcspn($e, ' ')) : 0);

+  $e = "<$e>"; 

+  if(isset($d[$y])){

+   if(!$x){

+    if($n){echo "\n", str_repeat($s, --$n), "$e\n", str_repeat($s, $n);}

+    else{++$N; ob_end_clean(); continue 2;}

+   }

+   else{echo "\n", str_repeat($s, $n), "$e\n", str_repeat($s, ($x != 1 ? ++$n : $n));}

+   echo $r; continue;

+  }

+  $f = "\n". str_repeat($s, $n);

+  if(isset($c[$y])){

+   if(!$x){echo $e, $f, $r;}

+   else{echo $f, $e, $r;}

+  }elseif(isset($b[$y])){echo $f, $e, $r;

+  }elseif(isset($a[$y])){echo $e, $f, $r;

+  }elseif(!$y){echo $f, $e, $f, $r;

+  }else{echo $e, $r;}

+ }

+ $X = 0;

+}

+$t = str_replace(array("\n ", " \n"), "\n", preg_replace('`[\n]\s*?[\n]+`', "\n", ob_get_contents()));

+ob_end_clean();

+if(($l = strpos(" $w", 'r') ? (strpos(" $w", 'n') ? "\r\n" : "\r") : 0)){

+ $t = str_replace("\n", $l, $t);

+}

+return str_replace(array("\x01", "\x02", "\x03", "\x04", "\x05", "\x07"), array('<', '>', "\n", "\r", "\t", ' '), $t);

+}

+

+function hl_version(){

+// version

+return '1.2.5';

+}

diff --git a/lib/htmlawed/htmLawedTest.php b/lib/htmlawed/htmLawedTest.php
index 6475bc8..dfbfb27 100755
--- a/lib/htmlawed/htmLawedTest.php
+++ b/lib/htmlawed/htmLawedTest.php
@@ -1,677 +1,677 @@
-<?php
-
-/*
-htmLawedTest.php, 17 May 2017
-To test htmLawed
-Copyright Santosh Patnaik
-Dual licensed with LGPL 3 and GPL 2+
-A PHP Labware internal utility - www.bioinformatics.org/phplabware/internal_utilities/htmLawed
-
-Test htmLawed; user provides text input; input and processed input are shown as highlighted code and rendered HTML; also shown are execution time and peak memory usage
-*/
-
-// config
-$_errs = 0; // display PHP errors
-$_limit = 12000; // input character limit
-$_hlimit = 2000; // input character limit for showing hexdumps
-$_hilite = 1; // 0 turns off slow Javascript-based code-highlighting, e.g., if $_limit is high
-$_w3c_validate = 1; // 1 to show buttons to send input/output to w3c validator
-$_sid = 'sid'; // session name; alphanum.
-$_slife = 30; // session life in min.
-
-// errors
-error_reporting(E_ALL | (defined('E_STRICT') ? E_STRICT : 0));
-ini_set('display_errors', $_errs);
-
-// session
-session_name($_sid);
-session_cache_limiter('private');
-session_cache_expire($_slife);
-ini_set('session.gc_maxlifetime', $_slife * 60);
-ini_set('session.use_only_cookies', 1);
-ini_set('session.cookie_lifetime', 0);
-session_start();
-if(!isset($_SESSION['token'])){
- $_SESSION['token'] = md5(uniqid(rand(), 1));
-}
-
-// slashes
-if(get_magic_quotes_gpc()){
- foreach($_POST as $k => $v){
-  $_POST[$k] = stripslashes($v);
- }
- ini_set('magic_quotes_gpc', 0);
-}
-if(get_magic_quotes_runtime()){
- set_magic_quotes_runtime(0);
-}
-
-$_POST['enc'] = (isset($_POST['enc']) and preg_match('`^[-\w]+$`', $_POST['enc'])) ? $_POST['enc'] : 'utf-8';
-
-// token for anti-CSRF
-if(count($_POST)){
- if((empty($_GET['pre']) and ((!empty($_POST['token']) and !empty($_SESSION['token']) and $_POST['token'] != $_SESSION['token']) or empty($_POST[$_sid]) or $_POST[$_sid] != session_id() or empty($_COOKIE[$_sid]) or $_COOKIE[$_sid] != session_id())) or ($_POST[$_sid] != session_id())){
-  $_POST = array('enc'=>'utf-8');
- }
-}
-if(empty($_GET['pre'])){
- $_SESSION['token'] = md5(uniqid(rand(), 1));
- $token = $_SESSION['token'];
- session_regenerate_id(1);
-}
-
-// compress
-if(function_exists('gzencode') && isset($_SERVER['HTTP_ACCEPT_ENCODING']) && preg_match('`gzip|deflate`i', $_SERVER['HTTP_ACCEPT_ENCODING']) && !ini_get('zlib.output_compression')){
- ob_start('ob_gzhandler');
-}
-
-// HTM for unprocessed
-if(isset($_POST['inputH'])){
- echo '<html><head><title>htmLawed test: HTML view of unprocessed input</title></head><body style="margin:0; padding: 0;"><p style="background-color: black; color: white; padding: 2px;">&nbsp; Rendering of raw/unprocessed input without an HTML doctype or charset declaration &nbsp; &nbsp; <small><a style="color: white; text-decoration: none;" href="1" onclick="javascript:window.close(this); return false;">close window</a> | <a style="color: white; text-decoration: none;" href="htmLawedTest.php" onclick="javascript: window.open(\'htmLawedTest.php\', \'hlmain\'); window.close(this); return false;">htmLawed test page</a></small></p><div>', $_POST['inputH'], '</div></body></html>';
- exit;
-}
-
-// HTM for processed
-if(isset($_POST['outputH'])){
- echo '<html><head><title>htmLawed test: HTML view of unprocessed input</title></head><body style="margin:0; padding: 0;"><p style="background-color: black; color: white; padding: 2px;">&nbsp; Rendering of filtered/processed input without an HTML doctype or charset declaration &nbsp; &nbsp; <small><a style="color: white; text-decoration: none;" href="1" onclick="javascript:window.close(this); return false;">close window</a> | <a style="color: white; text-decoration: none;" href="htmLawedTest.php" onclick="javascript: window.open(\'htmLawedTest.php\', \'hlmain\'); window.close(this); return false;">htmLawed test page</a></small></p><div>', $_POST['outputH'], '</div></body></html>';
- exit;
-}
-
-// main
-$_POST['text'] = isset($_POST['text']) ? $_POST['text'] : 'text to process; < '. $_limit. ' characters'. ($_hlimit ? ' (for binary hexdump view, < '. $_hlimit. ')' : '');
-$do = (!empty($_POST[$_sid]) && isset($_POST['text'][0]) && !isset($_POST['text'][$_limit])) ? 1 : 0;
-$limit_exceeded = isset($_POST['text'][$_limit]) ? 1 : 0;
-$pre_mem = memory_get_usage();
-$validation = (!empty($_POST[$_sid]) and isset($_POST['w3c_validate'][0])) ? 1 : 0;
-include './htmLawed.php';
-
-function format($t){
- $t = "\n". str_replace(array("\t", "\r\n", "\r", '&', '<', '>', "\n"), array('    ', "\n", "\n", '&amp;', '&lt;', '&gt;', "<span class=\"newline\">&#172;</span><br />\n"), $t);
- return str_replace(array('<br />', "\n ", '  '), array("\n<br />\n", "\n&nbsp;", ' &nbsp;'), $t);
-}
-
-function hexdump($d){
-// Mainly by Aidan Lister <aidan@php.net>, Peter Waller <iridum@php.net>
- $hexi = '';
- $ascii = '';
- ob_start();
- echo '<pre>';
- $offset = 0;
- $len = strlen($d);
- for($i=$j=0; $i<$len; $i++)
- {
-  // Convert to hexidecimal
-  $hexi .= sprintf("%02X ", ord($d[$i]));
-  // Replace non-viewable bytes with '.'
-  if(ord($d[$i]) >= 32){
-   $ascii .= htmlspecialchars($d[$i]);
-  }else{
-   $ascii .= '.';
-  } 
-  // Add extra column spacing
-  if($j == 7){
-   $hexi .= ' ';
-   $ascii .= '  ';
-  }
-  // Add row
-  if(++$j == 16 || $i == $len-1){
-   // Join the hexi / ascii output
-   echo sprintf("%04X   %-49s   %s", $offset, $hexi, $ascii);   
-   // Reset vars
-   $hexi = $ascii = '';
-   $offset += 16;
-   $j = 0;  
-   // Add newline   
-   if ($i !== $len-1){
-    echo "\n";
-   }
-  }
- }
- echo '</pre>';
- $o = ob_get_contents();
- ob_end_clean();
- return $o;
-}
-?>
-
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
- "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
-<html lang="en" xml:lang="en">
-<head>
-<meta http-equiv="content-type" content="text/html; charset=utf-8" />
-<meta name="description" content="htmLawed <?php echo hl_version();?> test page" />
-<style type="text/css"><!--/*--><![CDATA[/*><!--*/
-a, a.resizer{text-decoration:none;}
-a:hover, a.resizer:hover{color:red;}
-a.resizer{color:green; float:right;}
-body{background-color:#efefef;}
-body, button, div, html, input, p{font-size:13px; font-family:'Lucida grande', Verdana, Arial, Helvetica, sans-serif;}
-button, input{font-size: 85%;}
-div.help{border-top: 1px dotted gray; margin-top: 15px; padding-top: 15px; color:#999999;}
-#inputC, #inputD, #inputF, #inputR, #outputD, #outputF, #outputR, #settingF, #diff{display:block;}
-#inputC, #settingF{background-color:white; border:1px gray solid; padding:3px;}
-#inputC li{margin: 0; padding: 0;}
-#inputC ul{margin: 0; padding: 0; margin-left: 14px;}
-#inputC input{margin: 0; margin-left: 2px; margin-right: 2px; padding: 1px; vertical-align: middle;}
-#inputD{overflow:auto; background-color:#ffff99; border:1px #cc9966 solid; padding:3px;}
-#inputR{overflow:auto; background-color:#ffffcc; border:1px #ffcc99 solid; padding:3px;}
-#inputC, #settingF, #inputD, #inputR, #outputD, #outputR, #diff, textarea{font-size:100%; font-family:'Bitstream vera sans mono', 'courier new', 'courier', monospace;}
-#outputD{overflow:auto; background-color: #99ffcc; border:1px #66cc99 solid; padding:3px;}
-#diff{overflow:auto; background-color: white; border:1px #dcdcdc solid; padding:3px;}
-#outputR{overflow:auto; background-color: #ccffcc; border:1px #99cc99 solid; padding:3px;} 
-span.cmtcdata{color: orange;}
-span.ctag{color:red;}
-span.ent{border-bottom:1px dotted #999999;}
-span.etag{color:purple;}
-span.help{color:#999999;}
-span.newline{color:#dcdcdc;}
-span.notice{color:green;}
-span.otag{color:blue;}
-#topmost{margin:auto; width:98%;}
-/*]]>*/--></style>
-<script type="text/javascript"><!--//--><![CDATA[//><!-- 
-window.name = 'hlmain';
-function hl(i){
- <?php if(!$_hilite){echo 'return;'; }?>
- var e = document.getElementById(i);
- if(!e){return;}
- run(e, '</[a-z1-6]+>', 'ctag');
- run(e, '<[a-z]+(?:[^>]*)/>', 'etag');
- run(e, '<[a-z1-6]+(?:[^>]*)>', 'otag');
- run(e, '&[#a-z0-9]+;', 'ent');
- run(e, '<!(?:(?:--(?:.|\n)*?--)|(?:\\[CDATA\\[(?:.|\n)*?\\]\\]))>', 'cmtcdata');
-}
-function sndProc(){
- var f = document.getElementById('testform');
- if(!f){return;}
- var e = document.createElement('input');
- e.type = 'hidden';
- e.name = '<?php echo htmlspecialchars($_sid); ?>';
- e.id = '<?php echo htmlspecialchars($_sid); ?>';
- e.value = readCookie('<?php echo htmlspecialchars($_sid); ?>');
- f.appendChild(e);
- f.submit();
-}
-function readCookie(n){
- var ne = n + '=';
- var ca = document.cookie.split(';');
- for(var i=0;i < ca.length;i++){
-  var c = ca[i];
-  while(c.charAt(0)==' '){
-   c = c.substring(1,c.length);
-  }
-  if(c.indexOf(ne) == 0){
-   return c.substring(ne.length,c.length);
-  }
- }
- return null;
-}
-function run(e, q, c){
- var q = new RegExp(q);
- if(e.firstChild == null){
-  var m = q.exec(e.data);
-  if(m){
-   var v = m[0];
-   var k2 = e.splitText(m.index);
-   var k3 = k2.splitText(v.length);
-   var s = e.ownerDocument.createElement('span');
-   e.parentNode.replaceChild(s, k2);
-   s.className = c; s.appendChild(k2);
-  }
- }
- for(var k = e.firstChild; k != null; k = k.nextSibling){
-  if(k.nodeType == 3){     
-   var m = q.exec(k.data);
-   if(m){
-    var v = m[0];
-    var k2 = k.splitText(m.index);
-    var k3 = k2.splitText(v.length);
-    var s = k.ownerDocument.createElement('span');
-    k.parentNode.replaceChild(s, k2);
-    s.className = c; s.appendChild(k2);
-   }
-  }
-  else if(c == 'ent' && k.nodeType == 1){
-   var d = k.firstChild;
-   if(d){
-    var m = q.exec(d.data);
-    if(m){
-     var v = m[0];
-     var d2 = d.splitText(m.index);
-     var d3 = d2.splitText(v.length);
-     var s = d.ownerDocument.createElement('span');
-     d.parentNode.replaceChild(s, d2);
-     s.className = c; s.appendChild(d2);
-    }
-   }
-  }
- }
-}
-function toggle(i){  
- var e = document.getElementById(i);  
- if(!e){return;}
- if(e.style){
-  var a = e.style.display;   
-  if(a == 'block'){e.style.display = 'none'; return;}
-  if(a == 'none'){e.style.display = 'block';}
-  else{e.style.display = 'none';}
-  return;   
- }
- var a = e.visibility;
- if(a == 'hidden'){e.visibility = 'show'; return;}
- if(a == 'show'){e.visibility = 'hidden';}
-}
-function sndProc2(){
- var i = document.getElementById('text2');
- if(!i){return;}
- i = i.value;
- var w = window.open('htmLawedTest.php?pre=1', 'hlposthtm');
- var f = document.createElement('form');
- f.enctype = 'application/x-www-form-urlencoded';
- f.method = 'post';
- f.acceptCharset = '<?php echo htmlspecialchars($_POST['enc']); ?>';
- if(f.style){f.style.display = 'none';}
- else{f.visibility = 'hidden';}
- f.innerHTML = '<p style="display:none;"><input style="display:none;" type="hidden" name="token" id="token" value="<?php echo $token; ?>" /><input style="display:none;" type="hidden" name="<?php echo htmlspecialchars($_sid); ?>" id="<?php echo htmlspecialchars($_sid); ?>" value="' + readCookie('<?php echo htmlspecialchars($_sid); ?>') + '" /></p>';
- f.action = 'htmLawedTest.php?pre=1';
- f.target = 'hlposthtm';
- f.method = 'post';
- var t = document.createElement('textarea');
- t.name = 'outputH';
- t.value = i;
- f.appendChild(t);
- var b = document.getElementsByTagName('body')[0];
- b.appendChild(f);
- f.submit();
- w.focus;
-}
-function sndUnproc(){
- var i = document.getElementById('text');
- if(!i){return;}
- i = i.value;
- var w = window.open('htmLawedTest.php?pre=1', 'hlprehtm');
- var f = document.createElement('form');
- f.enctype = 'application/x-www-form-urlencoded';
- f.method = 'post';
- f.acceptCharset = '<?php echo htmlspecialchars($_POST['enc']); ?>';
- if(f.style){f.style.display = 'none';}
- else{f.visibility = 'hidden';}
- f.innerHTML = '<p style="display:none;"><input style="display:none;" type="hidden" name="token" id="token" value="<?php echo $token; ?>" /><input style="display:none;" type="hidden" name="<?php echo htmlspecialchars($_sid); ?>" id="<?php echo htmlspecialchars($_sid); ?>" value="' + readCookie('<?php echo htmlspecialchars($_sid); ?>') + '" /></p>';
- f.action = 'htmLawedTest.php?pre=1';
- f.target = 'hlprehtm';
- f.method = 'post';
- var t = document.createElement('textarea');
- t.name = 'inputH';
- t.value = i;
- f.appendChild(t);
- var b = document.getElementsByTagName('body')[0];
- b.appendChild(f);
- f.submit();
- w.focus;
-}
-function sndValidn(id, type){
- var i = document.getElementById(id);
- if(!i){return;}
- i = i.value;
- var w = window.open('http://validator.w3.org/check', 'validate'+id+type);
- var f = document.createElement('form');
- f.enctype = 'application/x-www-form-urlencoded';
- f.method = 'post';
- f.acceptCharset = '<?php echo htmlspecialchars($_POST['enc']); ?>';
- if(f.style){f.style.display = 'none';}
- else{f.visibility = 'hidden';}
- f.innerHTML = '<p style="display:none;"><input style="display:none;" type="hidden" name="prefill" id="prefill" value="1" /><input style="display:none;" type="hidden" name="prefill_doctype" id="prefill_doctype" value="'+ type+ '" /><input style="display:none;" type="hidden" name="group" id="group" value="1" /><input type="hidden" name="ss" id="ss" value="1" /></p>';
- f.action = 'http://validator.w3.org/check';
- f.target = 'validate'+id+type;
- var t = document.createElement('textarea');
- t.name = 'fragment';
- t.value = i;
- f.appendChild(t);
- var b = document.getElementsByTagName('body')[0];
- b.appendChild(f);
- f.submit();
- w.focus;
-}
-tRs = {
- formEl: null,
- resizeClass: 'textarea',
- adEv: function(t,ev,fn){
-  if(typeof document.addEventListener != 'undefined'){
-   t.addEventListener(ev,fn,false);
-  }else{
-   t.attachEvent('on' + ev, fn);
-  }
- },
- rmEv: function(t,ev,fn){
-  if(typeof document.removeEventListener != 'undefined'){
-   t.removeEventListener(ev,fn,false);
-  }else
-  {
-   t.detachEvent('on' + ev, fn);
-  }
- },
- adBtn: function(){
-  var textareas = document.getElementsByTagName('textarea');
-  for(var i = 0; i < textareas.length; i++){    
-   var txtclass=textareas[i].className;
-   if(txtclass.substring(0,tRs.resizeClass.length)==tRs.resizeClass ||
-   txtclass.substring(txtclass.length -tRs.resizeClass.length)==tRs.resizeClass){
-    var a = document.createElement('a');
-    a.appendChild(document.createTextNode("\u2195"));
-    a.style.cursor = 'n-resize';
-    a.className= 'resizer';
-    a.title = 'click-drag to resize textarea'
-    tRs.adEv(a, 'mousedown', tRs.initResize);
-    textareas[i].parentNode.appendChild(a);
-   }    
-  }
- },
- initResize: function(event){
-  if(typeof event == 'undefined'){
-   event = window.event;
-  }
-  if(event.srcElement){
-   var target = event.srcElement.previousSibling;
-  }else{
-   var target = event.target.previousSibling;
-  }
-  if(target.nodeName.toLowerCase() == 'textarea' || (target.nodeName.toLowerCase() == 'input' && target.type == 'text')){
-   tRs.formEl = target;
-   tRs.formEl.startHeight = tRs.formEl.clientHeight;
-   tRs.formEl.startY = event.clientY;
-   tRs.adEv(document, 'mousemove', tRs.resize);
-   tRs.adEv(document, 'mouseup', tRs.stopResize);
-   tRs.formEl.parentNode.style.cursor = 'n-resize';
-   tRs.formEl.style.cursor = 'n-resize';
-   try{
-    event.preventDefault();
-   }catch(e){
-   }
-  }
- },
- resize: function(event){
-  if(typeof event == 'undefined'){
-   event = window.event;
-  }
-        if(tRs.formEl.nodeName.toLowerCase() == 'textarea'){
-   tRs.formEl.style.height = event.clientY - tRs.formEl.startY + tRs.formEl.startHeight + 'px';
-  }
- },
- stopResize: function(event){
-  tRs.rmEv(document, 'mousedown', tRs.initResize);
-  tRs.rmEv(document, 'mousemove', tRs.resize);
-  tRs.formEl.style.cursor = 'text';
-  tRs.formEl.parentNode.style.cursor = 'auto';
-  return false;
- }
-};
-tRs.adEv(window, 'load', tRs.adBtn);
-// Diff Match and Patch javascript code by Neil Fraser; Apache license 2.0; http://code.google.com/p/google-diff-match-patch/
-(function(){function diff_match_patch(){this.Diff_Timeout=1;this.Diff_EditCost=4;this.Match_Threshold=0.5;this.Match_Distance=1E3;this.Patch_DeleteThreshold=0.5;this.Patch_Margin=4;this.Match_MaxBits=32}
-diff_match_patch.prototype.diff_main=function(a,b,c,d){"undefined"==typeof d&&(d=0>=this.Diff_Timeout?Number.MAX_VALUE:(new Date).getTime()+1E3*this.Diff_Timeout);if(null==a||null==b)throw Error("Null input. (diff_main)");if(a==b)return a?[[0,a]]:[];"undefined"==typeof c&&(c=!0);var e=c,f=this.diff_commonPrefix(a,b),c=a.substring(0,f),a=a.substring(f),b=b.substring(f),f=this.diff_commonSuffix(a,b),g=a.substring(a.length-f),a=a.substring(0,a.length-f),b=b.substring(0,b.length-f),a=this.diff_compute_(a,
-b,e,d);c&&a.unshift([0,c]);g&&a.push([0,g]);this.diff_cleanupMerge(a);return a};
-diff_match_patch.prototype.diff_compute_=function(a,b,c,d){if(!a)return[[1,b]];if(!b)return[[-1,a]];var e=a.length>b.length?a:b,f=a.length>b.length?b:a,g=e.indexOf(f);if(-1!=g)return c=[[1,e.substring(0,g)],[0,f],[1,e.substring(g+f.length)]],a.length>b.length&&(c[0][0]=c[2][0]=-1),c;if(1==f.length)return[[-1,a],[1,b]];return(e=this.diff_halfMatch_(a,b))?(f=e[0],a=e[1],g=e[2],b=e[3],e=e[4],f=this.diff_main(f,g,c,d),c=this.diff_main(a,b,c,d),f.concat([[0,e]],c)):c&&100<a.length&&100<b.length?this.diff_lineMode_(a,
-b,d):this.diff_bisect_(a,b,d)};
-diff_match_patch.prototype.diff_lineMode_=function(a,b,c){var d=this.diff_linesToChars_(a,b),a=d.chars1,b=d.chars2,d=d.lineArray,a=this.diff_main(a,b,!1,c);this.diff_charsToLines_(a,d);this.diff_cleanupSemantic(a);a.push([0,""]);for(var e=d=b=0,f="",g="";b<a.length;){switch(a[b][0]){case 1:e++;g+=a[b][1];break;case -1:d++;f+=a[b][1];break;case 0:if(1<=d&&1<=e){a.splice(b-d-e,d+e);b=b-d-e;d=this.diff_main(f,g,!1,c);for(e=d.length-1;0<=e;e--)a.splice(b,0,d[e]);b+=d.length}d=e=0;g=f=""}b++}a.pop();return a};
-diff_match_patch.prototype.diff_bisect_=function(a,b,c){for(var d=a.length,e=b.length,f=Math.ceil((d+e)/2),g=f,h=2*f,j=Array(h),i=Array(h),k=0;k<h;k++)j[k]=-1,i[k]=-1;j[g+1]=0;i[g+1]=0;for(var k=d-e,p=0!=k%2,q=0,s=0,o=0,v=0,u=0;u<f&&!((new Date).getTime()>c);u++){for(var n=-u+q;n<=u-s;n+=2){var l=g+n,m;m=n==-u||n!=u&&j[l-1]<j[l+1]?j[l+1]:j[l-1]+1;for(var r=m-n;m<d&&r<e&&a.charAt(m)==b.charAt(r);)m++,r++;j[l]=m;if(m>d)s+=2;else if(r>e)q+=2;else if(p&&(l=g+k-n,0<=l&&l<h&&-1!=i[l])){var t=d-i[l];if(m>=
-t)return this.diff_bisectSplit_(a,b,m,r,c)}}for(n=-u+o;n<=u-v;n+=2){l=g+n;t=n==-u||n!=u&&i[l-1]<i[l+1]?i[l+1]:i[l-1]+1;for(m=t-n;t<d&&m<e&&a.charAt(d-t-1)==b.charAt(e-m-1);)t++,m++;i[l]=t;if(t>d)v+=2;else if(m>e)o+=2;else if(!p&&(l=g+k-n,0<=l&&l<h&&-1!=j[l]&&(m=j[l],r=g+m-l,t=d-t,m>=t)))return this.diff_bisectSplit_(a,b,m,r,c)}}return[[-1,a],[1,b]]};
-diff_match_patch.prototype.diff_bisectSplit_=function(a,b,c,d,e){var f=a.substring(0,c),g=b.substring(0,d),a=a.substring(c),b=b.substring(d),f=this.diff_main(f,g,!1,e),e=this.diff_main(a,b,!1,e);return f.concat(e)};
-diff_match_patch.prototype.diff_linesToChars_=function(a,b){function c(a){for(var b="",c=0,f=-1,g=d.length;f<a.length-1;){f=a.indexOf("\n",c);-1==f&&(f=a.length-1);var q=a.substring(c,f+1),c=f+1;(e.hasOwnProperty?e.hasOwnProperty(q):void 0!==e[q])?b+=String.fromCharCode(e[q]):(b+=String.fromCharCode(g),e[q]=g,d[g++]=q)}return b}var d=[],e={};d[0]="";var f=c(a),g=c(b);return{chars1:f,chars2:g,lineArray:d}};
-diff_match_patch.prototype.diff_charsToLines_=function(a,b){for(var c=0;c<a.length;c++){for(var d=a[c][1],e=[],f=0;f<d.length;f++)e[f]=b[d.charCodeAt(f)];a[c][1]=e.join("")}};diff_match_patch.prototype.diff_commonPrefix=function(a,b){if(!a||!b||a.charAt(0)!=b.charAt(0))return 0;for(var c=0,d=Math.min(a.length,b.length),e=d,f=0;c<e;)a.substring(f,e)==b.substring(f,e)?f=c=e:d=e,e=Math.floor((d-c)/2+c);return e};
-diff_match_patch.prototype.diff_commonSuffix=function(a,b){if(!a||!b||a.charAt(a.length-1)!=b.charAt(b.length-1))return 0;for(var c=0,d=Math.min(a.length,b.length),e=d,f=0;c<e;)a.substring(a.length-e,a.length-f)==b.substring(b.length-e,b.length-f)?f=c=e:d=e,e=Math.floor((d-c)/2+c);return e};
-diff_match_patch.prototype.diff_commonOverlap_=function(a,b){var c=a.length,d=b.length;if(0==c||0==d)return 0;c>d?a=a.substring(c-d):c<d&&(b=b.substring(0,c));c=Math.min(c,d);if(a==b)return c;for(var d=0,e=1;;){var f=a.substring(c-e),f=b.indexOf(f);if(-1==f)return d;e+=f;if(0==f||a.substring(c-e)==b.substring(0,e))d=e,e++}};
-diff_match_patch.prototype.diff_halfMatch_=function(a,b){function c(a,b,c){for(var d=a.substring(c,c+Math.floor(a.length/4)),e=-1,g="",h,j,n,l;-1!=(e=b.indexOf(d,e+1));){var m=f.diff_commonPrefix(a.substring(c),b.substring(e)),r=f.diff_commonSuffix(a.substring(0,c),b.substring(0,e));g.length<r+m&&(g=b.substring(e-r,e)+b.substring(e,e+m),h=a.substring(0,c-r),j=a.substring(c+m),n=b.substring(0,e-r),l=b.substring(e+m))}return 2*g.length>=a.length?[h,j,n,l,g]:null}if(0>=this.Diff_Timeout)return null;
-var d=a.length>b.length?a:b,e=a.length>b.length?b:a;if(4>d.length||2*e.length<d.length)return null;var f=this,g=c(d,e,Math.ceil(d.length/4)),d=c(d,e,Math.ceil(d.length/2)),h;if(!g&&!d)return null;h=d?g?g[4].length>d[4].length?g:d:d:g;var j;a.length>b.length?(g=h[0],d=h[1],e=h[2],j=h[3]):(e=h[0],j=h[1],g=h[2],d=h[3]);h=h[4];return[g,d,e,j,h]};
-diff_match_patch.prototype.diff_cleanupSemantic=function(a){for(var b=!1,c=[],d=0,e=null,f=0,g=0,h=0,j=0,i=0;f<a.length;)0==a[f][0]?(c[d++]=f,g=j,h=i,i=j=0,e=a[f][1]):(1==a[f][0]?j+=a[f][1].length:i+=a[f][1].length,e&&e.length<=Math.max(g,h)&&e.length<=Math.max(j,i)&&(a.splice(c[d-1],0,[-1,e]),a[c[d-1]+1][0]=1,d--,d--,f=0<d?c[d-1]:-1,i=j=h=g=0,e=null,b=!0)),f++;b&&this.diff_cleanupMerge(a);this.diff_cleanupSemanticLossless(a);for(f=1;f<a.length;){if(-1==a[f-1][0]&&1==a[f][0]){b=a[f-1][1];c=a[f][1];
-d=this.diff_commonOverlap_(b,c);e=this.diff_commonOverlap_(c,b);if(d>=e){if(d>=b.length/2||d>=c.length/2)a.splice(f,0,[0,c.substring(0,d)]),a[f-1][1]=b.substring(0,b.length-d),a[f+1][1]=c.substring(d),f++}else if(e>=b.length/2||e>=c.length/2)a.splice(f,0,[0,b.substring(0,e)]),a[f-1][0]=1,a[f-1][1]=c.substring(0,c.length-e),a[f+1][0]=-1,a[f+1][1]=b.substring(e),f++;f++}f++}};
-diff_match_patch.prototype.diff_cleanupSemanticLossless=function(a){function b(a,b){if(!a||!b)return 6;var c=a.charAt(a.length-1),d=b.charAt(0),e=c.match(diff_match_patch.nonAlphaNumericRegex_),f=d.match(diff_match_patch.nonAlphaNumericRegex_),g=e&&c.match(diff_match_patch.whitespaceRegex_),h=f&&d.match(diff_match_patch.whitespaceRegex_),c=g&&c.match(diff_match_patch.linebreakRegex_),d=h&&d.match(diff_match_patch.linebreakRegex_),i=c&&a.match(diff_match_patch.blanklineEndRegex_),j=d&&b.match(diff_match_patch.blanklineStartRegex_);
-return i||j?5:c||d?4:e&&!g&&h?3:g||h?2:e||f?1:0}for(var c=1;c<a.length-1;){if(0==a[c-1][0]&&0==a[c+1][0]){var d=a[c-1][1],e=a[c][1],f=a[c+1][1],g=this.diff_commonSuffix(d,e);if(g)var h=e.substring(e.length-g),d=d.substring(0,d.length-g),e=h+e.substring(0,e.length-g),f=h+f;for(var g=d,h=e,j=f,i=b(d,e)+b(e,f);e.charAt(0)===f.charAt(0);){var d=d+e.charAt(0),e=e.substring(1)+f.charAt(0),f=f.substring(1),k=b(d,e)+b(e,f);k>=i&&(i=k,g=d,h=e,j=f)}a[c-1][1]!=g&&(g?a[c-1][1]=g:(a.splice(c-1,1),c--),a[c][1]=
-h,j?a[c+1][1]=j:(a.splice(c+1,1),c--))}c++}};diff_match_patch.nonAlphaNumericRegex_=/[^a-zA-Z0-9]/;diff_match_patch.whitespaceRegex_=/\s/;diff_match_patch.linebreakRegex_=/[\r\n]/;diff_match_patch.blanklineEndRegex_=/\n\r?\n$/;diff_match_patch.blanklineStartRegex_=/^\r?\n\r?\n/;
-diff_match_patch.prototype.diff_cleanupEfficiency=function(a){for(var b=!1,c=[],d=0,e=null,f=0,g=!1,h=!1,j=!1,i=!1;f<a.length;){if(0==a[f][0])a[f][1].length<this.Diff_EditCost&&(j||i)?(c[d++]=f,g=j,h=i,e=a[f][1]):(d=0,e=null),j=i=!1;else if(-1==a[f][0]?i=!0:j=!0,e&&(g&&h&&j&&i||e.length<this.Diff_EditCost/2&&3==g+h+j+i))a.splice(c[d-1],0,[-1,e]),a[c[d-1]+1][0]=1,d--,e=null,g&&h?(j=i=!0,d=0):(d--,f=0<d?c[d-1]:-1,j=i=!1),b=!0;f++}b&&this.diff_cleanupMerge(a)};
-diff_match_patch.prototype.diff_cleanupMerge=function(a){a.push([0,""]);for(var b=0,c=0,d=0,e="",f="",g;b<a.length;)switch(a[b][0]){case 1:d++;f+=a[b][1];b++;break;case -1:c++;e+=a[b][1];b++;break;case 0:1<c+d?(0!==c&&0!==d&&(g=this.diff_commonPrefix(f,e),0!==g&&(0<b-c-d&&0==a[b-c-d-1][0]?a[b-c-d-1][1]+=f.substring(0,g):(a.splice(0,0,[0,f.substring(0,g)]),b++),f=f.substring(g),e=e.substring(g)),g=this.diff_commonSuffix(f,e),0!==g&&(a[b][1]=f.substring(f.length-g)+a[b][1],f=f.substring(0,f.length-
-g),e=e.substring(0,e.length-g))),0===c?a.splice(b-d,c+d,[1,f]):0===d?a.splice(b-c,c+d,[-1,e]):a.splice(b-c-d,c+d,[-1,e],[1,f]),b=b-c-d+(c?1:0)+(d?1:0)+1):0!==b&&0==a[b-1][0]?(a[b-1][1]+=a[b][1],a.splice(b,1)):b++,c=d=0,f=e=""}""===a[a.length-1][1]&&a.pop();c=!1;for(b=1;b<a.length-1;)0==a[b-1][0]&&0==a[b+1][0]&&(a[b][1].substring(a[b][1].length-a[b-1][1].length)==a[b-1][1]?(a[b][1]=a[b-1][1]+a[b][1].substring(0,a[b][1].length-a[b-1][1].length),a[b+1][1]=a[b-1][1]+a[b+1][1],a.splice(b-1,1),c=!0):a[b][1].substring(0,
-a[b+1][1].length)==a[b+1][1]&&(a[b-1][1]+=a[b+1][1],a[b][1]=a[b][1].substring(a[b+1][1].length)+a[b+1][1],a.splice(b+1,1),c=!0)),b++;c&&this.diff_cleanupMerge(a)};diff_match_patch.prototype.diff_xIndex=function(a,b){var c=0,d=0,e=0,f=0,g;for(g=0;g<a.length;g++){1!==a[g][0]&&(c+=a[g][1].length);-1!==a[g][0]&&(d+=a[g][1].length);if(c>b)break;e=c;f=d}return a.length!=g&&-1===a[g][0]?f:f+(b-e)};
-diff_match_patch.prototype.diff_prettyHtml=function(a){for(var b=[],c=/&/g,d=/</g,e=/>/g,f=/\n/g,g=0;g<a.length;g++){var h=a[g][0],j=a[g][1],j=j.replace(c,"&amp;").replace(d,"&lt;").replace(e,"&gt;").replace(f,"<span style=\"color: #dcdcdc;\">&not;</span><br>");switch(h){case 1:b[g]='<ins style="background:#ccffcc; text-decoration: none;">'+j+"</ins>";break;case -1:b[g]='<del style="background:#ffffcc; text-decoration: line-through; color: orange;">'+j+"</del>";break;case 0:b[g]="<span>"+j+"</span>"}}return b.join("")};
-diff_match_patch.prototype.diff_text1=function(a){for(var b=[],c=0;c<a.length;c++)1!==a[c][0]&&(b[c]=a[c][1]);return b.join("")};diff_match_patch.prototype.diff_text2=function(a){for(var b=[],c=0;c<a.length;c++)-1!==a[c][0]&&(b[c]=a[c][1]);return b.join("")};diff_match_patch.prototype.diff_levenshtein=function(a){for(var b=0,c=0,d=0,e=0;e<a.length;e++){var f=a[e][0],g=a[e][1];switch(f){case 1:c+=g.length;break;case -1:d+=g.length;break;case 0:b+=Math.max(c,d),d=c=0}}return b+=Math.max(c,d)};
-diff_match_patch.prototype.diff_toDelta=function(a){for(var b=[],c=0;c<a.length;c++)switch(a[c][0]){case 1:b[c]="+"+encodeURI(a[c][1]);break;case -1:b[c]="-"+a[c][1].length;break;case 0:b[c]="="+a[c][1].length}return b.join("\t").replace(/%20/g," ")};
-diff_match_patch.prototype.diff_fromDelta=function(a,b){for(var c=[],d=0,e=0,f=b.split(/\t/g),g=0;g<f.length;g++){var h=f[g].substring(1);switch(f[g].charAt(0)){case "+":try{c[d++]=[1,decodeURI(h)]}catch(j){throw Error("Illegal escape in diff_fromDelta: "+h);}break;case "-":case "=":var i=parseInt(h,10);if(isNaN(i)||0>i)throw Error("Invalid number in diff_fromDelta: "+h);h=a.substring(e,e+=i);"="==f[g].charAt(0)?c[d++]=[0,h]:c[d++]=[-1,h];break;default:if(f[g])throw Error("Invalid diff operation in diff_fromDelta: "+
-f[g]);}}if(e!=a.length)throw Error("Delta length ("+e+") does not equal source text length ("+a.length+").");return c};diff_match_patch.prototype.match_main=function(a,b,c){if(null==a||null==b||null==c)throw Error("Null input. (match_main)");c=Math.max(0,Math.min(c,a.length));return a==b?0:a.length?a.substring(c,c+b.length)==b?c:this.match_bitap_(a,b,c):-1};
-diff_match_patch.prototype.match_bitap_=function(a,b,c){function d(a,d){var e=a/b.length,g=Math.abs(c-d);return!f.Match_Distance?g?1:e:e+g/f.Match_Distance}if(b.length>this.Match_MaxBits)throw Error("Pattern too long for this browser.");var e=this.match_alphabet_(b),f=this,g=this.Match_Threshold,h=a.indexOf(b,c);-1!=h&&(g=Math.min(d(0,h),g),h=a.lastIndexOf(b,c+b.length),-1!=h&&(g=Math.min(d(0,h),g)));for(var j=1<<b.length-1,h=-1,i,k,p=b.length+a.length,q,s=0;s<b.length;s++){i=0;for(k=p;i<k;)d(s,c+
-k)<=g?i=k:p=k,k=Math.floor((p-i)/2+i);p=k;i=Math.max(1,c-k+1);var o=Math.min(c+k,a.length)+b.length;k=Array(o+2);for(k[o+1]=(1<<s)-1;o>=i;o--){var v=e[a.charAt(o-1)];k[o]=0===s?(k[o+1]<<1|1)&v:(k[o+1]<<1|1)&v|(q[o+1]|q[o])<<1|1|q[o+1];if(k[o]&j&&(v=d(s,o-1),v<=g))if(g=v,h=o-1,h>c)i=Math.max(1,2*c-h);else break}if(d(s+1,c)>g)break;q=k}return h};
-diff_match_patch.prototype.match_alphabet_=function(a){for(var b={},c=0;c<a.length;c++)b[a.charAt(c)]=0;for(c=0;c<a.length;c++)b[a.charAt(c)]|=1<<a.length-c-1;return b};
-diff_match_patch.prototype.patch_addContext_=function(a,b){if(0!=b.length){for(var c=b.substring(a.start2,a.start2+a.length1),d=0;b.indexOf(c)!=b.lastIndexOf(c)&&c.length<this.Match_MaxBits-this.Patch_Margin-this.Patch_Margin;)d+=this.Patch_Margin,c=b.substring(a.start2-d,a.start2+a.length1+d);d+=this.Patch_Margin;(c=b.substring(a.start2-d,a.start2))&&a.diffs.unshift([0,c]);(d=b.substring(a.start2+a.length1,a.start2+a.length1+d))&&a.diffs.push([0,d]);a.start1-=c.length;a.start2-=c.length;a.length1+=
-c.length+d.length;a.length2+=c.length+d.length}};
-diff_match_patch.prototype.patch_make=function(a,b,c){var d;if("string"==typeof a&&"string"==typeof b&&"undefined"==typeof c)d=a,b=this.diff_main(d,b,!0),2<b.length&&(this.diff_cleanupSemantic(b),this.diff_cleanupEfficiency(b));else if(a&&"object"==typeof a&&"undefined"==typeof b&&"undefined"==typeof c)b=a,d=this.diff_text1(b);else if("string"==typeof a&&b&&"object"==typeof b&&"undefined"==typeof c)d=a;else if("string"==typeof a&&"string"==typeof b&&c&&"object"==typeof c)d=a,b=c;else throw Error("Unknown call format to patch_make.");
-if(0===b.length)return[];for(var c=[],a=new diff_match_patch.patch_obj,e=0,f=0,g=0,h=d,j=0;j<b.length;j++){var i=b[j][0],k=b[j][1];if(!e&&0!==i)a.start1=f,a.start2=g;switch(i){case 1:a.diffs[e++]=b[j];a.length2+=k.length;d=d.substring(0,g)+k+d.substring(g);break;case -1:a.length1+=k.length;a.diffs[e++]=b[j];d=d.substring(0,g)+d.substring(g+k.length);break;case 0:k.length<=2*this.Patch_Margin&&e&&b.length!=j+1?(a.diffs[e++]=b[j],a.length1+=k.length,a.length2+=k.length):k.length>=2*this.Patch_Margin&&
-e&&(this.patch_addContext_(a,h),c.push(a),a=new diff_match_patch.patch_obj,e=0,h=d,f=g)}1!==i&&(f+=k.length);-1!==i&&(g+=k.length)}e&&(this.patch_addContext_(a,h),c.push(a));return c};diff_match_patch.prototype.patch_deepCopy=function(a){for(var b=[],c=0;c<a.length;c++){var d=a[c],e=new diff_match_patch.patch_obj;e.diffs=[];for(var f=0;f<d.diffs.length;f++)e.diffs[f]=d.diffs[f].slice();e.start1=d.start1;e.start2=d.start2;e.length1=d.length1;e.length2=d.length2;b[c]=e}return b};
-diff_match_patch.prototype.patch_apply=function(a,b){if(0==a.length)return[b,[]];var a=this.patch_deepCopy(a),c=this.patch_addPadding(a),b=c+b+c;this.patch_splitMax(a);for(var d=0,e=[],f=0;f<a.length;f++){var g=a[f].start2+d,h=this.diff_text1(a[f].diffs),j,i=-1;if(h.length>this.Match_MaxBits){if(j=this.match_main(b,h.substring(0,this.Match_MaxBits),g),-1!=j&&(i=this.match_main(b,h.substring(h.length-this.Match_MaxBits),g+h.length-this.Match_MaxBits),-1==i||j>=i))j=-1}else j=this.match_main(b,h,g);
-if(-1==j)e[f]=!1,d-=a[f].length2-a[f].length1;else if(e[f]=!0,d=j-g,g=-1==i?b.substring(j,j+h.length):b.substring(j,i+this.Match_MaxBits),h==g)b=b.substring(0,j)+this.diff_text2(a[f].diffs)+b.substring(j+h.length);else if(g=this.diff_main(h,g,!1),h.length>this.Match_MaxBits&&this.diff_levenshtein(g)/h.length>this.Patch_DeleteThreshold)e[f]=!1;else{this.diff_cleanupSemanticLossless(g);for(var h=0,k,i=0;i<a[f].diffs.length;i++){var p=a[f].diffs[i];0!==p[0]&&(k=this.diff_xIndex(g,h));1===p[0]?b=b.substring(0,
-j+k)+p[1]+b.substring(j+k):-1===p[0]&&(b=b.substring(0,j+k)+b.substring(j+this.diff_xIndex(g,h+p[1].length)));-1!==p[0]&&(h+=p[1].length)}}}b=b.substring(c.length,b.length-c.length);return[b,e]};
-diff_match_patch.prototype.patch_addPadding=function(a){for(var b=this.Patch_Margin,c="",d=1;d<=b;d++)c+=String.fromCharCode(d);for(d=0;d<a.length;d++)a[d].start1+=b,a[d].start2+=b;var d=a[0],e=d.diffs;if(0==e.length||0!=e[0][0])e.unshift([0,c]),d.start1-=b,d.start2-=b,d.length1+=b,d.length2+=b;else if(b>e[0][1].length){var f=b-e[0][1].length;e[0][1]=c.substring(e[0][1].length)+e[0][1];d.start1-=f;d.start2-=f;d.length1+=f;d.length2+=f}d=a[a.length-1];e=d.diffs;0==e.length||0!=e[e.length-1][0]?(e.push([0,
-c]),d.length1+=b,d.length2+=b):b>e[e.length-1][1].length&&(f=b-e[e.length-1][1].length,e[e.length-1][1]+=c.substring(0,f),d.length1+=f,d.length2+=f);return c};
-diff_match_patch.prototype.patch_splitMax=function(a){for(var b=this.Match_MaxBits,c=0;c<a.length;c++)if(!(a[c].length1<=b)){var d=a[c];a.splice(c--,1);for(var e=d.start1,f=d.start2,g="";0!==d.diffs.length;){var h=new diff_match_patch.patch_obj,j=!0;h.start1=e-g.length;h.start2=f-g.length;if(""!==g)h.length1=h.length2=g.length,h.diffs.push([0,g]);for(;0!==d.diffs.length&&h.length1<b-this.Patch_Margin;){var g=d.diffs[0][0],i=d.diffs[0][1];1===g?(h.length2+=i.length,f+=i.length,h.diffs.push(d.diffs.shift()),
-j=!1):-1===g&&1==h.diffs.length&&0==h.diffs[0][0]&&i.length>2*b?(h.length1+=i.length,e+=i.length,j=!1,h.diffs.push([g,i]),d.diffs.shift()):(i=i.substring(0,b-h.length1-this.Patch_Margin),h.length1+=i.length,e+=i.length,0===g?(h.length2+=i.length,f+=i.length):j=!1,h.diffs.push([g,i]),i==d.diffs[0][1]?d.diffs.shift():d.diffs[0][1]=d.diffs[0][1].substring(i.length))}g=this.diff_text2(h.diffs);g=g.substring(g.length-this.Patch_Margin);i=this.diff_text1(d.diffs).substring(0,this.Patch_Margin);""!==i&&
-(h.length1+=i.length,h.length2+=i.length,0!==h.diffs.length&&0===h.diffs[h.diffs.length-1][0]?h.diffs[h.diffs.length-1][1]+=i:h.diffs.push([0,i]));j||a.splice(++c,0,h)}}};diff_match_patch.prototype.patch_toText=function(a){for(var b=[],c=0;c<a.length;c++)b[c]=a[c];return b.join("")};
-diff_match_patch.prototype.patch_fromText=function(a){var b=[];if(!a)return b;for(var a=a.split("\n"),c=0,d=/^@@ -(\d+),?(\d*) \+(\d+),?(\d*) @@$/;c<a.length;){var e=a[c].match(d);if(!e)throw Error("Invalid patch string: "+a[c]);var f=new diff_match_patch.patch_obj;b.push(f);f.start1=parseInt(e[1],10);""===e[2]?(f.start1--,f.length1=1):"0"==e[2]?f.length1=0:(f.start1--,f.length1=parseInt(e[2],10));f.start2=parseInt(e[3],10);""===e[4]?(f.start2--,f.length2=1):"0"==e[4]?f.length2=0:(f.start2--,f.length2=
-parseInt(e[4],10));for(c++;c<a.length;){e=a[c].charAt(0);try{var g=decodeURI(a[c].substring(1))}catch(h){throw Error("Illegal escape in patch_fromText: "+g);}if("-"==e)f.diffs.push([-1,g]);else if("+"==e)f.diffs.push([1,g]);else if(" "==e)f.diffs.push([0,g]);else if("@"==e)break;else if(""!==e)throw Error('Invalid patch mode "'+e+'" in: '+g);c++}}return b};diff_match_patch.patch_obj=function(){this.diffs=[];this.start2=this.start1=null;this.length2=this.length1=0};
-diff_match_patch.patch_obj.prototype.toString=function(){var a,b;a=0===this.length1?this.start1+",0":1==this.length1?this.start1+1:this.start1+1+","+this.length1;b=0===this.length2?this.start2+",0":1==this.length2?this.start2+1:this.start2+1+","+this.length2;a=["@@ -"+a+" +"+b+" @@\n"];var c;for(b=0;b<this.diffs.length;b++){switch(this.diffs[b][0]){case 1:c="+";break;case -1:c="-";break;case 0:c=" "}a[b+1]=c+encodeURI(this.diffs[b][1])+"\n"}return a.join("").replace(/%20/g," ")};
-this.diff_match_patch=diff_match_patch;this.DIFF_DELETE=-1;this.DIFF_INSERT=1;this.DIFF_EQUAL=0;})()
-var dmp = new diff_match_patch(); function diffLaunch(){var text1 = document.getElementById('text').value; var text2 = document.getElementById('text2').value; dmp.Diff_Timeout = 0; dmp.Diff_EditCost = 4; var d = dmp.diff_main(text1, text2); var ds = dmp.diff_prettyHtml(d); document.getElementById('diff').innerHTML = ds;
-}
-//--><!]]></script>
-<title>htmLawed (<?php echo hl_version();?>) test</title>
-</head>
-<body>
-<div id="topmost">
-
-<h5 style="float: left; display: inline; margin-top: 0; margin-bottom: 5px;"><a href="http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed/index.php" title="htmLawed home">HTM<big><big>L</big></big>AWED</a> <?php echo hl_version();?> <a href="htmLawedTest.php" title="test home">TEST</a></h5>
-<span style="float: right;" class="help"><a href="htmLawed_README.htm"><span class="notice">htm</span></a> / <a href="htmLawed_README.txt"><span class="notice">txt</span></a> documentation</span><br style="clear:both;" />
-
-<a href="htmLawedTest.php" title="[toggle visibility] type or copy-paste" onclick="javascript:toggle('inputF'); return false;"><span class="notice">Input &raquo;</span> <span class="help" title="limit lower with multibyte characters<?php echo (($_hlimit < $_limit && $_hlimit)? '; limit is '. $_hlimit. ' for viewing binaries' : ''); ?>"><small>(max. <?php echo htmlspecialchars($_limit);?> chars)</small></span></a>
-
-<form id="testform" name="testform" action="htmLawedTest.php" method="post" accept-charset="<?php echo htmlspecialchars($_POST['enc']); ?>" style="padding:0; margin: 0; display:inline;">
-
-<div id="inputF" style="display: block;">
-
-<input type="hidden" name="token" id="token" value="<?php echo $token; ?>" />
-<div><textarea id="text" class="textarea" name="text" rows="5" cols="100" style="width: 100%;"><?php echo htmlspecialchars($_POST['text']);?></textarea></div>
-<input type="submit" id="submitF" name="submitF" value="Process" style="float:left;" title="filter using htmLawed" onclick="javascript: sndProc(); return false;" onkeypress="javascript: sndProc(); return false;" />
-
-<?php
-if($do){
- if($validation){
-  echo '<input type="hidden" value="1" name="w3c_validate" id="w3c_validate" />';
- }
-?>
- 
-<button type="button" title="Raw input rendered as web-page without a doctype or charset declaration" style="float: right;" onclick="javascript: sndUnproc(); return false;" onkeypress="javascript: sndUnproc(); return false;">Render in webpage</button>
-<button type="button" onclick="javascript:document.getElementById('text').focus();document.getElementById('text').select()" title="select all to copy" style="float:right;">Select all</button>
-
-<?php
-if($_w3c_validate && $validation){
-?>
-  
-<button type="button" title="HTML 4.01 W3C online validation" style="float: right;" onclick="javascript: sndValidn('text', 'html401'); return false;" onkeypress="javascript: sndValidn('text', 'html401'); return false;">Check HTML</button>
-<button type="button" title="XHTML 1.1 W3C online validation" style="float: right;" onclick="javascript: sndValidn('text', 'xhtml110'); return false;" onkeypress="javascript: sndValidn('text', 'xhtml110'); return false;">Check XHTML</button>
-  
-<?php
- }
-}
-else{
- if($_w3c_validate){
-  echo '<span style="float: right;" class="help" title="for direct submission of input or output code to W3C validator for (X)HTML validation"><span style="font-size: 85%;">&nbsp;Validator tools: </span><input type="checkbox" value="1" name="w3c_validate" id="w3c_validate" style="vertical-align: middle;"', ($validation ? ' checked="checked"' : ''), ' /></span>';
- }
-}
-?>
-
-<span style="float:right;" class="help" title="IANA-recognized name of the input character-set; can be multiple ;- or space-separated values; may not work in some browsers"><span style="font-size: 85%;">Encoding: </span><input type="text" size="8" id="enc" name="enc" style="vertical-align: middle;" value="<?php echo htmlspecialchars($_POST['enc']); ?>" /></span>
-
-</div>
-<br style="clear:both;" />
-
-<?php
-if($limit_exceeded){
- echo '<br /><strong>Input text is too long!</strong><br />';
-}
-?>
-
-<br />
-
-<a href="htmLawedTest.php" title="[toggle visibility] htmLawed configuration" onclick="javascript:toggle('inputC'); return false;"><span class="notice">Settings &raquo;</span></a>
-
-<div id="inputC" style="display: none;">
-<table summary="none">
-<tr>
-<td><span class="help" title="$config argument">Config:</span></td>
-<td><ul>
- 
-<?php
-$cfg = array(
-'abs_url'=>array('3', '0', 'absolute/relative URL conversion', '-1'),
-'and_mark'=>array('2', '0', 'mark original <em>&amp;</em> chars', '0', 'd'=>1), // 'd' to disable
-'anti_link_spam'=>array('1', '0', 'modify <em>href</em> values as an anti-link spam measure', '0', array(array('30', '1', '', 'regex for extra <em>rel</em>'), array('30', '2', '', 'regex for no <em>href</em>'))),
-'anti_mail_spam'=>array('1', '0', 'replace <em>@</em> in <em>mailto:</em> URLs', '0', '8', 'NO@SPAM', 'replacement'),
-'balance'=>array('2', '1', 'fix nestings and balance tags', '0'),
-'base_url'=>array('', '', 'base URL', '25'),
-'cdata'=>array('4', 'nil', 'allow <em>CDATA</em> sections', 'nil'),
-'clean_ms_char'=>array('3', '0', 'replace bad characters introduced by Microsoft apps. like <em>Word</em>', '0'),
-'comment'=>array('4', 'nil', 'allow HTML comments', 'nil'),
-'css_expression'=>array('2', 'nil', 'allow dynamic expressions in CSS style properties', 'nil'),
-'deny_attribute'=>array('1', '0', 'denied attributes', '0', '50', '', 'these'),
-'direct_list_nest'=>array('2', 'nil', 'allow direct nesting of a list within another without requiring it to be a list item', 'nil'),
-'elements'=>array('', '', 'allowed elements', '50'),
-'hexdec_entity'=>array('3', '1', 'convert hexadecimal numeric entities to decimal ones, or vice versa', '0'),
-'hook'=>array('', '', 'name of hook function', '25'),
-'hook_tag'=>array('', '', 'name of custom function to further check attribute values', '25'),
-'keep_bad'=>array('7', '6', 'keep, or remove <em>bad</em> tag content', '0'),
-'lc_std_val'=>array('2', '1', 'lower-case std. attribute values like <em>radio</em>', '0'),
-'make_tag_strict'=>array('3', 'nil', 'transform deprecated elements', 'nil'),
-'named_entity'=>array('2', '1', 'allow named entities, or convert numeric ones', '0'),
-'no_deprecated_attr'=>array('3', '1', 'allow deprecated attributes, or transform them', '0'),
-'parent'=>array('', 'div', 'name of parent element', '25'),
-'safe'=>array('2', '0', 'for most <em>safe</em> HTML', '0'),
-'schemes'=>array('', 'href: aim, app, feed, file, ftp, gopher, http, https, irc, javascript, mailto, news, nntp, sftp, ssh, telnet, tel; *:data, file, http, https, javascript', 'allowed URL protocols', '50'),
-'show_setting'=>array('', 'htmLawed_setting', 'variable name to record <em>finalized</em> htmLawed settings', '25', 'd'=>1),
-'style_pass'=>array('2', 'nil', 'do not look at <em>style</em> attribute values', 'nil'),
-'tidy'=>array('3', '0', 'beautify/compact', '-1', '8', '1t1', 'format'),
-'unique_ids'=>array('2', '1', 'unique <em>id</em> values', '0', '8', 'my_', 'prefix'),
-'valid_xhtml'=>array('2', 'nil', 'auto-set various parameters for most valid XHTML', 'nil'),
-'xml:lang'=>array('3', 'nil', 'auto-add <em>xml:lang</em> attribute', '0'),
-);
-foreach($cfg as $k=>$v){
- echo '<li>', $k, ': ';
- if(!empty($v[0])){ // input radio
-  $j = $v[3];
-  for($i = $j-1; ++$i < $v[0]+$v[3];++$j){
-   echo '<input type="radio" name="h', $k, '" value="', $i, '"', (!isset($_POST['h'. $k]) ? ($v[1] == $i ? ' checked="checked"' : '') : ($_POST['h'. $k] == $i ? ' checked="checked"' : '')), (isset($v['d']) ? ' disabled="disabled"' : ''), ' />', $i, ' ';
-  }
-  if($v[1] == 'nil'){
-   echo '<input type="radio" name="h', $k, '" value="nil"', ((!isset($_POST['h'. $k]) or $_POST['h'. $k] == 'nil') ? ' checked="checked"' : ''), (isset($v['d']) ? ' disabled="disabled"' : ''), ' />not set ';
-  }
-  if(!empty($v[4])){ // + input text box
-   echo '<input type="radio" name="h', $k, '" value="', $j, '"', (((isset($_POST['h'. $k]) && $_POST['h'. $k] == $j) or (!isset($_POST['h'. $k]) && $j == $v[1])) ? ' checked="checked"' : ''), (isset($v['d']) ? ' disabled="disabled"' : ''), ' />';
-   if(!is_array($v[4])){
-    echo $v[6], ': <input type="text" size="', $v[4], '" name="h', $k. $j, '" value="', htmlspecialchars(isset($_POST['h'. $k. $j][0]) ? $_POST['h'. $k. $j] : $v[5]), '"', (isset($v['d']) ? ' disabled="disabled"' : ''), ' />';
-   }
-   else{
-    foreach($v[4] as $z){
-     echo ' ', $z[3], ': <input type="text" size="', $z[0], '" name="h', $k. $j. $z[1], '" value="', htmlspecialchars(isset($_POST['h'. $k. $j. $z[1]][0]) ? $_POST['h'. $k. $j. $z[1]] : $z[2]), '"', (isset($v['d']) ? ' disabled="disabled"' : ''), ' />';
-    }    
-   }
-  }
- }
- elseif(ctype_digit($v[3])){ // input text
-  echo '<input type="text" size="', $v[3], '" name="h', $k, '" value="', htmlspecialchars(isset($_POST['h'. $k][0]) ? $_POST['h'. $k] : $v[1]), '"', (isset($v['d']) ? ' disabled="disabled"' : ''), ' />';  
- }
- else{} // text-area
- echo ' <span class="help">', $v[2], '</span></li>';
-}
-echo '</ul></td></tr><tr><td><span style="vertical-align: top;" class="help" title="$spec argument: element-specific attribute rules">Spec:</span></td><td><textarea name="spec" id="spec" cols="70" rows="3" style="width:80%;">', htmlspecialchars((isset($_POST['spec']) ? $_POST['spec'] : '')), '</textarea></td></tr></table>';
-?>
-
-</div>
-</form>
-
-<?php
-if($do){
- $cfg = array();
- foreach($_POST as $k=>$v){
-  if($k[0] == 'h' && $v != 'nil'){
-   $cfg[substr($k, 1)] = $v;
-  }
- }
-
- if(isset($cfg['anti_link_spam']) && $cfg['anti_link_spam'] && (!empty($cfg['anti_link_spam11']) or !empty($cfg['anti_link_spam12']))){
-  $cfg['anti_link_spam'] = array($cfg['anti_link_spam11'], $cfg['anti_link_spam12']);
- }
- unset($cfg['anti_link_spam11'], $cfg['anti_link_spam12']);
- if(isset($cfg['anti_mail_spam']) && $cfg['anti_mail_spam'] == 1){
-  $cfg['anti_mail_spam'] = isset($cfg['anti_mail_spam1'][0]) ? $cfg['anti_mail_spam1'] : 0;
- }
- unset($cfg['anti_mail_spam11']);
- if(isset($cfg['deny_attribute']) && $cfg['deny_attribute'] == 1){
-  $cfg['deny_attribute'] = isset($cfg['deny_attribute1'][0]) ? $cfg['deny_attribute1'] : 0;
- }
- unset($cfg['deny_attribute1']);
- if(isset($cfg['tidy']) && $cfg['tidy'] == 2){
-  $cfg['tidy'] = isset($cfg['tidy2'][0]) ? $cfg['tidy2'] : 0;
- }
- unset($cfg['tidy2']);
- if(isset($cfg['unique_ids']) && $cfg['unique_ids'] == 2){
-  $cfg['unique_ids'] = isset($cfg['unique_ids2'][0]) ? $cfg['unique_ids2'] : 1;
- }
- unset($cfg['unique_ids2']);
- unset($cfg['and_mark']); // disabling and_mark
-
- $cfg['show_setting'] = 'hlcfg';
- $st = microtime(); 
- $out = htmLawed($_POST['text'], $cfg, $_POST['spec']);
- $et = microtime();
- echo '<br /><a href="htmLawedTest.php" title="[toggle visibility] syntax-highlighted" onclick="javascript:toggle(\'inputR\'); return false;"><span class="notice">Input code &raquo;</span></a> <span class="help" title="tags estimated as half of total &gt; and &lt; chars; values may be inaccurate for non-ASCII text"><small><big>', strlen($_POST['text']), '</big> chars, ~<big>', ($tag = round((substr_count($_POST['text'], '>') + substr_count($_POST['text'], '<'))/2)), '</big> tag', ($tag > 1 ? 's' : ''), '</small>&nbsp;</span><div id="inputR" style="display: none;">', format($_POST['text']), '</div><script type="text/javascript">hl(\'inputR\');</script>', (!isset($_POST['text'][$_hlimit]) ? ' <a href="htmLawedTest.php" title="[toggle visibility] hexdump; non-viewable characters like line-returns are shown as dots" onclick="javascript:toggle(\'inputD\'); return false;"><span class="notice">Input binary &raquo;&nbsp;</span></a><div id="inputD" style="display: none;">'. hexdump($_POST['text']). '</div>' : ''), ' <a href="htmLawedTest.php" title="[toggle visibility] finalized internal settings as interpreted by htmLawed; for developers" onclick="javascript:toggle(\'settingF\'); return false;"><span class="notice">Finalized internal settings &raquo;&nbsp;</span></a> <div id="settingF" style="display: none;">$config: ', str_replace(array('    ', "\t", '  '), array('  ', '&nbsp;  ', '&nbsp; '), nl2br(htmlspecialchars(print_r($GLOBALS['hlcfg']['config'], true)))), '<br />$spec: ', str_replace(array('    ', "\t", '  '), array('  ', '&nbsp;  ', '&nbsp; '), nl2br(htmlspecialchars(print_r($GLOBALS['hlcfg']['spec'], true)))), '</div><script type="text/javascript">hl(\'settingF\');</script>', '<br /><a href="htmLawedTest.php" title="[toggle visibility] suitable for copy-paste" onclick="javascript:toggle(\'outputF\'); return false;"><span class="notice">Output &raquo;</span></a> <span class="help" title="approx., server-specific value excluding the \'include()\' call"><small>htmLawed processing time <big>', number_format(((substr($et,0,9)) + (substr($et,-10)) - (substr($st,0,9)) - (substr($st,-10))),4), '</big> s</small></span>', (($mem = memory_get_peak_usage()) !== false ? '<span class="help"><small>, peak memory usage <big>'. round(($mem-$pre_mem)/1048576, 2). '</big> <small>MB</small>' : ''), '</small></span><div id="outputF"  style="display: block;"><div><textarea id="text2" class="textarea" name="text2" rows="5" cols="100" style="width: 100%;">', htmlspecialchars($out), '</textarea></div><button type="button" title="Filtered input rendered as web-page without a doctype or charset declaration" style="float: right;" onclick="javascript: sndProc2(); return false;" onkeypress="javascript: sndProc2(); return false;">Render in webpage</button><button type="button" onclick="javascript:document.getElementById(\'text2\').focus();document.getElementById(\'text2\').select()" title="select all to copy" style="float:right;">Select all</button>';
- if($_w3c_validate && $validation)
- {
-?>
-  
-<button type="button" title="HTML 4.01 W3C online validation" style="float: right;" onclick="javascript: sndValidn('text2', 'html401'); return false;" onkeypress="javascript: sndValidn('text2', 'html401'); return false;">Check HTML</button>
-<button type="button" title="XHTML 1.1 W3C online validation" style="float: right;" onclick="javascript: sndValidn('text2', 'xhtml110'); return false;" onkeypress="javascript: sndValidn('text2', 'xhtml110'); return false;">Check XHTML</button>
-  
-<?php
- }
- echo '</div><br /><a href="htmLawedTest.php" title="[toggle visibility] syntax-highlighted" onclick="javascript:toggle(\'outputR\'); return false;"><span class="notice">Output code &raquo;</span></a><div id="outputR" style="display: block;">', format($out), '</div><script type="text/javascript">hl(\'outputR\');</script>', (!isset($_POST['text'][$_hlimit]) ? ' <a href="htmLawedTest.php" title="[toggle visibility] hexdump; non-viewable characters like line-returns are shown as dots" onclick="javascript:toggle(\'outputD\'); return false;"><span class="notice">Output binary &raquo;</span></a><div id="outputD" style="display: none;">'. hexdump($out). '</div>' : ''), ' <a href="htmLawedTest.php" title="[toggle visibility] inline output-input diff; might not be perfectly accurate, semantically or otherwise " onclick="javascript:toggle(\'diff\'); diffLaunch(); return false;"><span class="notice">Diff &raquo;</span></a> <div id="diff" style="display: none;"></div><br /><a href="htmLawedTest.php" title="[toggle visibility] XHTML 1 Transitional doctype" onclick="javascript:toggle(\'outputH\'); return false;">';
-}
-else{
-?>
-
-<br />
-
-<div class="help">Use with a Javascript- and cookie-enabled, relatively new version of a common browser.
-
-<?php echo (file_exists('./htmLawed_TESTCASE.txt') ? '<br /><br />You can use text from <a href="htmLawed_TESTCASE.txt"><span class="notice">this collection of test-cases</span></a> in the input. Set the character encoding of the browser to Unicode/utf-8 before copying.' : ''); ?>
-
-<br /><br />For anti-XSS tests, try the <a href="http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed/htmLawedSafeModeTest.php"><span class="notice">special test-page</span></a> or see <a href="http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed/rsnake/RSnakeXSSTest.htm"><span class="notice">these results</span></a>.
-
-<br /><br /><small>Change <em>Encoding</em> to reflect the character encoding of the input text. Even then, it may not work or some characters may not display properly because of variable browser support and because of the form interface. Developers can write some PHP code to capture the filtered input to a file if this is important.
-<br /><br />Refer to the htmLawed documentation (<a href="htmLawed_README.htm"><span class="notice">htm</span></a>/<a href="htmLawed_README.txt"><span class="notice">txt</span></a>) for details about <em>Settings</em>, and htmLawed's behavior and limitations. For <em>Settings</em>, incorrectly-specified values like regular expressions are silently ignored. One or more settings form-fields may have been disabled. Some characters are not allowed in the <em>Spec</em> field.
-
-
-<br /><br />Hovering the mouse over some of the text can provide additional information in some browsers.</small>
-
-<?php
-if($_w3c_validate){
-?>
-
-<small><br /><br />Because of character-encoding issues, the W3C validator (anyway not perfect) may reject validation requests or invalidate otherwise-valid code, esp. if text was copy-pasted in the input box. Local applications like the <em>HTML Validator</em> Firefox browser add-on may be useful in such cases.</small>
-
-<?php
-}
-?>
-
-</div>
-
-<?php
-}
-?>
-
-</div>
-</body>
-</html>
+<?php

+

+/*

+htmLawedTest.php, 17 May 2017

+To test htmLawed

+Copyright Santosh Patnaik

+Dual licensed with LGPL 3 and GPL 2+

+A PHP Labware internal utility - www.bioinformatics.org/phplabware/internal_utilities/htmLawed

+

+Test htmLawed; user provides text input; input and processed input are shown as highlighted code and rendered HTML; also shown are execution time and peak memory usage

+*/

+

+// config

+$_errs = 0; // display PHP errors

+$_limit = 12000; // input character limit

+$_hlimit = 2000; // input character limit for showing hexdumps

+$_hilite = 1; // 0 turns off slow Javascript-based code-highlighting, e.g., if $_limit is high

+$_w3c_validate = 1; // 1 to show buttons to send input/output to w3c validator

+$_sid = 'sid'; // session name; alphanum.

+$_slife = 30; // session life in min.

+

+// errors

+error_reporting(E_ALL | (defined('E_STRICT') ? E_STRICT : 0));

+ini_set('display_errors', $_errs);

+

+// session

+session_name($_sid);

+session_cache_limiter('private');

+session_cache_expire($_slife);

+ini_set('session.gc_maxlifetime', $_slife * 60);

+ini_set('session.use_only_cookies', 1);

+ini_set('session.cookie_lifetime', 0);

+session_start();

+if(!isset($_SESSION['token'])){

+ $_SESSION['token'] = md5(uniqid(rand(), 1));

+}

+

+// slashes

+if(get_magic_quotes_gpc()){

+ foreach($_POST as $k => $v){

+  $_POST[$k] = stripslashes($v);

+ }

+ ini_set('magic_quotes_gpc', 0);

+}

+if(get_magic_quotes_runtime()){

+ set_magic_quotes_runtime(0);

+}

+

+$_POST['enc'] = (isset($_POST['enc']) and preg_match('`^[-\w]+$`', $_POST['enc'])) ? $_POST['enc'] : 'utf-8';

+

+// token for anti-CSRF

+if(count($_POST)){

+ if((empty($_GET['pre']) and ((!empty($_POST['token']) and !empty($_SESSION['token']) and $_POST['token'] != $_SESSION['token']) or empty($_POST[$_sid]) or $_POST[$_sid] != session_id() or empty($_COOKIE[$_sid]) or $_COOKIE[$_sid] != session_id())) or ($_POST[$_sid] != session_id())){

+  $_POST = array('enc'=>'utf-8');

+ }

+}

+if(empty($_GET['pre'])){

+ $_SESSION['token'] = md5(uniqid(rand(), 1));

+ $token = $_SESSION['token'];

+ session_regenerate_id(1);

+}

+

+// compress

+if(function_exists('gzencode') && isset($_SERVER['HTTP_ACCEPT_ENCODING']) && preg_match('`gzip|deflate`i', $_SERVER['HTTP_ACCEPT_ENCODING']) && !ini_get('zlib.output_compression')){

+ ob_start('ob_gzhandler');

+}

+

+// HTM for unprocessed

+if(isset($_POST['inputH'])){

+ echo '<html><head><title>htmLawed test: HTML view of unprocessed input</title></head><body style="margin:0; padding: 0;"><p style="background-color: black; color: white; padding: 2px;">&nbsp; Rendering of raw/unprocessed input without an HTML doctype or charset declaration &nbsp; &nbsp; <small><a style="color: white; text-decoration: none;" href="1" onclick="javascript:window.close(this); return false;">close window</a> | <a style="color: white; text-decoration: none;" href="htmLawedTest.php" onclick="javascript: window.open(\'htmLawedTest.php\', \'hlmain\'); window.close(this); return false;">htmLawed test page</a></small></p><div>', $_POST['inputH'], '</div></body></html>';

+ exit;

+}

+

+// HTM for processed

+if(isset($_POST['outputH'])){

+ echo '<html><head><title>htmLawed test: HTML view of unprocessed input</title></head><body style="margin:0; padding: 0;"><p style="background-color: black; color: white; padding: 2px;">&nbsp; Rendering of filtered/processed input without an HTML doctype or charset declaration &nbsp; &nbsp; <small><a style="color: white; text-decoration: none;" href="1" onclick="javascript:window.close(this); return false;">close window</a> | <a style="color: white; text-decoration: none;" href="htmLawedTest.php" onclick="javascript: window.open(\'htmLawedTest.php\', \'hlmain\'); window.close(this); return false;">htmLawed test page</a></small></p><div>', $_POST['outputH'], '</div></body></html>';

+ exit;

+}

+

+// main

+$_POST['text'] = isset($_POST['text']) ? $_POST['text'] : 'text to process; < '. $_limit. ' characters'. ($_hlimit ? ' (for binary hexdump view, < '. $_hlimit. ')' : '');

+$do = (!empty($_POST[$_sid]) && isset($_POST['text'][0]) && !isset($_POST['text'][$_limit])) ? 1 : 0;

+$limit_exceeded = isset($_POST['text'][$_limit]) ? 1 : 0;

+$pre_mem = memory_get_usage();

+$validation = (!empty($_POST[$_sid]) and isset($_POST['w3c_validate'][0])) ? 1 : 0;

+include './htmLawed.php';

+

+function format($t){

+ $t = "\n". str_replace(array("\t", "\r\n", "\r", '&', '<', '>', "\n"), array('    ', "\n", "\n", '&amp;', '&lt;', '&gt;', "<span class=\"newline\">&#172;</span><br />\n"), $t);

+ return str_replace(array('<br />', "\n ", '  '), array("\n<br />\n", "\n&nbsp;", ' &nbsp;'), $t);

+}

+

+function hexdump($d){

+// Mainly by Aidan Lister <aidan@php.net>, Peter Waller <iridum@php.net>

+ $hexi = '';

+ $ascii = '';

+ ob_start();

+ echo '<pre>';

+ $offset = 0;

+ $len = strlen($d);

+ for($i=$j=0; $i<$len; $i++)

+ {

+  // Convert to hexidecimal

+  $hexi .= sprintf("%02X ", ord($d[$i]));

+  // Replace non-viewable bytes with '.'

+  if(ord($d[$i]) >= 32){

+   $ascii .= htmlspecialchars($d[$i]);

+  }else{

+   $ascii .= '.';

+  } 

+  // Add extra column spacing

+  if($j == 7){

+   $hexi .= ' ';

+   $ascii .= '  ';

+  }

+  // Add row

+  if(++$j == 16 || $i == $len-1){

+   // Join the hexi / ascii output

+   echo sprintf("%04X   %-49s   %s", $offset, $hexi, $ascii);   

+   // Reset vars

+   $hexi = $ascii = '';

+   $offset += 16;

+   $j = 0;  

+   // Add newline   

+   if ($i !== $len-1){

+    echo "\n";

+   }

+  }

+ }

+ echo '</pre>';

+ $o = ob_get_contents();

+ ob_end_clean();

+ return $o;

+}

+?>

+

+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"

+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

+<html lang="en" xml:lang="en">

+<head>

+<meta http-equiv="content-type" content="text/html; charset=utf-8" />

+<meta name="description" content="htmLawed <?php echo hl_version();?> test page" />

+<style type="text/css"><!--/*--><![CDATA[/*><!--*/

+a, a.resizer{text-decoration:none;}

+a:hover, a.resizer:hover{color:red;}

+a.resizer{color:green; float:right;}

+body{background-color:#efefef;}

+body, button, div, html, input, p{font-size:13px; font-family:'Lucida grande', Verdana, Arial, Helvetica, sans-serif;}

+button, input{font-size: 85%;}

+div.help{border-top: 1px dotted gray; margin-top: 15px; padding-top: 15px; color:#999999;}

+#inputC, #inputD, #inputF, #inputR, #outputD, #outputF, #outputR, #settingF, #diff{display:block;}

+#inputC, #settingF{background-color:white; border:1px gray solid; padding:3px;}

+#inputC li{margin: 0; padding: 0;}

+#inputC ul{margin: 0; padding: 0; margin-left: 14px;}

+#inputC input{margin: 0; margin-left: 2px; margin-right: 2px; padding: 1px; vertical-align: middle;}

+#inputD{overflow:auto; background-color:#ffff99; border:1px #cc9966 solid; padding:3px;}

+#inputR{overflow:auto; background-color:#ffffcc; border:1px #ffcc99 solid; padding:3px;}

+#inputC, #settingF, #inputD, #inputR, #outputD, #outputR, #diff, textarea{font-size:100%; font-family:'Bitstream vera sans mono', 'courier new', 'courier', monospace;}

+#outputD{overflow:auto; background-color: #99ffcc; border:1px #66cc99 solid; padding:3px;}

+#diff{overflow:auto; background-color: white; border:1px #dcdcdc solid; padding:3px;}

+#outputR{overflow:auto; background-color: #ccffcc; border:1px #99cc99 solid; padding:3px;} 

+span.cmtcdata{color: orange;}

+span.ctag{color:red;}

+span.ent{border-bottom:1px dotted #999999;}

+span.etag{color:purple;}

+span.help{color:#999999;}

+span.newline{color:#dcdcdc;}

+span.notice{color:green;}

+span.otag{color:blue;}

+#topmost{margin:auto; width:98%;}

+/*]]>*/--></style>

+<script type="text/javascript"><!--//--><![CDATA[//><!-- 

+window.name = 'hlmain';

+function hl(i){

+ <?php if(!$_hilite){echo 'return;'; }?>

+ var e = document.getElementById(i);

+ if(!e){return;}

+ run(e, '</[a-z1-6]+>', 'ctag');

+ run(e, '<[a-z]+(?:[^>]*)/>', 'etag');

+ run(e, '<[a-z1-6]+(?:[^>]*)>', 'otag');

+ run(e, '&[#a-z0-9]+;', 'ent');

+ run(e, '<!(?:(?:--(?:.|\n)*?--)|(?:\\[CDATA\\[(?:.|\n)*?\\]\\]))>', 'cmtcdata');

+}

+function sndProc(){

+ var f = document.getElementById('testform');

+ if(!f){return;}

+ var e = document.createElement('input');

+ e.type = 'hidden';

+ e.name = '<?php echo htmlspecialchars($_sid); ?>';

+ e.id = '<?php echo htmlspecialchars($_sid); ?>';

+ e.value = readCookie('<?php echo htmlspecialchars($_sid); ?>');

+ f.appendChild(e);

+ f.submit();

+}

+function readCookie(n){

+ var ne = n + '=';

+ var ca = document.cookie.split(';');

+ for(var i=0;i < ca.length;i++){

+  var c = ca[i];

+  while(c.charAt(0)==' '){

+   c = c.substring(1,c.length);

+  }

+  if(c.indexOf(ne) == 0){

+   return c.substring(ne.length,c.length);

+  }

+ }

+ return null;

+}

+function run(e, q, c){

+ var q = new RegExp(q);

+ if(e.firstChild == null){

+  var m = q.exec(e.data);

+  if(m){

+   var v = m[0];

+   var k2 = e.splitText(m.index);

+   var k3 = k2.splitText(v.length);

+   var s = e.ownerDocument.createElement('span');

+   e.parentNode.replaceChild(s, k2);

+   s.className = c; s.appendChild(k2);

+  }

+ }

+ for(var k = e.firstChild; k != null; k = k.nextSibling){

+  if(k.nodeType == 3){     

+   var m = q.exec(k.data);

+   if(m){

+    var v = m[0];

+    var k2 = k.splitText(m.index);

+    var k3 = k2.splitText(v.length);

+    var s = k.ownerDocument.createElement('span');

+    k.parentNode.replaceChild(s, k2);

+    s.className = c; s.appendChild(k2);

+   }

+  }

+  else if(c == 'ent' && k.nodeType == 1){

+   var d = k.firstChild;

+   if(d){

+    var m = q.exec(d.data);

+    if(m){

+     var v = m[0];

+     var d2 = d.splitText(m.index);

+     var d3 = d2.splitText(v.length);

+     var s = d.ownerDocument.createElement('span');

+     d.parentNode.replaceChild(s, d2);

+     s.className = c; s.appendChild(d2);

+    }

+   }

+  }

+ }

+}

+function toggle(i){  

+ var e = document.getElementById(i);  

+ if(!e){return;}

+ if(e.style){

+  var a = e.style.display;   

+  if(a == 'block'){e.style.display = 'none'; return;}

+  if(a == 'none'){e.style.display = 'block';}

+  else{e.style.display = 'none';}

+  return;   

+ }

+ var a = e.visibility;

+ if(a == 'hidden'){e.visibility = 'show'; return;}

+ if(a == 'show'){e.visibility = 'hidden';}

+}

+function sndProc2(){

+ var i = document.getElementById('text2');

+ if(!i){return;}

+ i = i.value;

+ var w = window.open('htmLawedTest.php?pre=1', 'hlposthtm');

+ var f = document.createElement('form');

+ f.enctype = 'application/x-www-form-urlencoded';

+ f.method = 'post';

+ f.acceptCharset = '<?php echo htmlspecialchars($_POST['enc']); ?>';

+ if(f.style){f.style.display = 'none';}

+ else{f.visibility = 'hidden';}

+ f.innerHTML = '<p style="display:none;"><input style="display:none;" type="hidden" name="token" id="token" value="<?php echo $token; ?>" /><input style="display:none;" type="hidden" name="<?php echo htmlspecialchars($_sid); ?>" id="<?php echo htmlspecialchars($_sid); ?>" value="' + readCookie('<?php echo htmlspecialchars($_sid); ?>') + '" /></p>';

+ f.action = 'htmLawedTest.php?pre=1';

+ f.target = 'hlposthtm';

+ f.method = 'post';

+ var t = document.createElement('textarea');

+ t.name = 'outputH';

+ t.value = i;

+ f.appendChild(t);

+ var b = document.getElementsByTagName('body')[0];

+ b.appendChild(f);

+ f.submit();

+ w.focus;

+}

+function sndUnproc(){

+ var i = document.getElementById('text');

+ if(!i){return;}

+ i = i.value;

+ var w = window.open('htmLawedTest.php?pre=1', 'hlprehtm');

+ var f = document.createElement('form');

+ f.enctype = 'application/x-www-form-urlencoded';

+ f.method = 'post';

+ f.acceptCharset = '<?php echo htmlspecialchars($_POST['enc']); ?>';

+ if(f.style){f.style.display = 'none';}

+ else{f.visibility = 'hidden';}

+ f.innerHTML = '<p style="display:none;"><input style="display:none;" type="hidden" name="token" id="token" value="<?php echo $token; ?>" /><input style="display:none;" type="hidden" name="<?php echo htmlspecialchars($_sid); ?>" id="<?php echo htmlspecialchars($_sid); ?>" value="' + readCookie('<?php echo htmlspecialchars($_sid); ?>') + '" /></p>';

+ f.action = 'htmLawedTest.php?pre=1';

+ f.target = 'hlprehtm';

+ f.method = 'post';

+ var t = document.createElement('textarea');

+ t.name = 'inputH';

+ t.value = i;

+ f.appendChild(t);

+ var b = document.getElementsByTagName('body')[0];

+ b.appendChild(f);

+ f.submit();

+ w.focus;

+}

+function sndValidn(id, type){

+ var i = document.getElementById(id);

+ if(!i){return;}

+ i = i.value;

+ var w = window.open('http://validator.w3.org/check', 'validate'+id+type);

+ var f = document.createElement('form');

+ f.enctype = 'application/x-www-form-urlencoded';

+ f.method = 'post';

+ f.acceptCharset = '<?php echo htmlspecialchars($_POST['enc']); ?>';

+ if(f.style){f.style.display = 'none';}

+ else{f.visibility = 'hidden';}

+ f.innerHTML = '<p style="display:none;"><input style="display:none;" type="hidden" name="prefill" id="prefill" value="1" /><input style="display:none;" type="hidden" name="prefill_doctype" id="prefill_doctype" value="'+ type+ '" /><input style="display:none;" type="hidden" name="group" id="group" value="1" /><input type="hidden" name="ss" id="ss" value="1" /></p>';

+ f.action = 'http://validator.w3.org/check';

+ f.target = 'validate'+id+type;

+ var t = document.createElement('textarea');

+ t.name = 'fragment';

+ t.value = i;

+ f.appendChild(t);

+ var b = document.getElementsByTagName('body')[0];

+ b.appendChild(f);

+ f.submit();

+ w.focus;

+}

+tRs = {

+ formEl: null,

+ resizeClass: 'textarea',

+ adEv: function(t,ev,fn){

+  if(typeof document.addEventListener != 'undefined'){

+   t.addEventListener(ev,fn,false);

+  }else{

+   t.attachEvent('on' + ev, fn);

+  }

+ },

+ rmEv: function(t,ev,fn){

+  if(typeof document.removeEventListener != 'undefined'){

+   t.removeEventListener(ev,fn,false);

+  }else

+  {

+   t.detachEvent('on' + ev, fn);

+  }

+ },

+ adBtn: function(){

+  var textareas = document.getElementsByTagName('textarea');

+  for(var i = 0; i < textareas.length; i++){    

+   var txtclass=textareas[i].className;

+   if(txtclass.substring(0,tRs.resizeClass.length)==tRs.resizeClass ||

+   txtclass.substring(txtclass.length -tRs.resizeClass.length)==tRs.resizeClass){

+    var a = document.createElement('a');

+    a.appendChild(document.createTextNode("\u2195"));

+    a.style.cursor = 'n-resize';

+    a.className= 'resizer';

+    a.title = 'click-drag to resize textarea'

+    tRs.adEv(a, 'mousedown', tRs.initResize);

+    textareas[i].parentNode.appendChild(a);

+   }    

+  }

+ },

+ initResize: function(event){

+  if(typeof event == 'undefined'){

+   event = window.event;

+  }

+  if(event.srcElement){

+   var target = event.srcElement.previousSibling;

+  }else{

+   var target = event.target.previousSibling;

+  }

+  if(target.nodeName.toLowerCase() == 'textarea' || (target.nodeName.toLowerCase() == 'input' && target.type == 'text')){

+   tRs.formEl = target;

+   tRs.formEl.startHeight = tRs.formEl.clientHeight;

+   tRs.formEl.startY = event.clientY;

+   tRs.adEv(document, 'mousemove', tRs.resize);

+   tRs.adEv(document, 'mouseup', tRs.stopResize);

+   tRs.formEl.parentNode.style.cursor = 'n-resize';

+   tRs.formEl.style.cursor = 'n-resize';

+   try{

+    event.preventDefault();

+   }catch(e){

+   }

+  }

+ },

+ resize: function(event){

+  if(typeof event == 'undefined'){

+   event = window.event;

+  }

+        if(tRs.formEl.nodeName.toLowerCase() == 'textarea'){

+   tRs.formEl.style.height = event.clientY - tRs.formEl.startY + tRs.formEl.startHeight + 'px';

+  }

+ },

+ stopResize: function(event){

+  tRs.rmEv(document, 'mousedown', tRs.initResize);

+  tRs.rmEv(document, 'mousemove', tRs.resize);

+  tRs.formEl.style.cursor = 'text';

+  tRs.formEl.parentNode.style.cursor = 'auto';

+  return false;

+ }

+};

+tRs.adEv(window, 'load', tRs.adBtn);

+// Diff Match and Patch javascript code by Neil Fraser; Apache license 2.0; http://code.google.com/p/google-diff-match-patch/

+(function(){function diff_match_patch(){this.Diff_Timeout=1;this.Diff_EditCost=4;this.Match_Threshold=0.5;this.Match_Distance=1E3;this.Patch_DeleteThreshold=0.5;this.Patch_Margin=4;this.Match_MaxBits=32}

+diff_match_patch.prototype.diff_main=function(a,b,c,d){"undefined"==typeof d&&(d=0>=this.Diff_Timeout?Number.MAX_VALUE:(new Date).getTime()+1E3*this.Diff_Timeout);if(null==a||null==b)throw Error("Null input. (diff_main)");if(a==b)return a?[[0,a]]:[];"undefined"==typeof c&&(c=!0);var e=c,f=this.diff_commonPrefix(a,b),c=a.substring(0,f),a=a.substring(f),b=b.substring(f),f=this.diff_commonSuffix(a,b),g=a.substring(a.length-f),a=a.substring(0,a.length-f),b=b.substring(0,b.length-f),a=this.diff_compute_(a,

+b,e,d);c&&a.unshift([0,c]);g&&a.push([0,g]);this.diff_cleanupMerge(a);return a};

+diff_match_patch.prototype.diff_compute_=function(a,b,c,d){if(!a)return[[1,b]];if(!b)return[[-1,a]];var e=a.length>b.length?a:b,f=a.length>b.length?b:a,g=e.indexOf(f);if(-1!=g)return c=[[1,e.substring(0,g)],[0,f],[1,e.substring(g+f.length)]],a.length>b.length&&(c[0][0]=c[2][0]=-1),c;if(1==f.length)return[[-1,a],[1,b]];return(e=this.diff_halfMatch_(a,b))?(f=e[0],a=e[1],g=e[2],b=e[3],e=e[4],f=this.diff_main(f,g,c,d),c=this.diff_main(a,b,c,d),f.concat([[0,e]],c)):c&&100<a.length&&100<b.length?this.diff_lineMode_(a,

+b,d):this.diff_bisect_(a,b,d)};

+diff_match_patch.prototype.diff_lineMode_=function(a,b,c){var d=this.diff_linesToChars_(a,b),a=d.chars1,b=d.chars2,d=d.lineArray,a=this.diff_main(a,b,!1,c);this.diff_charsToLines_(a,d);this.diff_cleanupSemantic(a);a.push([0,""]);for(var e=d=b=0,f="",g="";b<a.length;){switch(a[b][0]){case 1:e++;g+=a[b][1];break;case -1:d++;f+=a[b][1];break;case 0:if(1<=d&&1<=e){a.splice(b-d-e,d+e);b=b-d-e;d=this.diff_main(f,g,!1,c);for(e=d.length-1;0<=e;e--)a.splice(b,0,d[e]);b+=d.length}d=e=0;g=f=""}b++}a.pop();return a};

+diff_match_patch.prototype.diff_bisect_=function(a,b,c){for(var d=a.length,e=b.length,f=Math.ceil((d+e)/2),g=f,h=2*f,j=Array(h),i=Array(h),k=0;k<h;k++)j[k]=-1,i[k]=-1;j[g+1]=0;i[g+1]=0;for(var k=d-e,p=0!=k%2,q=0,s=0,o=0,v=0,u=0;u<f&&!((new Date).getTime()>c);u++){for(var n=-u+q;n<=u-s;n+=2){var l=g+n,m;m=n==-u||n!=u&&j[l-1]<j[l+1]?j[l+1]:j[l-1]+1;for(var r=m-n;m<d&&r<e&&a.charAt(m)==b.charAt(r);)m++,r++;j[l]=m;if(m>d)s+=2;else if(r>e)q+=2;else if(p&&(l=g+k-n,0<=l&&l<h&&-1!=i[l])){var t=d-i[l];if(m>=

+t)return this.diff_bisectSplit_(a,b,m,r,c)}}for(n=-u+o;n<=u-v;n+=2){l=g+n;t=n==-u||n!=u&&i[l-1]<i[l+1]?i[l+1]:i[l-1]+1;for(m=t-n;t<d&&m<e&&a.charAt(d-t-1)==b.charAt(e-m-1);)t++,m++;i[l]=t;if(t>d)v+=2;else if(m>e)o+=2;else if(!p&&(l=g+k-n,0<=l&&l<h&&-1!=j[l]&&(m=j[l],r=g+m-l,t=d-t,m>=t)))return this.diff_bisectSplit_(a,b,m,r,c)}}return[[-1,a],[1,b]]};

+diff_match_patch.prototype.diff_bisectSplit_=function(a,b,c,d,e){var f=a.substring(0,c),g=b.substring(0,d),a=a.substring(c),b=b.substring(d),f=this.diff_main(f,g,!1,e),e=this.diff_main(a,b,!1,e);return f.concat(e)};

+diff_match_patch.prototype.diff_linesToChars_=function(a,b){function c(a){for(var b="",c=0,f=-1,g=d.length;f<a.length-1;){f=a.indexOf("\n",c);-1==f&&(f=a.length-1);var q=a.substring(c,f+1),c=f+1;(e.hasOwnProperty?e.hasOwnProperty(q):void 0!==e[q])?b+=String.fromCharCode(e[q]):(b+=String.fromCharCode(g),e[q]=g,d[g++]=q)}return b}var d=[],e={};d[0]="";var f=c(a),g=c(b);return{chars1:f,chars2:g,lineArray:d}};

+diff_match_patch.prototype.diff_charsToLines_=function(a,b){for(var c=0;c<a.length;c++){for(var d=a[c][1],e=[],f=0;f<d.length;f++)e[f]=b[d.charCodeAt(f)];a[c][1]=e.join("")}};diff_match_patch.prototype.diff_commonPrefix=function(a,b){if(!a||!b||a.charAt(0)!=b.charAt(0))return 0;for(var c=0,d=Math.min(a.length,b.length),e=d,f=0;c<e;)a.substring(f,e)==b.substring(f,e)?f=c=e:d=e,e=Math.floor((d-c)/2+c);return e};

+diff_match_patch.prototype.diff_commonSuffix=function(a,b){if(!a||!b||a.charAt(a.length-1)!=b.charAt(b.length-1))return 0;for(var c=0,d=Math.min(a.length,b.length),e=d,f=0;c<e;)a.substring(a.length-e,a.length-f)==b.substring(b.length-e,b.length-f)?f=c=e:d=e,e=Math.floor((d-c)/2+c);return e};

+diff_match_patch.prototype.diff_commonOverlap_=function(a,b){var c=a.length,d=b.length;if(0==c||0==d)return 0;c>d?a=a.substring(c-d):c<d&&(b=b.substring(0,c));c=Math.min(c,d);if(a==b)return c;for(var d=0,e=1;;){var f=a.substring(c-e),f=b.indexOf(f);if(-1==f)return d;e+=f;if(0==f||a.substring(c-e)==b.substring(0,e))d=e,e++}};

+diff_match_patch.prototype.diff_halfMatch_=function(a,b){function c(a,b,c){for(var d=a.substring(c,c+Math.floor(a.length/4)),e=-1,g="",h,j,n,l;-1!=(e=b.indexOf(d,e+1));){var m=f.diff_commonPrefix(a.substring(c),b.substring(e)),r=f.diff_commonSuffix(a.substring(0,c),b.substring(0,e));g.length<r+m&&(g=b.substring(e-r,e)+b.substring(e,e+m),h=a.substring(0,c-r),j=a.substring(c+m),n=b.substring(0,e-r),l=b.substring(e+m))}return 2*g.length>=a.length?[h,j,n,l,g]:null}if(0>=this.Diff_Timeout)return null;

+var d=a.length>b.length?a:b,e=a.length>b.length?b:a;if(4>d.length||2*e.length<d.length)return null;var f=this,g=c(d,e,Math.ceil(d.length/4)),d=c(d,e,Math.ceil(d.length/2)),h;if(!g&&!d)return null;h=d?g?g[4].length>d[4].length?g:d:d:g;var j;a.length>b.length?(g=h[0],d=h[1],e=h[2],j=h[3]):(e=h[0],j=h[1],g=h[2],d=h[3]);h=h[4];return[g,d,e,j,h]};

+diff_match_patch.prototype.diff_cleanupSemantic=function(a){for(var b=!1,c=[],d=0,e=null,f=0,g=0,h=0,j=0,i=0;f<a.length;)0==a[f][0]?(c[d++]=f,g=j,h=i,i=j=0,e=a[f][1]):(1==a[f][0]?j+=a[f][1].length:i+=a[f][1].length,e&&e.length<=Math.max(g,h)&&e.length<=Math.max(j,i)&&(a.splice(c[d-1],0,[-1,e]),a[c[d-1]+1][0]=1,d--,d--,f=0<d?c[d-1]:-1,i=j=h=g=0,e=null,b=!0)),f++;b&&this.diff_cleanupMerge(a);this.diff_cleanupSemanticLossless(a);for(f=1;f<a.length;){if(-1==a[f-1][0]&&1==a[f][0]){b=a[f-1][1];c=a[f][1];

+d=this.diff_commonOverlap_(b,c);e=this.diff_commonOverlap_(c,b);if(d>=e){if(d>=b.length/2||d>=c.length/2)a.splice(f,0,[0,c.substring(0,d)]),a[f-1][1]=b.substring(0,b.length-d),a[f+1][1]=c.substring(d),f++}else if(e>=b.length/2||e>=c.length/2)a.splice(f,0,[0,b.substring(0,e)]),a[f-1][0]=1,a[f-1][1]=c.substring(0,c.length-e),a[f+1][0]=-1,a[f+1][1]=b.substring(e),f++;f++}f++}};

+diff_match_patch.prototype.diff_cleanupSemanticLossless=function(a){function b(a,b){if(!a||!b)return 6;var c=a.charAt(a.length-1),d=b.charAt(0),e=c.match(diff_match_patch.nonAlphaNumericRegex_),f=d.match(diff_match_patch.nonAlphaNumericRegex_),g=e&&c.match(diff_match_patch.whitespaceRegex_),h=f&&d.match(diff_match_patch.whitespaceRegex_),c=g&&c.match(diff_match_patch.linebreakRegex_),d=h&&d.match(diff_match_patch.linebreakRegex_),i=c&&a.match(diff_match_patch.blanklineEndRegex_),j=d&&b.match(diff_match_patch.blanklineStartRegex_);

+return i||j?5:c||d?4:e&&!g&&h?3:g||h?2:e||f?1:0}for(var c=1;c<a.length-1;){if(0==a[c-1][0]&&0==a[c+1][0]){var d=a[c-1][1],e=a[c][1],f=a[c+1][1],g=this.diff_commonSuffix(d,e);if(g)var h=e.substring(e.length-g),d=d.substring(0,d.length-g),e=h+e.substring(0,e.length-g),f=h+f;for(var g=d,h=e,j=f,i=b(d,e)+b(e,f);e.charAt(0)===f.charAt(0);){var d=d+e.charAt(0),e=e.substring(1)+f.charAt(0),f=f.substring(1),k=b(d,e)+b(e,f);k>=i&&(i=k,g=d,h=e,j=f)}a[c-1][1]!=g&&(g?a[c-1][1]=g:(a.splice(c-1,1),c--),a[c][1]=

+h,j?a[c+1][1]=j:(a.splice(c+1,1),c--))}c++}};diff_match_patch.nonAlphaNumericRegex_=/[^a-zA-Z0-9]/;diff_match_patch.whitespaceRegex_=/\s/;diff_match_patch.linebreakRegex_=/[\r\n]/;diff_match_patch.blanklineEndRegex_=/\n\r?\n$/;diff_match_patch.blanklineStartRegex_=/^\r?\n\r?\n/;

+diff_match_patch.prototype.diff_cleanupEfficiency=function(a){for(var b=!1,c=[],d=0,e=null,f=0,g=!1,h=!1,j=!1,i=!1;f<a.length;){if(0==a[f][0])a[f][1].length<this.Diff_EditCost&&(j||i)?(c[d++]=f,g=j,h=i,e=a[f][1]):(d=0,e=null),j=i=!1;else if(-1==a[f][0]?i=!0:j=!0,e&&(g&&h&&j&&i||e.length<this.Diff_EditCost/2&&3==g+h+j+i))a.splice(c[d-1],0,[-1,e]),a[c[d-1]+1][0]=1,d--,e=null,g&&h?(j=i=!0,d=0):(d--,f=0<d?c[d-1]:-1,j=i=!1),b=!0;f++}b&&this.diff_cleanupMerge(a)};

+diff_match_patch.prototype.diff_cleanupMerge=function(a){a.push([0,""]);for(var b=0,c=0,d=0,e="",f="",g;b<a.length;)switch(a[b][0]){case 1:d++;f+=a[b][1];b++;break;case -1:c++;e+=a[b][1];b++;break;case 0:1<c+d?(0!==c&&0!==d&&(g=this.diff_commonPrefix(f,e),0!==g&&(0<b-c-d&&0==a[b-c-d-1][0]?a[b-c-d-1][1]+=f.substring(0,g):(a.splice(0,0,[0,f.substring(0,g)]),b++),f=f.substring(g),e=e.substring(g)),g=this.diff_commonSuffix(f,e),0!==g&&(a[b][1]=f.substring(f.length-g)+a[b][1],f=f.substring(0,f.length-

+g),e=e.substring(0,e.length-g))),0===c?a.splice(b-d,c+d,[1,f]):0===d?a.splice(b-c,c+d,[-1,e]):a.splice(b-c-d,c+d,[-1,e],[1,f]),b=b-c-d+(c?1:0)+(d?1:0)+1):0!==b&&0==a[b-1][0]?(a[b-1][1]+=a[b][1],a.splice(b,1)):b++,c=d=0,f=e=""}""===a[a.length-1][1]&&a.pop();c=!1;for(b=1;b<a.length-1;)0==a[b-1][0]&&0==a[b+1][0]&&(a[b][1].substring(a[b][1].length-a[b-1][1].length)==a[b-1][1]?(a[b][1]=a[b-1][1]+a[b][1].substring(0,a[b][1].length-a[b-1][1].length),a[b+1][1]=a[b-1][1]+a[b+1][1],a.splice(b-1,1),c=!0):a[b][1].substring(0,

+a[b+1][1].length)==a[b+1][1]&&(a[b-1][1]+=a[b+1][1],a[b][1]=a[b][1].substring(a[b+1][1].length)+a[b+1][1],a.splice(b+1,1),c=!0)),b++;c&&this.diff_cleanupMerge(a)};diff_match_patch.prototype.diff_xIndex=function(a,b){var c=0,d=0,e=0,f=0,g;for(g=0;g<a.length;g++){1!==a[g][0]&&(c+=a[g][1].length);-1!==a[g][0]&&(d+=a[g][1].length);if(c>b)break;e=c;f=d}return a.length!=g&&-1===a[g][0]?f:f+(b-e)};

+diff_match_patch.prototype.diff_prettyHtml=function(a){for(var b=[],c=/&/g,d=/</g,e=/>/g,f=/\n/g,g=0;g<a.length;g++){var h=a[g][0],j=a[g][1],j=j.replace(c,"&amp;").replace(d,"&lt;").replace(e,"&gt;").replace(f,"<span style=\"color: #dcdcdc;\">&not;</span><br>");switch(h){case 1:b[g]='<ins style="background:#ccffcc; text-decoration: none;">'+j+"</ins>";break;case -1:b[g]='<del style="background:#ffffcc; text-decoration: line-through; color: orange;">'+j+"</del>";break;case 0:b[g]="<span>"+j+"</span>"}}return b.join("")};

+diff_match_patch.prototype.diff_text1=function(a){for(var b=[],c=0;c<a.length;c++)1!==a[c][0]&&(b[c]=a[c][1]);return b.join("")};diff_match_patch.prototype.diff_text2=function(a){for(var b=[],c=0;c<a.length;c++)-1!==a[c][0]&&(b[c]=a[c][1]);return b.join("")};diff_match_patch.prototype.diff_levenshtein=function(a){for(var b=0,c=0,d=0,e=0;e<a.length;e++){var f=a[e][0],g=a[e][1];switch(f){case 1:c+=g.length;break;case -1:d+=g.length;break;case 0:b+=Math.max(c,d),d=c=0}}return b+=Math.max(c,d)};

+diff_match_patch.prototype.diff_toDelta=function(a){for(var b=[],c=0;c<a.length;c++)switch(a[c][0]){case 1:b[c]="+"+encodeURI(a[c][1]);break;case -1:b[c]="-"+a[c][1].length;break;case 0:b[c]="="+a[c][1].length}return b.join("\t").replace(/%20/g," ")};

+diff_match_patch.prototype.diff_fromDelta=function(a,b){for(var c=[],d=0,e=0,f=b.split(/\t/g),g=0;g<f.length;g++){var h=f[g].substring(1);switch(f[g].charAt(0)){case "+":try{c[d++]=[1,decodeURI(h)]}catch(j){throw Error("Illegal escape in diff_fromDelta: "+h);}break;case "-":case "=":var i=parseInt(h,10);if(isNaN(i)||0>i)throw Error("Invalid number in diff_fromDelta: "+h);h=a.substring(e,e+=i);"="==f[g].charAt(0)?c[d++]=[0,h]:c[d++]=[-1,h];break;default:if(f[g])throw Error("Invalid diff operation in diff_fromDelta: "+

+f[g]);}}if(e!=a.length)throw Error("Delta length ("+e+") does not equal source text length ("+a.length+").");return c};diff_match_patch.prototype.match_main=function(a,b,c){if(null==a||null==b||null==c)throw Error("Null input. (match_main)");c=Math.max(0,Math.min(c,a.length));return a==b?0:a.length?a.substring(c,c+b.length)==b?c:this.match_bitap_(a,b,c):-1};

+diff_match_patch.prototype.match_bitap_=function(a,b,c){function d(a,d){var e=a/b.length,g=Math.abs(c-d);return!f.Match_Distance?g?1:e:e+g/f.Match_Distance}if(b.length>this.Match_MaxBits)throw Error("Pattern too long for this browser.");var e=this.match_alphabet_(b),f=this,g=this.Match_Threshold,h=a.indexOf(b,c);-1!=h&&(g=Math.min(d(0,h),g),h=a.lastIndexOf(b,c+b.length),-1!=h&&(g=Math.min(d(0,h),g)));for(var j=1<<b.length-1,h=-1,i,k,p=b.length+a.length,q,s=0;s<b.length;s++){i=0;for(k=p;i<k;)d(s,c+

+k)<=g?i=k:p=k,k=Math.floor((p-i)/2+i);p=k;i=Math.max(1,c-k+1);var o=Math.min(c+k,a.length)+b.length;k=Array(o+2);for(k[o+1]=(1<<s)-1;o>=i;o--){var v=e[a.charAt(o-1)];k[o]=0===s?(k[o+1]<<1|1)&v:(k[o+1]<<1|1)&v|(q[o+1]|q[o])<<1|1|q[o+1];if(k[o]&j&&(v=d(s,o-1),v<=g))if(g=v,h=o-1,h>c)i=Math.max(1,2*c-h);else break}if(d(s+1,c)>g)break;q=k}return h};

+diff_match_patch.prototype.match_alphabet_=function(a){for(var b={},c=0;c<a.length;c++)b[a.charAt(c)]=0;for(c=0;c<a.length;c++)b[a.charAt(c)]|=1<<a.length-c-1;return b};

+diff_match_patch.prototype.patch_addContext_=function(a,b){if(0!=b.length){for(var c=b.substring(a.start2,a.start2+a.length1),d=0;b.indexOf(c)!=b.lastIndexOf(c)&&c.length<this.Match_MaxBits-this.Patch_Margin-this.Patch_Margin;)d+=this.Patch_Margin,c=b.substring(a.start2-d,a.start2+a.length1+d);d+=this.Patch_Margin;(c=b.substring(a.start2-d,a.start2))&&a.diffs.unshift([0,c]);(d=b.substring(a.start2+a.length1,a.start2+a.length1+d))&&a.diffs.push([0,d]);a.start1-=c.length;a.start2-=c.length;a.length1+=

+c.length+d.length;a.length2+=c.length+d.length}};

+diff_match_patch.prototype.patch_make=function(a,b,c){var d;if("string"==typeof a&&"string"==typeof b&&"undefined"==typeof c)d=a,b=this.diff_main(d,b,!0),2<b.length&&(this.diff_cleanupSemantic(b),this.diff_cleanupEfficiency(b));else if(a&&"object"==typeof a&&"undefined"==typeof b&&"undefined"==typeof c)b=a,d=this.diff_text1(b);else if("string"==typeof a&&b&&"object"==typeof b&&"undefined"==typeof c)d=a;else if("string"==typeof a&&"string"==typeof b&&c&&"object"==typeof c)d=a,b=c;else throw Error("Unknown call format to patch_make.");

+if(0===b.length)return[];for(var c=[],a=new diff_match_patch.patch_obj,e=0,f=0,g=0,h=d,j=0;j<b.length;j++){var i=b[j][0],k=b[j][1];if(!e&&0!==i)a.start1=f,a.start2=g;switch(i){case 1:a.diffs[e++]=b[j];a.length2+=k.length;d=d.substring(0,g)+k+d.substring(g);break;case -1:a.length1+=k.length;a.diffs[e++]=b[j];d=d.substring(0,g)+d.substring(g+k.length);break;case 0:k.length<=2*this.Patch_Margin&&e&&b.length!=j+1?(a.diffs[e++]=b[j],a.length1+=k.length,a.length2+=k.length):k.length>=2*this.Patch_Margin&&

+e&&(this.patch_addContext_(a,h),c.push(a),a=new diff_match_patch.patch_obj,e=0,h=d,f=g)}1!==i&&(f+=k.length);-1!==i&&(g+=k.length)}e&&(this.patch_addContext_(a,h),c.push(a));return c};diff_match_patch.prototype.patch_deepCopy=function(a){for(var b=[],c=0;c<a.length;c++){var d=a[c],e=new diff_match_patch.patch_obj;e.diffs=[];for(var f=0;f<d.diffs.length;f++)e.diffs[f]=d.diffs[f].slice();e.start1=d.start1;e.start2=d.start2;e.length1=d.length1;e.length2=d.length2;b[c]=e}return b};

+diff_match_patch.prototype.patch_apply=function(a,b){if(0==a.length)return[b,[]];var a=this.patch_deepCopy(a),c=this.patch_addPadding(a),b=c+b+c;this.patch_splitMax(a);for(var d=0,e=[],f=0;f<a.length;f++){var g=a[f].start2+d,h=this.diff_text1(a[f].diffs),j,i=-1;if(h.length>this.Match_MaxBits){if(j=this.match_main(b,h.substring(0,this.Match_MaxBits),g),-1!=j&&(i=this.match_main(b,h.substring(h.length-this.Match_MaxBits),g+h.length-this.Match_MaxBits),-1==i||j>=i))j=-1}else j=this.match_main(b,h,g);

+if(-1==j)e[f]=!1,d-=a[f].length2-a[f].length1;else if(e[f]=!0,d=j-g,g=-1==i?b.substring(j,j+h.length):b.substring(j,i+this.Match_MaxBits),h==g)b=b.substring(0,j)+this.diff_text2(a[f].diffs)+b.substring(j+h.length);else if(g=this.diff_main(h,g,!1),h.length>this.Match_MaxBits&&this.diff_levenshtein(g)/h.length>this.Patch_DeleteThreshold)e[f]=!1;else{this.diff_cleanupSemanticLossless(g);for(var h=0,k,i=0;i<a[f].diffs.length;i++){var p=a[f].diffs[i];0!==p[0]&&(k=this.diff_xIndex(g,h));1===p[0]?b=b.substring(0,

+j+k)+p[1]+b.substring(j+k):-1===p[0]&&(b=b.substring(0,j+k)+b.substring(j+this.diff_xIndex(g,h+p[1].length)));-1!==p[0]&&(h+=p[1].length)}}}b=b.substring(c.length,b.length-c.length);return[b,e]};

+diff_match_patch.prototype.patch_addPadding=function(a){for(var b=this.Patch_Margin,c="",d=1;d<=b;d++)c+=String.fromCharCode(d);for(d=0;d<a.length;d++)a[d].start1+=b,a[d].start2+=b;var d=a[0],e=d.diffs;if(0==e.length||0!=e[0][0])e.unshift([0,c]),d.start1-=b,d.start2-=b,d.length1+=b,d.length2+=b;else if(b>e[0][1].length){var f=b-e[0][1].length;e[0][1]=c.substring(e[0][1].length)+e[0][1];d.start1-=f;d.start2-=f;d.length1+=f;d.length2+=f}d=a[a.length-1];e=d.diffs;0==e.length||0!=e[e.length-1][0]?(e.push([0,

+c]),d.length1+=b,d.length2+=b):b>e[e.length-1][1].length&&(f=b-e[e.length-1][1].length,e[e.length-1][1]+=c.substring(0,f),d.length1+=f,d.length2+=f);return c};

+diff_match_patch.prototype.patch_splitMax=function(a){for(var b=this.Match_MaxBits,c=0;c<a.length;c++)if(!(a[c].length1<=b)){var d=a[c];a.splice(c--,1);for(var e=d.start1,f=d.start2,g="";0!==d.diffs.length;){var h=new diff_match_patch.patch_obj,j=!0;h.start1=e-g.length;h.start2=f-g.length;if(""!==g)h.length1=h.length2=g.length,h.diffs.push([0,g]);for(;0!==d.diffs.length&&h.length1<b-this.Patch_Margin;){var g=d.diffs[0][0],i=d.diffs[0][1];1===g?(h.length2+=i.length,f+=i.length,h.diffs.push(d.diffs.shift()),

+j=!1):-1===g&&1==h.diffs.length&&0==h.diffs[0][0]&&i.length>2*b?(h.length1+=i.length,e+=i.length,j=!1,h.diffs.push([g,i]),d.diffs.shift()):(i=i.substring(0,b-h.length1-this.Patch_Margin),h.length1+=i.length,e+=i.length,0===g?(h.length2+=i.length,f+=i.length):j=!1,h.diffs.push([g,i]),i==d.diffs[0][1]?d.diffs.shift():d.diffs[0][1]=d.diffs[0][1].substring(i.length))}g=this.diff_text2(h.diffs);g=g.substring(g.length-this.Patch_Margin);i=this.diff_text1(d.diffs).substring(0,this.Patch_Margin);""!==i&&

+(h.length1+=i.length,h.length2+=i.length,0!==h.diffs.length&&0===h.diffs[h.diffs.length-1][0]?h.diffs[h.diffs.length-1][1]+=i:h.diffs.push([0,i]));j||a.splice(++c,0,h)}}};diff_match_patch.prototype.patch_toText=function(a){for(var b=[],c=0;c<a.length;c++)b[c]=a[c];return b.join("")};

+diff_match_patch.prototype.patch_fromText=function(a){var b=[];if(!a)return b;for(var a=a.split("\n"),c=0,d=/^@@ -(\d+),?(\d*) \+(\d+),?(\d*) @@$/;c<a.length;){var e=a[c].match(d);if(!e)throw Error("Invalid patch string: "+a[c]);var f=new diff_match_patch.patch_obj;b.push(f);f.start1=parseInt(e[1],10);""===e[2]?(f.start1--,f.length1=1):"0"==e[2]?f.length1=0:(f.start1--,f.length1=parseInt(e[2],10));f.start2=parseInt(e[3],10);""===e[4]?(f.start2--,f.length2=1):"0"==e[4]?f.length2=0:(f.start2--,f.length2=

+parseInt(e[4],10));for(c++;c<a.length;){e=a[c].charAt(0);try{var g=decodeURI(a[c].substring(1))}catch(h){throw Error("Illegal escape in patch_fromText: "+g);}if("-"==e)f.diffs.push([-1,g]);else if("+"==e)f.diffs.push([1,g]);else if(" "==e)f.diffs.push([0,g]);else if("@"==e)break;else if(""!==e)throw Error('Invalid patch mode "'+e+'" in: '+g);c++}}return b};diff_match_patch.patch_obj=function(){this.diffs=[];this.start2=this.start1=null;this.length2=this.length1=0};

+diff_match_patch.patch_obj.prototype.toString=function(){var a,b;a=0===this.length1?this.start1+",0":1==this.length1?this.start1+1:this.start1+1+","+this.length1;b=0===this.length2?this.start2+",0":1==this.length2?this.start2+1:this.start2+1+","+this.length2;a=["@@ -"+a+" +"+b+" @@\n"];var c;for(b=0;b<this.diffs.length;b++){switch(this.diffs[b][0]){case 1:c="+";break;case -1:c="-";break;case 0:c=" "}a[b+1]=c+encodeURI(this.diffs[b][1])+"\n"}return a.join("").replace(/%20/g," ")};

+this.diff_match_patch=diff_match_patch;this.DIFF_DELETE=-1;this.DIFF_INSERT=1;this.DIFF_EQUAL=0;})()

+var dmp = new diff_match_patch(); function diffLaunch(){var text1 = document.getElementById('text').value; var text2 = document.getElementById('text2').value; dmp.Diff_Timeout = 0; dmp.Diff_EditCost = 4; var d = dmp.diff_main(text1, text2); var ds = dmp.diff_prettyHtml(d); document.getElementById('diff').innerHTML = ds;

+}

+//--><!]]></script>

+<title>htmLawed (<?php echo hl_version();?>) test</title>

+</head>

+<body>

+<div id="topmost">

+

+<h5 style="float: left; display: inline; margin-top: 0; margin-bottom: 5px;"><a href="http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed/index.php" title="htmLawed home">HTM<big><big>L</big></big>AWED</a> <?php echo hl_version();?> <a href="htmLawedTest.php" title="test home">TEST</a></h5>

+<span style="float: right;" class="help"><a href="htmLawed_README.htm"><span class="notice">htm</span></a> / <a href="htmLawed_README.txt"><span class="notice">txt</span></a> documentation</span><br style="clear:both;" />

+

+<a href="htmLawedTest.php" title="[toggle visibility] type or copy-paste" onclick="javascript:toggle('inputF'); return false;"><span class="notice">Input &raquo;</span> <span class="help" title="limit lower with multibyte characters<?php echo (($_hlimit < $_limit && $_hlimit)? '; limit is '. $_hlimit. ' for viewing binaries' : ''); ?>"><small>(max. <?php echo htmlspecialchars($_limit);?> chars)</small></span></a>

+

+<form id="testform" name="testform" action="htmLawedTest.php" method="post" accept-charset="<?php echo htmlspecialchars($_POST['enc']); ?>" style="padding:0; margin: 0; display:inline;">

+

+<div id="inputF" style="display: block;">

+

+<input type="hidden" name="token" id="token" value="<?php echo $token; ?>" />

+<div><textarea id="text" class="textarea" name="text" rows="5" cols="100" style="width: 100%;"><?php echo htmlspecialchars($_POST['text']);?></textarea></div>

+<input type="submit" id="submitF" name="submitF" value="Process" style="float:left;" title="filter using htmLawed" onclick="javascript: sndProc(); return false;" onkeypress="javascript: sndProc(); return false;" />

+

+<?php

+if($do){

+ if($validation){

+  echo '<input type="hidden" value="1" name="w3c_validate" id="w3c_validate" />';

+ }

+?>

+ 

+<button type="button" title="Raw input rendered as web-page without a doctype or charset declaration" style="float: right;" onclick="javascript: sndUnproc(); return false;" onkeypress="javascript: sndUnproc(); return false;">Render in webpage</button>

+<button type="button" onclick="javascript:document.getElementById('text').focus();document.getElementById('text').select()" title="select all to copy" style="float:right;">Select all</button>

+

+<?php

+if($_w3c_validate && $validation){

+?>

+  

+<button type="button" title="HTML 4.01 W3C online validation" style="float: right;" onclick="javascript: sndValidn('text', 'html401'); return false;" onkeypress="javascript: sndValidn('text', 'html401'); return false;">Check HTML</button>

+<button type="button" title="XHTML 1.1 W3C online validation" style="float: right;" onclick="javascript: sndValidn('text', 'xhtml110'); return false;" onkeypress="javascript: sndValidn('text', 'xhtml110'); return false;">Check XHTML</button>

+  

+<?php

+ }

+}

+else{

+ if($_w3c_validate){

+  echo '<span style="float: right;" class="help" title="for direct submission of input or output code to W3C validator for (X)HTML validation"><span style="font-size: 85%;">&nbsp;Validator tools: </span><input type="checkbox" value="1" name="w3c_validate" id="w3c_validate" style="vertical-align: middle;"', ($validation ? ' checked="checked"' : ''), ' /></span>';

+ }

+}

+?>

+

+<span style="float:right;" class="help" title="IANA-recognized name of the input character-set; can be multiple ;- or space-separated values; may not work in some browsers"><span style="font-size: 85%;">Encoding: </span><input type="text" size="8" id="enc" name="enc" style="vertical-align: middle;" value="<?php echo htmlspecialchars($_POST['enc']); ?>" /></span>

+

+</div>

+<br style="clear:both;" />

+

+<?php

+if($limit_exceeded){

+ echo '<br /><strong>Input text is too long!</strong><br />';

+}

+?>

+

+<br />

+

+<a href="htmLawedTest.php" title="[toggle visibility] htmLawed configuration" onclick="javascript:toggle('inputC'); return false;"><span class="notice">Settings &raquo;</span></a>

+

+<div id="inputC" style="display: none;">

+<table summary="none">

+<tr>

+<td><span class="help" title="$config argument">Config:</span></td>

+<td><ul>

+ 

+<?php

+$cfg = array(

+'abs_url'=>array('3', '0', 'absolute/relative URL conversion', '-1'),

+'and_mark'=>array('2', '0', 'mark original <em>&amp;</em> chars', '0', 'd'=>1), // 'd' to disable

+'anti_link_spam'=>array('1', '0', 'modify <em>href</em> values as an anti-link spam measure', '0', array(array('30', '1', '', 'regex for extra <em>rel</em>'), array('30', '2', '', 'regex for no <em>href</em>'))),

+'anti_mail_spam'=>array('1', '0', 'replace <em>@</em> in <em>mailto:</em> URLs', '0', '8', 'NO@SPAM', 'replacement'),

+'balance'=>array('2', '1', 'fix nestings and balance tags', '0'),

+'base_url'=>array('', '', 'base URL', '25'),

+'cdata'=>array('4', 'nil', 'allow <em>CDATA</em> sections', 'nil'),

+'clean_ms_char'=>array('3', '0', 'replace bad characters introduced by Microsoft apps. like <em>Word</em>', '0'),

+'comment'=>array('4', 'nil', 'allow HTML comments', 'nil'),

+'css_expression'=>array('2', 'nil', 'allow dynamic expressions in CSS style properties', 'nil'),

+'deny_attribute'=>array('1', '0', 'denied attributes', '0', '50', '', 'these'),

+'direct_list_nest'=>array('2', 'nil', 'allow direct nesting of a list within another without requiring it to be a list item', 'nil'),

+'elements'=>array('', '', 'allowed elements', '50'),

+'hexdec_entity'=>array('3', '1', 'convert hexadecimal numeric entities to decimal ones, or vice versa', '0'),

+'hook'=>array('', '', 'name of hook function', '25'),

+'hook_tag'=>array('', '', 'name of custom function to further check attribute values', '25'),

+'keep_bad'=>array('7', '6', 'keep, or remove <em>bad</em> tag content', '0'),

+'lc_std_val'=>array('2', '1', 'lower-case std. attribute values like <em>radio</em>', '0'),

+'make_tag_strict'=>array('3', 'nil', 'transform deprecated elements', 'nil'),

+'named_entity'=>array('2', '1', 'allow named entities, or convert numeric ones', '0'),

+'no_deprecated_attr'=>array('3', '1', 'allow deprecated attributes, or transform them', '0'),

+'parent'=>array('', 'div', 'name of parent element', '25'),

+'safe'=>array('2', '0', 'for most <em>safe</em> HTML', '0'),

+'schemes'=>array('', 'href: aim, app, feed, file, ftp, gopher, http, https, irc, javascript, mailto, news, nntp, sftp, ssh, telnet, tel; *:data, file, http, https, javascript', 'allowed URL protocols', '50'),

+'show_setting'=>array('', 'htmLawed_setting', 'variable name to record <em>finalized</em> htmLawed settings', '25', 'd'=>1),

+'style_pass'=>array('2', 'nil', 'do not look at <em>style</em> attribute values', 'nil'),

+'tidy'=>array('3', '0', 'beautify/compact', '-1', '8', '1t1', 'format'),

+'unique_ids'=>array('2', '1', 'unique <em>id</em> values', '0', '8', 'my_', 'prefix'),

+'valid_xhtml'=>array('2', 'nil', 'auto-set various parameters for most valid XHTML', 'nil'),

+'xml:lang'=>array('3', 'nil', 'auto-add <em>xml:lang</em> attribute', '0'),

+);

+foreach($cfg as $k=>$v){

+ echo '<li>', $k, ': ';

+ if(!empty($v[0])){ // input radio

+  $j = $v[3];

+  for($i = $j-1; ++$i < $v[0]+$v[3];++$j){

+   echo '<input type="radio" name="h', $k, '" value="', $i, '"', (!isset($_POST['h'. $k]) ? ($v[1] == $i ? ' checked="checked"' : '') : ($_POST['h'. $k] == $i ? ' checked="checked"' : '')), (isset($v['d']) ? ' disabled="disabled"' : ''), ' />', $i, ' ';

+  }

+  if($v[1] == 'nil'){

+   echo '<input type="radio" name="h', $k, '" value="nil"', ((!isset($_POST['h'. $k]) or $_POST['h'. $k] == 'nil') ? ' checked="checked"' : ''), (isset($v['d']) ? ' disabled="disabled"' : ''), ' />not set ';

+  }

+  if(!empty($v[4])){ // + input text box

+   echo '<input type="radio" name="h', $k, '" value="', $j, '"', (((isset($_POST['h'. $k]) && $_POST['h'. $k] == $j) or (!isset($_POST['h'. $k]) && $j == $v[1])) ? ' checked="checked"' : ''), (isset($v['d']) ? ' disabled="disabled"' : ''), ' />';

+   if(!is_array($v[4])){

+    echo $v[6], ': <input type="text" size="', $v[4], '" name="h', $k. $j, '" value="', htmlspecialchars(isset($_POST['h'. $k. $j][0]) ? $_POST['h'. $k. $j] : $v[5]), '"', (isset($v['d']) ? ' disabled="disabled"' : ''), ' />';

+   }

+   else{

+    foreach($v[4] as $z){

+     echo ' ', $z[3], ': <input type="text" size="', $z[0], '" name="h', $k. $j. $z[1], '" value="', htmlspecialchars(isset($_POST['h'. $k. $j. $z[1]][0]) ? $_POST['h'. $k. $j. $z[1]] : $z[2]), '"', (isset($v['d']) ? ' disabled="disabled"' : ''), ' />';

+    }    

+   }

+  }

+ }

+ elseif(ctype_digit($v[3])){ // input text

+  echo '<input type="text" size="', $v[3], '" name="h', $k, '" value="', htmlspecialchars(isset($_POST['h'. $k][0]) ? $_POST['h'. $k] : $v[1]), '"', (isset($v['d']) ? ' disabled="disabled"' : ''), ' />';  

+ }

+ else{} // text-area

+ echo ' <span class="help">', $v[2], '</span></li>';

+}

+echo '</ul></td></tr><tr><td><span style="vertical-align: top;" class="help" title="$spec argument: element-specific attribute rules">Spec:</span></td><td><textarea name="spec" id="spec" cols="70" rows="3" style="width:80%;">', htmlspecialchars((isset($_POST['spec']) ? $_POST['spec'] : '')), '</textarea></td></tr></table>';

+?>

+

+</div>

+</form>

+

+<?php

+if($do){

+ $cfg = array();

+ foreach($_POST as $k=>$v){

+  if($k[0] == 'h' && $v != 'nil'){

+   $cfg[substr($k, 1)] = $v;

+  }

+ }

+

+ if(isset($cfg['anti_link_spam']) && $cfg['anti_link_spam'] && (!empty($cfg['anti_link_spam11']) or !empty($cfg['anti_link_spam12']))){

+  $cfg['anti_link_spam'] = array($cfg['anti_link_spam11'], $cfg['anti_link_spam12']);

+ }

+ unset($cfg['anti_link_spam11'], $cfg['anti_link_spam12']);

+ if(isset($cfg['anti_mail_spam']) && $cfg['anti_mail_spam'] == 1){

+  $cfg['anti_mail_spam'] = isset($cfg['anti_mail_spam1'][0]) ? $cfg['anti_mail_spam1'] : 0;

+ }

+ unset($cfg['anti_mail_spam11']);

+ if(isset($cfg['deny_attribute']) && $cfg['deny_attribute'] == 1){

+  $cfg['deny_attribute'] = isset($cfg['deny_attribute1'][0]) ? $cfg['deny_attribute1'] : 0;

+ }

+ unset($cfg['deny_attribute1']);

+ if(isset($cfg['tidy']) && $cfg['tidy'] == 2){

+  $cfg['tidy'] = isset($cfg['tidy2'][0]) ? $cfg['tidy2'] : 0;

+ }

+ unset($cfg['tidy2']);

+ if(isset($cfg['unique_ids']) && $cfg['unique_ids'] == 2){

+  $cfg['unique_ids'] = isset($cfg['unique_ids2'][0]) ? $cfg['unique_ids2'] : 1;

+ }

+ unset($cfg['unique_ids2']);

+ unset($cfg['and_mark']); // disabling and_mark

+

+ $cfg['show_setting'] = 'hlcfg';

+ $st = microtime(); 

+ $out = htmLawed($_POST['text'], $cfg, $_POST['spec']);

+ $et = microtime();

+ echo '<br /><a href="htmLawedTest.php" title="[toggle visibility] syntax-highlighted" onclick="javascript:toggle(\'inputR\'); return false;"><span class="notice">Input code &raquo;</span></a> <span class="help" title="tags estimated as half of total &gt; and &lt; chars; values may be inaccurate for non-ASCII text"><small><big>', strlen($_POST['text']), '</big> chars, ~<big>', ($tag = round((substr_count($_POST['text'], '>') + substr_count($_POST['text'], '<'))/2)), '</big> tag', ($tag > 1 ? 's' : ''), '</small>&nbsp;</span><div id="inputR" style="display: none;">', format($_POST['text']), '</div><script type="text/javascript">hl(\'inputR\');</script>', (!isset($_POST['text'][$_hlimit]) ? ' <a href="htmLawedTest.php" title="[toggle visibility] hexdump; non-viewable characters like line-returns are shown as dots" onclick="javascript:toggle(\'inputD\'); return false;"><span class="notice">Input binary &raquo;&nbsp;</span></a><div id="inputD" style="display: none;">'. hexdump($_POST['text']). '</div>' : ''), ' <a href="htmLawedTest.php" title="[toggle visibility] finalized internal settings as interpreted by htmLawed; for developers" onclick="javascript:toggle(\'settingF\'); return false;"><span class="notice">Finalized internal settings &raquo;&nbsp;</span></a> <div id="settingF" style="display: none;">$config: ', str_replace(array('    ', "\t", '  '), array('  ', '&nbsp;  ', '&nbsp; '), nl2br(htmlspecialchars(print_r($GLOBALS['hlcfg']['config'], true)))), '<br />$spec: ', str_replace(array('    ', "\t", '  '), array('  ', '&nbsp;  ', '&nbsp; '), nl2br(htmlspecialchars(print_r($GLOBALS['hlcfg']['spec'], true)))), '</div><script type="text/javascript">hl(\'settingF\');</script>', '<br /><a href="htmLawedTest.php" title="[toggle visibility] suitable for copy-paste" onclick="javascript:toggle(\'outputF\'); return false;"><span class="notice">Output &raquo;</span></a> <span class="help" title="approx., server-specific value excluding the \'include()\' call"><small>htmLawed processing time <big>', number_format(((substr($et,0,9)) + (substr($et,-10)) - (substr($st,0,9)) - (substr($st,-10))),4), '</big> s</small></span>', (($mem = memory_get_peak_usage()) !== false ? '<span class="help"><small>, peak memory usage <big>'. round(($mem-$pre_mem)/1048576, 2). '</big> <small>MB</small>' : ''), '</small></span><div id="outputF"  style="display: block;"><div><textarea id="text2" class="textarea" name="text2" rows="5" cols="100" style="width: 100%;">', htmlspecialchars($out), '</textarea></div><button type="button" title="Filtered input rendered as web-page without a doctype or charset declaration" style="float: right;" onclick="javascript: sndProc2(); return false;" onkeypress="javascript: sndProc2(); return false;">Render in webpage</button><button type="button" onclick="javascript:document.getElementById(\'text2\').focus();document.getElementById(\'text2\').select()" title="select all to copy" style="float:right;">Select all</button>';

+ if($_w3c_validate && $validation)

+ {

+?>

+  

+<button type="button" title="HTML 4.01 W3C online validation" style="float: right;" onclick="javascript: sndValidn('text2', 'html401'); return false;" onkeypress="javascript: sndValidn('text2', 'html401'); return false;">Check HTML</button>

+<button type="button" title="XHTML 1.1 W3C online validation" style="float: right;" onclick="javascript: sndValidn('text2', 'xhtml110'); return false;" onkeypress="javascript: sndValidn('text2', 'xhtml110'); return false;">Check XHTML</button>

+  

+<?php

+ }

+ echo '</div><br /><a href="htmLawedTest.php" title="[toggle visibility] syntax-highlighted" onclick="javascript:toggle(\'outputR\'); return false;"><span class="notice">Output code &raquo;</span></a><div id="outputR" style="display: block;">', format($out), '</div><script type="text/javascript">hl(\'outputR\');</script>', (!isset($_POST['text'][$_hlimit]) ? ' <a href="htmLawedTest.php" title="[toggle visibility] hexdump; non-viewable characters like line-returns are shown as dots" onclick="javascript:toggle(\'outputD\'); return false;"><span class="notice">Output binary &raquo;</span></a><div id="outputD" style="display: none;">'. hexdump($out). '</div>' : ''), ' <a href="htmLawedTest.php" title="[toggle visibility] inline output-input diff; might not be perfectly accurate, semantically or otherwise " onclick="javascript:toggle(\'diff\'); diffLaunch(); return false;"><span class="notice">Diff &raquo;</span></a> <div id="diff" style="display: none;"></div><br /><a href="htmLawedTest.php" title="[toggle visibility] XHTML 1 Transitional doctype" onclick="javascript:toggle(\'outputH\'); return false;">';

+}

+else{

+?>

+

+<br />

+

+<div class="help">Use with a Javascript- and cookie-enabled, relatively new version of a common browser.

+

+<?php echo (file_exists('./htmLawed_TESTCASE.txt') ? '<br /><br />You can use text from <a href="htmLawed_TESTCASE.txt"><span class="notice">this collection of test-cases</span></a> in the input. Set the character encoding of the browser to Unicode/utf-8 before copying.' : ''); ?>

+

+<br /><br />For anti-XSS tests, try the <a href="http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed/htmLawedSafeModeTest.php"><span class="notice">special test-page</span></a> or see <a href="http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed/rsnake/RSnakeXSSTest.htm"><span class="notice">these results</span></a>.

+

+<br /><br /><small>Change <em>Encoding</em> to reflect the character encoding of the input text. Even then, it may not work or some characters may not display properly because of variable browser support and because of the form interface. Developers can write some PHP code to capture the filtered input to a file if this is important.

+<br /><br />Refer to the htmLawed documentation (<a href="htmLawed_README.htm"><span class="notice">htm</span></a>/<a href="htmLawed_README.txt"><span class="notice">txt</span></a>) for details about <em>Settings</em>, and htmLawed's behavior and limitations. For <em>Settings</em>, incorrectly-specified values like regular expressions are silently ignored. One or more settings form-fields may have been disabled. Some characters are not allowed in the <em>Spec</em> field.

+

+

+<br /><br />Hovering the mouse over some of the text can provide additional information in some browsers.</small>

+

+<?php

+if($_w3c_validate){

+?>

+

+<small><br /><br />Because of character-encoding issues, the W3C validator (anyway not perfect) may reject validation requests or invalidate otherwise-valid code, esp. if text was copy-pasted in the input box. Local applications like the <em>HTML Validator</em> Firefox browser add-on may be useful in such cases.</small>

+

+<?php

+}

+?>

+

+</div>

+

+<?php

+}

+?>

+

+</div>

+</body>

+</html>

diff --git a/lib/htmlawed/htmLawed_README.htm b/lib/htmlawed/htmLawed_README.htm
index 42e4860..a63513b 100644
--- a/lib/htmlawed/htmLawed_README.htm
+++ b/lib/htmlawed/htmLawed_README.htm
@@ -1,2289 +1,2289 @@
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
-<meta http-equiv="Content-Language" content="en" />
-<meta name="description" content="htmLawed PHP software is a free, open-source, customizable HTML input purifier and filter - htmLawed_README.txt - presented with rTxt2htm, a PHP Labware utility" />
-<meta name="keywords" content="htmLawed, HTM, HTML, HTML5, HTML 5, XHTML, XHTML5, HTML Tidy, converter, filter, formatter, purifier, sanitizer, XSS, input, PHP, software, code, script, security, cross-site scripting, hack, sanitize, remove, standards, tags, attributes, elements, Aria, Ruby, data attributes, tidy, indent, auto-indent, prettify, pretty print, htmLawed_README.txt, rTxt2htm, PHP Labware" />
-<style type="text/css" media="all">
-<!--/*--><![CDATA[/*><!--*/
-a {text-decoration:none; color: blue;}
-a:hover {color: red;}
-a:visited {color: blue;}
-body {margin: 0; padding: 0;}
-body, div, html, p {font-family: Georgia, 'Times new roman', Times;}
-code.code {font-family: 'Bitstream vera sans mono', 'Courier New', 'Courier', monospace;}
-div.comment {padding: 5px; color: #999999; font-size: 80%;}
-div.comment a {color: #6699cc;}
-div#body {width: 70%; margin: 5px; padding: 5px;} /* holds non-toc content */
-div#toc {position: fixed; top: 5px; left: 73%; z-index: 2; margin-top: 5px; margin-left: 5px; border: 1px solid gray; padding: 5px; background-color: #ededed; width: 23%; overflow: auto; max-height:94%; font-size: 90%;} /* holds content table (toc) */
-div#top {font-size: 14px; margin: 5px; padding: 5px;} /* holds all content */
-div.monospace {overflow: auto; font-family: 'Bitstream vera sans mono', 'Courier New', 'Courier', monospace;}
-div.sub-section {padding-left: 15px;}
-div.sub-sub-section {padding-left: 30px;}
-h1 {font-size: 22px; margin-top: 5px; margin-bottom: 5px;}
-h2 {font-size: 20px; float: left; margin-top: 15px; margin-bottom: 5px;}
-h3 {font-size: 18px; float: left; margin-top: 15px; margin-bottom: 5px;}
-h4 {font-size: 16px; float: left; margin-top: 15px; margin-bottom: 5px;}
-hr {margin-top: 15px; margin-bottom: 5px;}
-input, textarea {font-family: 'Bitstream vera sans mono', 'Courier New', 'Courier', monospace;}
-p.subtle {color: gray; padding: 0; padding-top: 10px; margin: 0;}
-p.subtle a, p.subtle a:visited {color: #6699cc;}
-span.item-no {color: black;}
-span.subtle {color: gray; margin: 0; padding:0;}
-span.subtle a, span.subtle a:visited {color: #6699cc;}
-span.term {font-family: 'Bitstream vera sans mono', 'Courier New', 'Courier', monospace;}
-span.toc-item {color: black;}
-span.totop {float: right; margin-top: 15px; margin-bottom: 5px;}
-span.totop a, span.totop a:visited {color: #6699cc;}
-@media screen { /* fixes for old IE */
- * html, * html body {overflow-y: auto!important; height: 100%; margin: 0; padding: 0;}
- * html div#body {height: 100%; overflow-y: auto; position: relative;}
- * html div#toc {position: absolute;}
-}
-/*]]>*/-->
-</style>
-<title>htmLawed documentation | htmLawed PHP software is a free, open-source, customizable HTML input purifier and filter</title>
-</head>
-<body>
-<div id="top">
-<h1><a id="peak" name="peak"></a>htmLawed documentation</h1>
-
-<div id="toc"><span class="toc-item"><a href="#s1"><span class="item-no">1</span>&#160; About htmLawed</a></span><br />
-&#160; <span class="toc-item"><a href="#s1.1"><span class="item-no">1.1</span>&#160; Example uses</a></span><br />
-&#160; <span class="toc-item"><a href="#s1.2"><span class="item-no">1.2</span>&#160; Features</a></span><br />
-&#160; <span class="toc-item"><a href="#s1.3"><span class="item-no">1.3</span>&#160; History</a></span><br />
-&#160; <span class="toc-item"><a href="#s1.4"><span class="item-no">1.4</span>&#160; License &amp; copyright</a></span><br />
-&#160; <span class="toc-item"><a href="#s1.5"><span class="item-no">1.5</span>&#160; Terms used here</a></span><br />
-&#160; <span class="toc-item"><a href="#s1.6"><span class="item-no">1.6</span>&#160; Availability</a></span><br />
-<span class="toc-item"><a href="#s2"><span class="item-no">2</span>&#160; Usage</a></span><br />
-&#160; <span class="toc-item"><a href="#s2.1"><span class="item-no">2.1</span>&#160; Simple</a></span><br />
-&#160; <span class="toc-item"><a href="#s2.2"><span class="item-no">2.2</span>&#160; Configuring htmLawed using the <span class="term">$config</span>&#160;argument</a></span><br />
-&#160; <span class="toc-item"><a href="#s2.3"><span class="item-no">2.3</span>&#160; Extra HTML specifications using the <span class="term">$spec</span>&#160;argument</a></span><br />
-&#160; <span class="toc-item"><a href="#s2.4"><span class="item-no">2.4</span>&#160; Performance time &amp; memory usage</a></span><br />
-&#160; <span class="toc-item"><a href="#s2.5"><span class="item-no">2.5</span>&#160; Some security risks to keep in mind</a></span><br />
-&#160; <span class="toc-item"><a href="#s2.6"><span class="item-no">2.6</span>&#160; Use with <span class="term">kses()</span>&#160;code</a></span><br />
-&#160; <span class="toc-item"><a href="#s2.7"><span class="item-no">2.7</span>&#160; Tolerance for ill-written HTML</a></span><br />
-&#160; <span class="toc-item"><a href="#s2.8"><span class="item-no">2.8</span>&#160; Limitations &amp; work-arounds</a></span><br />
-&#160; <span class="toc-item"><a href="#s2.9"><span class="item-no">2.9</span>&#160; Examples of usage</a></span><br />
-<span class="toc-item"><a href="#s3"><span class="item-no">3</span>&#160; Details</a></span><br />
-&#160; <span class="toc-item"><a href="#s3.1"><span class="item-no">3.1</span>&#160; Invalid/dangerous characters</a></span><br />
-&#160; <span class="toc-item"><a href="#s3.2"><span class="item-no">3.2</span>&#160; Character references/entities</a></span><br />
-&#160; <span class="toc-item"><a href="#s3.3"><span class="item-no">3.3</span>&#160; HTML elements</a></span><br />
-&#160; &#160; <span class="toc-item"><a href="#s3.3.1"><span class="item-no">3.3.1</span>&#160; HTML comments &amp; <span class="term">CDATA</span>&#160;sections</a></span><br />
-&#160; &#160; <span class="toc-item"><a href="#s3.3.2"><span class="item-no">3.3.2</span>&#160; Tag-transformation for better compliance with standards</a></span><br />
-&#160; &#160; <span class="toc-item"><a href="#s3.3.3"><span class="item-no">3.3.3</span>&#160; Tag balancing &amp; proper nesting</a></span><br />
-&#160; &#160; <span class="toc-item"><a href="#s3.3.4"><span class="item-no">3.3.4</span>&#160; Elements requiring child elements</a></span><br />
-&#160; &#160; <span class="toc-item"><a href="#s3.3.5"><span class="item-no">3.3.5</span>&#160; Beautify or compact HTML</a></span><br />
-&#160; <span class="toc-item"><a href="#s3.4"><span class="item-no">3.4</span>&#160; Attributes</a></span><br />
-&#160; &#160; <span class="toc-item"><a href="#s3.4.1"><span class="item-no">3.4.1</span>&#160; Auto-addition of XHTML-required attributes</a></span><br />
-&#160; &#160; <span class="toc-item"><a href="#s3.4.2"><span class="item-no">3.4.2</span>&#160; Duplicate/invalid <span class="term">id</span>&#160;values</a></span><br />
-&#160; &#160; <span class="toc-item"><a href="#s3.4.3"><span class="item-no">3.4.3</span>&#160; URL schemes &amp; scripts in attribute values</a></span><br />
-&#160; &#160; <span class="toc-item"><a href="#s3.4.4"><span class="item-no">3.4.4</span>&#160; Absolute &amp; relative URLs</a></span><br />
-&#160; &#160; <span class="toc-item"><a href="#s3.4.5"><span class="item-no">3.4.5</span>&#160; Lower-cased, standard attribute values</a></span><br />
-&#160; &#160; <span class="toc-item"><a href="#s3.4.6"><span class="item-no">3.4.6</span>&#160; Transformation of deprecated attributes</a></span><br />
-&#160; &#160; <span class="toc-item"><a href="#s3.4.7"><span class="item-no">3.4.7</span>&#160; Anti-spam &amp; <span class="term">href</span></a></span><br />
-&#160; &#160; <span class="toc-item"><a href="#s3.4.8"><span class="item-no">3.4.8</span>&#160; Inline style properties</a></span><br />
-&#160; &#160; <span class="toc-item"><a href="#s3.4.9"><span class="item-no">3.4.9</span>&#160; Hook function for tag content</a></span><br />
-&#160; <span class="toc-item"><a href="#s3.5"><span class="item-no">3.5</span>&#160; Simple configuration directive for most valid XHTML</a></span><br />
-&#160; <span class="toc-item"><a href="#s3.6"><span class="item-no">3.6</span>&#160; Simple configuration directive for most <em>safe</em>&#160;HTML</a></span><br />
-&#160; <span class="toc-item"><a href="#s3.7"><span class="item-no">3.7</span>&#160; Using a hook function</a></span><br />
-&#160; <span class="toc-item"><a href="#s3.8"><span class="item-no">3.8</span>&#160; Obtaining <em>finalized</em>&#160;parameter values</a></span><br />
-&#160; <span class="toc-item"><a href="#s3.9"><span class="item-no">3.9</span>&#160; Retaining non-HTML tags in input with mixed markup</a></span><br />
-<span class="toc-item"><a href="#s4"><span class="item-no">4</span>&#160; Other</a></span><br />
-&#160; <span class="toc-item"><a href="#s4.1"><span class="item-no">4.1</span>&#160; Support</a></span><br />
-&#160; <span class="toc-item"><a href="#s4.2"><span class="item-no">4.2</span>&#160; Known issues</a></span><br />
-&#160; <span class="toc-item"><a href="#s4.3"><span class="item-no">4.3</span>&#160; Change-log</a></span><br />
-&#160; <span class="toc-item"><a href="#s4.4"><span class="item-no">4.4</span>&#160; Testing</a></span><br />
-&#160; <span class="toc-item"><a href="#s4.5"><span class="item-no">4.5</span>&#160; Upgrade, &amp; old versions</a></span><br />
-&#160; <span class="toc-item"><a href="#s4.6"><span class="item-no">4.6</span>&#160; Comparison with <span class="term">HTMLPurifier</span></a></span><br />
-&#160; <span class="toc-item"><a href="#s4.7"><span class="item-no">4.7</span>&#160; Use through application plug-ins/modules</a></span><br />
-&#160; <span class="toc-item"><a href="#s4.8"><span class="item-no">4.8</span>&#160; Use in non-PHP applications</a></span><br />
-&#160; <span class="toc-item"><a href="#s4.9"><span class="item-no">4.9</span>&#160; Donate</a></span><br />
-&#160; <span class="toc-item"><a href="#s4.10"><span class="item-no">4.10</span>&#160; Acknowledgements</a></span><br />
-<span class="toc-item"><a href="#s5"><span class="item-no">5</span>&#160; Appendices</a></span><br />
-&#160; <span class="toc-item"><a href="#s5.1"><span class="item-no">5.1</span>&#160; Characters discouraged in HTML</a></span><br />
-&#160; <span class="toc-item"><a href="#s5.2"><span class="item-no">5.2</span>&#160; Valid attribute-element combinations</a></span><br />
-&#160; <span class="toc-item"><a href="#s5.3"><span class="item-no">5.3</span>&#160; CSS 2.1 properties accepting URLs</a></span><br />
-&#160; <span class="toc-item"><a href="#s5.4"><span class="item-no">5.4</span>&#160; Microsoft Windows 1252 character replacements</a></span><br />
-&#160; <span class="toc-item"><a href="#s5.5"><span class="item-no">5.5</span>&#160; URL format</a></span><br />
-&#160; <span class="toc-item"><a href="#s5.6"><span class="item-no">5.6</span>&#160; Brief on htmLawed code</a></span></div><!-- ended div toc -->
-
-<div id="body">
-<br />
-<div class="comment">htmLawed_README.txt, 24 September 2019<br />
-htmLawed 1.2.5, 24 September 2019<br />
-Copyright Santosh Patnaik<br />
-Dual licensed with LGPL 3 and GPL 2+<br />
-A PHP Labware internal utility &#45; <a href="http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed">http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed</a>&#160;</div>
-<br />
-
-<div class="section"><h2>
-<a name="s1" id="s1"></a><span class="item-no">1</span>&#160; About htmLawed
-</h2><span class="totop"><a href="#peak">(to top)</a></span><br style="clear: both;" />
-<br />
-&#160; htmLawed is a PHP script to process text with HTML markup to make it more compliant with HTML standards and with administrative policies. It works by making HTML well-formed with balanced and properly nested tags, neutralizing code that introduces a security vulnerability or is used for cross-site scripting (XSS) attacks, allowing only specified HTML tags and attributes, and so on. Such <em>lawing in</em>&#160;of HTML code ensures that it is in accordance with the aesthetics, safety and usability requirements set by administrators.<br />
-<br />
-&#160; htmLawed is highly customizable, and fast with low memory usage. Its free and open-source code is in one small file. It does not require extensions or libraries, and works in older versions of PHP as well. It is a good alternative to the HTML <a href="http://tidy.sourceforge.net">Tidy</a>&#160;application.<br />
-
-<div class="sub-section"><h3>
-<a name="s1.1" id="s1.1"></a><span class="item-no">1.1</span>&#160; Example uses
-</h3><span class="totop"><a href="#peak">(to top)</a></span><br style="clear: both;" />
-<br />
-&#160; * &#160;Filtering of text submitted as comments on blogs to allow only certain HTML elements<br />
-<br />
-&#160; * &#160;Making RSS newsfeed items standard-compliant: often one uses an excerpt from an HTML document for the content, and with unbalanced tags, non-numerical entities, etc., such excerpts may not be XML-compliant<br />
-<br />
-&#160; * &#160;Beautifying or pretty-printing HTML code<br />
-<br />
-&#160; * &#160;Text processing for stricter XML standard-compliance: e.g., to have lowercased <span class="term">x</span>&#160;in hexadecimal numeric entities becomes necessary if an HTML document with MathML content needs to be served as <span class="term">application/xml</span><br />
-<br />
-&#160; * &#160;Scraping text from web-pages<br />
-<br />
-&#160; * &#160;Transforming an HTML element to another<br />
-
-</div>
-<div class="sub-section"><h3>
-<a name="s1.2" id="s1.2"></a><span class="item-no">1.2</span>&#160; Features
-</h3><span class="totop"><a href="#peak">(to top)</a></span><br style="clear: both;" />
-<br />
-&#160; Key: <span class="term">&#42;</span>&#160;security feature, <span class="term">^</span>&#160;standard compliance, <span class="term">~</span>&#160;requires setting right options<br />
-<br />
-&#160; htmLawed:<br />
-<br />
-&#160; * &#160;makes input more <strong>secure</strong>&#160;and <strong>standard-compliant</strong>&#160;for HTML as well as generic <strong>XML</strong>&#160;documents &#160;^<br />
-&#160; * &#160;supports markup for <strong>HTML 5</strong>&#160;and <strong>microdata, ARIA, Ruby, custom attributes</strong>, etc. &#160;^<br />
-&#160; * &#160;can <strong>beautify</strong>&#160;or <strong>compact</strong>&#160;HTML &#160;~<br />
-&#160; * &#160;works with input of almost any <strong>character encoding</strong>&#160;and does not affect it<br />
-&#160; * &#160;has good <strong>tolerance for ill-written HTML</strong><br />
-<br />
-&#160; * &#160;can enforce <strong>restricted use of elements</strong>&#160; *~<br />
-&#160; * &#160;ensures proper closure of empty elements like <span class="term">img</span>&#160; ^<br />
-&#160; * &#160;<strong>transforms deprecated elements</strong>&#160;like <span class="term">font</span>&#160; ^~<br />
-&#160; * &#160;can permit HTML <strong>comments</strong>&#160;and <strong>CDATA</strong>&#160;sections &#160;^~<br />
-&#160; * &#160;can permit all elements, including <span class="term">script</span>, <span class="term">object</span>&#160;and <span class="term">form</span>&#160; ~<br />
-<br />
-&#160; * &#160;can <strong>restrict attributes by element</strong>&#160; ^~<br />
-&#160; * &#160;removes <strong>invalid attributes</strong>&#160; ^<br />
-&#160; * &#160;lower-cases element and attribute names &#160;^<br />
-&#160; * &#160;provides <strong>required attributes</strong>, like <span class="term">alt</span>&#160;for <span class="term">image</span>&#160; ^<br />
-&#160; * &#160;<strong>transforms deprecated attributes</strong>&#160; ^~<br />
-&#160; * &#160;ensures attributes are <strong>declared only once</strong>&#160; ^<br />
-&#160; * &#160;permits <strong>custom</strong>, non-standard attributes as well as custom rules for standard attributes &#160;~<br />
-<br />
-&#160; * &#160;declares value for <em>empty</em>&#160;(<em>minimized</em>&#160;or <em>boolean</em>) attributes like <span class="term">checked</span>&#160; ^<br />
-&#160; * &#160;checks for potentially dangerous attribute values &#160;*~<br />
-&#160; * &#160;ensures <strong>unique</strong>&#160;<span class="term">id</span>&#160;attribute values &#160;^~<br />
-&#160; * &#160;<strong>double-quotes</strong>&#160;attribute values &#160;^<br />
-&#160; * &#160;lower-cases <strong>standard attribute values</strong>&#160;like <span class="term">password</span>&#160; ^<br />
-<br />
-&#160; * &#160;can restrict <strong>URL protocol/scheme by attribute</strong>&#160; *~<br />
-&#160; * &#160;can disable <strong>dynamic expressions</strong>&#160;in <span class="term">style</span>&#160;values &#160;*~<br />
-<br />
-&#160; * &#160;neutralizes invalid named <strong>character entities</strong>&#160; ^<br />
-&#160; * &#160;converts hexadecimal numeric entities to decimal ones, or vice versa &#160;^~<br />
-&#160; * &#160;converts named entities to numeric ones for generic XML use &#160;^~<br />
-<br />
-&#160; * &#160;removes <strong>null</strong>&#160;characters &#160;*<br />
-&#160; * &#160;neutralizes potentially dangerous proprietary Netscape <strong>Javascript entities</strong>&#160; *<br />
-&#160; * &#160;replaces potentially dangerous <strong>soft-hyphen</strong>&#160;character in URL-accepting attribute values with spaces &#160;*<br />
-<br />
-&#160; * &#160;removes common <strong>invalid characters</strong>&#160;not allowed in HTML or XML &#160;^<br />
-&#160; * &#160;replaces <strong>characters from Microsoft applications</strong>&#160;like <span class="term">Word</span>&#160;that are discouraged in HTML or XML &#160;^~<br />
-&#160; * &#160;neutralize entities for characters invalid or discouraged in HTML or XML &#160;^<br />
-&#160; * &#160;appropriately neutralize <span class="term">&lt;</span>, <span class="term">&amp;</span>, <span class="term">"</span>, and <span class="term">&gt;</span>&#160;characters &#160;^*<br />
-<br />
-&#160; * &#160;understands improperly spaced tag content (e.g., spread over more than a line) and properly spaces them<br />
-&#160; * &#160;attempts to <strong>balance tags</strong>&#160;for well-formedness &#160;^~<br />
-&#160; * &#160;understands when <strong>omitable closing tags</strong>&#160;like <span class="term">&lt;/p&gt;</span>&#160;are missing &#160;^~<br />
-&#160; * &#160;attempts to permit only <strong>validly nested tags</strong>&#160; ^~<br />
-&#160; * &#160;can <strong>either remove or neutralize bad content</strong>&#160;^~<br />
-&#160; * &#160;attempts to <strong>rectify common errors of plain-text misplacement</strong>&#160;(e.g., directly inside <span class="term">blockquote</span>) ^~<br />
-<br />
-&#160; * &#160;has optional <strong>anti-spam</strong>&#160;measures such as addition of <span class="term">rel="nofollow"</span>&#160;and link-disabling &#160;~<br />
-&#160; * &#160;optionally makes <strong>relative URLs absolute</strong>, and vice versa &#160;~<br />
-<br />
-&#160; * &#160;optionally marks <span class="term">&amp;</span>&#160;to identify the entities for <span class="term">&amp;</span>, <span class="term">&lt;</span>&#160;and <span class="term">&gt;</span>&#160;introduced by it &#160;~<br />
-<br />
-&#160; * &#160;allows deployment of powerful <strong>hook functions</strong>&#160;to <strong>inject</strong>&#160;HTML, <strong>consolidate</strong>&#160;<span class="term">style</span>&#160;attributes to <span class="term">class</span>, finely check attribute values, etc. &#160;~<br />
-
-</div>
-<div class="sub-section"><h3>
-<a name="s1.3" id="s1.3"></a><span class="item-no">1.3</span>&#160; History
-</h3><span class="totop"><a href="#peak">(to top)</a></span><br style="clear: both;" />
-<br />
-&#160; htmLawed was created in 2007 for use with <span class="term">LabWiki</span>, a wiki software developed at PHP Labware, as a suitable software could not be found. Existing PHP software like <span class="term">Kses</span>&#160;and <span class="term">HTMLPurifier</span>&#160;were deemed inadequate, slow, resource-intensive, or dependent on an extension or external application like <span class="term">HTML Tidy</span>. The core logic of htmLawed, that of identifying HTML elements and attributes, was based on the <span class="term">Kses</span>&#160;(version 0.2.2) HTML filter software of Ulf Harnhammar (it can still be used with code that uses <span class="term">Kses</span>; see <a href="#s2.6">section 2.6</a>.). Support for HTML version 5 was added in May 2013 in a beta and in February 2017 in a production release.<br />
-<br />
-&#160; See <a href="#s4.3">section 4.3</a>&#160;for a detailed log of changes in htmLawed over the years, and <a href="#s4.10">section 4.10</a>&#160;for acknowledgements.<br />
-
-</div>
-<div class="sub-section"><h3>
-<a name="s1.4" id="s1.4"></a><span class="item-no">1.4</span>&#160; License &amp; copyright
-</h3><span class="totop"><a href="#peak">(to top)</a></span><br style="clear: both;" />
-<br />
-&#160; htmLawed is free and open-source software, copyrighted by Santosh Patnaik, MD, PhD, and dual-licensed with LGPL version <a href="http://www.gnu.org/licenses/lgpl-3.0.txt">3</a>, and GPL version <a href="http://www.gnu.org/licenses/gpl-2.0.txt">2</a>&#160;(or later) licenses.<br />
-
-</div>
-<div class="sub-section"><h3>
-<a name="s1.5" id="s1.5"></a><span class="item-no">1.5</span>&#160; Terms used here
-</h3><span class="totop"><a href="#peak">(to top)</a></span><br style="clear: both;" />
-<br />
-&#160; In this document, only HTML body-level elements are considered. htmLawed does not have support for head-level elements, <span class="term">body</span>, and the frame-level elements, <span class="term">frameset</span>, <span class="term">frame</span>&#160;and <span class="term">noframes</span>, and these elements are ignored here.<br />
-<br />
-&#160; * &#160;<em>administrator</em>&#160;- or admin; person setting up the code that utilizes htmLawed; also, <em>user</em><br />
-&#160; * &#160;<em>attributes</em>&#160;- name-value pairs like <span class="term">href="http&#58;//x.com"</span>&#160;in opening tags<br />
-&#160; * &#160;<em>author</em>&#160;- see <em>writer</em><br />
-&#160; * &#160;<em>character</em>&#160;- atomic unit of text; internally represented by a numeric <em>code-point</em>&#160;as specified by the <em>encoding</em>&#160;or <em>charset</em>&#160;in use<br />
-&#160; * &#160;<em>entity</em>&#160;- markup like <span class="term">&amp;gt;</span>&#160;and <span class="term">&amp;#160;</span>&#160;used to refer to a character<br />
-&#160; * &#160;<em>element</em>&#160;- HTML element like <span class="term">a</span>&#160;and <span class="term">img</span><br />
-&#160; * &#160;<em>element content</em>&#160;- &#160;content between the opening and closing tags of an element, like <span class="term">click</span>&#160;of the <span class="term">&lt;a href="x"&gt;click&lt;/a&gt;</span>&#160;element<br />
-&#160; * &#160;<em>HTML</em>&#160;- implies XHTML unless specified otherwise<br />
-&#160; * &#160;<em>HTML body</em>&#160;- content in the <em>body</em>&#160;container of an HTML document<br />
-&#160; * &#160;<em>input</em>&#160;- text given to htmLawed to process<br />
-&#160; * &#160;<em>legal</em>&#160;– standard-compliant; also, <em>valid</em><br />
-&#160; * &#160;<em>processing</em>&#160;- involves filtering, correction, etc., of input<br />
-&#160; * &#160;<em>safe</em>&#160;- absence or reduction of certain characters and HTML elements and attributes in HTML of text that can otherwise potentially, and circumstantially, expose text readers to security vulnerabilities like cross-site scripting attacks (XSS)<br />
-&#160; * &#160;<em>scheme</em>&#160;- a URL protocol like <span class="term">http</span>&#160;and <span class="term">ftp</span><br />
-&#160; * &#160;<em>specification</em>&#160;- detailed description including rules that define HTML<br />
-&#160; * &#160;<em>standard</em>&#160;– widely accepted specification<br />
-&#160; * &#160;<em>style property</em>&#160;- terms like <span class="term">border</span>&#160;and <span class="term">height</span>&#160;for which declarations are made in values for the <span class="term">style</span>&#160;attribute of elements<br />
-&#160; * &#160;<em>tag</em>&#160;- markers like <span class="term">&lt;a href="x"&gt;</span>&#160;and <span class="term">&lt;/a&gt;</span>&#160;delineating element content; the opening tag can contain attributes<br />
-&#160; * &#160;<em>tag content</em>&#160;- consists of tag markers <span class="term">&lt;</span>&#160;and <span class="term">&gt;</span>, element names like <span class="term">div</span>, and possibly attributes<br />
-&#160; * &#160;<em>user</em>&#160;- administrator<br />
-&#160; * &#160;<em>valid</em>&#160;- see <em>legal</em><br />
-&#160; * &#160;<em>writer</em>&#160;- end-user like a blog commenter providing the input that is to be processed; also, <em>author</em><br />
-&#160; * &#160;<em>XHTML</em>&#160;- XML-compliant HTML; parsing rules for XHTML are more strict than for regular HTML<br />
-
-</div>
-<div class="sub-section"><h3>
-<a name="s1.6" id="s1.6"></a><span class="item-no">1.6</span>&#160; Availability
-</h3><span class="totop"><a href="#peak">(to top)</a></span><br style="clear: both;" />
-<br />
-&#160; htmLawed can be downloaded for free at its <a href="http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed">website</a>. Besides the <span class="term">htmLawed.php</span>&#160;file, the download has the htmLawed documentation (this document) in plain <a href="htmLawed_README.txt">text</a>&#160;and <a href="htmLawed_README.htm">HTML</a>&#160;formats, a script for <a href="htmLawedTest.php">testing</a>, and a text file for <a href="htmLawed_TESTCASE.txt">test-cases</a>. htmLawed is also available as a PHP class (OOP code) at its website.<br />
-
-</div>
-</div>
-<div class="section"><h2>
-<a name="s2" id="s2"></a><span class="item-no">2</span>&#160; Usage
-</h2><span class="totop"><a href="#peak">(to top)</a></span><br style="clear: both;" />
-<br />
-&#160; htmLawed works in PHP version 4.4 or higher. Either <span class="term">include()</span>&#160;the <span class="term">htmLawed.php</span>&#160;file, or copy-paste the entire code.<br />
-<br />
-&#160; To use with PHP 4.3, have the following code included:<br />
-<br />
-
-<code class="code">&#160; &#160; if(!function_exists(&#39;ctype_digit&#39;)){</code>
-<br />
-
-<code class="code">&#160; &#160; &#160;function ctype_digit($var){</code>
-<br />
-
-<code class="code">&#160; &#160; &#160; return ((int) $var == $var);</code>
-<br />
-
-<code class="code">&#160; &#160; &#160;}</code>
-<br />
-
-<code class="code">&#160; &#160; }</code>
-<br />
-
-<div class="sub-section"><h3>
-<a name="s2.1" id="s2.1"></a><span class="item-no">2.1</span>&#160; Simple
-</h3><span class="totop"><a href="#peak">(to top)</a></span><br style="clear: both;" />
-<br />
-&#160; The input text to be processed, <span class="term">$text</span>, is passed as an argument of type string; <span class="term">htmLawed()</span>&#160;returns the processed string:<br />
-<br />
-
-<code class="code">&#160; &#160; $processed = htmLawed($text);</code>
-<br />
-<br />
-&#160; With the <span class="term">htmLawed class</span>&#160;(<a href="#s1.6">section 1.6</a>), usage is:<br />
-<br />
-
-<code class="code">&#160; &#160; $processed = htmLawed&#58;&#58;hl($text);</code>
-<br />
-<br />
-&#160; <strong>Notes</strong>: (1) If input is from a <span class="term">$_GET</span>&#160;or <span class="term">$_POST</span>&#160;value, and <span class="term">magic quotes</span>&#160;are enabled on the PHP setup, run <span class="term">stripslashes()</span>&#160;on the input before passing to htmLawed. (2) htmLawed does not have support for head-level elements, <span class="term">body</span>, and the frame-level elements, <span class="term">frameset</span>, <span class="term">frame</span>&#160;and <span class="term">noframes</span>.<br />
-<br />
-&#160; By default, htmLawed will process the text allowing all valid HTML elements/tags and commonly used URL schemes and CSS style properties. It will allow Javascript code, <span class="term">CDATA</span>&#160;sections and HTML comments, balance tags, and ensure proper nesting of elements. Such actions can be configured using two other optional arguments -- <span class="term">$config</span>&#160;and <span class="term">$spec</span>:<br />
-<br />
-
-<code class="code">&#160; &#160; $processed = htmLawed($text, $config, $spec);</code>
-<br />
-<br />
-&#160; The <span class="term">$config</span>&#160;and <span class="term">$spec</span>&#160;arguments are detailed below. Some examples are shown in <a href="#s2.9">section 2.9</a>. For maximum protection against <span class="term">XSS</span>&#160;and other security vulnerabilities, consider using the <span class="term">safe</span>&#160;parameter; see <a href="#s3.6">section 3.6</a>.<br />
-
-</div>
-<div class="sub-section"><h3>
-<a name="s2.2" id="s2.2"></a><span class="item-no">2.2</span>&#160; Configuring htmLawed using the <span class="term">$config</span>&#160;argument
-</h3><span class="totop"><a href="#peak">(to top)</a></span><br style="clear: both;" />
-<br />
-&#160; <span class="term">$config</span>&#160;instructs htmLawed on how to tackle certain tasks. When <span class="term">$config</span>&#160;is not specified, or not set as an array (e.g., <span class="term">$config = 1</span>), htmLawed will take default actions. One or many of the task-action or parameter-value pairs can be specified in <span class="term">$config</span>&#160;as array key-value pairs. If a parameter is not specified, htmLawed will use the default value for it, indicated further below. In PHP code, parameter values that are integers should not be quoted and should be used as numeric types (unless meant as string/text). Thus, for instance:<br />
-<br />
-
-<code class="code">&#160; &#160; $config = array(&#39;comment&#39;=&gt;0, &#39;cdata&#39;=&gt;1, &#39;elements&#39;=&gt;&#39;a, b, strong&#39;);</code>
-<br />
-
-<code class="code">&#160; &#160; $processed = htmLawed($text, $config);</code>
-<br />
-<br />
-&#160; Below are the various parameters that can be specified in <span class="term">$config</span>.<br />
-<br />
-&#160; Key: <span class="term">&#42;</span>&#160;default, <span class="term">^</span>&#160;different from htmLawed versions below 1.2, <span class="term">~</span>&#160;different default when <span class="term">valid_xhtml</span>&#160;is set to <span class="term">1</span>&#160;(see <a href="#s3.5">section 3.5</a>), <span class="term">"</span>&#160;different default when <span class="term">safe</span>&#160;is set to <span class="term">1</span>&#160;(see <a href="#s3.6">section 3.6</a>)<br />
-<br />
-&#160; <strong>abs_url</strong><br />
-&#160; Make URLs absolute or relative; <span class="term">$config["base_url"]</span>&#160;needs to be set; see <a href="#s3.4.4">section 3.4.4</a><br />
-<br />
-&#160; <span class="term">-1</span>&#160;- make relative<br />
-&#160; <span class="term">0</span>&#160;- no action &#160;*<br />
-&#160; <span class="term">1</span>&#160;- make absolute<br />
-<br />
-&#160; <strong>and_mark</strong><br />
-&#160; Mark <span class="term">&amp;</span>&#160;characters in the original input; see <a href="#s3.2">section 3.2</a><br />
-<br />
-&#160; <strong>anti_link_spam</strong><br />
-&#160; Anti-link-spam measure; see <a href="#s3.4.7">section 3.4.7</a><br />
-<br />
-&#160; <span class="term">0</span>&#160;- no measure taken &#160;*<br />
-&#160; <em>array("regex1", "regex2")</em>&#160;- will ensure a <span class="term">rel</span>&#160;attribute with <span class="term">nofollow</span>&#160;in its value in case the <span class="term">href</span>&#160;attribute value matches the regular expression pattern <span class="term">regex1</span>, and/or will remove <span class="term">href</span>&#160;if its value matches the regular expression pattern <span class="term">regex2</span>. E.g., <span class="term">array("/./", "/&#58;//\W&#42;(?!(abc\.com|xyz\.org))/")</span>; see <a href="#s3.4.7">section 3.4.7</a>&#160;for more.<br />
-<br />
-&#160; <strong>anti_mail_spam</strong><br />
-&#160; Anti-mail-spam measure; see <a href="#s3.4.7">section 3.4.7</a><br />
-<br />
-&#160; <span class="term">0</span>&#160;- no measure taken &#160;*<br />
-&#160; <em>word</em>&#160;- <span class="term">@</span>&#160;in mail address in <span class="term">href</span>&#160;attribute value is replaced with specified <em>word</em><br />
-<br />
-&#160; <strong>balance</strong><br />
-&#160; Balance tags for well-formedness and proper nesting; see <a href="#s3.3.3">section 3.3.3</a><br />
-<br />
-&#160; <span class="term">0</span>&#160;- no<br />
-&#160; <span class="term">1</span>&#160;- yes &#160;*<br />
-<br />
-&#160; <strong>base_url</strong><br />
-&#160; Base URL value that needs to be set if <span class="term">$config["abs_url"]</span>&#160;is not <span class="term">0</span>; see <a href="#s3.4.4">section 3.4.4</a><br />
-<br />
-&#160; <strong>cdata</strong><br />
-&#160; Handling of <span class="term">CDATA</span>&#160;sections; see <a href="#s3.3.1">section 3.3.1</a><br />
-<br />
-&#160; <span class="term">0</span>&#160;- don't consider <span class="term">CDATA</span>&#160;sections as markup and proceed as if plain text &#160;"<br />
-&#160; <span class="term">1</span>&#160;- remove<br />
-&#160; <span class="term">2</span>&#160;- allow, but neutralize any <span class="term">&lt;</span>, <span class="term">&gt;</span>, and <span class="term">&amp;</span>&#160;inside by converting them to named entities<br />
-&#160; <span class="term">3</span>&#160;- allow &#160;*<br />
-<br />
-&#160; <strong>clean_ms_char</strong><br />
-&#160; Replace <em>discouraged</em>&#160;characters introduced by Microsoft Word, etc.; see <a href="#s3.1">section 3.1</a><br />
-<br />
-&#160; <span class="term">0</span>&#160;- no &#160;*<br />
-&#160; <span class="term">1</span>&#160;- yes<br />
-&#160; <span class="term">2</span>&#160;- yes, but replace special single &amp; double quotes with ordinary ones<br />
-<br />
-&#160; <strong>comment</strong><br />
-&#160; Handling of HTML comments; see <a href="#s3.3.1">section 3.3.1</a><br />
-<br />
-&#160; <span class="term">0</span>&#160;- don't consider comments as markup and proceed as if plain text &#160;"<br />
-&#160; <span class="term">1</span>&#160;- remove<br />
-&#160; <span class="term">2</span>&#160;- allow, but neutralize any <span class="term">&lt;</span>, <span class="term">&gt;</span>, and <span class="term">&amp;</span>&#160;inside by converting to named entities<br />
-&#160; <span class="term">3</span>&#160;- allow &#160;*<br />
-<br />
-&#160; <strong>css_expression</strong><br />
-&#160; Allow dynamic CSS expression by not removing the expression from CSS property values in <span class="term">style</span>&#160;attributes; see <a href="#s3.4.8">section 3.4.8</a><br />
-<br />
-&#160; <span class="term">0</span>&#160;- remove &#160;*<br />
-&#160; <span class="term">1</span>&#160;- allow<br />
-<br />
-&#160; <strong>deny_attribute</strong><br />
-&#160; Denied HTML attributes; see <a href="#s3.4">section 3.4</a><br />
-<br />
-&#160; <span class="term">0</span>&#160;- none &#160;*<br />
-&#160; <em>string</em>&#160;- dictated by values in <em>string</em><br />
-&#160; <span class="term">on&#42;</span>&#160;- on* event attributes like <span class="term">onfocus</span>&#160;not allowed &#160;"<br />
-<br />
-&#160; <strong>direct_nest_list</strong><br />
-&#160; Allow direct nesting of a list within another without requiring it to be a list item; see <a href="#s3.3.4">section 3.3.4</a><br />
-<br />
-&#160; <span class="term">0</span>&#160;- no &#160;*<br />
-&#160; <span class="term">1</span>&#160;- yes<br />
-<br />
-&#160; <strong>elements</strong><br />
-&#160; Allowed HTML elements; see <a href="#s3.3">section 3.3</a><br />
-<br />
-&#160; <em>all</em>&#160;- *^<br />
-&#160; <span class="term">&#42; -acronym -big -center -dir -font -isindex -s -strike -tt</span>&#160;- &#160;~^<br />
-&#160; <em>applet, audio, canvas, embed, iframe, object, script, and video elements not allowed</em>&#160;- &#160;"^<br />
-<br />
-&#160; <strong>hexdec_entity</strong><br />
-&#160; Allow hexadecimal numeric entities and do not convert to the more widely accepted decimal ones, or convert decimal to hexadecimal ones; see <a href="#s3.2">section 3.2</a><br />
-<br />
-&#160; <span class="term">0</span>&#160;- no<br />
-&#160; <span class="term">1</span>&#160;- yes &#160;*<br />
-&#160; <span class="term">2</span>&#160;- convert decimal to hexadecimal ones<br />
-<br />
-&#160; <strong>hook</strong><br />
-&#160; Name of an optional hook function to alter the input string, <span class="term">$config</span>&#160;or <span class="term">$spec</span>&#160;before htmLawed enters the main phase of its work; see <a href="#s3.7">section 3.7</a><br />
-<br />
-&#160; <span class="term">0</span>&#160;- no hook function &#160;*<br />
-&#160; <em>name</em>&#160;- <em>name</em>&#160;is name of the hook function<br />
-<br />
-&#160; <strong>hook_tag</strong><br />
-&#160; Name of an optional hook function to alter tag content finalized by htmLawed; see <a href="#s3.4.9">section 3.4.9</a><br />
-<br />
-&#160; <span class="term">0</span>&#160;- no hook function &#160;*<br />
-&#160; <em>name</em>&#160;- <em>name</em>&#160;is name of the hook function<br />
-<br />
-&#160; <strong>keep_bad</strong><br />
-&#160; Neutralize <em>bad</em>&#160;tags by converting their <span class="term">&lt;</span>&#160;and <span class="term">&gt;</span>&#160;characters to entities, or remove them; see <a href="#s3.3.3">section 3.3.3</a><br />
-<br />
-&#160; <span class="term">0</span>&#160;- remove<br />
-&#160; <span class="term">1</span>&#160;- neutralize both tags and element content<br />
-&#160; <span class="term">2</span>&#160;- remove tags but neutralize element content<br />
-&#160; <span class="term">3</span>&#160;and <span class="term">4</span>&#160;- like <span class="term">1</span>&#160;and <span class="term">2</span>&#160;but remove if text (<span class="term">pcdata</span>) is invalid in parent element<br />
-&#160; <span class="term">5</span>&#160;and <span class="term">6</span>&#160;* - &#160;like <span class="term">3</span>&#160;and <span class="term">4</span>&#160;but line-breaks, tabs and spaces are left<br />
-<br />
-&#160; <strong>lc_std_val</strong><br />
-&#160; For XHTML compliance, predefined, standard attribute values, like <span class="term">get</span>&#160;for the <span class="term">method</span>&#160;attribute of <span class="term">form</span>, must be lowercased; see <a href="#s3.4.5">section 3.4.5</a><br />
-<br />
-&#160; <span class="term">0</span>&#160;- no<br />
-&#160; <span class="term">1</span>&#160;- yes &#160;*<br />
-<br />
-&#160; <strong>make_tag_strict</strong><br />
-&#160; Transform or remove these deprecated HTML elements, even if they are allowed by the admin: acronym, applet, big, center, dir, font, isindex, s, strike, tt; see <a href="#s3.3.2">section 3.3.2</a><br />
-<br />
-&#160; <span class="term">0</span>&#160;- no<br />
-&#160; <span class="term">1</span>&#160;- yes, but leave <span class="term">applet</span>&#160;and <span class="term">isindex</span>&#160;that currently cannot be transformed &#160;*^<br />
-&#160; <span class="term">2</span>&#160;- yes, removing <span class="term">applet</span>&#160;and <span class="term">isindex</span>&#160;elements and their contents (nested elements remain) &#160;~^<br />
-<br />
-&#160; <strong>named_entity</strong><br />
-&#160; Allow non-universal named HTML entities, or convert to numeric ones; see <a href="#s3.2">section 3.2</a><br />
-<br />
-&#160; <span class="term">0</span>&#160;- convert<br />
-&#160; <span class="term">1</span>&#160;- allow &#160;*<br />
-<br />
-&#160; <strong>no_deprecated_attr</strong><br />
-&#160; Allow deprecated attributes or transform them; see <a href="#s3.4.6">section 3.4.6</a><br />
-<br />
-&#160; <span class="term">0</span>&#160;- allow<br />
-&#160; <span class="term">1</span>&#160;- transform, but <span class="term">name</span>&#160;attributes for <span class="term">a</span>&#160;and <span class="term">map</span>&#160;are retained &#160;*<br />
-&#160; <span class="term">2</span>&#160;- transform<br />
-<br />
-&#160; <strong>parent</strong><br />
-&#160; Name of the parent element, possibly imagined, that will hold the input; see <a href="#s3.3">section 3.3</a><br />
-<br />
-&#160; <strong>safe</strong><br />
-&#160; Magic parameter to make input the most secure against vulnerabilities like XSS without needing to specify other relevant <span class="term">$config</span>&#160;parameters; see <a href="#s3.6">section 3.6</a><br />
-<br />
-&#160; <span class="term">0</span>&#160;- no &#160;*<br />
-&#160; <span class="term">1</span>&#160;- will auto-adjust other relevant <span class="term">$config</span>&#160;parameters (indicated by <span class="term">"</span>&#160;in this list) &#160;^<br />
-<br />
-&#160; <strong>schemes</strong><br />
-&#160; Array of attribute-specific, comma-separated, lower-cased list of schemes (protocols) allowed in attributes accepting URLs (or <span class="term">!</span>&#160;to <em>deny</em>&#160;any URL); <span class="term">&#42;</span>&#160;covers all unspecified attributes; see <a href="#s3.4.3">section 3.4.3</a><br />
-<br />
-&#160; <span class="term">href&#58; aim, app, feed, file, ftp, gopher, http, https, javascript, irc, mailto, news, nntp, sftp, ssh, tel, telnet; &#42;&#58;data, file, http, https, javascript</span>&#160; *^<br />
-&#160; <span class="term">href&#58; aim, feed, file, ftp, gopher, http, https, irc, mailto, news, nntp, sftp, ssh, tel, telnet; style&#58; !; &#42;&#58;file, http, https</span>&#160; "<br />
-<br />
-&#160; <strong>show_setting</strong><br />
-&#160; Name of a PHP variable to assign the <em>finalized</em>&#160;<span class="term">$config</span>&#160;and <span class="term">$spec</span>&#160;values; see <a href="#s3.8">section 3.8</a><br />
-<br />
-&#160; <strong>style_pass</strong><br />
-&#160; Ignore <span class="term">style</span>&#160;attribute values, letting them through without any alteration<br />
-<br />
-&#160; <span class="term">0</span>&#160;- no *<br />
-&#160; <span class="term">1</span>&#160;- htmLawed will let through any <span class="term">style</span>&#160;value; see <a href="#s3.4.8">section 3.4.8</a><br />
-<br />
-&#160; <strong>tidy</strong><br />
-&#160; Beautify or compact HTML code; see <a href="#s3.3.5">section 3.3.5</a><br />
-<br />
-&#160; <span class="term">-1</span>&#160;- compact<br />
-&#160; <span class="term">0</span>&#160;- no &#160;*<br />
-&#160; <span class="term">1</span>&#160;or <em>string</em>&#160;- beautify (custom format specified by <span class="term">string</span>)<br />
-<br />
-&#160; <strong>unique_ids</strong><br />
-&#160; <span class="term">id</span>&#160;attribute value checks; see <a href="#s3.4.2">section 3.4.2</a><br />
-<br />
-&#160; <span class="term">0</span>&#160;- no<br />
-&#160; <span class="term">1</span>&#160;- remove duplicate and/or invalid ones &#160;*<br />
-&#160; <em>word</em>&#160;- remove invalid ones and replace duplicate ones with new and unique ones based on the <em>word</em>; the admin-specified <em>word</em>&#160;cannot contain a space character<br />
-<br />
-&#160; <strong>valid_xhtml</strong><br />
-&#160; Magic parameter to make input the most valid XHTML without needing to specify other relevant <span class="term">$config</span>&#160;parameters; see <a href="#s3.5">section 3.5</a><br />
-<br />
-&#160; <span class="term">0</span>&#160;- no &#160;*<br />
-&#160; <span class="term">1</span>&#160;- will auto-adjust other relevant <span class="term">$config</span>&#160;parameters (indicated by <span class="term">~</span>&#160;in this list)<br />
-<br />
-&#160; <strong>xml:lang</strong><br />
-&#160; Auto-add <span class="term">xml&#58;lang</span>&#160;attribute; see <a href="#s3.4.1">section 3.4.1</a><br />
-<br />
-&#160; <span class="term">0</span>&#160;- no &#160;*<br />
-&#160; <span class="term">1</span>&#160;- add if <span class="term">lang</span>&#160;attribute is present<br />
-&#160; <span class="term">2</span>&#160;- add if <span class="term">lang</span>&#160;attribute is present, and remove <span class="term">lang</span>&#160; ~<br />
-
-</div>
-<div class="sub-section"><h3>
-<a name="s2.3" id="s2.3"></a><span class="item-no">2.3</span>&#160; Extra HTML specifications using the $spec parameter
-</h3><span class="totop"><a href="#peak">(to top)</a></span><br style="clear: both;" />
-<br />
-&#160; The <span class="term">$spec</span>&#160;argument of htmLawed can be used to disallow an otherwise legal attribute for an element, or to restrict the attribute's values. This can also be helpful as a security measure (e.g., in certain versions of browsers, certain values can cause buffer overflows and denial of service attacks), or in enforcing admin policies. <span class="term">$spec</span>&#160;is specified as a string of text containing one or more <em>rules</em>, with multiple rules separated from each other by a semi-colon (<span class="term">;</span>). E.g.,<br />
-<br />
-
-<code class="code">&#160; &#160; $spec = &#39;i=-&#42;; td, tr=style, id, -&#42;; a=id(match="/[a-z][a-z\d.&#58;\-&#96;"]&#42;/i"/minval=2), href(maxlen=100/minlen=34); img=-width,-alt&#39;;</code>
-<br />
-
-<code class="code">&#160; &#160; $processed = htmLawed($text, $config, $spec);</code>
-<br />
-<br />
-&#160; Or,<br />
-<br />
-
-<code class="code">&#160; &#160; $processed = htmLawed($text, $config, &#39;i=-&#42;; td, tr=style, id, -&#42;; a=id(match="/[a-z][a-z\d.&#58;\-&#96;"]&#42;/i"/minval=2), href(maxlen=100/minlen=34); img=-width,-alt&#39;);</code>
-<br />
-<br />
-&#160; A rule begins with an HTML <strong>element</strong>&#160;name(s) (<em>rule-element</em>), for which the rule applies, followed by an equal-to (=) sign. A rule-element may represent multiple elements if comma (,)-separated element names are used. E.g., <span class="term">th,td,tr=</span>.<br />
-<br />
-&#160; Rest of the rule consists of comma-separated HTML <strong>attribute names</strong>. A minus (-) character before an attribute means that the attribute is not permitted inside the rule-element. E.g., <span class="term">-width</span>. To deny all attributes, <span class="term">-&#42;</span>&#160;can be used.<br />
-<br />
-&#160; Following shows examples of rule excerpts with rule-element <span class="term">a</span>&#160;and the attributes that are being permitted:<br />
-<br />
-&#160; * &#160;<span class="term">a=</span>&#160;- all<br />
-&#160; * &#160;<span class="term">a=id</span>&#160;- all<br />
-&#160; * &#160;<span class="term">a=href, title, -id, -onclick</span>&#160;- all except <span class="term">id</span>&#160;and <span class="term">onclick</span><br />
-&#160; * &#160;<span class="term">a=&#42;, id, -id</span>&#160;- all except <span class="term">id</span><br />
-&#160; * &#160;<span class="term">a=-&#42;</span>&#160;- none<br />
-&#160; * &#160;<span class="term">a=-&#42;, href, title</span>&#160;- none except <span class="term">href</span>&#160;and <span class="term">title</span><br />
-&#160; * &#160;<span class="term">a=-&#42;, -id, href, title</span>&#160;- none except <span class="term">href</span>&#160;and <span class="term">title</span><br />
-<br />
-&#160; Rules regarding <strong>attribute values</strong>&#160;are optionally specified inside round brackets after attribute names in solidus (/)-separated <em>parameter = value</em>&#160;pairs. E.g., <span class="term">title(maxlen=30/minlen=5)</span>. None or one or more of the following parameters may be specified:<br />
-<br />
-&#160; * &#160;<span class="term">oneof</span>&#160;- one or more choices separated by <span class="term">|</span>&#160;that the value should match; if only one choice is provided, then the value must match that choice; matching is case-sensitive<br />
-<br />
-&#160; * &#160;<span class="term">noneof</span>&#160;- one or more choices separated by <span class="term">|</span>&#160;that the value should not match; matching is case-sensitive<br />
-<br />
-&#160; * &#160;<span class="term">maxlen</span>&#160;and <span class="term">minlen</span>&#160;- upper and lower limits for the number of characters in the attribute value; specified in numbers<br />
-<br />
-&#160; * &#160;<span class="term">maxval</span>&#160;and <span class="term">minval</span>&#160;- upper and lower limits for the numerical value specified in the attribute value; specified in numbers<br />
-<br />
-&#160; * &#160;<span class="term">match</span>&#160;and <span class="term">nomatch</span>&#160;- pattern that the attribute value should or should not match; specified as PHP/PCRE-compatible regular expressions with delimiters and possibly modifiers (e.g., to specify case-sensitivity for matching)<br />
-<br />
-&#160; * &#160;<span class="term">default</span>&#160;- a value to force on the attribute if the value provided by the writer does not fit any of the specified parameters<br />
-<br />
-&#160; If <span class="term">default</span>&#160;is not set and the attribute value does not satisfy any of the specified parameters, then the attribute is removed. The <span class="term">default</span>&#160;value can also be used to force all attribute declarations to take the same value (by getting the values declared illegal by setting, e.g., <span class="term">maxlen</span>&#160;to <span class="term">-1</span>).<br />
-<br />
-&#160; Examples with <em>input</em>&#160;<span class="term">&lt;input title="WIDTH" value="10em" /&gt;&lt;input title="length" value="5" class="ic1 ic2" /&gt;</span>&#160;are shown below.<br />
-<br />
-&#160; <em>Rule</em>: <span class="term">input=title(maxlen=60/minlen=6), value</span><br />
-&#160; <em>Output</em>: <span class="term">&lt;input value="10em" /&gt;&lt;input title="length" value="5" class="ic1 ic2" /&gt;</span><br />
-<br />
-&#160; <em>Rule</em>: <span class="term">input=title(), value(maxval=8/default=6)</span><br />
-&#160; <em>Output</em>: <span class="term">&lt;input title="WIDTH" value="6" /&gt;&lt;input title="length" value="5" class="ic1 ic2" /&gt;</span><br />
-<br />
-&#160; <em>Rule</em>: <span class="term">input=title(nomatch=%w.d%i), value(match=%em%/default=6em)</span><br />
-&#160; <em>Output</em>: <span class="term">&lt;input value="10em" /&gt;&lt;input title="length" value="6em" class="ic1 ic2" /&gt;</span><br />
-<br />
-&#160; <em>Rule</em>: <span class="term">input=class(noneof=ic2|ic3/oneof=ic1|ic4), title(oneof=height|depth/default=depth), value(noneof=5|6)</span><br />
-&#160; <em>Output</em>: <span class="term">&lt;input title="depth" value="10em" /&gt;&lt;input title="depth" class="ic1" /&gt;</span><br />
-<br />
-&#160; <strong>Special characters</strong>: The characters <span class="term">;</span>, <span class="term">,</span>, <span class="term">/</span>, <span class="term">(</span>, <span class="term">)</span>, <span class="term">|</span>, <span class="term">~</span>&#160;and space have special meanings in the rules. Words in the rules that use such characters, or the characters themselves, should be <em>escaped</em>&#160;by enclosing in pairs of double-quotes (<span class="term">"</span>). A back-tick (<span class="term">&#96;</span>) can be used to escape a literal <span class="term">"</span>. An example rule illustrating this is <span class="term">input=value(maxlen=30/match="/^\w/"/default="your &#96;"ID&#96;"")</span>.<br />
-<br />
-&#160; <strong>Attributes that accept multiple values</strong>: If an attribute is <span class="term">accesskey</span>, <span class="term">class</span>, <span class="term">itemtype</span>&#160;or <span class="term">rel</span>, which can have multiple, space-separated values, or <span class="term">srcset</span>, which can have multiple, comma-separated values, htmLawed will parse the attribute value for such multiple values and will individually test each of them.<br />
-<br />
-&#160; <strong>Note</strong>: To deny an attribute for all elements for which it is legal, <span class="term">$config["deny_attribute"]</span>&#160;(see <a href="#s3.4">section 3.4</a>) can be used instead of <span class="term">$spec</span>. Also, attributes can be allowed element-specifically through <span class="term">$spec</span>&#160;while being denied globally through <span class="term">$config["deny_attribute"]</span>. The <span class="term">hook_tag</span>&#160;parameter (<a href="#s3.4.9">section 3.4.9</a>) can also be possibly used to implement a functionality like that achieved using <span class="term">$spec</span>&#160;functionality.<br />
-<br />
-&#160; <strong>Note</strong>: Attributes' specifications for an element may be set through multiple rules. In case of conflict, the attribute specification in the first rule will get precedence.<br />
-<br />
-&#160; <span class="term">$spec</span>&#160;can also be used to permit custom, non-standard attributes as well as custom rules for standard attributes. Thus, the following value of <span class="term">$spec</span>&#160;will permit the custom uses of the standard <span class="term">rel</span>&#160;attribute in <span class="term">input</span>&#160;(not permitted as per standards) and of a non-standard attribute, <span class="term">vFlag</span>, in <span class="term">img</span>.<br />
-<br />
-
-<code class="code">&#160; &#160; $spec = &#39;img=vFlag; input=rel&#39;</code>
-<br />
-<br />
-&#160; The attribute names must begin with an alphabet and cannot have space, equal-to (=) and solidus (/) characters.<br />
-
-</div>
-<div class="sub-section"><h3>
-<a name="s2.4" id="s2.4"></a><span class="item-no">2.4</span>&#160; Performance time &amp; memory usage
-</h3><span class="totop"><a href="#peak">(to top)</a></span><br style="clear: both;" />
-<br />
-&#160; The time and memory consumed during text processing by htmLawed depends on its configuration, the size of the input, and the amount, nestedness and well-formedness of the HTML markup within the input. In particular, tag balancing and beautification each can increase the processing time by about a quarter.<br />
-<br />
-&#160; The htmLawed <a href="htmLawedTest.php">demo</a>&#160;can be used to evaluate the performance and effects of different types of input and <span class="term">$config</span>.<br />
-
-</div>
-<div class="sub-section"><h3>
-<a name="s2.5" id="s2.5"></a><span class="item-no">2.5</span>&#160; Some security risks to keep in mind
-</h3><span class="totop"><a href="#peak">(to top)</a></span><br style="clear: both;" />
-<br />
-&#160; When setting the parameters/arguments (like those to allow certain HTML elements) for use with htmLawed, one should bear in mind that the setting may let through potentially <em>dangerous</em>&#160;HTML code which is meant to steal user-data, deface a website, render a page non-functional, etc. Unless end-users, either people or software, supplying the content are completely trusted, security issues arising from the degree of HTML usage permitted through htmLawed's setting should be considered. For example, following increase security risks:<br />
-<br />
-&#160; * &#160;Allowing <span class="term">script</span>, <span class="term">applet</span>, <span class="term">embed</span>, <span class="term">iframe</span>, <span class="term">canvas</span>, <span class="term">audio</span>, <span class="term">video</span>&#160;or <span class="term">object</span>&#160;elements, or certain of their attributes like <span class="term">allowscriptaccess</span><br />
-<br />
-&#160; * &#160;Allowing HTML comments (some Internet Explorer versions are vulnerable with, e.g., <span class="term">&lt;!--[if gte IE 4]&gt;&lt;script&gt;alert("xss");&lt;/script&gt;&lt;![endif]--&gt;</span><br />
-<br />
-&#160; * &#160;Allowing dynamic CSS expressions (some Internet Explorer versions are vulnerable)<br />
-<br />
-&#160; * &#160;Allowing the <span class="term">style</span>&#160;attribute<br />
-<br />
-&#160; To remove <em>unsecure</em>&#160;HTML, code-developers using htmLawed must set <span class="term">$config</span>&#160;appropriately. E.g., <span class="term">$config["elements"] = "&#42; -script"</span>&#160;to deny the <span class="term">script</span>&#160;element (<a href="#s3.3">section 3.3</a>), <span class="term">$config["safe"] = 1</span>&#160;to auto-configure ceratin htmLawed parameters for maximizing security (<a href="#s3.6">section 3.6</a>), etc.<br />
-<br />
-&#160; Permitting the <span class="term">&#42;style&#42;</span>&#160;attribute brings in risks of <em>click-jacking</em>, <em>phishing</em>, web-page overlays, etc., <em>even</em>&#160;when the <span class="term">safe</span>&#160;parameter is enabled (see <a href="#s3.6">section 3.6</a>). Except for URLs and a few other things like CSS dynamic expressions, htmLawed currently does not check every CSS style property. It does provide ways for the code-developer implementing htmLawed to do such checks through htmLawed's <span class="term">$spec</span>&#160;argument, and through the <span class="term">hook_tag</span>&#160;parameter (see <a href="#s3.4.8">section 3.4.8</a>&#160;for more). Disallowing <span class="term">style</span>&#160;completely and relying on CSS classes and stylesheet files is recommended.<br />
-<br />
-&#160; htmLawed does not check or correct the character <strong>encoding</strong>&#160;of the input it receives. In conjunction with permissive circumstances, such as when the character encoding is left undefined through HTTP headers or HTML <span class="term">meta</span>&#160;tags, this can allow for an exploit (like Google's <em>UTF-7/XSS</em>&#160;vulnerability of the past).<br />
-<br />
-&#160; Ocassionally, though very rarely, the default settings with which htmLawed runs may change between different versions of htmLawed. Admins should keep this in mind when upgrading htmLawed. Important changes in htmLawed's default behavior in new releases of the software are noted in <a href="#s4.5">section 4.5</a>&#160;on upgrades.<br />
-
-</div>
-<div class="sub-section"><h3>
-<a name="s2.6" id="s2.6"></a><span class="item-no">2.6</span>&#160; Use with <span class="term">kses()</span>&#160;code
-</h3><span class="totop"><a href="#peak">(to top)</a></span><br style="clear: both;" />
-<br />
-&#160; The <span class="term">Kses</span>&#160;PHP script for HTML filtering is used by many applications (like <span class="term">WordPress</span>, as in year 2012). It is possible to have such applications use htmLawed instead, since it is compatible with code that calls the <span class="term">kses()</span>&#160;function declared in the <span class="term">Kses</span>&#160;file (usually named <span class="term">kses.php</span>). E.g., application code like this will continue to work after replacing <span class="term">Kses</span>&#160;with htmLawed:<br />
-<br />
-
-<code class="code">&#160; &#160; $comment_filtered = kses($comment_input, array(&#39;a&#39;=&gt;array(), &#39;b&#39;=&gt;array(), &#39;i&#39;=&gt;array()));</code>
-<br />
-<br />
-&#160; If the application uses a <span class="term">Kses</span>&#160;file that has the <span class="term">kses()</span>&#160;function declared, then, to have the application use htmLawed instead of <span class="term">Kses</span>, rename <span class="term">htmLawed.php</span>&#160;(to <span class="term">kses.php</span>, e.g.) and replace the <span class="term">Kses</span>&#160;file (or just replace the code in the <span class="term">Kses</span>&#160;file with the htmLawed code). If the <span class="term">kses()</span>&#160;function in the <span class="term">Kses</span>&#160;file had been renamed by the application developer (e.g., in <span class="term">WordPress</span>, it is named <span class="term">wp_kses()</span>), then appropriately rename the <span class="term">kses()</span>&#160;function in the htmLawed code. Then, add the following code (which was a part of htmLawed prior to version 1.2):<br />
-<br />
-
-<code class="code">&#160; &#160; // kses compatibility</code>
-<br />
-
-<code class="code">&#160; &#160; function kses($t, $h, $p=array(&#39;http&#39;, &#39;https&#39;, &#39;ftp&#39;, &#39;news&#39;, &#39;nntp&#39;, &#39;telnet&#39;, &#39;gopher&#39;, &#39;mailto&#39;)){</code>
-<br />
-
-<code class="code">&#160; &#160; &#160;foreach($h as $k=&gt;$v){</code>
-<br />
-
-<code class="code">&#160; &#160; &#160; $h[$k][&#39;n&#39;][&#39;&#42;&#39;] = 1;</code>
-<br />
-
-<code class="code">&#160; &#160; &#160;}</code>
-<br />
-
-<code class="code">&#160; &#160; &#160;$C[&#39;cdata&#39;] = $C[&#39;comment&#39;] = $C[&#39;make_tag_strict&#39;] = $C[&#39;no_deprecated_attr&#39;] = $C[&#39;unique_ids&#39;] = 0;</code>
-<br />
-
-<code class="code">&#160; &#160; &#160;$C[&#39;keep_bad&#39;] = 1;</code>
-<br />
-
-<code class="code">&#160; &#160; &#160;$C[&#39;elements&#39;] = count($h) ? strtolower(implode(&#39;,&#39;, array_keys($h))) &#58; &#39;-&#42;&#39;;</code>
-<br />
-
-<code class="code">&#160; &#160; &#160;$C[&#39;hook&#39;] = &#39;kses_hook&#39;;</code>
-<br />
-
-<code class="code">&#160; &#160; &#160;$C[&#39;schemes&#39;] = &#39;&#42;&#58;&#39;. implode(&#39;,&#39;, $p);</code>
-<br />
-
-<code class="code">&#160; &#160; &#160;return htmLawed($t, $C, $h);</code>
-<br />
-
-<code class="code">&#160; &#160; &#160;}</code>
-<br />
-<br />
-
-<code class="code">&#160; &#160; function kses_hook($t, &amp;$C, &amp;$S){</code>
-<br />
-
-<code class="code">&#160; &#160; &#160;return $t;</code>
-<br />
-
-<code class="code">&#160; &#160; }</code>
-<br />
-<br />
-&#160; If the <span class="term">Kses</span>&#160;file used by the application has been significantly altered by the application developers, then one may need a different approach. E.g., with <span class="term">WordPress</span>&#160;(as in the year 2012), it is best to copy the htmLawed code, along with the above-mentioned additions, to <span class="term">wp_includes/kses.php</span>, rename the newly added function <span class="term">kses()</span>&#160;to <span class="term">wp_kses()</span>, and delete the code for the original <span class="term">wp_kses()</span>&#160;function.<br />
-<br />
-&#160; If the <span class="term">Kses</span>&#160;code has a non-empty hook function (e.g., <span class="term">wp_kses_hook()</span>&#160;in case of <span class="term">WordPress</span>), then the code for htmLawed's <span class="term">kses_hook()</span>&#160;function should be appropriately edited. However, the requirement of the hook function should be re-evaluated considering that htmLawed has extra capabilities. With <span class="term">WordPress</span>, the hook function is an essential one. The following code is suggested for the htmLawed <span class="term">kses_hook()</span>&#160;in case of <span class="term">WordPress</span>:<br />
-<br />
-
-<code class="code">&#160; &#160; // kses compatibility</code>
-<br />
-
-<code class="code">&#160; &#160; function kses_hook($string, &amp;$cf, &amp;$spec){</code>
-<br />
-
-<code class="code">&#160; &#160; &#160;$allowed_html = $spec;</code>
-<br />
-
-<code class="code">&#160; &#160; &#160;$allowed_protocols = array();</code>
-<br />
-
-<code class="code">&#160; &#160; &#160;foreach($cf[&#39;schemes&#39;] as $v){</code>
-<br />
-
-<code class="code">&#160; &#160; &#160; foreach($v as $k2=&gt;$v2){</code>
-<br />
-
-<code class="code">&#160; &#160; &#160; &#160;if(!in_array($k2, $allowed_protocols)){</code>
-<br />
-
-<code class="code">&#160; &#160; &#160; &#160; $allowed_protocols[] = $k2;</code>
-<br />
-
-<code class="code">&#160; &#160; &#160; &#160;}</code>
-<br />
-
-<code class="code">&#160; &#160; &#160; }</code>
-<br />
-
-<code class="code">&#160; &#160; &#160;}</code>
-<br />
-
-<code class="code">&#160; &#160; &#160;return wp_kses_hook($string, $allowed_html, $allowed_protocols);</code>
-<br />
-
-<code class="code">&#160; &#160; }</code>
-<br />
-
-</div>
-<div class="sub-section"><h3>
-<a name="s2.7" id="s2.7"></a><span class="item-no">2.7</span>&#160; Tolerance for ill-written HTML
-</h3><span class="totop"><a href="#peak">(to top)</a></span><br style="clear: both;" />
-<br />
-&#160; htmLawed can work with ill-written HTML code in the input. However, HTML that is too ill-written may not be <em>read</em>&#160;as HTML, and may therefore get identified as mere plain text. Following statements indicate the degree of <em>looseness</em>&#160;that htmLawed can work with, and can be provided in instructions to writers:<br />
-<br />
-&#160; * &#160;Tags must be flanked by <span class="term">&lt;</span>&#160;and <span class="term">&gt;</span>&#160;with no <span class="term">&gt;</span>&#160;inside -- any needed <span class="term">&gt;</span>&#160;should be put in as <span class="term">&amp;gt;</span>. It is possible for tag content (element name and attributes) to be spread over many lines instead of being on one. A space may be present between the tag content and <span class="term">&gt;</span>, like <span class="term">&lt;div &gt;</span>&#160;and <span class="term">&lt;img / &gt;</span>, but not after the <span class="term">&lt;</span>.<br />
-<br />
-&#160; * &#160;Element and attribute names need not be lower-cased.<br />
-<br />
-&#160; * &#160;Attribute string of elements may be liberally spaced with tabs, line-breaks, etc.<br />
-<br />
-&#160; * &#160;Attribute values may be single- and not double-quoted.<br />
-<br />
-&#160; * &#160;Left-padding of numeric entities (like, <span class="term">&amp;#0160;</span>, <span class="term">&amp;x07ff;</span>) with <span class="term">0</span>&#160;is okay as long as the number of characters between between the <span class="term">&amp;</span>&#160;and the <span class="term">;</span>&#160;does not exceed 8. All entities must end with <span class="term">;</span>&#160;though.<br />
-<br />
-&#160; * &#160;Named character entities must be properly cased. Thus, <span class="term">&amp;Lt;</span>&#160;or <span class="term">&amp;TILDE;</span>&#160;will not be recognized as entities and will be <em>neutralized</em>.<br />
-<br />
-&#160; * &#160;HTML comments should not be inside element tags (they can be between tags), and should begin with <span class="term">&lt;!--</span>&#160;and end with <span class="term">--&gt;</span>. Characters like <span class="term">&lt;</span>, <span class="term">&gt;</span>, and <span class="term">&amp;</span>&#160;may be allowed inside depending on <span class="term">$config</span>, but any <span class="term">--&gt;</span>&#160;inside should be put in as <span class="term">--&amp;gt;</span>. Any <span class="term">--</span>&#160;inside will be automatically converted to <span class="term">-</span>, and a space will be added before the <span class="term">--&gt;</span>&#160;comment-closing marker &#160;unless <span class="term">$config["comments"]</span>&#160;is set to <span class="term">4</span>&#160;(<a href="#s3.3.1">section 3.3.1</a>).<br />
-<br />
-&#160; * &#160;<span class="term">CDATA</span>&#160;sections should not be inside element tags, and can be in element content only if plain text is allowed for that element. They should begin with <span class="term">&lt;[CDATA[</span>&#160;and end with <span class="term">]]&gt;</span>. Characters like <span class="term">&lt;</span>, <span class="term">&gt;</span>, and <span class="term">&amp;</span>&#160;may be allowed inside depending on <span class="term">$config</span>, but any <span class="term">]]&gt;</span>&#160;inside should be put in as <span class="term">]]&amp;gt;</span>.<br />
-<br />
-&#160; * &#160;For attribute values, character entities <span class="term">&amp;lt;</span>, <span class="term">&amp;gt;</span>&#160;and <span class="term">&amp;amp;</span>&#160;should be used instead of characters <span class="term">&lt;</span>&#160;and <span class="term">&gt;</span>, and <span class="term">&amp;</span>&#160;(when <span class="term">&amp;</span>&#160;is not part of a character entity). This applies even for Javascript code in values of attributes like <span class="term">onclick</span>.<br />
-<br />
-&#160; * &#160;Characters <span class="term">&lt;</span>, <span class="term">&gt;</span>, <span class="term">&amp;</span>&#160;and <span class="term">"</span>&#160;that are part of actual Javascript, etc., code in <span class="term">script</span>&#160;elements should be used as such and not be put in as entities like <span class="term">&amp;gt;</span>. Otherwise, though the HTML will be valid, the code may fail to work. Further, if such characters have to be used, then they should be put inside <span class="term">CDATA</span>&#160;sections.<br />
-<br />
-&#160; * &#160;Simple instructions like "an opening tag cannot be present between two closing tags" and "nested elements should be closed in the reverse order of how they were opened" can help authors write balanced HTML. If tags are imbalanced, htmLawed will try to balance them, but in the process, depending on <span class="term">$config["keep_bad"]</span>, some code/text may be lost.<br />
-<br />
-&#160; * &#160;Input authors should be notified of admin-specified allowed elements, attributes, configuration values (like conversion of named entities to numeric ones), etc.<br />
-<br />
-&#160; * &#160;With <span class="term">$config["unique_ids"]</span>&#160;not <span class="term">0</span>&#160;and the <span class="term">id</span>&#160;attribute being permitted, writers should carefully avoid using duplicate or invalid <span class="term">id</span>&#160;values as even though htmLawed will correct/remove the values, the final output may not be the one desired. E.g., when <span class="term">&lt;a id="home"&gt;&lt;/a&gt;&lt;input id="home" /&gt;&lt;label for="home"&gt;&lt;/label&gt;</span>&#160;is processed into<br />
-<span class="term">&lt;a id="home"&gt;&lt;/a&gt;&lt;input id="prefix_home" /&gt;&lt;label for="home"&gt;&lt;/label&gt;</span>.<br />
-<br />
-&#160; * &#160;Even if intended HTML is lost from an ill-written input, the processed output will be more secure and standard-compliant.<br />
-<br />
-&#160; * &#160;For URLs, unless <span class="term">$config["scheme"]</span>&#160;is appropriately set, writers should avoid using escape characters or entities in schemes. E.g., <span class="term">htt&amp;#112;</span>&#160;(which many browsers will read as the harmless <span class="term">http</span>) may be considered bad by htmLawed.<br />
-<br />
-&#160; * &#160;htmLawed will attempt to put plain text present directly inside <span class="term">blockquote</span>, <span class="term">form</span>, <span class="term">map</span>&#160;and <span class="term">noscript</span>&#160;elements (illegal as per the specifications) inside auto-generated <span class="term">div</span>&#160;elements during tag balancing (<a href="#s3.3.3">section 3.3.3</a>).<br />
-
-</div>
-<div class="sub-section"><h3>
-<a name="s2.8" id="s2.8"></a><span class="item-no">2.8</span>&#160; Limitations &amp; work-arounds
-</h3><span class="totop"><a href="#peak">(to top)</a></span><br style="clear: both;" />
-<br />
-&#160; htmLawed's main objective is to make the input text <em>more</em>&#160;standard-compliant, secure for readers, and free of HTML elements and attributes considered undesirable by the administrator. Some of its current limitations, regardless of this objective, are noted below along with possible work-arounds.<br />
-<br />
-&#160; It should be borne in mind that no browser application is 100% standard-compliant, standard specifications continue to evolve, and many browsers accept commonly used non-standard HTML. Regarding security, note that <em>unsafe</em>&#160;HTML code is not legally invalid per se.<br />
-<br />
-&#160; * &#160;By default, htmLawed will not strictly adhere to the <em>current</em>&#160;HTML standard. Admins can configure htmLawed to be more strict about standard compliance. Standard specification for HTML is continuously evolving. There are two bodies (<a href="http://www.w3c.org">W3C</a>&#160;and <a href="http://www.whatwg.org">WHATWG</a>) that specify the standard and their specifications are not identical. E.g., as in mid-2013, the <span class="term">border</span>&#160;attribute is valid in <span class="term">table</span>&#160;as per W3C but not WHATWG. Thus, htmLawed may not be fully compliant with the standard of a specific group. The HTML standards/rules that htmLawed uses in its logic are a mix of the W3C and WHATWG standards, and can be lax because of the laxity of HTML interpreters (browsers) regarding standards.<br />
-<br />
-&#160; * &#160;In general, htmLawed processes input to generate output that is most likely to be standard-compatible in most users' browsers. Thus, for example, it does not enforce the required value of <span class="term">0</span>&#160;on <span class="term">border</span>&#160;attribute of <span class="term">img</span>&#160;(an HTML version 5 specification).<br />
-<br />
-&#160; * &#160;htmLawed is meant for input that goes into the <span class="term">body</span>&#160;of HTML documents. HTML's head-level elements are not supported, nor are the frame-specific elements <span class="term">frameset</span>, <span class="term">frame</span>&#160;and <span class="term">noframes</span>. However, content of the latter elements can be individually filtered through htmLawed.<br />
-<br />
-&#160; * &#160;It cannot handle input that has non-HTML code like <span class="term">SVG</span>&#160;and <span class="term">MathML</span>. One way around is to break the input into pieces and passing only those without non-HTML code to htmLawed. Another is described in <a href="#s3.9">section 3.9</a>. A third way may be to some how take advantage of the <span class="term">$config["and_mark"]</span>&#160;parameter (see <a href="#s3.2">section 3.2</a>).<br />
-<br />
-&#160; * &#160;By default, htmLawed won't check many attribute values for standard compliance. E.g., <span class="term">width="20m"</span>&#160;with the dimension in non-standard <span class="term">m</span>&#160;is let through. Implementing universal and strict attribute value checks can make htmLawed slow and resource-intensive. Admins should look at the <span class="term">hook_tag</span>&#160;parameter (<a href="#s3.4.9">section 3.4.9</a>) or <span class="term">$spec</span>&#160;to enforce finer checks on attribute values.<br />
-<br />
-&#160; * &#160;By default, htmLawed considers all ARIA, data-*, event and microdata attributes as global attributes and permits them in all elements. This is not strictly standard-compliant. E.g., the <span class="term">itemtype</span>&#160;microdata attribute is permitted only in elements that also have the <span class="term">itemscope</span>&#160;attribute. Admins can configure htmLawed to be more strict about this (<a href="#s2.3">section 2.3</a>).<br />
-<br />
-&#160; * &#160;The attributes, deprecated (which can be transformed too) or not, that it supports are largely those that are in the specifications. Only a few of the proprietary attributes are supported. However, <span class="term">$spec</span>&#160;can be used to allow custom attributes (<a href="#s2.3">section 2.3</a>).<br />
-<br />
-&#160; * &#160;Except for contained URLs and dynamic expressions (also optional), htmLawed does not check CSS style property values. Admins should look at using the <span class="term">hook_tag</span>&#160;parameter (<a href="#s3.4.9">section 3.4.9</a>) or <span class="term">$spec</span>&#160;for finer checks. Perhaps the best option is to disallow <span class="term">style</span>&#160;but allow <span class="term">class</span>&#160;attributes with the right <span class="term">oneof</span>&#160;or <span class="term">match</span>&#160;values for <span class="term">class</span>, and have the various class style properties in <span class="term">.css</span>&#160;CSS stylesheet files.<br />
-<br />
-&#160; * &#160;htmLawed does not parse emoticons, decode <em>BBcode</em>, or <em>wikify</em>, auto-converting text to proper HTML. Similarly, it won't convert line-breaks to <span class="term">br</span>&#160;elements. Such functions are beyond its purview. Admins should use other code to pre- or post-process the input for such purposes.<br />
-<br />
-&#160; * &#160;htmLawed cannot be used to have links force-opened in new windows (by auto-adding appropriate <span class="term">target</span>&#160;and <span class="term">onclick</span>&#160;attributes to <span class="term">a</span>). Admins should look at Javascript-based DOM-modifying solutions for this. Admins may also be able to use a custom hook function to enforce such checks (<span class="term">hook_tag</span>&#160;parameter; see <a href="#s3.4.9">section 3.4.9</a>).<br />
-<br />
-&#160; * &#160;Nesting-based checks are not possible. E.g., one cannot disallow <span class="term">p</span>&#160;elements specifically inside <span class="term">td</span>&#160;while permitting it elsewhere. Admins may be able to use a custom hook function to enforce such checks (<span class="term">hook_tag</span>&#160;parameter; see <a href="#s3.4.9">section 3.4.9</a>).<br />
-<br />
-&#160; * &#160;Except for optionally converting absolute or relative URLs to the other type, htmLawed will not alter URLs (e.g., to change the value of query strings or to convert <span class="term">http</span>&#160;to <span class="term">https</span>. Having absolute URLs may be a standard-requirement, e.g., when HTML is embedded in email messages, whereas altering URLs for other purposes is beyond htmLawed's goals. Admins may be able to use a custom hook function to enforce such checks (<span class="term">hook_tag</span>&#160;parameter; see <a href="#s3.4.9">section 3.4.9</a>).<br />
-<br />
-&#160; * &#160;Pairs of opening and closing tags that do not enclose any content (like <span class="term">&lt;em&gt;&lt;/em&gt;</span>) are not removed. This may be against the standard specification for certain elements (e.g., <span class="term">table</span>). However, presence of such standard-incompliant code will not break the display or layout of content. Admins can also use simple regex-based code to filter out such code.<br />
-<br />
-&#160; * &#160;htmLawed does not check for certain element orderings described in the standard specifications (e.g., in a <span class="term">table</span>, <span class="term">tbody</span>&#160;is allowed before <span class="term">tfoot</span>). Admins may be able to use a custom hook function to enforce such checks (<span class="term">hook_tag</span>&#160;parameter; see <a href="#s3.4.9">section 3.4.9</a>).<br />
-<br />
-&#160; * &#160;htmLawed does not check the number of nested elements. E.g., it will allow two <span class="term">caption</span>&#160;elements in a <span class="term">table</span>&#160;element, illegal as per standard specifications. Admins may be able to use a custom hook function to enforce such checks (<span class="term">hook_tag</span>&#160;parameter; see <a href="#s3.4.9">section 3.4.9</a>).<br />
-<br />
-&#160; * &#160;There are multiple ways to interpret ill-written HTML. E.g., in <span class="term">&lt;small&gt;&lt;small&gt;text&lt;/small&gt;</span>, is it that the second closing tag for <span class="term">small</span>&#160;is missing or is it that the second opening tag for <span class="term">small</span>&#160;was put in by mistake? htmLawed corrects the HTML in the string assuming the former, while the user may have intended the string for the latter. This is an issue that is impossible to address perfectly.<br />
-<br />
-&#160; * &#160;htmLawed might convert certain entities to actual characters and remove backslashes and CSS comment-markers (<span class="term">/&#42;</span>) in <span class="term">style</span>&#160;attribute values in order to detect malicious HTML like crafted, Internet Explorer browser-specific dynamic expressions like <span class="term">&amp;#101;xpression...</span>. If this is too harsh, admins can allow CSS expressions through htmLawed core but then use a custom function through the <span class="term">hook_tag</span>&#160;parameter (<a href="#s3.4.9">section 3.4.9</a>) to more specifically identify CSS expressions in the <span class="term">style</span>&#160;attribute values. Also, using <span class="term">$config["style_pass"]</span>, it is possible to have htmLawed pass <span class="term">style</span>&#160;attribute values without even looking at them (<a href="#s3.4.8">section 3.4.8</a>).<br />
-<br />
-&#160; * &#160;htmLawed does not correct certain possible attribute-based security vulnerabilities (e.g., <span class="term">&lt;a href="http&#58;//x%22+style=%22background-image&#58;xss"&gt;x&lt;/a&gt;</span>). These arise when browsers mis-identify markup in <em>escaped</em>&#160;text, defeating the very purpose of escaping text (a bad browser will read the given example as <span class="term">&lt;a href="http&#58;//x" style="background-image&#58;xss"&gt;x&lt;/a&gt;</span>).<br />
-<br />
-&#160; * &#160;Because of poor Unicode support in PHP, htmLawed does not remove the <em>high value</em>&#160;HTML-invalid characters with multi-byte code-points. Such characters however are extremely unlikely to be in the input. (see <a href="#s3.1">section 3.1</a>).<br />
-<br />
-&#160; * &#160;htmLawed does not check or correct the character encoding of the input it receives. In conjunction with permitting circumstances such as when the character encoding is left undefined through HTTP headers or HTML <span class="term">meta</span>&#160;tags, this can permit an exploit (like Google's <em>UTF-7/XSS</em>&#160;vulnerability of the past). Also, htmLawed can mangle input text if it is not well-formed in terms of character encoding. Administrators can consider using code available elsewhere to check well-formedness of input text characters to correct any defect.<br />
-<br />
-&#160; * &#160;htmLawed is expected to work with input texts in ASCII standard-compatible single-byte encodings such as national variants of ASCII (like ISO-646-DE/German of the ISO 646 standard), extended ASCII variants (like ISO 8859-10/Turkish of the ISO 8859/ISO Latin standard), ISO 8859-based Windows variants (like Windows 1252), EBCDIC, Shift JIS (Japanese), GB-Roman (Chinese), and KS-Roman (Korean). It should also properly handle texts with variable-byte encodings like UTF-7 (Unicode) and UTF-8 (Unicode). However, htmLawed may mangle input texts with double-byte encodings like UTF-16 (Unicode), JIS X 0208:1997 (Japanese) and K SX 1001:1992 (Korean), or the UTF-32 (Unicode) quadruple-byte encoding. If an input text has such an encoding, administrators can use PHP's <a href="http://php.net/manual/en/book.iconv.php">iconv</a>&#160;functions, or some other mean, to convert text to UTF-8 before passing it to htmLawed.<br />
-<br />
-&#160; * &#160;Like any script using PHP's PCRE regex functions, PHP setup-specific low PCRE limit values can cause htmLawed to at least partially fail with very long input texts.<br />
-
-</div>
-<div class="sub-section"><h3>
-<a name="s2.9" id="s2.9"></a><span class="item-no">2.9</span>&#160; Examples of usage
-</h3><span class="totop"><a href="#peak">(to top)</a></span><br style="clear: both;" />
-<br />
-&#160; Safest, allowing only <em>safe</em>&#160;HTML markup --<br />
-<br />
-
-<code class="code">&#160; &#160; $config = array(&#39;safe&#39;=&gt;1);</code>
-<br />
-
-<code class="code">&#160; &#160; $out = htmLawed($in, $config);</code>
-<br />
-<br />
-&#160; Simplest, allowing all valid HTML markup including Javascript --<br />
-<br />
-
-<code class="code">&#160; &#160; $out = htmLawed($in);</code>
-<br />
-<br />
-&#160; Allowing all valid HTML markup but restricting URL schemes in <span class="term">src</span>&#160;attribute values to <span class="term">http</span>&#160;and <span class="term">https</span>&#160;--<br />
-<br />
-
-<code class="code">&#160; &#160; $config = array(&#39;schemes&#39;=&gt;&#39;&#42;&#58;&#42;; src&#58;http, https&#39;);</code>
-<br />
-
-<code class="code">&#160; &#160; $out = htmLawed($in, $config);</code>
-<br />
-<br />
-&#160; Allowing only <span class="term">safe</span>&#160;HTML and the elements <span class="term">a</span>, <span class="term">em</span>, and <span class="term">strong</span>&#160;--<br />
-<br />
-
-<code class="code">&#160; &#160; $config = array(&#39;safe&#39;=&gt;1, &#39;elements&#39;=&gt;&#39;a, em, strong&#39;);</code>
-<br />
-
-<code class="code">&#160; &#160; $out = htmLawed($in, $config);</code>
-<br />
-<br />
-&#160; Not allowing elements <span class="term">script</span>&#160;and <span class="term">object</span>&#160;--<br />
-<br />
-
-<code class="code">&#160; &#160; $config = array(&#39;elements&#39;=&gt;&#39;&#42; -script -object&#39;);</code>
-<br />
-
-<code class="code">&#160; &#160; $out = htmLawed($in, $config);</code>
-<br />
-<br />
-&#160; Not allowing attributes <span class="term">id</span>&#160;and <span class="term">style</span>&#160;--<br />
-<br />
-
-<code class="code">&#160; &#160; $config = array(&#39;deny_attribute&#39;=&gt;&#39;id, style&#39;);</code>
-<br />
-
-<code class="code">&#160; &#160; $out = htmLawed($in, $config);</code>
-<br />
-<br />
-&#160; Permitting only attributes <span class="term">title</span>&#160;and <span class="term">href</span>&#160;--<br />
-<br />
-
-<code class="code">&#160; &#160; $config = array(&#39;deny_attribute&#39;=&gt;&#39;&#42; -title -href&#39;);</code>
-<br />
-
-<code class="code">&#160; &#160; $out = htmLawed($in, $config);</code>
-<br />
-<br />
-&#160; Remove bad/disallowed tags altogether instead of converting them to entities --<br />
-<br />
-
-<code class="code">&#160; &#160; $config = array(&#39;keep_bad&#39;=&gt;0);</code>
-<br />
-
-<code class="code">&#160; &#160; $out = htmLawed($in, $config);</code>
-<br />
-<br />
-&#160; Allowing attribute <span class="term">title</span>&#160;only in <span class="term">a</span>&#160;and not allowing attributes <span class="term">id</span>, <span class="term">style</span>, or scriptable <em>on*</em>&#160;attributes like <span class="term">onclick</span>&#160;--<br />
-<br />
-
-<code class="code">&#160; &#160; $config = array(&#39;deny_attribute&#39;=&gt;&#39;title, id, style, on&#42;&#39;);</code>
-<br />
-
-<code class="code">&#160; &#160; $spec = &#39;a=title&#39;;</code>
-<br />
-
-<code class="code">&#160; &#160; $out = htmLawed($in, $config, $spec);</code>
-<br />
-<br />
-&#160; Allowing a custom attribute, <span class="term">vFlag</span>, in <span class="term">img</span>&#160;and permitting custom use of the standard attribute, <span class="term">rel</span>, in <span class="term">input</span>&#160;--<br />
-<br />
-
-<code class="code">&#160; &#160; $spec = &#39;img=vFlag; input=rel&#39;;</code>
-<br />
-
-<code class="code">&#160; &#160; $out = htmLawed($in, $config, $spec);</code>
-<br />
-<br />
-&#160; Some case-studies are presented below.<br />
-<br />
-&#160; <strong>1.</strong>&#160;A blog administrator wants to allow only <span class="term">a</span>, <span class="term">em</span>, <span class="term">strike</span>, <span class="term">strong</span>&#160;and <span class="term">u</span>&#160;in comments, but needs <span class="term">strike</span>&#160;and <span class="term">u</span>&#160;transformed to <span class="term">span</span>&#160;for better XHTML 1-strict compliance, and, he wants the <span class="term">a</span>&#160;links to point only to <span class="term">http</span>&#160;or <span class="term">https</span>&#160;resources:<br />
-<br />
-
-<code class="code">&#160; &#160; $processed = htmLawed($in, array(&#39;elements&#39;=&gt;&#39;a, em, strike, strong, u&#39;, &#39;make_tag_strict&#39;=&gt;1, &#39;safe&#39;=&gt;1, &#39;schemes&#39;=&gt;&#39;&#42;&#58;http, https&#39;), &#39;a=href&#39;);</code>
-<br />
-<br />
-&#160; <strong>2.</strong>&#160;An author uses a custom-made web application to load content on his website. He is the only one using that application and the content he generates has all types of HTML, including scripts. The web application uses htmLawed primarily as a tool to correct errors that creep in while writing HTML and to take care of the occasional <em>bad</em>&#160;characters in copy-paste text introduced by Microsoft Office. The web application provides a preview before submitted input is added to the content. For the previewing process, htmLawed is set up as follows:<br />
-<br />
-
-<code class="code">&#160; &#160; $processed = htmLawed($in, array(&#39;css_expression&#39;=&gt;1, &#39;keep_bad&#39;=&gt;1, &#39;make_tag_strict&#39;=&gt;1, &#39;schemes&#39;=&gt;&#39;&#42;&#58;&#42;&#39;, &#39;valid_xhtml&#39;=&gt;1));</code>
-<br />
-<br />
-&#160; For the final submission process, <span class="term">keep_bad</span>&#160;is set to <span class="term">6</span>. A value of <span class="term">1</span>&#160;for the preview process allows the author to note and correct any HTML mistake without losing any of the typed text.<br />
-<br />
-&#160; <strong>3.</strong>&#160;A data-miner is scraping information in a specific table of similar web-pages and is collating the data rows, and uses htmLawed to reduce unnecessary markup and white-spaces:<br />
-<br />
-
-<code class="code">&#160; &#160; $processed = htmLawed($in, array(&#39;elements&#39;=&gt;&#39;tr, td&#39;, &#39;tidy&#39;=&gt;-1), &#39;tr, td =&#39;);</code>
-<br />
-
-</div>
-</div>
-<div class="section"><h2>
-<a name="s3" id="s3"></a><span class="item-no">3</span>&#160; Details
-</h2><span class="totop"><a href="#peak">(to top)</a></span><br style="clear: both;" />
-<div class="sub-section"><h3>
-<a name="s3.1" id="s3.1"></a><span class="item-no">3.1</span>&#160; Invalid/dangerous characters
-</h3><span class="totop"><a href="#peak">(to top)</a></span><br style="clear: both;" />
-<br />
-&#160; Valid characters (more correctly, their code-points) in HTML or XML are, hexadecimally, <span class="term">9</span>, <span class="term">a</span>, <span class="term">d</span>, <span class="term">20</span>&#160;to <span class="term">d7ff</span>, and <span class="term">e000</span>&#160;to <span class="term">10ffff</span>, except <span class="term">fffe</span>&#160;and <span class="term">ffff</span>&#160;(decimally, <span class="term">9</span>, <span class="term">10</span>, <span class="term">13</span>, <span class="term">32</span>&#160;to <span class="term">55295</span>, and <span class="term">57344</span>&#160;to <span class="term">1114111</span>, except <span class="term">65534</span>&#160;and <span class="term">65535</span>). htmLawed removes the invalid characters <span class="term">0</span>&#160;to <span class="term">8</span>, <span class="term">b</span>, <span class="term">c</span>, and <span class="term">e</span>&#160;to <span class="term">1f</span>.<br />
-<br />
-&#160; Because of PHP's poor native support for multi-byte characters, htmLawed cannot check for the remaining invalid code-points. However, for various reasons, it is very unlikely for any of those characters to be in the input.<br />
-<br />
-&#160; Characters that are discouraged (see <a href="#s5.1">section 5.1</a>) but not invalid are not removed by htmLawed.<br />
-<br />
-&#160; It (function <span class="term">hl_tag()</span>) also replaces the potentially dangerous (in some Mozilla [Firefox] and Opera browsers) soft-hyphen character (code-point, hexadecimally, <span class="term">ad</span>, or decimally, <span class="term">173</span>) in attribute values with spaces. Where required, the characters <span class="term">&lt;</span>, <span class="term">&gt;</span>, <span class="term">&amp;</span>, and <span class="term">"</span>&#160;are converted to entities.<br />
-<br />
-&#160; With <span class="term">$config["clean_ms_char"]</span>&#160;set as <span class="term">1</span>&#160;or <span class="term">2</span>, many of the discouraged characters (decimal code-points <span class="term">127</span>&#160;to <span class="term">159</span>&#160;except <span class="term">133</span>) that many Microsoft applications incorrectly use (as per the <span class="term">Windows 1252</span>&#160;[<span class="term">Cp-1252</span>] or a similar encoding system), and the character for decimal code-point <span class="term">133</span>, are converted to appropriate decimal numerical entities (or removed for a few cases)-- see appendix in <a href="#s5.4">section 5.4</a>. This can help avoid some display issues arising from copying-pasting of content.<br />
-<br />
-&#160; With <span class="term">$config["clean_ms_char"]</span>&#160;set as <span class="term">2</span>, characters for the hexadecimal code-points <span class="term">82</span>, <span class="term">91</span>, and <span class="term">92</span>&#160;(for special single-quotes), and <span class="term">84</span>, <span class="term">93</span>, and <span class="term">94</span>&#160;(for special double-quotes) are converted to ordinary single and double quotes respectively and not to entities.<br />
-<br />
-&#160; The character values are replaced with entities/characters and not character values referred to by the entities/characters to keep this task independent of the character-encoding of input text.<br />
-<br />
-&#160; The <span class="term">$config["clean_ms_char"]</span>&#160;parameter should not be used if authors do not copy-paste Microsoft-created text, or if the input text is not believed to use the <span class="term">Windows 1252</span>&#160;(<span class="term">Cp-1252</span>) or a similar encoding like <span class="term">Cp-1251</span>&#160;(otherwise, for example when UTF-8 encoding is in use, Japanese or Korean characters can get mangled). Further, the input form and the web-pages displaying it or its content should have the character encoding appropriately marked-up.<br />
-
-</div>
-<div class="sub-section"><h3>
-<a name="s3.2" id="s3.2"></a><span class="item-no">3.2</span>&#160; Character references/entities
-</h3><span class="totop"><a href="#peak">(to top)</a></span><br style="clear: both;" />
-<br />
-&#160; Valid character entities take the form <span class="term">&amp;&#42;;</span>&#160;where <span class="term">&#42;</span>&#160;is <span class="term">#x</span>&#160;followed by a hexadecimal number (hexadecimal numeric entity; like <span class="term">&amp;#xA0;</span>&#160;for non-breaking space), or alphanumeric like <span class="term">gt</span>&#160;(external or named entity; like <span class="term">&amp;nbsp;</span>&#160;for non-breaking space), or <span class="term">#</span>&#160;followed by a number (decimal numeric entity; like <span class="term">&amp;#160;</span>&#160;for non-breaking space). Character entities referring to the soft-hyphen character (the <span class="term">&amp;shy;</span>&#160;or <span class="term">\xad</span>&#160;character; hexadecimal code-point <span class="term">ad</span>&#160;[decimal <span class="term">173</span>]) in URL-accepting attribute values are always replaced with spaces; soft-hyphens in attribute values introduce vulnerabilities in some older versions of the Opera and Mozilla [Firefox] browsers.<br />
-<br />
-&#160; htmLawed (function <span class="term">hl_ent()</span>):<br />
-<br />
-&#160; * &#160;Neutralizes entities with multiple leading zeroes or missing semi-colons (potentially dangerous)<br />
-<br />
-&#160; * &#160;Lowercases the <span class="term">X</span>&#160;(for XML-compliance) and <span class="term">A-F</span>&#160;of hexadecimal numeric entities<br />
-<br />
-&#160; * &#160;Neutralizes entities referring to characters that are HTML-invalid (see <a href="#s3.1">section 3.1</a>)<br />
-<br />
-&#160; * &#160;Neutralizes entities referring to characters that are HTML-discouraged (code-points, hexadecimally, <span class="term">7f</span>&#160;to <span class="term">84</span>, <span class="term">86</span>&#160;to <span class="term">9f</span>, and <span class="term">fdd0</span>&#160;to <span class="term">fddf</span>, or decimally, <span class="term">127</span>&#160;to <span class="term">132</span>, <span class="term">134</span>&#160;to <span class="term">159</span>, and <span class="term">64991</span>&#160;to <span class="term">64976</span>). Entities referring to the remaining discouraged characters (see <a href="#s5.1">section 5.1</a>&#160;for a full list) are let through.<br />
-<br />
-&#160; * &#160;Neutralizes named entities that are not in the specifications<br />
-<br />
-&#160; * &#160;Optionally converts valid HTML-specific named entities except <span class="term">&amp;gt;</span>, <span class="term">&amp;lt;</span>, <span class="term">&amp;quot;</span>, and <span class="term">&amp;amp;</span>&#160;to decimal numeric ones (hexadecimal if $config["hexdec_entity"] is <span class="term">2</span>) for generic XML-compliance. For this, <span class="term">$config["named_entity"]</span>&#160;should be <span class="term">1</span>.<br />
-<br />
-&#160; * &#160;Optionally converts hexadecimal numeric entities to the more widely supported decimal ones. For this, <span class="term">$config["hexdec_entity"]</span>&#160;should be <span class="term">0</span>.<br />
-<br />
-&#160; * &#160;Optionally converts decimal numeric entities to the hexadecimal ones. For this, <span class="term">$config["hexdec_entity"]</span>&#160;should be <span class="term">2</span>.<br />
-<br />
-&#160; <em>Neutralization</em>&#160;refers to the <em>entitification</em>&#160;of <span class="term">&amp;</span>&#160;to <span class="term">&amp;amp;</span>.<br />
-<br />
-&#160; <strong>Note</strong>: htmLawed does not convert entities to the actual characters represented by them; one can pass the htmLawed output through PHP's <span class="term">html_entity_decode</span>&#160;<a href="http://www.php.net/html_entity_decode">function</a>&#160;for that.<br />
-<br />
-&#160; <strong>Note</strong>: If <span class="term">$config["and_mark"]</span>&#160;is set, and set to a value other than <span class="term">0</span>, then the <span class="term">&amp;</span>&#160;characters in the original input are replaced with the control character for the hexadecimal code-point <span class="term">6</span>&#160;(<span class="term">\x06</span>; <span class="term">&amp;</span>&#160;characters introduced by htmLawed, e.g., after converting <span class="term">&lt;</span>&#160;to <span class="term">&amp;lt;</span>, are not affected). This allows one to distinguish, say, an <span class="term">&amp;gt;</span>&#160;introduced by htmLawed and an <span class="term">&amp;gt;</span>&#160;put in by the input writer, and can be helpful in further processing of the htmLawed-processed text (e.g., to identify the character sequence <span class="term">o(&gt;&lt;)o</span>&#160;to generate an emoticon image). When this feature is active, admins should ensure that the htmLawed output is not directly used in web pages or XML documents as the presence of the <span class="term">\x06</span>&#160;can break documents. Before use in such documents, and preferably before any storage, any remaining <span class="term">\x06</span>&#160;should be changed back to <span class="term">&amp;</span>, e.g., with:<br />
-<br />
-
-<code class="code">&#160; &#160; $final = str_replace("\x06", &#39;&amp;&#39;, $prelim);</code>
-<br />
-<br />
-&#160; Also, see <a href="#s3.9">section 3.9</a>.<br />
-
-</div>
-<div class="sub-section"><h3>
-<a name="s3.3" id="s3.3"></a><span class="item-no">3.3</span>&#160; HTML elements
-</h3><span class="totop"><a href="#peak">(to top)</a></span><br style="clear: both;" />
-<br />
-&#160; htmLawed can be configured to allow only certain HTML elements (tags) in the input. Disallowed elements (just tag-content, and not element-content), based on <span class="term">$config["keep_bad"]</span>, are either <em>neutralized</em>&#160;(converted to plain text by entitification of <span class="term">&lt;</span>&#160;and <span class="term">&gt;</span>) or removed.<br />
-<br />
-&#160; E.g., with only <span class="term">em</span>&#160;permitted:<br />
-<br />
-&#160; Input:<br />
-<br />
-
-<code class="code">&#160; &#160; &#160; &lt;em&gt;My&lt;/em&gt; website is &lt;a href="http&#58;//a.com&gt;a.com&lt;/a&gt;.</code>
-<br />
-<br />
-&#160; Output, with <span class="term">$config["keep_bad"] = 0</span>:<br />
-<br />
-
-<code class="code">&#160; &#160; &#160; &lt;em&gt;My&lt;/em&gt; website is a.com.</code>
-<br />
-<br />
-&#160; Output, with <span class="term">$config["keep_bad"]</span>&#160;not <span class="term">0</span>:<br />
-<br />
-
-<code class="code">&#160; &#160; &#160; &lt;em&gt;My&lt;/em&gt; website is &amp;lt;a href=""&amp;gt;a.com&amp;lt;/a&amp;gt;.</code>
-<br />
-<br />
-&#160; See <a href="#s3.3.3">section 3.3.3</a>&#160;for differences between the various non-zero <span class="term">$config["keep_bad"]</span>&#160;values.<br />
-<br />
-&#160; htmLawed by default permits these 118 HTML elements:<br />
-<br />
-
-<code class="code">&#160; &#160; a, abbr, acronym, address, applet, area, article, aside, audio, b, bdi, bdo, big, blockquote, br, button, canvas, caption, center, cite, code, col, colgroup, command, data, datalist, dd, del, details, dfn, dir, div, dl, dt, em, embed, fieldset, figcaption, figure, font, footer, form, h1, h2, h3, h4, h5, h6, header, hgroup, hr, i, iframe, img, input, ins, isindex, kbd, keygen, label, legend, li, link, main, map, mark, menu, meta, meter, nav, noscript, object, ol, optgroup, option, output, p, param, pre, progress, q, rb, rbc, rp, rt, rtc, ruby, s, samp, script, section, select, small, source, span, strike, strong, style, sub, summary, sup, table, tbody, td, textarea, tfoot, th, thead, time, tr, track, tt, u, ul, var, video, wbr</code>
-<br />
-<br />
-&#160; The HTML version 4 elements <span class="term">acronym</span>, <span class="term">applet</span>, <span class="term">big</span>, <span class="term">center</span>, <span class="term">dir</span>, <span class="term">font</span>, <span class="term">strike</span>, and <span class="term">tt</span>&#160;are obsolete/deprecated in HTML version 5. On the other hand, the obsolete/deprecated HTML 4 elements <span class="term">embed</span>, <span class="term">menu</span>&#160;and <span class="term">u</span>&#160;are no longer so in HTML 5. Elements new to HTML 5 are <span class="term">article</span>, <span class="term">aside</span>, <span class="term">audio</span>, <span class="term">bdi</span>, <span class="term">canvas</span>, <span class="term">command</span>, <span class="term">data</span>, <span class="term">datalist</span>, <span class="term">details</span>, <span class="term">figure</span>, <span class="term">figcaption</span>, <span class="term">footer</span>, <span class="term">header</span>, <span class="term">hgroup</span>, <span class="term">keygen</span>, <span class="term">link</span>, <span class="term">main</span>, <span class="term">mark</span>, <span class="term">meta</span>, <span class="term">meter</span>, <span class="term">nav</span>, <span class="term">output</span>, <span class="term">progress</span>, <span class="term">section</span>, <span class="term">source</span>, <span class="term">style</span>, <span class="term">summary</span>, <span class="term">time</span>, <span class="term">track</span>, <span class="term">video</span>, and <span class="term">wbr</span>. The <span class="term">link</span>, <span class="term">meta</span>&#160;and <span class="term">style</span>&#160;elements exist in HTML 4 but are not allowed in the HTML body. These 16 elements are <em>empty</em>&#160;elements that have an opening tag with possible content but no element content (thus, no closing tag): <span class="term">area</span>, <span class="term">br</span>, <span class="term">col</span>, <span class="term">command</span>, <span class="term">embed</span>, <span class="term">hr</span>, <span class="term">img</span>, <span class="term">input</span>, <span class="term">isindex</span>, <span class="term">keygen</span>, <span class="term">link</span>, <span class="term">meta</span>, <span class="term">param</span>, <span class="term">source</span>, <span class="term">track</span>, and <span class="term">wbr</span>.<br />
-<br />
-&#160; With <span class="term">$config["safe"] = 1</span>, the default set will exclude <span class="term">applet</span>, <span class="term">audio</span>, <span class="term">canvas</span>, <span class="term">embed</span>, <span class="term">iframe</span>, <span class="term">object</span>, <span class="term">script</span>&#160;and <span class="term">video</span>; see <a href="#s3.6">section 3.6</a>.<br />
-<br />
-&#160; When <span class="term">$config["elements"]</span>, which specifies allowed elements, is <em>properly</em>&#160;defined, and neither empty nor set to <span class="term">0</span>&#160;or <span class="term">&#42;</span>, the default set is not used. To have elements added to or removed from the default set, a <span class="term">+/-</span>&#160;notation is used. E.g., <span class="term">&#42;-script-object</span>&#160;implies that only <span class="term">script</span>&#160;and <span class="term">object</span>&#160;are disallowed, whereas <span class="term">&#42;+embed</span>&#160;means that <span class="term">noembed</span>&#160;is also allowed. Elements can also be specified as comma separated names. E.g., <span class="term">a, b, i</span>&#160;means only <span class="term">a</span>, <span class="term">b</span>&#160;and <span class="term">i</span>&#160;are permitted. In this notation, <span class="term">&#42;</span>, <span class="term">+</span>&#160;and <span class="term">-</span>&#160;have no significance and can actually cause a mis-reading.<br />
-<br />
-&#160; Some more examples of <span class="term">$config["elements"]</span>&#160;values indicating permitted elements (note that empty spaces are liberally allowed for clarity):<br />
-<br />
-&#160; * &#160;<span class="term">a, blockquote, code, em, strong</span>&#160;-- only <span class="term">a</span>, <span class="term">blockquote</span>, <span class="term">code</span>, <span class="term">em</span>, and <span class="term">strong</span><br />
-&#160; * &#160;<span class="term">&#42;-script</span>&#160;-- all excluding <span class="term">script</span><br />
-&#160; * &#160;<span class="term">&#42; -acronym -big -center -dir -font -isindex -s -strike -tt</span>&#160;-- only non-obsolete/deprecated elements of HTML5<br />
-&#160; * &#160;<span class="term">&#42;+noembed-script</span>&#160;-- all including <span class="term">noembed</span>&#160;excluding <span class="term">script</span><br />
-<br />
-&#160; Some mis-usages (and the resulting permitted elements) that can be avoided:<br />
-<br />
-&#160; * &#160;<span class="term">-&#42;</span>&#160;-- none; instead of htmLawed, one might just use, e.g., the <span class="term">htmlspecialchars()</span>&#160;PHP function<br />
-&#160; * &#160;<span class="term">&#42;, -script</span>&#160;-- all except <span class="term">script</span>; admin probably meant <span class="term">&#42;-script</span><br />
-&#160; * &#160;<span class="term">-&#42;, a, em, strong</span>&#160;-- all; admin probably meant <span class="term">a, em, strong</span><br />
-&#160; * &#160;<span class="term">&#42;</span>&#160;-- all; admin need not have set <span class="term">elements</span><br />
-&#160; * &#160;<span class="term">&#42;-form+form</span>&#160;-- all; a <span class="term">+</span>&#160;will always over-ride any <span class="term">-</span><br />
-&#160; * &#160;<span class="term">&#42;, noembed</span>&#160;-- only <span class="term">noembed</span>; admin probably meant <span class="term">&#42;+noembed</span><br />
-&#160; * &#160;<span class="term">a, +b, i</span>&#160;-- only <span class="term">a</span>&#160;and <span class="term">i</span>; admin probably meant <span class="term">a, b, i</span><br />
-<br />
-&#160; Basically, when using the <span class="term">+/-</span>&#160;notation, commas (<span class="term">,</span>) should not be used, and vice versa, and <span class="term">&#42;</span>&#160;should be used with the former but not the latter.<br />
-<br />
-&#160; <strong>Note</strong>: Even if an element that is not in the default set is allowed through <span class="term">$config["elements"]</span>, like <span class="term">noembed</span>&#160;in the last example, it will eventually be removed during tag balancing unless such balancing is turned off (<span class="term">$config["balance"]</span>&#160;set to <span class="term">0</span>). Currently, the only way around this, which actually is simple, is to edit htmLawed's PHP code which define various arrays in the function <span class="term">hl_bal()</span>&#160;to accommodate the element and its nesting properties.<br />
-<br />
-&#160; A possible second way to specify allowed elements is to set <span class="term">$config["parent"]</span>&#160;to an element name that supposedly will hold the input, and to set <span class="term">$config["balance"]</span>&#160;to <span class="term">1</span>. During tag balancing (see <a href="#s3.3.3">section 3.3.3</a>), all elements that cannot legally nest inside the parent element will be removed. The parent element is auto-reset to <span class="term">div</span>&#160;if <span class="term">$config["parent"]</span>&#160;is empty, <span class="term">body</span>, or an element not in htmLawed's default set of 118 elements.<br />
-<br />
-&#160; <em>Tag transformation</em>&#160;is possible for improving compliance with HTML standards -- most of the obsolete/deprecated elements of HTML version 5 are converted to valid &#160;ones; see <a href="#s3.3.2">section 3.3.2</a>.<br />
-
-<div class="sub-sub-section"><h4>
-<a name="s3.3.1" id="s3.3.1"></a><span class="item-no">3.3.1</span>&#160; Handling of comments &amp; CDATA sections
-</h4><span class="totop"><a href="#peak">(to top)</a></span><br style="clear: both;" />
-<br />
-&#160; <span class="term">CDATA</span>&#160;sections have the format <span class="term">&lt;![CDATA[...anything but not "]]&gt;"...]]&gt;</span>, and HTML comments, <span class="term">&lt;!--...anything but not "--&gt;"... --&gt;</span>. Neither HTML comments nor <span class="term">CDATA</span>&#160;sections can reside inside tags. HTML comments can exist anywhere else, but <span class="term">CDATA</span>&#160;sections can exist only where plain text is allowed (e.g., immediately inside <span class="term">td</span>&#160;element content but not immediately inside <span class="term">tr</span>&#160;element content).<br />
-<br />
-&#160; htmLawed (function <span class="term">hl_cmtcd()</span>) handles HTML comments or <span class="term">CDATA</span>&#160;sections depending on the values of <span class="term">$config["comment"]</span>&#160;or <span class="term">$config["cdata"]</span>. If <span class="term">0</span>, such markup is not looked for and the text is processed like plain text. If <span class="term">1</span>, it is removed completely. If <span class="term">2</span>, it is preserved but any <span class="term">&lt;</span>, <span class="term">&gt;</span>&#160;and <span class="term">&amp;</span>&#160;inside are changed to entities. If <span class="term">3</span>&#160;for <span class="term">$config["cdata"]</span>, or <span class="term">3</span>&#160;or <span class="term">4</span>&#160;for <span class="term">$config["comment"]</span>, they are left as such. When <span class="term">$config["comment"]</span>&#160;is set to <span class="term">4</span>, htmLawed will not force a space character before the <span class="term">--&gt;</span>&#160;comment-closing marker. While such a space is required for standard-compliance, it can corrupt marker code put in HTML by some software (such as Microsoft Outlook).<br />
-<br />
-&#160; Note that for the last two cases, HTML comments and <span class="term">CDATA</span>&#160;sections will always be removed from tag content (function <span class="term">hl_tag()</span>).<br />
-<br />
-&#160; Examples:<br />
-<br />
-&#160; Input:<br />
-
-<code class="code">&#160; &#160; &lt;!-- home link--&gt;&lt;a href="home.htm"&gt;&lt;![CDATA[x=&amp;y]]&gt;Home&lt;/a&gt;</code>
-<br />
-&#160; Output (<span class="term">$config["comment"] = 0, $config["cdata"] = 2</span>):<br />
-
-<code class="code">&#160; &#160; &amp;lt;-- home link--&amp;gt;&lt;a href="home.htm"&gt;&lt;![CDATA[x=&amp;amp;y]]&gt;Home&lt;/a&gt;</code>
-<br />
-&#160; Output (<span class="term">$config["comment"] = 1, $config["cdata"] = 2</span>):<br />
-
-<code class="code">&#160; &#160; &lt;a href="home.htm"&gt;&lt;![CDATA[x=&amp;amp;y]]&gt;Home&lt;/a&gt;</code>
-<br />
-&#160; Output (<span class="term">$config["comment"] = 2, $config["cdata"] = 2</span>):<br />
-
-<code class="code">&#160; &#160; &lt;!-- home link --&gt;&lt;a href="home.htm"&gt;&lt;![CDATA[x=&amp;amp;y]]&gt;Home&lt;/a&gt;</code>
-<br />
-&#160; Output (<span class="term">$config["comment"] = 2, $config["cdata"] = 1</span>):<br />
-
-<code class="code">&#160; &#160; &lt;!-- home link --&gt;&lt;a href="home.htm"&gt;Home&lt;/a&gt;</code>
-<br />
-&#160; Output (<span class="term">$config["comment"] = 3, $config["cdata"] = 3</span>):<br />
-
-<code class="code">&#160; &#160; &lt;!-- home link --&gt;&lt;a href="home.htm"&gt;&lt;![CDATA[x=&amp;y]]&gt;Home&lt;/a&gt;</code>
-<br />
-&#160; Output (<span class="term">$config["comment"] = 4, $config["cdata"] = 3</span>):<br />
-
-<code class="code">&#160; &#160; &lt;!-- home link--&gt;&lt;a href="home.htm"&gt;&lt;![CDATA[x=&amp;y]]&gt;Home&lt;/a&gt;</code>
-<br />
-<br />
-&#160; For standard-compliance, comments are given the form <span class="term">&lt;!--comment --&gt;</span>, and any <span class="term">--</span>&#160;in the content is made <span class="term">-</span>. When <span class="term">$config["comment"]</span>&#160;is set to <span class="term">4</span>, htmLawed will not force a space character before the <span class="term">--&gt;</span>&#160;comment-closing marker.<br />
-<br />
-&#160; When <span class="term">$config["safe"] = 1</span>, CDATA sections and comments are considered plain text unless <span class="term">$config["comment"]</span>&#160;or <span class="term">$config["cdata"]</span>&#160;is explicitly specified; see <a href="#s3.6">section 3.6</a>.<br />
-
-</div>
-<div class="sub-sub-section"><h4>
-<a name="s3.3.2" id="s3.3.2"></a><span class="item-no">3.3.2</span>&#160; Tag-transformation for better compliance with standards
-</h4><span class="totop"><a href="#peak">(to top)</a></span><br style="clear: both;" />
-<br />
-&#160; If <span class="term">$config["make_tag_strict"]</span>&#160;is set and not <span class="term">0</span>, following deprecated elements (and attributes), as per HTML 5 specification, even if admin-permitted, are mutated as indicated (element content remains intact; function <span class="term">hl_tag2()</span>):<br />
-<br />
-&#160; * &#160;acronym - <span class="term">abbr</span><br />
-&#160; * &#160;applet - based on <span class="term">$config["make_tag_strict"]</span>, unchanged (<span class="term">1</span>) or removed (<span class="term">2</span>)<br />
-&#160; * &#160;big - <span class="term">span style="font-size&#58; larger;"</span><br />
-&#160; * &#160;center - <span class="term">div style="text-align&#58; center;"</span><br />
-&#160; * &#160;dir - <span class="term">ul</span><br />
-&#160; * &#160;font (face, size, color) - &#160; &#160;<span class="term">span style="font-family&#58; ; font-size&#58; ; color&#58; ;"</span>&#160;(size transformation <a href="http://web.archive.org/web/20180201141931/http://style.cleverchimp.com/font_size_intervals/altintervals.html">reference</a>)<br />
-&#160; * &#160;isindex - based on <span class="term">$config["make_tag_strict"]</span>, unchanged (<span class="term">1</span>) or removed (<span class="term">2</span>)<br />
-&#160; * &#160;s - <span class="term">span style="text-decoration&#58; line-through;"</span><br />
-&#160; * &#160;strike - <span class="term">span style="text-decoration&#58; line-through;"</span><br />
-&#160; * &#160;tt - <span class="term">code</span><br />
-<br />
-&#160; For an element with a pre-existing <span class="term">style</span>&#160;attribute value, the extra style properties are appended.<br />
-<br />
-&#160; Example input:<br />
-<br />
-
-<code class="code">&#160; &#160; &lt;center&gt;</code>
-<br />
-
-<code class="code">&#160; &#160; &#160;The PHP &lt;s&gt;software&lt;/s&gt; script used for this &lt;strike&gt;web-page&lt;/strike&gt; web-page is &lt;font style="font-weight&#58; bold " face=arial size=&#39;+3&#39; color &#160; = &#160;"red &#160;"&gt;htmLawedTest.php&lt;/font&gt;, from &lt;u style= &#39;color&#58;green&#39;&gt;PHP Labware&lt;/u&gt;.</code>
-<br />
-
-<code class="code">&#160; &#160; &lt;/center&gt;</code>
-<br />
-<br />
-&#160; The output:<br />
-<br />
-
-<code class="code">&#160; &#160; &lt;div style="text-align&#58; center;"&gt;</code>
-<br />
-
-<code class="code">&#160; &#160; &#160;The PHP &lt;span style="text-decoration&#58; line-through;"&gt;software&lt;/span&gt; script used for this &lt;span style="text-decoration&#58; line-through;"&gt;web-page&lt;/span&gt; web-page is &lt;span style="font-weight&#58; bold; font-size&#58; 200%; color&#58; red; font-family&#58; arial;"&gt;htmLawedTest.php&lt;/span&gt;, from &lt;u style="color&#58;green"&gt;PHP Labware&lt;/u&gt;.</code>
-<br />
-
-<code class="code">&#160; &#160; &lt;/div&gt;</code>
-<br />
-
-</div>
-<div class="sub-sub-section"><h4>
-<a name="s3.3.3" id="s3.3.3"></a><span class="item-no">3.3.3</span>&#160; Tag balancing &amp; proper nesting
-</h4><span class="totop"><a href="#peak">(to top)</a></span><br style="clear: both;" />
-<br />
-&#160; If <span class="term">$config["balance"]</span>&#160;is set to <span class="term">1</span>, htmLawed (function <span class="term">hl_bal()</span>) checks and corrects the input to have properly balanced tags and legal element content (i.e., any element nesting should be valid, and plain text may be present only in the content of elements that allow them).<br />
-<br />
-&#160; Depending on the value of <span class="term">$config["keep_bad"]</span>&#160;(see <a href="#s2.2">section 2.2</a>&#160;and <a href="#s3.3">section 3.3</a>), illegal content may be removed or neutralized to plain text by converting &lt; and &gt; to entities:<br />
-<br />
-&#160; <span class="term">0</span>&#160;- remove; this option is available only to maintain Kses-compatibility and should not be used otherwise (see <a href="#s2.6">section 2.6</a>)<br />
-&#160; <span class="term">1</span>&#160;- neutralize tags and keep element content<br />
-&#160; <span class="term">2</span>&#160;- remove tags but keep element content<br />
-&#160; <span class="term">3</span>&#160;and <span class="term">4</span>&#160;- like <span class="term">1</span>&#160;and <span class="term">2</span>, but keep element content only if text (<span class="term">pcdata</span>) is valid in parent element as per specs<br />
-&#160; <span class="term">5</span>&#160;and <span class="term">6</span>&#160;- &#160;like <span class="term">3</span>&#160;and <span class="term">4</span>, but line-breaks, tabs and spaces are left<br />
-<br />
-&#160; Example input (disallowing the <span class="term">p</span>&#160;element):<br />
-<br />
-
-<code class="code">&#160; &#160; &lt;&#42;&gt; Pseudo-tags &lt;&#42;&gt;</code>
-<br />
-
-<code class="code">&#160; &#160; &lt;xml&gt;Non-HTML tag xml&lt;/xml&gt;</code>
-<br />
-
-<code class="code">&#160; &#160; &lt;p&gt;</code>
-<br />
-
-<code class="code">&#160; &#160; Disallowed tag p</code>
-<br />
-
-<code class="code">&#160; &#160; &lt;/p&gt;</code>
-<br />
-
-<code class="code">&#160; &#160; &lt;ul&gt;Bad&lt;li&gt;OK&lt;/li&gt;&lt;/ul&gt;</code>
-<br />
-<br />
-&#160; The output with <span class="term">$config["keep_bad"] = 1</span>:<br />
-<br />
-
-<code class="code">&#160; &#160; &amp;lt;&#42;&amp;gt; Pseudo-tags &amp;lt;&#42;&amp;gt;</code>
-<br />
-
-<code class="code">&#160; &#160; &amp;lt;xml&amp;gt;Non-HTML tag xml&amp;lt;/xml&amp;gt;</code>
-<br />
-
-<code class="code">&#160; &#160; &amp;lt;p&amp;gt;</code>
-<br />
-
-<code class="code">&#160; &#160; Disallowed tag p</code>
-<br />
-
-<code class="code">&#160; &#160; &amp;lt;/p&amp;gt;</code>
-<br />
-
-<code class="code">&#160; &#160; &lt;ul&gt;Bad&lt;li&gt;OK&lt;/li&gt;&lt;/ul&gt;</code>
-<br />
-<br />
-&#160; The output with <span class="term">$config["keep_bad"] = 3</span>:<br />
-<br />
-
-<code class="code">&#160; &#160; &amp;lt;&#42;&amp;gt; Pseudo-tags &amp;lt;&#42;&amp;gt;</code>
-<br />
-
-<code class="code">&#160; &#160; &amp;lt;xml&amp;gt;Non-HTML tag xml&amp;lt;/xml&amp;gt;</code>
-<br />
-
-<code class="code">&#160; &#160; &amp;lt;p&amp;gt;</code>
-<br />
-
-<code class="code">&#160; &#160; Disallowed tag p</code>
-<br />
-
-<code class="code">&#160; &#160; &amp;lt;/p&amp;gt;</code>
-<br />
-
-<code class="code">&#160; &#160; &lt;ul&gt;&lt;li&gt;OK&lt;/li&gt;&lt;/ul&gt;</code>
-<br />
-<br />
-&#160; The output with <span class="term">$config["keep_bad"] = 6</span>:<br />
-<br />
-
-<code class="code">&#160; &#160; &amp;lt;&#42;&amp;gt; Pseudo-tags &amp;lt;&#42;&amp;gt;</code>
-<br />
-
-<code class="code">&#160; &#160; Non-HTML tag xml</code>
-<br />
-<br />
-
-<code class="code">&#160; &#160; Disallowed tag p</code>
-<br />
-<br />
-
-<code class="code">&#160; &#160; &lt;ul&gt;&lt;li&gt;OK&lt;/li&gt;&lt;/ul&gt;</code>
-<br />
-<br />
-&#160; An option like <span class="term">1</span>&#160;is useful, e.g., when a writer previews his submission, whereas one like <span class="term">3</span>&#160;is useful before content is finalized and made available to all.<br />
-<br />
-&#160; <strong>Note:</strong>&#160;In the example above, unlike <span class="term">&lt;&#42;&gt;</span>, <span class="term">&lt;xml&gt;</span>&#160;gets considered as a tag (even though there is no HTML element named <span class="term">xml</span>). Thus, the <span class="term">keep_bad</span>&#160;parameter's value affects <span class="term">&lt;xml&gt;</span>&#160;but not <span class="term">&lt;&#42;&gt;</span>. In general, text matching the regular expression pattern <span class="term">&lt;(/?)([a-zA-Z][a-zA-Z1-6]&#42;)([^&gt;]&#42;?)\s?&gt;</span>&#160;is considered a tag (phrase enclosed by the angled brackets <span class="term">&lt;</span>&#160;and <span class="term">&gt;</span>, and starting [with an optional slash preceding] with an alphanumeric word that starts with an alphabet...), and is subjected to the <span class="term">keep_bad</span>&#160;value.<br />
-<br />
-&#160; Nesting/content rules for each of the 118 elements in htmLawed's default set (see <a href="#s3.3">section 3.3</a>) are defined in function <span class="term">hl_bal()</span>. This means that if a non-standard element besides <span class="term">embed</span>&#160;is being permitted through <span class="term">$config["elements"]</span>, the element's tag content will end up getting removed if <span class="term">$config["balance"]</span>&#160;is set to <span class="term">1</span>.<br />
-<br />
-&#160; Plain text and/or certain elements nested inside <span class="term">blockquote</span>, <span class="term">form</span>, <span class="term">map</span>&#160;and <span class="term">noscript</span>&#160;need to be in block-level elements. This point is often missed during manual writing of HTML code. htmLawed attempts to address this during balancing. E.g., if the parent container is set as <span class="term">form</span>, the input <span class="term">B&#58;&lt;input type="text" value="b" /&gt;C&#58;&lt;input type="text" value="c" /&gt;</span>&#160;is converted to <span class="term">&lt;div&gt;B&#58;&lt;input type="text" value="b" /&gt;C&#58;&lt;input type="text" value="c" /&gt;&lt;/div&gt;</span>.<br />
-
-</div>
-<div class="sub-sub-section"><h4>
-<a name="s3.3.4" id="s3.3.4"></a><span class="item-no">3.3.4</span>&#160; Elements requiring child elements
-</h4><span class="totop"><a href="#peak">(to top)</a></span><br style="clear: both;" />
-<br />
-&#160; As per HTML specifications, elements such as those below require legal child elements nested inside them:<br />
-<br />
-
-<code class="code">&#160; &#160; blockquote, dir, dl, form, map, menu, noscript, ol, optgroup, rbc, rtc, ruby, select, table, tbody, tfoot, thead, tr, ul</code>
-<br />
-<br />
-&#160; In some cases, the specifications stipulate the number and/or the ordering of the child elements. A <span class="term">table</span>&#160;can have 0 or 1 <span class="term">caption</span>, <span class="term">tbody</span>, <span class="term">tfoot</span>, and <span class="term">thead</span>, but they must be in this order: <span class="term">caption</span>, <span class="term">thead</span>, <span class="term">tfoot</span>, <span class="term">tbody</span>.<br />
-<br />
-&#160; htmLawed currently does not check for conformance to these rules. Note that any non-compliance in this regard will not introduce security vulnerabilities, crash browser applications, or affect the rendering of web-pages.<br />
-<br />
-&#160; With <span class="term">$config["direct_list_nest"]</span>&#160;set to <span class="term">1</span>, htmLawed will allow direct nesting of <span class="term">ol</span>, <span class="term">ul</span>, or <span class="term">menu</span>&#160;list within another <span class="term">ol</span>, <span class="term">ul</span>, or <span class="term">menu</span>&#160;without requiring the child list to be within an <span class="term">li</span>&#160;of the parent list. While this may not be standard-compliant, directly nested lists are rendered properly by almost all browsers. The parameter <span class="term">$config["direct_list_nest"]</span>&#160;has no effect if tag balancing (<a href="#s3.3.3">section 3.3.3</a>) is turned off.<br />
-
-</div>
-<div class="sub-sub-section"><h4>
-<a name="s3.3.5" id="s3.3.5"></a><span class="item-no">3.3.5</span>&#160; Beautify or compact HTML
-</h4><span class="totop"><a href="#peak">(to top)</a></span><br style="clear: both;" />
-<br />
-&#160; By default, htmLawed will neither <em>beautify</em>&#160;HTML code by formatting it with indentations, etc., nor will it make it compact by removing un-needed white-space.(It does always properly white-space tag content.)<br />
-<br />
-&#160; As per the HTML standards, spaces, tabs and line-breaks in web-pages (except those inside <span class="term">pre</span>&#160;elements) are all considered equivalent, and referred to as <em>white-spaces</em>. Browser applications are supposed to consider contiguous white-spaces as just a single space, and to disregard white-spaces trailing opening tags or preceding closing tags. This white-space <em>normalization</em>&#160;allows the use of text/code beautifully formatted with indentations and line-spacings for readability. Such <em>pretty</em>&#160;HTML can, however, increase the size of web-pages, or make the extraction or scraping of plain text cumbersome.<br />
-<br />
-&#160; With the <span class="term">$config</span>&#160;parameter <span class="term">tidy</span>, htmLawed can be used to beautify or compact the input text. Input with just plain text and no HTML markup is also subject to this. Besides <span class="term">pre</span>, the <span class="term">script</span>&#160;and <span class="term">textarea</span>&#160;elements, CDATA sections, and HTML comments are not subjected to the tidying process.<br />
-<br />
-&#160; To <em>compact</em>, use <span class="term">$config["tidy"] = -1</span>; single instances or runs of white-spaces are replaced with a single space, and white-spaces trailing and leading open and closing tags, respectively, are removed.<br />
-<br />
-&#160; To <em>beautify</em>, <span class="term">$config["tidy"]</span>&#160;is set as <span class="term">1</span>, or for customized tidying, as a string like <span class="term">2s2n</span>. The <span class="term">s</span>&#160;or <span class="term">t</span>&#160;character specifies the use of spaces or tabs for indentation. The first and third characters, any of the digits 0-9, specify the number of spaces or tabs per indentation, and any parental lead spacing (extra indenting of the whole block of input text). The <span class="term">r</span>&#160;and <span class="term">n</span>&#160;characters are used to specify line-break characters: <span class="term">n</span>&#160;for <span class="term">\n</span>&#160;(Unix/Mac OS X line-breaks), <span class="term">rn</span>&#160;or <span class="term">nr</span>&#160;for <span class="term">\r\n</span>&#160;(Windows/DOS line-breaks), or <span class="term">r</span>&#160;for <span class="term">\r</span>.<br />
-<br />
-&#160; The <span class="term">$config["tidy"]</span>&#160;value of <span class="term">1</span>&#160;is equivalent to <span class="term">2s0n</span>. Other <span class="term">$config["tidy"]</span>&#160;values are read loosely: a value of <span class="term">4</span>&#160;is equivalent to <span class="term">4s0n</span>; <span class="term">t2</span>, to <span class="term">1t2n</span>; <span class="term">s</span>, to <span class="term">2s0n</span>; <span class="term">2TR</span>, to <span class="term">2t0r</span>; <span class="term">T1</span>, to <span class="term">1t1n</span>; <span class="term">nr3</span>, to <span class="term">3s0nr</span>, and so on. Except in the indentations and line-spacings, runs of white-spaces are replaced with a single space during beautification.<br />
-<br />
-&#160; Input formatting using <span class="term">$config["tidy"]</span>&#160;is not recommended when input text has mixed markup (like HTML + PHP).<br />
-
-</div>
-<div class="sub-section"><h3>
-<a name="s3.4" id="s3.4"></a><span class="item-no">3.4</span>&#160; Attributes
-</h3><span class="totop"><a href="#peak">(to top)</a></span><br style="clear: both;" />
-<br />
-&#160; In its default setting, htmLawed will only permit attributes described in the HTML specifications (including deprecated ones). A list of the attributes and the elements they are allowed in is in <a href="#s5.2">section 5.2</a>. Using the <span class="term">$spec</span>&#160;argument, htmLawed can be forced to permit custom, non-standard attributes as well as custom rules for standard attributes (<a href="#s2.3">section 2.3</a>).<br />
-<br />
-&#160; Custom <em>data-*</em>&#160;(<em>data-star</em>) attributes, where the first three characters of the value of <em>star</em>&#160;(*) after lower-casing do not equal <span class="term">xml</span>, and the value of <em>star</em>&#160;does not have a colon (:), equal-to (=), newline, solidus (/), space or tab character, or any upper-case A-Z character are allowed in all elements. ARIA, event and microdata attributes like <span class="term">aria-live</span>, <span class="term">onclick</span>&#160;and <span class="term">itemid</span>&#160;are also considered global attributes (<a href="#s5.2">section 5.2</a>).<br />
-<br />
-&#160; When <span class="term">$config["deny_attribute"]</span>&#160;is not set, or set to <span class="term">0</span>, or empty (<span class="term">""</span>), all attributes are permitted. Otherwise, <span class="term">$config["deny_attribute"]</span>&#160;can be set as a list of comma-separated names of the denied attributes. <span class="term">on&#42;</span>&#160;can be used to refer to the group of potentially dangerous, script-accepting event attributes like <span class="term">onblur</span>&#160;and <span class="term">onchange</span>&#160;that have <span class="term">on</span>&#160;at the beginning of their names. Similarly, <span class="term">aria&#42;</span>&#160;and <span class="term">data&#42;</span>&#160;can be used to respectively refer to the set of all ARIA and data-* attributes.<br />
-<br />
-&#160; With <span class="term">$config["safe"] = 1</span>&#160;(<a href="#s3.6">section 3.6</a>), the <span class="term">on&#42;</span>&#160;event attributes are automatically disallowed even if a value for <span class="term">$config["deny_attribute"]</span>&#160;has been manually provided.<br />
-<br />
-&#160; Note that attributes specified in <span class="term">$config["deny_attribute"]</span>&#160;are denied globally, for all elements. To deny attributes for only specific elements, <span class="term">$spec</span>&#160;(see <a href="#s2.3">section 2.3</a>) can be used. <span class="term">$spec</span>&#160;can also be used to element-specifically permit an attribute otherwise denied through <span class="term">$config["deny_attribute"]</span>.<br />
-<br />
-&#160; Finer restrictions on attributes can also be put into effect through <span class="term">$config["deny_attribute"]</span>&#160;(<a href="3.4.9">section</a>).<br />
-<br />
-&#160; <strong>Note</strong>: To deny all but a few attributes globally, a simpler way to specify <span class="term">$config["deny_attribute"]</span>&#160;would be to use the notation <span class="term">&#42; -attribute1 -attribute2 ...</span>. Thus, a value of <span class="term">&#42; -title -href</span>&#160;implies that except <span class="term">href</span>&#160;and <span class="term">title</span>&#160;(where allowed as per standards) all other attributes are to be removed. With this notation, the value for the parameter <span class="term">safe</span>&#160;(<a href="#s3.6">section 3.6</a>) will have no effect on <span class="term">deny_attribute</span>. Values of <span class="term">aria&#42;</span>&#160;<span class="term">data&#42;</span>, and <span class="term">on&#42;</span>&#160;cannot be used in this notation to refer to the sets of all ARIA, data-*, and on* attributes respectively.<br />
-<br />
-&#160; htmLawed (function <span class="term">hl_tag()</span>) also:<br />
-<br />
-&#160; * &#160;Lower-cases attribute names<br />
-&#160; * &#160;Removes duplicate attributes (last one stays)<br />
-&#160; * &#160;Gives attributes the form <span class="term">name="value"</span>&#160;and single-spaces them, removing unnecessary white-spacing<br />
-&#160; * &#160;Provides <em>required</em>&#160;attributes (see <a href="#s3.4.1">section 3.4.1</a>)<br />
-&#160; * &#160;Double-quotes values and escapes any <span class="term">"</span>&#160;inside them<br />
-&#160; * &#160;Replaces the possibly dangerous soft-hyphen characters (hexadecimal code-point <span class="term">ad</span>) in the values with spaces<br />
-&#160; * &#160;Allows custom function to additionally filter/modify attribute values (see <a href="#s3.4.9">section 3.4.9</a>)<br />
-
-<div class="sub-sub-section"><h4>
-<a name="s3.4.1" id="s3.4.1"></a><span class="item-no">3.4.1</span>&#160; Auto-addition of XHTML-required attributes
-</h4><span class="totop"><a href="#peak">(to top)</a></span><br style="clear: both;" />
-<br />
-&#160; If indicated attributes for the following elements are found missing, htmLawed (function <span class="term">hl_tag()</span>) will add them (with values same as attribute names unless indicated otherwise below):<br />
-<br />
-&#160; * &#160;area - alt (<span class="term">area</span>)<br />
-&#160; * &#160;area, img - src, alt (<span class="term">image</span>)<br />
-&#160; * &#160;bdo - dir (<span class="term">ltr</span>)<br />
-&#160; * &#160;form - action<br />
-&#160; * &#160;label - command<br />
-&#160; * &#160;map - name<br />
-&#160; * &#160;optgroup - label<br />
-&#160; * &#160;param - name<br />
-&#160; * &#160;style - scoped<br />
-&#160; * &#160;textarea - rows (<span class="term">10</span>), cols (<span class="term">50</span>)<br />
-<br />
-&#160; Additionally, with <span class="term">$config["xml&#58;lang"]</span>&#160;set to <span class="term">1</span>&#160;or <span class="term">2</span>, if the <span class="term">lang</span>&#160;but not the <span class="term">xml&#58;lang</span>&#160;attribute is declared, then the latter is added too, with a value copied from that of <span class="term">lang</span>. This is for better standard-compliance. With <span class="term">$config["xml&#58;lang"]</span>&#160;set to <span class="term">2</span>, the <span class="term">lang</span>&#160;attribute is removed (XHTML specification).<br />
-<br />
-&#160; Note that the <span class="term">name</span>&#160;attribute for <span class="term">map</span>, invalid in XHTML, is also transformed if required -- see <a href="#s3.4.6">section 3.4.6</a>.<br />
-
-</div>
-<div class="sub-sub-section"><h4>
-<a name="s3.4.2" id="s3.4.2"></a><span class="item-no">3.4.2</span>&#160; Duplicate/invalid <span class="term">id</span>&#160;values
-</h4><span class="totop"><a href="#peak">(to top)</a></span><br style="clear: both;" />
-<br />
-&#160; If <span class="term">$config["unique_ids"]</span>&#160;is <span class="term">1</span>, htmLawed (function <span class="term">hl_tag()</span>) removes <span class="term">id</span>&#160;attributes with values that are not standards-compliant (must not have a space character) or duplicate. If <span class="term">$config["unique_ids"]</span>&#160;is a word (without a non-word character like space), any duplicate but otherwise valid value will be appropriately prefixed with the word to ensure its uniqueness.<br />
-<br />
-&#160; Even if multiple inputs need to be filtered (through multiple calls to htmLawed), htmLawed ensures uniqueness of <span class="term">id</span>&#160;values as it uses a global variable (<span class="term">$GLOBALS["hl_Ids"]</span>&#160;array). Further, an admin can restrict the use of certain <span class="term">id</span>&#160;values by presetting this variable before htmLawed is called into use. E.g.:<br />
-<br />
-
-<code class="code">&#160; &#160; $GLOBALS[&#39;hl_Ids&#39;] = array(&#39;top&#39;=&gt;1, &#39;bottom&#39;=&gt;1, &#39;myform&#39;=&gt;1); // id values not allowed in input</code>
-<br />
-
-<code class="code">&#160; &#160; $processed = htmLawed($text); // filter input</code>
-<br />
-
-</div>
-<div class="sub-sub-section"><h4>
-<a name="s3.4.3" id="s3.4.3"></a><span class="item-no">3.4.3</span>&#160; URL schemes &amp; scripts in attribute values
-</h4><span class="totop"><a href="#peak">(to top)</a></span><br style="clear: both;" />
-<br />
-&#160; htmLawed edits attributes that take URLs as values if they are found to contain un-permitted schemes. E.g., if the <span class="term">afp</span>&#160;scheme is not permitted, then <span class="term">&lt;a href="afp&#58;//domain.org"&gt;</span>&#160;becomes <span class="term">&lt;a href="denied&#58;afp&#58;//domain.org"&gt;</span>, and if Javascript is not permitted <span class="term">&lt;a onclick="javascript&#58;xss();"&gt;</span>&#160;becomes <span class="term">&lt;a onclick="denied&#58;javascript&#58;xss();"&gt;</span>.<br />
-<br />
-&#160; By default htmLawed permits these schemes in URLs for the <span class="term">href</span>&#160;attribute:<br />
-<br />
-
-<code class="code">&#160; &#160; aim, app, feed, file, ftp, gopher, http, https, javascript, irc, mailto, news, nntp, sftp, ssh, tel, telnet</code>
-<br />
-<br />
-&#160; Also, only <span class="term">data</span>, <span class="term">file</span>, <span class="term">http</span>, <span class="term">https</span>&#160;and <span class="term">javascript</span>&#160;are permitted in these attributes that accept URLs:<br />
-<br />
-
-<code class="code">&#160; &#160; action, cite, classid, codebase, data, itemtype, longdesc, model, pluginspage, pluginurl, src, srcset, style, usemap, and event attributes like onclick</code>
-<br />
-<br />
-&#160; With <span class="term">$config["safe"] = 1</span>&#160;(<a href="#s3.6">section 3.6</a>), the above is changed to disallow <span class="term">app</span>, <span class="term">data</span>&#160;and <span class="term">javascript</span>.<br />
-<br />
-&#160; These default sets are used when <span class="term">$config["schemes"]</span>&#160;is not set (see <a href="#s2.2">section 2.2</a>). To over-ride the defaults, <span class="term">$config["schemes"]</span>&#160;is defined as a string of semi-colon-separated sub-strings of type <span class="term">attribute&#58; comma-separated schemes</span>. E.g., <span class="term">href&#58; mailto, http, https; onclick&#58; javascript; src&#58; http, https</span>. For unspecified attributes, <span class="term">data</span>, <span class="term">file</span>, <span class="term">http</span>, <span class="term">https</span>&#160;and <span class="term">javascript</span>&#160;are permitted. This can be changed by passing schemes for <span class="term">&#42;</span>&#160;in <span class="term">$config["schemes"]</span>. E.g., <span class="term">href&#58; mailto, http, https; &#42;&#58; https, https</span>.<br />
-<br />
-&#160; <span class="term">&#42;</span>&#160;(asterisk) can be put in the list of schemes to permit all protocols. E.g., <span class="term">style&#58; &#42;; img&#58; http, https</span>&#160;results in protocols not being checked in <span class="term">style</span>&#160;attribute values. However, in such cases, any relative-to-absolute URL conversion, or vice versa, (<a href="#s3.4.4">section 3.4.4</a>) is not done. When an attribute is explicitly listed in <span class="term">$config["schemes"]</span>, then filtering is dictated by the setting for the attribute, with no effect of the setting for asterisk. That is, the set of attributes that asterisk refers to no longer includes the listed attribute.<br />
-<br />
-&#160; Thus, <em>to allow the xmpp scheme</em>, one can set <span class="term">$config["schemes"]</span>&#160;as <span class="term">href&#58; mailto, http, https; &#42;&#58; http, https, xmpp</span>, or <span class="term">href&#58; mailto, http, https, xmpp; &#42;&#58; http, https, xmpp</span>, or <span class="term">&#42;&#58; &#42;</span>, and so on. The consequence of each of these example values will be different (e.g., only the last two but not the first will allow <span class="term">xmpp</span>&#160;in <span class="term">href</span>)<br />
-<br />
-&#160; As a side-note, one may find <span class="term">style&#58; &#42;</span>&#160;useful as URLs in <span class="term">style</span>&#160;attributes can be specified in a variety of ways, and the patterns that htmLawed uses to identify URLs may mistakenly identify non-URL text.<br />
-<br />
-&#160; <span class="term">!</span>&#160;can be put in the list of schemes to disallow all protocols as well as <em>local</em>&#160;URLs. Thus, with <span class="term">href&#58; http, style&#58; !</span>, <span class="term">&lt;a href="http&#58;//cnn.com" style="background-image&#58; url(local.jpg);"&gt;CNN&lt;/a&gt;</span>&#160;will become <span class="term">&lt;a href="http&#58;//cnn.com" style="background-image&#58; url(denied&#58;local.jpg);"&gt;CNN&lt;/a&gt;</span><br />
-<br />
-&#160; <strong>Note</strong>: If URL-accepting attributes other than those listed above are being allowed, then the scheme will not be checked unless the attribute name contains the string <span class="term">src</span>&#160;(e.g., <span class="term">dynsrc</span>) or starts with <span class="term">o</span>&#160;(e.g., <span class="term">onbeforecopy</span>).<br />
-<br />
-&#160; With <span class="term">$config["safe"] = 1</span>, all URLs are disallowed in the <span class="term">style</span>&#160;attribute values.<br />
-
-</div>
-<div class="sub-sub-section"><h4>
-<a name="s3.4.4" id="s3.4.4"></a><span class="item-no">3.4.4</span>&#160; Absolute &amp; relative URLs in attribute values
-</h4><span class="totop"><a href="#peak">(to top)</a></span><br style="clear: both;" />
-<br />
-&#160; htmLawed can make absolute URLs in attributes like <span class="term">href</span>&#160;relative (<span class="term">$config["abs_url"]</span>&#160;is <span class="term">-1</span>), and vice versa (<span class="term">$config["abs_url"]</span>&#160;is <span class="term">1</span>). URLs in scripts are not considered for this, and so are URLs like <span class="term">#section_6</span>&#160;(fragment), <span class="term">?name=Tim#show</span>&#160;(starting with query string), and <span class="term">;var=1?name=Tim#show</span>&#160;(starting with parameters). Further, this requires that <span class="term">$config["base_url"]</span>&#160;be set properly, with the <span class="term">&#58;//</span>&#160;and a trailing slash (<span class="term">/</span>), with no query string, etc. E.g., <span class="term">file&#58;///D&#58;/page/</span>, <span class="term">https&#58;//abc.com/x/y/</span>, or <span class="term">http&#58;//localhost/demo/</span>&#160;are okay, but <span class="term">file&#58;///D&#58;/page/?help=1</span>, <span class="term">abc.com/x/y/</span>&#160;and <span class="term">http&#58;//localhost/demo/index.htm</span>&#160;are not.<br />
-<br />
-&#160; For making absolute URLs relative, only those URLs that have the <span class="term">$config["base_url"]</span>&#160;string at the beginning are converted. E.g., with <span class="term">$config["base_url"] = "https&#58;//abc.com/x/y/"</span>, <span class="term">https&#58;//abc.com/x/y/a.gif</span>&#160;and <span class="term">https&#58;//abc.com/x/y/z/b.gif</span>&#160;become <span class="term">a.gif</span>&#160;and <span class="term">z/b.gif</span>&#160;respectively, while <span class="term">https&#58;//abc.com/x/c.gif</span>&#160;is not changed.<br />
-<br />
-&#160; When making relative URLs absolute, only values for scheme, network location (host-name) and path values in the base URL are inherited. See <a href="#s5.5">section 5.5</a>&#160;for more about the URL specification as per RFC <a href="http://www.ietf.org/rfc/rfc1808.txt">1808</a>.<br />
-
-</div>
-<div class="sub-sub-section"><h4>
-<a name="s3.4.5" id="s3.4.5"></a><span class="item-no">3.4.5</span>&#160; Lower-cased, standard attribute values
-</h4><span class="totop"><a href="#peak">(to top)</a></span><br style="clear: both;" />
-<br />
-&#160; Optionally, for standard-compliance, htmLawed (function <span class="term">hl_tag()</span>) lower-cases standard attribute values to give, e.g., <span class="term">input type="password"</span>&#160;instead of <span class="term">input type="Password"</span>, if <span class="term">$config["lc_std_val"]</span>&#160;is <span class="term">1</span>. Attribute values matching those listed below for any of the elements listed further below (plus those for the <span class="term">type</span>&#160;attribute of <span class="term">button</span>&#160;or <span class="term">input</span>) are lower-cased:<br />
-<br />
-
-<code class="code">&#160; &#160; all, auto, baseline, bottom, button, captions, center, chapters, char, checkbox, circle, col, colgroup, color, cols, data, date, datetime, datetime-local, default, descriptions, email, file, get, groups, hidden, image, justify, left, ltr, metadata, middle, month, none, number, object, password, poly, post, preserve, radio, range, rect, ref, reset, right, row, rowgroup, rows, rtl, search, submit, subtitles, tel, text, time, top, url, week</code>
-<br />
-<br />
-
-<code class="code">&#160; &#160; a, area, bdo, button, col, fieldset, form, img, input, object, ol, optgroup, option, param, script, select, table, td, textarea, tfoot, th, thead, tr, track, xml&#58;space</code>
-<br />
-<br />
-&#160; The following <em>empty</em>&#160;(<em>minimized</em>) attributes are always assigned lower-cased values (same as the attribute names):<br />
-<br />
-
-<code class="code">&#160; &#160; checkbox, checked, command, compact, declare, defer, default, disabled, hidden, inert, ismap, itemscope, multiple, nohref, noresize, noshade, nowrap, open, radio, readonly, required, reversed, selected</code>
-<br />
-
-</div>
-<div class="sub-sub-section"><h4>
-<a name="s3.4.6" id="s3.4.6"></a><span class="item-no">3.4.6</span>&#160; Transformation of deprecated attributes
-</h4><span class="totop"><a href="#peak">(to top)</a></span><br style="clear: both;" />
-<br />
-&#160; If <span class="term">$config["no_deprecated_attr"]</span>&#160;is <span class="term">0</span>, then deprecated attributes are removed and, in most cases, their values are transformed to CSS style properties and added to the <span class="term">style</span>&#160;attributes (function <span class="term">hl_tag()</span>). Except for <span class="term">bordercolor</span>&#160;for <span class="term">table</span>, <span class="term">tr</span>&#160;and <span class="term">td</span>, the scores of proprietary attributes that were never part of any cross-browser standard are not supported in this functionality.<br />
-<br />
-&#160; * &#160;align in caption, div, h, h2, h3, h4, h5, h6, hr, img, input, legend, object, p, table - for <span class="term">img</span>&#160;with value of <span class="term">left</span>&#160;or <span class="term">right</span>, becomes, e.g., <span class="term">float&#58; left</span>; for <span class="term">div</span>&#160;and <span class="term">table</span>&#160;with value <span class="term">center</span>, becomes <span class="term">margin&#58; auto</span>; all others become, e.g., <span class="term">text-align&#58; right</span><br />
-&#160; * &#160;bgcolor in table, td, th and tr - E.g., <span class="term">bgcolor="#ffffff"</span>&#160;becomes <span class="term">background-color&#58; #ffffff</span><br />
-&#160; * &#160;border in object - E.g., <span class="term">height="10"</span>&#160;becomes <span class="term">height&#58; 10px</span><br />
-&#160; * &#160;bordercolor in table, td and tr - E.g., <span class="term">bordercolor=#999999</span>&#160;becomes <span class="term">border-color&#58; #999999;</span><br />
-&#160; * &#160;compact in dl, ol and ul - <span class="term">font-size&#58; 85%</span><br />
-&#160; * &#160;cellspacing in table - <span class="term">cellspacing="10"</span>&#160;becomes <span class="term">border-spacing&#58; 10px</span><br />
-&#160; * &#160;clear in br - E.g., 'clear="all" becomes <span class="term">clear&#58; both</span><br />
-&#160; * &#160;height in td and th - E.g., <span class="term">height= "10"</span>&#160;becomes <span class="term">height&#58; 10px</span>&#160;and <span class="term">height="&#42;"</span>&#160;becomes <span class="term">height&#58; auto</span><br />
-&#160; * &#160;hspace in img and object - E.g., <span class="term">hspace="10"</span>&#160;becomes <span class="term">margin-left&#58; 10px; margin-right&#58; 10px</span><br />
-&#160; * &#160;language in script - <span class="term">language="VBScript"</span>&#160;becomes <span class="term">type="text/vbscript"</span><br />
-&#160; * &#160;name in a, form, iframe, img and map - E.g., <span class="term">name="xx"</span>&#160;becomes <span class="term">id="xx"</span><br />
-&#160; * &#160;noshade in hr - <span class="term">border-style&#58; none; border&#58; 0; background-color&#58; gray; color&#58; gray</span><br />
-&#160; * &#160;nowrap in td and th - <span class="term">white-space&#58; nowrap</span><br />
-&#160; * &#160;size in hr - E.g., <span class="term">size="10"</span>&#160;becomes <span class="term">height&#58; 10px</span><br />
-&#160; * &#160;vspace in img and object - E.g., <span class="term">vspace="10"</span>&#160;becomes <span class="term">margin-top&#58; 10px; margin-bottom&#58; 10px</span><br />
-&#160; * &#160;width in hr, pre, table, td and th - like <span class="term">height</span><br />
-<br />
-&#160; Example input:<br />
-<br />
-
-<code class="code">&#160; &#160; &lt;img src="j.gif" alt="image" name="dad&#39;s" /&gt;&lt;img src="k.gif" alt="image" id="dad_off" name="dad" /&gt;</code>
-<br />
-
-<code class="code">&#160; &#160; &lt;br clear="left" /&gt;</code>
-<br />
-
-<code class="code">&#160; &#160; &lt;hr noshade size="1" /&gt;</code>
-<br />
-
-<code class="code">&#160; &#160; &lt;img name="img" src="i.gif" align="left" alt="image" hspace="10" vspace="10" width="10em" height="20" border="1" style="padding&#58;5px;" /&gt;</code>
-<br />
-
-<code class="code">&#160; &#160; &lt;table width="50em" align="center" bgcolor="red"&gt;</code>
-<br />
-
-<code class="code">&#160; &#160; &#160;&lt;tr&gt;</code>
-<br />
-
-<code class="code">&#160; &#160; &#160; &lt;td width="20%"&gt;</code>
-<br />
-
-<code class="code">&#160; &#160; &#160; &#160;&lt;div align="center"&gt;</code>
-<br />
-
-<code class="code">&#160; &#160; &#160; &#160; &lt;h3 align="right"&gt;Section&lt;/h3&gt;</code>
-<br />
-
-<code class="code">&#160; &#160; &#160; &#160; &lt;p align="right"&gt;Para&lt;/p&gt;</code>
-<br />
-
-<code class="code">&#160; &#160; &#160; &#160;&lt;/div&gt;</code>
-<br />
-
-<code class="code">&#160; &#160; &#160; &lt;/td&gt;</code>
-<br />
-
-<code class="code">&#160; &#160; &#160; &lt;td width="&#42;"&gt;</code>
-<br />
-
-<code class="code">&#160; &#160; &#160; &lt;/td&gt;</code>
-<br />
-
-<code class="code">&#160; &#160; &#160;&lt;/tr&gt;</code>
-<br />
-
-<code class="code">&#160; &#160; &lt;/table&gt;</code>
-<br />
-
-<code class="code">&#160; &#160; &lt;br clear="all" /&gt;</code>
-<br />
-<br />
-&#160; And the output with <span class="term">$config["no_deprecated_attr"] = 1</span>:<br />
-<br />
-
-<code class="code">&#160; &#160; &lt;img src="j.gif" alt="image" id="dad&#39;s" /&gt;&lt;img src="k.gif" alt="image" id="dad_off" /&gt;</code>
-<br />
-
-<code class="code">&#160; &#160; &lt;br style="clear&#58; left;" /&gt;</code>
-<br />
-
-<code class="code">&#160; &#160; &lt;hr style="border-style&#58; none; border&#58; 0; background-color&#58; gray; color&#58; gray; size&#58; 1px;" /&gt;</code>
-<br />
-
-<code class="code">&#160; &#160; &lt;img src="i.gif" alt="image" width="10em" height="20" style="padding&#58;5px; float&#58; left; margin-left&#58; 10px; margin-right&#58; 10px; margin-top&#58; 10px; margin-bottom&#58; 10px; border&#58; 1px;" id="img" /&gt;</code>
-<br />
-
-<code class="code">&#160; &#160; &lt;table width="50em" style="margin&#58; auto; background-color&#58; red;"&gt;</code>
-<br />
-
-<code class="code">&#160; &#160; &#160;&lt;tr&gt;</code>
-<br />
-
-<code class="code">&#160; &#160; &#160; &lt;td style="width&#58; 20%;"&gt;</code>
-<br />
-
-<code class="code">&#160; &#160; &#160; &#160;&lt;div style="margin&#58; auto;"&gt;</code>
-<br />
-
-<code class="code">&#160; &#160; &#160; &#160; &lt;h3 style="text-align&#58; right;"&gt;Section&lt;/h3&gt;</code>
-<br />
-
-<code class="code">&#160; &#160; &#160; &#160; &lt;p style="text-align&#58; right;"&gt;Para&lt;/p&gt;</code>
-<br />
-
-<code class="code">&#160; &#160; &#160; &#160;&lt;/div&gt;</code>
-<br />
-
-<code class="code">&#160; &#160; &#160; &lt;/td&gt;</code>
-<br />
-
-<code class="code">&#160; &#160; &#160; &lt;td style="width&#58; auto;"&gt;</code>
-<br />
-
-<code class="code">&#160; &#160; &#160; &lt;/td&gt;</code>
-<br />
-
-<code class="code">&#160; &#160; &#160;&lt;/tr&gt;</code>
-<br />
-
-<code class="code">&#160; &#160; &lt;/table&gt;</code>
-<br />
-
-<code class="code">&#160; &#160; &lt;br style="clear&#58; both;" /&gt;</code>
-<br />
-<br />
-&#160; For <span class="term">lang</span>, deprecated in XHTML 1.1, transformation is taken care of through <span class="term">$config["xml&#58;lang"]</span>; see <a href="#s3.4.1">section 3.4.1</a>.<br />
-<br />
-&#160; The attribute <span class="term">name</span>&#160;is deprecated in <span class="term">form</span>, <span class="term">iframe</span>, and <span class="term">img</span>, and is replaced with <span class="term">id</span>&#160;if an <span class="term">id</span>&#160;attribute doesn't exist and if the <span class="term">name</span>&#160;value is appropriate for <span class="term">id</span>&#160;(i.e., doesn't have a non-word character like space). For such replacements for <span class="term">a</span>&#160;and <span class="term">map</span>, for which the <span class="term">name</span>&#160;attribute is deprecated in XHTML 1.1, <span class="term">$config["no_deprecated_attr"]</span>&#160;should be set to <span class="term">2</span>&#160;(when set to <span class="term">1</span>, for these two elements, the <span class="term">name</span>&#160;attribute is retained).<br />
-
-</div>
-<div class="sub-sub-section"><h4>
-<a name="s3.4.7" id="s3.4.7"></a><span class="item-no">3.4.7</span>&#160; Anti-spam &amp; <span class="term">href</span>
-</h4><span class="totop"><a href="#peak">(to top)</a></span><br style="clear: both;" />
-<br />
-&#160; htmLawed (function <span class="term">hl_tag()</span>) can check the <span class="term">href</span>&#160;attribute values (link addresses) as an anti-spam (email or link spam) measure.<br />
-<br />
-&#160; If <span class="term">$config["anti_mail_spam"]</span>&#160;is not <span class="term">0</span>, the <span class="term">@</span>&#160;of email addresses in <span class="term">href</span>&#160;values like <span class="term">mailto&#58;a@b.com</span>&#160;is replaced with text specified by <span class="term">$config["anti_mail_spam"]</span>. The text should be of a form that makes it clear to others that the address needs to be edited before a mail is sent; e.g., <span class="term">&lt;remove_this_antispam&gt;@</span>&#160;(makes the example address <span class="term">a&lt;remove_this_antispam&gt;@b.com</span>).<br />
-<br />
-&#160; For regular links, one can choose to have a <span class="term">rel</span>&#160;attribute with <span class="term">nofollow</span>&#160;in its value (which tells some search engines to not follow a link). This can discourage link spammers. Additionally, or as an alternative, one can choose to empty the <span class="term">href</span>&#160;value altogether (disable the link).<br />
-<br />
-&#160; For use of these options, <span class="term">$config["anti_link_spam"]</span>&#160;should be set as an array with values <span class="term">regex1</span>&#160;and <span class="term">regex2</span>, both or one of which can be empty (like <span class="term">array("", "regex2")</span>) to indicate that that option is not to be used. Otherwise, <span class="term">regex1</span>&#160;or <span class="term">regex2</span>&#160;should be PHP- and PCRE-compatible regular expression patterns: <span class="term">href</span>&#160;values will be matched against them and those matching the pattern will accordingly be treated.<br />
-<br />
-&#160; Note that the regular expressions should have <em>delimiters</em>, and be well-formed and preferably fast. Absolute efficiency/accuracy is often not needed.<br />
-<br />
-&#160; An example, to have a <span class="term">rel</span>&#160;attribute with <span class="term">nofollow</span>&#160;for all links, and to disable links that do not point to domains <span class="term">abc.com</span>&#160;and <span class="term">xyz.org</span>:<br />
-<br />
-
-<code class="code">&#160; &#160; $config["anti_link_spam"] = array(&#39;&#96;.&#96;&#39;, &#39;&#96;&#58;//\W&#42;(?!(abc\.com|xyz\.org))&#96;&#39;);</code>
-<br />
-
-</div>
-<div class="sub-sub-section"><h4>
-<a name="s3.4.8" id="s3.4.8"></a><span class="item-no">3.4.8</span>&#160; Inline style properties
-</h4><span class="totop"><a href="#peak">(to top)</a></span><br style="clear: both;" />
-<br />
-&#160; htmLawed can check URL schemes and dynamic expressions (to guard against Javascript, etc., script-based insecurities) in inline CSS style property values in the <span class="term">style</span>&#160;attributes. (CSS properties like <span class="term">background-image</span>&#160;that accept URLs in their values are noted in <a href="#s5.3">section 5.3</a>.) Dynamic CSS expressions that allow scripting in the IE browser, and can be a vulnerability, can be removed from property values by setting <span class="term">$config["css_expression"]</span>&#160;to <span class="term">1</span>&#160;(default setting). Note that when <span class="term">$config["css_expression"]</span>&#160;is set to <span class="term">1</span>, htmLawed will remove <span class="term">/&#42;</span>&#160;from the <span class="term">style</span>&#160;values.<br />
-<br />
-&#160; <strong>Note</strong>: Because of the various ways of representing characters in attribute values (URL-escapement, entitification, etc.), htmLawed might alter the values of the <span class="term">style</span>&#160;attribute values, and may even falsely identify dynamic CSS expressions and URL schemes in them. If this is an important issue, checking of URLs and dynamic expressions can be turned off (<span class="term">$config["schemes"] = "...style&#58;&#42;..."</span>, see <a href="#s3.4.3">section 3.4.3</a>, and <span class="term">$config["css_expression"] = 0</span>). Alternately, admins can use their own custom function for finer handling of <span class="term">style</span>&#160;values through the <span class="term">hook_tag</span>&#160;parameter (see <a href="#s3.4.9">section 3.4.9</a>).<br />
-<br />
-&#160; It is also possible to have htmLawed let through any <span class="term">style</span>&#160;value by setting <span class="term">$config["style_pass"]</span>&#160;to <span class="term">1</span>.<br />
-<br />
-&#160; As such, it is better to set up a CSS file with class declarations, disallow the <span class="term">style</span>&#160;attribute, set a <span class="term">$spec</span>&#160;rule (see <a href="#s2.3">section 2.3</a>) for <span class="term">class</span>&#160;for the <span class="term">oneof</span>&#160;or <span class="term">match</span>&#160;parameter, and ask writers to make use of the <span class="term">class</span>&#160;attribute.<br />
-
-</div>
-<div class="sub-sub-section"><h4>
-<a name="s3.4.9" id="s3.4.9"></a><span class="item-no">3.4.9</span>&#160; Hook function for tag content
-</h4><span class="totop"><a href="#peak">(to top)</a></span><br style="clear: both;" />
-<br />
-&#160; It is possible to utilize a custom hook function to alter the tag content htmLawed has finalized (i.e., after it has checked/corrected for required attributes, transformed attributes, lower-cased attribute names, etc.).<br />
-<br />
-&#160; When <span class="term">$config</span>&#160;parameter <span class="term">hook_tag</span>&#160;is set to the name of a function, htmLawed (function <span class="term">hl_tag()</span>) will pass on the element name, and the <em>finalized</em>&#160;attribute name-value pairs as array elements to the function. The function, after completing a task such as filtering or tag transformation, will typically return an empty string, the full opening tag string like <span class="term">&lt;element_name attribute_1_name="attribute_1_value"...&gt;</span>&#160;(for empty elements like <span class="term">img</span>&#160;and <span class="term">input</span>, the element-closing slash <span class="term">/</span>&#160;should also be included), etc.<br />
-<br />
-&#160; Any <span class="term">hook_tag</span>&#160;function, since htmLawed version 1.1.11, also receives names of elements in closing tags, such as <span class="term">a</span>&#160;in the closing <span class="term">&lt;/a&gt;</span>&#160;tag of the element <span class="term">&lt;a href="http&#58;//cnn.com"&gt;CNN&lt;/a&gt;</span>. No other value is passed to the function since a closing tag contains only element names. Typically, the function will return an empty string or a full closing tag (like <span class="term">&lt;/a&gt;</span>).<br />
-<br />
-&#160; This is a <strong>powerful functionality</strong>&#160;that can be exploited for various objectives: consolidate-and-convert inline <span class="term">style</span>&#160;attributes to <span class="term">class</span>, convert <span class="term">embed</span>&#160;elements to <span class="term">object</span>, permit only one <span class="term">caption</span>&#160;element in a <span class="term">table</span>&#160;element, disallow embedding of certain types of media, <strong>inject HTML</strong>, use <a href="http://csstidy.sourceforge.net">CSSTidy</a>&#160;to sanitize <span class="term">style</span>&#160;attribute values, etc.<br />
-<br />
-&#160; As an example, the custom hook code below can be used to force a series of specifically ordered <span class="term">id</span>&#160;attributes on all elements, and a specific <span class="term">param</span>&#160;element inside all <span class="term">object</span>&#160;elements:<br />
-<br />
-
-<code class="code">&#160; &#160; function my_tag_function($element, $attribute_array=0){</code>
-<br />
-<br />
-
-<code class="code">&#160; &#160; &#160; // If second argument is not received, it means a closing tag is being handled</code>
-<br />
-
-<code class="code">&#160; &#160; &#160; if(is_numeric($attribute_array)){</code>
-<br />
-
-<code class="code">&#160; &#160; &#160; &#160; return "&lt;/$element&gt;";</code>
-<br />
-
-<code class="code">&#160; &#160; &#160; }</code>
-<br />
-<br />
-
-<code class="code">&#160; &#160; &#160; static $id = 0;</code>
-<br />
-
-<code class="code">&#160; &#160; &#160; // Remove any duplicate element</code>
-<br />
-
-<code class="code">&#160; &#160; &#160; if($element == &#39;param&#39; &amp;&amp; isset($attribute_array[&#39;allowscriptaccess&#39;])){</code>
-<br />
-
-<code class="code">&#160; &#160; &#160; &#160; return &#39;&#39;;</code>
-<br />
-
-<code class="code">&#160; &#160; &#160; }</code>
-<br />
-<br />
-
-<code class="code">&#160; &#160; &#160; $new_element = &#39;&#39;;</code>
-<br />
-<br />
-
-<code class="code">&#160; &#160; &#160; // Force a serialized ID number</code>
-<br />
-
-<code class="code">&#160; &#160; &#160; $attribute_array[&#39;id&#39;] = &#39;my_&#39;. $id;</code>
-<br />
-
-<code class="code">&#160; &#160; &#160; ++$id;</code>
-<br />
-<br />
-
-<code class="code">&#160; &#160; &#160; // Inject param for allowscriptaccess</code>
-<br />
-
-<code class="code">&#160; &#160; &#160; if($element == &#39;object&#39;){</code>
-<br />
-
-<code class="code">&#160; &#160; &#160; &#160; $new_element = &#39;&lt;param id="my_&#39;. $id. &#39;"; allowscriptaccess="never" /&gt;&#39;;</code>
-<br />
-
-<code class="code">&#160; &#160; &#160; &#160; ++$id;</code>
-<br />
-
-<code class="code">&#160; &#160; &#160; }</code>
-<br />
-<br />
-
-<code class="code">&#160; &#160; &#160; $string = &#39;&#39;;</code>
-<br />
-
-<code class="code">&#160; &#160; &#160; foreach($attribute_array as $k=&gt;$v){</code>
-<br />
-
-<code class="code">&#160; &#160; &#160; &#160; $string .= " {$k}=\"{$v}\"";</code>
-<br />
-
-<code class="code">&#160; &#160; &#160; }</code>
-<br />
-<br />
-
-<code class="code">&#160; &#160; &#160; static $empty_elements = array(&#39;area&#39;=&gt;1, &#39;br&#39;=&gt;1, &#39;col&#39;=&gt;1, &#39;command&#39;=&gt;1, &#39;embed&#39;=&gt;1, &#39;hr&#39;=&gt;1, &#39;img&#39;=&gt;1, &#39;input&#39;=&gt;1, &#39;isindex&#39;=&gt;1, &#39;keygen&#39;=&gt;1, &#39;link&#39;=&gt;1, &#39;meta&#39;=&gt;1, &#39;param&#39;=&gt;1, &#39;source&#39;=&gt;1, &#39;track&#39;=&gt;1, &#39;wbr&#39;=&gt;1);</code>
-<br />
-<br />
-
-<code class="code">&#160; &#160; &#160; return "&lt;{$element}{$string}". (array_key_exists($element, $empty_elements) ? &#39; /&#39; &#58; &#39;&#39;). &#39;&gt;&#39;. $new_element;</code>
-<br />
-
-<code class="code">&#160; &#160; }</code>
-<br />
-<br />
-&#160; The <span class="term">hook_tag</span>&#160;parameter is different from the <span class="term">hook</span>&#160;parameter (<a href="#s3.7">section 3.7</a>).<br />
-<br />
-&#160; Snippets of hook function code developed by others may be available on the <a href="http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed">htmLawed</a>&#160;website.<br />
-
-</div>
-<div class="sub-section"><h3>
-<a name="s3.5" id="s3.5"></a><span class="item-no">3.5</span>&#160; Simple configuration directive for most valid XHTML
-</h3><span class="totop"><a href="#peak">(to top)</a></span><br style="clear: both;" />
-<br />
-&#160; If <span class="term">$config["valid_xhtml"]</span>&#160;is set to <span class="term">1</span>, some relevant <span class="term">$config</span>&#160;parameters (indicated by <span class="term">~</span>&#160;in <a href="#s2.2">section 2.2</a>) are auto-adjusted. This allows one to pass the <span class="term">$config</span>&#160;argument with a simpler value. If a value for a parameter auto-set through <span class="term">valid_xhtml</span>&#160;is still manually provided, then that value will over-ride the auto-set value.<br />
-
-</div>
-<div class="sub-section"><h3>
-<a name="s3.6" id="s3.6"></a><span class="item-no">3.6</span>&#160; Simple configuration directive for most <em>safe</em>&#160;HTML
-</h3><span class="totop"><a href="#peak">(to top)</a></span><br style="clear: both;" />
-<br />
-&#160; <em>Safe</em>&#160;HTML refers to HTML that is restricted to reduce the vulnerability for scripting attacks (such as XSS) based on HTML code which otherwise may still be legal and compliant with the HTML standard specifications. When elements such as <span class="term">script</span>&#160;and <span class="term">object</span>, and attributes such as <span class="term">onmouseover</span>&#160;and <span class="term">style</span>&#160;are allowed in the input text, an input writer can introduce malevolent HTML code. Note that what is considered <span class="term">safe</span>&#160;depends on the nature of the web application and the trust-level accorded to its users.<br />
-<br />
-&#160; htmLawed allows an admin to use <span class="term">$config["safe"]</span>&#160;to auto-adjust multiple <span class="term">$config</span>&#160;parameters (such as <span class="term">elements</span>&#160;which declares the allowed element-set), which otherwise would have to be manually set. The relevant parameters are indicated by <span class="term">"</span>&#160;in <a href="#s2.2">section 2.2</a>). Thus, one can pass the <span class="term">$config</span>&#160;argument with a simpler value. Having the <span class="term">safe</span>&#160;parameter set to <span class="term">1</span>&#160;is equivalent to setting the following <span class="term">$config</span>&#160;parameters to the noted values :<br />
-<br />
-
-<code class="code">&#160; &#160; cdata - 0</code>
-<br />
-
-<code class="code">&#160; &#160; comment - 0</code>
-<br />
-
-<code class="code">&#160; &#160; deny_attribute - on&#42;</code>
-<br />
-
-<code class="code">&#160; &#160; elements - &#42; -applet -audio -canvas -embed -iframe -object -script -video</code>
-<br />
-
-<code class="code">&#160; &#160; schemes - href&#58; aim, feed, file, ftp, gopher, http, https, irc, mailto, news, nntp, sftp, ssh, tel, telnet; style&#58; !; &#42;&#58;file, http, https</code>
-<br />
-<br />
-&#160; With <span class="term">safe</span>&#160;set to <span class="term">1</span>, htmLawed considers <span class="term">CDATA</span>&#160;sections and HTML comments as plain text, and prohibits the <span class="term">applet</span>, <span class="term">audio</span>, <span class="term">canvas</span>, <span class="term">embed</span>, <span class="term">iframe</span>, <span class="term">object</span>, <span class="term">script</span>&#160;and <span class="term">video</span>&#160;elements, and the <span class="term">on&#42;</span>&#160;attributes like <span class="term">onclick</span>. ( There are <span class="term">$config</span>&#160;parameters like <span class="term">css_expression</span>&#160;that are not affected by the value set for <span class="term">safe</span>&#160;but whose default values still contribute towards a more <em>safe</em>&#160;output.) Further, unless overridden by the value for parameter <span class="term">schemes</span>&#160;(see <a href="#s3.4.3">section 3.4.3</a>), the schemes <span class="term">app</span>, <span class="term">data</span>&#160;and <span class="term">javascript</span>&#160;are not permitted, and URLs with schemes are neutralized so that, e.g., <span class="term">style="moz-binding&#58;url(http&#58;//danger)"</span>&#160;becomes <span class="term">style="moz-binding&#58;url(denied&#58;http&#58;//danger)"</span>.<br />
-<br />
-&#160; Admins, however, may still want to completely deny the <span class="term">style</span>&#160;attribute, e.g., with code like<br />
-<br />
-
-<code class="code">&#160; &#160; $processed = htmLawed($text, array(&#39;safe&#39;=&gt;1, &#39;deny_attribute&#39;=&gt;&#39;style&#39;));</code>
-<br />
-<br />
-&#160; Permitting the <span class="term">style</span>&#160;attribute brings in risks of <em>click-jacking</em>, etc. CSS property values can render a page non-functional or be used to deface it. Except for URLs, dynamic expressions, and some other things, htmLawed does not completely check <span class="term">style</span>&#160;values. It does provide ways for the code-developer implementing htmLawed to do such checks through the <span class="term">$spec</span>&#160;argument, and through the <span class="term">hook_tag</span>&#160;parameter (see <a href="#s3.4.8">section 3.4.8</a>&#160;for more). Disallowing style completely and relying on CSS classes and stylesheet files is recommended.<br />
-<br />
-&#160; If a value for a parameter auto-set through <span class="term">safe</span>&#160;is still manually provided, then that value can over-ride the auto-set value. E.g., with <span class="term">$config["safe"] = 1</span>&#160;and <span class="term">$config["elements"] = "&#42; +script"</span>, <span class="term">script</span>, but not <span class="term">applet</span>, is allowed. Such over-ride does not occur for <span class="term">deny_attribute</span>&#160;(for legacy reason) when comma-separated attribute names are provided as the value for this parameter (<a href="#s3.4">section 3.4</a>); instead htmLawed will add <span class="term">on&#42;</span>&#160;to the value provided for <span class="term">deny_attribute</span>.<br />
-<br />
-&#160; A page illustrating the efficacy of htmLawed's anti-XSS abilities with <span class="term">safe</span>&#160;set to <span class="term">1</span>&#160;against XSS vectors listed by <a href="http://ha.ckers.org/xss.html">RSnake</a>&#160;may be available <a href="http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed/rsnake/RSnakeXSSTest.htm">here</a>.<br />
-
-</div>
-<div class="sub-section"><h3>
-<a name="s3.7" id="s3.7"></a><span class="item-no">3.7</span>&#160; Using a hook function
-</h3><span class="totop"><a href="#peak">(to top)</a></span><br style="clear: both;" />
-<br />
-&#160; If <span class="term">$config["hook"]</span>&#160;is not set to <span class="term">0</span>, then htmLawed will allow preliminarily processed input to be altered by a hook function named by <span class="term">$config["hook"]</span>&#160;before starting the main work (but after handling of characters, entities, HTML comments and <span class="term">CDATA</span>&#160;sections -- see code for function <span class="term">htmLawed()</span>).<br />
-<br />
-&#160; The hook function also allows one to alter the <em>finalized</em>&#160;values of <span class="term">$config</span>&#160;and <span class="term">$spec</span>.<br />
-<br />
-&#160; Note that the <span class="term">hook</span>&#160;parameter is different from the <span class="term">hook_tag</span>&#160;parameter (<a href="#s3.4.9">section 3.4.9</a>).<br />
-<br />
-&#160; Snippets of hook function code developed by others may be available on the <a href="http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed">htmLawed</a>&#160;website.<br />
-
-</div>
-<div class="sub-section"><h3>
-<a name="s3.8" id="s3.8"></a><span class="item-no">3.8</span>&#160; Obtaining <em>finalized</em>&#160;parameter values
-</h3><span class="totop"><a href="#peak">(to top)</a></span><br style="clear: both;" />
-<br />
-&#160; htmLawed can assign the <em>finalized</em>&#160;<span class="term">$config</span>&#160;and <span class="term">$spec</span>&#160;values to a variable named by <span class="term">$config["show_setting"]</span>. The variable, made global by htmLawed, is set as an array with three keys: <span class="term">config</span>, with the <span class="term">$config</span>&#160;value, <span class="term">spec</span>, with the <span class="term">$spec</span>&#160;value, and <span class="term">time</span>, with a value that is the Unix time (the output of PHP's <span class="term">microtime()</span>&#160;function) when the value was assigned. Admins should use a PHP-compliant variable name (e.g., one that does not begin with a numerical digit) that does not conflict with variable names in their non-htmLawed code.<br />
-<br />
-&#160; The values, which are also post-hook function (if any), can be used to auto-generate information (on, e.g., the elements that are permitted) for input writers.<br />
-
-</div>
-<div class="sub-section"><h3>
-<a name="s3.9" id="s3.9"></a><span class="item-no">3.9</span>&#160; Retaining non-HTML tags in input with mixed markup
-</h3><span class="totop"><a href="#peak">(to top)</a></span><br style="clear: both;" />
-<br />
-&#160; htmLawed does not remove certain characters that, though invalid, are nevertheless <em>discouraged</em>&#160;in HTML documents as per the specifications (see <a href="#s5.1">section 5.1</a>). This can be utilized to deal with input that contains mixed markup. Input that may have HTML markup as well as some other markup that is based on the <span class="term">&lt;</span>, <span class="term">&gt;</span>&#160;and <span class="term">&amp;</span>&#160;characters is considered to have mixed markup. The non-HTML markup can be rather proprietary (like markup for emoticons/smileys), or standard (like MathML or SVG). Or it can be programming code meant for execution/evaluation (such as embedded PHP code).<br />
-<br />
-&#160; To deal with such mixed markup, the input text can be pre-processed to hide the non-HTML markup by specifically replacing the <span class="term">&lt;</span>, <span class="term">&gt;</span>&#160;and <span class="term">&amp;</span>&#160;characters with some of the HTML-discouraged characters (see <a href="#s3.1.2">section 3.1.2</a>). Post-htmLawed processing, the replacements are reverted.<br />
-<br />
-&#160; An example (mixed HTML and PHP code in input text):<br />
-<br />
-
-<code class="code">&#160; &#160; $text = preg_replace(&#39;&#96;&lt;\?php(.+?)\?&gt;&#96;sm&#39;, "\x83?php\\1?\x84", $text);</code>
-<br />
-
-<code class="code">&#160; &#160; $processed = htmLawed($text);</code>
-<br />
-
-<code class="code">&#160; &#160; $processed = preg_replace(&#39;&#96;\x83\?php(.+?)\?\x84&#96;sm&#39;, &#39;&lt;?php$1?&gt;&#39;, $processed);</code>
-<br />
-<br />
-&#160; This code will not work if <span class="term">$config["clean_ms_char"]</span>&#160;is set to <span class="term">1</span>&#160;(<a href="#s3.1">section 3.1</a>), in which case one should instead deploy a hook function (<a href="#s3.7">section 3.7</a>). (htmLawed internally uses certain control characters, code-points <span class="term">1</span>&#160;to <span class="term">7</span>, and use of these characters as markers in the logic of hook functions may cause issues.)<br />
-<br />
-&#160; Admins may also be able to use <span class="term">$config["and_mark"]</span>&#160;to deal with such mixed markup; see <a href="#s3.2">section 3.2</a>.<br />
-
-</div>
-</div>
-<div class="section"><h2>
-<a name="s4" id="s4"></a><span class="item-no">4</span>&#160; Other
-</h2><span class="totop"><a href="#peak">(to top)</a></span><br style="clear: both;" />
-<div class="sub-section"><h3>
-<a name="s4.1" id="s4.1"></a><span class="item-no">4.1</span>&#160; Support
-</h3><span class="totop"><a href="#peak">(to top)</a></span><br style="clear: both;" />
-<br />
-&#160; Software updates and forum-based community-support may be found at <a href="http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed">http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed</a>. For general PHP issues (not htmLawed-specific), support may be found through internet searches and at <a href="http://php.net">http://php.net</a>.<br />
-
-</div>
-<div class="sub-section"><h3>
-<a name="s4.2" id="s4.2"></a><span class="item-no">4.2</span>&#160; Known issues
-</h3><span class="totop"><a href="#peak">(to top)</a></span><br style="clear: both;" />
-<br />
-&#160; See <a href="#s2.8">section 2.8</a>.<br />
-
-</div>
-<div class="sub-section"><h3>
-<a name="s4.3" id="s4.3"></a><span class="item-no">4.3</span>&#160; Change-log
-</h3><span class="totop"><a href="#peak">(to top)</a></span><br style="clear: both;" />
-<br />
-&#160; (The release date for the downloadable package of files containing documentation, demo script, test-cases, etc., besides the <span class="term">htmLawed.php</span>&#160;file, may be updated without a change-log entry if the secondary files, but not htmLawed per se, are revised.)<br />
-<br />
-&#160; <em>Version number - Release date. Notes</em><br />
-<br />
-&#160; 1.2.5 - 24 September 2019. Fixes two bugs in <span class="term">font</span>&#160;tag transformation<br />
-<br />
-&#160; 1.2.4.2 - 16 May 2019. Corrects a PHP notice if a semi-colon is present in <span class="term">$config["schemes"]</span><br />
-<br />
-&#160; 1.2.4.1 - 12 September 2017. Corrects a function re-declaration bug introduced in version 1.2.4<br />
-<br />
-&#160; 1.2.4 - 31 August 2017. Removes use of PHP <span class="term">create_function</span>&#160;function and <span class="term">$php_errormsg</span>&#160;reserved variable (deprecated in PHP 7.2)<br />
-<br />
-&#160; 1.2.3 - 5 July 2017. New option value of <span class="term">4</span>&#160;for <span class="term">$config["comments"]</span>&#160;to stop enforcing a space character before the <span class="term">--&gt;</span>&#160;comment-closing marker<br />
-<br />
-&#160; 1.2.2 - 25 May 2017. Fix for a bug in parsing <span class="term">$spec</span>&#160;that got introduced in version 1.2; also, <span class="term">$spec</span>&#160;is now parsed to accommodate specifications for an HTML element when they are specified in multiple rules<br />
-<br />
-&#160; 1.2.1.1 - 17 May 2017. Fix for a potential security vulnerability in transformation of deprecated attributes<br />
-<br />
-&#160; 1.2.1 - 15 May 2017. Fix for a potential security vulnerability in transformation of deprecated attributes<br />
-<br />
-&#160; 1.2 - 11 February 2017. (First beta release on 26 May 2013). Added support for HTML version 5; ARIA, data-* and microdata attributes; <span class="term">app</span>, <span class="term">data</span>, <span class="term">javascript</span>&#160;and <span class="term">tel</span>&#160;URL schemes (thus, <span class="term">javascript&#58;</span>&#160;is not filtered in default mode). Removed support for code using Kses functions (see <a href="#s2.6">section 2.6</a>). Changes in revisions to the beta releases are not noted here.<br />
-<br />
-&#160; 1.1.22 - 5 March 2016. Improved testing of attribute value rules specified in <span class="term">$spec</span><br />
-<br />
-&#160; 1.1.21 - 27 February 2016. Improvement and security fix in transforming <span class="term">font</span>&#160;element<br />
-<br />
-&#160; 1.1.20 - 9 June 2015. Fix for a potential security vulnerability arising from unescaped double-quote character in single-quoted attribute value of some deprecated elements when tag transformation is enabled; recognition for non-(HTML 4) standard <span class="term">allowfullscreen</span>&#160;attribute of <span class="term">iframe</span><br />
-<br />
-&#160; 1.1.19 - 19 January 2015. Fix for a bug in cleaning of soft-hyphens in URL values, etc<br />
-<br />
-&#160; 1.1.18 - 2 August 2014. Fix for a potential security vulnerability arising from specially encoded text with serial opening tags<br />
-<br />
-&#160; 1.1.17 - 11 March 2014. Removed use of PHP function preg_replace with <span class="term">e</span>&#160;modifier for compatibility with PHP 5.5.<br />
-<br />
-&#160; 1.1.16 - 29 August 2013. Fix for a potential security vulnerability arising from specialy encoded space characters in URL schemes/protocols<br />
-<br />
-&#160; 1.1.15 - 11 August 2013. Improved tidying/prettifying functionality<br />
-<br />
-&#160; 1.1.14 - 8 August 2012. Fix for possible segmental loss of incremental indentation during <span class="term">tidying</span>&#160;when <span class="term">balance</span>&#160;is disabled; fix for non-effectuation under some circumstances of a corrective behavior to preserve plain text within elements like <span class="term">blockquote</span><br />
-<br />
-&#160; 1.1.13 - 22 July 2012. Added feature allowing use of custom, non-standard attributes or custom rules for standard attributes<br />
-<br />
-&#160; 1.1.12 - 5 July 2012. Fix for a bug in identifying an unquoted value of the <span class="term">face</span>&#160;attribute<br />
-<br />
-&#160; 1.1.11 - 5 June 2012. Fix for possible problem with handling of multi-byte characters in attribute values in an mbstring.func_overload enviroment. <span class="term">$config["hook_tag"]</span>, if specified, now receives names of elements in closing tags.<br />
-<br />
-&#160; 1.1.10 - 22 October 2011. Fix for a bug in the <span class="term">tidy</span>&#160;functionality that caused the entire input to be replaced with a single space; new parameter, <span class="term">$config["direct_list_nest"]</span>&#160;to allow direct descendance of a list in a list. (5 April 2012. Dual licensing from LGPLv3 to LGPLv3 and GPLv2+.)<br />
-<br />
-&#160; 1.1.9.5 - 6 July 2011. Minor correction of a rule for nesting of <span class="term">li</span>&#160;within <span class="term">dir</span><br />
-<br />
-&#160; 1.1.9.4 - 3 July 2010. Parameter <span class="term">schemes</span>&#160;now accepts <span class="term">!</span>&#160;so any URL, even a local one, can be <em>denied</em>. An issue in which a second URL value in <span class="term">style</span>&#160;properties was not checked was fixed.<br />
-<br />
-&#160; 1.1.9.3 - 17 May 2010. Checks for correct nesting of <span class="term">param</span><br />
-<br />
-&#160; 1.1.9.2 - 26 April 2010. Minor fix regarding rendering of denied URL schemes<br />
-<br />
-&#160; 1.1.9.1 - 26 February 2010. htmLawed now uses the LGPL version 3 license; support for <span class="term">flashvars</span>&#160;attribute for <span class="term">embed</span><br />
-<br />
-&#160; 1.1.9 - 22 December 2009. Soft-hyphens are now removed only from URL-accepting attribute values<br />
-<br />
-&#160; 1.1.8.1 - 16 July 2009. Minor code-change to fix a PHP error notice<br />
-<br />
-&#160; 1.1.8 - 23 April 2009. Parameter <span class="term">deny_attribute</span>&#160;now accepts the wild-card <span class="term">&#42;</span>, making it simpler to specify its value when all but a few attributes are being denied; fixed a bug in interpreting <span class="term">$spec</span><br />
-<br />
-&#160; 1.1.7 - 11-12 March 2009. Attributes globally denied through <span class="term">deny_attribute</span>&#160;can be allowed element-specifically through <span class="term">$spec</span>; <span class="term">$config["style_pass"]</span>&#160;allowing letting through any <span class="term">style</span>&#160;value introduced; altered logic to catch certain types of dynamic crafted CSS expressions<br />
-<br />
-&#160; 1.1.3-6 - 28-31 January - 4 February 2009. Altered logic to catch certain types of dynamic crafted CSS expressions<br />
-<br />
-&#160; 1.1.2 - 22 January 2009. Fixed bug in parsing of <span class="term">font</span>&#160;attributes during tag transformation<br />
-<br />
-&#160; 1.1.1 - 27 September 2008. Better nesting correction when omitable closing tags are absent<br />
-<br />
-&#160; 1.1 - 29 June 2008. <span class="term">$config["hook_tag"]</span>&#160;and <span class="term">$config["tidy"]</span>&#160;introduced for custom tag/attribute check/modification/injection and output compaction/beautification; fixed a regex-in-$spec parsing bug<br />
-<br />
-&#160; 1.0.9 - 11 June 2008. Fix for a bug in checks for invalid HTML code-point entities<br />
-<br />
-&#160; 1.0.8 - 15 May 2008. Permit <span class="term">bordercolor</span>&#160;attribute for <span class="term">table</span>, <span class="term">td</span>&#160;and <span class="term">tr</span><br />
-<br />
-&#160; 1.0.7 - 1 May 2008. Support for <span class="term">wmode</span>&#160;attribute for <span class="term">embed</span>; <span class="term">$config["show_setting"]</span>&#160;introduced; improved <span class="term">$config["elements"]</span>&#160;evaluation<br />
-<br />
-&#160; 1.0.6 - 20 April 2008. <span class="term">$config["and_mark"]</span>&#160;introduced<br />
-<br />
-&#160; 1.0.5 - 12 March 2008. <span class="term">style</span>&#160;URL schemes essentially disallowed when $config <span class="term">safe</span>&#160;is on; improved regex for CSS expression search<br />
-<br />
-&#160; 1.0.4 - 10 March 2008. Improved corrections for <span class="term">blockquote</span>, <span class="term">form</span>, <span class="term">map</span>&#160;and <span class="term">noscript</span><br />
-<br />
-&#160; 1.0.3 - 3 March 2008. Character entities for soft-hyphens are now replaced with spaces (instead of being removed); fix for a bug allowing <span class="term">td</span>&#160;directly inside <span class="term">table</span>; <span class="term">$config["safe"]</span>&#160;introduced<br />
-<br />
-&#160; 1.0.2 - 13 February 2008. Improved implementation of <span class="term">$config["keep_bad"]</span><br />
-<br />
-&#160; 1.0.1 - 7 November 2007. Improved regex for identifying URLs, protocols and dynamic expressions (<span class="term">hl_tag()</span>&#160;and <span class="term">hl_prot()</span>); no error display with <span class="term">hl_regex()</span><br />
-<br />
-&#160; 1.0 - 2 November 2007. First release<br />
-
-</div>
-<div class="sub-section"><h3>
-<a name="s4.4" id="s4.4"></a><span class="item-no">4.4</span>&#160; Testing
-</h3><span class="totop"><a href="#peak">(to top)</a></span><br style="clear: both;" />
-<br />
-&#160; To test htmLawed using a form interface, a <a href="htmLawedTest.php">demo</a>&#160;web-page is provided with the htmLawed distribution (<span class="term">htmLawed.php</span>&#160;and <span class="term">htmLawedTest.php</span>&#160;should be in the same directory on the web-server). A file with <a href="htmLawed_TESTCASE.txt">test-cases</a>&#160;is also provided.<br />
-
-</div>
-<div class="sub-section"><h3>
-<a name="s4.5" id="s4.5"></a><span class="item-no">4.5</span>&#160; Upgrade, &amp; old versions
-</h3><span class="totop"><a href="#peak">(to top)</a></span><br style="clear: both;" />
-<br />
-&#160; Upgrading is as simple as replacing the previous version of <span class="term">htmLawed.php</span>, assuming the file was not modified for customized features. As htmLawed output is almost always used in static documents, upgrading should not affect old, finalized content.<br />
-<br />
-&#160; <strong>Note:</strong>&#160;The following upgrades may affect the functionality of a specific htmLawed installation:<br />
-<br />
-&#160; (1) From version 1.1-1.1.10 to 1.1.11 or later, if a <span class="term">hook_tag</span>&#160;function is in use: In version 1.1.11 and later, elements in closing tags (and not just the opening tags) are also passed to the function. There are no attribute names/values to pass, so a <span class="term">hook_tag</span>&#160;function receives only the element name. The <span class="term">hook_tag</span>&#160;function therefore may have to be edited. See <a href="#s3.4.9">section 3.4.9</a>.<br />
-<br />
-&#160; (2) From version older than 1.2.beta to later, if htmLawed was used as Kses replacement with Kses code in use: In version 1.2.beta or later, htmLawed no longer provides direct support for code that uses Kses functions (see <a href="#s2.6">section 2.6</a>).<br />
-<br />
-&#160; (3) From version older than 1.2 to later, if htmLawed is used without <span class="term">$config["safe"]</span>&#160;set to 1: Unlike previous versions, htmLawed version 1.2 and later permit <span class="term">data</span>&#160;and <span class="term">javascript</span>&#160;URL schemes by default (see <a href="#s3.4.3">section 3.4.3</a>).<br />
-<br />
-&#160; Old versions of htmLawed may be available online. E.g., for version 1.0, check <a href="http://www.bioinformatics.org/phplabware/downloads/htmLawed1.zip">http://www.bioinformatics.org/phplabware/downloads/htmLawed1.zip</a>; for 1.1.1, <a href="http://www.bioinformatics.org/phplabware/downloads/htmLawed111.zip">http://www.bioinformatics.org/phplabware/downloads/htmLawed111.zip</a>; and for 1.1.22, <a href="http://www.bioinformatics.org/phplabware/downloads/htmLawed1122.zip">http://www.bioinformatics.org/phplabware/downloads/htmLawed1122.zip</a>.<br />
-
-</div>
-<div class="sub-section"><h3>
-<a name="s4.6" id="s4.6"></a><span class="item-no">4.6</span>&#160; Comparison with <span class="term">HTMLPurifier</span>
-</h3><span class="totop"><a href="#peak">(to top)</a></span><br style="clear: both;" />
-<br />
-&#160; The HTMLPurifier PHP library by Edward Yang is a very good HTML filtering script that uses object oriented PHP code. Compared to htmLawed, it (as of year 2015):<br />
-<br />
-&#160; * &#160;does not support PHP versions older than 5.0 (HTMLPurifier dropped PHP 4 support after version 2)<br />
-<br />
-&#160; * &#160;is 15-20 times bigger (scores of files totalling more than 750 kb)<br />
-<br />
-&#160; * &#160;consumes 10-15 times more RAM memory (just including the HTMLPurifier files without calling the filter requires a few MBs of memory)<br />
-<br />
-&#160; * &#160;is expectedly slower<br />
-<br />
-&#160; * &#160;lacks many of the extra features of htmLawed (like entity conversions and code compaction/beautification)<br />
-<br />
-&#160; * &#160;has poor documentation<br />
-<br />
-&#160; However, HTMLPurifier has finer checks for character encodings and attribute values, and can log warnings and errors. Visit the HTMLPurifier <a href="http://htmlpurifier.org">website</a>&#160;for updated information.<br />
-
-</div>
-<div class="sub-section"><h3>
-<a name="s4.7" id="s4.7"></a><span class="item-no">4.7</span>&#160; Use through application plug-ins/modules
-</h3><span class="totop"><a href="#peak">(to top)</a></span><br style="clear: both;" />
-<br />
-&#160; Plug-ins/modules to implement htmLawed in applications such as Drupal may have been developed. Check the application websites and the htmLawed <a href="http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed">forum</a>.<br />
-
-</div>
-<div class="sub-section"><h3>
-<a name="s4.8" id="s4.8"></a><span class="item-no">4.8</span>&#160; Use in non-PHP applications
-</h3><span class="totop"><a href="#peak">(to top)</a></span><br style="clear: both;" />
-<br />
-&#160; Non-PHP applications written in Python, Ruby, etc., may be able to use htmLawed through system calls to the PHP engine. Such code may have been documented on the internet. Also check the forum on the htmLawed <a href="http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed">site</a>.<br />
-
-</div>
-<div class="sub-section"><h3>
-<a name="s4.9" id="s4.9"></a><span class="item-no">4.9</span>&#160; Donate
-</h3><span class="totop"><a href="#peak">(to top)</a></span><br style="clear: both;" />
-<br />
-&#160; A donation in any currency and amount to appreciate or support this software can be sent by <a href="http://paypal.com">PayPal</a>&#160;to this email address: drpatnaik at yahoo dot com.<br />
-
-</div>
-<div class="sub-section"><h3>
-<a name="s4.10" id="s4.10"></a><span class="item-no">4.10</span>&#160; Acknowledgements
-</h3><span class="totop"><a href="#peak">(to top)</a></span><br style="clear: both;" />
-<br />
-&#160; Nicholas Alipaz, Bryan Blakey, Pádraic Brady, Dac Chartrand, Alexandre Chouinard, Ulf Harnhammer, Gareth Heyes, Hakre, Klaus Leithoff, Lukasz Pilorz, Shelley Powers, Psych0tr1a, Lincoln Russell, Tomas Sykorka, Harro Verton, Edward Yang, and many anonymous users.<br />
-<br />
-&#160; Thank you!<br />
-
-</div>
-</div>
-<div class="section"><h2>
-<a name="s5" id="s5"></a><span class="item-no">5</span>&#160; Appendices
-</h2><span class="totop"><a href="#peak">(to top)</a></span><br style="clear: both;" />
-<div class="sub-section"><h3>
-<a name="s5.1" id="s5.1"></a><span class="item-no">5.1</span>&#160; Characters discouraged in XHTML
-</h3><span class="totop"><a href="#peak">(to top)</a></span><br style="clear: both;" />
-<br />
-&#160; Characters represented by the following hexadecimal code-points are <em>not</em>&#160;invalid, even though some validators may issue messages stating otherwise.<br />
-<br />
-&#160; <span class="term">7f</span>&#160;to <span class="term">84</span>, <span class="term">86</span>&#160;to <span class="term">9f</span>, <span class="term">fdd0</span>&#160;to <span class="term">fddf</span>, <span class="term">1fffe</span>, <span class="term">1ffff</span>, <span class="term">2fffe</span>, <span class="term">2ffff</span>, <span class="term">3fffe</span>, <span class="term">3ffff</span>, <span class="term">4fffe</span>, <span class="term">4ffff</span>, <span class="term">5fffe</span>, <span class="term">5ffff</span>, <span class="term">6fffe</span>, <span class="term">6ffff</span>, <span class="term">7fffe</span>, <span class="term">7ffff</span>, <span class="term">8fffe</span>, <span class="term">8ffff</span>, <span class="term">9fffe</span>, <span class="term">9ffff</span>, <span class="term">afffe</span>, <span class="term">affff</span>, <span class="term">bfffe</span>, <span class="term">bffff</span>, <span class="term">cfffe</span>, <span class="term">cffff</span>, <span class="term">dfffe</span>, <span class="term">dffff</span>, <span class="term">efffe</span>, <span class="term">effff</span>, <span class="term">ffffe</span>, <span class="term">fffff</span>, <span class="term">10fffe</span>&#160;and <span class="term">10ffff</span><br />
-
-</div>
-<div class="sub-section"><h3>
-<a name="s5.2" id="s5.2"></a><span class="item-no">5.2</span>&#160; Valid attribute-element combinations
-</h3><span class="totop"><a href="#peak">(to top)</a></span><br style="clear: both;" />
-<br />
-&#160; * &#160;includes deprecated attributes (marked <span class="term">^</span>), attributes for microdata (marked <span class="term">&#42;</span>), the non-standard <span class="term">bordercolor</span>, and new-in-HTML5 attributes (marked <span class="term">~</span>); can have multiple comma-separated values (marked <span class="term">%</span>); can have multiple space-separated values (marked <span class="term">$</span>)<br />
-&#160; * &#160;only non-frameset, HTML body elements<br />
-&#160; * &#160;<span class="term">name</span>&#160;for <span class="term">a</span>&#160;and <span class="term">map</span>, and <span class="term">lang</span>&#160;are invalid in XHTML 1.1<br />
-&#160; * &#160;<span class="term">target</span>&#160;is valid for <span class="term">a</span>&#160;in XHTML 1.1 and higher<br />
-&#160; * &#160;<span class="term">xml&#58;space</span>&#160;is only for XHTML 1.1<br />
-<br />
-&#160; abbr - td, th<br />
-&#160; accept - form, input<br />
-&#160; accept-charset - form<br />
-&#160; action - form<br />
-&#160; align - applet, caption^, col, colgroup, div^, embed, h1^, h2^, h3^, h4^, h5^, h6^, hr^, iframe, img^, input^, legend^, object^, p^, table^, tbody, td, tfoot, th, thead, tr<br />
-&#160; allowfullscreen - iframe<br />
-&#160; alt - applet, area, img, input<br />
-&#160; archive - applet, object<br />
-&#160; async~ - script<br />
-&#160; autocomplete~ - input<br />
-&#160; autofocus~ - button, input, keygen, select, textarea<br />
-&#160; autoplay~ - audio, video<br />
-&#160; axis - td, th<br />
-&#160; bgcolor - embed, table^, td^, th^, tr^<br />
-&#160; border - img, object^, table<br />
-&#160; bordercolor - table, td, tr<br />
-&#160; cellpadding - table<br />
-&#160; cellspacing - table<br />
-&#160; challenge~ - keygen<br />
-&#160; char - col, colgroup, tbody, td, tfoot, th, thead, tr<br />
-&#160; charoff - col, colgroup, tbody, td, tfoot, th, thead, tr<br />
-&#160; charset - a, script<br />
-&#160; checked - command, input<br />
-&#160; cite - blockquote, del, ins, q<br />
-&#160; classid - object<br />
-&#160; clear - br^<br />
-&#160; code - applet<br />
-&#160; codebase - object, applet<br />
-&#160; codetype - object<br />
-&#160; color - font<br />
-&#160; cols - textarea<br />
-&#160; colspan - td, th<br />
-&#160; compact - dir, dl^, menu, ol^, ul^<br />
-&#160; content - meta<br />
-&#160; controls~ - audio, video<br />
-&#160; coords - area, a<br />
-&#160; crossorigin~ - img<br />
-&#160; data - object<br />
-&#160; datetime - del, ins, time<br />
-&#160; declare - object<br />
-&#160; default~ - track<br />
-&#160; defer - script<br />
-&#160; dir - bdo<br />
-&#160; dirname~ - input, textarea<br />
-&#160; disabled - button, command, fieldset, input, keygen, optgroup, option, select, textarea<br />
-&#160; download~ - a<br />
-&#160; enctype - form<br />
-&#160; face - font<br />
-&#160; flashvars** - embed<br />
-&#160; for - label, output<br />
-&#160; form~ - button, fieldset, input, keygen, label, object, output, select, textarea<br />
-&#160; formaction~ - button, input<br />
-&#160; formenctype~ - button, input<br />
-&#160; formmethod~ - button, input<br />
-&#160; formnovalidate~ - button, input<br />
-&#160; formtarget~ - button, input<br />
-&#160; frame - table<br />
-&#160; frameborder - iframe<br />
-&#160; headers - td, th<br />
-&#160; height - applet, canvas, embed, iframe, img, input, object, td^, th^, video<br />
-&#160; high~ - meter<br />
-&#160; href - a, area, link<br />
-&#160; hreflang - a, area, link<br />
-&#160; hspace - applet, embed, img^, object^<br />
-&#160; icon~ - command<br />
-&#160; ismap - img, input<br />
-&#160; keytype~ - keygen<br />
-&#160; keyparams~ - keygen<br />
-&#160; kind~ - track<br />
-&#160; label - command, menu, option, optgroup, track<br />
-&#160; language - script^<br />
-&#160; list~ - input<br />
-&#160; longdesc - img, iframe<br />
-&#160; loop~ - audio, video<br />
-&#160; low~ - meter<br />
-&#160; marginheight - iframe<br />
-&#160; marginwidth - iframe<br />
-&#160; max~ - input, meter, progress<br />
-&#160; maxlength - input, textarea<br />
-&#160; media~ - a, area, link, source, style<br />
-&#160; mediagroup~ - audio, video<br />
-&#160; method - form<br />
-&#160; min~ - input, meter<br />
-&#160; model** - embed<br />
-&#160; multiple - input, select<br />
-&#160; muted~ - audio, video<br />
-&#160; name - a^, applet^, button, embed, fieldset, form^, iframe^, img^, input, keygen, map^, object, output, param, select, textarea<br />
-&#160; nohref - area<br />
-&#160; noshade - hr^<br />
-&#160; novalidate~ - form<br />
-&#160; nowrap - td^, th^<br />
-&#160; object - applet<br />
-&#160; open~ - details<br />
-&#160; optimum~ - meter<br />
-&#160; pattern~ - input<br />
-&#160; ping~ - a, area<br />
-&#160; placeholder~ - input, textarea<br />
-&#160; pluginspage** - embed<br />
-&#160; pluginurl** - embed<br />
-&#160; poster~ - video<br />
-&#160; pqg~ - keygen<br />
-&#160; preload~ - audio, video<br />
-&#160; prompt - isindex<br />
-&#160; pubdate~ - time<br />
-&#160; radiogroup* - command<br />
-&#160; readonly - input, textarea<br />
-&#160; required~ - input, select, textarea<br />
-&#160; rel$ - a, area, link<br />
-&#160; rev - a<br />
-&#160; reversed~ - old<br />
-&#160; rows - textarea<br />
-&#160; rowspan - td, th<br />
-&#160; rules - table<br />
-&#160; sandbox~ - iframe<br />
-&#160; scope - td, th<br />
-&#160; scoped~ - style<br />
-&#160; scrolling - iframe<br />
-&#160; seamless~ - iframe<br />
-&#160; selected - option<br />
-&#160; shape - area, a<br />
-&#160; size - font, hr^, input, select<br />
-&#160; sizes~ - link<br />
-&#160; span - col, colgroup<br />
-&#160; src - audio, embed, iframe, img, input, script, source, track, video<br />
-&#160; srcdoc~ - iframe<br />
-&#160; srclang~ - track<br />
-&#160; srcset~% - img<br />
-&#160; standby - object<br />
-&#160; start - ol<br />
-&#160; step~ - input<br />
-&#160; summary - table<br />
-&#160; target - a, area, form<br />
-&#160; type - a, area, button, command, embed, input, li, link, menu, object, ol, param, script, source, style, ul<br />
-&#160; typemustmatch~ - object<br />
-&#160; usemap - img, input, object<br />
-&#160; valign - col, colgroup, tbody, td, tfoot, th, thead, tr<br />
-&#160; value - button, data, input, li, meter, option, param, progress<br />
-&#160; valuetype - param<br />
-&#160; vspace - applet, embed, img^, object^<br />
-&#160; width - applet, canvas, col, colgroup, embed, hr^, iframe, img, input, object, pre^, table, td^, th^, video<br />
-&#160; wmode - embed<br />
-&#160; wrap~ - textarea<br />
-<br />
-&#160; The following attributes, including event-specific ones and attributes of ARIA and microdata specifications, are considered global and allowed in all elements:<br />
-<br />
-&#160; accesskey, aria-activedescendant, aria-atomic, aria-autocomplete, aria-busy, aria-checked, aria-controls, aria-describedby, aria-disabled, aria-dropeffect, aria-expanded, aria-flowto, aria-grabbed, aria-haspopup, aria-hidden, aria-invalid, aria-label, aria-labelledby, aria-level, aria-live, aria-multiline, aria-multiselectable, aria-orientation, aria-owns, aria-posinset, aria-pressed, aria-readonly, aria-relevant, aria-required, aria-selected, aria-setsize, aria-sort, aria-valuemax, aria-valuemin, aria-valuenow, aria-valuetext, class$, contenteditable, contextmenu, dir, draggable, dropzone, hidden, id, inert, itemid, itemprop, itemref, itemscope, itemtype, lang, onabort, onblur, oncanplay, oncanplaythrough, onchange, onclick, oncontextmenu, oncopy, oncuechange, oncut, ondblclick, ondrag, ondragend, ondragenter, ondragleave, ondragover, ondragstart, ondrop, ondurationchange, onemptied, onended, onerror, onfocus, onformchange, onforminput, oninput, oninvalid, onkeydown, onkeypress, onkeyup, onload, onloadeddata, onloadedmetadata, onloadstart, onlostpointercapture, onmousedown, onmousemove, onmouseout, onmouseover, onmouseup, onmousewheel, onpaste, onpause, onplay, onplaying, onpointercancel, ongotpointercapture, onpointerdown, onpointerenter, onpointerleave, onpointermove, onpointerout, onpointerover, onpointerup, onprogress, onratechange, onreadystatechange, onreset, onsearch, onscroll, onseeked, onseeking, onselect, onshow, onstalled, onsubmit, onsuspend, ontimeupdate, ontoggle, ontouchcancel, ontouchend, ontouchmove, ontouchstart, onvolumechange, onwaiting, onwheel, role, spellcheck, style, tabindex, title, translate, xmlns, xml:base, xml:lang, xml:space<br />
-<br />
-&#160; Custom <em>data-*</em>&#160;attributes, where the first three characters of the value of <em>star</em>&#160;(*) after lower-casing do not equal <span class="term">xml</span>&#160;and the value of <em>star</em>&#160;does not have a colon (:), equal-to (=), newline, solidus (/), space, tab, or any A-Z character, are also considered global and allowed in all elements.<br />
-
-</div>
-<div class="sub-section"><h3>
-<a name="s5.3" id="s5.3"></a><span class="item-no">5.3</span>&#160; CSS 2.1 properties accepting URLs
-</h3><span class="totop"><a href="#peak">(to top)</a></span><br style="clear: both;" />
-<br />
-&#160; background<br />
-&#160; background-image<br />
-&#160; content<br />
-&#160; cue-after<br />
-&#160; cue-before<br />
-&#160; cursor<br />
-&#160; list-style<br />
-&#160; list-style-image<br />
-&#160; play-during<br />
-
-</div>
-<div class="sub-section"><h3>
-<a name="s5.4" id="s5.4"></a><span class="item-no">5.4</span>&#160; Microsoft Windows 1252 character replacements
-</h3><span class="totop"><a href="#peak">(to top)</a></span><br style="clear: both;" />
-<br />
-&#160; Key: <span class="term">d</span>&#160;double, <span class="term">l</span>&#160;left, <span class="term">q</span>&#160;quote, <span class="term">r</span>&#160;right, <span class="term">s.</span>&#160;single<br />
-<br />
-&#160; Code-point (decimal) - hexadecimal value - replacement entity - represented character<br />
-<br />
-&#160; 127 - 7f - (removed) - (not used)<br />
-&#160; 128 - 80 - &amp;#8364; - euro<br />
-&#160; 129 - 81 - (removed) - (not used)<br />
-&#160; 130 - 82 - &amp;#8218; - baseline s. q<br />
-&#160; 131 - 83 - &amp;#402; - florin<br />
-&#160; 132 - 84 - &amp;#8222; - baseline d q<br />
-&#160; 133 - 85 - &amp;#8230; - ellipsis<br />
-&#160; 134 - 86 - &amp;#8224; - dagger<br />
-&#160; 135 - 87 - &amp;#8225; - d dagger<br />
-&#160; 136 - 88 - &amp;#710; - circumflex accent<br />
-&#160; 137 - 89 - &amp;#8240; - permile<br />
-&#160; 138 - 8a - &amp;#352; - S Hacek<br />
-&#160; 139 - 8b - &amp;#8249; - l s. guillemet<br />
-&#160; 140 - 8c - &amp;#338; - OE ligature<br />
-&#160; 141 - 8d - (removed) - (not used)<br />
-&#160; 142 - 8e - &amp;#381; - Z dieresis<br />
-&#160; 143 - 8f - (removed) - (not used)<br />
-&#160; 144 - 90 - (removed) - (not used)<br />
-&#160; 145 - 91 - &amp;#8216; - l s. q<br />
-&#160; 146 - 92 - &amp;#8217; - r s. q<br />
-&#160; 147 - 93 - &amp;#8220; - l d q<br />
-&#160; 148 - 94 - &amp;#8221; - r d q<br />
-&#160; 149 - 95 - &amp;#8226; - bullet<br />
-&#160; 150 - 96 - &amp;#8211; - en dash<br />
-&#160; 151 - 97 - &amp;#8212; - em dash<br />
-&#160; 152 - 98 - &amp;#732; - tilde accent<br />
-&#160; 153 - 99 - &amp;#8482; - trademark<br />
-&#160; 154 - 9a - &amp;#353; - s Hacek<br />
-&#160; 155 - 9b - &amp;#8250; - r s. guillemet<br />
-&#160; 156 - 9c - &amp;#339; - oe ligature<br />
-&#160; 157 - 9d - (removed) - (not used)<br />
-&#160; 158 - 9e - &amp;#382; - z dieresis<br />
-&#160; 159 - 9f - &amp;#376; - Y dieresis<br />
-
-</div>
-<div class="sub-section"><h3>
-<a name="s5.5" id="s5.5"></a><span class="item-no">5.5</span>&#160; URL format
-</h3><span class="totop"><a href="#peak">(to top)</a></span><br style="clear: both;" />
-<br />
-&#160; An <em>absolute</em>&#160;URL has a <span class="term">protocol</span>&#160;or <span class="term">scheme</span>, a <span class="term">network location</span>&#160;or <span class="term">hostname</span>, and, optional <span class="term">path</span>, <span class="term">parameters</span>, <span class="term">query</span>&#160;and <span class="term">fragment</span>&#160;segments. Thus, an absolute URL has this generic structure:<br />
-<br />
-
-<code class="code">&#160; &#160; (scheme) &#58; (//network location) /(path) ;(parameters) ?(query) #(fragment)</code>
-<br />
-<br />
-&#160; The schemes can only contain letters, digits, <span class="term">+</span>, <span class="term">.</span>&#160;and <span class="term">-</span>. Hostname is the portion after the <span class="term">//</span>&#160;and up to the first <span class="term">/</span>&#160;(if any; else, up to the end) when <span class="term">&#58;</span>&#160;is followed by a <span class="term">//</span>&#160;(e.g., <span class="term">abc.com</span>&#160;in <span class="term">ftp&#58;//abc.com/def</span>); otherwise, it consists of everything after the <span class="term">&#58;</span>&#160;(e.g., <span class="term">def@abc.com</span>&#160;in mailto:def@abc.com').<br />
-<br />
-&#160; <em>Relative</em>&#160;URLs do not have explicit schemes and network locations; such values are inherited from a <em>base</em>&#160;URL.<br />
-
-</div>
-<div class="sub-section"><h3>
-<a name="s5.6" id="s5.6"></a><span class="item-no">5.6</span>&#160; Brief on htmLawed code
-</h3><span class="totop"><a href="#peak">(to top)</a></span><br style="clear: both;" />
-<br />
-&#160; Much of the code's logic and reasoning can be understood from the documentation above.<br />
-<br />
-&#160; The <strong>output</strong>&#160;of htmLawed is a text string containing the processed input. There is no custom error tracking.<br />
-<br />
-&#160; <strong>Function arguments</strong>&#160;for htmLawed are:<br />
-<br />
-&#160; * &#160;<span class="term">$in</span>&#160;- first argument; a text string; the <strong>input text</strong>&#160;to be processed. Any extraneous slashes added by PHP when <em>magic quotes</em>&#160;are enabled should be removed beforehand using PHP's <span class="term">stripslashes()</span>&#160;function.<br />
-<br />
-&#160; * &#160;<span class="term">$config</span>&#160;- second argument; an associative array; optional; named <span class="term">$C</span>&#160;within htmLawed code. The array has keys with names like <span class="term">balance</span>&#160;and <span class="term">keep_bad</span>, and the values, which can be boolean, string, or array, depending on the key, are read to accordingly set the <strong>configurable parameters</strong>&#160;(indicated by the keys). All configurable parameters receive some default value if the value to be used is not specified by the user through <span class="term">$config</span>. <em>Finalized</em>&#160;<span class="term">$config</span>&#160;is thus a filtered and possibly larger array.<br />
-<br />
-&#160; * &#160;<span class="term">$spec</span>&#160;- third argument; a text string; optional. The string has rules, written in an htmLawed-designated format, <strong>specifying</strong>&#160;element-specific attribute and attribute value restrictions. Function <span class="term">hl_spec()</span>&#160;is used to convert the string to an associative-array, named <span class="term">$S</span>&#160;within htmLawed code, for internal use. <em>Finalized</em>&#160;<span class="term">$spec</span>&#160;is thus an array.<br />
-<br />
-&#160; <em>Finalized</em>&#160;<span class="term">$config</span>&#160;and <span class="term">$spec</span>&#160;are made <strong>global variables</strong>&#160;while htmLawed is at work. Values of any pre-existing global variables with same names are noted, and their values are restored after htmLawed finishes processing the input (to capture the <em>finalized</em>&#160;values, the <span class="term">show_settings</span>&#160;parameter of <span class="term">$config</span>&#160;should be used). Depending on <span class="term">$config</span>, another global variable <span class="term">hl_Ids</span>, to track <span class="term">id</span>&#160;attribute values for uniqueness, may be set. Unlike the other two variables, this one is not reset (or unset) post-processing.<br />
-<br />
-&#160; Except for the main <span class="term">htmLawed()</span>&#160;function, htmLawed's functions are <strong>name-spaced</strong>&#160;using the <span class="term">hl_</span>&#160;prefix. The <strong>functions</strong>&#160;and their roles are:<br />
-<br />
-&#160; * &#160;<span class="term">hl_attrval</span>&#160;- check attribute values against <span class="term">$spec</span><br />
-&#160; * &#160;<span class="term">hl_bal</span>&#160;- balance tags and ensure proper nesting<br />
-&#160; * &#160;<span class="term">hl_cmtcd</span>&#160;- handle CDATA sections and HTML comments<br />
-&#160; * &#160;<span class="term">hl_ent</span>&#160;- handle character entities<br />
-&#160; * &#160;<span class="term">hl_prot</span>&#160;- check a URL scheme/protocol<br />
-&#160; * &#160;<span class="term">hl_regex</span>&#160;- check syntax of a regular expression<br />
-&#160; * &#160;<span class="term">hl_spec</span>&#160;- convert user-supplied <span class="term">$spec</span>&#160;value to one used internally<br />
-&#160; * &#160;<span class="term">hl_tag</span>&#160;- handle element tags and attributes<br />
-&#160; * &#160;<span class="term">hl_tag2</span>&#160;- transform element tags<br />
-&#160; * &#160;<span class="term">hl_tidy</span>&#160;- compact/beautify HTML<br />
-&#160; * &#160;<span class="term">hl_version</span>&#160;- report htmLawed version<br />
-&#160; * &#160;<span class="term">htmLawed</span>&#160;- main function<br />
-<br />
-&#160; <span class="term">htmLawed()</span>&#160;finalizes <span class="term">$spec</span>&#160;(with the help of <span class="term">hl_spec()</span>) and <span class="term">$config</span>, and globalizes them. Finalization of <span class="term">$config</span>&#160;involves setting default values if an inappropriate or invalid one is supplied. This includes calling <span class="term">hl_regex()</span>&#160;to check well-formedness of regular expression patterns if such expressions are user-supplied through <span class="term">$config</span>. <span class="term">htmLawed()</span>&#160;then removes invalid characters like nulls and <span class="term">x01</span>&#160;and appropriately handles entities using <span class="term">hl_ent()</span>. HTML comments and CDATA sections are identified and treated as per <span class="term">$config</span>&#160;with the help of <span class="term">hl_cmtcd()</span>. When retained, the <span class="term">&lt;</span>&#160;and <span class="term">&gt;</span>&#160;characters identifying them, and the <span class="term">&lt;</span>, <span class="term">&gt;</span>&#160;and <span class="term">&amp;</span>&#160;characters inside them, are replaced with control characters (code-points <span class="term">1</span>&#160;to <span class="term">5</span>) till any tag balancing is completed.<br />
-<br />
-&#160; After this <em>initial processing</em>&#160;<span class="term">htmLawed()</span>&#160;identifies tags using regex and processes them with the help of <span class="term">hl_tag()</span>&#160;-- &#160;a large function that analyzes tag content, filtering it as per HTML standards, <span class="term">$config</span>&#160;and <span class="term">$spec</span>. Among other things, <span class="term">hl_tag()</span>&#160;transforms deprecated elements using <span class="term">hl_tag2()</span>, removes attributes from closing tags, checks attribute values as per <span class="term">$spec</span>&#160;rules using <span class="term">hl_attrval()</span>, and checks URL protocols using <span class="term">hl_prot()</span>. <span class="term">htmLawed()</span>&#160;performs tag balancing and nesting checks with a call to <span class="term">hl_bal()</span>, and optionally compacts/beautifies the output with proper white-spacing with a call to <span class="term">hl_tidy()</span>. The latter temporarily replaces white-space, and <span class="term">&lt;</span>, <span class="term">&gt;</span>&#160;and <span class="term">&amp;</span>&#160;characters inside <span class="term">pre</span>, <span class="term">script</span>&#160;and <span class="term">textarea</span>&#160;elements, and HTML comments and CDATA sections with control characters (code-points <span class="term">1</span>&#160;to <span class="term">5</span>, and <span class="term">7</span>).<br />
-<br />
-&#160; htmLawed permits the use of custom code or <strong>hook functions</strong>&#160;at two stages. The first, called inside <span class="term">htmLawed()</span>, allows the input text as well as the finalized <span class="term">$config</span>&#160;and <span class="term">$spec</span>&#160;values to be altered right after the initial processing (see <a href="#s3.7">section 3.7</a>). The second is called by <span class="term">hl_tag()</span>&#160;once the tag content is finalized (see <a href="#s3.4.9">section 3.4.9</a>).<br />
-<br />
-&#160; The functionality of htmLawed is dictated by the external HTML standards. The code of htmLawed is thus written for a clear-cut aim, with not much concern for tweaking by other developers. The code is only minimally annotated with comments -- it is not meant to instruct. PHP developers familiar with the HTML specifications will see the logic, and others can always refer to the htmLawed documentation.
-</div>
-</div>
-<br />
-<hr /><br /><br /><span class="subtle"><small>HTM version of <em><a href="htmLawed_README.txt">htmLawed_README.txt</a></em> generated on 25 Sep, 2019 using <a href="http://www.bioinformatics.org/phplabware/internal_utilities">rTxt2htm</a> from PHP Labware</small></span>
-</div><!-- ended div body -->
-</div><!-- ended div top -->
-</body>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

+<head>

+<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />

+<meta http-equiv="Content-Language" content="en" />

+<meta name="description" content="htmLawed PHP software is a free, open-source, customizable HTML input purifier and filter - htmLawed_README.txt - presented with rTxt2htm, a PHP Labware utility" />

+<meta name="keywords" content="htmLawed, HTM, HTML, HTML5, HTML 5, XHTML, XHTML5, HTML Tidy, converter, filter, formatter, purifier, sanitizer, XSS, input, PHP, software, code, script, security, cross-site scripting, hack, sanitize, remove, standards, tags, attributes, elements, Aria, Ruby, data attributes, tidy, indent, auto-indent, prettify, pretty print, htmLawed_README.txt, rTxt2htm, PHP Labware" />

+<style type="text/css" media="all">

+<!--/*--><![CDATA[/*><!--*/

+a {text-decoration:none; color: blue;}

+a:hover {color: red;}

+a:visited {color: blue;}

+body {margin: 0; padding: 0;}

+body, div, html, p {font-family: Georgia, 'Times new roman', Times;}

+code.code {font-family: 'Bitstream vera sans mono', 'Courier New', 'Courier', monospace;}

+div.comment {padding: 5px; color: #999999; font-size: 80%;}

+div.comment a {color: #6699cc;}

+div#body {width: 70%; margin: 5px; padding: 5px;} /* holds non-toc content */

+div#toc {position: fixed; top: 5px; left: 73%; z-index: 2; margin-top: 5px; margin-left: 5px; border: 1px solid gray; padding: 5px; background-color: #ededed; width: 23%; overflow: auto; max-height:94%; font-size: 90%;} /* holds content table (toc) */

+div#top {font-size: 14px; margin: 5px; padding: 5px;} /* holds all content */

+div.monospace {overflow: auto; font-family: 'Bitstream vera sans mono', 'Courier New', 'Courier', monospace;}

+div.sub-section {padding-left: 15px;}

+div.sub-sub-section {padding-left: 30px;}

+h1 {font-size: 22px; margin-top: 5px; margin-bottom: 5px;}

+h2 {font-size: 20px; float: left; margin-top: 15px; margin-bottom: 5px;}

+h3 {font-size: 18px; float: left; margin-top: 15px; margin-bottom: 5px;}

+h4 {font-size: 16px; float: left; margin-top: 15px; margin-bottom: 5px;}

+hr {margin-top: 15px; margin-bottom: 5px;}

+input, textarea {font-family: 'Bitstream vera sans mono', 'Courier New', 'Courier', monospace;}

+p.subtle {color: gray; padding: 0; padding-top: 10px; margin: 0;}

+p.subtle a, p.subtle a:visited {color: #6699cc;}

+span.item-no {color: black;}

+span.subtle {color: gray; margin: 0; padding:0;}

+span.subtle a, span.subtle a:visited {color: #6699cc;}

+span.term {font-family: 'Bitstream vera sans mono', 'Courier New', 'Courier', monospace;}

+span.toc-item {color: black;}

+span.totop {float: right; margin-top: 15px; margin-bottom: 5px;}

+span.totop a, span.totop a:visited {color: #6699cc;}

+@media screen { /* fixes for old IE */

+ * html, * html body {overflow-y: auto!important; height: 100%; margin: 0; padding: 0;}

+ * html div#body {height: 100%; overflow-y: auto; position: relative;}

+ * html div#toc {position: absolute;}

+}

+/*]]>*/-->

+</style>

+<title>htmLawed documentation | htmLawed PHP software is a free, open-source, customizable HTML input purifier and filter</title>

+</head>

+<body>

+<div id="top">

+<h1><a id="peak" name="peak"></a>htmLawed documentation</h1>

+

+<div id="toc"><span class="toc-item"><a href="#s1"><span class="item-no">1</span>&#160; About htmLawed</a></span><br />

+&#160; <span class="toc-item"><a href="#s1.1"><span class="item-no">1.1</span>&#160; Example uses</a></span><br />

+&#160; <span class="toc-item"><a href="#s1.2"><span class="item-no">1.2</span>&#160; Features</a></span><br />

+&#160; <span class="toc-item"><a href="#s1.3"><span class="item-no">1.3</span>&#160; History</a></span><br />

+&#160; <span class="toc-item"><a href="#s1.4"><span class="item-no">1.4</span>&#160; License &amp; copyright</a></span><br />

+&#160; <span class="toc-item"><a href="#s1.5"><span class="item-no">1.5</span>&#160; Terms used here</a></span><br />

+&#160; <span class="toc-item"><a href="#s1.6"><span class="item-no">1.6</span>&#160; Availability</a></span><br />

+<span class="toc-item"><a href="#s2"><span class="item-no">2</span>&#160; Usage</a></span><br />

+&#160; <span class="toc-item"><a href="#s2.1"><span class="item-no">2.1</span>&#160; Simple</a></span><br />

+&#160; <span class="toc-item"><a href="#s2.2"><span class="item-no">2.2</span>&#160; Configuring htmLawed using the <span class="term">$config</span>&#160;argument</a></span><br />

+&#160; <span class="toc-item"><a href="#s2.3"><span class="item-no">2.3</span>&#160; Extra HTML specifications using the <span class="term">$spec</span>&#160;argument</a></span><br />

+&#160; <span class="toc-item"><a href="#s2.4"><span class="item-no">2.4</span>&#160; Performance time &amp; memory usage</a></span><br />

+&#160; <span class="toc-item"><a href="#s2.5"><span class="item-no">2.5</span>&#160; Some security risks to keep in mind</a></span><br />

+&#160; <span class="toc-item"><a href="#s2.6"><span class="item-no">2.6</span>&#160; Use with <span class="term">kses()</span>&#160;code</a></span><br />

+&#160; <span class="toc-item"><a href="#s2.7"><span class="item-no">2.7</span>&#160; Tolerance for ill-written HTML</a></span><br />

+&#160; <span class="toc-item"><a href="#s2.8"><span class="item-no">2.8</span>&#160; Limitations &amp; work-arounds</a></span><br />

+&#160; <span class="toc-item"><a href="#s2.9"><span class="item-no">2.9</span>&#160; Examples of usage</a></span><br />

+<span class="toc-item"><a href="#s3"><span class="item-no">3</span>&#160; Details</a></span><br />

+&#160; <span class="toc-item"><a href="#s3.1"><span class="item-no">3.1</span>&#160; Invalid/dangerous characters</a></span><br />

+&#160; <span class="toc-item"><a href="#s3.2"><span class="item-no">3.2</span>&#160; Character references/entities</a></span><br />

+&#160; <span class="toc-item"><a href="#s3.3"><span class="item-no">3.3</span>&#160; HTML elements</a></span><br />

+&#160; &#160; <span class="toc-item"><a href="#s3.3.1"><span class="item-no">3.3.1</span>&#160; HTML comments &amp; <span class="term">CDATA</span>&#160;sections</a></span><br />

+&#160; &#160; <span class="toc-item"><a href="#s3.3.2"><span class="item-no">3.3.2</span>&#160; Tag-transformation for better compliance with standards</a></span><br />

+&#160; &#160; <span class="toc-item"><a href="#s3.3.3"><span class="item-no">3.3.3</span>&#160; Tag balancing &amp; proper nesting</a></span><br />

+&#160; &#160; <span class="toc-item"><a href="#s3.3.4"><span class="item-no">3.3.4</span>&#160; Elements requiring child elements</a></span><br />

+&#160; &#160; <span class="toc-item"><a href="#s3.3.5"><span class="item-no">3.3.5</span>&#160; Beautify or compact HTML</a></span><br />

+&#160; <span class="toc-item"><a href="#s3.4"><span class="item-no">3.4</span>&#160; Attributes</a></span><br />

+&#160; &#160; <span class="toc-item"><a href="#s3.4.1"><span class="item-no">3.4.1</span>&#160; Auto-addition of XHTML-required attributes</a></span><br />

+&#160; &#160; <span class="toc-item"><a href="#s3.4.2"><span class="item-no">3.4.2</span>&#160; Duplicate/invalid <span class="term">id</span>&#160;values</a></span><br />

+&#160; &#160; <span class="toc-item"><a href="#s3.4.3"><span class="item-no">3.4.3</span>&#160; URL schemes &amp; scripts in attribute values</a></span><br />

+&#160; &#160; <span class="toc-item"><a href="#s3.4.4"><span class="item-no">3.4.4</span>&#160; Absolute &amp; relative URLs</a></span><br />

+&#160; &#160; <span class="toc-item"><a href="#s3.4.5"><span class="item-no">3.4.5</span>&#160; Lower-cased, standard attribute values</a></span><br />

+&#160; &#160; <span class="toc-item"><a href="#s3.4.6"><span class="item-no">3.4.6</span>&#160; Transformation of deprecated attributes</a></span><br />

+&#160; &#160; <span class="toc-item"><a href="#s3.4.7"><span class="item-no">3.4.7</span>&#160; Anti-spam &amp; <span class="term">href</span></a></span><br />

+&#160; &#160; <span class="toc-item"><a href="#s3.4.8"><span class="item-no">3.4.8</span>&#160; Inline style properties</a></span><br />

+&#160; &#160; <span class="toc-item"><a href="#s3.4.9"><span class="item-no">3.4.9</span>&#160; Hook function for tag content</a></span><br />

+&#160; <span class="toc-item"><a href="#s3.5"><span class="item-no">3.5</span>&#160; Simple configuration directive for most valid XHTML</a></span><br />

+&#160; <span class="toc-item"><a href="#s3.6"><span class="item-no">3.6</span>&#160; Simple configuration directive for most <em>safe</em>&#160;HTML</a></span><br />

+&#160; <span class="toc-item"><a href="#s3.7"><span class="item-no">3.7</span>&#160; Using a hook function</a></span><br />

+&#160; <span class="toc-item"><a href="#s3.8"><span class="item-no">3.8</span>&#160; Obtaining <em>finalized</em>&#160;parameter values</a></span><br />

+&#160; <span class="toc-item"><a href="#s3.9"><span class="item-no">3.9</span>&#160; Retaining non-HTML tags in input with mixed markup</a></span><br />

+<span class="toc-item"><a href="#s4"><span class="item-no">4</span>&#160; Other</a></span><br />

+&#160; <span class="toc-item"><a href="#s4.1"><span class="item-no">4.1</span>&#160; Support</a></span><br />

+&#160; <span class="toc-item"><a href="#s4.2"><span class="item-no">4.2</span>&#160; Known issues</a></span><br />

+&#160; <span class="toc-item"><a href="#s4.3"><span class="item-no">4.3</span>&#160; Change-log</a></span><br />

+&#160; <span class="toc-item"><a href="#s4.4"><span class="item-no">4.4</span>&#160; Testing</a></span><br />

+&#160; <span class="toc-item"><a href="#s4.5"><span class="item-no">4.5</span>&#160; Upgrade, &amp; old versions</a></span><br />

+&#160; <span class="toc-item"><a href="#s4.6"><span class="item-no">4.6</span>&#160; Comparison with <span class="term">HTMLPurifier</span></a></span><br />

+&#160; <span class="toc-item"><a href="#s4.7"><span class="item-no">4.7</span>&#160; Use through application plug-ins/modules</a></span><br />

+&#160; <span class="toc-item"><a href="#s4.8"><span class="item-no">4.8</span>&#160; Use in non-PHP applications</a></span><br />

+&#160; <span class="toc-item"><a href="#s4.9"><span class="item-no">4.9</span>&#160; Donate</a></span><br />

+&#160; <span class="toc-item"><a href="#s4.10"><span class="item-no">4.10</span>&#160; Acknowledgements</a></span><br />

+<span class="toc-item"><a href="#s5"><span class="item-no">5</span>&#160; Appendices</a></span><br />

+&#160; <span class="toc-item"><a href="#s5.1"><span class="item-no">5.1</span>&#160; Characters discouraged in HTML</a></span><br />

+&#160; <span class="toc-item"><a href="#s5.2"><span class="item-no">5.2</span>&#160; Valid attribute-element combinations</a></span><br />

+&#160; <span class="toc-item"><a href="#s5.3"><span class="item-no">5.3</span>&#160; CSS 2.1 properties accepting URLs</a></span><br />

+&#160; <span class="toc-item"><a href="#s5.4"><span class="item-no">5.4</span>&#160; Microsoft Windows 1252 character replacements</a></span><br />

+&#160; <span class="toc-item"><a href="#s5.5"><span class="item-no">5.5</span>&#160; URL format</a></span><br />

+&#160; <span class="toc-item"><a href="#s5.6"><span class="item-no">5.6</span>&#160; Brief on htmLawed code</a></span></div><!-- ended div toc -->

+

+<div id="body">

+<br />

+<div class="comment">htmLawed_README.txt, 24 September 2019<br />

+htmLawed 1.2.5, 24 September 2019<br />

+Copyright Santosh Patnaik<br />

+Dual licensed with LGPL 3 and GPL 2+<br />

+A PHP Labware internal utility &#45; <a href="http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed">http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed</a>&#160;</div>

+<br />

+

+<div class="section"><h2>

+<a name="s1" id="s1"></a><span class="item-no">1</span>&#160; About htmLawed

+</h2><span class="totop"><a href="#peak">(to top)</a></span><br style="clear: both;" />

+<br />

+&#160; htmLawed is a PHP script to process text with HTML markup to make it more compliant with HTML standards and with administrative policies. It works by making HTML well-formed with balanced and properly nested tags, neutralizing code that introduces a security vulnerability or is used for cross-site scripting (XSS) attacks, allowing only specified HTML tags and attributes, and so on. Such <em>lawing in</em>&#160;of HTML code ensures that it is in accordance with the aesthetics, safety and usability requirements set by administrators.<br />

+<br />

+&#160; htmLawed is highly customizable, and fast with low memory usage. Its free and open-source code is in one small file. It does not require extensions or libraries, and works in older versions of PHP as well. It is a good alternative to the HTML <a href="http://tidy.sourceforge.net">Tidy</a>&#160;application.<br />

+

+<div class="sub-section"><h3>

+<a name="s1.1" id="s1.1"></a><span class="item-no">1.1</span>&#160; Example uses

+</h3><span class="totop"><a href="#peak">(to top)</a></span><br style="clear: both;" />

+<br />

+&#160; * &#160;Filtering of text submitted as comments on blogs to allow only certain HTML elements<br />

+<br />

+&#160; * &#160;Making RSS newsfeed items standard-compliant: often one uses an excerpt from an HTML document for the content, and with unbalanced tags, non-numerical entities, etc., such excerpts may not be XML-compliant<br />

+<br />

+&#160; * &#160;Beautifying or pretty-printing HTML code<br />

+<br />

+&#160; * &#160;Text processing for stricter XML standard-compliance: e.g., to have lowercased <span class="term">x</span>&#160;in hexadecimal numeric entities becomes necessary if an HTML document with MathML content needs to be served as <span class="term">application/xml</span><br />

+<br />

+&#160; * &#160;Scraping text from web-pages<br />

+<br />

+&#160; * &#160;Transforming an HTML element to another<br />

+

+</div>

+<div class="sub-section"><h3>

+<a name="s1.2" id="s1.2"></a><span class="item-no">1.2</span>&#160; Features

+</h3><span class="totop"><a href="#peak">(to top)</a></span><br style="clear: both;" />

+<br />

+&#160; Key: <span class="term">&#42;</span>&#160;security feature, <span class="term">^</span>&#160;standard compliance, <span class="term">~</span>&#160;requires setting right options<br />

+<br />

+&#160; htmLawed:<br />

+<br />

+&#160; * &#160;makes input more <strong>secure</strong>&#160;and <strong>standard-compliant</strong>&#160;for HTML as well as generic <strong>XML</strong>&#160;documents &#160;^<br />

+&#160; * &#160;supports markup for <strong>HTML 5</strong>&#160;and <strong>microdata, ARIA, Ruby, custom attributes</strong>, etc. &#160;^<br />

+&#160; * &#160;can <strong>beautify</strong>&#160;or <strong>compact</strong>&#160;HTML &#160;~<br />

+&#160; * &#160;works with input of almost any <strong>character encoding</strong>&#160;and does not affect it<br />

+&#160; * &#160;has good <strong>tolerance for ill-written HTML</strong><br />

+<br />

+&#160; * &#160;can enforce <strong>restricted use of elements</strong>&#160; *~<br />

+&#160; * &#160;ensures proper closure of empty elements like <span class="term">img</span>&#160; ^<br />

+&#160; * &#160;<strong>transforms deprecated elements</strong>&#160;like <span class="term">font</span>&#160; ^~<br />

+&#160; * &#160;can permit HTML <strong>comments</strong>&#160;and <strong>CDATA</strong>&#160;sections &#160;^~<br />

+&#160; * &#160;can permit all elements, including <span class="term">script</span>, <span class="term">object</span>&#160;and <span class="term">form</span>&#160; ~<br />

+<br />

+&#160; * &#160;can <strong>restrict attributes by element</strong>&#160; ^~<br />

+&#160; * &#160;removes <strong>invalid attributes</strong>&#160; ^<br />

+&#160; * &#160;lower-cases element and attribute names &#160;^<br />

+&#160; * &#160;provides <strong>required attributes</strong>, like <span class="term">alt</span>&#160;for <span class="term">image</span>&#160; ^<br />

+&#160; * &#160;<strong>transforms deprecated attributes</strong>&#160; ^~<br />

+&#160; * &#160;ensures attributes are <strong>declared only once</strong>&#160; ^<br />

+&#160; * &#160;permits <strong>custom</strong>, non-standard attributes as well as custom rules for standard attributes &#160;~<br />

+<br />

+&#160; * &#160;declares value for <em>empty</em>&#160;(<em>minimized</em>&#160;or <em>boolean</em>) attributes like <span class="term">checked</span>&#160; ^<br />

+&#160; * &#160;checks for potentially dangerous attribute values &#160;*~<br />

+&#160; * &#160;ensures <strong>unique</strong>&#160;<span class="term">id</span>&#160;attribute values &#160;^~<br />

+&#160; * &#160;<strong>double-quotes</strong>&#160;attribute values &#160;^<br />

+&#160; * &#160;lower-cases <strong>standard attribute values</strong>&#160;like <span class="term">password</span>&#160; ^<br />

+<br />

+&#160; * &#160;can restrict <strong>URL protocol/scheme by attribute</strong>&#160; *~<br />

+&#160; * &#160;can disable <strong>dynamic expressions</strong>&#160;in <span class="term">style</span>&#160;values &#160;*~<br />

+<br />

+&#160; * &#160;neutralizes invalid named <strong>character entities</strong>&#160; ^<br />

+&#160; * &#160;converts hexadecimal numeric entities to decimal ones, or vice versa &#160;^~<br />

+&#160; * &#160;converts named entities to numeric ones for generic XML use &#160;^~<br />

+<br />

+&#160; * &#160;removes <strong>null</strong>&#160;characters &#160;*<br />

+&#160; * &#160;neutralizes potentially dangerous proprietary Netscape <strong>Javascript entities</strong>&#160; *<br />

+&#160; * &#160;replaces potentially dangerous <strong>soft-hyphen</strong>&#160;character in URL-accepting attribute values with spaces &#160;*<br />

+<br />

+&#160; * &#160;removes common <strong>invalid characters</strong>&#160;not allowed in HTML or XML &#160;^<br />

+&#160; * &#160;replaces <strong>characters from Microsoft applications</strong>&#160;like <span class="term">Word</span>&#160;that are discouraged in HTML or XML &#160;^~<br />

+&#160; * &#160;neutralize entities for characters invalid or discouraged in HTML or XML &#160;^<br />

+&#160; * &#160;appropriately neutralize <span class="term">&lt;</span>, <span class="term">&amp;</span>, <span class="term">"</span>, and <span class="term">&gt;</span>&#160;characters &#160;^*<br />

+<br />

+&#160; * &#160;understands improperly spaced tag content (e.g., spread over more than a line) and properly spaces them<br />

+&#160; * &#160;attempts to <strong>balance tags</strong>&#160;for well-formedness &#160;^~<br />

+&#160; * &#160;understands when <strong>omitable closing tags</strong>&#160;like <span class="term">&lt;/p&gt;</span>&#160;are missing &#160;^~<br />

+&#160; * &#160;attempts to permit only <strong>validly nested tags</strong>&#160; ^~<br />

+&#160; * &#160;can <strong>either remove or neutralize bad content</strong>&#160;^~<br />

+&#160; * &#160;attempts to <strong>rectify common errors of plain-text misplacement</strong>&#160;(e.g., directly inside <span class="term">blockquote</span>) ^~<br />

+<br />

+&#160; * &#160;has optional <strong>anti-spam</strong>&#160;measures such as addition of <span class="term">rel="nofollow"</span>&#160;and link-disabling &#160;~<br />

+&#160; * &#160;optionally makes <strong>relative URLs absolute</strong>, and vice versa &#160;~<br />

+<br />

+&#160; * &#160;optionally marks <span class="term">&amp;</span>&#160;to identify the entities for <span class="term">&amp;</span>, <span class="term">&lt;</span>&#160;and <span class="term">&gt;</span>&#160;introduced by it &#160;~<br />

+<br />

+&#160; * &#160;allows deployment of powerful <strong>hook functions</strong>&#160;to <strong>inject</strong>&#160;HTML, <strong>consolidate</strong>&#160;<span class="term">style</span>&#160;attributes to <span class="term">class</span>, finely check attribute values, etc. &#160;~<br />

+

+</div>

+<div class="sub-section"><h3>

+<a name="s1.3" id="s1.3"></a><span class="item-no">1.3</span>&#160; History

+</h3><span class="totop"><a href="#peak">(to top)</a></span><br style="clear: both;" />

+<br />

+&#160; htmLawed was created in 2007 for use with <span class="term">LabWiki</span>, a wiki software developed at PHP Labware, as a suitable software could not be found. Existing PHP software like <span class="term">Kses</span>&#160;and <span class="term">HTMLPurifier</span>&#160;were deemed inadequate, slow, resource-intensive, or dependent on an extension or external application like <span class="term">HTML Tidy</span>. The core logic of htmLawed, that of identifying HTML elements and attributes, was based on the <span class="term">Kses</span>&#160;(version 0.2.2) HTML filter software of Ulf Harnhammar (it can still be used with code that uses <span class="term">Kses</span>; see <a href="#s2.6">section 2.6</a>.). Support for HTML version 5 was added in May 2013 in a beta and in February 2017 in a production release.<br />

+<br />

+&#160; See <a href="#s4.3">section 4.3</a>&#160;for a detailed log of changes in htmLawed over the years, and <a href="#s4.10">section 4.10</a>&#160;for acknowledgements.<br />

+

+</div>

+<div class="sub-section"><h3>

+<a name="s1.4" id="s1.4"></a><span class="item-no">1.4</span>&#160; License &amp; copyright

+</h3><span class="totop"><a href="#peak">(to top)</a></span><br style="clear: both;" />

+<br />

+&#160; htmLawed is free and open-source software, copyrighted by Santosh Patnaik, MD, PhD, and dual-licensed with LGPL version <a href="http://www.gnu.org/licenses/lgpl-3.0.txt">3</a>, and GPL version <a href="http://www.gnu.org/licenses/gpl-2.0.txt">2</a>&#160;(or later) licenses.<br />

+

+</div>

+<div class="sub-section"><h3>

+<a name="s1.5" id="s1.5"></a><span class="item-no">1.5</span>&#160; Terms used here

+</h3><span class="totop"><a href="#peak">(to top)</a></span><br style="clear: both;" />

+<br />

+&#160; In this document, only HTML body-level elements are considered. htmLawed does not have support for head-level elements, <span class="term">body</span>, and the frame-level elements, <span class="term">frameset</span>, <span class="term">frame</span>&#160;and <span class="term">noframes</span>, and these elements are ignored here.<br />

+<br />

+&#160; * &#160;<em>administrator</em>&#160;- or admin; person setting up the code that utilizes htmLawed; also, <em>user</em><br />

+&#160; * &#160;<em>attributes</em>&#160;- name-value pairs like <span class="term">href="http&#58;//x.com"</span>&#160;in opening tags<br />

+&#160; * &#160;<em>author</em>&#160;- see <em>writer</em><br />

+&#160; * &#160;<em>character</em>&#160;- atomic unit of text; internally represented by a numeric <em>code-point</em>&#160;as specified by the <em>encoding</em>&#160;or <em>charset</em>&#160;in use<br />

+&#160; * &#160;<em>entity</em>&#160;- markup like <span class="term">&amp;gt;</span>&#160;and <span class="term">&amp;#160;</span>&#160;used to refer to a character<br />

+&#160; * &#160;<em>element</em>&#160;- HTML element like <span class="term">a</span>&#160;and <span class="term">img</span><br />

+&#160; * &#160;<em>element content</em>&#160;- &#160;content between the opening and closing tags of an element, like <span class="term">click</span>&#160;of the <span class="term">&lt;a href="x"&gt;click&lt;/a&gt;</span>&#160;element<br />

+&#160; * &#160;<em>HTML</em>&#160;- implies XHTML unless specified otherwise<br />

+&#160; * &#160;<em>HTML body</em>&#160;- content in the <em>body</em>&#160;container of an HTML document<br />

+&#160; * &#160;<em>input</em>&#160;- text given to htmLawed to process<br />

+&#160; * &#160;<em>legal</em>&#160;– standard-compliant; also, <em>valid</em><br />

+&#160; * &#160;<em>processing</em>&#160;- involves filtering, correction, etc., of input<br />

+&#160; * &#160;<em>safe</em>&#160;- absence or reduction of certain characters and HTML elements and attributes in HTML of text that can otherwise potentially, and circumstantially, expose text readers to security vulnerabilities like cross-site scripting attacks (XSS)<br />

+&#160; * &#160;<em>scheme</em>&#160;- a URL protocol like <span class="term">http</span>&#160;and <span class="term">ftp</span><br />

+&#160; * &#160;<em>specification</em>&#160;- detailed description including rules that define HTML<br />

+&#160; * &#160;<em>standard</em>&#160;– widely accepted specification<br />

+&#160; * &#160;<em>style property</em>&#160;- terms like <span class="term">border</span>&#160;and <span class="term">height</span>&#160;for which declarations are made in values for the <span class="term">style</span>&#160;attribute of elements<br />

+&#160; * &#160;<em>tag</em>&#160;- markers like <span class="term">&lt;a href="x"&gt;</span>&#160;and <span class="term">&lt;/a&gt;</span>&#160;delineating element content; the opening tag can contain attributes<br />

+&#160; * &#160;<em>tag content</em>&#160;- consists of tag markers <span class="term">&lt;</span>&#160;and <span class="term">&gt;</span>, element names like <span class="term">div</span>, and possibly attributes<br />

+&#160; * &#160;<em>user</em>&#160;- administrator<br />

+&#160; * &#160;<em>valid</em>&#160;- see <em>legal</em><br />

+&#160; * &#160;<em>writer</em>&#160;- end-user like a blog commenter providing the input that is to be processed; also, <em>author</em><br />

+&#160; * &#160;<em>XHTML</em>&#160;- XML-compliant HTML; parsing rules for XHTML are more strict than for regular HTML<br />

+

+</div>

+<div class="sub-section"><h3>

+<a name="s1.6" id="s1.6"></a><span class="item-no">1.6</span>&#160; Availability

+</h3><span class="totop"><a href="#peak">(to top)</a></span><br style="clear: both;" />

+<br />

+&#160; htmLawed can be downloaded for free at its <a href="http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed">website</a>. Besides the <span class="term">htmLawed.php</span>&#160;file, the download has the htmLawed documentation (this document) in plain <a href="htmLawed_README.txt">text</a>&#160;and <a href="htmLawed_README.htm">HTML</a>&#160;formats, a script for <a href="htmLawedTest.php">testing</a>, and a text file for <a href="htmLawed_TESTCASE.txt">test-cases</a>. htmLawed is also available as a PHP class (OOP code) at its website.<br />

+

+</div>

+</div>

+<div class="section"><h2>

+<a name="s2" id="s2"></a><span class="item-no">2</span>&#160; Usage

+</h2><span class="totop"><a href="#peak">(to top)</a></span><br style="clear: both;" />

+<br />

+&#160; htmLawed works in PHP version 4.4 or higher. Either <span class="term">include()</span>&#160;the <span class="term">htmLawed.php</span>&#160;file, or copy-paste the entire code.<br />

+<br />

+&#160; To use with PHP 4.3, have the following code included:<br />

+<br />

+

+<code class="code">&#160; &#160; if(!function_exists(&#39;ctype_digit&#39;)){</code>

+<br />

+

+<code class="code">&#160; &#160; &#160;function ctype_digit($var){</code>

+<br />

+

+<code class="code">&#160; &#160; &#160; return ((int) $var == $var);</code>

+<br />

+

+<code class="code">&#160; &#160; &#160;}</code>

+<br />

+

+<code class="code">&#160; &#160; }</code>

+<br />

+

+<div class="sub-section"><h3>

+<a name="s2.1" id="s2.1"></a><span class="item-no">2.1</span>&#160; Simple

+</h3><span class="totop"><a href="#peak">(to top)</a></span><br style="clear: both;" />

+<br />

+&#160; The input text to be processed, <span class="term">$text</span>, is passed as an argument of type string; <span class="term">htmLawed()</span>&#160;returns the processed string:<br />

+<br />

+

+<code class="code">&#160; &#160; $processed = htmLawed($text);</code>

+<br />

+<br />

+&#160; With the <span class="term">htmLawed class</span>&#160;(<a href="#s1.6">section 1.6</a>), usage is:<br />

+<br />

+

+<code class="code">&#160; &#160; $processed = htmLawed&#58;&#58;hl($text);</code>

+<br />

+<br />

+&#160; <strong>Notes</strong>: (1) If input is from a <span class="term">$_GET</span>&#160;or <span class="term">$_POST</span>&#160;value, and <span class="term">magic quotes</span>&#160;are enabled on the PHP setup, run <span class="term">stripslashes()</span>&#160;on the input before passing to htmLawed. (2) htmLawed does not have support for head-level elements, <span class="term">body</span>, and the frame-level elements, <span class="term">frameset</span>, <span class="term">frame</span>&#160;and <span class="term">noframes</span>.<br />

+<br />

+&#160; By default, htmLawed will process the text allowing all valid HTML elements/tags and commonly used URL schemes and CSS style properties. It will allow Javascript code, <span class="term">CDATA</span>&#160;sections and HTML comments, balance tags, and ensure proper nesting of elements. Such actions can be configured using two other optional arguments -- <span class="term">$config</span>&#160;and <span class="term">$spec</span>:<br />

+<br />

+

+<code class="code">&#160; &#160; $processed = htmLawed($text, $config, $spec);</code>

+<br />

+<br />

+&#160; The <span class="term">$config</span>&#160;and <span class="term">$spec</span>&#160;arguments are detailed below. Some examples are shown in <a href="#s2.9">section 2.9</a>. For maximum protection against <span class="term">XSS</span>&#160;and other security vulnerabilities, consider using the <span class="term">safe</span>&#160;parameter; see <a href="#s3.6">section 3.6</a>.<br />

+

+</div>

+<div class="sub-section"><h3>

+<a name="s2.2" id="s2.2"></a><span class="item-no">2.2</span>&#160; Configuring htmLawed using the <span class="term">$config</span>&#160;argument

+</h3><span class="totop"><a href="#peak">(to top)</a></span><br style="clear: both;" />

+<br />

+&#160; <span class="term">$config</span>&#160;instructs htmLawed on how to tackle certain tasks. When <span class="term">$config</span>&#160;is not specified, or not set as an array (e.g., <span class="term">$config = 1</span>), htmLawed will take default actions. One or many of the task-action or parameter-value pairs can be specified in <span class="term">$config</span>&#160;as array key-value pairs. If a parameter is not specified, htmLawed will use the default value for it, indicated further below. In PHP code, parameter values that are integers should not be quoted and should be used as numeric types (unless meant as string/text). Thus, for instance:<br />

+<br />

+

+<code class="code">&#160; &#160; $config = array(&#39;comment&#39;=&gt;0, &#39;cdata&#39;=&gt;1, &#39;elements&#39;=&gt;&#39;a, b, strong&#39;);</code>

+<br />

+

+<code class="code">&#160; &#160; $processed = htmLawed($text, $config);</code>

+<br />

+<br />

+&#160; Below are the various parameters that can be specified in <span class="term">$config</span>.<br />

+<br />

+&#160; Key: <span class="term">&#42;</span>&#160;default, <span class="term">^</span>&#160;different from htmLawed versions below 1.2, <span class="term">~</span>&#160;different default when <span class="term">valid_xhtml</span>&#160;is set to <span class="term">1</span>&#160;(see <a href="#s3.5">section 3.5</a>), <span class="term">"</span>&#160;different default when <span class="term">safe</span>&#160;is set to <span class="term">1</span>&#160;(see <a href="#s3.6">section 3.6</a>)<br />

+<br />

+&#160; <strong>abs_url</strong><br />

+&#160; Make URLs absolute or relative; <span class="term">$config["base_url"]</span>&#160;needs to be set; see <a href="#s3.4.4">section 3.4.4</a><br />

+<br />

+&#160; <span class="term">-1</span>&#160;- make relative<br />

+&#160; <span class="term">0</span>&#160;- no action &#160;*<br />

+&#160; <span class="term">1</span>&#160;- make absolute<br />

+<br />

+&#160; <strong>and_mark</strong><br />

+&#160; Mark <span class="term">&amp;</span>&#160;characters in the original input; see <a href="#s3.2">section 3.2</a><br />

+<br />

+&#160; <strong>anti_link_spam</strong><br />

+&#160; Anti-link-spam measure; see <a href="#s3.4.7">section 3.4.7</a><br />

+<br />

+&#160; <span class="term">0</span>&#160;- no measure taken &#160;*<br />

+&#160; <em>array("regex1", "regex2")</em>&#160;- will ensure a <span class="term">rel</span>&#160;attribute with <span class="term">nofollow</span>&#160;in its value in case the <span class="term">href</span>&#160;attribute value matches the regular expression pattern <span class="term">regex1</span>, and/or will remove <span class="term">href</span>&#160;if its value matches the regular expression pattern <span class="term">regex2</span>. E.g., <span class="term">array("/./", "/&#58;//\W&#42;(?!(abc\.com|xyz\.org))/")</span>; see <a href="#s3.4.7">section 3.4.7</a>&#160;for more.<br />

+<br />

+&#160; <strong>anti_mail_spam</strong><br />

+&#160; Anti-mail-spam measure; see <a href="#s3.4.7">section 3.4.7</a><br />

+<br />

+&#160; <span class="term">0</span>&#160;- no measure taken &#160;*<br />

+&#160; <em>word</em>&#160;- <span class="term">@</span>&#160;in mail address in <span class="term">href</span>&#160;attribute value is replaced with specified <em>word</em><br />

+<br />

+&#160; <strong>balance</strong><br />

+&#160; Balance tags for well-formedness and proper nesting; see <a href="#s3.3.3">section 3.3.3</a><br />

+<br />

+&#160; <span class="term">0</span>&#160;- no<br />

+&#160; <span class="term">1</span>&#160;- yes &#160;*<br />

+<br />

+&#160; <strong>base_url</strong><br />

+&#160; Base URL value that needs to be set if <span class="term">$config["abs_url"]</span>&#160;is not <span class="term">0</span>; see <a href="#s3.4.4">section 3.4.4</a><br />

+<br />

+&#160; <strong>cdata</strong><br />

+&#160; Handling of <span class="term">CDATA</span>&#160;sections; see <a href="#s3.3.1">section 3.3.1</a><br />

+<br />

+&#160; <span class="term">0</span>&#160;- don't consider <span class="term">CDATA</span>&#160;sections as markup and proceed as if plain text &#160;"<br />

+&#160; <span class="term">1</span>&#160;- remove<br />

+&#160; <span class="term">2</span>&#160;- allow, but neutralize any <span class="term">&lt;</span>, <span class="term">&gt;</span>, and <span class="term">&amp;</span>&#160;inside by converting them to named entities<br />

+&#160; <span class="term">3</span>&#160;- allow &#160;*<br />

+<br />

+&#160; <strong>clean_ms_char</strong><br />

+&#160; Replace <em>discouraged</em>&#160;characters introduced by Microsoft Word, etc.; see <a href="#s3.1">section 3.1</a><br />

+<br />

+&#160; <span class="term">0</span>&#160;- no &#160;*<br />

+&#160; <span class="term">1</span>&#160;- yes<br />

+&#160; <span class="term">2</span>&#160;- yes, but replace special single &amp; double quotes with ordinary ones<br />

+<br />

+&#160; <strong>comment</strong><br />

+&#160; Handling of HTML comments; see <a href="#s3.3.1">section 3.3.1</a><br />

+<br />

+&#160; <span class="term">0</span>&#160;- don't consider comments as markup and proceed as if plain text &#160;"<br />

+&#160; <span class="term">1</span>&#160;- remove<br />

+&#160; <span class="term">2</span>&#160;- allow, but neutralize any <span class="term">&lt;</span>, <span class="term">&gt;</span>, and <span class="term">&amp;</span>&#160;inside by converting to named entities<br />

+&#160; <span class="term">3</span>&#160;- allow &#160;*<br />

+<br />

+&#160; <strong>css_expression</strong><br />

+&#160; Allow dynamic CSS expression by not removing the expression from CSS property values in <span class="term">style</span>&#160;attributes; see <a href="#s3.4.8">section 3.4.8</a><br />

+<br />

+&#160; <span class="term">0</span>&#160;- remove &#160;*<br />

+&#160; <span class="term">1</span>&#160;- allow<br />

+<br />

+&#160; <strong>deny_attribute</strong><br />

+&#160; Denied HTML attributes; see <a href="#s3.4">section 3.4</a><br />

+<br />

+&#160; <span class="term">0</span>&#160;- none &#160;*<br />

+&#160; <em>string</em>&#160;- dictated by values in <em>string</em><br />

+&#160; <span class="term">on&#42;</span>&#160;- on* event attributes like <span class="term">onfocus</span>&#160;not allowed &#160;"<br />

+<br />

+&#160; <strong>direct_nest_list</strong><br />

+&#160; Allow direct nesting of a list within another without requiring it to be a list item; see <a href="#s3.3.4">section 3.3.4</a><br />

+<br />

+&#160; <span class="term">0</span>&#160;- no &#160;*<br />

+&#160; <span class="term">1</span>&#160;- yes<br />

+<br />

+&#160; <strong>elements</strong><br />

+&#160; Allowed HTML elements; see <a href="#s3.3">section 3.3</a><br />

+<br />

+&#160; <em>all</em>&#160;- *^<br />

+&#160; <span class="term">&#42; -acronym -big -center -dir -font -isindex -s -strike -tt</span>&#160;- &#160;~^<br />

+&#160; <em>applet, audio, canvas, embed, iframe, object, script, and video elements not allowed</em>&#160;- &#160;"^<br />

+<br />

+&#160; <strong>hexdec_entity</strong><br />

+&#160; Allow hexadecimal numeric entities and do not convert to the more widely accepted decimal ones, or convert decimal to hexadecimal ones; see <a href="#s3.2">section 3.2</a><br />

+<br />

+&#160; <span class="term">0</span>&#160;- no<br />

+&#160; <span class="term">1</span>&#160;- yes &#160;*<br />

+&#160; <span class="term">2</span>&#160;- convert decimal to hexadecimal ones<br />

+<br />

+&#160; <strong>hook</strong><br />

+&#160; Name of an optional hook function to alter the input string, <span class="term">$config</span>&#160;or <span class="term">$spec</span>&#160;before htmLawed enters the main phase of its work; see <a href="#s3.7">section 3.7</a><br />

+<br />

+&#160; <span class="term">0</span>&#160;- no hook function &#160;*<br />

+&#160; <em>name</em>&#160;- <em>name</em>&#160;is name of the hook function<br />

+<br />

+&#160; <strong>hook_tag</strong><br />

+&#160; Name of an optional hook function to alter tag content finalized by htmLawed; see <a href="#s3.4.9">section 3.4.9</a><br />

+<br />

+&#160; <span class="term">0</span>&#160;- no hook function &#160;*<br />

+&#160; <em>name</em>&#160;- <em>name</em>&#160;is name of the hook function<br />

+<br />

+&#160; <strong>keep_bad</strong><br />

+&#160; Neutralize <em>bad</em>&#160;tags by converting their <span class="term">&lt;</span>&#160;and <span class="term">&gt;</span>&#160;characters to entities, or remove them; see <a href="#s3.3.3">section 3.3.3</a><br />

+<br />

+&#160; <span class="term">0</span>&#160;- remove<br />

+&#160; <span class="term">1</span>&#160;- neutralize both tags and element content<br />

+&#160; <span class="term">2</span>&#160;- remove tags but neutralize element content<br />

+&#160; <span class="term">3</span>&#160;and <span class="term">4</span>&#160;- like <span class="term">1</span>&#160;and <span class="term">2</span>&#160;but remove if text (<span class="term">pcdata</span>) is invalid in parent element<br />

+&#160; <span class="term">5</span>&#160;and <span class="term">6</span>&#160;* - &#160;like <span class="term">3</span>&#160;and <span class="term">4</span>&#160;but line-breaks, tabs and spaces are left<br />

+<br />

+&#160; <strong>lc_std_val</strong><br />

+&#160; For XHTML compliance, predefined, standard attribute values, like <span class="term">get</span>&#160;for the <span class="term">method</span>&#160;attribute of <span class="term">form</span>, must be lowercased; see <a href="#s3.4.5">section 3.4.5</a><br />

+<br />

+&#160; <span class="term">0</span>&#160;- no<br />

+&#160; <span class="term">1</span>&#160;- yes &#160;*<br />

+<br />

+&#160; <strong>make_tag_strict</strong><br />

+&#160; Transform or remove these deprecated HTML elements, even if they are allowed by the admin: acronym, applet, big, center, dir, font, isindex, s, strike, tt; see <a href="#s3.3.2">section 3.3.2</a><br />

+<br />

+&#160; <span class="term">0</span>&#160;- no<br />

+&#160; <span class="term">1</span>&#160;- yes, but leave <span class="term">applet</span>&#160;and <span class="term">isindex</span>&#160;that currently cannot be transformed &#160;*^<br />

+&#160; <span class="term">2</span>&#160;- yes, removing <span class="term">applet</span>&#160;and <span class="term">isindex</span>&#160;elements and their contents (nested elements remain) &#160;~^<br />

+<br />

+&#160; <strong>named_entity</strong><br />

+&#160; Allow non-universal named HTML entities, or convert to numeric ones; see <a href="#s3.2">section 3.2</a><br />

+<br />

+&#160; <span class="term">0</span>&#160;- convert<br />

+&#160; <span class="term">1</span>&#160;- allow &#160;*<br />

+<br />

+&#160; <strong>no_deprecated_attr</strong><br />

+&#160; Allow deprecated attributes or transform them; see <a href="#s3.4.6">section 3.4.6</a><br />

+<br />

+&#160; <span class="term">0</span>&#160;- allow<br />

+&#160; <span class="term">1</span>&#160;- transform, but <span class="term">name</span>&#160;attributes for <span class="term">a</span>&#160;and <span class="term">map</span>&#160;are retained &#160;*<br />

+&#160; <span class="term">2</span>&#160;- transform<br />

+<br />

+&#160; <strong>parent</strong><br />

+&#160; Name of the parent element, possibly imagined, that will hold the input; see <a href="#s3.3">section 3.3</a><br />

+<br />

+&#160; <strong>safe</strong><br />

+&#160; Magic parameter to make input the most secure against vulnerabilities like XSS without needing to specify other relevant <span class="term">$config</span>&#160;parameters; see <a href="#s3.6">section 3.6</a><br />

+<br />

+&#160; <span class="term">0</span>&#160;- no &#160;*<br />

+&#160; <span class="term">1</span>&#160;- will auto-adjust other relevant <span class="term">$config</span>&#160;parameters (indicated by <span class="term">"</span>&#160;in this list) &#160;^<br />

+<br />

+&#160; <strong>schemes</strong><br />

+&#160; Array of attribute-specific, comma-separated, lower-cased list of schemes (protocols) allowed in attributes accepting URLs (or <span class="term">!</span>&#160;to <em>deny</em>&#160;any URL); <span class="term">&#42;</span>&#160;covers all unspecified attributes; see <a href="#s3.4.3">section 3.4.3</a><br />

+<br />

+&#160; <span class="term">href&#58; aim, app, feed, file, ftp, gopher, http, https, javascript, irc, mailto, news, nntp, sftp, ssh, tel, telnet; &#42;&#58;data, file, http, https, javascript</span>&#160; *^<br />

+&#160; <span class="term">href&#58; aim, feed, file, ftp, gopher, http, https, irc, mailto, news, nntp, sftp, ssh, tel, telnet; style&#58; !; &#42;&#58;file, http, https</span>&#160; "<br />

+<br />

+&#160; <strong>show_setting</strong><br />

+&#160; Name of a PHP variable to assign the <em>finalized</em>&#160;<span class="term">$config</span>&#160;and <span class="term">$spec</span>&#160;values; see <a href="#s3.8">section 3.8</a><br />

+<br />

+&#160; <strong>style_pass</strong><br />

+&#160; Ignore <span class="term">style</span>&#160;attribute values, letting them through without any alteration<br />

+<br />

+&#160; <span class="term">0</span>&#160;- no *<br />

+&#160; <span class="term">1</span>&#160;- htmLawed will let through any <span class="term">style</span>&#160;value; see <a href="#s3.4.8">section 3.4.8</a><br />

+<br />

+&#160; <strong>tidy</strong><br />

+&#160; Beautify or compact HTML code; see <a href="#s3.3.5">section 3.3.5</a><br />

+<br />

+&#160; <span class="term">-1</span>&#160;- compact<br />

+&#160; <span class="term">0</span>&#160;- no &#160;*<br />

+&#160; <span class="term">1</span>&#160;or <em>string</em>&#160;- beautify (custom format specified by <span class="term">string</span>)<br />

+<br />

+&#160; <strong>unique_ids</strong><br />

+&#160; <span class="term">id</span>&#160;attribute value checks; see <a href="#s3.4.2">section 3.4.2</a><br />

+<br />

+&#160; <span class="term">0</span>&#160;- no<br />

+&#160; <span class="term">1</span>&#160;- remove duplicate and/or invalid ones &#160;*<br />

+&#160; <em>word</em>&#160;- remove invalid ones and replace duplicate ones with new and unique ones based on the <em>word</em>; the admin-specified <em>word</em>&#160;cannot contain a space character<br />

+<br />

+&#160; <strong>valid_xhtml</strong><br />

+&#160; Magic parameter to make input the most valid XHTML without needing to specify other relevant <span class="term">$config</span>&#160;parameters; see <a href="#s3.5">section 3.5</a><br />

+<br />

+&#160; <span class="term">0</span>&#160;- no &#160;*<br />

+&#160; <span class="term">1</span>&#160;- will auto-adjust other relevant <span class="term">$config</span>&#160;parameters (indicated by <span class="term">~</span>&#160;in this list)<br />

+<br />

+&#160; <strong>xml:lang</strong><br />

+&#160; Auto-add <span class="term">xml&#58;lang</span>&#160;attribute; see <a href="#s3.4.1">section 3.4.1</a><br />

+<br />

+&#160; <span class="term">0</span>&#160;- no &#160;*<br />

+&#160; <span class="term">1</span>&#160;- add if <span class="term">lang</span>&#160;attribute is present<br />

+&#160; <span class="term">2</span>&#160;- add if <span class="term">lang</span>&#160;attribute is present, and remove <span class="term">lang</span>&#160; ~<br />

+

+</div>

+<div class="sub-section"><h3>

+<a name="s2.3" id="s2.3"></a><span class="item-no">2.3</span>&#160; Extra HTML specifications using the $spec parameter

+</h3><span class="totop"><a href="#peak">(to top)</a></span><br style="clear: both;" />

+<br />

+&#160; The <span class="term">$spec</span>&#160;argument of htmLawed can be used to disallow an otherwise legal attribute for an element, or to restrict the attribute's values. This can also be helpful as a security measure (e.g., in certain versions of browsers, certain values can cause buffer overflows and denial of service attacks), or in enforcing admin policies. <span class="term">$spec</span>&#160;is specified as a string of text containing one or more <em>rules</em>, with multiple rules separated from each other by a semi-colon (<span class="term">;</span>). E.g.,<br />

+<br />

+

+<code class="code">&#160; &#160; $spec = &#39;i=-&#42;; td, tr=style, id, -&#42;; a=id(match="/[a-z][a-z\d.&#58;\-&#96;"]&#42;/i"/minval=2), href(maxlen=100/minlen=34); img=-width,-alt&#39;;</code>

+<br />

+

+<code class="code">&#160; &#160; $processed = htmLawed($text, $config, $spec);</code>

+<br />

+<br />

+&#160; Or,<br />

+<br />

+

+<code class="code">&#160; &#160; $processed = htmLawed($text, $config, &#39;i=-&#42;; td, tr=style, id, -&#42;; a=id(match="/[a-z][a-z\d.&#58;\-&#96;"]&#42;/i"/minval=2), href(maxlen=100/minlen=34); img=-width,-alt&#39;);</code>

+<br />

+<br />

+&#160; A rule begins with an HTML <strong>element</strong>&#160;name(s) (<em>rule-element</em>), for which the rule applies, followed by an equal-to (=) sign. A rule-element may represent multiple elements if comma (,)-separated element names are used. E.g., <span class="term">th,td,tr=</span>.<br />

+<br />

+&#160; Rest of the rule consists of comma-separated HTML <strong>attribute names</strong>. A minus (-) character before an attribute means that the attribute is not permitted inside the rule-element. E.g., <span class="term">-width</span>. To deny all attributes, <span class="term">-&#42;</span>&#160;can be used.<br />

+<br />

+&#160; Following shows examples of rule excerpts with rule-element <span class="term">a</span>&#160;and the attributes that are being permitted:<br />

+<br />

+&#160; * &#160;<span class="term">a=</span>&#160;- all<br />

+&#160; * &#160;<span class="term">a=id</span>&#160;- all<br />

+&#160; * &#160;<span class="term">a=href, title, -id, -onclick</span>&#160;- all except <span class="term">id</span>&#160;and <span class="term">onclick</span><br />

+&#160; * &#160;<span class="term">a=&#42;, id, -id</span>&#160;- all except <span class="term">id</span><br />

+&#160; * &#160;<span class="term">a=-&#42;</span>&#160;- none<br />

+&#160; * &#160;<span class="term">a=-&#42;, href, title</span>&#160;- none except <span class="term">href</span>&#160;and <span class="term">title</span><br />

+&#160; * &#160;<span class="term">a=-&#42;, -id, href, title</span>&#160;- none except <span class="term">href</span>&#160;and <span class="term">title</span><br />

+<br />

+&#160; Rules regarding <strong>attribute values</strong>&#160;are optionally specified inside round brackets after attribute names in solidus (/)-separated <em>parameter = value</em>&#160;pairs. E.g., <span class="term">title(maxlen=30/minlen=5)</span>. None or one or more of the following parameters may be specified:<br />

+<br />

+&#160; * &#160;<span class="term">oneof</span>&#160;- one or more choices separated by <span class="term">|</span>&#160;that the value should match; if only one choice is provided, then the value must match that choice; matching is case-sensitive<br />

+<br />

+&#160; * &#160;<span class="term">noneof</span>&#160;- one or more choices separated by <span class="term">|</span>&#160;that the value should not match; matching is case-sensitive<br />

+<br />

+&#160; * &#160;<span class="term">maxlen</span>&#160;and <span class="term">minlen</span>&#160;- upper and lower limits for the number of characters in the attribute value; specified in numbers<br />

+<br />

+&#160; * &#160;<span class="term">maxval</span>&#160;and <span class="term">minval</span>&#160;- upper and lower limits for the numerical value specified in the attribute value; specified in numbers<br />

+<br />

+&#160; * &#160;<span class="term">match</span>&#160;and <span class="term">nomatch</span>&#160;- pattern that the attribute value should or should not match; specified as PHP/PCRE-compatible regular expressions with delimiters and possibly modifiers (e.g., to specify case-sensitivity for matching)<br />

+<br />

+&#160; * &#160;<span class="term">default</span>&#160;- a value to force on the attribute if the value provided by the writer does not fit any of the specified parameters<br />

+<br />

+&#160; If <span class="term">default</span>&#160;is not set and the attribute value does not satisfy any of the specified parameters, then the attribute is removed. The <span class="term">default</span>&#160;value can also be used to force all attribute declarations to take the same value (by getting the values declared illegal by setting, e.g., <span class="term">maxlen</span>&#160;to <span class="term">-1</span>).<br />

+<br />

+&#160; Examples with <em>input</em>&#160;<span class="term">&lt;input title="WIDTH" value="10em" /&gt;&lt;input title="length" value="5" class="ic1 ic2" /&gt;</span>&#160;are shown below.<br />

+<br />

+&#160; <em>Rule</em>: <span class="term">input=title(maxlen=60/minlen=6), value</span><br />

+&#160; <em>Output</em>: <span class="term">&lt;input value="10em" /&gt;&lt;input title="length" value="5" class="ic1 ic2" /&gt;</span><br />

+<br />

+&#160; <em>Rule</em>: <span class="term">input=title(), value(maxval=8/default=6)</span><br />

+&#160; <em>Output</em>: <span class="term">&lt;input title="WIDTH" value="6" /&gt;&lt;input title="length" value="5" class="ic1 ic2" /&gt;</span><br />

+<br />

+&#160; <em>Rule</em>: <span class="term">input=title(nomatch=%w.d%i), value(match=%em%/default=6em)</span><br />

+&#160; <em>Output</em>: <span class="term">&lt;input value="10em" /&gt;&lt;input title="length" value="6em" class="ic1 ic2" /&gt;</span><br />

+<br />

+&#160; <em>Rule</em>: <span class="term">input=class(noneof=ic2|ic3/oneof=ic1|ic4), title(oneof=height|depth/default=depth), value(noneof=5|6)</span><br />

+&#160; <em>Output</em>: <span class="term">&lt;input title="depth" value="10em" /&gt;&lt;input title="depth" class="ic1" /&gt;</span><br />

+<br />

+&#160; <strong>Special characters</strong>: The characters <span class="term">;</span>, <span class="term">,</span>, <span class="term">/</span>, <span class="term">(</span>, <span class="term">)</span>, <span class="term">|</span>, <span class="term">~</span>&#160;and space have special meanings in the rules. Words in the rules that use such characters, or the characters themselves, should be <em>escaped</em>&#160;by enclosing in pairs of double-quotes (<span class="term">"</span>). A back-tick (<span class="term">&#96;</span>) can be used to escape a literal <span class="term">"</span>. An example rule illustrating this is <span class="term">input=value(maxlen=30/match="/^\w/"/default="your &#96;"ID&#96;"")</span>.<br />

+<br />

+&#160; <strong>Attributes that accept multiple values</strong>: If an attribute is <span class="term">accesskey</span>, <span class="term">class</span>, <span class="term">itemtype</span>&#160;or <span class="term">rel</span>, which can have multiple, space-separated values, or <span class="term">srcset</span>, which can have multiple, comma-separated values, htmLawed will parse the attribute value for such multiple values and will individually test each of them.<br />

+<br />

+&#160; <strong>Note</strong>: To deny an attribute for all elements for which it is legal, <span class="term">$config["deny_attribute"]</span>&#160;(see <a href="#s3.4">section 3.4</a>) can be used instead of <span class="term">$spec</span>. Also, attributes can be allowed element-specifically through <span class="term">$spec</span>&#160;while being denied globally through <span class="term">$config["deny_attribute"]</span>. The <span class="term">hook_tag</span>&#160;parameter (<a href="#s3.4.9">section 3.4.9</a>) can also be possibly used to implement a functionality like that achieved using <span class="term">$spec</span>&#160;functionality.<br />

+<br />

+&#160; <strong>Note</strong>: Attributes' specifications for an element may be set through multiple rules. In case of conflict, the attribute specification in the first rule will get precedence.<br />

+<br />

+&#160; <span class="term">$spec</span>&#160;can also be used to permit custom, non-standard attributes as well as custom rules for standard attributes. Thus, the following value of <span class="term">$spec</span>&#160;will permit the custom uses of the standard <span class="term">rel</span>&#160;attribute in <span class="term">input</span>&#160;(not permitted as per standards) and of a non-standard attribute, <span class="term">vFlag</span>, in <span class="term">img</span>.<br />

+<br />

+

+<code class="code">&#160; &#160; $spec = &#39;img=vFlag; input=rel&#39;</code>

+<br />

+<br />

+&#160; The attribute names must begin with an alphabet and cannot have space, equal-to (=) and solidus (/) characters.<br />

+

+</div>

+<div class="sub-section"><h3>

+<a name="s2.4" id="s2.4"></a><span class="item-no">2.4</span>&#160; Performance time &amp; memory usage

+</h3><span class="totop"><a href="#peak">(to top)</a></span><br style="clear: both;" />

+<br />

+&#160; The time and memory consumed during text processing by htmLawed depends on its configuration, the size of the input, and the amount, nestedness and well-formedness of the HTML markup within the input. In particular, tag balancing and beautification each can increase the processing time by about a quarter.<br />

+<br />

+&#160; The htmLawed <a href="htmLawedTest.php">demo</a>&#160;can be used to evaluate the performance and effects of different types of input and <span class="term">$config</span>.<br />

+

+</div>

+<div class="sub-section"><h3>

+<a name="s2.5" id="s2.5"></a><span class="item-no">2.5</span>&#160; Some security risks to keep in mind

+</h3><span class="totop"><a href="#peak">(to top)</a></span><br style="clear: both;" />

+<br />

+&#160; When setting the parameters/arguments (like those to allow certain HTML elements) for use with htmLawed, one should bear in mind that the setting may let through potentially <em>dangerous</em>&#160;HTML code which is meant to steal user-data, deface a website, render a page non-functional, etc. Unless end-users, either people or software, supplying the content are completely trusted, security issues arising from the degree of HTML usage permitted through htmLawed's setting should be considered. For example, following increase security risks:<br />

+<br />

+&#160; * &#160;Allowing <span class="term">script</span>, <span class="term">applet</span>, <span class="term">embed</span>, <span class="term">iframe</span>, <span class="term">canvas</span>, <span class="term">audio</span>, <span class="term">video</span>&#160;or <span class="term">object</span>&#160;elements, or certain of their attributes like <span class="term">allowscriptaccess</span><br />

+<br />

+&#160; * &#160;Allowing HTML comments (some Internet Explorer versions are vulnerable with, e.g., <span class="term">&lt;!--[if gte IE 4]&gt;&lt;script&gt;alert("xss");&lt;/script&gt;&lt;![endif]--&gt;</span><br />

+<br />

+&#160; * &#160;Allowing dynamic CSS expressions (some Internet Explorer versions are vulnerable)<br />

+<br />

+&#160; * &#160;Allowing the <span class="term">style</span>&#160;attribute<br />

+<br />

+&#160; To remove <em>unsecure</em>&#160;HTML, code-developers using htmLawed must set <span class="term">$config</span>&#160;appropriately. E.g., <span class="term">$config["elements"] = "&#42; -script"</span>&#160;to deny the <span class="term">script</span>&#160;element (<a href="#s3.3">section 3.3</a>), <span class="term">$config["safe"] = 1</span>&#160;to auto-configure ceratin htmLawed parameters for maximizing security (<a href="#s3.6">section 3.6</a>), etc.<br />

+<br />

+&#160; Permitting the <span class="term">&#42;style&#42;</span>&#160;attribute brings in risks of <em>click-jacking</em>, <em>phishing</em>, web-page overlays, etc., <em>even</em>&#160;when the <span class="term">safe</span>&#160;parameter is enabled (see <a href="#s3.6">section 3.6</a>). Except for URLs and a few other things like CSS dynamic expressions, htmLawed currently does not check every CSS style property. It does provide ways for the code-developer implementing htmLawed to do such checks through htmLawed's <span class="term">$spec</span>&#160;argument, and through the <span class="term">hook_tag</span>&#160;parameter (see <a href="#s3.4.8">section 3.4.8</a>&#160;for more). Disallowing <span class="term">style</span>&#160;completely and relying on CSS classes and stylesheet files is recommended.<br />

+<br />

+&#160; htmLawed does not check or correct the character <strong>encoding</strong>&#160;of the input it receives. In conjunction with permissive circumstances, such as when the character encoding is left undefined through HTTP headers or HTML <span class="term">meta</span>&#160;tags, this can allow for an exploit (like Google's <em>UTF-7/XSS</em>&#160;vulnerability of the past).<br />

+<br />

+&#160; Ocassionally, though very rarely, the default settings with which htmLawed runs may change between different versions of htmLawed. Admins should keep this in mind when upgrading htmLawed. Important changes in htmLawed's default behavior in new releases of the software are noted in <a href="#s4.5">section 4.5</a>&#160;on upgrades.<br />

+

+</div>

+<div class="sub-section"><h3>

+<a name="s2.6" id="s2.6"></a><span class="item-no">2.6</span>&#160; Use with <span class="term">kses()</span>&#160;code

+</h3><span class="totop"><a href="#peak">(to top)</a></span><br style="clear: both;" />

+<br />

+&#160; The <span class="term">Kses</span>&#160;PHP script for HTML filtering is used by many applications (like <span class="term">WordPress</span>, as in year 2012). It is possible to have such applications use htmLawed instead, since it is compatible with code that calls the <span class="term">kses()</span>&#160;function declared in the <span class="term">Kses</span>&#160;file (usually named <span class="term">kses.php</span>). E.g., application code like this will continue to work after replacing <span class="term">Kses</span>&#160;with htmLawed:<br />

+<br />

+

+<code class="code">&#160; &#160; $comment_filtered = kses($comment_input, array(&#39;a&#39;=&gt;array(), &#39;b&#39;=&gt;array(), &#39;i&#39;=&gt;array()));</code>

+<br />

+<br />

+&#160; If the application uses a <span class="term">Kses</span>&#160;file that has the <span class="term">kses()</span>&#160;function declared, then, to have the application use htmLawed instead of <span class="term">Kses</span>, rename <span class="term">htmLawed.php</span>&#160;(to <span class="term">kses.php</span>, e.g.) and replace the <span class="term">Kses</span>&#160;file (or just replace the code in the <span class="term">Kses</span>&#160;file with the htmLawed code). If the <span class="term">kses()</span>&#160;function in the <span class="term">Kses</span>&#160;file had been renamed by the application developer (e.g., in <span class="term">WordPress</span>, it is named <span class="term">wp_kses()</span>), then appropriately rename the <span class="term">kses()</span>&#160;function in the htmLawed code. Then, add the following code (which was a part of htmLawed prior to version 1.2):<br />

+<br />

+

+<code class="code">&#160; &#160; // kses compatibility</code>

+<br />

+

+<code class="code">&#160; &#160; function kses($t, $h, $p=array(&#39;http&#39;, &#39;https&#39;, &#39;ftp&#39;, &#39;news&#39;, &#39;nntp&#39;, &#39;telnet&#39;, &#39;gopher&#39;, &#39;mailto&#39;)){</code>

+<br />

+

+<code class="code">&#160; &#160; &#160;foreach($h as $k=&gt;$v){</code>

+<br />

+

+<code class="code">&#160; &#160; &#160; $h[$k][&#39;n&#39;][&#39;&#42;&#39;] = 1;</code>

+<br />

+

+<code class="code">&#160; &#160; &#160;}</code>

+<br />

+

+<code class="code">&#160; &#160; &#160;$C[&#39;cdata&#39;] = $C[&#39;comment&#39;] = $C[&#39;make_tag_strict&#39;] = $C[&#39;no_deprecated_attr&#39;] = $C[&#39;unique_ids&#39;] = 0;</code>

+<br />

+

+<code class="code">&#160; &#160; &#160;$C[&#39;keep_bad&#39;] = 1;</code>

+<br />

+

+<code class="code">&#160; &#160; &#160;$C[&#39;elements&#39;] = count($h) ? strtolower(implode(&#39;,&#39;, array_keys($h))) &#58; &#39;-&#42;&#39;;</code>

+<br />

+

+<code class="code">&#160; &#160; &#160;$C[&#39;hook&#39;] = &#39;kses_hook&#39;;</code>

+<br />

+

+<code class="code">&#160; &#160; &#160;$C[&#39;schemes&#39;] = &#39;&#42;&#58;&#39;. implode(&#39;,&#39;, $p);</code>

+<br />

+

+<code class="code">&#160; &#160; &#160;return htmLawed($t, $C, $h);</code>

+<br />

+

+<code class="code">&#160; &#160; &#160;}</code>

+<br />

+<br />

+

+<code class="code">&#160; &#160; function kses_hook($t, &amp;$C, &amp;$S){</code>

+<br />

+

+<code class="code">&#160; &#160; &#160;return $t;</code>

+<br />

+

+<code class="code">&#160; &#160; }</code>

+<br />

+<br />

+&#160; If the <span class="term">Kses</span>&#160;file used by the application has been significantly altered by the application developers, then one may need a different approach. E.g., with <span class="term">WordPress</span>&#160;(as in the year 2012), it is best to copy the htmLawed code, along with the above-mentioned additions, to <span class="term">wp_includes/kses.php</span>, rename the newly added function <span class="term">kses()</span>&#160;to <span class="term">wp_kses()</span>, and delete the code for the original <span class="term">wp_kses()</span>&#160;function.<br />

+<br />

+&#160; If the <span class="term">Kses</span>&#160;code has a non-empty hook function (e.g., <span class="term">wp_kses_hook()</span>&#160;in case of <span class="term">WordPress</span>), then the code for htmLawed's <span class="term">kses_hook()</span>&#160;function should be appropriately edited. However, the requirement of the hook function should be re-evaluated considering that htmLawed has extra capabilities. With <span class="term">WordPress</span>, the hook function is an essential one. The following code is suggested for the htmLawed <span class="term">kses_hook()</span>&#160;in case of <span class="term">WordPress</span>:<br />

+<br />

+

+<code class="code">&#160; &#160; // kses compatibility</code>

+<br />

+

+<code class="code">&#160; &#160; function kses_hook($string, &amp;$cf, &amp;$spec){</code>

+<br />

+

+<code class="code">&#160; &#160; &#160;$allowed_html = $spec;</code>

+<br />

+

+<code class="code">&#160; &#160; &#160;$allowed_protocols = array();</code>

+<br />

+

+<code class="code">&#160; &#160; &#160;foreach($cf[&#39;schemes&#39;] as $v){</code>

+<br />

+

+<code class="code">&#160; &#160; &#160; foreach($v as $k2=&gt;$v2){</code>

+<br />

+

+<code class="code">&#160; &#160; &#160; &#160;if(!in_array($k2, $allowed_protocols)){</code>

+<br />

+

+<code class="code">&#160; &#160; &#160; &#160; $allowed_protocols[] = $k2;</code>

+<br />

+

+<code class="code">&#160; &#160; &#160; &#160;}</code>

+<br />

+

+<code class="code">&#160; &#160; &#160; }</code>

+<br />

+

+<code class="code">&#160; &#160; &#160;}</code>

+<br />

+

+<code class="code">&#160; &#160; &#160;return wp_kses_hook($string, $allowed_html, $allowed_protocols);</code>

+<br />

+

+<code class="code">&#160; &#160; }</code>

+<br />

+

+</div>

+<div class="sub-section"><h3>

+<a name="s2.7" id="s2.7"></a><span class="item-no">2.7</span>&#160; Tolerance for ill-written HTML

+</h3><span class="totop"><a href="#peak">(to top)</a></span><br style="clear: both;" />

+<br />

+&#160; htmLawed can work with ill-written HTML code in the input. However, HTML that is too ill-written may not be <em>read</em>&#160;as HTML, and may therefore get identified as mere plain text. Following statements indicate the degree of <em>looseness</em>&#160;that htmLawed can work with, and can be provided in instructions to writers:<br />

+<br />

+&#160; * &#160;Tags must be flanked by <span class="term">&lt;</span>&#160;and <span class="term">&gt;</span>&#160;with no <span class="term">&gt;</span>&#160;inside -- any needed <span class="term">&gt;</span>&#160;should be put in as <span class="term">&amp;gt;</span>. It is possible for tag content (element name and attributes) to be spread over many lines instead of being on one. A space may be present between the tag content and <span class="term">&gt;</span>, like <span class="term">&lt;div &gt;</span>&#160;and <span class="term">&lt;img / &gt;</span>, but not after the <span class="term">&lt;</span>.<br />

+<br />

+&#160; * &#160;Element and attribute names need not be lower-cased.<br />

+<br />

+&#160; * &#160;Attribute string of elements may be liberally spaced with tabs, line-breaks, etc.<br />

+<br />

+&#160; * &#160;Attribute values may be single- and not double-quoted.<br />

+<br />

+&#160; * &#160;Left-padding of numeric entities (like, <span class="term">&amp;#0160;</span>, <span class="term">&amp;x07ff;</span>) with <span class="term">0</span>&#160;is okay as long as the number of characters between between the <span class="term">&amp;</span>&#160;and the <span class="term">;</span>&#160;does not exceed 8. All entities must end with <span class="term">;</span>&#160;though.<br />

+<br />

+&#160; * &#160;Named character entities must be properly cased. Thus, <span class="term">&amp;Lt;</span>&#160;or <span class="term">&amp;TILDE;</span>&#160;will not be recognized as entities and will be <em>neutralized</em>.<br />

+<br />

+&#160; * &#160;HTML comments should not be inside element tags (they can be between tags), and should begin with <span class="term">&lt;!--</span>&#160;and end with <span class="term">--&gt;</span>. Characters like <span class="term">&lt;</span>, <span class="term">&gt;</span>, and <span class="term">&amp;</span>&#160;may be allowed inside depending on <span class="term">$config</span>, but any <span class="term">--&gt;</span>&#160;inside should be put in as <span class="term">--&amp;gt;</span>. Any <span class="term">--</span>&#160;inside will be automatically converted to <span class="term">-</span>, and a space will be added before the <span class="term">--&gt;</span>&#160;comment-closing marker &#160;unless <span class="term">$config["comments"]</span>&#160;is set to <span class="term">4</span>&#160;(<a href="#s3.3.1">section 3.3.1</a>).<br />

+<br />

+&#160; * &#160;<span class="term">CDATA</span>&#160;sections should not be inside element tags, and can be in element content only if plain text is allowed for that element. They should begin with <span class="term">&lt;[CDATA[</span>&#160;and end with <span class="term">]]&gt;</span>. Characters like <span class="term">&lt;</span>, <span class="term">&gt;</span>, and <span class="term">&amp;</span>&#160;may be allowed inside depending on <span class="term">$config</span>, but any <span class="term">]]&gt;</span>&#160;inside should be put in as <span class="term">]]&amp;gt;</span>.<br />

+<br />

+&#160; * &#160;For attribute values, character entities <span class="term">&amp;lt;</span>, <span class="term">&amp;gt;</span>&#160;and <span class="term">&amp;amp;</span>&#160;should be used instead of characters <span class="term">&lt;</span>&#160;and <span class="term">&gt;</span>, and <span class="term">&amp;</span>&#160;(when <span class="term">&amp;</span>&#160;is not part of a character entity). This applies even for Javascript code in values of attributes like <span class="term">onclick</span>.<br />

+<br />

+&#160; * &#160;Characters <span class="term">&lt;</span>, <span class="term">&gt;</span>, <span class="term">&amp;</span>&#160;and <span class="term">"</span>&#160;that are part of actual Javascript, etc., code in <span class="term">script</span>&#160;elements should be used as such and not be put in as entities like <span class="term">&amp;gt;</span>. Otherwise, though the HTML will be valid, the code may fail to work. Further, if such characters have to be used, then they should be put inside <span class="term">CDATA</span>&#160;sections.<br />

+<br />

+&#160; * &#160;Simple instructions like "an opening tag cannot be present between two closing tags" and "nested elements should be closed in the reverse order of how they were opened" can help authors write balanced HTML. If tags are imbalanced, htmLawed will try to balance them, but in the process, depending on <span class="term">$config["keep_bad"]</span>, some code/text may be lost.<br />

+<br />

+&#160; * &#160;Input authors should be notified of admin-specified allowed elements, attributes, configuration values (like conversion of named entities to numeric ones), etc.<br />

+<br />

+&#160; * &#160;With <span class="term">$config["unique_ids"]</span>&#160;not <span class="term">0</span>&#160;and the <span class="term">id</span>&#160;attribute being permitted, writers should carefully avoid using duplicate or invalid <span class="term">id</span>&#160;values as even though htmLawed will correct/remove the values, the final output may not be the one desired. E.g., when <span class="term">&lt;a id="home"&gt;&lt;/a&gt;&lt;input id="home" /&gt;&lt;label for="home"&gt;&lt;/label&gt;</span>&#160;is processed into<br />

+<span class="term">&lt;a id="home"&gt;&lt;/a&gt;&lt;input id="prefix_home" /&gt;&lt;label for="home"&gt;&lt;/label&gt;</span>.<br />

+<br />

+&#160; * &#160;Even if intended HTML is lost from an ill-written input, the processed output will be more secure and standard-compliant.<br />

+<br />

+&#160; * &#160;For URLs, unless <span class="term">$config["scheme"]</span>&#160;is appropriately set, writers should avoid using escape characters or entities in schemes. E.g., <span class="term">htt&amp;#112;</span>&#160;(which many browsers will read as the harmless <span class="term">http</span>) may be considered bad by htmLawed.<br />

+<br />

+&#160; * &#160;htmLawed will attempt to put plain text present directly inside <span class="term">blockquote</span>, <span class="term">form</span>, <span class="term">map</span>&#160;and <span class="term">noscript</span>&#160;elements (illegal as per the specifications) inside auto-generated <span class="term">div</span>&#160;elements during tag balancing (<a href="#s3.3.3">section 3.3.3</a>).<br />

+

+</div>

+<div class="sub-section"><h3>

+<a name="s2.8" id="s2.8"></a><span class="item-no">2.8</span>&#160; Limitations &amp; work-arounds

+</h3><span class="totop"><a href="#peak">(to top)</a></span><br style="clear: both;" />

+<br />

+&#160; htmLawed's main objective is to make the input text <em>more</em>&#160;standard-compliant, secure for readers, and free of HTML elements and attributes considered undesirable by the administrator. Some of its current limitations, regardless of this objective, are noted below along with possible work-arounds.<br />

+<br />

+&#160; It should be borne in mind that no browser application is 100% standard-compliant, standard specifications continue to evolve, and many browsers accept commonly used non-standard HTML. Regarding security, note that <em>unsafe</em>&#160;HTML code is not legally invalid per se.<br />

+<br />

+&#160; * &#160;By default, htmLawed will not strictly adhere to the <em>current</em>&#160;HTML standard. Admins can configure htmLawed to be more strict about standard compliance. Standard specification for HTML is continuously evolving. There are two bodies (<a href="http://www.w3c.org">W3C</a>&#160;and <a href="http://www.whatwg.org">WHATWG</a>) that specify the standard and their specifications are not identical. E.g., as in mid-2013, the <span class="term">border</span>&#160;attribute is valid in <span class="term">table</span>&#160;as per W3C but not WHATWG. Thus, htmLawed may not be fully compliant with the standard of a specific group. The HTML standards/rules that htmLawed uses in its logic are a mix of the W3C and WHATWG standards, and can be lax because of the laxity of HTML interpreters (browsers) regarding standards.<br />

+<br />

+&#160; * &#160;In general, htmLawed processes input to generate output that is most likely to be standard-compatible in most users' browsers. Thus, for example, it does not enforce the required value of <span class="term">0</span>&#160;on <span class="term">border</span>&#160;attribute of <span class="term">img</span>&#160;(an HTML version 5 specification).<br />

+<br />

+&#160; * &#160;htmLawed is meant for input that goes into the <span class="term">body</span>&#160;of HTML documents. HTML's head-level elements are not supported, nor are the frame-specific elements <span class="term">frameset</span>, <span class="term">frame</span>&#160;and <span class="term">noframes</span>. However, content of the latter elements can be individually filtered through htmLawed.<br />

+<br />

+&#160; * &#160;It cannot handle input that has non-HTML code like <span class="term">SVG</span>&#160;and <span class="term">MathML</span>. One way around is to break the input into pieces and passing only those without non-HTML code to htmLawed. Another is described in <a href="#s3.9">section 3.9</a>. A third way may be to some how take advantage of the <span class="term">$config["and_mark"]</span>&#160;parameter (see <a href="#s3.2">section 3.2</a>).<br />

+<br />

+&#160; * &#160;By default, htmLawed won't check many attribute values for standard compliance. E.g., <span class="term">width="20m"</span>&#160;with the dimension in non-standard <span class="term">m</span>&#160;is let through. Implementing universal and strict attribute value checks can make htmLawed slow and resource-intensive. Admins should look at the <span class="term">hook_tag</span>&#160;parameter (<a href="#s3.4.9">section 3.4.9</a>) or <span class="term">$spec</span>&#160;to enforce finer checks on attribute values.<br />

+<br />

+&#160; * &#160;By default, htmLawed considers all ARIA, data-*, event and microdata attributes as global attributes and permits them in all elements. This is not strictly standard-compliant. E.g., the <span class="term">itemtype</span>&#160;microdata attribute is permitted only in elements that also have the <span class="term">itemscope</span>&#160;attribute. Admins can configure htmLawed to be more strict about this (<a href="#s2.3">section 2.3</a>).<br />

+<br />

+&#160; * &#160;The attributes, deprecated (which can be transformed too) or not, that it supports are largely those that are in the specifications. Only a few of the proprietary attributes are supported. However, <span class="term">$spec</span>&#160;can be used to allow custom attributes (<a href="#s2.3">section 2.3</a>).<br />

+<br />

+&#160; * &#160;Except for contained URLs and dynamic expressions (also optional), htmLawed does not check CSS style property values. Admins should look at using the <span class="term">hook_tag</span>&#160;parameter (<a href="#s3.4.9">section 3.4.9</a>) or <span class="term">$spec</span>&#160;for finer checks. Perhaps the best option is to disallow <span class="term">style</span>&#160;but allow <span class="term">class</span>&#160;attributes with the right <span class="term">oneof</span>&#160;or <span class="term">match</span>&#160;values for <span class="term">class</span>, and have the various class style properties in <span class="term">.css</span>&#160;CSS stylesheet files.<br />

+<br />

+&#160; * &#160;htmLawed does not parse emoticons, decode <em>BBcode</em>, or <em>wikify</em>, auto-converting text to proper HTML. Similarly, it won't convert line-breaks to <span class="term">br</span>&#160;elements. Such functions are beyond its purview. Admins should use other code to pre- or post-process the input for such purposes.<br />

+<br />

+&#160; * &#160;htmLawed cannot be used to have links force-opened in new windows (by auto-adding appropriate <span class="term">target</span>&#160;and <span class="term">onclick</span>&#160;attributes to <span class="term">a</span>). Admins should look at Javascript-based DOM-modifying solutions for this. Admins may also be able to use a custom hook function to enforce such checks (<span class="term">hook_tag</span>&#160;parameter; see <a href="#s3.4.9">section 3.4.9</a>).<br />

+<br />

+&#160; * &#160;Nesting-based checks are not possible. E.g., one cannot disallow <span class="term">p</span>&#160;elements specifically inside <span class="term">td</span>&#160;while permitting it elsewhere. Admins may be able to use a custom hook function to enforce such checks (<span class="term">hook_tag</span>&#160;parameter; see <a href="#s3.4.9">section 3.4.9</a>).<br />

+<br />

+&#160; * &#160;Except for optionally converting absolute or relative URLs to the other type, htmLawed will not alter URLs (e.g., to change the value of query strings or to convert <span class="term">http</span>&#160;to <span class="term">https</span>. Having absolute URLs may be a standard-requirement, e.g., when HTML is embedded in email messages, whereas altering URLs for other purposes is beyond htmLawed's goals. Admins may be able to use a custom hook function to enforce such checks (<span class="term">hook_tag</span>&#160;parameter; see <a href="#s3.4.9">section 3.4.9</a>).<br />

+<br />

+&#160; * &#160;Pairs of opening and closing tags that do not enclose any content (like <span class="term">&lt;em&gt;&lt;/em&gt;</span>) are not removed. This may be against the standard specification for certain elements (e.g., <span class="term">table</span>). However, presence of such standard-incompliant code will not break the display or layout of content. Admins can also use simple regex-based code to filter out such code.<br />

+<br />

+&#160; * &#160;htmLawed does not check for certain element orderings described in the standard specifications (e.g., in a <span class="term">table</span>, <span class="term">tbody</span>&#160;is allowed before <span class="term">tfoot</span>). Admins may be able to use a custom hook function to enforce such checks (<span class="term">hook_tag</span>&#160;parameter; see <a href="#s3.4.9">section 3.4.9</a>).<br />

+<br />

+&#160; * &#160;htmLawed does not check the number of nested elements. E.g., it will allow two <span class="term">caption</span>&#160;elements in a <span class="term">table</span>&#160;element, illegal as per standard specifications. Admins may be able to use a custom hook function to enforce such checks (<span class="term">hook_tag</span>&#160;parameter; see <a href="#s3.4.9">section 3.4.9</a>).<br />

+<br />

+&#160; * &#160;There are multiple ways to interpret ill-written HTML. E.g., in <span class="term">&lt;small&gt;&lt;small&gt;text&lt;/small&gt;</span>, is it that the second closing tag for <span class="term">small</span>&#160;is missing or is it that the second opening tag for <span class="term">small</span>&#160;was put in by mistake? htmLawed corrects the HTML in the string assuming the former, while the user may have intended the string for the latter. This is an issue that is impossible to address perfectly.<br />

+<br />

+&#160; * &#160;htmLawed might convert certain entities to actual characters and remove backslashes and CSS comment-markers (<span class="term">/&#42;</span>) in <span class="term">style</span>&#160;attribute values in order to detect malicious HTML like crafted, Internet Explorer browser-specific dynamic expressions like <span class="term">&amp;#101;xpression...</span>. If this is too harsh, admins can allow CSS expressions through htmLawed core but then use a custom function through the <span class="term">hook_tag</span>&#160;parameter (<a href="#s3.4.9">section 3.4.9</a>) to more specifically identify CSS expressions in the <span class="term">style</span>&#160;attribute values. Also, using <span class="term">$config["style_pass"]</span>, it is possible to have htmLawed pass <span class="term">style</span>&#160;attribute values without even looking at them (<a href="#s3.4.8">section 3.4.8</a>).<br />

+<br />

+&#160; * &#160;htmLawed does not correct certain possible attribute-based security vulnerabilities (e.g., <span class="term">&lt;a href="http&#58;//x%22+style=%22background-image&#58;xss"&gt;x&lt;/a&gt;</span>). These arise when browsers mis-identify markup in <em>escaped</em>&#160;text, defeating the very purpose of escaping text (a bad browser will read the given example as <span class="term">&lt;a href="http&#58;//x" style="background-image&#58;xss"&gt;x&lt;/a&gt;</span>).<br />

+<br />

+&#160; * &#160;Because of poor Unicode support in PHP, htmLawed does not remove the <em>high value</em>&#160;HTML-invalid characters with multi-byte code-points. Such characters however are extremely unlikely to be in the input. (see <a href="#s3.1">section 3.1</a>).<br />

+<br />

+&#160; * &#160;htmLawed does not check or correct the character encoding of the input it receives. In conjunction with permitting circumstances such as when the character encoding is left undefined through HTTP headers or HTML <span class="term">meta</span>&#160;tags, this can permit an exploit (like Google's <em>UTF-7/XSS</em>&#160;vulnerability of the past). Also, htmLawed can mangle input text if it is not well-formed in terms of character encoding. Administrators can consider using code available elsewhere to check well-formedness of input text characters to correct any defect.<br />

+<br />

+&#160; * &#160;htmLawed is expected to work with input texts in ASCII standard-compatible single-byte encodings such as national variants of ASCII (like ISO-646-DE/German of the ISO 646 standard), extended ASCII variants (like ISO 8859-10/Turkish of the ISO 8859/ISO Latin standard), ISO 8859-based Windows variants (like Windows 1252), EBCDIC, Shift JIS (Japanese), GB-Roman (Chinese), and KS-Roman (Korean). It should also properly handle texts with variable-byte encodings like UTF-7 (Unicode) and UTF-8 (Unicode). However, htmLawed may mangle input texts with double-byte encodings like UTF-16 (Unicode), JIS X 0208:1997 (Japanese) and K SX 1001:1992 (Korean), or the UTF-32 (Unicode) quadruple-byte encoding. If an input text has such an encoding, administrators can use PHP's <a href="http://php.net/manual/en/book.iconv.php">iconv</a>&#160;functions, or some other mean, to convert text to UTF-8 before passing it to htmLawed.<br />

+<br />

+&#160; * &#160;Like any script using PHP's PCRE regex functions, PHP setup-specific low PCRE limit values can cause htmLawed to at least partially fail with very long input texts.<br />

+

+</div>

+<div class="sub-section"><h3>

+<a name="s2.9" id="s2.9"></a><span class="item-no">2.9</span>&#160; Examples of usage

+</h3><span class="totop"><a href="#peak">(to top)</a></span><br style="clear: both;" />

+<br />

+&#160; Safest, allowing only <em>safe</em>&#160;HTML markup --<br />

+<br />

+

+<code class="code">&#160; &#160; $config = array(&#39;safe&#39;=&gt;1);</code>

+<br />

+

+<code class="code">&#160; &#160; $out = htmLawed($in, $config);</code>

+<br />

+<br />

+&#160; Simplest, allowing all valid HTML markup including Javascript --<br />

+<br />

+

+<code class="code">&#160; &#160; $out = htmLawed($in);</code>

+<br />

+<br />

+&#160; Allowing all valid HTML markup but restricting URL schemes in <span class="term">src</span>&#160;attribute values to <span class="term">http</span>&#160;and <span class="term">https</span>&#160;--<br />

+<br />

+

+<code class="code">&#160; &#160; $config = array(&#39;schemes&#39;=&gt;&#39;&#42;&#58;&#42;; src&#58;http, https&#39;);</code>

+<br />

+

+<code class="code">&#160; &#160; $out = htmLawed($in, $config);</code>

+<br />

+<br />

+&#160; Allowing only <span class="term">safe</span>&#160;HTML and the elements <span class="term">a</span>, <span class="term">em</span>, and <span class="term">strong</span>&#160;--<br />

+<br />

+

+<code class="code">&#160; &#160; $config = array(&#39;safe&#39;=&gt;1, &#39;elements&#39;=&gt;&#39;a, em, strong&#39;);</code>

+<br />

+

+<code class="code">&#160; &#160; $out = htmLawed($in, $config);</code>

+<br />

+<br />

+&#160; Not allowing elements <span class="term">script</span>&#160;and <span class="term">object</span>&#160;--<br />

+<br />

+

+<code class="code">&#160; &#160; $config = array(&#39;elements&#39;=&gt;&#39;&#42; -script -object&#39;);</code>

+<br />

+

+<code class="code">&#160; &#160; $out = htmLawed($in, $config);</code>

+<br />

+<br />

+&#160; Not allowing attributes <span class="term">id</span>&#160;and <span class="term">style</span>&#160;--<br />

+<br />

+

+<code class="code">&#160; &#160; $config = array(&#39;deny_attribute&#39;=&gt;&#39;id, style&#39;);</code>

+<br />

+

+<code class="code">&#160; &#160; $out = htmLawed($in, $config);</code>

+<br />

+<br />

+&#160; Permitting only attributes <span class="term">title</span>&#160;and <span class="term">href</span>&#160;--<br />

+<br />

+

+<code class="code">&#160; &#160; $config = array(&#39;deny_attribute&#39;=&gt;&#39;&#42; -title -href&#39;);</code>

+<br />

+

+<code class="code">&#160; &#160; $out = htmLawed($in, $config);</code>

+<br />

+<br />

+&#160; Remove bad/disallowed tags altogether instead of converting them to entities --<br />

+<br />

+

+<code class="code">&#160; &#160; $config = array(&#39;keep_bad&#39;=&gt;0);</code>

+<br />

+

+<code class="code">&#160; &#160; $out = htmLawed($in, $config);</code>

+<br />

+<br />

+&#160; Allowing attribute <span class="term">title</span>&#160;only in <span class="term">a</span>&#160;and not allowing attributes <span class="term">id</span>, <span class="term">style</span>, or scriptable <em>on*</em>&#160;attributes like <span class="term">onclick</span>&#160;--<br />

+<br />

+

+<code class="code">&#160; &#160; $config = array(&#39;deny_attribute&#39;=&gt;&#39;title, id, style, on&#42;&#39;);</code>

+<br />

+

+<code class="code">&#160; &#160; $spec = &#39;a=title&#39;;</code>

+<br />

+

+<code class="code">&#160; &#160; $out = htmLawed($in, $config, $spec);</code>

+<br />

+<br />

+&#160; Allowing a custom attribute, <span class="term">vFlag</span>, in <span class="term">img</span>&#160;and permitting custom use of the standard attribute, <span class="term">rel</span>, in <span class="term">input</span>&#160;--<br />

+<br />

+

+<code class="code">&#160; &#160; $spec = &#39;img=vFlag; input=rel&#39;;</code>

+<br />

+

+<code class="code">&#160; &#160; $out = htmLawed($in, $config, $spec);</code>

+<br />

+<br />

+&#160; Some case-studies are presented below.<br />

+<br />

+&#160; <strong>1.</strong>&#160;A blog administrator wants to allow only <span class="term">a</span>, <span class="term">em</span>, <span class="term">strike</span>, <span class="term">strong</span>&#160;and <span class="term">u</span>&#160;in comments, but needs <span class="term">strike</span>&#160;and <span class="term">u</span>&#160;transformed to <span class="term">span</span>&#160;for better XHTML 1-strict compliance, and, he wants the <span class="term">a</span>&#160;links to point only to <span class="term">http</span>&#160;or <span class="term">https</span>&#160;resources:<br />

+<br />

+

+<code class="code">&#160; &#160; $processed = htmLawed($in, array(&#39;elements&#39;=&gt;&#39;a, em, strike, strong, u&#39;, &#39;make_tag_strict&#39;=&gt;1, &#39;safe&#39;=&gt;1, &#39;schemes&#39;=&gt;&#39;&#42;&#58;http, https&#39;), &#39;a=href&#39;);</code>

+<br />

+<br />

+&#160; <strong>2.</strong>&#160;An author uses a custom-made web application to load content on his website. He is the only one using that application and the content he generates has all types of HTML, including scripts. The web application uses htmLawed primarily as a tool to correct errors that creep in while writing HTML and to take care of the occasional <em>bad</em>&#160;characters in copy-paste text introduced by Microsoft Office. The web application provides a preview before submitted input is added to the content. For the previewing process, htmLawed is set up as follows:<br />

+<br />

+

+<code class="code">&#160; &#160; $processed = htmLawed($in, array(&#39;css_expression&#39;=&gt;1, &#39;keep_bad&#39;=&gt;1, &#39;make_tag_strict&#39;=&gt;1, &#39;schemes&#39;=&gt;&#39;&#42;&#58;&#42;&#39;, &#39;valid_xhtml&#39;=&gt;1));</code>

+<br />

+<br />

+&#160; For the final submission process, <span class="term">keep_bad</span>&#160;is set to <span class="term">6</span>. A value of <span class="term">1</span>&#160;for the preview process allows the author to note and correct any HTML mistake without losing any of the typed text.<br />

+<br />

+&#160; <strong>3.</strong>&#160;A data-miner is scraping information in a specific table of similar web-pages and is collating the data rows, and uses htmLawed to reduce unnecessary markup and white-spaces:<br />

+<br />

+

+<code class="code">&#160; &#160; $processed = htmLawed($in, array(&#39;elements&#39;=&gt;&#39;tr, td&#39;, &#39;tidy&#39;=&gt;-1), &#39;tr, td =&#39;);</code>

+<br />

+

+</div>

+</div>

+<div class="section"><h2>

+<a name="s3" id="s3"></a><span class="item-no">3</span>&#160; Details

+</h2><span class="totop"><a href="#peak">(to top)</a></span><br style="clear: both;" />

+<div class="sub-section"><h3>

+<a name="s3.1" id="s3.1"></a><span class="item-no">3.1</span>&#160; Invalid/dangerous characters

+</h3><span class="totop"><a href="#peak">(to top)</a></span><br style="clear: both;" />

+<br />

+&#160; Valid characters (more correctly, their code-points) in HTML or XML are, hexadecimally, <span class="term">9</span>, <span class="term">a</span>, <span class="term">d</span>, <span class="term">20</span>&#160;to <span class="term">d7ff</span>, and <span class="term">e000</span>&#160;to <span class="term">10ffff</span>, except <span class="term">fffe</span>&#160;and <span class="term">ffff</span>&#160;(decimally, <span class="term">9</span>, <span class="term">10</span>, <span class="term">13</span>, <span class="term">32</span>&#160;to <span class="term">55295</span>, and <span class="term">57344</span>&#160;to <span class="term">1114111</span>, except <span class="term">65534</span>&#160;and <span class="term">65535</span>). htmLawed removes the invalid characters <span class="term">0</span>&#160;to <span class="term">8</span>, <span class="term">b</span>, <span class="term">c</span>, and <span class="term">e</span>&#160;to <span class="term">1f</span>.<br />

+<br />

+&#160; Because of PHP's poor native support for multi-byte characters, htmLawed cannot check for the remaining invalid code-points. However, for various reasons, it is very unlikely for any of those characters to be in the input.<br />

+<br />

+&#160; Characters that are discouraged (see <a href="#s5.1">section 5.1</a>) but not invalid are not removed by htmLawed.<br />

+<br />

+&#160; It (function <span class="term">hl_tag()</span>) also replaces the potentially dangerous (in some Mozilla [Firefox] and Opera browsers) soft-hyphen character (code-point, hexadecimally, <span class="term">ad</span>, or decimally, <span class="term">173</span>) in attribute values with spaces. Where required, the characters <span class="term">&lt;</span>, <span class="term">&gt;</span>, <span class="term">&amp;</span>, and <span class="term">"</span>&#160;are converted to entities.<br />

+<br />

+&#160; With <span class="term">$config["clean_ms_char"]</span>&#160;set as <span class="term">1</span>&#160;or <span class="term">2</span>, many of the discouraged characters (decimal code-points <span class="term">127</span>&#160;to <span class="term">159</span>&#160;except <span class="term">133</span>) that many Microsoft applications incorrectly use (as per the <span class="term">Windows 1252</span>&#160;[<span class="term">Cp-1252</span>] or a similar encoding system), and the character for decimal code-point <span class="term">133</span>, are converted to appropriate decimal numerical entities (or removed for a few cases)-- see appendix in <a href="#s5.4">section 5.4</a>. This can help avoid some display issues arising from copying-pasting of content.<br />

+<br />

+&#160; With <span class="term">$config["clean_ms_char"]</span>&#160;set as <span class="term">2</span>, characters for the hexadecimal code-points <span class="term">82</span>, <span class="term">91</span>, and <span class="term">92</span>&#160;(for special single-quotes), and <span class="term">84</span>, <span class="term">93</span>, and <span class="term">94</span>&#160;(for special double-quotes) are converted to ordinary single and double quotes respectively and not to entities.<br />

+<br />

+&#160; The character values are replaced with entities/characters and not character values referred to by the entities/characters to keep this task independent of the character-encoding of input text.<br />

+<br />

+&#160; The <span class="term">$config["clean_ms_char"]</span>&#160;parameter should not be used if authors do not copy-paste Microsoft-created text, or if the input text is not believed to use the <span class="term">Windows 1252</span>&#160;(<span class="term">Cp-1252</span>) or a similar encoding like <span class="term">Cp-1251</span>&#160;(otherwise, for example when UTF-8 encoding is in use, Japanese or Korean characters can get mangled). Further, the input form and the web-pages displaying it or its content should have the character encoding appropriately marked-up.<br />

+

+</div>

+<div class="sub-section"><h3>

+<a name="s3.2" id="s3.2"></a><span class="item-no">3.2</span>&#160; Character references/entities

+</h3><span class="totop"><a href="#peak">(to top)</a></span><br style="clear: both;" />

+<br />

+&#160; Valid character entities take the form <span class="term">&amp;&#42;;</span>&#160;where <span class="term">&#42;</span>&#160;is <span class="term">#x</span>&#160;followed by a hexadecimal number (hexadecimal numeric entity; like <span class="term">&amp;#xA0;</span>&#160;for non-breaking space), or alphanumeric like <span class="term">gt</span>&#160;(external or named entity; like <span class="term">&amp;nbsp;</span>&#160;for non-breaking space), or <span class="term">#</span>&#160;followed by a number (decimal numeric entity; like <span class="term">&amp;#160;</span>&#160;for non-breaking space). Character entities referring to the soft-hyphen character (the <span class="term">&amp;shy;</span>&#160;or <span class="term">\xad</span>&#160;character; hexadecimal code-point <span class="term">ad</span>&#160;[decimal <span class="term">173</span>]) in URL-accepting attribute values are always replaced with spaces; soft-hyphens in attribute values introduce vulnerabilities in some older versions of the Opera and Mozilla [Firefox] browsers.<br />

+<br />

+&#160; htmLawed (function <span class="term">hl_ent()</span>):<br />

+<br />

+&#160; * &#160;Neutralizes entities with multiple leading zeroes or missing semi-colons (potentially dangerous)<br />

+<br />

+&#160; * &#160;Lowercases the <span class="term">X</span>&#160;(for XML-compliance) and <span class="term">A-F</span>&#160;of hexadecimal numeric entities<br />

+<br />

+&#160; * &#160;Neutralizes entities referring to characters that are HTML-invalid (see <a href="#s3.1">section 3.1</a>)<br />

+<br />

+&#160; * &#160;Neutralizes entities referring to characters that are HTML-discouraged (code-points, hexadecimally, <span class="term">7f</span>&#160;to <span class="term">84</span>, <span class="term">86</span>&#160;to <span class="term">9f</span>, and <span class="term">fdd0</span>&#160;to <span class="term">fddf</span>, or decimally, <span class="term">127</span>&#160;to <span class="term">132</span>, <span class="term">134</span>&#160;to <span class="term">159</span>, and <span class="term">64991</span>&#160;to <span class="term">64976</span>). Entities referring to the remaining discouraged characters (see <a href="#s5.1">section 5.1</a>&#160;for a full list) are let through.<br />

+<br />

+&#160; * &#160;Neutralizes named entities that are not in the specifications<br />

+<br />

+&#160; * &#160;Optionally converts valid HTML-specific named entities except <span class="term">&amp;gt;</span>, <span class="term">&amp;lt;</span>, <span class="term">&amp;quot;</span>, and <span class="term">&amp;amp;</span>&#160;to decimal numeric ones (hexadecimal if $config["hexdec_entity"] is <span class="term">2</span>) for generic XML-compliance. For this, <span class="term">$config["named_entity"]</span>&#160;should be <span class="term">1</span>.<br />

+<br />

+&#160; * &#160;Optionally converts hexadecimal numeric entities to the more widely supported decimal ones. For this, <span class="term">$config["hexdec_entity"]</span>&#160;should be <span class="term">0</span>.<br />

+<br />

+&#160; * &#160;Optionally converts decimal numeric entities to the hexadecimal ones. For this, <span class="term">$config["hexdec_entity"]</span>&#160;should be <span class="term">2</span>.<br />

+<br />

+&#160; <em>Neutralization</em>&#160;refers to the <em>entitification</em>&#160;of <span class="term">&amp;</span>&#160;to <span class="term">&amp;amp;</span>.<br />

+<br />

+&#160; <strong>Note</strong>: htmLawed does not convert entities to the actual characters represented by them; one can pass the htmLawed output through PHP's <span class="term">html_entity_decode</span>&#160;<a href="http://www.php.net/html_entity_decode">function</a>&#160;for that.<br />

+<br />

+&#160; <strong>Note</strong>: If <span class="term">$config["and_mark"]</span>&#160;is set, and set to a value other than <span class="term">0</span>, then the <span class="term">&amp;</span>&#160;characters in the original input are replaced with the control character for the hexadecimal code-point <span class="term">6</span>&#160;(<span class="term">\x06</span>; <span class="term">&amp;</span>&#160;characters introduced by htmLawed, e.g., after converting <span class="term">&lt;</span>&#160;to <span class="term">&amp;lt;</span>, are not affected). This allows one to distinguish, say, an <span class="term">&amp;gt;</span>&#160;introduced by htmLawed and an <span class="term">&amp;gt;</span>&#160;put in by the input writer, and can be helpful in further processing of the htmLawed-processed text (e.g., to identify the character sequence <span class="term">o(&gt;&lt;)o</span>&#160;to generate an emoticon image). When this feature is active, admins should ensure that the htmLawed output is not directly used in web pages or XML documents as the presence of the <span class="term">\x06</span>&#160;can break documents. Before use in such documents, and preferably before any storage, any remaining <span class="term">\x06</span>&#160;should be changed back to <span class="term">&amp;</span>, e.g., with:<br />

+<br />

+

+<code class="code">&#160; &#160; $final = str_replace("\x06", &#39;&amp;&#39;, $prelim);</code>

+<br />

+<br />

+&#160; Also, see <a href="#s3.9">section 3.9</a>.<br />

+

+</div>

+<div class="sub-section"><h3>

+<a name="s3.3" id="s3.3"></a><span class="item-no">3.3</span>&#160; HTML elements

+</h3><span class="totop"><a href="#peak">(to top)</a></span><br style="clear: both;" />

+<br />

+&#160; htmLawed can be configured to allow only certain HTML elements (tags) in the input. Disallowed elements (just tag-content, and not element-content), based on <span class="term">$config["keep_bad"]</span>, are either <em>neutralized</em>&#160;(converted to plain text by entitification of <span class="term">&lt;</span>&#160;and <span class="term">&gt;</span>) or removed.<br />

+<br />

+&#160; E.g., with only <span class="term">em</span>&#160;permitted:<br />

+<br />

+&#160; Input:<br />

+<br />

+

+<code class="code">&#160; &#160; &#160; &lt;em&gt;My&lt;/em&gt; website is &lt;a href="http&#58;//a.com&gt;a.com&lt;/a&gt;.</code>

+<br />

+<br />

+&#160; Output, with <span class="term">$config["keep_bad"] = 0</span>:<br />

+<br />

+

+<code class="code">&#160; &#160; &#160; &lt;em&gt;My&lt;/em&gt; website is a.com.</code>

+<br />

+<br />

+&#160; Output, with <span class="term">$config["keep_bad"]</span>&#160;not <span class="term">0</span>:<br />

+<br />

+

+<code class="code">&#160; &#160; &#160; &lt;em&gt;My&lt;/em&gt; website is &amp;lt;a href=""&amp;gt;a.com&amp;lt;/a&amp;gt;.</code>

+<br />

+<br />

+&#160; See <a href="#s3.3.3">section 3.3.3</a>&#160;for differences between the various non-zero <span class="term">$config["keep_bad"]</span>&#160;values.<br />

+<br />

+&#160; htmLawed by default permits these 118 HTML elements:<br />

+<br />

+

+<code class="code">&#160; &#160; a, abbr, acronym, address, applet, area, article, aside, audio, b, bdi, bdo, big, blockquote, br, button, canvas, caption, center, cite, code, col, colgroup, command, data, datalist, dd, del, details, dfn, dir, div, dl, dt, em, embed, fieldset, figcaption, figure, font, footer, form, h1, h2, h3, h4, h5, h6, header, hgroup, hr, i, iframe, img, input, ins, isindex, kbd, keygen, label, legend, li, link, main, map, mark, menu, meta, meter, nav, noscript, object, ol, optgroup, option, output, p, param, pre, progress, q, rb, rbc, rp, rt, rtc, ruby, s, samp, script, section, select, small, source, span, strike, strong, style, sub, summary, sup, table, tbody, td, textarea, tfoot, th, thead, time, tr, track, tt, u, ul, var, video, wbr</code>

+<br />

+<br />

+&#160; The HTML version 4 elements <span class="term">acronym</span>, <span class="term">applet</span>, <span class="term">big</span>, <span class="term">center</span>, <span class="term">dir</span>, <span class="term">font</span>, <span class="term">strike</span>, and <span class="term">tt</span>&#160;are obsolete/deprecated in HTML version 5. On the other hand, the obsolete/deprecated HTML 4 elements <span class="term">embed</span>, <span class="term">menu</span>&#160;and <span class="term">u</span>&#160;are no longer so in HTML 5. Elements new to HTML 5 are <span class="term">article</span>, <span class="term">aside</span>, <span class="term">audio</span>, <span class="term">bdi</span>, <span class="term">canvas</span>, <span class="term">command</span>, <span class="term">data</span>, <span class="term">datalist</span>, <span class="term">details</span>, <span class="term">figure</span>, <span class="term">figcaption</span>, <span class="term">footer</span>, <span class="term">header</span>, <span class="term">hgroup</span>, <span class="term">keygen</span>, <span class="term">link</span>, <span class="term">main</span>, <span class="term">mark</span>, <span class="term">meta</span>, <span class="term">meter</span>, <span class="term">nav</span>, <span class="term">output</span>, <span class="term">progress</span>, <span class="term">section</span>, <span class="term">source</span>, <span class="term">style</span>, <span class="term">summary</span>, <span class="term">time</span>, <span class="term">track</span>, <span class="term">video</span>, and <span class="term">wbr</span>. The <span class="term">link</span>, <span class="term">meta</span>&#160;and <span class="term">style</span>&#160;elements exist in HTML 4 but are not allowed in the HTML body. These 16 elements are <em>empty</em>&#160;elements that have an opening tag with possible content but no element content (thus, no closing tag): <span class="term">area</span>, <span class="term">br</span>, <span class="term">col</span>, <span class="term">command</span>, <span class="term">embed</span>, <span class="term">hr</span>, <span class="term">img</span>, <span class="term">input</span>, <span class="term">isindex</span>, <span class="term">keygen</span>, <span class="term">link</span>, <span class="term">meta</span>, <span class="term">param</span>, <span class="term">source</span>, <span class="term">track</span>, and <span class="term">wbr</span>.<br />

+<br />

+&#160; With <span class="term">$config["safe"] = 1</span>, the default set will exclude <span class="term">applet</span>, <span class="term">audio</span>, <span class="term">canvas</span>, <span class="term">embed</span>, <span class="term">iframe</span>, <span class="term">object</span>, <span class="term">script</span>&#160;and <span class="term">video</span>; see <a href="#s3.6">section 3.6</a>.<br />

+<br />

+&#160; When <span class="term">$config["elements"]</span>, which specifies allowed elements, is <em>properly</em>&#160;defined, and neither empty nor set to <span class="term">0</span>&#160;or <span class="term">&#42;</span>, the default set is not used. To have elements added to or removed from the default set, a <span class="term">+/-</span>&#160;notation is used. E.g., <span class="term">&#42;-script-object</span>&#160;implies that only <span class="term">script</span>&#160;and <span class="term">object</span>&#160;are disallowed, whereas <span class="term">&#42;+embed</span>&#160;means that <span class="term">noembed</span>&#160;is also allowed. Elements can also be specified as comma separated names. E.g., <span class="term">a, b, i</span>&#160;means only <span class="term">a</span>, <span class="term">b</span>&#160;and <span class="term">i</span>&#160;are permitted. In this notation, <span class="term">&#42;</span>, <span class="term">+</span>&#160;and <span class="term">-</span>&#160;have no significance and can actually cause a mis-reading.<br />

+<br />

+&#160; Some more examples of <span class="term">$config["elements"]</span>&#160;values indicating permitted elements (note that empty spaces are liberally allowed for clarity):<br />

+<br />

+&#160; * &#160;<span class="term">a, blockquote, code, em, strong</span>&#160;-- only <span class="term">a</span>, <span class="term">blockquote</span>, <span class="term">code</span>, <span class="term">em</span>, and <span class="term">strong</span><br />

+&#160; * &#160;<span class="term">&#42;-script</span>&#160;-- all excluding <span class="term">script</span><br />

+&#160; * &#160;<span class="term">&#42; -acronym -big -center -dir -font -isindex -s -strike -tt</span>&#160;-- only non-obsolete/deprecated elements of HTML5<br />

+&#160; * &#160;<span class="term">&#42;+noembed-script</span>&#160;-- all including <span class="term">noembed</span>&#160;excluding <span class="term">script</span><br />

+<br />

+&#160; Some mis-usages (and the resulting permitted elements) that can be avoided:<br />

+<br />

+&#160; * &#160;<span class="term">-&#42;</span>&#160;-- none; instead of htmLawed, one might just use, e.g., the <span class="term">htmlspecialchars()</span>&#160;PHP function<br />

+&#160; * &#160;<span class="term">&#42;, -script</span>&#160;-- all except <span class="term">script</span>; admin probably meant <span class="term">&#42;-script</span><br />

+&#160; * &#160;<span class="term">-&#42;, a, em, strong</span>&#160;-- all; admin probably meant <span class="term">a, em, strong</span><br />

+&#160; * &#160;<span class="term">&#42;</span>&#160;-- all; admin need not have set <span class="term">elements</span><br />

+&#160; * &#160;<span class="term">&#42;-form+form</span>&#160;-- all; a <span class="term">+</span>&#160;will always over-ride any <span class="term">-</span><br />

+&#160; * &#160;<span class="term">&#42;, noembed</span>&#160;-- only <span class="term">noembed</span>; admin probably meant <span class="term">&#42;+noembed</span><br />

+&#160; * &#160;<span class="term">a, +b, i</span>&#160;-- only <span class="term">a</span>&#160;and <span class="term">i</span>; admin probably meant <span class="term">a, b, i</span><br />

+<br />

+&#160; Basically, when using the <span class="term">+/-</span>&#160;notation, commas (<span class="term">,</span>) should not be used, and vice versa, and <span class="term">&#42;</span>&#160;should be used with the former but not the latter.<br />

+<br />

+&#160; <strong>Note</strong>: Even if an element that is not in the default set is allowed through <span class="term">$config["elements"]</span>, like <span class="term">noembed</span>&#160;in the last example, it will eventually be removed during tag balancing unless such balancing is turned off (<span class="term">$config["balance"]</span>&#160;set to <span class="term">0</span>). Currently, the only way around this, which actually is simple, is to edit htmLawed's PHP code which define various arrays in the function <span class="term">hl_bal()</span>&#160;to accommodate the element and its nesting properties.<br />

+<br />

+&#160; A possible second way to specify allowed elements is to set <span class="term">$config["parent"]</span>&#160;to an element name that supposedly will hold the input, and to set <span class="term">$config["balance"]</span>&#160;to <span class="term">1</span>. During tag balancing (see <a href="#s3.3.3">section 3.3.3</a>), all elements that cannot legally nest inside the parent element will be removed. The parent element is auto-reset to <span class="term">div</span>&#160;if <span class="term">$config["parent"]</span>&#160;is empty, <span class="term">body</span>, or an element not in htmLawed's default set of 118 elements.<br />

+<br />

+&#160; <em>Tag transformation</em>&#160;is possible for improving compliance with HTML standards -- most of the obsolete/deprecated elements of HTML version 5 are converted to valid &#160;ones; see <a href="#s3.3.2">section 3.3.2</a>.<br />

+

+<div class="sub-sub-section"><h4>

+<a name="s3.3.1" id="s3.3.1"></a><span class="item-no">3.3.1</span>&#160; Handling of comments &amp; CDATA sections

+</h4><span class="totop"><a href="#peak">(to top)</a></span><br style="clear: both;" />

+<br />

+&#160; <span class="term">CDATA</span>&#160;sections have the format <span class="term">&lt;![CDATA[...anything but not "]]&gt;"...]]&gt;</span>, and HTML comments, <span class="term">&lt;!--...anything but not "--&gt;"... --&gt;</span>. Neither HTML comments nor <span class="term">CDATA</span>&#160;sections can reside inside tags. HTML comments can exist anywhere else, but <span class="term">CDATA</span>&#160;sections can exist only where plain text is allowed (e.g., immediately inside <span class="term">td</span>&#160;element content but not immediately inside <span class="term">tr</span>&#160;element content).<br />

+<br />

+&#160; htmLawed (function <span class="term">hl_cmtcd()</span>) handles HTML comments or <span class="term">CDATA</span>&#160;sections depending on the values of <span class="term">$config["comment"]</span>&#160;or <span class="term">$config["cdata"]</span>. If <span class="term">0</span>, such markup is not looked for and the text is processed like plain text. If <span class="term">1</span>, it is removed completely. If <span class="term">2</span>, it is preserved but any <span class="term">&lt;</span>, <span class="term">&gt;</span>&#160;and <span class="term">&amp;</span>&#160;inside are changed to entities. If <span class="term">3</span>&#160;for <span class="term">$config["cdata"]</span>, or <span class="term">3</span>&#160;or <span class="term">4</span>&#160;for <span class="term">$config["comment"]</span>, they are left as such. When <span class="term">$config["comment"]</span>&#160;is set to <span class="term">4</span>, htmLawed will not force a space character before the <span class="term">--&gt;</span>&#160;comment-closing marker. While such a space is required for standard-compliance, it can corrupt marker code put in HTML by some software (such as Microsoft Outlook).<br />

+<br />

+&#160; Note that for the last two cases, HTML comments and <span class="term">CDATA</span>&#160;sections will always be removed from tag content (function <span class="term">hl_tag()</span>).<br />

+<br />

+&#160; Examples:<br />

+<br />

+&#160; Input:<br />

+

+<code class="code">&#160; &#160; &lt;!-- home link--&gt;&lt;a href="home.htm"&gt;&lt;![CDATA[x=&amp;y]]&gt;Home&lt;/a&gt;</code>

+<br />

+&#160; Output (<span class="term">$config["comment"] = 0, $config["cdata"] = 2</span>):<br />

+

+<code class="code">&#160; &#160; &amp;lt;-- home link--&amp;gt;&lt;a href="home.htm"&gt;&lt;![CDATA[x=&amp;amp;y]]&gt;Home&lt;/a&gt;</code>

+<br />

+&#160; Output (<span class="term">$config["comment"] = 1, $config["cdata"] = 2</span>):<br />

+

+<code class="code">&#160; &#160; &lt;a href="home.htm"&gt;&lt;![CDATA[x=&amp;amp;y]]&gt;Home&lt;/a&gt;</code>

+<br />

+&#160; Output (<span class="term">$config["comment"] = 2, $config["cdata"] = 2</span>):<br />

+

+<code class="code">&#160; &#160; &lt;!-- home link --&gt;&lt;a href="home.htm"&gt;&lt;![CDATA[x=&amp;amp;y]]&gt;Home&lt;/a&gt;</code>

+<br />

+&#160; Output (<span class="term">$config["comment"] = 2, $config["cdata"] = 1</span>):<br />

+

+<code class="code">&#160; &#160; &lt;!-- home link --&gt;&lt;a href="home.htm"&gt;Home&lt;/a&gt;</code>

+<br />

+&#160; Output (<span class="term">$config["comment"] = 3, $config["cdata"] = 3</span>):<br />

+

+<code class="code">&#160; &#160; &lt;!-- home link --&gt;&lt;a href="home.htm"&gt;&lt;![CDATA[x=&amp;y]]&gt;Home&lt;/a&gt;</code>

+<br />

+&#160; Output (<span class="term">$config["comment"] = 4, $config["cdata"] = 3</span>):<br />

+

+<code class="code">&#160; &#160; &lt;!-- home link--&gt;&lt;a href="home.htm"&gt;&lt;![CDATA[x=&amp;y]]&gt;Home&lt;/a&gt;</code>

+<br />

+<br />

+&#160; For standard-compliance, comments are given the form <span class="term">&lt;!--comment --&gt;</span>, and any <span class="term">--</span>&#160;in the content is made <span class="term">-</span>. When <span class="term">$config["comment"]</span>&#160;is set to <span class="term">4</span>, htmLawed will not force a space character before the <span class="term">--&gt;</span>&#160;comment-closing marker.<br />

+<br />

+&#160; When <span class="term">$config["safe"] = 1</span>, CDATA sections and comments are considered plain text unless <span class="term">$config["comment"]</span>&#160;or <span class="term">$config["cdata"]</span>&#160;is explicitly specified; see <a href="#s3.6">section 3.6</a>.<br />

+

+</div>

+<div class="sub-sub-section"><h4>

+<a name="s3.3.2" id="s3.3.2"></a><span class="item-no">3.3.2</span>&#160; Tag-transformation for better compliance with standards

+</h4><span class="totop"><a href="#peak">(to top)</a></span><br style="clear: both;" />

+<br />

+&#160; If <span class="term">$config["make_tag_strict"]</span>&#160;is set and not <span class="term">0</span>, following deprecated elements (and attributes), as per HTML 5 specification, even if admin-permitted, are mutated as indicated (element content remains intact; function <span class="term">hl_tag2()</span>):<br />

+<br />

+&#160; * &#160;acronym - <span class="term">abbr</span><br />

+&#160; * &#160;applet - based on <span class="term">$config["make_tag_strict"]</span>, unchanged (<span class="term">1</span>) or removed (<span class="term">2</span>)<br />

+&#160; * &#160;big - <span class="term">span style="font-size&#58; larger;"</span><br />

+&#160; * &#160;center - <span class="term">div style="text-align&#58; center;"</span><br />

+&#160; * &#160;dir - <span class="term">ul</span><br />

+&#160; * &#160;font (face, size, color) - &#160; &#160;<span class="term">span style="font-family&#58; ; font-size&#58; ; color&#58; ;"</span>&#160;(size transformation <a href="http://web.archive.org/web/20180201141931/http://style.cleverchimp.com/font_size_intervals/altintervals.html">reference</a>)<br />

+&#160; * &#160;isindex - based on <span class="term">$config["make_tag_strict"]</span>, unchanged (<span class="term">1</span>) or removed (<span class="term">2</span>)<br />

+&#160; * &#160;s - <span class="term">span style="text-decoration&#58; line-through;"</span><br />

+&#160; * &#160;strike - <span class="term">span style="text-decoration&#58; line-through;"</span><br />

+&#160; * &#160;tt - <span class="term">code</span><br />

+<br />

+&#160; For an element with a pre-existing <span class="term">style</span>&#160;attribute value, the extra style properties are appended.<br />

+<br />

+&#160; Example input:<br />

+<br />

+

+<code class="code">&#160; &#160; &lt;center&gt;</code>

+<br />

+

+<code class="code">&#160; &#160; &#160;The PHP &lt;s&gt;software&lt;/s&gt; script used for this &lt;strike&gt;web-page&lt;/strike&gt; web-page is &lt;font style="font-weight&#58; bold " face=arial size=&#39;+3&#39; color &#160; = &#160;"red &#160;"&gt;htmLawedTest.php&lt;/font&gt;, from &lt;u style= &#39;color&#58;green&#39;&gt;PHP Labware&lt;/u&gt;.</code>

+<br />

+

+<code class="code">&#160; &#160; &lt;/center&gt;</code>

+<br />

+<br />

+&#160; The output:<br />

+<br />

+

+<code class="code">&#160; &#160; &lt;div style="text-align&#58; center;"&gt;</code>

+<br />

+

+<code class="code">&#160; &#160; &#160;The PHP &lt;span style="text-decoration&#58; line-through;"&gt;software&lt;/span&gt; script used for this &lt;span style="text-decoration&#58; line-through;"&gt;web-page&lt;/span&gt; web-page is &lt;span style="font-weight&#58; bold; font-size&#58; 200%; color&#58; red; font-family&#58; arial;"&gt;htmLawedTest.php&lt;/span&gt;, from &lt;u style="color&#58;green"&gt;PHP Labware&lt;/u&gt;.</code>

+<br />

+

+<code class="code">&#160; &#160; &lt;/div&gt;</code>

+<br />

+

+</div>

+<div class="sub-sub-section"><h4>

+<a name="s3.3.3" id="s3.3.3"></a><span class="item-no">3.3.3</span>&#160; Tag balancing &amp; proper nesting

+</h4><span class="totop"><a href="#peak">(to top)</a></span><br style="clear: both;" />

+<br />

+&#160; If <span class="term">$config["balance"]</span>&#160;is set to <span class="term">1</span>, htmLawed (function <span class="term">hl_bal()</span>) checks and corrects the input to have properly balanced tags and legal element content (i.e., any element nesting should be valid, and plain text may be present only in the content of elements that allow them).<br />

+<br />

+&#160; Depending on the value of <span class="term">$config["keep_bad"]</span>&#160;(see <a href="#s2.2">section 2.2</a>&#160;and <a href="#s3.3">section 3.3</a>), illegal content may be removed or neutralized to plain text by converting &lt; and &gt; to entities:<br />

+<br />

+&#160; <span class="term">0</span>&#160;- remove; this option is available only to maintain Kses-compatibility and should not be used otherwise (see <a href="#s2.6">section 2.6</a>)<br />

+&#160; <span class="term">1</span>&#160;- neutralize tags and keep element content<br />

+&#160; <span class="term">2</span>&#160;- remove tags but keep element content<br />

+&#160; <span class="term">3</span>&#160;and <span class="term">4</span>&#160;- like <span class="term">1</span>&#160;and <span class="term">2</span>, but keep element content only if text (<span class="term">pcdata</span>) is valid in parent element as per specs<br />

+&#160; <span class="term">5</span>&#160;and <span class="term">6</span>&#160;- &#160;like <span class="term">3</span>&#160;and <span class="term">4</span>, but line-breaks, tabs and spaces are left<br />

+<br />

+&#160; Example input (disallowing the <span class="term">p</span>&#160;element):<br />

+<br />

+

+<code class="code">&#160; &#160; &lt;&#42;&gt; Pseudo-tags &lt;&#42;&gt;</code>

+<br />

+

+<code class="code">&#160; &#160; &lt;xml&gt;Non-HTML tag xml&lt;/xml&gt;</code>

+<br />

+

+<code class="code">&#160; &#160; &lt;p&gt;</code>

+<br />

+

+<code class="code">&#160; &#160; Disallowed tag p</code>

+<br />

+

+<code class="code">&#160; &#160; &lt;/p&gt;</code>

+<br />

+

+<code class="code">&#160; &#160; &lt;ul&gt;Bad&lt;li&gt;OK&lt;/li&gt;&lt;/ul&gt;</code>

+<br />

+<br />

+&#160; The output with <span class="term">$config["keep_bad"] = 1</span>:<br />

+<br />

+

+<code class="code">&#160; &#160; &amp;lt;&#42;&amp;gt; Pseudo-tags &amp;lt;&#42;&amp;gt;</code>

+<br />

+

+<code class="code">&#160; &#160; &amp;lt;xml&amp;gt;Non-HTML tag xml&amp;lt;/xml&amp;gt;</code>

+<br />

+

+<code class="code">&#160; &#160; &amp;lt;p&amp;gt;</code>

+<br />

+

+<code class="code">&#160; &#160; Disallowed tag p</code>

+<br />

+

+<code class="code">&#160; &#160; &amp;lt;/p&amp;gt;</code>

+<br />

+

+<code class="code">&#160; &#160; &lt;ul&gt;Bad&lt;li&gt;OK&lt;/li&gt;&lt;/ul&gt;</code>

+<br />

+<br />

+&#160; The output with <span class="term">$config["keep_bad"] = 3</span>:<br />

+<br />

+

+<code class="code">&#160; &#160; &amp;lt;&#42;&amp;gt; Pseudo-tags &amp;lt;&#42;&amp;gt;</code>

+<br />

+

+<code class="code">&#160; &#160; &amp;lt;xml&amp;gt;Non-HTML tag xml&amp;lt;/xml&amp;gt;</code>

+<br />

+

+<code class="code">&#160; &#160; &amp;lt;p&amp;gt;</code>

+<br />

+

+<code class="code">&#160; &#160; Disallowed tag p</code>

+<br />

+

+<code class="code">&#160; &#160; &amp;lt;/p&amp;gt;</code>

+<br />

+

+<code class="code">&#160; &#160; &lt;ul&gt;&lt;li&gt;OK&lt;/li&gt;&lt;/ul&gt;</code>

+<br />

+<br />

+&#160; The output with <span class="term">$config["keep_bad"] = 6</span>:<br />

+<br />

+

+<code class="code">&#160; &#160; &amp;lt;&#42;&amp;gt; Pseudo-tags &amp;lt;&#42;&amp;gt;</code>

+<br />

+

+<code class="code">&#160; &#160; Non-HTML tag xml</code>

+<br />

+<br />

+

+<code class="code">&#160; &#160; Disallowed tag p</code>

+<br />

+<br />

+

+<code class="code">&#160; &#160; &lt;ul&gt;&lt;li&gt;OK&lt;/li&gt;&lt;/ul&gt;</code>

+<br />

+<br />

+&#160; An option like <span class="term">1</span>&#160;is useful, e.g., when a writer previews his submission, whereas one like <span class="term">3</span>&#160;is useful before content is finalized and made available to all.<br />

+<br />

+&#160; <strong>Note:</strong>&#160;In the example above, unlike <span class="term">&lt;&#42;&gt;</span>, <span class="term">&lt;xml&gt;</span>&#160;gets considered as a tag (even though there is no HTML element named <span class="term">xml</span>). Thus, the <span class="term">keep_bad</span>&#160;parameter's value affects <span class="term">&lt;xml&gt;</span>&#160;but not <span class="term">&lt;&#42;&gt;</span>. In general, text matching the regular expression pattern <span class="term">&lt;(/?)([a-zA-Z][a-zA-Z1-6]&#42;)([^&gt;]&#42;?)\s?&gt;</span>&#160;is considered a tag (phrase enclosed by the angled brackets <span class="term">&lt;</span>&#160;and <span class="term">&gt;</span>, and starting [with an optional slash preceding] with an alphanumeric word that starts with an alphabet...), and is subjected to the <span class="term">keep_bad</span>&#160;value.<br />

+<br />

+&#160; Nesting/content rules for each of the 118 elements in htmLawed's default set (see <a href="#s3.3">section 3.3</a>) are defined in function <span class="term">hl_bal()</span>. This means that if a non-standard element besides <span class="term">embed</span>&#160;is being permitted through <span class="term">$config["elements"]</span>, the element's tag content will end up getting removed if <span class="term">$config["balance"]</span>&#160;is set to <span class="term">1</span>.<br />

+<br />

+&#160; Plain text and/or certain elements nested inside <span class="term">blockquote</span>, <span class="term">form</span>, <span class="term">map</span>&#160;and <span class="term">noscript</span>&#160;need to be in block-level elements. This point is often missed during manual writing of HTML code. htmLawed attempts to address this during balancing. E.g., if the parent container is set as <span class="term">form</span>, the input <span class="term">B&#58;&lt;input type="text" value="b" /&gt;C&#58;&lt;input type="text" value="c" /&gt;</span>&#160;is converted to <span class="term">&lt;div&gt;B&#58;&lt;input type="text" value="b" /&gt;C&#58;&lt;input type="text" value="c" /&gt;&lt;/div&gt;</span>.<br />

+

+</div>

+<div class="sub-sub-section"><h4>

+<a name="s3.3.4" id="s3.3.4"></a><span class="item-no">3.3.4</span>&#160; Elements requiring child elements

+</h4><span class="totop"><a href="#peak">(to top)</a></span><br style="clear: both;" />

+<br />

+&#160; As per HTML specifications, elements such as those below require legal child elements nested inside them:<br />

+<br />

+

+<code class="code">&#160; &#160; blockquote, dir, dl, form, map, menu, noscript, ol, optgroup, rbc, rtc, ruby, select, table, tbody, tfoot, thead, tr, ul</code>

+<br />

+<br />

+&#160; In some cases, the specifications stipulate the number and/or the ordering of the child elements. A <span class="term">table</span>&#160;can have 0 or 1 <span class="term">caption</span>, <span class="term">tbody</span>, <span class="term">tfoot</span>, and <span class="term">thead</span>, but they must be in this order: <span class="term">caption</span>, <span class="term">thead</span>, <span class="term">tfoot</span>, <span class="term">tbody</span>.<br />

+<br />

+&#160; htmLawed currently does not check for conformance to these rules. Note that any non-compliance in this regard will not introduce security vulnerabilities, crash browser applications, or affect the rendering of web-pages.<br />

+<br />

+&#160; With <span class="term">$config["direct_list_nest"]</span>&#160;set to <span class="term">1</span>, htmLawed will allow direct nesting of <span class="term">ol</span>, <span class="term">ul</span>, or <span class="term">menu</span>&#160;list within another <span class="term">ol</span>, <span class="term">ul</span>, or <span class="term">menu</span>&#160;without requiring the child list to be within an <span class="term">li</span>&#160;of the parent list. While this may not be standard-compliant, directly nested lists are rendered properly by almost all browsers. The parameter <span class="term">$config["direct_list_nest"]</span>&#160;has no effect if tag balancing (<a href="#s3.3.3">section 3.3.3</a>) is turned off.<br />

+

+</div>

+<div class="sub-sub-section"><h4>

+<a name="s3.3.5" id="s3.3.5"></a><span class="item-no">3.3.5</span>&#160; Beautify or compact HTML

+</h4><span class="totop"><a href="#peak">(to top)</a></span><br style="clear: both;" />

+<br />

+&#160; By default, htmLawed will neither <em>beautify</em>&#160;HTML code by formatting it with indentations, etc., nor will it make it compact by removing un-needed white-space.(It does always properly white-space tag content.)<br />

+<br />

+&#160; As per the HTML standards, spaces, tabs and line-breaks in web-pages (except those inside <span class="term">pre</span>&#160;elements) are all considered equivalent, and referred to as <em>white-spaces</em>. Browser applications are supposed to consider contiguous white-spaces as just a single space, and to disregard white-spaces trailing opening tags or preceding closing tags. This white-space <em>normalization</em>&#160;allows the use of text/code beautifully formatted with indentations and line-spacings for readability. Such <em>pretty</em>&#160;HTML can, however, increase the size of web-pages, or make the extraction or scraping of plain text cumbersome.<br />

+<br />

+&#160; With the <span class="term">$config</span>&#160;parameter <span class="term">tidy</span>, htmLawed can be used to beautify or compact the input text. Input with just plain text and no HTML markup is also subject to this. Besides <span class="term">pre</span>, the <span class="term">script</span>&#160;and <span class="term">textarea</span>&#160;elements, CDATA sections, and HTML comments are not subjected to the tidying process.<br />

+<br />

+&#160; To <em>compact</em>, use <span class="term">$config["tidy"] = -1</span>; single instances or runs of white-spaces are replaced with a single space, and white-spaces trailing and leading open and closing tags, respectively, are removed.<br />

+<br />

+&#160; To <em>beautify</em>, <span class="term">$config["tidy"]</span>&#160;is set as <span class="term">1</span>, or for customized tidying, as a string like <span class="term">2s2n</span>. The <span class="term">s</span>&#160;or <span class="term">t</span>&#160;character specifies the use of spaces or tabs for indentation. The first and third characters, any of the digits 0-9, specify the number of spaces or tabs per indentation, and any parental lead spacing (extra indenting of the whole block of input text). The <span class="term">r</span>&#160;and <span class="term">n</span>&#160;characters are used to specify line-break characters: <span class="term">n</span>&#160;for <span class="term">\n</span>&#160;(Unix/Mac OS X line-breaks), <span class="term">rn</span>&#160;or <span class="term">nr</span>&#160;for <span class="term">\r\n</span>&#160;(Windows/DOS line-breaks), or <span class="term">r</span>&#160;for <span class="term">\r</span>.<br />

+<br />

+&#160; The <span class="term">$config["tidy"]</span>&#160;value of <span class="term">1</span>&#160;is equivalent to <span class="term">2s0n</span>. Other <span class="term">$config["tidy"]</span>&#160;values are read loosely: a value of <span class="term">4</span>&#160;is equivalent to <span class="term">4s0n</span>; <span class="term">t2</span>, to <span class="term">1t2n</span>; <span class="term">s</span>, to <span class="term">2s0n</span>; <span class="term">2TR</span>, to <span class="term">2t0r</span>; <span class="term">T1</span>, to <span class="term">1t1n</span>; <span class="term">nr3</span>, to <span class="term">3s0nr</span>, and so on. Except in the indentations and line-spacings, runs of white-spaces are replaced with a single space during beautification.<br />

+<br />

+&#160; Input formatting using <span class="term">$config["tidy"]</span>&#160;is not recommended when input text has mixed markup (like HTML + PHP).<br />

+

+</div>

+<div class="sub-section"><h3>

+<a name="s3.4" id="s3.4"></a><span class="item-no">3.4</span>&#160; Attributes

+</h3><span class="totop"><a href="#peak">(to top)</a></span><br style="clear: both;" />

+<br />

+&#160; In its default setting, htmLawed will only permit attributes described in the HTML specifications (including deprecated ones). A list of the attributes and the elements they are allowed in is in <a href="#s5.2">section 5.2</a>. Using the <span class="term">$spec</span>&#160;argument, htmLawed can be forced to permit custom, non-standard attributes as well as custom rules for standard attributes (<a href="#s2.3">section 2.3</a>).<br />

+<br />

+&#160; Custom <em>data-*</em>&#160;(<em>data-star</em>) attributes, where the first three characters of the value of <em>star</em>&#160;(*) after lower-casing do not equal <span class="term">xml</span>, and the value of <em>star</em>&#160;does not have a colon (:), equal-to (=), newline, solidus (/), space or tab character, or any upper-case A-Z character are allowed in all elements. ARIA, event and microdata attributes like <span class="term">aria-live</span>, <span class="term">onclick</span>&#160;and <span class="term">itemid</span>&#160;are also considered global attributes (<a href="#s5.2">section 5.2</a>).<br />

+<br />

+&#160; When <span class="term">$config["deny_attribute"]</span>&#160;is not set, or set to <span class="term">0</span>, or empty (<span class="term">""</span>), all attributes are permitted. Otherwise, <span class="term">$config["deny_attribute"]</span>&#160;can be set as a list of comma-separated names of the denied attributes. <span class="term">on&#42;</span>&#160;can be used to refer to the group of potentially dangerous, script-accepting event attributes like <span class="term">onblur</span>&#160;and <span class="term">onchange</span>&#160;that have <span class="term">on</span>&#160;at the beginning of their names. Similarly, <span class="term">aria&#42;</span>&#160;and <span class="term">data&#42;</span>&#160;can be used to respectively refer to the set of all ARIA and data-* attributes.<br />

+<br />

+&#160; With <span class="term">$config["safe"] = 1</span>&#160;(<a href="#s3.6">section 3.6</a>), the <span class="term">on&#42;</span>&#160;event attributes are automatically disallowed even if a value for <span class="term">$config["deny_attribute"]</span>&#160;has been manually provided.<br />

+<br />

+&#160; Note that attributes specified in <span class="term">$config["deny_attribute"]</span>&#160;are denied globally, for all elements. To deny attributes for only specific elements, <span class="term">$spec</span>&#160;(see <a href="#s2.3">section 2.3</a>) can be used. <span class="term">$spec</span>&#160;can also be used to element-specifically permit an attribute otherwise denied through <span class="term">$config["deny_attribute"]</span>.<br />

+<br />

+&#160; Finer restrictions on attributes can also be put into effect through <span class="term">$config["deny_attribute"]</span>&#160;(<a href="3.4.9">section</a>).<br />

+<br />

+&#160; <strong>Note</strong>: To deny all but a few attributes globally, a simpler way to specify <span class="term">$config["deny_attribute"]</span>&#160;would be to use the notation <span class="term">&#42; -attribute1 -attribute2 ...</span>. Thus, a value of <span class="term">&#42; -title -href</span>&#160;implies that except <span class="term">href</span>&#160;and <span class="term">title</span>&#160;(where allowed as per standards) all other attributes are to be removed. With this notation, the value for the parameter <span class="term">safe</span>&#160;(<a href="#s3.6">section 3.6</a>) will have no effect on <span class="term">deny_attribute</span>. Values of <span class="term">aria&#42;</span>&#160;<span class="term">data&#42;</span>, and <span class="term">on&#42;</span>&#160;cannot be used in this notation to refer to the sets of all ARIA, data-*, and on* attributes respectively.<br />

+<br />

+&#160; htmLawed (function <span class="term">hl_tag()</span>) also:<br />

+<br />

+&#160; * &#160;Lower-cases attribute names<br />

+&#160; * &#160;Removes duplicate attributes (last one stays)<br />

+&#160; * &#160;Gives attributes the form <span class="term">name="value"</span>&#160;and single-spaces them, removing unnecessary white-spacing<br />

+&#160; * &#160;Provides <em>required</em>&#160;attributes (see <a href="#s3.4.1">section 3.4.1</a>)<br />

+&#160; * &#160;Double-quotes values and escapes any <span class="term">"</span>&#160;inside them<br />

+&#160; * &#160;Replaces the possibly dangerous soft-hyphen characters (hexadecimal code-point <span class="term">ad</span>) in the values with spaces<br />

+&#160; * &#160;Allows custom function to additionally filter/modify attribute values (see <a href="#s3.4.9">section 3.4.9</a>)<br />

+

+<div class="sub-sub-section"><h4>

+<a name="s3.4.1" id="s3.4.1"></a><span class="item-no">3.4.1</span>&#160; Auto-addition of XHTML-required attributes

+</h4><span class="totop"><a href="#peak">(to top)</a></span><br style="clear: both;" />

+<br />

+&#160; If indicated attributes for the following elements are found missing, htmLawed (function <span class="term">hl_tag()</span>) will add them (with values same as attribute names unless indicated otherwise below):<br />

+<br />

+&#160; * &#160;area - alt (<span class="term">area</span>)<br />

+&#160; * &#160;area, img - src, alt (<span class="term">image</span>)<br />

+&#160; * &#160;bdo - dir (<span class="term">ltr</span>)<br />

+&#160; * &#160;form - action<br />

+&#160; * &#160;label - command<br />

+&#160; * &#160;map - name<br />

+&#160; * &#160;optgroup - label<br />

+&#160; * &#160;param - name<br />

+&#160; * &#160;style - scoped<br />

+&#160; * &#160;textarea - rows (<span class="term">10</span>), cols (<span class="term">50</span>)<br />

+<br />

+&#160; Additionally, with <span class="term">$config["xml&#58;lang"]</span>&#160;set to <span class="term">1</span>&#160;or <span class="term">2</span>, if the <span class="term">lang</span>&#160;but not the <span class="term">xml&#58;lang</span>&#160;attribute is declared, then the latter is added too, with a value copied from that of <span class="term">lang</span>. This is for better standard-compliance. With <span class="term">$config["xml&#58;lang"]</span>&#160;set to <span class="term">2</span>, the <span class="term">lang</span>&#160;attribute is removed (XHTML specification).<br />

+<br />

+&#160; Note that the <span class="term">name</span>&#160;attribute for <span class="term">map</span>, invalid in XHTML, is also transformed if required -- see <a href="#s3.4.6">section 3.4.6</a>.<br />

+

+</div>

+<div class="sub-sub-section"><h4>

+<a name="s3.4.2" id="s3.4.2"></a><span class="item-no">3.4.2</span>&#160; Duplicate/invalid <span class="term">id</span>&#160;values

+</h4><span class="totop"><a href="#peak">(to top)</a></span><br style="clear: both;" />

+<br />

+&#160; If <span class="term">$config["unique_ids"]</span>&#160;is <span class="term">1</span>, htmLawed (function <span class="term">hl_tag()</span>) removes <span class="term">id</span>&#160;attributes with values that are not standards-compliant (must not have a space character) or duplicate. If <span class="term">$config["unique_ids"]</span>&#160;is a word (without a non-word character like space), any duplicate but otherwise valid value will be appropriately prefixed with the word to ensure its uniqueness.<br />

+<br />

+&#160; Even if multiple inputs need to be filtered (through multiple calls to htmLawed), htmLawed ensures uniqueness of <span class="term">id</span>&#160;values as it uses a global variable (<span class="term">$GLOBALS["hl_Ids"]</span>&#160;array). Further, an admin can restrict the use of certain <span class="term">id</span>&#160;values by presetting this variable before htmLawed is called into use. E.g.:<br />

+<br />

+

+<code class="code">&#160; &#160; $GLOBALS[&#39;hl_Ids&#39;] = array(&#39;top&#39;=&gt;1, &#39;bottom&#39;=&gt;1, &#39;myform&#39;=&gt;1); // id values not allowed in input</code>

+<br />

+

+<code class="code">&#160; &#160; $processed = htmLawed($text); // filter input</code>

+<br />

+

+</div>

+<div class="sub-sub-section"><h4>

+<a name="s3.4.3" id="s3.4.3"></a><span class="item-no">3.4.3</span>&#160; URL schemes &amp; scripts in attribute values

+</h4><span class="totop"><a href="#peak">(to top)</a></span><br style="clear: both;" />

+<br />

+&#160; htmLawed edits attributes that take URLs as values if they are found to contain un-permitted schemes. E.g., if the <span class="term">afp</span>&#160;scheme is not permitted, then <span class="term">&lt;a href="afp&#58;//domain.org"&gt;</span>&#160;becomes <span class="term">&lt;a href="denied&#58;afp&#58;//domain.org"&gt;</span>, and if Javascript is not permitted <span class="term">&lt;a onclick="javascript&#58;xss();"&gt;</span>&#160;becomes <span class="term">&lt;a onclick="denied&#58;javascript&#58;xss();"&gt;</span>.<br />

+<br />

+&#160; By default htmLawed permits these schemes in URLs for the <span class="term">href</span>&#160;attribute:<br />

+<br />

+

+<code class="code">&#160; &#160; aim, app, feed, file, ftp, gopher, http, https, javascript, irc, mailto, news, nntp, sftp, ssh, tel, telnet</code>

+<br />

+<br />

+&#160; Also, only <span class="term">data</span>, <span class="term">file</span>, <span class="term">http</span>, <span class="term">https</span>&#160;and <span class="term">javascript</span>&#160;are permitted in these attributes that accept URLs:<br />

+<br />

+

+<code class="code">&#160; &#160; action, cite, classid, codebase, data, itemtype, longdesc, model, pluginspage, pluginurl, src, srcset, style, usemap, and event attributes like onclick</code>

+<br />

+<br />

+&#160; With <span class="term">$config["safe"] = 1</span>&#160;(<a href="#s3.6">section 3.6</a>), the above is changed to disallow <span class="term">app</span>, <span class="term">data</span>&#160;and <span class="term">javascript</span>.<br />

+<br />

+&#160; These default sets are used when <span class="term">$config["schemes"]</span>&#160;is not set (see <a href="#s2.2">section 2.2</a>). To over-ride the defaults, <span class="term">$config["schemes"]</span>&#160;is defined as a string of semi-colon-separated sub-strings of type <span class="term">attribute&#58; comma-separated schemes</span>. E.g., <span class="term">href&#58; mailto, http, https; onclick&#58; javascript; src&#58; http, https</span>. For unspecified attributes, <span class="term">data</span>, <span class="term">file</span>, <span class="term">http</span>, <span class="term">https</span>&#160;and <span class="term">javascript</span>&#160;are permitted. This can be changed by passing schemes for <span class="term">&#42;</span>&#160;in <span class="term">$config["schemes"]</span>. E.g., <span class="term">href&#58; mailto, http, https; &#42;&#58; https, https</span>.<br />

+<br />

+&#160; <span class="term">&#42;</span>&#160;(asterisk) can be put in the list of schemes to permit all protocols. E.g., <span class="term">style&#58; &#42;; img&#58; http, https</span>&#160;results in protocols not being checked in <span class="term">style</span>&#160;attribute values. However, in such cases, any relative-to-absolute URL conversion, or vice versa, (<a href="#s3.4.4">section 3.4.4</a>) is not done. When an attribute is explicitly listed in <span class="term">$config["schemes"]</span>, then filtering is dictated by the setting for the attribute, with no effect of the setting for asterisk. That is, the set of attributes that asterisk refers to no longer includes the listed attribute.<br />

+<br />

+&#160; Thus, <em>to allow the xmpp scheme</em>, one can set <span class="term">$config["schemes"]</span>&#160;as <span class="term">href&#58; mailto, http, https; &#42;&#58; http, https, xmpp</span>, or <span class="term">href&#58; mailto, http, https, xmpp; &#42;&#58; http, https, xmpp</span>, or <span class="term">&#42;&#58; &#42;</span>, and so on. The consequence of each of these example values will be different (e.g., only the last two but not the first will allow <span class="term">xmpp</span>&#160;in <span class="term">href</span>)<br />

+<br />

+&#160; As a side-note, one may find <span class="term">style&#58; &#42;</span>&#160;useful as URLs in <span class="term">style</span>&#160;attributes can be specified in a variety of ways, and the patterns that htmLawed uses to identify URLs may mistakenly identify non-URL text.<br />

+<br />

+&#160; <span class="term">!</span>&#160;can be put in the list of schemes to disallow all protocols as well as <em>local</em>&#160;URLs. Thus, with <span class="term">href&#58; http, style&#58; !</span>, <span class="term">&lt;a href="http&#58;//cnn.com" style="background-image&#58; url(local.jpg);"&gt;CNN&lt;/a&gt;</span>&#160;will become <span class="term">&lt;a href="http&#58;//cnn.com" style="background-image&#58; url(denied&#58;local.jpg);"&gt;CNN&lt;/a&gt;</span><br />

+<br />

+&#160; <strong>Note</strong>: If URL-accepting attributes other than those listed above are being allowed, then the scheme will not be checked unless the attribute name contains the string <span class="term">src</span>&#160;(e.g., <span class="term">dynsrc</span>) or starts with <span class="term">o</span>&#160;(e.g., <span class="term">onbeforecopy</span>).<br />

+<br />

+&#160; With <span class="term">$config["safe"] = 1</span>, all URLs are disallowed in the <span class="term">style</span>&#160;attribute values.<br />

+

+</div>

+<div class="sub-sub-section"><h4>

+<a name="s3.4.4" id="s3.4.4"></a><span class="item-no">3.4.4</span>&#160; Absolute &amp; relative URLs in attribute values

+</h4><span class="totop"><a href="#peak">(to top)</a></span><br style="clear: both;" />

+<br />

+&#160; htmLawed can make absolute URLs in attributes like <span class="term">href</span>&#160;relative (<span class="term">$config["abs_url"]</span>&#160;is <span class="term">-1</span>), and vice versa (<span class="term">$config["abs_url"]</span>&#160;is <span class="term">1</span>). URLs in scripts are not considered for this, and so are URLs like <span class="term">#section_6</span>&#160;(fragment), <span class="term">?name=Tim#show</span>&#160;(starting with query string), and <span class="term">;var=1?name=Tim#show</span>&#160;(starting with parameters). Further, this requires that <span class="term">$config["base_url"]</span>&#160;be set properly, with the <span class="term">&#58;//</span>&#160;and a trailing slash (<span class="term">/</span>), with no query string, etc. E.g., <span class="term">file&#58;///D&#58;/page/</span>, <span class="term">https&#58;//abc.com/x/y/</span>, or <span class="term">http&#58;//localhost/demo/</span>&#160;are okay, but <span class="term">file&#58;///D&#58;/page/?help=1</span>, <span class="term">abc.com/x/y/</span>&#160;and <span class="term">http&#58;//localhost/demo/index.htm</span>&#160;are not.<br />

+<br />

+&#160; For making absolute URLs relative, only those URLs that have the <span class="term">$config["base_url"]</span>&#160;string at the beginning are converted. E.g., with <span class="term">$config["base_url"] = "https&#58;//abc.com/x/y/"</span>, <span class="term">https&#58;//abc.com/x/y/a.gif</span>&#160;and <span class="term">https&#58;//abc.com/x/y/z/b.gif</span>&#160;become <span class="term">a.gif</span>&#160;and <span class="term">z/b.gif</span>&#160;respectively, while <span class="term">https&#58;//abc.com/x/c.gif</span>&#160;is not changed.<br />

+<br />

+&#160; When making relative URLs absolute, only values for scheme, network location (host-name) and path values in the base URL are inherited. See <a href="#s5.5">section 5.5</a>&#160;for more about the URL specification as per RFC <a href="http://www.ietf.org/rfc/rfc1808.txt">1808</a>.<br />

+

+</div>

+<div class="sub-sub-section"><h4>

+<a name="s3.4.5" id="s3.4.5"></a><span class="item-no">3.4.5</span>&#160; Lower-cased, standard attribute values

+</h4><span class="totop"><a href="#peak">(to top)</a></span><br style="clear: both;" />

+<br />

+&#160; Optionally, for standard-compliance, htmLawed (function <span class="term">hl_tag()</span>) lower-cases standard attribute values to give, e.g., <span class="term">input type="password"</span>&#160;instead of <span class="term">input type="Password"</span>, if <span class="term">$config["lc_std_val"]</span>&#160;is <span class="term">1</span>. Attribute values matching those listed below for any of the elements listed further below (plus those for the <span class="term">type</span>&#160;attribute of <span class="term">button</span>&#160;or <span class="term">input</span>) are lower-cased:<br />

+<br />

+

+<code class="code">&#160; &#160; all, auto, baseline, bottom, button, captions, center, chapters, char, checkbox, circle, col, colgroup, color, cols, data, date, datetime, datetime-local, default, descriptions, email, file, get, groups, hidden, image, justify, left, ltr, metadata, middle, month, none, number, object, password, poly, post, preserve, radio, range, rect, ref, reset, right, row, rowgroup, rows, rtl, search, submit, subtitles, tel, text, time, top, url, week</code>

+<br />

+<br />

+

+<code class="code">&#160; &#160; a, area, bdo, button, col, fieldset, form, img, input, object, ol, optgroup, option, param, script, select, table, td, textarea, tfoot, th, thead, tr, track, xml&#58;space</code>

+<br />

+<br />

+&#160; The following <em>empty</em>&#160;(<em>minimized</em>) attributes are always assigned lower-cased values (same as the attribute names):<br />

+<br />

+

+<code class="code">&#160; &#160; checkbox, checked, command, compact, declare, defer, default, disabled, hidden, inert, ismap, itemscope, multiple, nohref, noresize, noshade, nowrap, open, radio, readonly, required, reversed, selected</code>

+<br />

+

+</div>

+<div class="sub-sub-section"><h4>

+<a name="s3.4.6" id="s3.4.6"></a><span class="item-no">3.4.6</span>&#160; Transformation of deprecated attributes

+</h4><span class="totop"><a href="#peak">(to top)</a></span><br style="clear: both;" />

+<br />

+&#160; If <span class="term">$config["no_deprecated_attr"]</span>&#160;is <span class="term">0</span>, then deprecated attributes are removed and, in most cases, their values are transformed to CSS style properties and added to the <span class="term">style</span>&#160;attributes (function <span class="term">hl_tag()</span>). Except for <span class="term">bordercolor</span>&#160;for <span class="term">table</span>, <span class="term">tr</span>&#160;and <span class="term">td</span>, the scores of proprietary attributes that were never part of any cross-browser standard are not supported in this functionality.<br />

+<br />

+&#160; * &#160;align in caption, div, h, h2, h3, h4, h5, h6, hr, img, input, legend, object, p, table - for <span class="term">img</span>&#160;with value of <span class="term">left</span>&#160;or <span class="term">right</span>, becomes, e.g., <span class="term">float&#58; left</span>; for <span class="term">div</span>&#160;and <span class="term">table</span>&#160;with value <span class="term">center</span>, becomes <span class="term">margin&#58; auto</span>; all others become, e.g., <span class="term">text-align&#58; right</span><br />

+&#160; * &#160;bgcolor in table, td, th and tr - E.g., <span class="term">bgcolor="#ffffff"</span>&#160;becomes <span class="term">background-color&#58; #ffffff</span><br />

+&#160; * &#160;border in object - E.g., <span class="term">height="10"</span>&#160;becomes <span class="term">height&#58; 10px</span><br />

+&#160; * &#160;bordercolor in table, td and tr - E.g., <span class="term">bordercolor=#999999</span>&#160;becomes <span class="term">border-color&#58; #999999;</span><br />

+&#160; * &#160;compact in dl, ol and ul - <span class="term">font-size&#58; 85%</span><br />

+&#160; * &#160;cellspacing in table - <span class="term">cellspacing="10"</span>&#160;becomes <span class="term">border-spacing&#58; 10px</span><br />

+&#160; * &#160;clear in br - E.g., 'clear="all" becomes <span class="term">clear&#58; both</span><br />

+&#160; * &#160;height in td and th - E.g., <span class="term">height= "10"</span>&#160;becomes <span class="term">height&#58; 10px</span>&#160;and <span class="term">height="&#42;"</span>&#160;becomes <span class="term">height&#58; auto</span><br />

+&#160; * &#160;hspace in img and object - E.g., <span class="term">hspace="10"</span>&#160;becomes <span class="term">margin-left&#58; 10px; margin-right&#58; 10px</span><br />

+&#160; * &#160;language in script - <span class="term">language="VBScript"</span>&#160;becomes <span class="term">type="text/vbscript"</span><br />

+&#160; * &#160;name in a, form, iframe, img and map - E.g., <span class="term">name="xx"</span>&#160;becomes <span class="term">id="xx"</span><br />

+&#160; * &#160;noshade in hr - <span class="term">border-style&#58; none; border&#58; 0; background-color&#58; gray; color&#58; gray</span><br />

+&#160; * &#160;nowrap in td and th - <span class="term">white-space&#58; nowrap</span><br />

+&#160; * &#160;size in hr - E.g., <span class="term">size="10"</span>&#160;becomes <span class="term">height&#58; 10px</span><br />

+&#160; * &#160;vspace in img and object - E.g., <span class="term">vspace="10"</span>&#160;becomes <span class="term">margin-top&#58; 10px; margin-bottom&#58; 10px</span><br />

+&#160; * &#160;width in hr, pre, table, td and th - like <span class="term">height</span><br />

+<br />

+&#160; Example input:<br />

+<br />

+

+<code class="code">&#160; &#160; &lt;img src="j.gif" alt="image" name="dad&#39;s" /&gt;&lt;img src="k.gif" alt="image" id="dad_off" name="dad" /&gt;</code>

+<br />

+

+<code class="code">&#160; &#160; &lt;br clear="left" /&gt;</code>

+<br />

+

+<code class="code">&#160; &#160; &lt;hr noshade size="1" /&gt;</code>

+<br />

+

+<code class="code">&#160; &#160; &lt;img name="img" src="i.gif" align="left" alt="image" hspace="10" vspace="10" width="10em" height="20" border="1" style="padding&#58;5px;" /&gt;</code>

+<br />

+

+<code class="code">&#160; &#160; &lt;table width="50em" align="center" bgcolor="red"&gt;</code>

+<br />

+

+<code class="code">&#160; &#160; &#160;&lt;tr&gt;</code>

+<br />

+

+<code class="code">&#160; &#160; &#160; &lt;td width="20%"&gt;</code>

+<br />

+

+<code class="code">&#160; &#160; &#160; &#160;&lt;div align="center"&gt;</code>

+<br />

+

+<code class="code">&#160; &#160; &#160; &#160; &lt;h3 align="right"&gt;Section&lt;/h3&gt;</code>

+<br />

+

+<code class="code">&#160; &#160; &#160; &#160; &lt;p align="right"&gt;Para&lt;/p&gt;</code>

+<br />

+

+<code class="code">&#160; &#160; &#160; &#160;&lt;/div&gt;</code>

+<br />

+

+<code class="code">&#160; &#160; &#160; &lt;/td&gt;</code>

+<br />

+

+<code class="code">&#160; &#160; &#160; &lt;td width="&#42;"&gt;</code>

+<br />

+

+<code class="code">&#160; &#160; &#160; &lt;/td&gt;</code>

+<br />

+

+<code class="code">&#160; &#160; &#160;&lt;/tr&gt;</code>

+<br />

+

+<code class="code">&#160; &#160; &lt;/table&gt;</code>

+<br />

+

+<code class="code">&#160; &#160; &lt;br clear="all" /&gt;</code>

+<br />

+<br />

+&#160; And the output with <span class="term">$config["no_deprecated_attr"] = 1</span>:<br />

+<br />

+

+<code class="code">&#160; &#160; &lt;img src="j.gif" alt="image" id="dad&#39;s" /&gt;&lt;img src="k.gif" alt="image" id="dad_off" /&gt;</code>

+<br />

+

+<code class="code">&#160; &#160; &lt;br style="clear&#58; left;" /&gt;</code>

+<br />

+

+<code class="code">&#160; &#160; &lt;hr style="border-style&#58; none; border&#58; 0; background-color&#58; gray; color&#58; gray; size&#58; 1px;" /&gt;</code>

+<br />

+

+<code class="code">&#160; &#160; &lt;img src="i.gif" alt="image" width="10em" height="20" style="padding&#58;5px; float&#58; left; margin-left&#58; 10px; margin-right&#58; 10px; margin-top&#58; 10px; margin-bottom&#58; 10px; border&#58; 1px;" id="img" /&gt;</code>

+<br />

+

+<code class="code">&#160; &#160; &lt;table width="50em" style="margin&#58; auto; background-color&#58; red;"&gt;</code>

+<br />

+

+<code class="code">&#160; &#160; &#160;&lt;tr&gt;</code>

+<br />

+

+<code class="code">&#160; &#160; &#160; &lt;td style="width&#58; 20%;"&gt;</code>

+<br />

+

+<code class="code">&#160; &#160; &#160; &#160;&lt;div style="margin&#58; auto;"&gt;</code>

+<br />

+

+<code class="code">&#160; &#160; &#160; &#160; &lt;h3 style="text-align&#58; right;"&gt;Section&lt;/h3&gt;</code>

+<br />

+

+<code class="code">&#160; &#160; &#160; &#160; &lt;p style="text-align&#58; right;"&gt;Para&lt;/p&gt;</code>

+<br />

+

+<code class="code">&#160; &#160; &#160; &#160;&lt;/div&gt;</code>

+<br />

+

+<code class="code">&#160; &#160; &#160; &lt;/td&gt;</code>

+<br />

+

+<code class="code">&#160; &#160; &#160; &lt;td style="width&#58; auto;"&gt;</code>

+<br />

+

+<code class="code">&#160; &#160; &#160; &lt;/td&gt;</code>

+<br />

+

+<code class="code">&#160; &#160; &#160;&lt;/tr&gt;</code>

+<br />

+

+<code class="code">&#160; &#160; &lt;/table&gt;</code>

+<br />

+

+<code class="code">&#160; &#160; &lt;br style="clear&#58; both;" /&gt;</code>

+<br />

+<br />

+&#160; For <span class="term">lang</span>, deprecated in XHTML 1.1, transformation is taken care of through <span class="term">$config["xml&#58;lang"]</span>; see <a href="#s3.4.1">section 3.4.1</a>.<br />

+<br />

+&#160; The attribute <span class="term">name</span>&#160;is deprecated in <span class="term">form</span>, <span class="term">iframe</span>, and <span class="term">img</span>, and is replaced with <span class="term">id</span>&#160;if an <span class="term">id</span>&#160;attribute doesn't exist and if the <span class="term">name</span>&#160;value is appropriate for <span class="term">id</span>&#160;(i.e., doesn't have a non-word character like space). For such replacements for <span class="term">a</span>&#160;and <span class="term">map</span>, for which the <span class="term">name</span>&#160;attribute is deprecated in XHTML 1.1, <span class="term">$config["no_deprecated_attr"]</span>&#160;should be set to <span class="term">2</span>&#160;(when set to <span class="term">1</span>, for these two elements, the <span class="term">name</span>&#160;attribute is retained).<br />

+

+</div>

+<div class="sub-sub-section"><h4>

+<a name="s3.4.7" id="s3.4.7"></a><span class="item-no">3.4.7</span>&#160; Anti-spam &amp; <span class="term">href</span>

+</h4><span class="totop"><a href="#peak">(to top)</a></span><br style="clear: both;" />

+<br />

+&#160; htmLawed (function <span class="term">hl_tag()</span>) can check the <span class="term">href</span>&#160;attribute values (link addresses) as an anti-spam (email or link spam) measure.<br />

+<br />

+&#160; If <span class="term">$config["anti_mail_spam"]</span>&#160;is not <span class="term">0</span>, the <span class="term">@</span>&#160;of email addresses in <span class="term">href</span>&#160;values like <span class="term">mailto&#58;a@b.com</span>&#160;is replaced with text specified by <span class="term">$config["anti_mail_spam"]</span>. The text should be of a form that makes it clear to others that the address needs to be edited before a mail is sent; e.g., <span class="term">&lt;remove_this_antispam&gt;@</span>&#160;(makes the example address <span class="term">a&lt;remove_this_antispam&gt;@b.com</span>).<br />

+<br />

+&#160; For regular links, one can choose to have a <span class="term">rel</span>&#160;attribute with <span class="term">nofollow</span>&#160;in its value (which tells some search engines to not follow a link). This can discourage link spammers. Additionally, or as an alternative, one can choose to empty the <span class="term">href</span>&#160;value altogether (disable the link).<br />

+<br />

+&#160; For use of these options, <span class="term">$config["anti_link_spam"]</span>&#160;should be set as an array with values <span class="term">regex1</span>&#160;and <span class="term">regex2</span>, both or one of which can be empty (like <span class="term">array("", "regex2")</span>) to indicate that that option is not to be used. Otherwise, <span class="term">regex1</span>&#160;or <span class="term">regex2</span>&#160;should be PHP- and PCRE-compatible regular expression patterns: <span class="term">href</span>&#160;values will be matched against them and those matching the pattern will accordingly be treated.<br />

+<br />

+&#160; Note that the regular expressions should have <em>delimiters</em>, and be well-formed and preferably fast. Absolute efficiency/accuracy is often not needed.<br />

+<br />

+&#160; An example, to have a <span class="term">rel</span>&#160;attribute with <span class="term">nofollow</span>&#160;for all links, and to disable links that do not point to domains <span class="term">abc.com</span>&#160;and <span class="term">xyz.org</span>:<br />

+<br />

+

+<code class="code">&#160; &#160; $config["anti_link_spam"] = array(&#39;&#96;.&#96;&#39;, &#39;&#96;&#58;//\W&#42;(?!(abc\.com|xyz\.org))&#96;&#39;);</code>

+<br />

+

+</div>

+<div class="sub-sub-section"><h4>

+<a name="s3.4.8" id="s3.4.8"></a><span class="item-no">3.4.8</span>&#160; Inline style properties

+</h4><span class="totop"><a href="#peak">(to top)</a></span><br style="clear: both;" />

+<br />

+&#160; htmLawed can check URL schemes and dynamic expressions (to guard against Javascript, etc., script-based insecurities) in inline CSS style property values in the <span class="term">style</span>&#160;attributes. (CSS properties like <span class="term">background-image</span>&#160;that accept URLs in their values are noted in <a href="#s5.3">section 5.3</a>.) Dynamic CSS expressions that allow scripting in the IE browser, and can be a vulnerability, can be removed from property values by setting <span class="term">$config["css_expression"]</span>&#160;to <span class="term">1</span>&#160;(default setting). Note that when <span class="term">$config["css_expression"]</span>&#160;is set to <span class="term">1</span>, htmLawed will remove <span class="term">/&#42;</span>&#160;from the <span class="term">style</span>&#160;values.<br />

+<br />

+&#160; <strong>Note</strong>: Because of the various ways of representing characters in attribute values (URL-escapement, entitification, etc.), htmLawed might alter the values of the <span class="term">style</span>&#160;attribute values, and may even falsely identify dynamic CSS expressions and URL schemes in them. If this is an important issue, checking of URLs and dynamic expressions can be turned off (<span class="term">$config["schemes"] = "...style&#58;&#42;..."</span>, see <a href="#s3.4.3">section 3.4.3</a>, and <span class="term">$config["css_expression"] = 0</span>). Alternately, admins can use their own custom function for finer handling of <span class="term">style</span>&#160;values through the <span class="term">hook_tag</span>&#160;parameter (see <a href="#s3.4.9">section 3.4.9</a>).<br />

+<br />

+&#160; It is also possible to have htmLawed let through any <span class="term">style</span>&#160;value by setting <span class="term">$config["style_pass"]</span>&#160;to <span class="term">1</span>.<br />

+<br />

+&#160; As such, it is better to set up a CSS file with class declarations, disallow the <span class="term">style</span>&#160;attribute, set a <span class="term">$spec</span>&#160;rule (see <a href="#s2.3">section 2.3</a>) for <span class="term">class</span>&#160;for the <span class="term">oneof</span>&#160;or <span class="term">match</span>&#160;parameter, and ask writers to make use of the <span class="term">class</span>&#160;attribute.<br />

+

+</div>

+<div class="sub-sub-section"><h4>

+<a name="s3.4.9" id="s3.4.9"></a><span class="item-no">3.4.9</span>&#160; Hook function for tag content

+</h4><span class="totop"><a href="#peak">(to top)</a></span><br style="clear: both;" />

+<br />

+&#160; It is possible to utilize a custom hook function to alter the tag content htmLawed has finalized (i.e., after it has checked/corrected for required attributes, transformed attributes, lower-cased attribute names, etc.).<br />

+<br />

+&#160; When <span class="term">$config</span>&#160;parameter <span class="term">hook_tag</span>&#160;is set to the name of a function, htmLawed (function <span class="term">hl_tag()</span>) will pass on the element name, and the <em>finalized</em>&#160;attribute name-value pairs as array elements to the function. The function, after completing a task such as filtering or tag transformation, will typically return an empty string, the full opening tag string like <span class="term">&lt;element_name attribute_1_name="attribute_1_value"...&gt;</span>&#160;(for empty elements like <span class="term">img</span>&#160;and <span class="term">input</span>, the element-closing slash <span class="term">/</span>&#160;should also be included), etc.<br />

+<br />

+&#160; Any <span class="term">hook_tag</span>&#160;function, since htmLawed version 1.1.11, also receives names of elements in closing tags, such as <span class="term">a</span>&#160;in the closing <span class="term">&lt;/a&gt;</span>&#160;tag of the element <span class="term">&lt;a href="http&#58;//cnn.com"&gt;CNN&lt;/a&gt;</span>. No other value is passed to the function since a closing tag contains only element names. Typically, the function will return an empty string or a full closing tag (like <span class="term">&lt;/a&gt;</span>).<br />

+<br />

+&#160; This is a <strong>powerful functionality</strong>&#160;that can be exploited for various objectives: consolidate-and-convert inline <span class="term">style</span>&#160;attributes to <span class="term">class</span>, convert <span class="term">embed</span>&#160;elements to <span class="term">object</span>, permit only one <span class="term">caption</span>&#160;element in a <span class="term">table</span>&#160;element, disallow embedding of certain types of media, <strong>inject HTML</strong>, use <a href="http://csstidy.sourceforge.net">CSSTidy</a>&#160;to sanitize <span class="term">style</span>&#160;attribute values, etc.<br />

+<br />

+&#160; As an example, the custom hook code below can be used to force a series of specifically ordered <span class="term">id</span>&#160;attributes on all elements, and a specific <span class="term">param</span>&#160;element inside all <span class="term">object</span>&#160;elements:<br />

+<br />

+

+<code class="code">&#160; &#160; function my_tag_function($element, $attribute_array=0){</code>

+<br />

+<br />

+

+<code class="code">&#160; &#160; &#160; // If second argument is not received, it means a closing tag is being handled</code>

+<br />

+

+<code class="code">&#160; &#160; &#160; if(is_numeric($attribute_array)){</code>

+<br />

+

+<code class="code">&#160; &#160; &#160; &#160; return "&lt;/$element&gt;";</code>

+<br />

+

+<code class="code">&#160; &#160; &#160; }</code>

+<br />

+<br />

+

+<code class="code">&#160; &#160; &#160; static $id = 0;</code>

+<br />

+

+<code class="code">&#160; &#160; &#160; // Remove any duplicate element</code>

+<br />

+

+<code class="code">&#160; &#160; &#160; if($element == &#39;param&#39; &amp;&amp; isset($attribute_array[&#39;allowscriptaccess&#39;])){</code>

+<br />

+

+<code class="code">&#160; &#160; &#160; &#160; return &#39;&#39;;</code>

+<br />

+

+<code class="code">&#160; &#160; &#160; }</code>

+<br />

+<br />

+

+<code class="code">&#160; &#160; &#160; $new_element = &#39;&#39;;</code>

+<br />

+<br />

+

+<code class="code">&#160; &#160; &#160; // Force a serialized ID number</code>

+<br />

+

+<code class="code">&#160; &#160; &#160; $attribute_array[&#39;id&#39;] = &#39;my_&#39;. $id;</code>

+<br />

+

+<code class="code">&#160; &#160; &#160; ++$id;</code>

+<br />

+<br />

+

+<code class="code">&#160; &#160; &#160; // Inject param for allowscriptaccess</code>

+<br />

+

+<code class="code">&#160; &#160; &#160; if($element == &#39;object&#39;){</code>

+<br />

+

+<code class="code">&#160; &#160; &#160; &#160; $new_element = &#39;&lt;param id="my_&#39;. $id. &#39;"; allowscriptaccess="never" /&gt;&#39;;</code>

+<br />

+

+<code class="code">&#160; &#160; &#160; &#160; ++$id;</code>

+<br />

+

+<code class="code">&#160; &#160; &#160; }</code>

+<br />

+<br />

+

+<code class="code">&#160; &#160; &#160; $string = &#39;&#39;;</code>

+<br />

+

+<code class="code">&#160; &#160; &#160; foreach($attribute_array as $k=&gt;$v){</code>

+<br />

+

+<code class="code">&#160; &#160; &#160; &#160; $string .= " {$k}=\"{$v}\"";</code>

+<br />

+

+<code class="code">&#160; &#160; &#160; }</code>

+<br />

+<br />

+

+<code class="code">&#160; &#160; &#160; static $empty_elements = array(&#39;area&#39;=&gt;1, &#39;br&#39;=&gt;1, &#39;col&#39;=&gt;1, &#39;command&#39;=&gt;1, &#39;embed&#39;=&gt;1, &#39;hr&#39;=&gt;1, &#39;img&#39;=&gt;1, &#39;input&#39;=&gt;1, &#39;isindex&#39;=&gt;1, &#39;keygen&#39;=&gt;1, &#39;link&#39;=&gt;1, &#39;meta&#39;=&gt;1, &#39;param&#39;=&gt;1, &#39;source&#39;=&gt;1, &#39;track&#39;=&gt;1, &#39;wbr&#39;=&gt;1);</code>

+<br />

+<br />

+

+<code class="code">&#160; &#160; &#160; return "&lt;{$element}{$string}". (array_key_exists($element, $empty_elements) ? &#39; /&#39; &#58; &#39;&#39;). &#39;&gt;&#39;. $new_element;</code>

+<br />

+

+<code class="code">&#160; &#160; }</code>

+<br />

+<br />

+&#160; The <span class="term">hook_tag</span>&#160;parameter is different from the <span class="term">hook</span>&#160;parameter (<a href="#s3.7">section 3.7</a>).<br />

+<br />

+&#160; Snippets of hook function code developed by others may be available on the <a href="http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed">htmLawed</a>&#160;website.<br />

+

+</div>

+<div class="sub-section"><h3>

+<a name="s3.5" id="s3.5"></a><span class="item-no">3.5</span>&#160; Simple configuration directive for most valid XHTML

+</h3><span class="totop"><a href="#peak">(to top)</a></span><br style="clear: both;" />

+<br />

+&#160; If <span class="term">$config["valid_xhtml"]</span>&#160;is set to <span class="term">1</span>, some relevant <span class="term">$config</span>&#160;parameters (indicated by <span class="term">~</span>&#160;in <a href="#s2.2">section 2.2</a>) are auto-adjusted. This allows one to pass the <span class="term">$config</span>&#160;argument with a simpler value. If a value for a parameter auto-set through <span class="term">valid_xhtml</span>&#160;is still manually provided, then that value will over-ride the auto-set value.<br />

+

+</div>

+<div class="sub-section"><h3>

+<a name="s3.6" id="s3.6"></a><span class="item-no">3.6</span>&#160; Simple configuration directive for most <em>safe</em>&#160;HTML

+</h3><span class="totop"><a href="#peak">(to top)</a></span><br style="clear: both;" />

+<br />

+&#160; <em>Safe</em>&#160;HTML refers to HTML that is restricted to reduce the vulnerability for scripting attacks (such as XSS) based on HTML code which otherwise may still be legal and compliant with the HTML standard specifications. When elements such as <span class="term">script</span>&#160;and <span class="term">object</span>, and attributes such as <span class="term">onmouseover</span>&#160;and <span class="term">style</span>&#160;are allowed in the input text, an input writer can introduce malevolent HTML code. Note that what is considered <span class="term">safe</span>&#160;depends on the nature of the web application and the trust-level accorded to its users.<br />

+<br />

+&#160; htmLawed allows an admin to use <span class="term">$config["safe"]</span>&#160;to auto-adjust multiple <span class="term">$config</span>&#160;parameters (such as <span class="term">elements</span>&#160;which declares the allowed element-set), which otherwise would have to be manually set. The relevant parameters are indicated by <span class="term">"</span>&#160;in <a href="#s2.2">section 2.2</a>). Thus, one can pass the <span class="term">$config</span>&#160;argument with a simpler value. Having the <span class="term">safe</span>&#160;parameter set to <span class="term">1</span>&#160;is equivalent to setting the following <span class="term">$config</span>&#160;parameters to the noted values :<br />

+<br />

+

+<code class="code">&#160; &#160; cdata - 0</code>

+<br />

+

+<code class="code">&#160; &#160; comment - 0</code>

+<br />

+

+<code class="code">&#160; &#160; deny_attribute - on&#42;</code>

+<br />

+

+<code class="code">&#160; &#160; elements - &#42; -applet -audio -canvas -embed -iframe -object -script -video</code>

+<br />

+

+<code class="code">&#160; &#160; schemes - href&#58; aim, feed, file, ftp, gopher, http, https, irc, mailto, news, nntp, sftp, ssh, tel, telnet; style&#58; !; &#42;&#58;file, http, https</code>

+<br />

+<br />

+&#160; With <span class="term">safe</span>&#160;set to <span class="term">1</span>, htmLawed considers <span class="term">CDATA</span>&#160;sections and HTML comments as plain text, and prohibits the <span class="term">applet</span>, <span class="term">audio</span>, <span class="term">canvas</span>, <span class="term">embed</span>, <span class="term">iframe</span>, <span class="term">object</span>, <span class="term">script</span>&#160;and <span class="term">video</span>&#160;elements, and the <span class="term">on&#42;</span>&#160;attributes like <span class="term">onclick</span>. ( There are <span class="term">$config</span>&#160;parameters like <span class="term">css_expression</span>&#160;that are not affected by the value set for <span class="term">safe</span>&#160;but whose default values still contribute towards a more <em>safe</em>&#160;output.) Further, unless overridden by the value for parameter <span class="term">schemes</span>&#160;(see <a href="#s3.4.3">section 3.4.3</a>), the schemes <span class="term">app</span>, <span class="term">data</span>&#160;and <span class="term">javascript</span>&#160;are not permitted, and URLs with schemes are neutralized so that, e.g., <span class="term">style="moz-binding&#58;url(http&#58;//danger)"</span>&#160;becomes <span class="term">style="moz-binding&#58;url(denied&#58;http&#58;//danger)"</span>.<br />

+<br />

+&#160; Admins, however, may still want to completely deny the <span class="term">style</span>&#160;attribute, e.g., with code like<br />

+<br />

+

+<code class="code">&#160; &#160; $processed = htmLawed($text, array(&#39;safe&#39;=&gt;1, &#39;deny_attribute&#39;=&gt;&#39;style&#39;));</code>

+<br />

+<br />

+&#160; Permitting the <span class="term">style</span>&#160;attribute brings in risks of <em>click-jacking</em>, etc. CSS property values can render a page non-functional or be used to deface it. Except for URLs, dynamic expressions, and some other things, htmLawed does not completely check <span class="term">style</span>&#160;values. It does provide ways for the code-developer implementing htmLawed to do such checks through the <span class="term">$spec</span>&#160;argument, and through the <span class="term">hook_tag</span>&#160;parameter (see <a href="#s3.4.8">section 3.4.8</a>&#160;for more). Disallowing style completely and relying on CSS classes and stylesheet files is recommended.<br />

+<br />

+&#160; If a value for a parameter auto-set through <span class="term">safe</span>&#160;is still manually provided, then that value can over-ride the auto-set value. E.g., with <span class="term">$config["safe"] = 1</span>&#160;and <span class="term">$config["elements"] = "&#42; +script"</span>, <span class="term">script</span>, but not <span class="term">applet</span>, is allowed. Such over-ride does not occur for <span class="term">deny_attribute</span>&#160;(for legacy reason) when comma-separated attribute names are provided as the value for this parameter (<a href="#s3.4">section 3.4</a>); instead htmLawed will add <span class="term">on&#42;</span>&#160;to the value provided for <span class="term">deny_attribute</span>.<br />

+<br />

+&#160; A page illustrating the efficacy of htmLawed's anti-XSS abilities with <span class="term">safe</span>&#160;set to <span class="term">1</span>&#160;against XSS vectors listed by <a href="http://ha.ckers.org/xss.html">RSnake</a>&#160;may be available <a href="http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed/rsnake/RSnakeXSSTest.htm">here</a>.<br />

+

+</div>

+<div class="sub-section"><h3>

+<a name="s3.7" id="s3.7"></a><span class="item-no">3.7</span>&#160; Using a hook function

+</h3><span class="totop"><a href="#peak">(to top)</a></span><br style="clear: both;" />

+<br />

+&#160; If <span class="term">$config["hook"]</span>&#160;is not set to <span class="term">0</span>, then htmLawed will allow preliminarily processed input to be altered by a hook function named by <span class="term">$config["hook"]</span>&#160;before starting the main work (but after handling of characters, entities, HTML comments and <span class="term">CDATA</span>&#160;sections -- see code for function <span class="term">htmLawed()</span>).<br />

+<br />

+&#160; The hook function also allows one to alter the <em>finalized</em>&#160;values of <span class="term">$config</span>&#160;and <span class="term">$spec</span>.<br />

+<br />

+&#160; Note that the <span class="term">hook</span>&#160;parameter is different from the <span class="term">hook_tag</span>&#160;parameter (<a href="#s3.4.9">section 3.4.9</a>).<br />

+<br />

+&#160; Snippets of hook function code developed by others may be available on the <a href="http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed">htmLawed</a>&#160;website.<br />

+

+</div>

+<div class="sub-section"><h3>

+<a name="s3.8" id="s3.8"></a><span class="item-no">3.8</span>&#160; Obtaining <em>finalized</em>&#160;parameter values

+</h3><span class="totop"><a href="#peak">(to top)</a></span><br style="clear: both;" />

+<br />

+&#160; htmLawed can assign the <em>finalized</em>&#160;<span class="term">$config</span>&#160;and <span class="term">$spec</span>&#160;values to a variable named by <span class="term">$config["show_setting"]</span>. The variable, made global by htmLawed, is set as an array with three keys: <span class="term">config</span>, with the <span class="term">$config</span>&#160;value, <span class="term">spec</span>, with the <span class="term">$spec</span>&#160;value, and <span class="term">time</span>, with a value that is the Unix time (the output of PHP's <span class="term">microtime()</span>&#160;function) when the value was assigned. Admins should use a PHP-compliant variable name (e.g., one that does not begin with a numerical digit) that does not conflict with variable names in their non-htmLawed code.<br />

+<br />

+&#160; The values, which are also post-hook function (if any), can be used to auto-generate information (on, e.g., the elements that are permitted) for input writers.<br />

+

+</div>

+<div class="sub-section"><h3>

+<a name="s3.9" id="s3.9"></a><span class="item-no">3.9</span>&#160; Retaining non-HTML tags in input with mixed markup

+</h3><span class="totop"><a href="#peak">(to top)</a></span><br style="clear: both;" />

+<br />

+&#160; htmLawed does not remove certain characters that, though invalid, are nevertheless <em>discouraged</em>&#160;in HTML documents as per the specifications (see <a href="#s5.1">section 5.1</a>). This can be utilized to deal with input that contains mixed markup. Input that may have HTML markup as well as some other markup that is based on the <span class="term">&lt;</span>, <span class="term">&gt;</span>&#160;and <span class="term">&amp;</span>&#160;characters is considered to have mixed markup. The non-HTML markup can be rather proprietary (like markup for emoticons/smileys), or standard (like MathML or SVG). Or it can be programming code meant for execution/evaluation (such as embedded PHP code).<br />

+<br />

+&#160; To deal with such mixed markup, the input text can be pre-processed to hide the non-HTML markup by specifically replacing the <span class="term">&lt;</span>, <span class="term">&gt;</span>&#160;and <span class="term">&amp;</span>&#160;characters with some of the HTML-discouraged characters (see <a href="#s3.1.2">section 3.1.2</a>). Post-htmLawed processing, the replacements are reverted.<br />

+<br />

+&#160; An example (mixed HTML and PHP code in input text):<br />

+<br />

+

+<code class="code">&#160; &#160; $text = preg_replace(&#39;&#96;&lt;\?php(.+?)\?&gt;&#96;sm&#39;, "\x83?php\\1?\x84", $text);</code>

+<br />

+

+<code class="code">&#160; &#160; $processed = htmLawed($text);</code>

+<br />

+

+<code class="code">&#160; &#160; $processed = preg_replace(&#39;&#96;\x83\?php(.+?)\?\x84&#96;sm&#39;, &#39;&lt;?php$1?&gt;&#39;, $processed);</code>

+<br />

+<br />

+&#160; This code will not work if <span class="term">$config["clean_ms_char"]</span>&#160;is set to <span class="term">1</span>&#160;(<a href="#s3.1">section 3.1</a>), in which case one should instead deploy a hook function (<a href="#s3.7">section 3.7</a>). (htmLawed internally uses certain control characters, code-points <span class="term">1</span>&#160;to <span class="term">7</span>, and use of these characters as markers in the logic of hook functions may cause issues.)<br />

+<br />

+&#160; Admins may also be able to use <span class="term">$config["and_mark"]</span>&#160;to deal with such mixed markup; see <a href="#s3.2">section 3.2</a>.<br />

+

+</div>

+</div>

+<div class="section"><h2>

+<a name="s4" id="s4"></a><span class="item-no">4</span>&#160; Other

+</h2><span class="totop"><a href="#peak">(to top)</a></span><br style="clear: both;" />

+<div class="sub-section"><h3>

+<a name="s4.1" id="s4.1"></a><span class="item-no">4.1</span>&#160; Support

+</h3><span class="totop"><a href="#peak">(to top)</a></span><br style="clear: both;" />

+<br />

+&#160; Software updates and forum-based community-support may be found at <a href="http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed">http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed</a>. For general PHP issues (not htmLawed-specific), support may be found through internet searches and at <a href="http://php.net">http://php.net</a>.<br />

+

+</div>

+<div class="sub-section"><h3>

+<a name="s4.2" id="s4.2"></a><span class="item-no">4.2</span>&#160; Known issues

+</h3><span class="totop"><a href="#peak">(to top)</a></span><br style="clear: both;" />

+<br />

+&#160; See <a href="#s2.8">section 2.8</a>.<br />

+

+</div>

+<div class="sub-section"><h3>

+<a name="s4.3" id="s4.3"></a><span class="item-no">4.3</span>&#160; Change-log

+</h3><span class="totop"><a href="#peak">(to top)</a></span><br style="clear: both;" />

+<br />

+&#160; (The release date for the downloadable package of files containing documentation, demo script, test-cases, etc., besides the <span class="term">htmLawed.php</span>&#160;file, may be updated without a change-log entry if the secondary files, but not htmLawed per se, are revised.)<br />

+<br />

+&#160; <em>Version number - Release date. Notes</em><br />

+<br />

+&#160; 1.2.5 - 24 September 2019. Fixes two bugs in <span class="term">font</span>&#160;tag transformation<br />

+<br />

+&#160; 1.2.4.2 - 16 May 2019. Corrects a PHP notice if a semi-colon is present in <span class="term">$config["schemes"]</span><br />

+<br />

+&#160; 1.2.4.1 - 12 September 2017. Corrects a function re-declaration bug introduced in version 1.2.4<br />

+<br />

+&#160; 1.2.4 - 31 August 2017. Removes use of PHP <span class="term">create_function</span>&#160;function and <span class="term">$php_errormsg</span>&#160;reserved variable (deprecated in PHP 7.2)<br />

+<br />

+&#160; 1.2.3 - 5 July 2017. New option value of <span class="term">4</span>&#160;for <span class="term">$config["comments"]</span>&#160;to stop enforcing a space character before the <span class="term">--&gt;</span>&#160;comment-closing marker<br />

+<br />

+&#160; 1.2.2 - 25 May 2017. Fix for a bug in parsing <span class="term">$spec</span>&#160;that got introduced in version 1.2; also, <span class="term">$spec</span>&#160;is now parsed to accommodate specifications for an HTML element when they are specified in multiple rules<br />

+<br />

+&#160; 1.2.1.1 - 17 May 2017. Fix for a potential security vulnerability in transformation of deprecated attributes<br />

+<br />

+&#160; 1.2.1 - 15 May 2017. Fix for a potential security vulnerability in transformation of deprecated attributes<br />

+<br />

+&#160; 1.2 - 11 February 2017. (First beta release on 26 May 2013). Added support for HTML version 5; ARIA, data-* and microdata attributes; <span class="term">app</span>, <span class="term">data</span>, <span class="term">javascript</span>&#160;and <span class="term">tel</span>&#160;URL schemes (thus, <span class="term">javascript&#58;</span>&#160;is not filtered in default mode). Removed support for code using Kses functions (see <a href="#s2.6">section 2.6</a>). Changes in revisions to the beta releases are not noted here.<br />

+<br />

+&#160; 1.1.22 - 5 March 2016. Improved testing of attribute value rules specified in <span class="term">$spec</span><br />

+<br />

+&#160; 1.1.21 - 27 February 2016. Improvement and security fix in transforming <span class="term">font</span>&#160;element<br />

+<br />

+&#160; 1.1.20 - 9 June 2015. Fix for a potential security vulnerability arising from unescaped double-quote character in single-quoted attribute value of some deprecated elements when tag transformation is enabled; recognition for non-(HTML 4) standard <span class="term">allowfullscreen</span>&#160;attribute of <span class="term">iframe</span><br />

+<br />

+&#160; 1.1.19 - 19 January 2015. Fix for a bug in cleaning of soft-hyphens in URL values, etc<br />

+<br />

+&#160; 1.1.18 - 2 August 2014. Fix for a potential security vulnerability arising from specially encoded text with serial opening tags<br />

+<br />

+&#160; 1.1.17 - 11 March 2014. Removed use of PHP function preg_replace with <span class="term">e</span>&#160;modifier for compatibility with PHP 5.5.<br />

+<br />

+&#160; 1.1.16 - 29 August 2013. Fix for a potential security vulnerability arising from specialy encoded space characters in URL schemes/protocols<br />

+<br />

+&#160; 1.1.15 - 11 August 2013. Improved tidying/prettifying functionality<br />

+<br />

+&#160; 1.1.14 - 8 August 2012. Fix for possible segmental loss of incremental indentation during <span class="term">tidying</span>&#160;when <span class="term">balance</span>&#160;is disabled; fix for non-effectuation under some circumstances of a corrective behavior to preserve plain text within elements like <span class="term">blockquote</span><br />

+<br />

+&#160; 1.1.13 - 22 July 2012. Added feature allowing use of custom, non-standard attributes or custom rules for standard attributes<br />

+<br />

+&#160; 1.1.12 - 5 July 2012. Fix for a bug in identifying an unquoted value of the <span class="term">face</span>&#160;attribute<br />

+<br />

+&#160; 1.1.11 - 5 June 2012. Fix for possible problem with handling of multi-byte characters in attribute values in an mbstring.func_overload enviroment. <span class="term">$config["hook_tag"]</span>, if specified, now receives names of elements in closing tags.<br />

+<br />

+&#160; 1.1.10 - 22 October 2011. Fix for a bug in the <span class="term">tidy</span>&#160;functionality that caused the entire input to be replaced with a single space; new parameter, <span class="term">$config["direct_list_nest"]</span>&#160;to allow direct descendance of a list in a list. (5 April 2012. Dual licensing from LGPLv3 to LGPLv3 and GPLv2+.)<br />

+<br />

+&#160; 1.1.9.5 - 6 July 2011. Minor correction of a rule for nesting of <span class="term">li</span>&#160;within <span class="term">dir</span><br />

+<br />

+&#160; 1.1.9.4 - 3 July 2010. Parameter <span class="term">schemes</span>&#160;now accepts <span class="term">!</span>&#160;so any URL, even a local one, can be <em>denied</em>. An issue in which a second URL value in <span class="term">style</span>&#160;properties was not checked was fixed.<br />

+<br />

+&#160; 1.1.9.3 - 17 May 2010. Checks for correct nesting of <span class="term">param</span><br />

+<br />

+&#160; 1.1.9.2 - 26 April 2010. Minor fix regarding rendering of denied URL schemes<br />

+<br />

+&#160; 1.1.9.1 - 26 February 2010. htmLawed now uses the LGPL version 3 license; support for <span class="term">flashvars</span>&#160;attribute for <span class="term">embed</span><br />

+<br />

+&#160; 1.1.9 - 22 December 2009. Soft-hyphens are now removed only from URL-accepting attribute values<br />

+<br />

+&#160; 1.1.8.1 - 16 July 2009. Minor code-change to fix a PHP error notice<br />

+<br />

+&#160; 1.1.8 - 23 April 2009. Parameter <span class="term">deny_attribute</span>&#160;now accepts the wild-card <span class="term">&#42;</span>, making it simpler to specify its value when all but a few attributes are being denied; fixed a bug in interpreting <span class="term">$spec</span><br />

+<br />

+&#160; 1.1.7 - 11-12 March 2009. Attributes globally denied through <span class="term">deny_attribute</span>&#160;can be allowed element-specifically through <span class="term">$spec</span>; <span class="term">$config["style_pass"]</span>&#160;allowing letting through any <span class="term">style</span>&#160;value introduced; altered logic to catch certain types of dynamic crafted CSS expressions<br />

+<br />

+&#160; 1.1.3-6 - 28-31 January - 4 February 2009. Altered logic to catch certain types of dynamic crafted CSS expressions<br />

+<br />

+&#160; 1.1.2 - 22 January 2009. Fixed bug in parsing of <span class="term">font</span>&#160;attributes during tag transformation<br />

+<br />

+&#160; 1.1.1 - 27 September 2008. Better nesting correction when omitable closing tags are absent<br />

+<br />

+&#160; 1.1 - 29 June 2008. <span class="term">$config["hook_tag"]</span>&#160;and <span class="term">$config["tidy"]</span>&#160;introduced for custom tag/attribute check/modification/injection and output compaction/beautification; fixed a regex-in-$spec parsing bug<br />

+<br />

+&#160; 1.0.9 - 11 June 2008. Fix for a bug in checks for invalid HTML code-point entities<br />

+<br />

+&#160; 1.0.8 - 15 May 2008. Permit <span class="term">bordercolor</span>&#160;attribute for <span class="term">table</span>, <span class="term">td</span>&#160;and <span class="term">tr</span><br />

+<br />

+&#160; 1.0.7 - 1 May 2008. Support for <span class="term">wmode</span>&#160;attribute for <span class="term">embed</span>; <span class="term">$config["show_setting"]</span>&#160;introduced; improved <span class="term">$config["elements"]</span>&#160;evaluation<br />

+<br />

+&#160; 1.0.6 - 20 April 2008. <span class="term">$config["and_mark"]</span>&#160;introduced<br />

+<br />

+&#160; 1.0.5 - 12 March 2008. <span class="term">style</span>&#160;URL schemes essentially disallowed when $config <span class="term">safe</span>&#160;is on; improved regex for CSS expression search<br />

+<br />

+&#160; 1.0.4 - 10 March 2008. Improved corrections for <span class="term">blockquote</span>, <span class="term">form</span>, <span class="term">map</span>&#160;and <span class="term">noscript</span><br />

+<br />

+&#160; 1.0.3 - 3 March 2008. Character entities for soft-hyphens are now replaced with spaces (instead of being removed); fix for a bug allowing <span class="term">td</span>&#160;directly inside <span class="term">table</span>; <span class="term">$config["safe"]</span>&#160;introduced<br />

+<br />

+&#160; 1.0.2 - 13 February 2008. Improved implementation of <span class="term">$config["keep_bad"]</span><br />

+<br />

+&#160; 1.0.1 - 7 November 2007. Improved regex for identifying URLs, protocols and dynamic expressions (<span class="term">hl_tag()</span>&#160;and <span class="term">hl_prot()</span>); no error display with <span class="term">hl_regex()</span><br />

+<br />

+&#160; 1.0 - 2 November 2007. First release<br />

+

+</div>

+<div class="sub-section"><h3>

+<a name="s4.4" id="s4.4"></a><span class="item-no">4.4</span>&#160; Testing

+</h3><span class="totop"><a href="#peak">(to top)</a></span><br style="clear: both;" />

+<br />

+&#160; To test htmLawed using a form interface, a <a href="htmLawedTest.php">demo</a>&#160;web-page is provided with the htmLawed distribution (<span class="term">htmLawed.php</span>&#160;and <span class="term">htmLawedTest.php</span>&#160;should be in the same directory on the web-server). A file with <a href="htmLawed_TESTCASE.txt">test-cases</a>&#160;is also provided.<br />

+

+</div>

+<div class="sub-section"><h3>

+<a name="s4.5" id="s4.5"></a><span class="item-no">4.5</span>&#160; Upgrade, &amp; old versions

+</h3><span class="totop"><a href="#peak">(to top)</a></span><br style="clear: both;" />

+<br />

+&#160; Upgrading is as simple as replacing the previous version of <span class="term">htmLawed.php</span>, assuming the file was not modified for customized features. As htmLawed output is almost always used in static documents, upgrading should not affect old, finalized content.<br />

+<br />

+&#160; <strong>Note:</strong>&#160;The following upgrades may affect the functionality of a specific htmLawed installation:<br />

+<br />

+&#160; (1) From version 1.1-1.1.10 to 1.1.11 or later, if a <span class="term">hook_tag</span>&#160;function is in use: In version 1.1.11 and later, elements in closing tags (and not just the opening tags) are also passed to the function. There are no attribute names/values to pass, so a <span class="term">hook_tag</span>&#160;function receives only the element name. The <span class="term">hook_tag</span>&#160;function therefore may have to be edited. See <a href="#s3.4.9">section 3.4.9</a>.<br />

+<br />

+&#160; (2) From version older than 1.2.beta to later, if htmLawed was used as Kses replacement with Kses code in use: In version 1.2.beta or later, htmLawed no longer provides direct support for code that uses Kses functions (see <a href="#s2.6">section 2.6</a>).<br />

+<br />

+&#160; (3) From version older than 1.2 to later, if htmLawed is used without <span class="term">$config["safe"]</span>&#160;set to 1: Unlike previous versions, htmLawed version 1.2 and later permit <span class="term">data</span>&#160;and <span class="term">javascript</span>&#160;URL schemes by default (see <a href="#s3.4.3">section 3.4.3</a>).<br />

+<br />

+&#160; Old versions of htmLawed may be available online. E.g., for version 1.0, check <a href="http://www.bioinformatics.org/phplabware/downloads/htmLawed1.zip">http://www.bioinformatics.org/phplabware/downloads/htmLawed1.zip</a>; for 1.1.1, <a href="http://www.bioinformatics.org/phplabware/downloads/htmLawed111.zip">http://www.bioinformatics.org/phplabware/downloads/htmLawed111.zip</a>; and for 1.1.22, <a href="http://www.bioinformatics.org/phplabware/downloads/htmLawed1122.zip">http://www.bioinformatics.org/phplabware/downloads/htmLawed1122.zip</a>.<br />

+

+</div>

+<div class="sub-section"><h3>

+<a name="s4.6" id="s4.6"></a><span class="item-no">4.6</span>&#160; Comparison with <span class="term">HTMLPurifier</span>

+</h3><span class="totop"><a href="#peak">(to top)</a></span><br style="clear: both;" />

+<br />

+&#160; The HTMLPurifier PHP library by Edward Yang is a very good HTML filtering script that uses object oriented PHP code. Compared to htmLawed, it (as of year 2015):<br />

+<br />

+&#160; * &#160;does not support PHP versions older than 5.0 (HTMLPurifier dropped PHP 4 support after version 2)<br />

+<br />

+&#160; * &#160;is 15-20 times bigger (scores of files totalling more than 750 kb)<br />

+<br />

+&#160; * &#160;consumes 10-15 times more RAM memory (just including the HTMLPurifier files without calling the filter requires a few MBs of memory)<br />

+<br />

+&#160; * &#160;is expectedly slower<br />

+<br />

+&#160; * &#160;lacks many of the extra features of htmLawed (like entity conversions and code compaction/beautification)<br />

+<br />

+&#160; * &#160;has poor documentation<br />

+<br />

+&#160; However, HTMLPurifier has finer checks for character encodings and attribute values, and can log warnings and errors. Visit the HTMLPurifier <a href="http://htmlpurifier.org">website</a>&#160;for updated information.<br />

+

+</div>

+<div class="sub-section"><h3>

+<a name="s4.7" id="s4.7"></a><span class="item-no">4.7</span>&#160; Use through application plug-ins/modules

+</h3><span class="totop"><a href="#peak">(to top)</a></span><br style="clear: both;" />

+<br />

+&#160; Plug-ins/modules to implement htmLawed in applications such as Drupal may have been developed. Check the application websites and the htmLawed <a href="http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed">forum</a>.<br />

+

+</div>

+<div class="sub-section"><h3>

+<a name="s4.8" id="s4.8"></a><span class="item-no">4.8</span>&#160; Use in non-PHP applications

+</h3><span class="totop"><a href="#peak">(to top)</a></span><br style="clear: both;" />

+<br />

+&#160; Non-PHP applications written in Python, Ruby, etc., may be able to use htmLawed through system calls to the PHP engine. Such code may have been documented on the internet. Also check the forum on the htmLawed <a href="http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed">site</a>.<br />

+

+</div>

+<div class="sub-section"><h3>

+<a name="s4.9" id="s4.9"></a><span class="item-no">4.9</span>&#160; Donate

+</h3><span class="totop"><a href="#peak">(to top)</a></span><br style="clear: both;" />

+<br />

+&#160; A donation in any currency and amount to appreciate or support this software can be sent by <a href="http://paypal.com">PayPal</a>&#160;to this email address: drpatnaik at yahoo dot com.<br />

+

+</div>

+<div class="sub-section"><h3>

+<a name="s4.10" id="s4.10"></a><span class="item-no">4.10</span>&#160; Acknowledgements

+</h3><span class="totop"><a href="#peak">(to top)</a></span><br style="clear: both;" />

+<br />

+&#160; Nicholas Alipaz, Bryan Blakey, Pádraic Brady, Dac Chartrand, Alexandre Chouinard, Ulf Harnhammer, Gareth Heyes, Hakre, Klaus Leithoff, Lukasz Pilorz, Shelley Powers, Psych0tr1a, Lincoln Russell, Tomas Sykorka, Harro Verton, Edward Yang, and many anonymous users.<br />

+<br />

+&#160; Thank you!<br />

+

+</div>

+</div>

+<div class="section"><h2>

+<a name="s5" id="s5"></a><span class="item-no">5</span>&#160; Appendices

+</h2><span class="totop"><a href="#peak">(to top)</a></span><br style="clear: both;" />

+<div class="sub-section"><h3>

+<a name="s5.1" id="s5.1"></a><span class="item-no">5.1</span>&#160; Characters discouraged in XHTML

+</h3><span class="totop"><a href="#peak">(to top)</a></span><br style="clear: both;" />

+<br />

+&#160; Characters represented by the following hexadecimal code-points are <em>not</em>&#160;invalid, even though some validators may issue messages stating otherwise.<br />

+<br />

+&#160; <span class="term">7f</span>&#160;to <span class="term">84</span>, <span class="term">86</span>&#160;to <span class="term">9f</span>, <span class="term">fdd0</span>&#160;to <span class="term">fddf</span>, <span class="term">1fffe</span>, <span class="term">1ffff</span>, <span class="term">2fffe</span>, <span class="term">2ffff</span>, <span class="term">3fffe</span>, <span class="term">3ffff</span>, <span class="term">4fffe</span>, <span class="term">4ffff</span>, <span class="term">5fffe</span>, <span class="term">5ffff</span>, <span class="term">6fffe</span>, <span class="term">6ffff</span>, <span class="term">7fffe</span>, <span class="term">7ffff</span>, <span class="term">8fffe</span>, <span class="term">8ffff</span>, <span class="term">9fffe</span>, <span class="term">9ffff</span>, <span class="term">afffe</span>, <span class="term">affff</span>, <span class="term">bfffe</span>, <span class="term">bffff</span>, <span class="term">cfffe</span>, <span class="term">cffff</span>, <span class="term">dfffe</span>, <span class="term">dffff</span>, <span class="term">efffe</span>, <span class="term">effff</span>, <span class="term">ffffe</span>, <span class="term">fffff</span>, <span class="term">10fffe</span>&#160;and <span class="term">10ffff</span><br />

+

+</div>

+<div class="sub-section"><h3>

+<a name="s5.2" id="s5.2"></a><span class="item-no">5.2</span>&#160; Valid attribute-element combinations

+</h3><span class="totop"><a href="#peak">(to top)</a></span><br style="clear: both;" />

+<br />

+&#160; * &#160;includes deprecated attributes (marked <span class="term">^</span>), attributes for microdata (marked <span class="term">&#42;</span>), the non-standard <span class="term">bordercolor</span>, and new-in-HTML5 attributes (marked <span class="term">~</span>); can have multiple comma-separated values (marked <span class="term">%</span>); can have multiple space-separated values (marked <span class="term">$</span>)<br />

+&#160; * &#160;only non-frameset, HTML body elements<br />

+&#160; * &#160;<span class="term">name</span>&#160;for <span class="term">a</span>&#160;and <span class="term">map</span>, and <span class="term">lang</span>&#160;are invalid in XHTML 1.1<br />

+&#160; * &#160;<span class="term">target</span>&#160;is valid for <span class="term">a</span>&#160;in XHTML 1.1 and higher<br />

+&#160; * &#160;<span class="term">xml&#58;space</span>&#160;is only for XHTML 1.1<br />

+<br />

+&#160; abbr - td, th<br />

+&#160; accept - form, input<br />

+&#160; accept-charset - form<br />

+&#160; action - form<br />

+&#160; align - applet, caption^, col, colgroup, div^, embed, h1^, h2^, h3^, h4^, h5^, h6^, hr^, iframe, img^, input^, legend^, object^, p^, table^, tbody, td, tfoot, th, thead, tr<br />

+&#160; allowfullscreen - iframe<br />

+&#160; alt - applet, area, img, input<br />

+&#160; archive - applet, object<br />

+&#160; async~ - script<br />

+&#160; autocomplete~ - input<br />

+&#160; autofocus~ - button, input, keygen, select, textarea<br />

+&#160; autoplay~ - audio, video<br />

+&#160; axis - td, th<br />

+&#160; bgcolor - embed, table^, td^, th^, tr^<br />

+&#160; border - img, object^, table<br />

+&#160; bordercolor - table, td, tr<br />

+&#160; cellpadding - table<br />

+&#160; cellspacing - table<br />

+&#160; challenge~ - keygen<br />

+&#160; char - col, colgroup, tbody, td, tfoot, th, thead, tr<br />

+&#160; charoff - col, colgroup, tbody, td, tfoot, th, thead, tr<br />

+&#160; charset - a, script<br />

+&#160; checked - command, input<br />

+&#160; cite - blockquote, del, ins, q<br />

+&#160; classid - object<br />

+&#160; clear - br^<br />

+&#160; code - applet<br />

+&#160; codebase - object, applet<br />

+&#160; codetype - object<br />

+&#160; color - font<br />

+&#160; cols - textarea<br />

+&#160; colspan - td, th<br />

+&#160; compact - dir, dl^, menu, ol^, ul^<br />

+&#160; content - meta<br />

+&#160; controls~ - audio, video<br />

+&#160; coords - area, a<br />

+&#160; crossorigin~ - img<br />

+&#160; data - object<br />

+&#160; datetime - del, ins, time<br />

+&#160; declare - object<br />

+&#160; default~ - track<br />

+&#160; defer - script<br />

+&#160; dir - bdo<br />

+&#160; dirname~ - input, textarea<br />

+&#160; disabled - button, command, fieldset, input, keygen, optgroup, option, select, textarea<br />

+&#160; download~ - a<br />

+&#160; enctype - form<br />

+&#160; face - font<br />

+&#160; flashvars** - embed<br />

+&#160; for - label, output<br />

+&#160; form~ - button, fieldset, input, keygen, label, object, output, select, textarea<br />

+&#160; formaction~ - button, input<br />

+&#160; formenctype~ - button, input<br />

+&#160; formmethod~ - button, input<br />

+&#160; formnovalidate~ - button, input<br />

+&#160; formtarget~ - button, input<br />

+&#160; frame - table<br />

+&#160; frameborder - iframe<br />

+&#160; headers - td, th<br />

+&#160; height - applet, canvas, embed, iframe, img, input, object, td^, th^, video<br />

+&#160; high~ - meter<br />

+&#160; href - a, area, link<br />

+&#160; hreflang - a, area, link<br />

+&#160; hspace - applet, embed, img^, object^<br />

+&#160; icon~ - command<br />

+&#160; ismap - img, input<br />

+&#160; keytype~ - keygen<br />

+&#160; keyparams~ - keygen<br />

+&#160; kind~ - track<br />

+&#160; label - command, menu, option, optgroup, track<br />

+&#160; language - script^<br />

+&#160; list~ - input<br />

+&#160; longdesc - img, iframe<br />

+&#160; loop~ - audio, video<br />

+&#160; low~ - meter<br />

+&#160; marginheight - iframe<br />

+&#160; marginwidth - iframe<br />

+&#160; max~ - input, meter, progress<br />

+&#160; maxlength - input, textarea<br />

+&#160; media~ - a, area, link, source, style<br />

+&#160; mediagroup~ - audio, video<br />

+&#160; method - form<br />

+&#160; min~ - input, meter<br />

+&#160; model** - embed<br />

+&#160; multiple - input, select<br />

+&#160; muted~ - audio, video<br />

+&#160; name - a^, applet^, button, embed, fieldset, form^, iframe^, img^, input, keygen, map^, object, output, param, select, textarea<br />

+&#160; nohref - area<br />

+&#160; noshade - hr^<br />

+&#160; novalidate~ - form<br />

+&#160; nowrap - td^, th^<br />

+&#160; object - applet<br />

+&#160; open~ - details<br />

+&#160; optimum~ - meter<br />

+&#160; pattern~ - input<br />

+&#160; ping~ - a, area<br />

+&#160; placeholder~ - input, textarea<br />

+&#160; pluginspage** - embed<br />

+&#160; pluginurl** - embed<br />

+&#160; poster~ - video<br />

+&#160; pqg~ - keygen<br />

+&#160; preload~ - audio, video<br />

+&#160; prompt - isindex<br />

+&#160; pubdate~ - time<br />

+&#160; radiogroup* - command<br />

+&#160; readonly - input, textarea<br />

+&#160; required~ - input, select, textarea<br />

+&#160; rel$ - a, area, link<br />

+&#160; rev - a<br />

+&#160; reversed~ - old<br />

+&#160; rows - textarea<br />

+&#160; rowspan - td, th<br />

+&#160; rules - table<br />

+&#160; sandbox~ - iframe<br />

+&#160; scope - td, th<br />

+&#160; scoped~ - style<br />

+&#160; scrolling - iframe<br />

+&#160; seamless~ - iframe<br />

+&#160; selected - option<br />

+&#160; shape - area, a<br />

+&#160; size - font, hr^, input, select<br />

+&#160; sizes~ - link<br />

+&#160; span - col, colgroup<br />

+&#160; src - audio, embed, iframe, img, input, script, source, track, video<br />

+&#160; srcdoc~ - iframe<br />

+&#160; srclang~ - track<br />

+&#160; srcset~% - img<br />

+&#160; standby - object<br />

+&#160; start - ol<br />

+&#160; step~ - input<br />

+&#160; summary - table<br />

+&#160; target - a, area, form<br />

+&#160; type - a, area, button, command, embed, input, li, link, menu, object, ol, param, script, source, style, ul<br />

+&#160; typemustmatch~ - object<br />

+&#160; usemap - img, input, object<br />

+&#160; valign - col, colgroup, tbody, td, tfoot, th, thead, tr<br />

+&#160; value - button, data, input, li, meter, option, param, progress<br />

+&#160; valuetype - param<br />

+&#160; vspace - applet, embed, img^, object^<br />

+&#160; width - applet, canvas, col, colgroup, embed, hr^, iframe, img, input, object, pre^, table, td^, th^, video<br />

+&#160; wmode - embed<br />

+&#160; wrap~ - textarea<br />

+<br />

+&#160; The following attributes, including event-specific ones and attributes of ARIA and microdata specifications, are considered global and allowed in all elements:<br />

+<br />

+&#160; accesskey, aria-activedescendant, aria-atomic, aria-autocomplete, aria-busy, aria-checked, aria-controls, aria-describedby, aria-disabled, aria-dropeffect, aria-expanded, aria-flowto, aria-grabbed, aria-haspopup, aria-hidden, aria-invalid, aria-label, aria-labelledby, aria-level, aria-live, aria-multiline, aria-multiselectable, aria-orientation, aria-owns, aria-posinset, aria-pressed, aria-readonly, aria-relevant, aria-required, aria-selected, aria-setsize, aria-sort, aria-valuemax, aria-valuemin, aria-valuenow, aria-valuetext, class$, contenteditable, contextmenu, dir, draggable, dropzone, hidden, id, inert, itemid, itemprop, itemref, itemscope, itemtype, lang, onabort, onblur, oncanplay, oncanplaythrough, onchange, onclick, oncontextmenu, oncopy, oncuechange, oncut, ondblclick, ondrag, ondragend, ondragenter, ondragleave, ondragover, ondragstart, ondrop, ondurationchange, onemptied, onended, onerror, onfocus, onformchange, onforminput, oninput, oninvalid, onkeydown, onkeypress, onkeyup, onload, onloadeddata, onloadedmetadata, onloadstart, onlostpointercapture, onmousedown, onmousemove, onmouseout, onmouseover, onmouseup, onmousewheel, onpaste, onpause, onplay, onplaying, onpointercancel, ongotpointercapture, onpointerdown, onpointerenter, onpointerleave, onpointermove, onpointerout, onpointerover, onpointerup, onprogress, onratechange, onreadystatechange, onreset, onsearch, onscroll, onseeked, onseeking, onselect, onshow, onstalled, onsubmit, onsuspend, ontimeupdate, ontoggle, ontouchcancel, ontouchend, ontouchmove, ontouchstart, onvolumechange, onwaiting, onwheel, role, spellcheck, style, tabindex, title, translate, xmlns, xml:base, xml:lang, xml:space<br />

+<br />

+&#160; Custom <em>data-*</em>&#160;attributes, where the first three characters of the value of <em>star</em>&#160;(*) after lower-casing do not equal <span class="term">xml</span>&#160;and the value of <em>star</em>&#160;does not have a colon (:), equal-to (=), newline, solidus (/), space, tab, or any A-Z character, are also considered global and allowed in all elements.<br />

+

+</div>

+<div class="sub-section"><h3>

+<a name="s5.3" id="s5.3"></a><span class="item-no">5.3</span>&#160; CSS 2.1 properties accepting URLs

+</h3><span class="totop"><a href="#peak">(to top)</a></span><br style="clear: both;" />

+<br />

+&#160; background<br />

+&#160; background-image<br />

+&#160; content<br />

+&#160; cue-after<br />

+&#160; cue-before<br />

+&#160; cursor<br />

+&#160; list-style<br />

+&#160; list-style-image<br />

+&#160; play-during<br />

+

+</div>

+<div class="sub-section"><h3>

+<a name="s5.4" id="s5.4"></a><span class="item-no">5.4</span>&#160; Microsoft Windows 1252 character replacements

+</h3><span class="totop"><a href="#peak">(to top)</a></span><br style="clear: both;" />

+<br />

+&#160; Key: <span class="term">d</span>&#160;double, <span class="term">l</span>&#160;left, <span class="term">q</span>&#160;quote, <span class="term">r</span>&#160;right, <span class="term">s.</span>&#160;single<br />

+<br />

+&#160; Code-point (decimal) - hexadecimal value - replacement entity - represented character<br />

+<br />

+&#160; 127 - 7f - (removed) - (not used)<br />

+&#160; 128 - 80 - &amp;#8364; - euro<br />

+&#160; 129 - 81 - (removed) - (not used)<br />

+&#160; 130 - 82 - &amp;#8218; - baseline s. q<br />

+&#160; 131 - 83 - &amp;#402; - florin<br />

+&#160; 132 - 84 - &amp;#8222; - baseline d q<br />

+&#160; 133 - 85 - &amp;#8230; - ellipsis<br />

+&#160; 134 - 86 - &amp;#8224; - dagger<br />

+&#160; 135 - 87 - &amp;#8225; - d dagger<br />

+&#160; 136 - 88 - &amp;#710; - circumflex accent<br />

+&#160; 137 - 89 - &amp;#8240; - permile<br />

+&#160; 138 - 8a - &amp;#352; - S Hacek<br />

+&#160; 139 - 8b - &amp;#8249; - l s. guillemet<br />

+&#160; 140 - 8c - &amp;#338; - OE ligature<br />

+&#160; 141 - 8d - (removed) - (not used)<br />

+&#160; 142 - 8e - &amp;#381; - Z dieresis<br />

+&#160; 143 - 8f - (removed) - (not used)<br />

+&#160; 144 - 90 - (removed) - (not used)<br />

+&#160; 145 - 91 - &amp;#8216; - l s. q<br />

+&#160; 146 - 92 - &amp;#8217; - r s. q<br />

+&#160; 147 - 93 - &amp;#8220; - l d q<br />

+&#160; 148 - 94 - &amp;#8221; - r d q<br />

+&#160; 149 - 95 - &amp;#8226; - bullet<br />

+&#160; 150 - 96 - &amp;#8211; - en dash<br />

+&#160; 151 - 97 - &amp;#8212; - em dash<br />

+&#160; 152 - 98 - &amp;#732; - tilde accent<br />

+&#160; 153 - 99 - &amp;#8482; - trademark<br />

+&#160; 154 - 9a - &amp;#353; - s Hacek<br />

+&#160; 155 - 9b - &amp;#8250; - r s. guillemet<br />

+&#160; 156 - 9c - &amp;#339; - oe ligature<br />

+&#160; 157 - 9d - (removed) - (not used)<br />

+&#160; 158 - 9e - &amp;#382; - z dieresis<br />

+&#160; 159 - 9f - &amp;#376; - Y dieresis<br />

+

+</div>

+<div class="sub-section"><h3>

+<a name="s5.5" id="s5.5"></a><span class="item-no">5.5</span>&#160; URL format

+</h3><span class="totop"><a href="#peak">(to top)</a></span><br style="clear: both;" />

+<br />

+&#160; An <em>absolute</em>&#160;URL has a <span class="term">protocol</span>&#160;or <span class="term">scheme</span>, a <span class="term">network location</span>&#160;or <span class="term">hostname</span>, and, optional <span class="term">path</span>, <span class="term">parameters</span>, <span class="term">query</span>&#160;and <span class="term">fragment</span>&#160;segments. Thus, an absolute URL has this generic structure:<br />

+<br />

+

+<code class="code">&#160; &#160; (scheme) &#58; (//network location) /(path) ;(parameters) ?(query) #(fragment)</code>

+<br />

+<br />

+&#160; The schemes can only contain letters, digits, <span class="term">+</span>, <span class="term">.</span>&#160;and <span class="term">-</span>. Hostname is the portion after the <span class="term">//</span>&#160;and up to the first <span class="term">/</span>&#160;(if any; else, up to the end) when <span class="term">&#58;</span>&#160;is followed by a <span class="term">//</span>&#160;(e.g., <span class="term">abc.com</span>&#160;in <span class="term">ftp&#58;//abc.com/def</span>); otherwise, it consists of everything after the <span class="term">&#58;</span>&#160;(e.g., <span class="term">def@abc.com</span>&#160;in mailto:def@abc.com').<br />

+<br />

+&#160; <em>Relative</em>&#160;URLs do not have explicit schemes and network locations; such values are inherited from a <em>base</em>&#160;URL.<br />

+

+</div>

+<div class="sub-section"><h3>

+<a name="s5.6" id="s5.6"></a><span class="item-no">5.6</span>&#160; Brief on htmLawed code

+</h3><span class="totop"><a href="#peak">(to top)</a></span><br style="clear: both;" />

+<br />

+&#160; Much of the code's logic and reasoning can be understood from the documentation above.<br />

+<br />

+&#160; The <strong>output</strong>&#160;of htmLawed is a text string containing the processed input. There is no custom error tracking.<br />

+<br />

+&#160; <strong>Function arguments</strong>&#160;for htmLawed are:<br />

+<br />

+&#160; * &#160;<span class="term">$in</span>&#160;- first argument; a text string; the <strong>input text</strong>&#160;to be processed. Any extraneous slashes added by PHP when <em>magic quotes</em>&#160;are enabled should be removed beforehand using PHP's <span class="term">stripslashes()</span>&#160;function.<br />

+<br />

+&#160; * &#160;<span class="term">$config</span>&#160;- second argument; an associative array; optional; named <span class="term">$C</span>&#160;within htmLawed code. The array has keys with names like <span class="term">balance</span>&#160;and <span class="term">keep_bad</span>, and the values, which can be boolean, string, or array, depending on the key, are read to accordingly set the <strong>configurable parameters</strong>&#160;(indicated by the keys). All configurable parameters receive some default value if the value to be used is not specified by the user through <span class="term">$config</span>. <em>Finalized</em>&#160;<span class="term">$config</span>&#160;is thus a filtered and possibly larger array.<br />

+<br />

+&#160; * &#160;<span class="term">$spec</span>&#160;- third argument; a text string; optional. The string has rules, written in an htmLawed-designated format, <strong>specifying</strong>&#160;element-specific attribute and attribute value restrictions. Function <span class="term">hl_spec()</span>&#160;is used to convert the string to an associative-array, named <span class="term">$S</span>&#160;within htmLawed code, for internal use. <em>Finalized</em>&#160;<span class="term">$spec</span>&#160;is thus an array.<br />

+<br />

+&#160; <em>Finalized</em>&#160;<span class="term">$config</span>&#160;and <span class="term">$spec</span>&#160;are made <strong>global variables</strong>&#160;while htmLawed is at work. Values of any pre-existing global variables with same names are noted, and their values are restored after htmLawed finishes processing the input (to capture the <em>finalized</em>&#160;values, the <span class="term">show_settings</span>&#160;parameter of <span class="term">$config</span>&#160;should be used). Depending on <span class="term">$config</span>, another global variable <span class="term">hl_Ids</span>, to track <span class="term">id</span>&#160;attribute values for uniqueness, may be set. Unlike the other two variables, this one is not reset (or unset) post-processing.<br />

+<br />

+&#160; Except for the main <span class="term">htmLawed()</span>&#160;function, htmLawed's functions are <strong>name-spaced</strong>&#160;using the <span class="term">hl_</span>&#160;prefix. The <strong>functions</strong>&#160;and their roles are:<br />

+<br />

+&#160; * &#160;<span class="term">hl_attrval</span>&#160;- check attribute values against <span class="term">$spec</span><br />

+&#160; * &#160;<span class="term">hl_bal</span>&#160;- balance tags and ensure proper nesting<br />

+&#160; * &#160;<span class="term">hl_cmtcd</span>&#160;- handle CDATA sections and HTML comments<br />

+&#160; * &#160;<span class="term">hl_ent</span>&#160;- handle character entities<br />

+&#160; * &#160;<span class="term">hl_prot</span>&#160;- check a URL scheme/protocol<br />

+&#160; * &#160;<span class="term">hl_regex</span>&#160;- check syntax of a regular expression<br />

+&#160; * &#160;<span class="term">hl_spec</span>&#160;- convert user-supplied <span class="term">$spec</span>&#160;value to one used internally<br />

+&#160; * &#160;<span class="term">hl_tag</span>&#160;- handle element tags and attributes<br />

+&#160; * &#160;<span class="term">hl_tag2</span>&#160;- transform element tags<br />

+&#160; * &#160;<span class="term">hl_tidy</span>&#160;- compact/beautify HTML<br />

+&#160; * &#160;<span class="term">hl_version</span>&#160;- report htmLawed version<br />

+&#160; * &#160;<span class="term">htmLawed</span>&#160;- main function<br />

+<br />

+&#160; <span class="term">htmLawed()</span>&#160;finalizes <span class="term">$spec</span>&#160;(with the help of <span class="term">hl_spec()</span>) and <span class="term">$config</span>, and globalizes them. Finalization of <span class="term">$config</span>&#160;involves setting default values if an inappropriate or invalid one is supplied. This includes calling <span class="term">hl_regex()</span>&#160;to check well-formedness of regular expression patterns if such expressions are user-supplied through <span class="term">$config</span>. <span class="term">htmLawed()</span>&#160;then removes invalid characters like nulls and <span class="term">x01</span>&#160;and appropriately handles entities using <span class="term">hl_ent()</span>. HTML comments and CDATA sections are identified and treated as per <span class="term">$config</span>&#160;with the help of <span class="term">hl_cmtcd()</span>. When retained, the <span class="term">&lt;</span>&#160;and <span class="term">&gt;</span>&#160;characters identifying them, and the <span class="term">&lt;</span>, <span class="term">&gt;</span>&#160;and <span class="term">&amp;</span>&#160;characters inside them, are replaced with control characters (code-points <span class="term">1</span>&#160;to <span class="term">5</span>) till any tag balancing is completed.<br />

+<br />

+&#160; After this <em>initial processing</em>&#160;<span class="term">htmLawed()</span>&#160;identifies tags using regex and processes them with the help of <span class="term">hl_tag()</span>&#160;-- &#160;a large function that analyzes tag content, filtering it as per HTML standards, <span class="term">$config</span>&#160;and <span class="term">$spec</span>. Among other things, <span class="term">hl_tag()</span>&#160;transforms deprecated elements using <span class="term">hl_tag2()</span>, removes attributes from closing tags, checks attribute values as per <span class="term">$spec</span>&#160;rules using <span class="term">hl_attrval()</span>, and checks URL protocols using <span class="term">hl_prot()</span>. <span class="term">htmLawed()</span>&#160;performs tag balancing and nesting checks with a call to <span class="term">hl_bal()</span>, and optionally compacts/beautifies the output with proper white-spacing with a call to <span class="term">hl_tidy()</span>. The latter temporarily replaces white-space, and <span class="term">&lt;</span>, <span class="term">&gt;</span>&#160;and <span class="term">&amp;</span>&#160;characters inside <span class="term">pre</span>, <span class="term">script</span>&#160;and <span class="term">textarea</span>&#160;elements, and HTML comments and CDATA sections with control characters (code-points <span class="term">1</span>&#160;to <span class="term">5</span>, and <span class="term">7</span>).<br />

+<br />

+&#160; htmLawed permits the use of custom code or <strong>hook functions</strong>&#160;at two stages. The first, called inside <span class="term">htmLawed()</span>, allows the input text as well as the finalized <span class="term">$config</span>&#160;and <span class="term">$spec</span>&#160;values to be altered right after the initial processing (see <a href="#s3.7">section 3.7</a>). The second is called by <span class="term">hl_tag()</span>&#160;once the tag content is finalized (see <a href="#s3.4.9">section 3.4.9</a>).<br />

+<br />

+&#160; The functionality of htmLawed is dictated by the external HTML standards. The code of htmLawed is thus written for a clear-cut aim, with not much concern for tweaking by other developers. The code is only minimally annotated with comments -- it is not meant to instruct. PHP developers familiar with the HTML specifications will see the logic, and others can always refer to the htmLawed documentation.

+</div>

+</div>

+<br />

+<hr /><br /><br /><span class="subtle"><small>HTM version of <em><a href="htmLawed_README.txt">htmLawed_README.txt</a></em> generated on 25 Sep, 2019 using <a href="http://www.bioinformatics.org/phplabware/internal_utilities">rTxt2htm</a> from PHP Labware</small></span>

+</div><!-- ended div body -->

+</div><!-- ended div top -->

+</body>

 </html>
\ No newline at end of file
diff --git a/lib/htmlawed/htmLawed_README.txt b/lib/htmlawed/htmLawed_README.txt
index 7950500..824fe90 100755
--- a/lib/htmlawed/htmLawed_README.txt
+++ b/lib/htmlawed/htmLawed_README.txt
@@ -1,1817 +1,1817 @@
-/*
-htmLawed_README.txt, 24 September 2019
-htmLawed 1.2.5, 24 September 2019
-Copyright Santosh Patnaik
-Dual licensed with LGPL 3 and GPL 2+
-A PHP Labware internal utility - http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed
-*/
-
-
-==  Content =========================================================
-
-
-1  About htmLawed
-  1.1  Example uses
-  1.2  Features
-  1.3  History
-  1.4  License & copyright
-  1.5  Terms used here
-  1.6  Availability
-2  Usage
-  2.1  Simple
-  2.2  Configuring htmLawed using the '$config' argument
-  2.3  Extra HTML specifications using the '$spec' argument
-  2.4  Performance time & memory usage
-  2.5  Some security risks to keep in mind
-  2.6  Use with 'kses()' code
-  2.7  Tolerance for ill-written HTML
-  2.8  Limitations & work-arounds
-  2.9  Examples of usage
-3  Details
-  3.1  Invalid/dangerous characters
-  3.2  Character references/entities
-  3.3  HTML elements
-    3.3.1  HTML comments & 'CDATA' sections
-    3.3.2  Tag-transformation for better compliance with standards
-    3.3.3  Tag balancing & proper nesting
-    3.3.4  Elements requiring child elements
-    3.3.5  Beautify or compact HTML
-  3.4  Attributes
-    3.4.1  Auto-addition of XHTML-required attributes
-    3.4.2  Duplicate/invalid 'id' values
-    3.4.3  URL schemes & scripts in attribute values
-    3.4.4  Absolute & relative URLs
-    3.4.5  Lower-cased, standard attribute values
-    3.4.6  Transformation of deprecated attributes
-    3.4.7  Anti-spam & 'href'
-    3.4.8  Inline style properties
-    3.4.9  Hook function for tag content
-  3.5  Simple configuration directive for most valid XHTML
-  3.6  Simple configuration directive for most `safe` HTML
-  3.7  Using a hook function
-  3.8  Obtaining `finalized` parameter values
-  3.9  Retaining non-HTML tags in input with mixed markup
-4  Other
-  4.1  Support
-  4.2  Known issues
-  4.3  Change-log
-  4.4  Testing
-  4.5  Upgrade, & old versions
-  4.6  Comparison with 'HTMLPurifier'
-  4.7  Use through application plug-ins/modules
-  4.8  Use in non-PHP applications
-  4.9  Donate
-  4.10  Acknowledgements
-5  Appendices
-  5.1  Characters discouraged in HTML
-  5.2  Valid attribute-element combinations
-  5.3  CSS 2.1 properties accepting URLs
-  5.4  Microsoft Windows 1252 character replacements
-  5.5  URL format
-  5.6  Brief on htmLawed code
-
-
-== 1  About htmLawed ================================================
-
-
-  htmLawed is a PHP script to process text with HTML markup to make it more compliant with HTML standards and with administrative policies. It works by making HTML well-formed with balanced and properly nested tags, neutralizing code that introduces a security vulnerability or is used for cross-site scripting (XSS) attacks, allowing only specified HTML tags and attributes, and so on. Such `lawing in` of HTML code ensures that it is in accordance with the aesthetics, safety and usability requirements set by administrators.
-  
-  htmLawed is highly customizable, and fast with low memory usage. Its free and open-source code is in one small file. It does not require extensions or libraries, and works in older versions of PHP as well. It is a good alternative to the HTML Tidy:- http://tidy.sourceforge.net application.
-
-
--- 1.1  Example uses ------------------------------------------------
-
-
-  *  Filtering of text submitted as comments on blogs to allow only certain HTML elements
-
-  *  Making RSS newsfeed items standard-compliant: often one uses an excerpt from an HTML document for the content, and with unbalanced tags, non-numerical entities, etc., such excerpts may not be XML-compliant
-  
-  *  Beautifying or pretty-printing HTML code
-
-  *  Text processing for stricter XML standard-compliance: e.g., to have lowercased 'x' in hexadecimal numeric entities becomes necessary if an HTML document with MathML content needs to be served as 'application/xml'
-
-  *  Scraping text from web-pages
-  
-  *  Transforming an HTML element to another
-
-
--- 1.2  Features ---------------------------------------------------o
-
-
-  Key: '*' security feature, '^' standard compliance, '~' requires setting right options
-  
-  htmLawed:
-  
-  *  makes input more *secure* and *standard-compliant* for HTML as well as generic *XML* documents  ^
-  *  supports markup for *HTML 5* and *microdata, ARIA, Ruby, custom attributes*, etc.  ^
-  *  can *beautify* or *compact* HTML  ~
-  *  works with input of almost any *character encoding* and does not affect it
-  *  has good *tolerance for ill-written HTML*
-
-  *  can enforce *restricted use of elements*  *~
-  *  ensures proper closure of empty elements like 'img'  ^
-  *  *transforms deprecated elements* like 'font'  ^~
-  *  can permit HTML *comments* and *CDATA* sections  ^~
-  *  can permit all elements, including 'script', 'object' and 'form'  ~
-
-  *  can *restrict attributes by element*  ^~
-  *  removes *invalid attributes*  ^
-  *  lower-cases element and attribute names  ^
-  *  provides *required attributes*, like 'alt' for 'image'  ^
-  *  *transforms deprecated attributes*  ^~
-  *  ensures attributes are *declared only once*  ^
-  *  permits *custom*, non-standard attributes as well as custom rules for standard attributes  ~
-
-  *  declares value for `empty` (`minimized` or `boolean`) attributes like 'checked'  ^
-  *  checks for potentially dangerous attribute values  *~
-  *  ensures *unique* 'id' attribute values  ^~
-  *  *double-quotes* attribute values  ^
-  *  lower-cases *standard attribute values* like 'password'  ^
-
-  *  can restrict *URL protocol/scheme by attribute*  *~
-  *  can disable *dynamic expressions* in 'style' values  *~
-
-  *  neutralizes invalid named *character entities*  ^
-  *  converts hexadecimal numeric entities to decimal ones, or vice versa  ^~
-  *  converts named entities to numeric ones for generic XML use  ^~
-
-  *  removes *null* characters  *
-  *  neutralizes potentially dangerous proprietary Netscape *Javascript entities*  *
-  *  replaces potentially dangerous *soft-hyphen* character in URL-accepting attribute values with spaces  *
-
-  *  removes common *invalid characters* not allowed in HTML or XML  ^
-  *  replaces *characters from Microsoft applications* like 'Word' that are discouraged in HTML or XML  ^~
-  *  neutralize entities for characters invalid or discouraged in HTML or XML  ^
-  *  appropriately neutralize '<', '&', '"', and '>' characters  ^*
-
-  *  understands improperly spaced tag content (e.g., spread over more than a line) and properly spaces them
-  *  attempts to *balance tags* for well-formedness  ^~
-  *  understands when *omitable closing tags* like '</p>' are missing  ^~
-  *  attempts to permit only *validly nested tags*  ^~
-  *  can *either remove or neutralize bad content* ^~
-  *  attempts to *rectify common errors of plain-text misplacement* (e.g., directly inside 'blockquote') ^~
-
-  *  has optional *anti-spam* measures such as addition of 'rel="nofollow"' and link-disabling  ~
-  *  optionally makes *relative URLs absolute*, and vice versa  ~
-
-  *  optionally marks '&' to identify the entities for '&', '<' and '>' introduced by it  ~
-
-  *  allows deployment of powerful *hook functions* to *inject* HTML, *consolidate* 'style' attributes to 'class', finely check attribute values, etc.  ~
-
-
--- 1.3  History ----------------------------------------------------o
-
-
-  htmLawed was created in 2007 for use with 'LabWiki', a wiki software developed at PHP Labware, as a suitable software could not be found. Existing PHP software like 'Kses' and 'HTMLPurifier' were deemed inadequate, slow, resource-intensive, or dependent on an extension or external application like 'HTML Tidy'. The core logic of htmLawed, that of identifying HTML elements and attributes, was based on the 'Kses' (version 0.2.2) HTML filter software of Ulf Harnhammar (it can still be used with code that uses 'Kses'; see section:- #2.6.). Support for HTML version 5 was added in May 2013 in a beta and in February 2017 in a production release.
-  
-  See section:- #4.3 for a detailed log of changes in htmLawed over the years, and section:- #4.10 for acknowledgements.
-
-
--- 1.4  License & copyright ----------------------------------------o
-
-
-  htmLawed is free and open-source software, copyrighted by Santosh Patnaik, MD, PhD, and dual-licensed with LGPL version 3:- http://www.gnu.org/licenses/lgpl-3.0.txt, and GPL version 2:- http://www.gnu.org/licenses/gpl-2.0.txt (or later) licenses.
-
-
--- 1.5  Terms used here --------------------------------------------o
-
-
-  In this document, only HTML body-level elements are considered. htmLawed does not have support for head-level elements, 'body', and the frame-level elements, 'frameset', 'frame' and 'noframes', and these elements are ignored here.
-
-  *  `administrator` - or admin; person setting up the code that utilizes htmLawed; also, `user`
-  *  `attributes` - name-value pairs like 'href="http://x.com"' in opening tags
-  *  `author` - see `writer`
-  *  `character` - atomic unit of text; internally represented by a numeric `code-point` as specified by the `encoding` or `charset` in use
-  *  `entity` - markup like '&gt;' and '&#160;' used to refer to a character
-  *  `element` - HTML element like 'a' and 'img'
-  *  `element content` -  content between the opening and closing tags of an element, like 'click' of the '<a href="x">click</a>' element
-  *  `HTML` - implies XHTML unless specified otherwise
-  *  `HTML body` - content in the `body` container of an HTML document
-  *  `input` - text given to htmLawed to process
-  *  `legal` – standard-compliant; also, `valid`
-  *  `processing` - involves filtering, correction, etc., of input
-  *  `safe` - absence or reduction of certain characters and HTML elements and attributes in HTML of text that can otherwise potentially, and circumstantially, expose text readers to security vulnerabilities like cross-site scripting attacks (XSS)
-  *  `scheme` - a URL protocol like 'http' and 'ftp'
-  *  `specification` - detailed description including rules that define HTML
-  *  `standard` – widely accepted specification
-  *  `style property` - terms like 'border' and 'height' for which declarations are made in values for the 'style' attribute of elements
-  *  `tag` - markers like '<a href="x">' and '</a>' delineating element content; the opening tag can contain attributes
-  *  `tag content` - consists of tag markers '<' and '>', element names like 'div', and possibly attributes
-  *  `user` - administrator
-  *  `valid` - see `legal`
-  *  `writer` - end-user like a blog commenter providing the input that is to be processed; also, `author`
-  *  `XHTML` - XML-compliant HTML; parsing rules for XHTML are more strict than for regular HTML
-
-
--- 1.6  Availability -----------------------------------------------o
-
-
-  htmLawed can be downloaded for free at its website:- http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed. Besides the 'htmLawed.php' file, the download has the htmLawed documentation (this document) in plain text:- htmLawed_README.txt and HTML:- htmLawed_README.htm formats, a script for testing:- htmLawedTest.php, and a text file for test-cases:- htmLawed_TESTCASE.txt. htmLawed is also available as a PHP class (OOP code) at its website.
-
-
-== 2  Usage =======================================================oo
-
-
-  htmLawed works in PHP version 4.4 or higher. Either 'include()' the 'htmLawed.php' file, or copy-paste the entire code.
-  
-  To use with PHP 4.3, have the following code included:
-
-    if(!function_exists('ctype_digit')){
-     function ctype_digit($var){
-      return ((int) $var == $var);
-     }
-    }
-
-
--- 2.1  Simple ------------------------------------------------------
-
-
-  The input text to be processed, '$text', is passed as an argument of type string; 'htmLawed()' returns the processed string:
-
-    $processed = htmLawed($text);
-    
-  With the 'htmLawed class' (section:- #1.6), usage is:
-  
-    $processed = htmLawed::hl($text);
-
-  *Notes*: (1) If input is from a '$_GET' or '$_POST' value, and 'magic quotes' are enabled on the PHP setup, run 'stripslashes()' on the input before passing to htmLawed. (2) htmLawed does not have support for head-level elements, 'body', and the frame-level elements, 'frameset', 'frame' and 'noframes'.
-
-  By default, htmLawed will process the text allowing all valid HTML elements/tags and commonly used URL schemes and CSS style properties. It will allow Javascript code, 'CDATA' sections and HTML comments, balance tags, and ensure proper nesting of elements. Such actions can be configured using two other optional arguments -- '$config' and '$spec':
-
-    $processed = htmLawed($text, $config, $spec); 
-
-  The '$config' and '$spec' arguments are detailed below. Some examples are shown in section:- #2.9. For maximum protection against 'XSS' and other security vulnerabilities, consider using the 'safe' parameter; see section:- #3.6.
-
-
--- 2.2  Configuring htmLawed using the '$config' argument ---------o
-
-
-  '$config' instructs htmLawed on how to tackle certain tasks. When '$config' is not specified, or not set as an array (e.g., '$config = 1'), htmLawed will take default actions. One or many of the task-action or parameter-value pairs can be specified in '$config' as array key-value pairs. If a parameter is not specified, htmLawed will use the default value for it, indicated further below. In PHP code, parameter values that are integers should not be quoted and should be used as numeric types (unless meant as string/text). Thus, for instance:
-
-    $config = array('comment'=>0, 'cdata'=>1, 'elements'=>'a, b, strong');
-    $processed = htmLawed($text, $config);
-
-  Below are the various parameters that can be specified in '$config'.
-
-  Key: '*' default, '^' different from htmLawed versions below 1.2, '~' different default when 'valid_xhtml' is set to '1' (see section:- #3.5), '"' different default when 'safe' is set to '1' (see section:- #3.6)
-
-  *abs_url*
-  Make URLs absolute or relative; '$config["base_url"]' needs to be set; see section:- #3.4.4
-
-  '-1' - make relative
-  '0' - no action  *
-  '1' - make absolute
-
-  *and_mark*
-  Mark '&' characters in the original input; see section:- #3.2
-
-  *anti_link_spam*
-  Anti-link-spam measure; see section:- #3.4.7
-      
-  '0' - no measure taken  *
-  `array("regex1", "regex2")` - will ensure a 'rel' attribute with 'nofollow' in its value in case the 'href' attribute value matches the regular expression pattern 'regex1', and/or will remove 'href' if its value matches the regular expression pattern 'regex2'. E.g., 'array("/./", "/://\W*(?!(abc\.com|xyz\.org))/")'; see section:- #3.4.7 for more.
-
-  *anti_mail_spam*
-  Anti-mail-spam measure; see section:- #3.4.7
-
-  '0' - no measure taken  *
-  `word` - '@' in mail address in 'href' attribute value is replaced with specified `word`
-
-  *balance*
-  Balance tags for well-formedness and proper nesting; see section:- #3.3.3
-
-  '0' - no
-  '1' - yes  *
-
-  *base_url*
-  Base URL value that needs to be set if '$config["abs_url"]' is not '0'; see section:- #3.4.4
-
-  *cdata*
-  Handling of 'CDATA' sections; see section:- #3.3.1
-
-  '0' - don't consider 'CDATA' sections as markup and proceed as if plain text  "
-  '1' - remove
-  '2' - allow, but neutralize any '<', '>', and '&' inside by converting them to named entities
-  '3' - allow  *
-
-  *clean_ms_char*
-  Replace `discouraged` characters introduced by Microsoft Word, etc.; see section:- #3.1
-
-  '0' - no  *
-  '1' - yes
-  '2' - yes, but replace special single & double quotes with ordinary ones
-
-  *comment*
-  Handling of HTML comments; see section:- #3.3.1
-
-  '0' - don't consider comments as markup and proceed as if plain text  "
-  '1' - remove
-  '2' - allow, but neutralize any '<', '>', and '&' inside by converting to named entities
-  '3' - allow  *
-
-  *css_expression*
-  Allow dynamic CSS expression by not removing the expression from CSS property values in 'style' attributes; see section:- #3.4.8
-
-  '0' - remove  *
-  '1' - allow
-
-  *deny_attribute*
-  Denied HTML attributes; see section:- #3.4
-
-  '0' - none  *
-  `string` - dictated by values in `string`
-  'on*' - on* event attributes like 'onfocus' not allowed  "
-  
-  *direct_nest_list*
-  Allow direct nesting of a list within another without requiring it to be a list item; see section:- #3.3.4
-
-  '0' - no  *
-  '1' - yes
-
-  *elements*
-  Allowed HTML elements; see section:- #3.3
-
-  `all` - *^
-  '* -acronym -big -center -dir -font -isindex -s -strike -tt' -  ~^
-  `applet, audio, canvas, embed, iframe, object, script, and video elements not allowed` -  "^
-
-  *hexdec_entity*
-  Allow hexadecimal numeric entities and do not convert to the more widely accepted decimal ones, or convert decimal to hexadecimal ones; see section:- #3.2
-
-  '0' - no
-  '1' - yes  *
-  '2' - convert decimal to hexadecimal ones
-
-  *hook*
-  Name of an optional hook function to alter the input string, '$config' or '$spec' before htmLawed enters the main phase of its work; see section:- #3.7
-
-  '0' - no hook function  *
-  `name` - `name` is name of the hook function
-
-  *hook_tag*
-  Name of an optional hook function to alter tag content finalized by htmLawed; see section:- #3.4.9
-
-  '0' - no hook function  *
-  `name` - `name` is name of the hook function
-
-  *keep_bad*
-  Neutralize `bad` tags by converting their '<' and '>' characters to entities, or remove them; see section:- #3.3.3
-
-  '0' - remove  
-  '1' - neutralize both tags and element content
-  '2' - remove tags but neutralize element content
-  '3' and '4' - like '1' and '2' but remove if text ('pcdata') is invalid in parent element
-  '5' and '6' * -  like '3' and '4' but line-breaks, tabs and spaces are left
-
-  *lc_std_val*
-  For XHTML compliance, predefined, standard attribute values, like 'get' for the 'method' attribute of 'form', must be lowercased; see section:- #3.4.5
-
-  '0' - no
-  '1' - yes  *
-
-  *make_tag_strict*
-  Transform or remove these deprecated HTML elements, even if they are allowed by the admin: acronym, applet, big, center, dir, font, isindex, s, strike, tt; see section:- #3.3.2
-
-  '0' - no  
-  '1' - yes, but leave 'applet' and 'isindex' that currently cannot be transformed  *^
-  '2' - yes, removing 'applet' and 'isindex' elements and their contents (nested elements remain)  ~^
-
-  *named_entity*
-  Allow non-universal named HTML entities, or convert to numeric ones; see section:- #3.2
-
-  '0' - convert
-  '1' - allow  *
-
-  *no_deprecated_attr*
-  Allow deprecated attributes or transform them; see section:- #3.4.6
-
-  '0' - allow  
-  '1' - transform, but 'name' attributes for 'a' and 'map' are retained  *
-  '2' - transform
-
-  *parent*
-  Name of the parent element, possibly imagined, that will hold the input; see section:- #3.3
-
-  *safe*
-  Magic parameter to make input the most secure against vulnerabilities like XSS without needing to specify other relevant '$config' parameters; see section:- #3.6
-
-  '0' - no  *
-  '1' - will auto-adjust other relevant '$config' parameters (indicated by '"' in this list)  ^
-
-  *schemes*
-  Array of attribute-specific, comma-separated, lower-cased list of schemes (protocols) allowed in attributes accepting URLs (or '!' to `deny` any URL); '*' covers all unspecified attributes; see section:- #3.4.3
-
-  'href: aim, app, feed, file, ftp, gopher, http, https, javascript, irc, mailto, news, nntp, sftp, ssh, tel, telnet; *:data, file, http, https, javascript'  *^
-  'href: aim, feed, file, ftp, gopher, http, https, irc, mailto, news, nntp, sftp, ssh, tel, telnet; style: !; *:file, http, https'  "
-
-  *show_setting*
-  Name of a PHP variable to assign the `finalized` '$config' and '$spec' values; see section:- #3.8
-
-  *style_pass*
-  Ignore 'style' attribute values, letting them through without any alteration
-
-  '0' - no *
-  '1' - htmLawed will let through any 'style' value; see section:- #3.4.8
-
-  *tidy*
-  Beautify or compact HTML code; see section:- #3.3.5
-
-  '-1' - compact
-  '0' - no  *
-  '1' or `string` - beautify (custom format specified by 'string')
-
-  *unique_ids*
-  'id' attribute value checks; see section:- #3.4.2
-
-  '0' - no  
-  '1' - remove duplicate and/or invalid ones  *
-  `word` - remove invalid ones and replace duplicate ones with new and unique ones based on the `word`; the admin-specified `word` cannot contain a space character
-
-  *valid_xhtml*
-  Magic parameter to make input the most valid XHTML without needing to specify other relevant '$config' parameters; see section:- #3.5
-
-  '0' - no  *
-  '1' - will auto-adjust other relevant '$config' parameters (indicated by '~' in this list)
-
-  *xml:lang*
-  Auto-add 'xml:lang' attribute; see section:- #3.4.1
-
-  '0' - no  *
-  '1' - add if 'lang' attribute is present
-  '2' - add if 'lang' attribute is present, and remove 'lang'  ~
-
-
--- 2.3  Extra HTML specifications using the $spec parameter --------o
-
-
-  The '$spec' argument of htmLawed can be used to disallow an otherwise legal attribute for an element, or to restrict the attribute's values. This can also be helpful as a security measure (e.g., in certain versions of browsers, certain values can cause buffer overflows and denial of service attacks), or in enforcing admin policies. '$spec' is specified as a string of text containing one or more `rules`, with multiple rules separated from each other by a semi-colon (';'). E.g.,
-
-    $spec = 'i=-*; td, tr=style, id, -*; a=id(match="/[a-z][a-z\d.:\-`"]*/i"/minval=2), href(maxlen=100/minlen=34); img=-width,-alt';
-    $processed = htmLawed($text, $config, $spec);
-
-  Or,
-
-    $processed = htmLawed($text, $config, 'i=-*; td, tr=style, id, -*; a=id(match="/[a-z][a-z\d.:\-`"]*/i"/minval=2), href(maxlen=100/minlen=34); img=-width,-alt');
-
-  A rule begins with an HTML *element* name(s) (`rule-element`), for which the rule applies, followed by an equal-to (=) sign. A rule-element may represent multiple elements if comma (,)-separated element names are used. E.g., 'th,td,tr='.
-
-  Rest of the rule consists of comma-separated HTML *attribute names*. A minus (-) character before an attribute means that the attribute is not permitted inside the rule-element. E.g., '-width'. To deny all attributes, '-*' can be used.
-
-  Following shows examples of rule excerpts with rule-element 'a' and the attributes that are being permitted:
-
-  *  'a=' - all
-  *  'a=id' - all
-  *  'a=href, title, -id, -onclick' - all except 'id' and 'onclick'
-  *  'a=*, id, -id' - all except 'id'
-  *  'a=-*' - none
-  *  'a=-*, href, title' - none except 'href' and 'title'
-  *  'a=-*, -id, href, title' - none except 'href' and 'title'
-
-  Rules regarding *attribute values* are optionally specified inside round brackets after attribute names in solidus (/)-separated `parameter = value` pairs. E.g., 'title(maxlen=30/minlen=5)'. None or one or more of the following parameters may be specified:
-
-  *  'oneof' - one or more choices separated by '|' that the value should match; if only one choice is provided, then the value must match that choice; matching is case-sensitive
-
-  *  'noneof' - one or more choices separated by '|' that the value should not match; matching is case-sensitive
-
-  *  'maxlen' and 'minlen' - upper and lower limits for the number of characters in the attribute value; specified in numbers
-
-  *  'maxval' and 'minval' - upper and lower limits for the numerical value specified in the attribute value; specified in numbers
-
-  *  'match' and 'nomatch' - pattern that the attribute value should or should not match; specified as PHP/PCRE-compatible regular expressions with delimiters and possibly modifiers (e.g., to specify case-sensitivity for matching)
-
-  *  'default' - a value to force on the attribute if the value provided by the writer does not fit any of the specified parameters
-
-  If 'default' is not set and the attribute value does not satisfy any of the specified parameters, then the attribute is removed. The 'default' value can also be used to force all attribute declarations to take the same value (by getting the values declared illegal by setting, e.g., 'maxlen' to '-1').
-
-  Examples with `input` '<input title="WIDTH" value="10em" /><input title="length" value="5" class="ic1 ic2" />' are shown below.
-
-  `Rule`: 'input=title(maxlen=60/minlen=6), value'
-  `Output`: '<input value="10em" /><input title="length" value="5" class="ic1 ic2" />'
-
-  `Rule`: 'input=title(), value(maxval=8/default=6)'
-  `Output`: '<input title="WIDTH" value="6" /><input title="length" value="5" class="ic1 ic2" />'
-
-  `Rule`: 'input=title(nomatch=%w.d%i), value(match=%em%/default=6em)'
-  `Output`: '<input value="10em" /><input title="length" value="6em" class="ic1 ic2" />'
-
-  `Rule`: 'input=class(noneof=ic2|ic3/oneof=ic1|ic4), title(oneof=height|depth/default=depth), value(noneof=5|6)'
-  `Output`: '<input title="depth" value="10em" /><input title="depth" class="ic1" />'
-
-  *Special characters*: The characters ';', ',', '/', '(', ')', '|', '~' and space have special meanings in the rules. Words in the rules that use such characters, or the characters themselves, should be `escaped` by enclosing in pairs of double-quotes ('"'). A back-tick ('`') can be used to escape a literal '"'. An example rule illustrating this is 'input=value(maxlen=30/match="/^\w/"/default="your `"ID`"")'.
-
-  *Attributes that accept multiple values*: If an attribute is 'accesskey', 'class', 'itemtype' or 'rel', which can have multiple, space-separated values, or 'srcset', which can have multiple, comma-separated values, htmLawed will parse the attribute value for such multiple values and will individually test each of them.
-   
-  *Note*: To deny an attribute for all elements for which it is legal, '$config["deny_attribute"]' (see section:- #3.4) can be used instead of '$spec'. Also, attributes can be allowed element-specifically through '$spec' while being denied globally through '$config["deny_attribute"]'. The 'hook_tag' parameter (section:- #3.4.9) can also be possibly used to implement a functionality like that achieved using '$spec' functionality.
-  
-  *Note*: Attributes' specifications for an element may be set through multiple rules. In case of conflict, the attribute specification in the first rule will get precedence.
-  
-  '$spec' can also be used to permit custom, non-standard attributes as well as custom rules for standard attributes. Thus, the following value of '$spec' will permit the custom uses of the standard 'rel' attribute in 'input' (not permitted as per standards) and of a non-standard attribute, 'vFlag', in 'img'.
-  
-    $spec = 'img=vFlag; input=rel'
-
-  The attribute names must begin with an alphabet and cannot have space, equal-to (=) and solidus (/) characters.
-
-
--- 2.4  Performance time & memory usage ----------------------------o
-
-
-  The time and memory consumed during text processing by htmLawed depends on its configuration, the size of the input, and the amount, nestedness and well-formedness of the HTML markup within the input. In particular, tag balancing and beautification each can increase the processing time by about a quarter.
-
-  The htmLawed demo:- htmLawedTest.php can be used to evaluate the performance and effects of different types of input and '$config'.
-
-
--- 2.5  Some security risks to keep in mind ------------------------o
-
-
-  When setting the parameters/arguments (like those to allow certain HTML elements) for use with htmLawed, one should bear in mind that the setting may let through potentially `dangerous` HTML code which is meant to steal user-data, deface a website, render a page non-functional, etc. Unless end-users, either people or software, supplying the content are completely trusted, security issues arising from the degree of HTML usage permitted through htmLawed's setting should be considered. For example, following increase security risks:
-
-  *  Allowing 'script', 'applet', 'embed', 'iframe', 'canvas', 'audio', 'video' or 'object' elements, or certain of their attributes like 'allowscriptaccess'
-
-  *  Allowing HTML comments (some Internet Explorer versions are vulnerable with, e.g., '<!--[if gte IE 4]><script>alert("xss");</script><![endif]-->'
-  
-  *  Allowing dynamic CSS expressions (some Internet Explorer versions are vulnerable)
-  
-  *  Allowing the 'style' attribute
-
-  To remove `unsecure` HTML, code-developers using htmLawed must set '$config' appropriately. E.g., '$config["elements"] = "* -script"' to deny the 'script' element (section:- #3.3), '$config["safe"] = 1' to auto-configure ceratin htmLawed parameters for maximizing security (section:- #3.6), etc. 
-  
-  Permitting the '*style*' attribute brings in risks of `click-jacking`, `phishing`, web-page overlays, etc., `even` when the 'safe' parameter is enabled (see section:- #3.6). Except for URLs and a few other things like CSS dynamic expressions, htmLawed currently does not check every CSS style property. It does provide ways for the code-developer implementing htmLawed to do such checks through htmLawed's '$spec' argument, and through the 'hook_tag' parameter (see section:- #3.4.8 for more). Disallowing 'style' completely and relying on CSS classes and stylesheet files is recommended.
-  
-  htmLawed does not check or correct the character *encoding* of the input it receives. In conjunction with permissive circumstances, such as when the character encoding is left undefined through HTTP headers or HTML 'meta' tags, this can allow for an exploit (like Google's `UTF-7/XSS` vulnerability of the past).
-  
-  Ocassionally, though very rarely, the default settings with which htmLawed runs may change between different versions of htmLawed. Admins should keep this in mind when upgrading htmLawed. Important changes in htmLawed's default behavior in new releases of the software are noted in section:- #4.5 on upgrades.
-
-
--- 2.6  Use with 'kses()' code -------------------------------------o
-
-
-  The 'Kses' PHP script for HTML filtering is used by many applications (like 'WordPress', as in year 2012). It is possible to have such applications use htmLawed instead, since it is compatible with code that calls the 'kses()' function declared in the 'Kses' file (usually named 'kses.php'). E.g., application code like this will continue to work after replacing 'Kses' with htmLawed:
-
-    $comment_filtered = kses($comment_input, array('a'=>array(), 'b'=>array(), 'i'=>array()));
-
-  If the application uses a 'Kses' file that has the 'kses()' function declared, then, to have the application use htmLawed instead of 'Kses', rename 'htmLawed.php' (to 'kses.php', e.g.) and replace the 'Kses' file (or just replace the code in the 'Kses' file with the htmLawed code). If the 'kses()' function in the 'Kses' file had been renamed by the application developer (e.g., in 'WordPress', it is named 'wp_kses()'), then appropriately rename the 'kses()' function in the htmLawed code. Then, add the following code (which was a part of htmLawed prior to version 1.2):
-
-    // kses compatibility
-    function kses($t, $h, $p=array('http', 'https', 'ftp', 'news', 'nntp', 'telnet', 'gopher', 'mailto')){
-     foreach($h as $k=>$v){
-      $h[$k]['n']['*'] = 1;
-     }
-     $C['cdata'] = $C['comment'] = $C['make_tag_strict'] = $C['no_deprecated_attr'] = $C['unique_ids'] = 0;
-     $C['keep_bad'] = 1;
-     $C['elements'] = count($h) ? strtolower(implode(',', array_keys($h))) : '-*';
-     $C['hook'] = 'kses_hook';
-     $C['schemes'] = '*:'. implode(',', $p);
-     return htmLawed($t, $C, $h);
-     }
-
-    function kses_hook($t, &$C, &$S){
-     return $t;
-    }
-
-  If the 'Kses' file used by the application has been significantly altered by the application developers, then one may need a different approach. E.g., with 'WordPress' (as in the year 2012), it is best to copy the htmLawed code, along with the above-mentioned additions, to 'wp_includes/kses.php', rename the newly added function 'kses()' to 'wp_kses()', and delete the code for the original 'wp_kses()' function.
-
-  If the 'Kses' code has a non-empty hook function (e.g., 'wp_kses_hook()' in case of 'WordPress'), then the code for htmLawed's 'kses_hook()' function should be appropriately edited. However, the requirement of the hook function should be re-evaluated considering that htmLawed has extra capabilities. With 'WordPress', the hook function is an essential one. The following code is suggested for the htmLawed 'kses_hook()' in case of 'WordPress':
-
-    // kses compatibility
-    function kses_hook($string, &$cf, &$spec){   
-     $allowed_html = $spec;
-     $allowed_protocols = array();
-     foreach($cf['schemes'] as $v){
-      foreach($v as $k2=>$v2){
-       if(!in_array($k2, $allowed_protocols)){
-        $allowed_protocols[] = $k2;
-       }
-      }
-     }
-     return wp_kses_hook($string, $allowed_html, $allowed_protocols);
-    }
-
-
--- 2.7  Tolerance for ill-written HTML -----------------------------o
-
-
-  htmLawed can work with ill-written HTML code in the input. However, HTML that is too ill-written may not be `read` as HTML, and may therefore get identified as mere plain text. Following statements indicate the degree of `looseness` that htmLawed can work with, and can be provided in instructions to writers:
-
-  *  Tags must be flanked by '<' and '>' with no '>' inside -- any needed '>' should be put in as '&gt;'. It is possible for tag content (element name and attributes) to be spread over many lines instead of being on one. A space may be present between the tag content and '>', like '<div >' and '<img / >', but not after the '<'.
-
-  *  Element and attribute names need not be lower-cased.
-
-  *  Attribute string of elements may be liberally spaced with tabs, line-breaks, etc.
-
-  *  Attribute values may be single- and not double-quoted.
-
-  *  Left-padding of numeric entities (like, '&#0160;', '&x07ff;') with '0' is okay as long as the number of characters between between the '&' and the ';' does not exceed 8. All entities must end with ';' though. 
-
-  *  Named character entities must be properly cased. Thus, '&Lt;' or '&TILDE;' will not be recognized as entities and will be `neutralized`.
-
-  *  HTML comments should not be inside element tags (they can be between tags), and should begin with '<!--' and end with '-->'. Characters like '<', '>', and '&' may be allowed inside depending on '$config', but any '-->' inside should be put in as '--&gt;'. Any '--' inside will be automatically converted to '-', and a space will be added before the '-->' comment-closing marker  unless '$config["comments"]' is set to '4' (section:- #3.3.1).
-
-  *  'CDATA' sections should not be inside element tags, and can be in element content only if plain text is allowed for that element. They should begin with '<[CDATA[' and end with ']]>'. Characters like '<', '>', and '&' may be allowed inside depending on '$config', but any ']]>' inside should be put in as ']]&gt;'.
-
-  *  For attribute values, character entities '&lt;', '&gt;' and '&amp;' should be used instead of characters '<' and '>', and '&' (when '&' is not part of a character entity). This applies even for Javascript code in values of attributes like 'onclick'.
-
-  *  Characters '<', '>', '&' and '"' that are part of actual Javascript, etc., code in 'script' elements should be used as such and not be put in as entities like '&gt;'. Otherwise, though the HTML will be valid, the code may fail to work. Further, if such characters have to be used, then they should be put inside 'CDATA' sections.
-
-  *  Simple instructions like "an opening tag cannot be present between two closing tags" and "nested elements should be closed in the reverse order of how they were opened" can help authors write balanced HTML. If tags are imbalanced, htmLawed will try to balance them, but in the process, depending on '$config["keep_bad"]', some code/text may be lost.
-
-  *  Input authors should be notified of admin-specified allowed elements, attributes, configuration values (like conversion of named entities to numeric ones), etc.
-
-  *  With '$config["unique_ids"]' not '0' and the 'id' attribute being permitted, writers should carefully avoid using duplicate or invalid 'id' values as even though htmLawed will correct/remove the values, the final output may not be the one desired. E.g., when '<a id="home"></a><input id="home" /><label for="home"></label>' is processed into 
-'<a id="home"></a><input id="prefix_home" /><label for="home"></label>'.
-
-  *  Even if intended HTML is lost from an ill-written input, the processed output will be more secure and standard-compliant.
-
-  *  For URLs, unless '$config["scheme"]' is appropriately set, writers should avoid using escape characters or entities in schemes. E.g., 'htt&#112;' (which many browsers will read as the harmless 'http') may be considered bad by htmLawed.
-
-  *  htmLawed will attempt to put plain text present directly inside 'blockquote', 'form', 'map' and 'noscript' elements (illegal as per the specifications) inside auto-generated 'div' elements during tag balancing (section:- #3.3.3).
-
-
--- 2.8  Limitations & work-arounds ---------------------------------o
-
-
-  htmLawed's main objective is to make the input text `more` standard-compliant, secure for readers, and free of HTML elements and attributes considered undesirable by the administrator. Some of its current limitations, regardless of this objective, are noted below along with possible work-arounds.
-
-  It should be borne in mind that no browser application is 100% standard-compliant, standard specifications continue to evolve, and many browsers accept commonly used non-standard HTML. Regarding security, note that `unsafe` HTML code is not legally invalid per se.
-  
-  *  By default, htmLawed will not strictly adhere to the `current` HTML standard. Admins can configure htmLawed to be more strict about standard compliance. Standard specification for HTML is continuously evolving. There are two bodies (W3C:- http://www.w3c.org and WHATWG:- http://www.whatwg.org) that specify the standard and their specifications are not identical. E.g., as in mid-2013, the 'border' attribute is valid in 'table' as per W3C but not WHATWG. Thus, htmLawed may not be fully compliant with the standard of a specific group. The HTML standards/rules that htmLawed uses in its logic are a mix of the W3C and WHATWG standards, and can be lax because of the laxity of HTML interpreters (browsers) regarding standards.
-  
-  *  In general, htmLawed processes input to generate output that is most likely to be standard-compatible in most users' browsers. Thus, for example, it does not enforce the required value of '0' on 'border' attribute of 'img' (an HTML version 5 specification).
-
-  *  htmLawed is meant for input that goes into the 'body' of HTML documents. HTML's head-level elements are not supported, nor are the frame-specific elements 'frameset', 'frame' and 'noframes'. However, content of the latter elements can be individually filtered through htmLawed.
-
-  *  It cannot handle input that has non-HTML code like 'SVG' and 'MathML'. One way around is to break the input into pieces and passing only those without non-HTML code to htmLawed. Another is described in section:- #3.9. A third way may be to some how take advantage of the '$config["and_mark"]' parameter (see section:- #3.2).
-
-  *  By default, htmLawed won't check many attribute values for standard compliance. E.g., 'width="20m"' with the dimension in non-standard 'm' is let through. Implementing universal and strict attribute value checks can make htmLawed slow and resource-intensive. Admins should look at the 'hook_tag' parameter (section:- #3.4.9) or '$spec' to enforce finer checks on attribute values.
-  
-  *  By default, htmLawed considers all ARIA, data-*, event and microdata attributes as global attributes and permits them in all elements. This is not strictly standard-compliant. E.g., the 'itemtype' microdata attribute is permitted only in elements that also have the 'itemscope' attribute. Admins can configure htmLawed to be more strict about this (section:- #2.3).
-
-  *  The attributes, deprecated (which can be transformed too) or not, that it supports are largely those that are in the specifications. Only a few of the proprietary attributes are supported. However, '$spec' can be used to allow custom attributes (section:- #2.3).
-
-  *  Except for contained URLs and dynamic expressions (also optional), htmLawed does not check CSS style property values. Admins should look at using the 'hook_tag' parameter (section:- #3.4.9) or '$spec' for finer checks. Perhaps the best option is to disallow 'style' but allow 'class' attributes with the right 'oneof' or 'match' values for 'class', and have the various class style properties in '.css' CSS stylesheet files.
-
-  *  htmLawed does not parse emoticons, decode `BBcode`, or `wikify`, auto-converting text to proper HTML. Similarly, it won't convert line-breaks to 'br' elements. Such functions are beyond its purview. Admins should use other code to pre- or post-process the input for such purposes.
-
-  *  htmLawed cannot be used to have links force-opened in new windows (by auto-adding appropriate 'target' and 'onclick' attributes to 'a'). Admins should look at Javascript-based DOM-modifying solutions for this. Admins may also be able to use a custom hook function to enforce such checks ('hook_tag' parameter; see section:- #3.4.9).
-
-  *  Nesting-based checks are not possible. E.g., one cannot disallow 'p' elements specifically inside 'td' while permitting it elsewhere. Admins may be able to use a custom hook function to enforce such checks ('hook_tag' parameter; see section:- #3.4.9).
-
-  *  Except for optionally converting absolute or relative URLs to the other type, htmLawed will not alter URLs (e.g., to change the value of query strings or to convert 'http' to 'https'. Having absolute URLs may be a standard-requirement, e.g., when HTML is embedded in email messages, whereas altering URLs for other purposes is beyond htmLawed's goals. Admins may be able to use a custom hook function to enforce such checks ('hook_tag' parameter; see section:- #3.4.9).
-
-  *  Pairs of opening and closing tags that do not enclose any content (like '<em></em>') are not removed. This may be against the standard specification for certain elements (e.g., 'table'). However, presence of such standard-incompliant code will not break the display or layout of content. Admins can also use simple regex-based code to filter out such code.
-
-  *  htmLawed does not check for certain element orderings described in the standard specifications (e.g., in a 'table', 'tbody' is allowed before 'tfoot'). Admins may be able to use a custom hook function to enforce such checks ('hook_tag' parameter; see section:- #3.4.9).
-
-  *  htmLawed does not check the number of nested elements. E.g., it will allow two 'caption' elements in a 'table' element, illegal as per standard specifications. Admins may be able to use a custom hook function to enforce such checks ('hook_tag' parameter; see section:- #3.4.9).
-  
-  *  There are multiple ways to interpret ill-written HTML. E.g., in '<small><small>text</small>', is it that the second closing tag for 'small' is missing or is it that the second opening tag for 'small' was put in by mistake? htmLawed corrects the HTML in the string assuming the former, while the user may have intended the string for the latter. This is an issue that is impossible to address perfectly.
-
-  *  htmLawed might convert certain entities to actual characters and remove backslashes and CSS comment-markers ('/*') in 'style' attribute values in order to detect malicious HTML like crafted, Internet Explorer browser-specific dynamic expressions like '&#101;xpression...'. If this is too harsh, admins can allow CSS expressions through htmLawed core but then use a custom function through the 'hook_tag' parameter (section:- #3.4.9) to more specifically identify CSS expressions in the 'style' attribute values. Also, using '$config["style_pass"]', it is possible to have htmLawed pass 'style' attribute values without even looking at them (section:- #3.4.8).
-
-  *  htmLawed does not correct certain possible attribute-based security vulnerabilities (e.g., '<a href="http://x%22+style=%22background-image:xss">x</a>'). These arise when browsers mis-identify markup in `escaped` text, defeating the very purpose of escaping text (a bad browser will read the given example as '<a href="http://x" style="background-image:xss">x</a>').
-  
-  *  Because of poor Unicode support in PHP, htmLawed does not remove the `high value` HTML-invalid characters with multi-byte code-points. Such characters however are extremely unlikely to be in the input. (see section:- #3.1).
-  
-  *  htmLawed does not check or correct the character encoding of the input it receives. In conjunction with permitting circumstances such as when the character encoding is left undefined through HTTP headers or HTML 'meta' tags, this can permit an exploit (like Google's `UTF-7/XSS` vulnerability of the past). Also, htmLawed can mangle input text if it is not well-formed in terms of character encoding. Administrators can consider using code available elsewhere to check well-formedness of input text characters to correct any defect.
-  
-  *  htmLawed is expected to work with input texts in ASCII standard-compatible single-byte encodings such as national variants of ASCII (like ISO-646-DE/German of the ISO 646 standard), extended ASCII variants (like ISO 8859-10/Turkish of the ISO 8859/ISO Latin standard), ISO 8859-based Windows variants (like Windows 1252), EBCDIC, Shift JIS (Japanese), GB-Roman (Chinese), and KS-Roman (Korean). It should also properly handle texts with variable-byte encodings like UTF-7 (Unicode) and UTF-8 (Unicode). However, htmLawed may mangle input texts with double-byte encodings like UTF-16 (Unicode), JIS X 0208:1997 (Japanese) and K SX 1001:1992 (Korean), or the UTF-32 (Unicode) quadruple-byte encoding. If an input text has such an encoding, administrators can use PHP's iconv:- http://php.net/manual/en/book.iconv.php functions, or some other mean, to convert text to UTF-8 before passing it to htmLawed.
-
-  *  Like any script using PHP's PCRE regex functions, PHP setup-specific low PCRE limit values can cause htmLawed to at least partially fail with very long input texts.
-
-
--- 2.9  Examples of usage ------------------------------------------o
-
-
-  Safest, allowing only `safe` HTML markup --
-  
-    $config = array('safe'=>1);
-    $out = htmLawed($in, $config);
-    
-  Simplest, allowing all valid HTML markup including Javascript --
-  
-    $out = htmLawed($in);
-    
-  Allowing all valid HTML markup but restricting URL schemes in 'src' attribute values to 'http' and 'https' --
-  
-    $config = array('schemes'=>'*:*; src:http, https');
-    $out = htmLawed($in, $config);
-    
-  Allowing only 'safe' HTML and the elements 'a', 'em', and 'strong' --
-  
-    $config = array('safe'=>1, 'elements'=>'a, em, strong');
-    $out = htmLawed($in, $config);
-    
-  Not allowing elements 'script' and 'object' --
-  
-    $config = array('elements'=>'* -script -object');
-    $out = htmLawed($in, $config);
-    
-  Not allowing attributes 'id' and 'style' --
-  
-    $config = array('deny_attribute'=>'id, style');
-    $out = htmLawed($in, $config);
-    
-  Permitting only attributes 'title' and 'href' --
-  
-    $config = array('deny_attribute'=>'* -title -href');
-    $out = htmLawed($in, $config);
-    
-  Remove bad/disallowed tags altogether instead of converting them to entities --
-  
-    $config = array('keep_bad'=>0);
-    $out = htmLawed($in, $config);
-    
-  Allowing attribute 'title' only in 'a' and not allowing attributes 'id', 'style', or scriptable `on*` attributes like 'onclick' --
-  
-    $config = array('deny_attribute'=>'title, id, style, on*');
-    $spec = 'a=title';
-    $out = htmLawed($in, $config, $spec);
-    
-  Allowing a custom attribute, 'vFlag', in 'img' and permitting custom use of the standard attribute, 'rel', in 'input' --
-  
-    $spec = 'img=vFlag; input=rel';
-    $out = htmLawed($in, $config, $spec);
-
-  Some case-studies are presented below.
-
-  *1.* A blog administrator wants to allow only 'a', 'em', 'strike', 'strong' and 'u' in comments, but needs 'strike' and 'u' transformed to 'span' for better XHTML 1-strict compliance, and, he wants the 'a' links to point only to 'http' or 'https' resources:
-
-    $processed = htmLawed($in, array('elements'=>'a, em, strike, strong, u', 'make_tag_strict'=>1, 'safe'=>1, 'schemes'=>'*:http, https'), 'a=href');
-
-  *2.* An author uses a custom-made web application to load content on his website. He is the only one using that application and the content he generates has all types of HTML, including scripts. The web application uses htmLawed primarily as a tool to correct errors that creep in while writing HTML and to take care of the occasional `bad` characters in copy-paste text introduced by Microsoft Office. The web application provides a preview before submitted input is added to the content. For the previewing process, htmLawed is set up as follows:
-
-    $processed = htmLawed($in, array('css_expression'=>1, 'keep_bad'=>1, 'make_tag_strict'=>1, 'schemes'=>'*:*', 'valid_xhtml'=>1));
-
-  For the final submission process, 'keep_bad' is set to '6'. A value of '1' for the preview process allows the author to note and correct any HTML mistake without losing any of the typed text.
-
-  *3.* A data-miner is scraping information in a specific table of similar web-pages and is collating the data rows, and uses htmLawed to reduce unnecessary markup and white-spaces:
-
-    $processed = htmLawed($in, array('elements'=>'tr, td', 'tidy'=>-1), 'tr, td =');
-
-
-== 3  Details =====================================================oo
-
-
--- 3.1  Invalid/dangerous characters --------------------------------
-
-
-  Valid characters (more correctly, their code-points) in HTML or XML are, hexadecimally, '9', 'a', 'd', '20' to 'd7ff', and 'e000' to '10ffff', except 'fffe' and 'ffff' (decimally, '9', '10', '13', '32' to '55295', and '57344' to '1114111', except '65534' and '65535'). htmLawed removes the invalid characters '0' to '8', 'b', 'c', and 'e' to '1f'.
-
-  Because of PHP's poor native support for multi-byte characters, htmLawed cannot check for the remaining invalid code-points. However, for various reasons, it is very unlikely for any of those characters to be in the input.
-
-  Characters that are discouraged (see section:- #5.1) but not invalid are not removed by htmLawed.
-
-  It (function 'hl_tag()') also replaces the potentially dangerous (in some Mozilla [Firefox] and Opera browsers) soft-hyphen character (code-point, hexadecimally, 'ad', or decimally, '173') in attribute values with spaces. Where required, the characters '<', '>', '&', and '"' are converted to entities.
-
-  With '$config["clean_ms_char"]' set as '1' or '2', many of the discouraged characters (decimal code-points '127' to '159' except '133') that many Microsoft applications incorrectly use (as per the 'Windows 1252' ['Cp-1252'] or a similar encoding system), and the character for decimal code-point '133', are converted to appropriate decimal numerical entities (or removed for a few cases)-- see appendix in section:- #5.4. This can help avoid some display issues arising from copying-pasting of content.
-
-  With '$config["clean_ms_char"]' set as '2', characters for the hexadecimal code-points '82', '91', and '92' (for special single-quotes), and '84', '93', and '94' (for special double-quotes) are converted to ordinary single and double quotes respectively and not to entities.
-
-  The character values are replaced with entities/characters and not character values referred to by the entities/characters to keep this task independent of the character-encoding of input text.
-
-  The '$config["clean_ms_char"]' parameter should not be used if authors do not copy-paste Microsoft-created text, or if the input text is not believed to use the 'Windows 1252' ('Cp-1252') or a similar encoding like 'Cp-1251' (otherwise, for example when UTF-8 encoding is in use, Japanese or Korean characters can get mangled). Further, the input form and the web-pages displaying it or its content should have the character encoding appropriately marked-up.
-
-
--- 3.2  Character references/entities ------------------------------o
-
-
-  Valid character entities take the form '&*;' where '*' is '#x' followed by a hexadecimal number (hexadecimal numeric entity; like '&#xA0;' for non-breaking space), or alphanumeric like 'gt' (external or named entity; like '&nbsp;' for non-breaking space), or '#' followed by a number (decimal numeric entity; like '&#160;' for non-breaking space). Character entities referring to the soft-hyphen character (the '&shy;' or '\xad' character; hexadecimal code-point 'ad' [decimal '173']) in URL-accepting attribute values are always replaced with spaces; soft-hyphens in attribute values introduce vulnerabilities in some older versions of the Opera and Mozilla [Firefox] browsers.
-
-  htmLawed (function 'hl_ent()'):
-
-  *  Neutralizes entities with multiple leading zeroes or missing semi-colons (potentially dangerous)
-
-  *  Lowercases the 'X' (for XML-compliance) and 'A-F' of hexadecimal numeric entities
-
-  *  Neutralizes entities referring to characters that are HTML-invalid (see section:- #3.1)
-
-  *  Neutralizes entities referring to characters that are HTML-discouraged (code-points, hexadecimally, '7f' to '84', '86' to '9f', and 'fdd0' to 'fddf', or decimally, '127' to '132', '134' to '159', and '64991' to '64976'). Entities referring to the remaining discouraged characters (see section:- #5.1 for a full list) are let through.
-
-  *  Neutralizes named entities that are not in the specifications
-
-  *  Optionally converts valid HTML-specific named entities except '&gt;', '&lt;', '&quot;', and '&amp;' to decimal numeric ones (hexadecimal if $config["hexdec_entity"] is '2') for generic XML-compliance. For this, '$config["named_entity"]' should be '1'.
-
-  *  Optionally converts hexadecimal numeric entities to the more widely supported decimal ones. For this, '$config["hexdec_entity"]' should be '0'.
-
-  *  Optionally converts decimal numeric entities to the hexadecimal ones. For this, '$config["hexdec_entity"]' should be '2'.
-
-  `Neutralization` refers to the `entitification` of '&' to '&amp;'.
-
-  *Note*: htmLawed does not convert entities to the actual characters represented by them; one can pass the htmLawed output through PHP's 'html_entity_decode' function:- http://www.php.net/html_entity_decode for that.
-
-  *Note*: If '$config["and_mark"]' is set, and set to a value other than '0', then the '&' characters in the original input are replaced with the control character for the hexadecimal code-point '6' ('\x06'; '&' characters introduced by htmLawed, e.g., after converting '<' to '&lt;', are not affected). This allows one to distinguish, say, an '&gt;' introduced by htmLawed and an '&gt;' put in by the input writer, and can be helpful in further processing of the htmLawed-processed text (e.g., to identify the character sequence 'o(><)o' to generate an emoticon image). When this feature is active, admins should ensure that the htmLawed output is not directly used in web pages or XML documents as the presence of the '\x06' can break documents. Before use in such documents, and preferably before any storage, any remaining '\x06' should be changed back to '&', e.g., with:
-
-    $final = str_replace("\x06", '&', $prelim);
-
-  Also, see section:- #3.9.
-
-
--- 3.3  HTML elements ----------------------------------------------o
-
-
-  htmLawed can be configured to allow only certain HTML elements (tags) in the input. Disallowed elements (just tag-content, and not element-content), based on '$config["keep_bad"]', are either `neutralized` (converted to plain text by entitification of '<' and '>') or removed.
-
-  E.g., with only 'em' permitted:
-
-  Input:
-
-      <em>My</em> website is <a href="http://a.com>a.com</a>.
-
-  Output, with '$config["keep_bad"] = 0':
-
-      <em>My</em> website is a.com.
-
-  Output, with '$config["keep_bad"]' not '0':
-
-      <em>My</em> website is &lt;a href=""&gt;a.com&lt;/a&gt;.
-
-  See section:- #3.3.3 for differences between the various non-zero '$config["keep_bad"]' values.
-
-  htmLawed by default permits these 118 HTML elements:
-
-    a, abbr, acronym, address, applet, area, article, aside, audio, b, bdi, bdo, big, blockquote, br, button, canvas, caption, center, cite, code, col, colgroup, command, data, datalist, dd, del, details, dfn, dir, div, dl, dt, em, embed, fieldset, figcaption, figure, font, footer, form, h1, h2, h3, h4, h5, h6, header, hgroup, hr, i, iframe, img, input, ins, isindex, kbd, keygen, label, legend, li, link, main, map, mark, menu, meta, meter, nav, noscript, object, ol, optgroup, option, output, p, param, pre, progress, q, rb, rbc, rp, rt, rtc, ruby, s, samp, script, section, select, small, source, span, strike, strong, style, sub, summary, sup, table, tbody, td, textarea, tfoot, th, thead, time, tr, track, tt, u, ul, var, video, wbr
-
-  The HTML version 4 elements 'acronym', 'applet', 'big', 'center', 'dir', 'font', 'strike', and 'tt' are obsolete/deprecated in HTML version 5. On the other hand, the obsolete/deprecated HTML 4 elements 'embed', 'menu' and 'u' are no longer so in HTML 5. Elements new to HTML 5 are 'article', 'aside', 'audio', 'bdi', 'canvas', 'command', 'data', 'datalist', 'details', 'figure', 'figcaption', 'footer', 'header', 'hgroup', 'keygen', 'link', 'main', 'mark', 'meta', 'meter', 'nav', 'output', 'progress', 'section', 'source', 'style', 'summary', 'time', 'track', 'video', and 'wbr'. The 'link', 'meta' and 'style' elements exist in HTML 4 but are not allowed in the HTML body. These 16 elements are `empty` elements that have an opening tag with possible content but no element content (thus, no closing tag): 'area', 'br', 'col', 'command', 'embed', 'hr', 'img', 'input', 'isindex', 'keygen', 'link', 'meta', 'param', 'source', 'track', and 'wbr'.
-
-  With '$config["safe"] = 1', the default set will exclude 'applet', 'audio', 'canvas', 'embed', 'iframe', 'object', 'script' and 'video'; see section:- #3.6.
-
-  When '$config["elements"]', which specifies allowed elements, is `properly` defined, and neither empty nor set to '0' or '*', the default set is not used. To have elements added to or removed from the default set, a '+/-' notation is used. E.g., '*-script-object' implies that only 'script' and 'object' are disallowed, whereas '*+embed' means that 'noembed' is also allowed. Elements can also be specified as comma separated names. E.g., 'a, b, i' means only 'a', 'b' and 'i' are permitted. In this notation, '*', '+' and '-' have no significance and can actually cause a mis-reading.
-
-  Some more examples of '$config["elements"]' values indicating permitted elements (note that empty spaces are liberally allowed for clarity):
-
-  *  'a, blockquote, code, em, strong' -- only 'a', 'blockquote', 'code', 'em', and 'strong'
-  *  '*-script' -- all excluding 'script'
-  *  '* -acronym -big -center -dir -font -isindex -s -strike -tt' -- only non-obsolete/deprecated elements of HTML5
-  *  '*+noembed-script' -- all including 'noembed' excluding 'script'
-
-  Some mis-usages (and the resulting permitted elements) that can be avoided:
-
-  *  '-*' -- none; instead of htmLawed, one might just use, e.g., the 'htmlspecialchars()' PHP function
-  *  '*, -script' -- all except 'script'; admin probably meant '*-script'
-  *  '-*, a, em, strong' -- all; admin probably meant 'a, em, strong'
-  *  '*' -- all; admin need not have set 'elements'
-  *  '*-form+form' -- all; a '+' will always over-ride any '-'
-  *  '*, noembed' -- only 'noembed'; admin probably meant '*+noembed'
-  *  'a, +b, i' -- only 'a' and 'i'; admin probably meant 'a, b, i'
-
-  Basically, when using the '+/-' notation, commas (',') should not be used, and vice versa, and '*' should be used with the former but not the latter.
-
-  *Note*: Even if an element that is not in the default set is allowed through '$config["elements"]', like 'noembed' in the last example, it will eventually be removed during tag balancing unless such balancing is turned off ('$config["balance"]' set to '0'). Currently, the only way around this, which actually is simple, is to edit htmLawed's PHP code which define various arrays in the function 'hl_bal()' to accommodate the element and its nesting properties.
-
-  A possible second way to specify allowed elements is to set '$config["parent"]' to an element name that supposedly will hold the input, and to set '$config["balance"]' to '1'. During tag balancing (see section:- #3.3.3), all elements that cannot legally nest inside the parent element will be removed. The parent element is auto-reset to 'div' if '$config["parent"]' is empty, 'body', or an element not in htmLawed's default set of 118 elements.
-
-  `Tag transformation` is possible for improving compliance with HTML standards -- most of the obsolete/deprecated elements of HTML version 5 are converted to valid  ones; see section:- #3.3.2.
-
-
-.. 3.3.1  Handling of comments & CDATA sections .....................
-
-
-  'CDATA' sections have the format '<![CDATA[...anything but not "]]>"...]]>', and HTML comments, '<!--...anything but not "-->"... -->'. Neither HTML comments nor 'CDATA' sections can reside inside tags. HTML comments can exist anywhere else, but 'CDATA' sections can exist only where plain text is allowed (e.g., immediately inside 'td' element content but not immediately inside 'tr' element content).
-
-  htmLawed (function 'hl_cmtcd()') handles HTML comments or 'CDATA' sections depending on the values of '$config["comment"]' or '$config["cdata"]'. If '0', such markup is not looked for and the text is processed like plain text. If '1', it is removed completely. If '2', it is preserved but any '<', '>' and '&' inside are changed to entities. If '3' for '$config["cdata"]', or '3' or '4' for '$config["comment"]', they are left as such. When '$config["comment"]' is set to '4', htmLawed will not force a space character before the '-->' comment-closing marker. While such a space is required for standard-compliance, it can corrupt marker code put in HTML by some software (such as Microsoft Outlook).  
-
-  Note that for the last two cases, HTML comments and 'CDATA' sections will always be removed from tag content (function 'hl_tag()').
-
-  Examples:
-
-  Input:
-    <!-- home link--><a href="home.htm"><![CDATA[x=&y]]>Home</a>
-  Output ('$config["comment"] = 0, $config["cdata"] = 2'):
-    &lt;-- home link--&gt;<a href="home.htm"><![CDATA[x=&amp;y]]>Home</a>
-  Output ('$config["comment"] = 1, $config["cdata"] = 2'):
-    <a href="home.htm"><![CDATA[x=&amp;y]]>Home</a>
-  Output ('$config["comment"] = 2, $config["cdata"] = 2'):
-    <!-- home link --><a href="home.htm"><![CDATA[x=&amp;y]]>Home</a>
-  Output ('$config["comment"] = 2, $config["cdata"] = 1'):
-    <!-- home link --><a href="home.htm">Home</a>
-  Output ('$config["comment"] = 3, $config["cdata"] = 3'):
-    <!-- home link --><a href="home.htm"><![CDATA[x=&y]]>Home</a>
-  Output ('$config["comment"] = 4, $config["cdata"] = 3'):
-    <!-- home link--><a href="home.htm"><![CDATA[x=&y]]>Home</a>
-    
-  For standard-compliance, comments are given the form '<!--comment -->', and any '--' in the content is made '-'. When '$config["comment"]' is set to '4', htmLawed will not force a space character before the '-->' comment-closing marker.
-
-  When '$config["safe"] = 1', CDATA sections and comments are considered plain text unless '$config["comment"]' or '$config["cdata"]' is explicitly specified; see section:- #3.6.
-
-
-.. 3.3.2  Tag-transformation for better compliance with standards ..o
-
-
-  If '$config["make_tag_strict"]' is set and not '0', following deprecated elements (and attributes), as per HTML 5 specification, even if admin-permitted, are mutated as indicated (element content remains intact; function 'hl_tag2()'):
-
-  *  acronym - 'abbr'
-  *  applet - based on '$config["make_tag_strict"]', unchanged ('1') or removed ('2')
-  *  big - 'span style="font-size: larger;"'
-  *  center - 'div style="text-align: center;"'
-  *  dir - 'ul'
-  *  font (face, size, color) - 'span style="font-family: ; font-size: ; color: ;"' (size transformation reference:- http://web.archive.org/web/20180201141931/http://style.cleverchimp.com/font_size_intervals/altintervals.html)
-  *  isindex - based on '$config["make_tag_strict"]', unchanged ('1') or removed ('2')
-  *  s - 'span style="text-decoration: line-through;"'
-  *  strike - 'span style="text-decoration: line-through;"'
-  *  tt - 'code'
-
-  For an element with a pre-existing 'style' attribute value, the extra style properties are appended.
-
-  Example input:
-
-    <center>
-     The PHP <s>software</s> script used for this <strike>web-page</strike> web-page is <font style="font-weight: bold " face=arial size='+3' color   =  "red  ">htmLawedTest.php</font>, from <u style= 'color:green'>PHP Labware</u>.
-    </center>
-
-  The output:
-
-    <div style="text-align: center;">
-     The PHP <span style="text-decoration: line-through;">software</span> script used for this <span style="text-decoration: line-through;">web-page</span> web-page is <span style="font-weight: bold; font-size: 200%; color: red; font-family: arial;">htmLawedTest.php</span>, from <u style="color:green">PHP Labware</u>.
-    </div>
-
-
-.. 3.3.3  Tag balancing & proper nesting ...........................o
-
-
-  If '$config["balance"]' is set to '1', htmLawed (function 'hl_bal()') checks and corrects the input to have properly balanced tags and legal element content (i.e., any element nesting should be valid, and plain text may be present only in the content of elements that allow them).
-
-  Depending on the value of '$config["keep_bad"]' (see section:- #2.2 and section:- #3.3), illegal content may be removed or neutralized to plain text by converting < and > to entities:
-
-  '0' - remove; this option is available only to maintain Kses-compatibility and should not be used otherwise (see section:- #2.6)
-  '1' - neutralize tags and keep element content
-  '2' - remove tags but keep element content
-  '3' and '4' - like '1' and '2', but keep element content only if text ('pcdata') is valid in parent element as per specs
-  '5' and '6' -  like '3' and '4', but line-breaks, tabs and spaces are left
-
-  Example input (disallowing the 'p' element):
-
-    <*> Pseudo-tags <*>
-    <xml>Non-HTML tag xml</xml>
-    <p>
-    Disallowed tag p
-    </p>
-    <ul>Bad<li>OK</li></ul>
-
-  The output with '$config["keep_bad"] = 1':
-
-    &lt;*&gt; Pseudo-tags &lt;*&gt;
-    &lt;xml&gt;Non-HTML tag xml&lt;/xml&gt;
-    &lt;p&gt;
-    Disallowed tag p
-    &lt;/p&gt;
-    <ul>Bad<li>OK</li></ul>
-
-  The output with '$config["keep_bad"] = 3':
-
-    &lt;*&gt; Pseudo-tags &lt;*&gt;
-    &lt;xml&gt;Non-HTML tag xml&lt;/xml&gt;
-    &lt;p&gt;
-    Disallowed tag p
-    &lt;/p&gt;
-    <ul><li>OK</li></ul>
-
-  The output with '$config["keep_bad"] = 6':
-
-    &lt;*&gt; Pseudo-tags &lt;*&gt;
-    Non-HTML tag xml
-    
-    Disallowed tag p
-    
-    <ul><li>OK</li></ul>
-
-  An option like '1' is useful, e.g., when a writer previews his submission, whereas one like '3' is useful before content is finalized and made available to all.
-
-  *Note:* In the example above, unlike '<*>', '<xml>' gets considered as a tag (even though there is no HTML element named 'xml'). Thus, the 'keep_bad' parameter's value affects '<xml>' but not '<*>'. In general, text matching the regular expression pattern '<(/?)([a-zA-Z][a-zA-Z1-6]*)([^>]*?)\s?>' is considered a tag (phrase enclosed by the angled brackets '<' and '>', and starting [with an optional slash preceding] with an alphanumeric word that starts with an alphabet...), and is subjected to the 'keep_bad' value.
-
-  Nesting/content rules for each of the 118 elements in htmLawed's default set (see section:- #3.3) are defined in function 'hl_bal()'. This means that if a non-standard element besides 'embed' is being permitted through '$config["elements"]', the element's tag content will end up getting removed if '$config["balance"]' is set to '1'.
-
-  Plain text and/or certain elements nested inside 'blockquote', 'form', 'map' and 'noscript' need to be in block-level elements. This point is often missed during manual writing of HTML code. htmLawed attempts to address this during balancing. E.g., if the parent container is set as 'form', the input 'B:<input type="text" value="b" />C:<input type="text" value="c" />' is converted to '<div>B:<input type="text" value="b" />C:<input type="text" value="c" /></div>'.
-
-
-.. 3.3.4  Elements requiring child elements ........................o
-
-
-  As per HTML specifications, elements such as those below require legal child elements nested inside them:
-
-    blockquote, dir, dl, form, map, menu, noscript, ol, optgroup, rbc, rtc, ruby, select, table, tbody, tfoot, thead, tr, ul
-
-  In some cases, the specifications stipulate the number and/or the ordering of the child elements. A 'table' can have 0 or 1 'caption', 'tbody', 'tfoot', and 'thead', but they must be in this order: 'caption', 'thead', 'tfoot', 'tbody'.
-
-  htmLawed currently does not check for conformance to these rules. Note that any non-compliance in this regard will not introduce security vulnerabilities, crash browser applications, or affect the rendering of web-pages.
-  
-  With '$config["direct_list_nest"]' set to '1', htmLawed will allow direct nesting of 'ol', 'ul', or 'menu' list within another 'ol', 'ul', or 'menu' without requiring the child list to be within an 'li' of the parent list. While this may not be standard-compliant, directly nested lists are rendered properly by almost all browsers. The parameter '$config["direct_list_nest"]' has no effect if tag balancing (section:- #3.3.3) is turned off.
-
-
-.. 3.3.5  Beautify or compact HTML .................................o
-
-
-  By default, htmLawed will neither `beautify` HTML code by formatting it with indentations, etc., nor will it make it compact by removing un-needed white-space.(It does always properly white-space tag content.)
-
-  As per the HTML standards, spaces, tabs and line-breaks in web-pages (except those inside 'pre' elements) are all considered equivalent, and referred to as `white-spaces`. Browser applications are supposed to consider contiguous white-spaces as just a single space, and to disregard white-spaces trailing opening tags or preceding closing tags. This white-space `normalization` allows the use of text/code beautifully formatted with indentations and line-spacings for readability. Such `pretty` HTML can, however, increase the size of web-pages, or make the extraction or scraping of plain text cumbersome.
-
-  With the '$config' parameter 'tidy', htmLawed can be used to beautify or compact the input text. Input with just plain text and no HTML markup is also subject to this. Besides 'pre', the 'script' and 'textarea' elements, CDATA sections, and HTML comments are not subjected to the tidying process.
-
-  To `compact`, use '$config["tidy"] = -1'; single instances or runs of white-spaces are replaced with a single space, and white-spaces trailing and leading open and closing tags, respectively, are removed.
-
-  To `beautify`, '$config["tidy"]' is set as '1', or for customized tidying, as a string like '2s2n'. The 's' or 't' character specifies the use of spaces or tabs for indentation. The first and third characters, any of the digits 0-9, specify the number of spaces or tabs per indentation, and any parental lead spacing (extra indenting of the whole block of input text). The 'r' and 'n' characters are used to specify line-break characters: 'n' for '\n' (Unix/Mac OS X line-breaks), 'rn' or 'nr' for '\r\n' (Windows/DOS line-breaks), or 'r' for '\r'.
-
-  The '$config["tidy"]' value of '1' is equivalent to '2s0n'. Other '$config["tidy"]' values are read loosely: a value of '4' is equivalent to '4s0n'; 't2', to '1t2n'; 's', to '2s0n'; '2TR', to '2t0r'; 'T1', to '1t1n'; 'nr3', to '3s0nr', and so on. Except in the indentations and line-spacings, runs of white-spaces are replaced with a single space during beautification.
-
-  Input formatting using '$config["tidy"]' is not recommended when input text has mixed markup (like HTML + PHP).
-
-
--- 3.4  Attributes -------------------------------------------------o
-
-
-  In its default setting, htmLawed will only permit attributes described in the HTML specifications (including deprecated ones). A list of the attributes and the elements they are allowed in is in section:- #5.2. Using the '$spec' argument, htmLawed can be forced to permit custom, non-standard attributes as well as custom rules for standard attributes (section:- #2.3).
-  
-  Custom `data-*` (`data-star`) attributes, where the first three characters of the value of `star` (*) after lower-casing do not equal 'xml', and the value of `star` does not have a colon (:), equal-to (=), newline, solidus (/), space or tab character, or any upper-case A-Z character are allowed in all elements. ARIA, event and microdata attributes like 'aria-live', 'onclick' and 'itemid' are also considered global attributes (section:- #5.2).
-
-  When '$config["deny_attribute"]' is not set, or set to '0', or empty ('""'), all attributes are permitted. Otherwise, '$config["deny_attribute"]' can be set as a list of comma-separated names of the denied attributes. 'on*' can be used to refer to the group of potentially dangerous, script-accepting event attributes like 'onblur' and 'onchange' that have 'on' at the beginning of their names. Similarly, 'aria*' and 'data*' can be used to respectively refer to the set of all ARIA and data-* attributes.
-  
-  With '$config["safe"] = 1' (section:- #3.6), the 'on*' event attributes are automatically disallowed even if a value for '$config["deny_attribute"]' has been manually provided.
-
-  Note that attributes specified in '$config["deny_attribute"]' are denied globally, for all elements. To deny attributes for only specific elements, '$spec' (see section:- #2.3) can be used. '$spec' can also be used to element-specifically permit an attribute otherwise denied through '$config["deny_attribute"]'.
-  
-  Finer restrictions on attributes can also be put into effect through '$config["deny_attribute"]' (section:- 3.4.9).
-
-  *Note*: To deny all but a few attributes globally, a simpler way to specify '$config["deny_attribute"]' would be to use the notation '* -attribute1 -attribute2 ...'. Thus, a value of '* -title -href' implies that except 'href' and 'title' (where allowed as per standards) all other attributes are to be removed. With this notation, the value for the parameter 'safe' (section:- #3.6) will have no effect on 'deny_attribute'. Values of 'aria*' 'data*', and 'on*' cannot be used in this notation to refer to the sets of all ARIA, data-*, and on* attributes respectively.
-
-  htmLawed (function 'hl_tag()') also:
-
-  *  Lower-cases attribute names
-  *  Removes duplicate attributes (last one stays)
-  *  Gives attributes the form 'name="value"' and single-spaces them, removing unnecessary white-spacing
-  *  Provides `required` attributes (see section:- #3.4.1)
-  *  Double-quotes values and escapes any '"' inside them
-  *  Replaces the possibly dangerous soft-hyphen characters (hexadecimal code-point 'ad') in the values with spaces
-  *  Allows custom function to additionally filter/modify attribute values (see section:- #3.4.9)
-
-
-.. 3.4.1  Auto-addition of XHTML-required attributes ................
-
-
-  If indicated attributes for the following elements are found missing, htmLawed (function 'hl_tag()') will add them (with values same as attribute names unless indicated otherwise below):
-
-  *  area - alt ('area')
-  *  area, img - src, alt ('image')
-  *  bdo - dir ('ltr')
-  *  form - action
-  *  label - command
-  *  map - name
-  *  optgroup - label
-  *  param - name
-  *  style - scoped
-  *  textarea - rows ('10'), cols ('50')
-
-  Additionally, with '$config["xml:lang"]' set to '1' or '2', if the 'lang' but not the 'xml:lang' attribute is declared, then the latter is added too, with a value copied from that of 'lang'. This is for better standard-compliance. With '$config["xml:lang"]' set to '2', the 'lang' attribute is removed (XHTML specification).
-
-  Note that the 'name' attribute for 'map', invalid in XHTML, is also transformed if required -- see section:- #3.4.6.
-
-
-.. 3.4.2  Duplicate/invalid 'id' values ............................o
-
-
-  If '$config["unique_ids"]' is '1', htmLawed (function 'hl_tag()') removes 'id' attributes with values that are not standards-compliant (must not have a space character) or duplicate. If '$config["unique_ids"]' is a word (without a non-word character like space), any duplicate but otherwise valid value will be appropriately prefixed with the word to ensure its uniqueness.
-
-  Even if multiple inputs need to be filtered (through multiple calls to htmLawed), htmLawed ensures uniqueness of 'id' values as it uses a global variable ('$GLOBALS["hl_Ids"]' array). Further, an admin can restrict the use of certain 'id' values by presetting this variable before htmLawed is called into use. E.g.:
-
-    $GLOBALS['hl_Ids'] = array('top'=>1, 'bottom'=>1, 'myform'=>1); // id values not allowed in input
-    $processed = htmLawed($text); // filter input
-
-
-.. 3.4.3  URL schemes & scripts in attribute values ................o
-
-
-  htmLawed edits attributes that take URLs as values if they are found to contain un-permitted schemes. E.g., if the 'afp' scheme is not permitted, then '<a href="afp://domain.org">' becomes '<a href="denied:afp://domain.org">', and if Javascript is not permitted '<a onclick="javascript:xss();">' becomes '<a onclick="denied:javascript:xss();">'.
-
-  By default htmLawed permits these schemes in URLs for the 'href' attribute:
-
-    aim, app, feed, file, ftp, gopher, http, https, javascript, irc, mailto, news, nntp, sftp, ssh, tel, telnet
-
-  Also, only 'data', 'file', 'http', 'https' and 'javascript' are permitted in these attributes that accept URLs:
-
-    action, cite, classid, codebase, data, itemtype, longdesc, model, pluginspage, pluginurl, src, srcset, style, usemap, and event attributes like onclick
-
-  With '$config["safe"] = 1' (section:- #3.6), the above is changed to disallow 'app', 'data' and 'javascript'.
-  
-  These default sets are used when '$config["schemes"]' is not set (see section:- #2.2). To over-ride the defaults, '$config["schemes"]' is defined as a string of semi-colon-separated sub-strings of type 'attribute: comma-separated schemes'. E.g., 'href: mailto, http, https; onclick: javascript; src: http, https'. For unspecified attributes, 'data', 'file', 'http', 'https' and 'javascript' are permitted. This can be changed by passing schemes for '*' in '$config["schemes"]'. E.g., 'href: mailto, http, https; *: https, https'.
-
-  '*' (asterisk) can be put in the list of schemes to permit all protocols. E.g., 'style: *; img: http, https' results in protocols not being checked in 'style' attribute values. However, in such cases, any relative-to-absolute URL conversion, or vice versa, (section:- #3.4.4) is not done. When an attribute is explicitly listed in '$config["schemes"]', then filtering is dictated by the setting for the attribute, with no effect of the setting for asterisk. That is, the set of attributes that asterisk refers to no longer includes the listed attribute. 
-
-  Thus, `to allow the xmpp scheme`, one can set '$config["schemes"]' as 'href: mailto, http, https; *: http, https, xmpp', or 'href: mailto, http, https, xmpp; *: http, https, xmpp', or '*: *', and so on. The consequence of each of these example values will be different (e.g., only the last two but not the first will allow 'xmpp' in 'href')
-
-  As a side-note, one may find 'style: *' useful as URLs in 'style' attributes can be specified in a variety of ways, and the patterns that htmLawed uses to identify URLs may mistakenly identify non-URL text.
-  
-  '!' can be put in the list of schemes to disallow all protocols as well as `local` URLs. Thus, with 'href: http, style: !', '<a href="http://cnn.com" style="background-image: url(local.jpg);">CNN</a>' will become '<a href="http://cnn.com" style="background-image: url(denied:local.jpg);">CNN</a>'
-
-  *Note*: If URL-accepting attributes other than those listed above are being allowed, then the scheme will not be checked unless the attribute name contains the string 'src' (e.g., 'dynsrc') or starts with 'o' (e.g., 'onbeforecopy').
-
-  With '$config["safe"] = 1', all URLs are disallowed in the 'style' attribute values.
-
-
-.. 3.4.4  Absolute & relative URLs in attribute values ............o
-
-
-  htmLawed can make absolute URLs in attributes like 'href' relative ('$config["abs_url"]' is '-1'), and vice versa ('$config["abs_url"]' is '1'). URLs in scripts are not considered for this, and so are URLs like '#section_6' (fragment), '?name=Tim#show' (starting with query string), and ';var=1?name=Tim#show' (starting with parameters). Further, this requires that '$config["base_url"]' be set properly, with the '://' and a trailing slash ('/'), with no query string, etc. E.g., 'file:///D:/page/', 'https://abc.com/x/y/', or 'http://localhost/demo/' are okay, but 'file:///D:/page/?help=1', 'abc.com/x/y/' and 'http://localhost/demo/index.htm' are not.
-
-  For making absolute URLs relative, only those URLs that have the '$config["base_url"]' string at the beginning are converted. E.g., with '$config["base_url"] = "https://abc.com/x/y/"', 'https://abc.com/x/y/a.gif' and 'https://abc.com/x/y/z/b.gif' become 'a.gif' and 'z/b.gif' respectively, while 'https://abc.com/x/c.gif' is not changed.
-
-  When making relative URLs absolute, only values for scheme, network location (host-name) and path values in the base URL are inherited. See section:- #5.5 for more about the URL specification as per RFC 1808:- http://www.ietf.org/rfc/rfc1808.txt.
-
-
-.. 3.4.5  Lower-cased, standard attribute values ...................o
-
-
-  Optionally, for standard-compliance, htmLawed (function 'hl_tag()') lower-cases standard attribute values to give, e.g., 'input type="password"' instead of 'input type="Password"', if '$config["lc_std_val"]' is '1'. Attribute values matching those listed below for any of the elements listed further below (plus those for the 'type' attribute of 'button' or 'input') are lower-cased:
-
-    all, auto, baseline, bottom, button, captions, center, chapters, char, checkbox, circle, col, colgroup, color, cols, data, date, datetime, datetime-local, default, descriptions, email, file, get, groups, hidden, image, justify, left, ltr, metadata, middle, month, none, number, object, password, poly, post, preserve, radio, range, rect, ref, reset, right, row, rowgroup, rows, rtl, search, submit, subtitles, tel, text, time, top, url, week
-
-    a, area, bdo, button, col, fieldset, form, img, input, object, ol, optgroup, option, param, script, select, table, td, textarea, tfoot, th, thead, tr, track, xml:space
-
-  The following `empty` (`minimized`) attributes are always assigned lower-cased values (same as the attribute names):
-
-    checkbox, checked, command, compact, declare, defer, default, disabled, hidden, inert, ismap, itemscope, multiple, nohref, noresize, noshade, nowrap, open, radio, readonly, required, reversed, selected
-
-
-.. 3.4.6  Transformation of deprecated attributes ..................o
-
-
-  If '$config["no_deprecated_attr"]' is '0', then deprecated attributes are removed and, in most cases, their values are transformed to CSS style properties and added to the 'style' attributes (function 'hl_tag()'). Except for 'bordercolor' for 'table', 'tr' and 'td', the scores of proprietary attributes that were never part of any cross-browser standard are not supported in this functionality.
-
-  *  align in caption, div, h, h2, h3, h4, h5, h6, hr, img, input, legend, object, p, table - for 'img' with value of 'left' or 'right', becomes, e.g., 'float: left'; for 'div' and 'table' with value 'center', becomes 'margin: auto'; all others become, e.g., 'text-align: right'
-  *  bgcolor in table, td, th and tr - E.g., 'bgcolor="#ffffff"' becomes 'background-color: #ffffff'
-  *  border in object - E.g., 'height="10"' becomes 'height: 10px'
-  *  bordercolor in table, td and tr - E.g., 'bordercolor=#999999' becomes 'border-color: #999999;'
-  *  compact in dl, ol and ul - 'font-size: 85%'
-  *  cellspacing in table - 'cellspacing="10"' becomes 'border-spacing: 10px'
-  *  clear in br - E.g., 'clear="all" becomes 'clear: both'
-  *  height in td and th - E.g., 'height= "10"' becomes 'height: 10px' and 'height="*"' becomes 'height: auto'
-  *  hspace in img and object - E.g., 'hspace="10"' becomes 'margin-left: 10px; margin-right: 10px'
-  *  language in script - 'language="VBScript"' becomes 'type="text/vbscript"'
-  *  name in a, form, iframe, img and map - E.g., 'name="xx"' becomes 'id="xx"'
-  *  noshade in hr - 'border-style: none; border: 0; background-color: gray; color: gray'
-  *  nowrap in td and th - 'white-space: nowrap'
-  *  size in hr - E.g., 'size="10"' becomes 'height: 10px'
-  *  vspace in img and object - E.g., 'vspace="10"' becomes 'margin-top: 10px; margin-bottom: 10px'
-  *  width in hr, pre, table, td and th - like 'height'
-
-  Example input:
-
-    <img src="j.gif" alt="image" name="dad's" /><img src="k.gif" alt="image" id="dad_off" name="dad" />
-    <br clear="left" />
-    <hr noshade size="1" />
-    <img name="img" src="i.gif" align="left" alt="image" hspace="10" vspace="10" width="10em" height="20" border="1" style="padding:5px;" />
-    <table width="50em" align="center" bgcolor="red">
-     <tr>
-      <td width="20%">
-       <div align="center">
-        <h3 align="right">Section</h3>
-        <p align="right">Para</p>
-       </div>
-      </td>
-      <td width="*">
-      </td>
-     </tr>
-    </table>
-    <br clear="all" />
-
-  And the output with '$config["no_deprecated_attr"] = 1':
-
-    <img src="j.gif" alt="image" id="dad's" /><img src="k.gif" alt="image" id="dad_off" />
-    <br style="clear: left;" />
-    <hr style="border-style: none; border: 0; background-color: gray; color: gray; size: 1px;" />
-    <img src="i.gif" alt="image" width="10em" height="20" style="padding:5px; float: left; margin-left: 10px; margin-right: 10px; margin-top: 10px; margin-bottom: 10px; border: 1px;" id="img" />
-    <table width="50em" style="margin: auto; background-color: red;">
-     <tr>
-      <td style="width: 20%;">
-       <div style="margin: auto;">
-        <h3 style="text-align: right;">Section</h3>
-        <p style="text-align: right;">Para</p>
-       </div>
-      </td>
-      <td style="width: auto;">
-      </td>
-     </tr>
-    </table>
-    <br style="clear: both;" />
-
-  For 'lang', deprecated in XHTML 1.1, transformation is taken care of through '$config["xml:lang"]'; see section:- #3.4.1.
-
-  The attribute 'name' is deprecated in 'form', 'iframe', and 'img', and is replaced with 'id' if an 'id' attribute doesn't exist and if the 'name' value is appropriate for 'id' (i.e., doesn't have a non-word character like space). For such replacements for 'a' and 'map', for which the 'name' attribute is deprecated in XHTML 1.1, '$config["no_deprecated_attr"]' should be set to '2' (when set to '1', for these two elements, the 'name' attribute is retained).
-
-
-.. 3.4.7  Anti-spam & 'href' .......................................o
-
-
-  htmLawed (function 'hl_tag()') can check the 'href' attribute values (link addresses) as an anti-spam (email or link spam) measure.
-
-  If '$config["anti_mail_spam"]' is not '0', the '@' of email addresses in 'href' values like 'mailto:a@b.com' is replaced with text specified by '$config["anti_mail_spam"]'. The text should be of a form that makes it clear to others that the address needs to be edited before a mail is sent; e.g., '<remove_this_antispam>@' (makes the example address 'a<remove_this_antispam>@b.com').
-
-  For regular links, one can choose to have a 'rel' attribute with 'nofollow' in its value (which tells some search engines to not follow a link). This can discourage link spammers. Additionally, or as an alternative, one can choose to empty the 'href' value altogether (disable the link).
-
-  For use of these options, '$config["anti_link_spam"]' should be set as an array with values 'regex1' and 'regex2', both or one of which can be empty (like 'array("", "regex2")') to indicate that that option is not to be used. Otherwise, 'regex1' or 'regex2' should be PHP- and PCRE-compatible regular expression patterns: 'href' values will be matched against them and those matching the pattern will accordingly be treated.
-
-  Note that the regular expressions should have `delimiters`, and be well-formed and preferably fast. Absolute efficiency/accuracy is often not needed.
-
-  An example, to have a 'rel' attribute with 'nofollow' for all links, and to disable links that do not point to domains 'abc.com' and 'xyz.org':
-
-    $config["anti_link_spam"] = array('`.`', '`://\W*(?!(abc\.com|xyz\.org))`');
-
-
-.. 3.4.8  Inline style properties ..................................o
-
-
-  htmLawed can check URL schemes and dynamic expressions (to guard against Javascript, etc., script-based insecurities) in inline CSS style property values in the 'style' attributes. (CSS properties like 'background-image' that accept URLs in their values are noted in section:- #5.3.) Dynamic CSS expressions that allow scripting in the IE browser, and can be a vulnerability, can be removed from property values by setting '$config["css_expression"]' to '1' (default setting). Note that when '$config["css_expression"]' is set to '1', htmLawed will remove '/*' from the 'style' values.
-
-  *Note*: Because of the various ways of representing characters in attribute values (URL-escapement, entitification, etc.), htmLawed might alter the values of the 'style' attribute values, and may even falsely identify dynamic CSS expressions and URL schemes in them. If this is an important issue, checking of URLs and dynamic expressions can be turned off ('$config["schemes"] = "...style:*..."', see section:- #3.4.3, and '$config["css_expression"] = 0'). Alternately, admins can use their own custom function for finer handling of 'style' values through the 'hook_tag' parameter (see section:- #3.4.9).
-
-  It is also possible to have htmLawed let through any 'style' value by setting '$config["style_pass"]' to '1'.
-
-  As such, it is better to set up a CSS file with class declarations, disallow the 'style' attribute, set a '$spec' rule (see section:- #2.3) for 'class' for the 'oneof' or 'match' parameter, and ask writers to make use of the 'class' attribute.
-
-
-.. 3.4.9  Hook function for tag content ............................o
-
-
-  It is possible to utilize a custom hook function to alter the tag content htmLawed has finalized (i.e., after it has checked/corrected for required attributes, transformed attributes, lower-cased attribute names, etc.).
-
-  When '$config' parameter 'hook_tag' is set to the name of a function, htmLawed (function 'hl_tag()') will pass on the element name, and the `finalized` attribute name-value pairs as array elements to the function. The function, after completing a task such as filtering or tag transformation, will typically return an empty string, the full opening tag string like '<element_name attribute_1_name="attribute_1_value"...>' (for empty elements like 'img' and 'input', the element-closing slash '/' should also be included), etc.
-  
-  Any 'hook_tag' function, since htmLawed version 1.1.11, also receives names of elements in closing tags, such as 'a' in the closing '</a>' tag of the element '<a href="http://cnn.com">CNN</a>'. No other value is passed to the function since a closing tag contains only element names. Typically, the function will return an empty string or a full closing tag (like '</a>'). 
-
-  This is a *powerful functionality* that can be exploited for various objectives: consolidate-and-convert inline 'style' attributes to 'class', convert 'embed' elements to 'object', permit only one 'caption' element in a 'table' element, disallow embedding of certain types of media, *inject HTML*, use CSSTidy:- http://csstidy.sourceforge.net to sanitize 'style' attribute values, etc.
-
-  As an example, the custom hook code below can be used to force a series of specifically ordered 'id' attributes on all elements, and a specific 'param' element inside all 'object' elements:
-
-    function my_tag_function($element, $attribute_array=0){
-    
-      // If second argument is not received, it means a closing tag is being handled
-      if(is_numeric($attribute_array)){
-        return "</$element>";
-      }
-      
-      static $id = 0;
-      // Remove any duplicate element
-      if($element == 'param' && isset($attribute_array['allowscriptaccess'])){
-        return '';
-      }
-
-      $new_element = '';
-
-      // Force a serialized ID number
-      $attribute_array['id'] = 'my_'. $id;
-      ++$id;
-
-      // Inject param for allowscriptaccess
-      if($element == 'object'){
-        $new_element = '<param id="my_'. $id. '"; allowscriptaccess="never" />';
-        ++$id;
-      }
-
-      $string = '';
-      foreach($attribute_array as $k=>$v){
-        $string .= " {$k}=\"{$v}\"";
-      }
-      
-      static $empty_elements = array('area'=>1, 'br'=>1, 'col'=>1, 'command'=>1, 'embed'=>1, 'hr'=>1, 'img'=>1, 'input'=>1, 'isindex'=>1, 'keygen'=>1, 'link'=>1, 'meta'=>1, 'param'=>1, 'source'=>1, 'track'=>1, 'wbr'=>1);
-
-      return "<{$element}{$string}". (array_key_exists($element, $empty_elements) ? ' /' : ''). '>'. $new_element;
-    }
-
-  The 'hook_tag' parameter is different from the 'hook' parameter (section:- #3.7).
-
-  Snippets of hook function code developed by others may be available on the htmLawed:- http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed website.
-
-
--- 3.5  Simple configuration directive for most valid XHTML --------o
-
-
-  If '$config["valid_xhtml"]' is set to '1', some relevant '$config' parameters (indicated by '~' in section:- #2.2) are auto-adjusted. This allows one to pass the '$config' argument with a simpler value. If a value for a parameter auto-set through 'valid_xhtml' is still manually provided, then that value will over-ride the auto-set value.
-
-
--- 3.6  Simple configuration directive for most `safe` HTML --------o
-
-
-  `Safe` HTML refers to HTML that is restricted to reduce the vulnerability for scripting attacks (such as XSS) based on HTML code which otherwise may still be legal and compliant with the HTML standard specifications. When elements such as 'script' and 'object', and attributes such as 'onmouseover' and 'style' are allowed in the input text, an input writer can introduce malevolent HTML code. Note that what is considered 'safe' depends on the nature of the web application and the trust-level accorded to its users.
-
-  htmLawed allows an admin to use '$config["safe"]' to auto-adjust multiple '$config' parameters (such as 'elements' which declares the allowed element-set), which otherwise would have to be manually set. The relevant parameters are indicated by '"' in section:- #2.2). Thus, one can pass the '$config' argument with a simpler value. Having the 'safe' parameter set to '1' is equivalent to setting the following '$config' parameters to the noted values :
-  
-    cdata - 0
-    comment - 0
-    deny_attribute - on*
-    elements - * -applet -audio -canvas -embed -iframe -object -script -video
-    schemes - href: aim, feed, file, ftp, gopher, http, https, irc, mailto, news, nntp, sftp, ssh, tel, telnet; style: !; *:file, http, https
-
-  With 'safe' set to '1', htmLawed considers 'CDATA' sections and HTML comments as plain text, and prohibits the 'applet', 'audio', 'canvas', 'embed', 'iframe', 'object', 'script' and 'video' elements, and the 'on*' attributes like 'onclick'. ( There are '$config' parameters like 'css_expression' that are not affected by the value set for 'safe' but whose default values still contribute towards a more `safe` output.) Further, unless overridden by the value for parameter 'schemes' (see section:- #3.4.3), the schemes 'app', 'data' and 'javascript' are not permitted, and URLs with schemes are neutralized so that, e.g., 'style="moz-binding:url(http://danger)"' becomes 'style="moz-binding:url(denied:http://danger)"'.
-
-  Admins, however, may still want to completely deny the 'style' attribute, e.g., with code like
-
-    $processed = htmLawed($text, array('safe'=>1, 'deny_attribute'=>'style'));
-
-  Permitting the 'style' attribute brings in risks of `click-jacking`, etc. CSS property values can render a page non-functional or be used to deface it. Except for URLs, dynamic expressions, and some other things, htmLawed does not completely check 'style' values. It does provide ways for the code-developer implementing htmLawed to do such checks through the '$spec' argument, and through the 'hook_tag' parameter (see section:- #3.4.8 for more). Disallowing style completely and relying on CSS classes and stylesheet files is recommended. 
-  
-  If a value for a parameter auto-set through 'safe' is still manually provided, then that value can over-ride the auto-set value. E.g., with '$config["safe"] = 1' and '$config["elements"] = "* +script"', 'script', but not 'applet', is allowed. Such over-ride does not occur for 'deny_attribute' (for legacy reason) when comma-separated attribute names are provided as the value for this parameter (section:- #3.4); instead htmLawed will add 'on*' to the value provided for 'deny_attribute'.
-
-  A page illustrating the efficacy of htmLawed's anti-XSS abilities with 'safe' set to '1' against XSS vectors listed by RSnake:- http://ha.ckers.org/xss.html may be available here:- http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed/rsnake/RSnakeXSSTest.htm.
-
-
--- 3.7  Using a hook function --------------------------------------o
-
-
-  If '$config["hook"]' is not set to '0', then htmLawed will allow preliminarily processed input to be altered by a hook function named by '$config["hook"]' before starting the main work (but after handling of characters, entities, HTML comments and 'CDATA' sections -- see code for function 'htmLawed()').
-
-  The hook function also allows one to alter the `finalized` values of '$config' and '$spec'.
-
-  Note that the 'hook' parameter is different from the 'hook_tag' parameter (section:- #3.4.9).
-
-  Snippets of hook function code developed by others may be available on the htmLawed:- http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed website.
-
-
--- 3.8  Obtaining `finalized` parameter values ---------------------o
-
-
-  htmLawed can assign the `finalized` '$config' and '$spec' values to a variable named by '$config["show_setting"]'. The variable, made global by htmLawed, is set as an array with three keys: 'config', with the '$config' value, 'spec', with the '$spec' value, and 'time', with a value that is the Unix time (the output of PHP's 'microtime()' function) when the value was assigned. Admins should use a PHP-compliant variable name (e.g., one that does not begin with a numerical digit) that does not conflict with variable names in their non-htmLawed code.
-
-  The values, which are also post-hook function (if any), can be used to auto-generate information (on, e.g., the elements that are permitted) for input writers.
-
-
--- 3.9  Retaining non-HTML tags in input with mixed markup ---------o
-
-
-  htmLawed does not remove certain characters that, though invalid, are nevertheless `discouraged` in HTML documents as per the specifications (see section:- #5.1). This can be utilized to deal with input that contains mixed markup. Input that may have HTML markup as well as some other markup that is based on the '<', '>' and '&' characters is considered to have mixed markup. The non-HTML markup can be rather proprietary (like markup for emoticons/smileys), or standard (like MathML or SVG). Or it can be programming code meant for execution/evaluation (such as embedded PHP code).
-
-  To deal with such mixed markup, the input text can be pre-processed to hide the non-HTML markup by specifically replacing the '<', '>' and '&' characters with some of the HTML-discouraged characters (see section:- #3.1.2). Post-htmLawed processing, the replacements are reverted.
-
-  An example (mixed HTML and PHP code in input text):
-
-    $text = preg_replace('`<\?php(.+?)\?>`sm', "\x83?php\\1?\x84", $text);
-    $processed = htmLawed($text);
-    $processed = preg_replace('`\x83\?php(.+?)\?\x84`sm', '<?php$1?>', $processed);
-
-  This code will not work if '$config["clean_ms_char"]' is set to '1' (section:- #3.1), in which case one should instead deploy a hook function (section:- #3.7). (htmLawed internally uses certain control characters, code-points '1' to '7', and use of these characters as markers in the logic of hook functions may cause issues.)
-
-  Admins may also be able to use '$config["and_mark"]' to deal with such mixed markup; see section:- #3.2.
- 
-
-== 4  Other =======================================================oo
-
-
--- 4.1  Support -----------------------------------------------------
-
-
-  Software updates and forum-based community-support may be found at http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed. For general PHP issues (not htmLawed-specific), support may be found through internet searches and at http://php.net.
-
-
--- 4.2  Known issues -----------------------------------------------o
-
-
-  See section:- #2.8.
-
-
--- 4.3  Change-log -------------------------------------------------o
-
-
-  (The release date for the downloadable package of files containing documentation, demo script, test-cases, etc., besides the 'htmLawed.php' file, may be updated without a change-log entry if the secondary files, but not htmLawed per se, are revised.)
-
-  `Version number - Release date. Notes`
-
-  1.2.5 - 24 September 2019. Fixes two bugs in 'font' tag transformation
-
-  1.2.4.2 - 16 May 2019. Corrects a PHP notice if a semi-colon is present in '$config["schemes"]' 
-
-  1.2.4.1 - 12 September 2017. Corrects a function re-declaration bug introduced in version 1.2.4
-    
-  1.2.4 - 31 August 2017. Removes use of PHP 'create_function' function and '$php_errormsg' reserved variable (deprecated in PHP 7.2)
-  
-  1.2.3 - 5 July 2017. New option value of '4' for '$config["comments"]' to stop enforcing a space character before the '-->' comment-closing marker
-  
-  1.2.2 - 25 May 2017. Fix for a bug in parsing '$spec' that got introduced in version 1.2; also, '$spec' is now parsed to accommodate specifications for an HTML element when they are specified in multiple rules
-  
-  1.2.1.1 - 17 May 2017. Fix for a potential security vulnerability in transformation of deprecated attributes
-  
-  1.2.1 - 15 May 2017. Fix for a potential security vulnerability in transformation of deprecated attributes
-  
-  1.2 - 11 February 2017. (First beta release on 26 May 2013). Added support for HTML version 5; ARIA, data-* and microdata attributes; 'app', 'data', 'javascript' and 'tel' URL schemes (thus, 'javascript:' is not filtered in default mode). Removed support for code using Kses functions (see section:- #2.6). Changes in revisions to the beta releases are not noted here.
-
-  1.1.22 - 5 March 2016. Improved testing of attribute value rules specified in '$spec'
-  
-  1.1.21 - 27 February 2016. Improvement and security fix in transforming 'font' element
-
-  1.1.20 - 9 June 2015. Fix for a potential security vulnerability arising from unescaped double-quote character in single-quoted attribute value of some deprecated elements when tag transformation is enabled; recognition for non-(HTML 4) standard 'allowfullscreen' attribute of 'iframe'
-    
-  1.1.19 - 19 January 2015. Fix for a bug in cleaning of soft-hyphens in URL values, etc
-
-  1.1.18 - 2 August 2014. Fix for a potential security vulnerability arising from specially encoded text with serial opening tags
-  
-  1.1.17 - 11 March 2014. Removed use of PHP function preg_replace with 'e' modifier for compatibility with PHP 5.5.
-
-  1.1.16 - 29 August 2013. Fix for a potential security vulnerability arising from specialy encoded space characters in URL schemes/protocols
-  
-  1.1.15 - 11 August 2013. Improved tidying/prettifying functionality
-  
-  1.1.14 - 8 August 2012. Fix for possible segmental loss of incremental indentation during 'tidying' when 'balance' is disabled; fix for non-effectuation under some circumstances of a corrective behavior to preserve plain text within elements like 'blockquote'
-  
-  1.1.13 - 22 July 2012. Added feature allowing use of custom, non-standard attributes or custom rules for standard attributes
-  
-  1.1.12 - 5 July 2012. Fix for a bug in identifying an unquoted value of the 'face' attribute 
-    
-  1.1.11 - 5 June 2012. Fix for possible problem with handling of multi-byte characters in attribute values in an mbstring.func_overload enviroment. '$config["hook_tag"]', if specified, now receives names of elements in closing tags.
-  
-  1.1.10 - 22 October 2011. Fix for a bug in the 'tidy' functionality that caused the entire input to be replaced with a single space; new parameter, '$config["direct_list_nest"]' to allow direct descendance of a list in a list. (5 April 2012. Dual licensing from LGPLv3 to LGPLv3 and GPLv2+.)
-  
-  1.1.9.5 - 6 July 2011. Minor correction of a rule for nesting of 'li' within 'dir'
-  
-  1.1.9.4 - 3 July 2010. Parameter 'schemes' now accepts '!' so any URL, even a local one, can be `denied`. An issue in which a second URL value in 'style' properties was not checked was fixed.
-  
-  1.1.9.3 - 17 May 2010. Checks for correct nesting of 'param'
-  
-  1.1.9.2 - 26 April 2010. Minor fix regarding rendering of denied URL schemes
-  
-  1.1.9.1 - 26 February 2010. htmLawed now uses the LGPL version 3 license; support for 'flashvars' attribute for 'embed'
-  
-  1.1.9 - 22 December 2009. Soft-hyphens are now removed only from URL-accepting attribute values
-
-  1.1.8.1 - 16 July 2009. Minor code-change to fix a PHP error notice
-
-  1.1.8 - 23 April 2009. Parameter 'deny_attribute' now accepts the wild-card '*', making it simpler to specify its value when all but a few attributes are being denied; fixed a bug in interpreting '$spec'
-
-  1.1.7 - 11-12 March 2009. Attributes globally denied through 'deny_attribute' can be allowed element-specifically through '$spec'; '$config["style_pass"]' allowing letting through any 'style' value introduced; altered logic to catch certain types of dynamic crafted CSS expressions
-
-  1.1.3-6 - 28-31 January - 4 February 2009. Altered logic to catch certain types of dynamic crafted CSS expressions
-
-  1.1.2 - 22 January 2009. Fixed bug in parsing of 'font' attributes during tag transformation
-  
-  1.1.1 - 27 September 2008. Better nesting correction when omitable closing tags are absent
-
-  1.1 - 29 June 2008. '$config["hook_tag"]' and '$config["tidy"]' introduced for custom tag/attribute check/modification/injection and output compaction/beautification; fixed a regex-in-$spec parsing bug
-
-  1.0.9 - 11 June 2008. Fix for a bug in checks for invalid HTML code-point entities
-
-  1.0.8 - 15 May 2008. Permit 'bordercolor' attribute for 'table', 'td' and 'tr'
-
-  1.0.7 - 1 May 2008. Support for 'wmode' attribute for 'embed'; '$config["show_setting"]' introduced; improved '$config["elements"]' evaluation
-
-  1.0.6 - 20 April 2008. '$config["and_mark"]' introduced
-
-  1.0.5 - 12 March 2008. 'style' URL schemes essentially disallowed when $config 'safe' is on; improved regex for CSS expression search
-
-  1.0.4 - 10 March 2008. Improved corrections for 'blockquote', 'form', 'map' and 'noscript'
-
-  1.0.3 - 3 March 2008. Character entities for soft-hyphens are now replaced with spaces (instead of being removed); fix for a bug allowing 'td' directly inside 'table'; '$config["safe"]' introduced
-
-  1.0.2 - 13 February 2008. Improved implementation of '$config["keep_bad"]'
-
-  1.0.1 - 7 November 2007. Improved regex for identifying URLs, protocols and dynamic expressions ('hl_tag()' and 'hl_prot()'); no error display with 'hl_regex()'
-
-  1.0 - 2 November 2007. First release
-
-
--- 4.4  Testing ----------------------------------------------------o
-
-
-  To test htmLawed using a form interface, a demo:- htmLawedTest.php web-page is provided with the htmLawed distribution ('htmLawed.php' and 'htmLawedTest.php' should be in the same directory on the web-server). A file with test-cases:- htmLawed_TESTCASE.txt is also provided.
-
-
--- 4.5  Upgrade, & old versions ------------------------------------o
-
-
-  Upgrading is as simple as replacing the previous version of 'htmLawed.php', assuming the file was not modified for customized features. As htmLawed output is almost always used in static documents, upgrading should not affect old, finalized content.
-
-  *Note:* The following upgrades may affect the functionality of a specific htmLawed installation:
-
-  (1) From version 1.1-1.1.10 to 1.1.11 or later, if a 'hook_tag' function is in use: In version 1.1.11 and later, elements in closing tags (and not just the opening tags) are also passed to the function. There are no attribute names/values to pass, so a 'hook_tag' function receives only the element name. The 'hook_tag' function therefore may have to be edited. See section:- #3.4.9.
-  
-  (2) From version older than 1.2.beta to later, if htmLawed was used as Kses replacement with Kses code in use: In version 1.2.beta or later, htmLawed no longer provides direct support for code that uses Kses functions (see section:- #2.6).
-  
-  (3) From version older than 1.2 to later, if htmLawed is used without '$config["safe"]' set to 1: Unlike previous versions, htmLawed version 1.2 and later permit 'data' and 'javascript' URL schemes by default (see section:- #3.4.3).
-
-  Old versions of htmLawed may be available online. E.g., for version 1.0, check http://www.bioinformatics.org/phplabware/downloads/htmLawed1.zip; for 1.1.1, http://www.bioinformatics.org/phplabware/downloads/htmLawed111.zip; and for 1.1.22, http://www.bioinformatics.org/phplabware/downloads/htmLawed1122.zip.
-
-
--- 4.6  Comparison with 'HTMLPurifier' -----------------------------o
-
-
-  The HTMLPurifier PHP library by Edward Yang is a very good HTML filtering script that uses object oriented PHP code. Compared to htmLawed, it (as of year 2015):
-
-  *  does not support PHP versions older than 5.0 (HTMLPurifier dropped PHP 4 support after version 2)
-
-  *  is 15-20 times bigger (scores of files totalling more than 750 kb)
-
-  *  consumes 10-15 times more RAM memory (just including the HTMLPurifier files without calling the filter requires a few MBs of memory)
-
-  *  is expectedly slower
-
-  *  lacks many of the extra features of htmLawed (like entity conversions and code compaction/beautification)
-
-  *  has poor documentation
-
-  However, HTMLPurifier has finer checks for character encodings and attribute values, and can log warnings and errors. Visit the HTMLPurifier website:- http://htmlpurifier.org for updated information.
-
-
--- 4.7  Use through application plug-ins/modules -------------------o
-
-
-  Plug-ins/modules to implement htmLawed in applications such as Drupal may have been developed. Check the application websites and the htmLawed forum:- http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed.
-
-
--- 4.8  Use in non-PHP applications --------------------------------o
-
-
-  Non-PHP applications written in Python, Ruby, etc., may be able to use htmLawed through system calls to the PHP engine. Such code may have been documented on the internet. Also check the forum on the htmLawed site:- http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed.
-
-
--- 4.9  Donate -----------------------------------------------------o
-
-
-  A donation in any currency and amount to appreciate or support this software can be sent by PayPal:- http://paypal.com to this email address: drpatnaik at yahoo dot com.
-
-
--- 4.10  Acknowledgements ------------------------------------------o
-
-
-  Nicholas Alipaz, Bryan Blakey, Pádraic Brady, Dac Chartrand, Alexandre Chouinard, Ulf Harnhammer, Gareth Heyes, Hakre, Klaus Leithoff, Lukasz Pilorz, Shelley Powers, Psych0tr1a, Lincoln Russell, Tomas Sykorka, Harro Verton, Edward Yang, and many anonymous users.
-
-  Thank you!
-
-
-== 5  Appendices ==================================================oo
-
-
--- 5.1  Characters discouraged in XHTML -----------------------------
-
-
-  Characters represented by the following hexadecimal code-points are `not` invalid, even though some validators may issue messages stating otherwise.
-
-  '7f' to '84', '86' to '9f', 'fdd0' to 'fddf', '1fffe', '1ffff', '2fffe', '2ffff', '3fffe', '3ffff', '4fffe', '4ffff', '5fffe', '5ffff', '6fffe', '6ffff', '7fffe', '7ffff', '8fffe', '8ffff', '9fffe', '9ffff', 'afffe', 'affff', 'bfffe', 'bffff', 'cfffe', 'cffff', 'dfffe', 'dffff', 'efffe', 'effff', 'ffffe', 'fffff', '10fffe' and '10ffff'
-
-
--- 5.2  Valid attribute-element combinations -----------------------o
-
-
-  *  includes deprecated attributes (marked '^'), attributes for microdata (marked '*'), the non-standard 'bordercolor', and new-in-HTML5 attributes (marked '~'); can have multiple comma-separated values (marked '%'); can have multiple space-separated values (marked '$')
-  *  only non-frameset, HTML body elements
-  *  'name' for 'a' and 'map', and 'lang' are invalid in XHTML 1.1
-  *  'target' is valid for 'a' in XHTML 1.1 and higher
-  *  'xml:space' is only for XHTML 1.1
-
-  abbr - td, th
-  accept - form, input
-  accept-charset - form
-  action - form
-  align - applet, caption^, col, colgroup, div^, embed, h1^, h2^, h3^, h4^, h5^, h6^, hr^, iframe, img^, input^, legend^, object^, p^, table^, tbody, td, tfoot, th, thead, tr
-  allowfullscreen - iframe
-  alt - applet, area, img, input
-  archive - applet, object
-  async~ - script
-  autocomplete~ - input
-  autofocus~ - button, input, keygen, select, textarea
-  autoplay~ - audio, video
-  axis - td, th
-  bgcolor - embed, table^, td^, th^, tr^
-  border - img, object^, table
-  bordercolor - table, td, tr
-  cellpadding - table
-  cellspacing - table
-  challenge~ - keygen
-  char - col, colgroup, tbody, td, tfoot, th, thead, tr
-  charoff - col, colgroup, tbody, td, tfoot, th, thead, tr
-  charset - a, script
-  checked - command, input
-  cite - blockquote, del, ins, q
-  classid - object
-  clear - br^
-  code - applet
-  codebase - object, applet
-  codetype - object
-  color - font
-  cols - textarea
-  colspan - td, th
-  compact - dir, dl^, menu, ol^, ul^
-  content - meta
-  controls~ - audio, video
-  coords - area, a
-  crossorigin~ - img
-  data - object
-  datetime - del, ins, time
-  declare - object
-  default~ - track
-  defer - script
-  dir - bdo
-  dirname~ - input, textarea
-  disabled - button, command, fieldset, input, keygen, optgroup, option, select, textarea
-  download~ - a
-  enctype - form
-  face - font
-  flashvars** - embed
-  for - label, output
-  form~ - button, fieldset, input, keygen, label, object, output, select, textarea
-  formaction~ - button, input
-  formenctype~ - button, input
-  formmethod~ - button, input
-  formnovalidate~ - button, input
-  formtarget~ - button, input
-  frame - table
-  frameborder - iframe
-  headers - td, th
-  height - applet, canvas, embed, iframe, img, input, object, td^, th^, video
-  high~ - meter
-  href - a, area, link
-  hreflang - a, area, link
-  hspace - applet, embed, img^, object^
-  icon~ - command
-  ismap - img, input
-  keytype~ - keygen
-  keyparams~ - keygen
-  kind~ - track
-  label - command, menu, option, optgroup, track
-  language - script^
-  list~ - input
-  longdesc - img, iframe
-  loop~ - audio, video
-  low~ - meter
-  marginheight - iframe
-  marginwidth - iframe
-  max~ - input, meter, progress
-  maxlength - input, textarea
-  media~ - a, area, link, source, style
-  mediagroup~ - audio, video
-  method - form
-  min~ - input, meter
-  model** - embed
-  multiple - input, select
-  muted~ - audio, video
-  name - a^, applet^, button, embed, fieldset, form^, iframe^, img^, input, keygen, map^, object, output, param, select, textarea
-  nohref - area
-  noshade - hr^
-  novalidate~ - form
-  nowrap - td^, th^
-  object - applet
-  open~ - details
-  optimum~ - meter
-  pattern~ - input
-  ping~ - a, area
-  placeholder~ - input, textarea
-  pluginspage** - embed
-  pluginurl** - embed
-  poster~ - video
-  pqg~ - keygen
-  preload~ - audio, video
-  prompt - isindex
-  pubdate~ - time
-  radiogroup* - command
-  readonly - input, textarea
-  required~ - input, select, textarea
-  rel$ - a, area, link
-  rev - a
-  reversed~ - old
-  rows - textarea
-  rowspan - td, th
-  rules - table
-  sandbox~ - iframe
-  scope - td, th
-  scoped~ - style
-  scrolling - iframe
-  seamless~ - iframe
-  selected - option
-  shape - area, a
-  size - font, hr^, input, select
-  sizes~ - link
-  span - col, colgroup
-  src - audio, embed, iframe, img, input, script, source, track, video
-  srcdoc~ - iframe
-  srclang~ - track
-  srcset~% - img
-  standby - object
-  start - ol
-  step~ - input
-  summary - table
-  target - a, area, form
-  type - a, area, button, command, embed, input, li, link, menu, object, ol, param, script, source, style, ul
-  typemustmatch~ - object
-  usemap - img, input, object
-  valign - col, colgroup, tbody, td, tfoot, th, thead, tr
-  value - button, data, input, li, meter, option, param, progress
-  valuetype - param
-  vspace - applet, embed, img^, object^
-  width - applet, canvas, col, colgroup, embed, hr^, iframe, img, input, object, pre^, table, td^, th^, video
-  wmode - embed
-  wrap~ - textarea
-
-  The following attributes, including event-specific ones and attributes of ARIA and microdata specifications, are considered global and allowed in all elements:
-
-  accesskey, aria-activedescendant, aria-atomic, aria-autocomplete, aria-busy, aria-checked, aria-controls, aria-describedby, aria-disabled, aria-dropeffect, aria-expanded, aria-flowto, aria-grabbed, aria-haspopup, aria-hidden, aria-invalid, aria-label, aria-labelledby, aria-level, aria-live, aria-multiline, aria-multiselectable, aria-orientation, aria-owns, aria-posinset, aria-pressed, aria-readonly, aria-relevant, aria-required, aria-selected, aria-setsize, aria-sort, aria-valuemax, aria-valuemin, aria-valuenow, aria-valuetext, class$, contenteditable, contextmenu, dir, draggable, dropzone, hidden, id, inert, itemid, itemprop, itemref, itemscope, itemtype, lang, onabort, onblur, oncanplay, oncanplaythrough, onchange, onclick, oncontextmenu, oncopy, oncuechange, oncut, ondblclick, ondrag, ondragend, ondragenter, ondragleave, ondragover, ondragstart, ondrop, ondurationchange, onemptied, onended, onerror, onfocus, onformchange, onforminput, oninput, oninvalid, onkeydown, onkeypress, onkeyup, onload, onloadeddata, onloadedmetadata, onloadstart, onlostpointercapture, onmousedown, onmousemove, onmouseout, onmouseover, onmouseup, onmousewheel, onpaste, onpause, onplay, onplaying, onpointercancel, ongotpointercapture, onpointerdown, onpointerenter, onpointerleave, onpointermove, onpointerout, onpointerover, onpointerup, onprogress, onratechange, onreadystatechange, onreset, onsearch, onscroll, onseeked, onseeking, onselect, onshow, onstalled, onsubmit, onsuspend, ontimeupdate, ontoggle, ontouchcancel, ontouchend, ontouchmove, ontouchstart, onvolumechange, onwaiting, onwheel, role, spellcheck, style, tabindex, title, translate, xmlns, xml:base, xml:lang, xml:space
-
-  Custom `data-*` attributes, where the first three characters of the value of `star` (*) after lower-casing do not equal 'xml' and the value of `star` does not have a colon (:), equal-to (=), newline, solidus (/), space, tab, or any A-Z character, are also considered global and allowed in all elements.
-  
-
--- 5.3  CSS 2.1 properties accepting URLs --------------------------o
-
-
-  background
-  background-image
-  content
-  cue-after
-  cue-before
-  cursor
-  list-style
-  list-style-image
-  play-during
-
-
--- 5.4  Microsoft Windows 1252 character replacements --------------o
-
-
-  Key: 'd' double, 'l' left, 'q' quote, 'r' right, 's.' single
-
-  Code-point (decimal) - hexadecimal value - replacement entity - represented character
-
-  127 - 7f - (removed) - (not used)
-  128 - 80 - &#8364; - euro
-  129 - 81 - (removed) - (not used)
-  130 - 82 - &#8218; - baseline s. q
-  131 - 83 - &#402; - florin
-  132 - 84 - &#8222; - baseline d q
-  133 - 85 - &#8230; - ellipsis
-  134 - 86 - &#8224; - dagger
-  135 - 87 - &#8225; - d dagger
-  136 - 88 - &#710; - circumflex accent
-  137 - 89 - &#8240; - permile
-  138 - 8a - &#352; - S Hacek
-  139 - 8b - &#8249; - l s. guillemet
-  140 - 8c - &#338; - OE ligature
-  141 - 8d - (removed) - (not used)
-  142 - 8e - &#381; - Z dieresis
-  143 - 8f - (removed) - (not used)
-  144 - 90 - (removed) - (not used)
-  145 - 91 - &#8216; - l s. q
-  146 - 92 - &#8217; - r s. q
-  147 - 93 - &#8220; - l d q
-  148 - 94 - &#8221; - r d q
-  149 - 95 - &#8226; - bullet
-  150 - 96 - &#8211; - en dash
-  151 - 97 - &#8212; - em dash
-  152 - 98 - &#732; - tilde accent
-  153 - 99 - &#8482; - trademark
-  154 - 9a - &#353; - s Hacek
-  155 - 9b - &#8250; - r s. guillemet
-  156 - 9c - &#339; - oe ligature
-  157 - 9d - (removed) - (not used)
-  158 - 9e - &#382; - z dieresis
-  159 - 9f - &#376; - Y dieresis
-
-
--- 5.5  URL format -------------------------------------------------o
-
-
-  An `absolute` URL has a 'protocol' or 'scheme', a 'network location' or 'hostname', and, optional 'path', 'parameters', 'query' and 'fragment' segments. Thus, an absolute URL has this generic structure:
-
-    (scheme) : (//network location) /(path) ;(parameters) ?(query) #(fragment)
-
-  The schemes can only contain letters, digits, '+', '.' and '-'. Hostname is the portion after the '//' and up to the first '/' (if any; else, up to the end) when ':' is followed by a '//' (e.g., 'abc.com' in 'ftp://abc.com/def'); otherwise, it consists of everything after the ':' (e.g., 'def@abc.com' in mailto:def@abc.com').
-
-  `Relative` URLs do not have explicit schemes and network locations; such values are inherited from a `base` URL.
-
-
--- 5.6  Brief on htmLawed code -------------------------------------o
-
-
-  Much of the code's logic and reasoning can be understood from the documentation above.
-
-  The *output* of htmLawed is a text string containing the processed input. There is no custom error tracking.
-
-  *Function arguments* for htmLawed are:
-
-  *  '$in' - first argument; a text string; the *input text* to be processed. Any extraneous slashes added by PHP when `magic quotes` are enabled should be removed beforehand using PHP's 'stripslashes()' function.
-
-  *  '$config' - second argument; an associative array; optional; named '$C' within htmLawed code. The array has keys with names like 'balance' and 'keep_bad', and the values, which can be boolean, string, or array, depending on the key, are read to accordingly set the *configurable parameters* (indicated by the keys). All configurable parameters receive some default value if the value to be used is not specified by the user through '$config'. `Finalized` '$config' is thus a filtered and possibly larger array.
-
-  *  '$spec' - third argument; a text string; optional. The string has rules, written in an htmLawed-designated format, *specifying* element-specific attribute and attribute value restrictions. Function 'hl_spec()' is used to convert the string to an associative-array, named '$S' within htmLawed code, for internal use. `Finalized` '$spec' is thus an array.
-
-  `Finalized` '$config' and '$spec' are made *global variables* while htmLawed is at work. Values of any pre-existing global variables with same names are noted, and their values are restored after htmLawed finishes processing the input (to capture the `finalized` values, the 'show_settings' parameter of '$config' should be used). Depending on '$config', another global variable 'hl_Ids', to track 'id' attribute values for uniqueness, may be set. Unlike the other two variables, this one is not reset (or unset) post-processing.
-
-  Except for the main 'htmLawed()' function, htmLawed's functions are *name-spaced* using the 'hl_' prefix. The *functions* and their roles are:
-
-  *  'hl_attrval' - check attribute values against '$spec'
-  *  'hl_bal' - balance tags and ensure proper nesting
-  *  'hl_cmtcd' - handle CDATA sections and HTML comments
-  *  'hl_ent' - handle character entities
-  *  'hl_prot' - check a URL scheme/protocol
-  *  'hl_regex' - check syntax of a regular expression
-  *  'hl_spec' - convert user-supplied '$spec' value to one used internally
-  *  'hl_tag' - handle element tags and attributes
-  *  'hl_tag2' - transform element tags
-  *  'hl_tidy' - compact/beautify HTML 
-  *  'hl_version' - report htmLawed version
-  *  'htmLawed' - main function
-
-  'htmLawed()' finalizes '$spec' (with the help of 'hl_spec()') and '$config', and globalizes them. Finalization of '$config' involves setting default values if an inappropriate or invalid one is supplied. This includes calling 'hl_regex()' to check well-formedness of regular expression patterns if such expressions are user-supplied through '$config'. 'htmLawed()' then removes invalid characters like nulls and 'x01' and appropriately handles entities using 'hl_ent()'. HTML comments and CDATA sections are identified and treated as per '$config' with the help of 'hl_cmtcd()'. When retained, the '<' and '>' characters identifying them, and the '<', '>' and '&' characters inside them, are replaced with control characters (code-points '1' to '5') till any tag balancing is completed.
-
-  After this `initial processing` 'htmLawed()' identifies tags using regex and processes them with the help of 'hl_tag()' --  a large function that analyzes tag content, filtering it as per HTML standards, '$config' and '$spec'. Among other things, 'hl_tag()' transforms deprecated elements using 'hl_tag2()', removes attributes from closing tags, checks attribute values as per '$spec' rules using 'hl_attrval()', and checks URL protocols using 'hl_prot()'. 'htmLawed()' performs tag balancing and nesting checks with a call to 'hl_bal()', and optionally compacts/beautifies the output with proper white-spacing with a call to 'hl_tidy()'. The latter temporarily replaces white-space, and '<', '>' and '&' characters inside 'pre', 'script' and 'textarea' elements, and HTML comments and CDATA sections with control characters (code-points '1' to '5', and '7').
-
-  htmLawed permits the use of custom code or *hook functions* at two stages. The first, called inside 'htmLawed()', allows the input text as well as the finalized '$config' and '$spec' values to be altered right after the initial processing (see section:- #3.7). The second is called by 'hl_tag()' once the tag content is finalized (see section:- #3.4.9).
-
-  The functionality of htmLawed is dictated by the external HTML standards. The code of htmLawed is thus written for a clear-cut aim, with not much concern for tweaking by other developers. The code is only minimally annotated with comments -- it is not meant to instruct. PHP developers familiar with the HTML specifications will see the logic, and others can always refer to the htmLawed documentation.
-
-___________________________________________________________________oo
-
-
-@@description: htmLawed PHP software is a free, open-source, customizable HTML input purifier and filter
-@@encoding: utf-8
-@@keywords: htmLawed, HTM, HTML, HTML5, HTML 5, XHTML, XHTML5, HTML Tidy, converter, filter, formatter, purifier, sanitizer, XSS, input, PHP, software, code, script, security, cross-site scripting, hack, sanitize, remove, standards, tags, attributes, elements, Aria, Ruby, data attributes, tidy, indent, auto-indent, prettify, pretty print
-@@language: en
-@@title: htmLawed documentation
+/*

+htmLawed_README.txt, 24 September 2019

+htmLawed 1.2.5, 24 September 2019

+Copyright Santosh Patnaik

+Dual licensed with LGPL 3 and GPL 2+

+A PHP Labware internal utility - http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed

+*/

+

+

+==  Content =========================================================

+

+

+1  About htmLawed

+  1.1  Example uses

+  1.2  Features

+  1.3  History

+  1.4  License & copyright

+  1.5  Terms used here

+  1.6  Availability

+2  Usage

+  2.1  Simple

+  2.2  Configuring htmLawed using the '$config' argument

+  2.3  Extra HTML specifications using the '$spec' argument

+  2.4  Performance time & memory usage

+  2.5  Some security risks to keep in mind

+  2.6  Use with 'kses()' code

+  2.7  Tolerance for ill-written HTML

+  2.8  Limitations & work-arounds

+  2.9  Examples of usage

+3  Details

+  3.1  Invalid/dangerous characters

+  3.2  Character references/entities

+  3.3  HTML elements

+    3.3.1  HTML comments & 'CDATA' sections

+    3.3.2  Tag-transformation for better compliance with standards

+    3.3.3  Tag balancing & proper nesting

+    3.3.4  Elements requiring child elements

+    3.3.5  Beautify or compact HTML

+  3.4  Attributes

+    3.4.1  Auto-addition of XHTML-required attributes

+    3.4.2  Duplicate/invalid 'id' values

+    3.4.3  URL schemes & scripts in attribute values

+    3.4.4  Absolute & relative URLs

+    3.4.5  Lower-cased, standard attribute values

+    3.4.6  Transformation of deprecated attributes

+    3.4.7  Anti-spam & 'href'

+    3.4.8  Inline style properties

+    3.4.9  Hook function for tag content

+  3.5  Simple configuration directive for most valid XHTML

+  3.6  Simple configuration directive for most `safe` HTML

+  3.7  Using a hook function

+  3.8  Obtaining `finalized` parameter values

+  3.9  Retaining non-HTML tags in input with mixed markup

+4  Other

+  4.1  Support

+  4.2  Known issues

+  4.3  Change-log

+  4.4  Testing

+  4.5  Upgrade, & old versions

+  4.6  Comparison with 'HTMLPurifier'

+  4.7  Use through application plug-ins/modules

+  4.8  Use in non-PHP applications

+  4.9  Donate

+  4.10  Acknowledgements

+5  Appendices

+  5.1  Characters discouraged in HTML

+  5.2  Valid attribute-element combinations

+  5.3  CSS 2.1 properties accepting URLs

+  5.4  Microsoft Windows 1252 character replacements

+  5.5  URL format

+  5.6  Brief on htmLawed code

+

+

+== 1  About htmLawed ================================================

+

+

+  htmLawed is a PHP script to process text with HTML markup to make it more compliant with HTML standards and with administrative policies. It works by making HTML well-formed with balanced and properly nested tags, neutralizing code that introduces a security vulnerability or is used for cross-site scripting (XSS) attacks, allowing only specified HTML tags and attributes, and so on. Such `lawing in` of HTML code ensures that it is in accordance with the aesthetics, safety and usability requirements set by administrators.

+  

+  htmLawed is highly customizable, and fast with low memory usage. Its free and open-source code is in one small file. It does not require extensions or libraries, and works in older versions of PHP as well. It is a good alternative to the HTML Tidy:- http://tidy.sourceforge.net application.

+

+

+-- 1.1  Example uses ------------------------------------------------

+

+

+  *  Filtering of text submitted as comments on blogs to allow only certain HTML elements

+

+  *  Making RSS newsfeed items standard-compliant: often one uses an excerpt from an HTML document for the content, and with unbalanced tags, non-numerical entities, etc., such excerpts may not be XML-compliant

+  

+  *  Beautifying or pretty-printing HTML code

+

+  *  Text processing for stricter XML standard-compliance: e.g., to have lowercased 'x' in hexadecimal numeric entities becomes necessary if an HTML document with MathML content needs to be served as 'application/xml'

+

+  *  Scraping text from web-pages

+  

+  *  Transforming an HTML element to another

+

+

+-- 1.2  Features ---------------------------------------------------o

+

+

+  Key: '*' security feature, '^' standard compliance, '~' requires setting right options

+  

+  htmLawed:

+  

+  *  makes input more *secure* and *standard-compliant* for HTML as well as generic *XML* documents  ^

+  *  supports markup for *HTML 5* and *microdata, ARIA, Ruby, custom attributes*, etc.  ^

+  *  can *beautify* or *compact* HTML  ~

+  *  works with input of almost any *character encoding* and does not affect it

+  *  has good *tolerance for ill-written HTML*

+

+  *  can enforce *restricted use of elements*  *~

+  *  ensures proper closure of empty elements like 'img'  ^

+  *  *transforms deprecated elements* like 'font'  ^~

+  *  can permit HTML *comments* and *CDATA* sections  ^~

+  *  can permit all elements, including 'script', 'object' and 'form'  ~

+

+  *  can *restrict attributes by element*  ^~

+  *  removes *invalid attributes*  ^

+  *  lower-cases element and attribute names  ^

+  *  provides *required attributes*, like 'alt' for 'image'  ^

+  *  *transforms deprecated attributes*  ^~

+  *  ensures attributes are *declared only once*  ^

+  *  permits *custom*, non-standard attributes as well as custom rules for standard attributes  ~

+

+  *  declares value for `empty` (`minimized` or `boolean`) attributes like 'checked'  ^

+  *  checks for potentially dangerous attribute values  *~

+  *  ensures *unique* 'id' attribute values  ^~

+  *  *double-quotes* attribute values  ^

+  *  lower-cases *standard attribute values* like 'password'  ^

+

+  *  can restrict *URL protocol/scheme by attribute*  *~

+  *  can disable *dynamic expressions* in 'style' values  *~

+

+  *  neutralizes invalid named *character entities*  ^

+  *  converts hexadecimal numeric entities to decimal ones, or vice versa  ^~

+  *  converts named entities to numeric ones for generic XML use  ^~

+

+  *  removes *null* characters  *

+  *  neutralizes potentially dangerous proprietary Netscape *Javascript entities*  *

+  *  replaces potentially dangerous *soft-hyphen* character in URL-accepting attribute values with spaces  *

+

+  *  removes common *invalid characters* not allowed in HTML or XML  ^

+  *  replaces *characters from Microsoft applications* like 'Word' that are discouraged in HTML or XML  ^~

+  *  neutralize entities for characters invalid or discouraged in HTML or XML  ^

+  *  appropriately neutralize '<', '&', '"', and '>' characters  ^*

+

+  *  understands improperly spaced tag content (e.g., spread over more than a line) and properly spaces them

+  *  attempts to *balance tags* for well-formedness  ^~

+  *  understands when *omitable closing tags* like '</p>' are missing  ^~

+  *  attempts to permit only *validly nested tags*  ^~

+  *  can *either remove or neutralize bad content* ^~

+  *  attempts to *rectify common errors of plain-text misplacement* (e.g., directly inside 'blockquote') ^~

+

+  *  has optional *anti-spam* measures such as addition of 'rel="nofollow"' and link-disabling  ~

+  *  optionally makes *relative URLs absolute*, and vice versa  ~

+

+  *  optionally marks '&' to identify the entities for '&', '<' and '>' introduced by it  ~

+

+  *  allows deployment of powerful *hook functions* to *inject* HTML, *consolidate* 'style' attributes to 'class', finely check attribute values, etc.  ~

+

+

+-- 1.3  History ----------------------------------------------------o

+

+

+  htmLawed was created in 2007 for use with 'LabWiki', a wiki software developed at PHP Labware, as a suitable software could not be found. Existing PHP software like 'Kses' and 'HTMLPurifier' were deemed inadequate, slow, resource-intensive, or dependent on an extension or external application like 'HTML Tidy'. The core logic of htmLawed, that of identifying HTML elements and attributes, was based on the 'Kses' (version 0.2.2) HTML filter software of Ulf Harnhammar (it can still be used with code that uses 'Kses'; see section:- #2.6.). Support for HTML version 5 was added in May 2013 in a beta and in February 2017 in a production release.

+  

+  See section:- #4.3 for a detailed log of changes in htmLawed over the years, and section:- #4.10 for acknowledgements.

+

+

+-- 1.4  License & copyright ----------------------------------------o

+

+

+  htmLawed is free and open-source software, copyrighted by Santosh Patnaik, MD, PhD, and dual-licensed with LGPL version 3:- http://www.gnu.org/licenses/lgpl-3.0.txt, and GPL version 2:- http://www.gnu.org/licenses/gpl-2.0.txt (or later) licenses.

+

+

+-- 1.5  Terms used here --------------------------------------------o

+

+

+  In this document, only HTML body-level elements are considered. htmLawed does not have support for head-level elements, 'body', and the frame-level elements, 'frameset', 'frame' and 'noframes', and these elements are ignored here.

+

+  *  `administrator` - or admin; person setting up the code that utilizes htmLawed; also, `user`

+  *  `attributes` - name-value pairs like 'href="http://x.com"' in opening tags

+  *  `author` - see `writer`

+  *  `character` - atomic unit of text; internally represented by a numeric `code-point` as specified by the `encoding` or `charset` in use

+  *  `entity` - markup like '&gt;' and '&#160;' used to refer to a character

+  *  `element` - HTML element like 'a' and 'img'

+  *  `element content` -  content between the opening and closing tags of an element, like 'click' of the '<a href="x">click</a>' element

+  *  `HTML` - implies XHTML unless specified otherwise

+  *  `HTML body` - content in the `body` container of an HTML document

+  *  `input` - text given to htmLawed to process

+  *  `legal` – standard-compliant; also, `valid`

+  *  `processing` - involves filtering, correction, etc., of input

+  *  `safe` - absence or reduction of certain characters and HTML elements and attributes in HTML of text that can otherwise potentially, and circumstantially, expose text readers to security vulnerabilities like cross-site scripting attacks (XSS)

+  *  `scheme` - a URL protocol like 'http' and 'ftp'

+  *  `specification` - detailed description including rules that define HTML

+  *  `standard` – widely accepted specification

+  *  `style property` - terms like 'border' and 'height' for which declarations are made in values for the 'style' attribute of elements

+  *  `tag` - markers like '<a href="x">' and '</a>' delineating element content; the opening tag can contain attributes

+  *  `tag content` - consists of tag markers '<' and '>', element names like 'div', and possibly attributes

+  *  `user` - administrator

+  *  `valid` - see `legal`

+  *  `writer` - end-user like a blog commenter providing the input that is to be processed; also, `author`

+  *  `XHTML` - XML-compliant HTML; parsing rules for XHTML are more strict than for regular HTML

+

+

+-- 1.6  Availability -----------------------------------------------o

+

+

+  htmLawed can be downloaded for free at its website:- http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed. Besides the 'htmLawed.php' file, the download has the htmLawed documentation (this document) in plain text:- htmLawed_README.txt and HTML:- htmLawed_README.htm formats, a script for testing:- htmLawedTest.php, and a text file for test-cases:- htmLawed_TESTCASE.txt. htmLawed is also available as a PHP class (OOP code) at its website.

+

+

+== 2  Usage =======================================================oo

+

+

+  htmLawed works in PHP version 4.4 or higher. Either 'include()' the 'htmLawed.php' file, or copy-paste the entire code.

+  

+  To use with PHP 4.3, have the following code included:

+

+    if(!function_exists('ctype_digit')){

+     function ctype_digit($var){

+      return ((int) $var == $var);

+     }

+    }

+

+

+-- 2.1  Simple ------------------------------------------------------

+

+

+  The input text to be processed, '$text', is passed as an argument of type string; 'htmLawed()' returns the processed string:

+

+    $processed = htmLawed($text);

+    

+  With the 'htmLawed class' (section:- #1.6), usage is:

+  

+    $processed = htmLawed::hl($text);

+

+  *Notes*: (1) If input is from a '$_GET' or '$_POST' value, and 'magic quotes' are enabled on the PHP setup, run 'stripslashes()' on the input before passing to htmLawed. (2) htmLawed does not have support for head-level elements, 'body', and the frame-level elements, 'frameset', 'frame' and 'noframes'.

+

+  By default, htmLawed will process the text allowing all valid HTML elements/tags and commonly used URL schemes and CSS style properties. It will allow Javascript code, 'CDATA' sections and HTML comments, balance tags, and ensure proper nesting of elements. Such actions can be configured using two other optional arguments -- '$config' and '$spec':

+

+    $processed = htmLawed($text, $config, $spec); 

+

+  The '$config' and '$spec' arguments are detailed below. Some examples are shown in section:- #2.9. For maximum protection against 'XSS' and other security vulnerabilities, consider using the 'safe' parameter; see section:- #3.6.

+

+

+-- 2.2  Configuring htmLawed using the '$config' argument ---------o

+

+

+  '$config' instructs htmLawed on how to tackle certain tasks. When '$config' is not specified, or not set as an array (e.g., '$config = 1'), htmLawed will take default actions. One or many of the task-action or parameter-value pairs can be specified in '$config' as array key-value pairs. If a parameter is not specified, htmLawed will use the default value for it, indicated further below. In PHP code, parameter values that are integers should not be quoted and should be used as numeric types (unless meant as string/text). Thus, for instance:

+

+    $config = array('comment'=>0, 'cdata'=>1, 'elements'=>'a, b, strong');

+    $processed = htmLawed($text, $config);

+

+  Below are the various parameters that can be specified in '$config'.

+

+  Key: '*' default, '^' different from htmLawed versions below 1.2, '~' different default when 'valid_xhtml' is set to '1' (see section:- #3.5), '"' different default when 'safe' is set to '1' (see section:- #3.6)

+

+  *abs_url*

+  Make URLs absolute or relative; '$config["base_url"]' needs to be set; see section:- #3.4.4

+

+  '-1' - make relative

+  '0' - no action  *

+  '1' - make absolute

+

+  *and_mark*

+  Mark '&' characters in the original input; see section:- #3.2

+

+  *anti_link_spam*

+  Anti-link-spam measure; see section:- #3.4.7

+      

+  '0' - no measure taken  *

+  `array("regex1", "regex2")` - will ensure a 'rel' attribute with 'nofollow' in its value in case the 'href' attribute value matches the regular expression pattern 'regex1', and/or will remove 'href' if its value matches the regular expression pattern 'regex2'. E.g., 'array("/./", "/://\W*(?!(abc\.com|xyz\.org))/")'; see section:- #3.4.7 for more.

+

+  *anti_mail_spam*

+  Anti-mail-spam measure; see section:- #3.4.7

+

+  '0' - no measure taken  *

+  `word` - '@' in mail address in 'href' attribute value is replaced with specified `word`

+

+  *balance*

+  Balance tags for well-formedness and proper nesting; see section:- #3.3.3

+

+  '0' - no

+  '1' - yes  *

+

+  *base_url*

+  Base URL value that needs to be set if '$config["abs_url"]' is not '0'; see section:- #3.4.4

+

+  *cdata*

+  Handling of 'CDATA' sections; see section:- #3.3.1

+

+  '0' - don't consider 'CDATA' sections as markup and proceed as if plain text  "

+  '1' - remove

+  '2' - allow, but neutralize any '<', '>', and '&' inside by converting them to named entities

+  '3' - allow  *

+

+  *clean_ms_char*

+  Replace `discouraged` characters introduced by Microsoft Word, etc.; see section:- #3.1

+

+  '0' - no  *

+  '1' - yes

+  '2' - yes, but replace special single & double quotes with ordinary ones

+

+  *comment*

+  Handling of HTML comments; see section:- #3.3.1

+

+  '0' - don't consider comments as markup and proceed as if plain text  "

+  '1' - remove

+  '2' - allow, but neutralize any '<', '>', and '&' inside by converting to named entities

+  '3' - allow  *

+

+  *css_expression*

+  Allow dynamic CSS expression by not removing the expression from CSS property values in 'style' attributes; see section:- #3.4.8

+

+  '0' - remove  *

+  '1' - allow

+

+  *deny_attribute*

+  Denied HTML attributes; see section:- #3.4

+

+  '0' - none  *

+  `string` - dictated by values in `string`

+  'on*' - on* event attributes like 'onfocus' not allowed  "

+  

+  *direct_nest_list*

+  Allow direct nesting of a list within another without requiring it to be a list item; see section:- #3.3.4

+

+  '0' - no  *

+  '1' - yes

+

+  *elements*

+  Allowed HTML elements; see section:- #3.3

+

+  `all` - *^

+  '* -acronym -big -center -dir -font -isindex -s -strike -tt' -  ~^

+  `applet, audio, canvas, embed, iframe, object, script, and video elements not allowed` -  "^

+

+  *hexdec_entity*

+  Allow hexadecimal numeric entities and do not convert to the more widely accepted decimal ones, or convert decimal to hexadecimal ones; see section:- #3.2

+

+  '0' - no

+  '1' - yes  *

+  '2' - convert decimal to hexadecimal ones

+

+  *hook*

+  Name of an optional hook function to alter the input string, '$config' or '$spec' before htmLawed enters the main phase of its work; see section:- #3.7

+

+  '0' - no hook function  *

+  `name` - `name` is name of the hook function

+

+  *hook_tag*

+  Name of an optional hook function to alter tag content finalized by htmLawed; see section:- #3.4.9

+

+  '0' - no hook function  *

+  `name` - `name` is name of the hook function

+

+  *keep_bad*

+  Neutralize `bad` tags by converting their '<' and '>' characters to entities, or remove them; see section:- #3.3.3

+

+  '0' - remove  

+  '1' - neutralize both tags and element content

+  '2' - remove tags but neutralize element content

+  '3' and '4' - like '1' and '2' but remove if text ('pcdata') is invalid in parent element

+  '5' and '6' * -  like '3' and '4' but line-breaks, tabs and spaces are left

+

+  *lc_std_val*

+  For XHTML compliance, predefined, standard attribute values, like 'get' for the 'method' attribute of 'form', must be lowercased; see section:- #3.4.5

+

+  '0' - no

+  '1' - yes  *

+

+  *make_tag_strict*

+  Transform or remove these deprecated HTML elements, even if they are allowed by the admin: acronym, applet, big, center, dir, font, isindex, s, strike, tt; see section:- #3.3.2

+

+  '0' - no  

+  '1' - yes, but leave 'applet' and 'isindex' that currently cannot be transformed  *^

+  '2' - yes, removing 'applet' and 'isindex' elements and their contents (nested elements remain)  ~^

+

+  *named_entity*

+  Allow non-universal named HTML entities, or convert to numeric ones; see section:- #3.2

+

+  '0' - convert

+  '1' - allow  *

+

+  *no_deprecated_attr*

+  Allow deprecated attributes or transform them; see section:- #3.4.6

+

+  '0' - allow  

+  '1' - transform, but 'name' attributes for 'a' and 'map' are retained  *

+  '2' - transform

+

+  *parent*

+  Name of the parent element, possibly imagined, that will hold the input; see section:- #3.3

+

+  *safe*

+  Magic parameter to make input the most secure against vulnerabilities like XSS without needing to specify other relevant '$config' parameters; see section:- #3.6

+

+  '0' - no  *

+  '1' - will auto-adjust other relevant '$config' parameters (indicated by '"' in this list)  ^

+

+  *schemes*

+  Array of attribute-specific, comma-separated, lower-cased list of schemes (protocols) allowed in attributes accepting URLs (or '!' to `deny` any URL); '*' covers all unspecified attributes; see section:- #3.4.3

+

+  'href: aim, app, feed, file, ftp, gopher, http, https, javascript, irc, mailto, news, nntp, sftp, ssh, tel, telnet; *:data, file, http, https, javascript'  *^

+  'href: aim, feed, file, ftp, gopher, http, https, irc, mailto, news, nntp, sftp, ssh, tel, telnet; style: !; *:file, http, https'  "

+

+  *show_setting*

+  Name of a PHP variable to assign the `finalized` '$config' and '$spec' values; see section:- #3.8

+

+  *style_pass*

+  Ignore 'style' attribute values, letting them through without any alteration

+

+  '0' - no *

+  '1' - htmLawed will let through any 'style' value; see section:- #3.4.8

+

+  *tidy*

+  Beautify or compact HTML code; see section:- #3.3.5

+

+  '-1' - compact

+  '0' - no  *

+  '1' or `string` - beautify (custom format specified by 'string')

+

+  *unique_ids*

+  'id' attribute value checks; see section:- #3.4.2

+

+  '0' - no  

+  '1' - remove duplicate and/or invalid ones  *

+  `word` - remove invalid ones and replace duplicate ones with new and unique ones based on the `word`; the admin-specified `word` cannot contain a space character

+

+  *valid_xhtml*

+  Magic parameter to make input the most valid XHTML without needing to specify other relevant '$config' parameters; see section:- #3.5

+

+  '0' - no  *

+  '1' - will auto-adjust other relevant '$config' parameters (indicated by '~' in this list)

+

+  *xml:lang*

+  Auto-add 'xml:lang' attribute; see section:- #3.4.1

+

+  '0' - no  *

+  '1' - add if 'lang' attribute is present

+  '2' - add if 'lang' attribute is present, and remove 'lang'  ~

+

+

+-- 2.3  Extra HTML specifications using the $spec parameter --------o

+

+

+  The '$spec' argument of htmLawed can be used to disallow an otherwise legal attribute for an element, or to restrict the attribute's values. This can also be helpful as a security measure (e.g., in certain versions of browsers, certain values can cause buffer overflows and denial of service attacks), or in enforcing admin policies. '$spec' is specified as a string of text containing one or more `rules`, with multiple rules separated from each other by a semi-colon (';'). E.g.,

+

+    $spec = 'i=-*; td, tr=style, id, -*; a=id(match="/[a-z][a-z\d.:\-`"]*/i"/minval=2), href(maxlen=100/minlen=34); img=-width,-alt';

+    $processed = htmLawed($text, $config, $spec);

+

+  Or,

+

+    $processed = htmLawed($text, $config, 'i=-*; td, tr=style, id, -*; a=id(match="/[a-z][a-z\d.:\-`"]*/i"/minval=2), href(maxlen=100/minlen=34); img=-width,-alt');

+

+  A rule begins with an HTML *element* name(s) (`rule-element`), for which the rule applies, followed by an equal-to (=) sign. A rule-element may represent multiple elements if comma (,)-separated element names are used. E.g., 'th,td,tr='.

+

+  Rest of the rule consists of comma-separated HTML *attribute names*. A minus (-) character before an attribute means that the attribute is not permitted inside the rule-element. E.g., '-width'. To deny all attributes, '-*' can be used.

+

+  Following shows examples of rule excerpts with rule-element 'a' and the attributes that are being permitted:

+

+  *  'a=' - all

+  *  'a=id' - all

+  *  'a=href, title, -id, -onclick' - all except 'id' and 'onclick'

+  *  'a=*, id, -id' - all except 'id'

+  *  'a=-*' - none

+  *  'a=-*, href, title' - none except 'href' and 'title'

+  *  'a=-*, -id, href, title' - none except 'href' and 'title'

+

+  Rules regarding *attribute values* are optionally specified inside round brackets after attribute names in solidus (/)-separated `parameter = value` pairs. E.g., 'title(maxlen=30/minlen=5)'. None or one or more of the following parameters may be specified:

+

+  *  'oneof' - one or more choices separated by '|' that the value should match; if only one choice is provided, then the value must match that choice; matching is case-sensitive

+

+  *  'noneof' - one or more choices separated by '|' that the value should not match; matching is case-sensitive

+

+  *  'maxlen' and 'minlen' - upper and lower limits for the number of characters in the attribute value; specified in numbers

+

+  *  'maxval' and 'minval' - upper and lower limits for the numerical value specified in the attribute value; specified in numbers

+

+  *  'match' and 'nomatch' - pattern that the attribute value should or should not match; specified as PHP/PCRE-compatible regular expressions with delimiters and possibly modifiers (e.g., to specify case-sensitivity for matching)

+

+  *  'default' - a value to force on the attribute if the value provided by the writer does not fit any of the specified parameters

+

+  If 'default' is not set and the attribute value does not satisfy any of the specified parameters, then the attribute is removed. The 'default' value can also be used to force all attribute declarations to take the same value (by getting the values declared illegal by setting, e.g., 'maxlen' to '-1').

+

+  Examples with `input` '<input title="WIDTH" value="10em" /><input title="length" value="5" class="ic1 ic2" />' are shown below.

+

+  `Rule`: 'input=title(maxlen=60/minlen=6), value'

+  `Output`: '<input value="10em" /><input title="length" value="5" class="ic1 ic2" />'

+

+  `Rule`: 'input=title(), value(maxval=8/default=6)'

+  `Output`: '<input title="WIDTH" value="6" /><input title="length" value="5" class="ic1 ic2" />'

+

+  `Rule`: 'input=title(nomatch=%w.d%i), value(match=%em%/default=6em)'

+  `Output`: '<input value="10em" /><input title="length" value="6em" class="ic1 ic2" />'

+

+  `Rule`: 'input=class(noneof=ic2|ic3/oneof=ic1|ic4), title(oneof=height|depth/default=depth), value(noneof=5|6)'

+  `Output`: '<input title="depth" value="10em" /><input title="depth" class="ic1" />'

+

+  *Special characters*: The characters ';', ',', '/', '(', ')', '|', '~' and space have special meanings in the rules. Words in the rules that use such characters, or the characters themselves, should be `escaped` by enclosing in pairs of double-quotes ('"'). A back-tick ('`') can be used to escape a literal '"'. An example rule illustrating this is 'input=value(maxlen=30/match="/^\w/"/default="your `"ID`"")'.

+

+  *Attributes that accept multiple values*: If an attribute is 'accesskey', 'class', 'itemtype' or 'rel', which can have multiple, space-separated values, or 'srcset', which can have multiple, comma-separated values, htmLawed will parse the attribute value for such multiple values and will individually test each of them.

+   

+  *Note*: To deny an attribute for all elements for which it is legal, '$config["deny_attribute"]' (see section:- #3.4) can be used instead of '$spec'. Also, attributes can be allowed element-specifically through '$spec' while being denied globally through '$config["deny_attribute"]'. The 'hook_tag' parameter (section:- #3.4.9) can also be possibly used to implement a functionality like that achieved using '$spec' functionality.

+  

+  *Note*: Attributes' specifications for an element may be set through multiple rules. In case of conflict, the attribute specification in the first rule will get precedence.

+  

+  '$spec' can also be used to permit custom, non-standard attributes as well as custom rules for standard attributes. Thus, the following value of '$spec' will permit the custom uses of the standard 'rel' attribute in 'input' (not permitted as per standards) and of a non-standard attribute, 'vFlag', in 'img'.

+  

+    $spec = 'img=vFlag; input=rel'

+

+  The attribute names must begin with an alphabet and cannot have space, equal-to (=) and solidus (/) characters.

+

+

+-- 2.4  Performance time & memory usage ----------------------------o

+

+

+  The time and memory consumed during text processing by htmLawed depends on its configuration, the size of the input, and the amount, nestedness and well-formedness of the HTML markup within the input. In particular, tag balancing and beautification each can increase the processing time by about a quarter.

+

+  The htmLawed demo:- htmLawedTest.php can be used to evaluate the performance and effects of different types of input and '$config'.

+

+

+-- 2.5  Some security risks to keep in mind ------------------------o

+

+

+  When setting the parameters/arguments (like those to allow certain HTML elements) for use with htmLawed, one should bear in mind that the setting may let through potentially `dangerous` HTML code which is meant to steal user-data, deface a website, render a page non-functional, etc. Unless end-users, either people or software, supplying the content are completely trusted, security issues arising from the degree of HTML usage permitted through htmLawed's setting should be considered. For example, following increase security risks:

+

+  *  Allowing 'script', 'applet', 'embed', 'iframe', 'canvas', 'audio', 'video' or 'object' elements, or certain of their attributes like 'allowscriptaccess'

+

+  *  Allowing HTML comments (some Internet Explorer versions are vulnerable with, e.g., '<!--[if gte IE 4]><script>alert("xss");</script><![endif]-->'

+  

+  *  Allowing dynamic CSS expressions (some Internet Explorer versions are vulnerable)

+  

+  *  Allowing the 'style' attribute

+

+  To remove `unsecure` HTML, code-developers using htmLawed must set '$config' appropriately. E.g., '$config["elements"] = "* -script"' to deny the 'script' element (section:- #3.3), '$config["safe"] = 1' to auto-configure ceratin htmLawed parameters for maximizing security (section:- #3.6), etc. 

+  

+  Permitting the '*style*' attribute brings in risks of `click-jacking`, `phishing`, web-page overlays, etc., `even` when the 'safe' parameter is enabled (see section:- #3.6). Except for URLs and a few other things like CSS dynamic expressions, htmLawed currently does not check every CSS style property. It does provide ways for the code-developer implementing htmLawed to do such checks through htmLawed's '$spec' argument, and through the 'hook_tag' parameter (see section:- #3.4.8 for more). Disallowing 'style' completely and relying on CSS classes and stylesheet files is recommended.

+  

+  htmLawed does not check or correct the character *encoding* of the input it receives. In conjunction with permissive circumstances, such as when the character encoding is left undefined through HTTP headers or HTML 'meta' tags, this can allow for an exploit (like Google's `UTF-7/XSS` vulnerability of the past).

+  

+  Ocassionally, though very rarely, the default settings with which htmLawed runs may change between different versions of htmLawed. Admins should keep this in mind when upgrading htmLawed. Important changes in htmLawed's default behavior in new releases of the software are noted in section:- #4.5 on upgrades.

+

+

+-- 2.6  Use with 'kses()' code -------------------------------------o

+

+

+  The 'Kses' PHP script for HTML filtering is used by many applications (like 'WordPress', as in year 2012). It is possible to have such applications use htmLawed instead, since it is compatible with code that calls the 'kses()' function declared in the 'Kses' file (usually named 'kses.php'). E.g., application code like this will continue to work after replacing 'Kses' with htmLawed:

+

+    $comment_filtered = kses($comment_input, array('a'=>array(), 'b'=>array(), 'i'=>array()));

+

+  If the application uses a 'Kses' file that has the 'kses()' function declared, then, to have the application use htmLawed instead of 'Kses', rename 'htmLawed.php' (to 'kses.php', e.g.) and replace the 'Kses' file (or just replace the code in the 'Kses' file with the htmLawed code). If the 'kses()' function in the 'Kses' file had been renamed by the application developer (e.g., in 'WordPress', it is named 'wp_kses()'), then appropriately rename the 'kses()' function in the htmLawed code. Then, add the following code (which was a part of htmLawed prior to version 1.2):

+

+    // kses compatibility

+    function kses($t, $h, $p=array('http', 'https', 'ftp', 'news', 'nntp', 'telnet', 'gopher', 'mailto')){

+     foreach($h as $k=>$v){

+      $h[$k]['n']['*'] = 1;

+     }

+     $C['cdata'] = $C['comment'] = $C['make_tag_strict'] = $C['no_deprecated_attr'] = $C['unique_ids'] = 0;

+     $C['keep_bad'] = 1;

+     $C['elements'] = count($h) ? strtolower(implode(',', array_keys($h))) : '-*';

+     $C['hook'] = 'kses_hook';

+     $C['schemes'] = '*:'. implode(',', $p);

+     return htmLawed($t, $C, $h);

+     }

+

+    function kses_hook($t, &$C, &$S){

+     return $t;

+    }

+

+  If the 'Kses' file used by the application has been significantly altered by the application developers, then one may need a different approach. E.g., with 'WordPress' (as in the year 2012), it is best to copy the htmLawed code, along with the above-mentioned additions, to 'wp_includes/kses.php', rename the newly added function 'kses()' to 'wp_kses()', and delete the code for the original 'wp_kses()' function.

+

+  If the 'Kses' code has a non-empty hook function (e.g., 'wp_kses_hook()' in case of 'WordPress'), then the code for htmLawed's 'kses_hook()' function should be appropriately edited. However, the requirement of the hook function should be re-evaluated considering that htmLawed has extra capabilities. With 'WordPress', the hook function is an essential one. The following code is suggested for the htmLawed 'kses_hook()' in case of 'WordPress':

+

+    // kses compatibility

+    function kses_hook($string, &$cf, &$spec){   

+     $allowed_html = $spec;

+     $allowed_protocols = array();

+     foreach($cf['schemes'] as $v){

+      foreach($v as $k2=>$v2){

+       if(!in_array($k2, $allowed_protocols)){

+        $allowed_protocols[] = $k2;

+       }

+      }

+     }

+     return wp_kses_hook($string, $allowed_html, $allowed_protocols);

+    }

+

+

+-- 2.7  Tolerance for ill-written HTML -----------------------------o

+

+

+  htmLawed can work with ill-written HTML code in the input. However, HTML that is too ill-written may not be `read` as HTML, and may therefore get identified as mere plain text. Following statements indicate the degree of `looseness` that htmLawed can work with, and can be provided in instructions to writers:

+

+  *  Tags must be flanked by '<' and '>' with no '>' inside -- any needed '>' should be put in as '&gt;'. It is possible for tag content (element name and attributes) to be spread over many lines instead of being on one. A space may be present between the tag content and '>', like '<div >' and '<img / >', but not after the '<'.

+

+  *  Element and attribute names need not be lower-cased.

+

+  *  Attribute string of elements may be liberally spaced with tabs, line-breaks, etc.

+

+  *  Attribute values may be single- and not double-quoted.

+

+  *  Left-padding of numeric entities (like, '&#0160;', '&x07ff;') with '0' is okay as long as the number of characters between between the '&' and the ';' does not exceed 8. All entities must end with ';' though. 

+

+  *  Named character entities must be properly cased. Thus, '&Lt;' or '&TILDE;' will not be recognized as entities and will be `neutralized`.

+

+  *  HTML comments should not be inside element tags (they can be between tags), and should begin with '<!--' and end with '-->'. Characters like '<', '>', and '&' may be allowed inside depending on '$config', but any '-->' inside should be put in as '--&gt;'. Any '--' inside will be automatically converted to '-', and a space will be added before the '-->' comment-closing marker  unless '$config["comments"]' is set to '4' (section:- #3.3.1).

+

+  *  'CDATA' sections should not be inside element tags, and can be in element content only if plain text is allowed for that element. They should begin with '<[CDATA[' and end with ']]>'. Characters like '<', '>', and '&' may be allowed inside depending on '$config', but any ']]>' inside should be put in as ']]&gt;'.

+

+  *  For attribute values, character entities '&lt;', '&gt;' and '&amp;' should be used instead of characters '<' and '>', and '&' (when '&' is not part of a character entity). This applies even for Javascript code in values of attributes like 'onclick'.

+

+  *  Characters '<', '>', '&' and '"' that are part of actual Javascript, etc., code in 'script' elements should be used as such and not be put in as entities like '&gt;'. Otherwise, though the HTML will be valid, the code may fail to work. Further, if such characters have to be used, then they should be put inside 'CDATA' sections.

+

+  *  Simple instructions like "an opening tag cannot be present between two closing tags" and "nested elements should be closed in the reverse order of how they were opened" can help authors write balanced HTML. If tags are imbalanced, htmLawed will try to balance them, but in the process, depending on '$config["keep_bad"]', some code/text may be lost.

+

+  *  Input authors should be notified of admin-specified allowed elements, attributes, configuration values (like conversion of named entities to numeric ones), etc.

+

+  *  With '$config["unique_ids"]' not '0' and the 'id' attribute being permitted, writers should carefully avoid using duplicate or invalid 'id' values as even though htmLawed will correct/remove the values, the final output may not be the one desired. E.g., when '<a id="home"></a><input id="home" /><label for="home"></label>' is processed into 

+'<a id="home"></a><input id="prefix_home" /><label for="home"></label>'.

+

+  *  Even if intended HTML is lost from an ill-written input, the processed output will be more secure and standard-compliant.

+

+  *  For URLs, unless '$config["scheme"]' is appropriately set, writers should avoid using escape characters or entities in schemes. E.g., 'htt&#112;' (which many browsers will read as the harmless 'http') may be considered bad by htmLawed.

+

+  *  htmLawed will attempt to put plain text present directly inside 'blockquote', 'form', 'map' and 'noscript' elements (illegal as per the specifications) inside auto-generated 'div' elements during tag balancing (section:- #3.3.3).

+

+

+-- 2.8  Limitations & work-arounds ---------------------------------o

+

+

+  htmLawed's main objective is to make the input text `more` standard-compliant, secure for readers, and free of HTML elements and attributes considered undesirable by the administrator. Some of its current limitations, regardless of this objective, are noted below along with possible work-arounds.

+

+  It should be borne in mind that no browser application is 100% standard-compliant, standard specifications continue to evolve, and many browsers accept commonly used non-standard HTML. Regarding security, note that `unsafe` HTML code is not legally invalid per se.

+  

+  *  By default, htmLawed will not strictly adhere to the `current` HTML standard. Admins can configure htmLawed to be more strict about standard compliance. Standard specification for HTML is continuously evolving. There are two bodies (W3C:- http://www.w3c.org and WHATWG:- http://www.whatwg.org) that specify the standard and their specifications are not identical. E.g., as in mid-2013, the 'border' attribute is valid in 'table' as per W3C but not WHATWG. Thus, htmLawed may not be fully compliant with the standard of a specific group. The HTML standards/rules that htmLawed uses in its logic are a mix of the W3C and WHATWG standards, and can be lax because of the laxity of HTML interpreters (browsers) regarding standards.

+  

+  *  In general, htmLawed processes input to generate output that is most likely to be standard-compatible in most users' browsers. Thus, for example, it does not enforce the required value of '0' on 'border' attribute of 'img' (an HTML version 5 specification).

+

+  *  htmLawed is meant for input that goes into the 'body' of HTML documents. HTML's head-level elements are not supported, nor are the frame-specific elements 'frameset', 'frame' and 'noframes'. However, content of the latter elements can be individually filtered through htmLawed.

+

+  *  It cannot handle input that has non-HTML code like 'SVG' and 'MathML'. One way around is to break the input into pieces and passing only those without non-HTML code to htmLawed. Another is described in section:- #3.9. A third way may be to some how take advantage of the '$config["and_mark"]' parameter (see section:- #3.2).

+

+  *  By default, htmLawed won't check many attribute values for standard compliance. E.g., 'width="20m"' with the dimension in non-standard 'm' is let through. Implementing universal and strict attribute value checks can make htmLawed slow and resource-intensive. Admins should look at the 'hook_tag' parameter (section:- #3.4.9) or '$spec' to enforce finer checks on attribute values.

+  

+  *  By default, htmLawed considers all ARIA, data-*, event and microdata attributes as global attributes and permits them in all elements. This is not strictly standard-compliant. E.g., the 'itemtype' microdata attribute is permitted only in elements that also have the 'itemscope' attribute. Admins can configure htmLawed to be more strict about this (section:- #2.3).

+

+  *  The attributes, deprecated (which can be transformed too) or not, that it supports are largely those that are in the specifications. Only a few of the proprietary attributes are supported. However, '$spec' can be used to allow custom attributes (section:- #2.3).

+

+  *  Except for contained URLs and dynamic expressions (also optional), htmLawed does not check CSS style property values. Admins should look at using the 'hook_tag' parameter (section:- #3.4.9) or '$spec' for finer checks. Perhaps the best option is to disallow 'style' but allow 'class' attributes with the right 'oneof' or 'match' values for 'class', and have the various class style properties in '.css' CSS stylesheet files.

+

+  *  htmLawed does not parse emoticons, decode `BBcode`, or `wikify`, auto-converting text to proper HTML. Similarly, it won't convert line-breaks to 'br' elements. Such functions are beyond its purview. Admins should use other code to pre- or post-process the input for such purposes.

+

+  *  htmLawed cannot be used to have links force-opened in new windows (by auto-adding appropriate 'target' and 'onclick' attributes to 'a'). Admins should look at Javascript-based DOM-modifying solutions for this. Admins may also be able to use a custom hook function to enforce such checks ('hook_tag' parameter; see section:- #3.4.9).

+

+  *  Nesting-based checks are not possible. E.g., one cannot disallow 'p' elements specifically inside 'td' while permitting it elsewhere. Admins may be able to use a custom hook function to enforce such checks ('hook_tag' parameter; see section:- #3.4.9).

+

+  *  Except for optionally converting absolute or relative URLs to the other type, htmLawed will not alter URLs (e.g., to change the value of query strings or to convert 'http' to 'https'. Having absolute URLs may be a standard-requirement, e.g., when HTML is embedded in email messages, whereas altering URLs for other purposes is beyond htmLawed's goals. Admins may be able to use a custom hook function to enforce such checks ('hook_tag' parameter; see section:- #3.4.9).

+

+  *  Pairs of opening and closing tags that do not enclose any content (like '<em></em>') are not removed. This may be against the standard specification for certain elements (e.g., 'table'). However, presence of such standard-incompliant code will not break the display or layout of content. Admins can also use simple regex-based code to filter out such code.

+

+  *  htmLawed does not check for certain element orderings described in the standard specifications (e.g., in a 'table', 'tbody' is allowed before 'tfoot'). Admins may be able to use a custom hook function to enforce such checks ('hook_tag' parameter; see section:- #3.4.9).

+

+  *  htmLawed does not check the number of nested elements. E.g., it will allow two 'caption' elements in a 'table' element, illegal as per standard specifications. Admins may be able to use a custom hook function to enforce such checks ('hook_tag' parameter; see section:- #3.4.9).

+  

+  *  There are multiple ways to interpret ill-written HTML. E.g., in '<small><small>text</small>', is it that the second closing tag for 'small' is missing or is it that the second opening tag for 'small' was put in by mistake? htmLawed corrects the HTML in the string assuming the former, while the user may have intended the string for the latter. This is an issue that is impossible to address perfectly.

+

+  *  htmLawed might convert certain entities to actual characters and remove backslashes and CSS comment-markers ('/*') in 'style' attribute values in order to detect malicious HTML like crafted, Internet Explorer browser-specific dynamic expressions like '&#101;xpression...'. If this is too harsh, admins can allow CSS expressions through htmLawed core but then use a custom function through the 'hook_tag' parameter (section:- #3.4.9) to more specifically identify CSS expressions in the 'style' attribute values. Also, using '$config["style_pass"]', it is possible to have htmLawed pass 'style' attribute values without even looking at them (section:- #3.4.8).

+

+  *  htmLawed does not correct certain possible attribute-based security vulnerabilities (e.g., '<a href="http://x%22+style=%22background-image:xss">x</a>'). These arise when browsers mis-identify markup in `escaped` text, defeating the very purpose of escaping text (a bad browser will read the given example as '<a href="http://x" style="background-image:xss">x</a>').

+  

+  *  Because of poor Unicode support in PHP, htmLawed does not remove the `high value` HTML-invalid characters with multi-byte code-points. Such characters however are extremely unlikely to be in the input. (see section:- #3.1).

+  

+  *  htmLawed does not check or correct the character encoding of the input it receives. In conjunction with permitting circumstances such as when the character encoding is left undefined through HTTP headers or HTML 'meta' tags, this can permit an exploit (like Google's `UTF-7/XSS` vulnerability of the past). Also, htmLawed can mangle input text if it is not well-formed in terms of character encoding. Administrators can consider using code available elsewhere to check well-formedness of input text characters to correct any defect.

+  

+  *  htmLawed is expected to work with input texts in ASCII standard-compatible single-byte encodings such as national variants of ASCII (like ISO-646-DE/German of the ISO 646 standard), extended ASCII variants (like ISO 8859-10/Turkish of the ISO 8859/ISO Latin standard), ISO 8859-based Windows variants (like Windows 1252), EBCDIC, Shift JIS (Japanese), GB-Roman (Chinese), and KS-Roman (Korean). It should also properly handle texts with variable-byte encodings like UTF-7 (Unicode) and UTF-8 (Unicode). However, htmLawed may mangle input texts with double-byte encodings like UTF-16 (Unicode), JIS X 0208:1997 (Japanese) and K SX 1001:1992 (Korean), or the UTF-32 (Unicode) quadruple-byte encoding. If an input text has such an encoding, administrators can use PHP's iconv:- http://php.net/manual/en/book.iconv.php functions, or some other mean, to convert text to UTF-8 before passing it to htmLawed.

+

+  *  Like any script using PHP's PCRE regex functions, PHP setup-specific low PCRE limit values can cause htmLawed to at least partially fail with very long input texts.

+

+

+-- 2.9  Examples of usage ------------------------------------------o

+

+

+  Safest, allowing only `safe` HTML markup --

+  

+    $config = array('safe'=>1);

+    $out = htmLawed($in, $config);

+    

+  Simplest, allowing all valid HTML markup including Javascript --

+  

+    $out = htmLawed($in);

+    

+  Allowing all valid HTML markup but restricting URL schemes in 'src' attribute values to 'http' and 'https' --

+  

+    $config = array('schemes'=>'*:*; src:http, https');

+    $out = htmLawed($in, $config);

+    

+  Allowing only 'safe' HTML and the elements 'a', 'em', and 'strong' --

+  

+    $config = array('safe'=>1, 'elements'=>'a, em, strong');

+    $out = htmLawed($in, $config);

+    

+  Not allowing elements 'script' and 'object' --

+  

+    $config = array('elements'=>'* -script -object');

+    $out = htmLawed($in, $config);

+    

+  Not allowing attributes 'id' and 'style' --

+  

+    $config = array('deny_attribute'=>'id, style');

+    $out = htmLawed($in, $config);

+    

+  Permitting only attributes 'title' and 'href' --

+  

+    $config = array('deny_attribute'=>'* -title -href');

+    $out = htmLawed($in, $config);

+    

+  Remove bad/disallowed tags altogether instead of converting them to entities --

+  

+    $config = array('keep_bad'=>0);

+    $out = htmLawed($in, $config);

+    

+  Allowing attribute 'title' only in 'a' and not allowing attributes 'id', 'style', or scriptable `on*` attributes like 'onclick' --

+  

+    $config = array('deny_attribute'=>'title, id, style, on*');

+    $spec = 'a=title';

+    $out = htmLawed($in, $config, $spec);

+    

+  Allowing a custom attribute, 'vFlag', in 'img' and permitting custom use of the standard attribute, 'rel', in 'input' --

+  

+    $spec = 'img=vFlag; input=rel';

+    $out = htmLawed($in, $config, $spec);

+

+  Some case-studies are presented below.

+

+  *1.* A blog administrator wants to allow only 'a', 'em', 'strike', 'strong' and 'u' in comments, but needs 'strike' and 'u' transformed to 'span' for better XHTML 1-strict compliance, and, he wants the 'a' links to point only to 'http' or 'https' resources:

+

+    $processed = htmLawed($in, array('elements'=>'a, em, strike, strong, u', 'make_tag_strict'=>1, 'safe'=>1, 'schemes'=>'*:http, https'), 'a=href');

+

+  *2.* An author uses a custom-made web application to load content on his website. He is the only one using that application and the content he generates has all types of HTML, including scripts. The web application uses htmLawed primarily as a tool to correct errors that creep in while writing HTML and to take care of the occasional `bad` characters in copy-paste text introduced by Microsoft Office. The web application provides a preview before submitted input is added to the content. For the previewing process, htmLawed is set up as follows:

+

+    $processed = htmLawed($in, array('css_expression'=>1, 'keep_bad'=>1, 'make_tag_strict'=>1, 'schemes'=>'*:*', 'valid_xhtml'=>1));

+

+  For the final submission process, 'keep_bad' is set to '6'. A value of '1' for the preview process allows the author to note and correct any HTML mistake without losing any of the typed text.

+

+  *3.* A data-miner is scraping information in a specific table of similar web-pages and is collating the data rows, and uses htmLawed to reduce unnecessary markup and white-spaces:

+

+    $processed = htmLawed($in, array('elements'=>'tr, td', 'tidy'=>-1), 'tr, td =');

+

+

+== 3  Details =====================================================oo

+

+

+-- 3.1  Invalid/dangerous characters --------------------------------

+

+

+  Valid characters (more correctly, their code-points) in HTML or XML are, hexadecimally, '9', 'a', 'd', '20' to 'd7ff', and 'e000' to '10ffff', except 'fffe' and 'ffff' (decimally, '9', '10', '13', '32' to '55295', and '57344' to '1114111', except '65534' and '65535'). htmLawed removes the invalid characters '0' to '8', 'b', 'c', and 'e' to '1f'.

+

+  Because of PHP's poor native support for multi-byte characters, htmLawed cannot check for the remaining invalid code-points. However, for various reasons, it is very unlikely for any of those characters to be in the input.

+

+  Characters that are discouraged (see section:- #5.1) but not invalid are not removed by htmLawed.

+

+  It (function 'hl_tag()') also replaces the potentially dangerous (in some Mozilla [Firefox] and Opera browsers) soft-hyphen character (code-point, hexadecimally, 'ad', or decimally, '173') in attribute values with spaces. Where required, the characters '<', '>', '&', and '"' are converted to entities.

+

+  With '$config["clean_ms_char"]' set as '1' or '2', many of the discouraged characters (decimal code-points '127' to '159' except '133') that many Microsoft applications incorrectly use (as per the 'Windows 1252' ['Cp-1252'] or a similar encoding system), and the character for decimal code-point '133', are converted to appropriate decimal numerical entities (or removed for a few cases)-- see appendix in section:- #5.4. This can help avoid some display issues arising from copying-pasting of content.

+

+  With '$config["clean_ms_char"]' set as '2', characters for the hexadecimal code-points '82', '91', and '92' (for special single-quotes), and '84', '93', and '94' (for special double-quotes) are converted to ordinary single and double quotes respectively and not to entities.

+

+  The character values are replaced with entities/characters and not character values referred to by the entities/characters to keep this task independent of the character-encoding of input text.

+

+  The '$config["clean_ms_char"]' parameter should not be used if authors do not copy-paste Microsoft-created text, or if the input text is not believed to use the 'Windows 1252' ('Cp-1252') or a similar encoding like 'Cp-1251' (otherwise, for example when UTF-8 encoding is in use, Japanese or Korean characters can get mangled). Further, the input form and the web-pages displaying it or its content should have the character encoding appropriately marked-up.

+

+

+-- 3.2  Character references/entities ------------------------------o

+

+

+  Valid character entities take the form '&*;' where '*' is '#x' followed by a hexadecimal number (hexadecimal numeric entity; like '&#xA0;' for non-breaking space), or alphanumeric like 'gt' (external or named entity; like '&nbsp;' for non-breaking space), or '#' followed by a number (decimal numeric entity; like '&#160;' for non-breaking space). Character entities referring to the soft-hyphen character (the '&shy;' or '\xad' character; hexadecimal code-point 'ad' [decimal '173']) in URL-accepting attribute values are always replaced with spaces; soft-hyphens in attribute values introduce vulnerabilities in some older versions of the Opera and Mozilla [Firefox] browsers.

+

+  htmLawed (function 'hl_ent()'):

+

+  *  Neutralizes entities with multiple leading zeroes or missing semi-colons (potentially dangerous)

+

+  *  Lowercases the 'X' (for XML-compliance) and 'A-F' of hexadecimal numeric entities

+

+  *  Neutralizes entities referring to characters that are HTML-invalid (see section:- #3.1)

+

+  *  Neutralizes entities referring to characters that are HTML-discouraged (code-points, hexadecimally, '7f' to '84', '86' to '9f', and 'fdd0' to 'fddf', or decimally, '127' to '132', '134' to '159', and '64991' to '64976'). Entities referring to the remaining discouraged characters (see section:- #5.1 for a full list) are let through.

+

+  *  Neutralizes named entities that are not in the specifications

+

+  *  Optionally converts valid HTML-specific named entities except '&gt;', '&lt;', '&quot;', and '&amp;' to decimal numeric ones (hexadecimal if $config["hexdec_entity"] is '2') for generic XML-compliance. For this, '$config["named_entity"]' should be '1'.

+

+  *  Optionally converts hexadecimal numeric entities to the more widely supported decimal ones. For this, '$config["hexdec_entity"]' should be '0'.

+

+  *  Optionally converts decimal numeric entities to the hexadecimal ones. For this, '$config["hexdec_entity"]' should be '2'.

+

+  `Neutralization` refers to the `entitification` of '&' to '&amp;'.

+

+  *Note*: htmLawed does not convert entities to the actual characters represented by them; one can pass the htmLawed output through PHP's 'html_entity_decode' function:- http://www.php.net/html_entity_decode for that.

+

+  *Note*: If '$config["and_mark"]' is set, and set to a value other than '0', then the '&' characters in the original input are replaced with the control character for the hexadecimal code-point '6' ('\x06'; '&' characters introduced by htmLawed, e.g., after converting '<' to '&lt;', are not affected). This allows one to distinguish, say, an '&gt;' introduced by htmLawed and an '&gt;' put in by the input writer, and can be helpful in further processing of the htmLawed-processed text (e.g., to identify the character sequence 'o(><)o' to generate an emoticon image). When this feature is active, admins should ensure that the htmLawed output is not directly used in web pages or XML documents as the presence of the '\x06' can break documents. Before use in such documents, and preferably before any storage, any remaining '\x06' should be changed back to '&', e.g., with:

+

+    $final = str_replace("\x06", '&', $prelim);

+

+  Also, see section:- #3.9.

+

+

+-- 3.3  HTML elements ----------------------------------------------o

+

+

+  htmLawed can be configured to allow only certain HTML elements (tags) in the input. Disallowed elements (just tag-content, and not element-content), based on '$config["keep_bad"]', are either `neutralized` (converted to plain text by entitification of '<' and '>') or removed.

+

+  E.g., with only 'em' permitted:

+

+  Input:

+

+      <em>My</em> website is <a href="http://a.com>a.com</a>.

+

+  Output, with '$config["keep_bad"] = 0':

+

+      <em>My</em> website is a.com.

+

+  Output, with '$config["keep_bad"]' not '0':

+

+      <em>My</em> website is &lt;a href=""&gt;a.com&lt;/a&gt;.

+

+  See section:- #3.3.3 for differences between the various non-zero '$config["keep_bad"]' values.

+

+  htmLawed by default permits these 118 HTML elements:

+

+    a, abbr, acronym, address, applet, area, article, aside, audio, b, bdi, bdo, big, blockquote, br, button, canvas, caption, center, cite, code, col, colgroup, command, data, datalist, dd, del, details, dfn, dir, div, dl, dt, em, embed, fieldset, figcaption, figure, font, footer, form, h1, h2, h3, h4, h5, h6, header, hgroup, hr, i, iframe, img, input, ins, isindex, kbd, keygen, label, legend, li, link, main, map, mark, menu, meta, meter, nav, noscript, object, ol, optgroup, option, output, p, param, pre, progress, q, rb, rbc, rp, rt, rtc, ruby, s, samp, script, section, select, small, source, span, strike, strong, style, sub, summary, sup, table, tbody, td, textarea, tfoot, th, thead, time, tr, track, tt, u, ul, var, video, wbr

+

+  The HTML version 4 elements 'acronym', 'applet', 'big', 'center', 'dir', 'font', 'strike', and 'tt' are obsolete/deprecated in HTML version 5. On the other hand, the obsolete/deprecated HTML 4 elements 'embed', 'menu' and 'u' are no longer so in HTML 5. Elements new to HTML 5 are 'article', 'aside', 'audio', 'bdi', 'canvas', 'command', 'data', 'datalist', 'details', 'figure', 'figcaption', 'footer', 'header', 'hgroup', 'keygen', 'link', 'main', 'mark', 'meta', 'meter', 'nav', 'output', 'progress', 'section', 'source', 'style', 'summary', 'time', 'track', 'video', and 'wbr'. The 'link', 'meta' and 'style' elements exist in HTML 4 but are not allowed in the HTML body. These 16 elements are `empty` elements that have an opening tag with possible content but no element content (thus, no closing tag): 'area', 'br', 'col', 'command', 'embed', 'hr', 'img', 'input', 'isindex', 'keygen', 'link', 'meta', 'param', 'source', 'track', and 'wbr'.

+

+  With '$config["safe"] = 1', the default set will exclude 'applet', 'audio', 'canvas', 'embed', 'iframe', 'object', 'script' and 'video'; see section:- #3.6.

+

+  When '$config["elements"]', which specifies allowed elements, is `properly` defined, and neither empty nor set to '0' or '*', the default set is not used. To have elements added to or removed from the default set, a '+/-' notation is used. E.g., '*-script-object' implies that only 'script' and 'object' are disallowed, whereas '*+embed' means that 'noembed' is also allowed. Elements can also be specified as comma separated names. E.g., 'a, b, i' means only 'a', 'b' and 'i' are permitted. In this notation, '*', '+' and '-' have no significance and can actually cause a mis-reading.

+

+  Some more examples of '$config["elements"]' values indicating permitted elements (note that empty spaces are liberally allowed for clarity):

+

+  *  'a, blockquote, code, em, strong' -- only 'a', 'blockquote', 'code', 'em', and 'strong'

+  *  '*-script' -- all excluding 'script'

+  *  '* -acronym -big -center -dir -font -isindex -s -strike -tt' -- only non-obsolete/deprecated elements of HTML5

+  *  '*+noembed-script' -- all including 'noembed' excluding 'script'

+

+  Some mis-usages (and the resulting permitted elements) that can be avoided:

+

+  *  '-*' -- none; instead of htmLawed, one might just use, e.g., the 'htmlspecialchars()' PHP function

+  *  '*, -script' -- all except 'script'; admin probably meant '*-script'

+  *  '-*, a, em, strong' -- all; admin probably meant 'a, em, strong'

+  *  '*' -- all; admin need not have set 'elements'

+  *  '*-form+form' -- all; a '+' will always over-ride any '-'

+  *  '*, noembed' -- only 'noembed'; admin probably meant '*+noembed'

+  *  'a, +b, i' -- only 'a' and 'i'; admin probably meant 'a, b, i'

+

+  Basically, when using the '+/-' notation, commas (',') should not be used, and vice versa, and '*' should be used with the former but not the latter.

+

+  *Note*: Even if an element that is not in the default set is allowed through '$config["elements"]', like 'noembed' in the last example, it will eventually be removed during tag balancing unless such balancing is turned off ('$config["balance"]' set to '0'). Currently, the only way around this, which actually is simple, is to edit htmLawed's PHP code which define various arrays in the function 'hl_bal()' to accommodate the element and its nesting properties.

+

+  A possible second way to specify allowed elements is to set '$config["parent"]' to an element name that supposedly will hold the input, and to set '$config["balance"]' to '1'. During tag balancing (see section:- #3.3.3), all elements that cannot legally nest inside the parent element will be removed. The parent element is auto-reset to 'div' if '$config["parent"]' is empty, 'body', or an element not in htmLawed's default set of 118 elements.

+

+  `Tag transformation` is possible for improving compliance with HTML standards -- most of the obsolete/deprecated elements of HTML version 5 are converted to valid  ones; see section:- #3.3.2.

+

+

+.. 3.3.1  Handling of comments & CDATA sections .....................

+

+

+  'CDATA' sections have the format '<![CDATA[...anything but not "]]>"...]]>', and HTML comments, '<!--...anything but not "-->"... -->'. Neither HTML comments nor 'CDATA' sections can reside inside tags. HTML comments can exist anywhere else, but 'CDATA' sections can exist only where plain text is allowed (e.g., immediately inside 'td' element content but not immediately inside 'tr' element content).

+

+  htmLawed (function 'hl_cmtcd()') handles HTML comments or 'CDATA' sections depending on the values of '$config["comment"]' or '$config["cdata"]'. If '0', such markup is not looked for and the text is processed like plain text. If '1', it is removed completely. If '2', it is preserved but any '<', '>' and '&' inside are changed to entities. If '3' for '$config["cdata"]', or '3' or '4' for '$config["comment"]', they are left as such. When '$config["comment"]' is set to '4', htmLawed will not force a space character before the '-->' comment-closing marker. While such a space is required for standard-compliance, it can corrupt marker code put in HTML by some software (such as Microsoft Outlook).  

+

+  Note that for the last two cases, HTML comments and 'CDATA' sections will always be removed from tag content (function 'hl_tag()').

+

+  Examples:

+

+  Input:

+    <!-- home link--><a href="home.htm"><![CDATA[x=&y]]>Home</a>

+  Output ('$config["comment"] = 0, $config["cdata"] = 2'):

+    &lt;-- home link--&gt;<a href="home.htm"><![CDATA[x=&amp;y]]>Home</a>

+  Output ('$config["comment"] = 1, $config["cdata"] = 2'):

+    <a href="home.htm"><![CDATA[x=&amp;y]]>Home</a>

+  Output ('$config["comment"] = 2, $config["cdata"] = 2'):

+    <!-- home link --><a href="home.htm"><![CDATA[x=&amp;y]]>Home</a>

+  Output ('$config["comment"] = 2, $config["cdata"] = 1'):

+    <!-- home link --><a href="home.htm">Home</a>

+  Output ('$config["comment"] = 3, $config["cdata"] = 3'):

+    <!-- home link --><a href="home.htm"><![CDATA[x=&y]]>Home</a>

+  Output ('$config["comment"] = 4, $config["cdata"] = 3'):

+    <!-- home link--><a href="home.htm"><![CDATA[x=&y]]>Home</a>

+    

+  For standard-compliance, comments are given the form '<!--comment -->', and any '--' in the content is made '-'. When '$config["comment"]' is set to '4', htmLawed will not force a space character before the '-->' comment-closing marker.

+

+  When '$config["safe"] = 1', CDATA sections and comments are considered plain text unless '$config["comment"]' or '$config["cdata"]' is explicitly specified; see section:- #3.6.

+

+

+.. 3.3.2  Tag-transformation for better compliance with standards ..o

+

+

+  If '$config["make_tag_strict"]' is set and not '0', following deprecated elements (and attributes), as per HTML 5 specification, even if admin-permitted, are mutated as indicated (element content remains intact; function 'hl_tag2()'):

+

+  *  acronym - 'abbr'

+  *  applet - based on '$config["make_tag_strict"]', unchanged ('1') or removed ('2')

+  *  big - 'span style="font-size: larger;"'

+  *  center - 'div style="text-align: center;"'

+  *  dir - 'ul'

+  *  font (face, size, color) - 'span style="font-family: ; font-size: ; color: ;"' (size transformation reference:- http://web.archive.org/web/20180201141931/http://style.cleverchimp.com/font_size_intervals/altintervals.html)

+  *  isindex - based on '$config["make_tag_strict"]', unchanged ('1') or removed ('2')

+  *  s - 'span style="text-decoration: line-through;"'

+  *  strike - 'span style="text-decoration: line-through;"'

+  *  tt - 'code'

+

+  For an element with a pre-existing 'style' attribute value, the extra style properties are appended.

+

+  Example input:

+

+    <center>

+     The PHP <s>software</s> script used for this <strike>web-page</strike> web-page is <font style="font-weight: bold " face=arial size='+3' color   =  "red  ">htmLawedTest.php</font>, from <u style= 'color:green'>PHP Labware</u>.

+    </center>

+

+  The output:

+

+    <div style="text-align: center;">

+     The PHP <span style="text-decoration: line-through;">software</span> script used for this <span style="text-decoration: line-through;">web-page</span> web-page is <span style="font-weight: bold; font-size: 200%; color: red; font-family: arial;">htmLawedTest.php</span>, from <u style="color:green">PHP Labware</u>.

+    </div>

+

+

+.. 3.3.3  Tag balancing & proper nesting ...........................o

+

+

+  If '$config["balance"]' is set to '1', htmLawed (function 'hl_bal()') checks and corrects the input to have properly balanced tags and legal element content (i.e., any element nesting should be valid, and plain text may be present only in the content of elements that allow them).

+

+  Depending on the value of '$config["keep_bad"]' (see section:- #2.2 and section:- #3.3), illegal content may be removed or neutralized to plain text by converting < and > to entities:

+

+  '0' - remove; this option is available only to maintain Kses-compatibility and should not be used otherwise (see section:- #2.6)

+  '1' - neutralize tags and keep element content

+  '2' - remove tags but keep element content

+  '3' and '4' - like '1' and '2', but keep element content only if text ('pcdata') is valid in parent element as per specs

+  '5' and '6' -  like '3' and '4', but line-breaks, tabs and spaces are left

+

+  Example input (disallowing the 'p' element):

+

+    <*> Pseudo-tags <*>

+    <xml>Non-HTML tag xml</xml>

+    <p>

+    Disallowed tag p

+    </p>

+    <ul>Bad<li>OK</li></ul>

+

+  The output with '$config["keep_bad"] = 1':

+

+    &lt;*&gt; Pseudo-tags &lt;*&gt;

+    &lt;xml&gt;Non-HTML tag xml&lt;/xml&gt;

+    &lt;p&gt;

+    Disallowed tag p

+    &lt;/p&gt;

+    <ul>Bad<li>OK</li></ul>

+

+  The output with '$config["keep_bad"] = 3':

+

+    &lt;*&gt; Pseudo-tags &lt;*&gt;

+    &lt;xml&gt;Non-HTML tag xml&lt;/xml&gt;

+    &lt;p&gt;

+    Disallowed tag p

+    &lt;/p&gt;

+    <ul><li>OK</li></ul>

+

+  The output with '$config["keep_bad"] = 6':

+

+    &lt;*&gt; Pseudo-tags &lt;*&gt;

+    Non-HTML tag xml

+    

+    Disallowed tag p

+    

+    <ul><li>OK</li></ul>

+

+  An option like '1' is useful, e.g., when a writer previews his submission, whereas one like '3' is useful before content is finalized and made available to all.

+

+  *Note:* In the example above, unlike '<*>', '<xml>' gets considered as a tag (even though there is no HTML element named 'xml'). Thus, the 'keep_bad' parameter's value affects '<xml>' but not '<*>'. In general, text matching the regular expression pattern '<(/?)([a-zA-Z][a-zA-Z1-6]*)([^>]*?)\s?>' is considered a tag (phrase enclosed by the angled brackets '<' and '>', and starting [with an optional slash preceding] with an alphanumeric word that starts with an alphabet...), and is subjected to the 'keep_bad' value.

+

+  Nesting/content rules for each of the 118 elements in htmLawed's default set (see section:- #3.3) are defined in function 'hl_bal()'. This means that if a non-standard element besides 'embed' is being permitted through '$config["elements"]', the element's tag content will end up getting removed if '$config["balance"]' is set to '1'.

+

+  Plain text and/or certain elements nested inside 'blockquote', 'form', 'map' and 'noscript' need to be in block-level elements. This point is often missed during manual writing of HTML code. htmLawed attempts to address this during balancing. E.g., if the parent container is set as 'form', the input 'B:<input type="text" value="b" />C:<input type="text" value="c" />' is converted to '<div>B:<input type="text" value="b" />C:<input type="text" value="c" /></div>'.

+

+

+.. 3.3.4  Elements requiring child elements ........................o

+

+

+  As per HTML specifications, elements such as those below require legal child elements nested inside them:

+

+    blockquote, dir, dl, form, map, menu, noscript, ol, optgroup, rbc, rtc, ruby, select, table, tbody, tfoot, thead, tr, ul

+

+  In some cases, the specifications stipulate the number and/or the ordering of the child elements. A 'table' can have 0 or 1 'caption', 'tbody', 'tfoot', and 'thead', but they must be in this order: 'caption', 'thead', 'tfoot', 'tbody'.

+

+  htmLawed currently does not check for conformance to these rules. Note that any non-compliance in this regard will not introduce security vulnerabilities, crash browser applications, or affect the rendering of web-pages.

+  

+  With '$config["direct_list_nest"]' set to '1', htmLawed will allow direct nesting of 'ol', 'ul', or 'menu' list within another 'ol', 'ul', or 'menu' without requiring the child list to be within an 'li' of the parent list. While this may not be standard-compliant, directly nested lists are rendered properly by almost all browsers. The parameter '$config["direct_list_nest"]' has no effect if tag balancing (section:- #3.3.3) is turned off.

+

+

+.. 3.3.5  Beautify or compact HTML .................................o

+

+

+  By default, htmLawed will neither `beautify` HTML code by formatting it with indentations, etc., nor will it make it compact by removing un-needed white-space.(It does always properly white-space tag content.)

+

+  As per the HTML standards, spaces, tabs and line-breaks in web-pages (except those inside 'pre' elements) are all considered equivalent, and referred to as `white-spaces`. Browser applications are supposed to consider contiguous white-spaces as just a single space, and to disregard white-spaces trailing opening tags or preceding closing tags. This white-space `normalization` allows the use of text/code beautifully formatted with indentations and line-spacings for readability. Such `pretty` HTML can, however, increase the size of web-pages, or make the extraction or scraping of plain text cumbersome.

+

+  With the '$config' parameter 'tidy', htmLawed can be used to beautify or compact the input text. Input with just plain text and no HTML markup is also subject to this. Besides 'pre', the 'script' and 'textarea' elements, CDATA sections, and HTML comments are not subjected to the tidying process.

+

+  To `compact`, use '$config["tidy"] = -1'; single instances or runs of white-spaces are replaced with a single space, and white-spaces trailing and leading open and closing tags, respectively, are removed.

+

+  To `beautify`, '$config["tidy"]' is set as '1', or for customized tidying, as a string like '2s2n'. The 's' or 't' character specifies the use of spaces or tabs for indentation. The first and third characters, any of the digits 0-9, specify the number of spaces or tabs per indentation, and any parental lead spacing (extra indenting of the whole block of input text). The 'r' and 'n' characters are used to specify line-break characters: 'n' for '\n' (Unix/Mac OS X line-breaks), 'rn' or 'nr' for '\r\n' (Windows/DOS line-breaks), or 'r' for '\r'.

+

+  The '$config["tidy"]' value of '1' is equivalent to '2s0n'. Other '$config["tidy"]' values are read loosely: a value of '4' is equivalent to '4s0n'; 't2', to '1t2n'; 's', to '2s0n'; '2TR', to '2t0r'; 'T1', to '1t1n'; 'nr3', to '3s0nr', and so on. Except in the indentations and line-spacings, runs of white-spaces are replaced with a single space during beautification.

+

+  Input formatting using '$config["tidy"]' is not recommended when input text has mixed markup (like HTML + PHP).

+

+

+-- 3.4  Attributes -------------------------------------------------o

+

+

+  In its default setting, htmLawed will only permit attributes described in the HTML specifications (including deprecated ones). A list of the attributes and the elements they are allowed in is in section:- #5.2. Using the '$spec' argument, htmLawed can be forced to permit custom, non-standard attributes as well as custom rules for standard attributes (section:- #2.3).

+  

+  Custom `data-*` (`data-star`) attributes, where the first three characters of the value of `star` (*) after lower-casing do not equal 'xml', and the value of `star` does not have a colon (:), equal-to (=), newline, solidus (/), space or tab character, or any upper-case A-Z character are allowed in all elements. ARIA, event and microdata attributes like 'aria-live', 'onclick' and 'itemid' are also considered global attributes (section:- #5.2).

+

+  When '$config["deny_attribute"]' is not set, or set to '0', or empty ('""'), all attributes are permitted. Otherwise, '$config["deny_attribute"]' can be set as a list of comma-separated names of the denied attributes. 'on*' can be used to refer to the group of potentially dangerous, script-accepting event attributes like 'onblur' and 'onchange' that have 'on' at the beginning of their names. Similarly, 'aria*' and 'data*' can be used to respectively refer to the set of all ARIA and data-* attributes.

+  

+  With '$config["safe"] = 1' (section:- #3.6), the 'on*' event attributes are automatically disallowed even if a value for '$config["deny_attribute"]' has been manually provided.

+

+  Note that attributes specified in '$config["deny_attribute"]' are denied globally, for all elements. To deny attributes for only specific elements, '$spec' (see section:- #2.3) can be used. '$spec' can also be used to element-specifically permit an attribute otherwise denied through '$config["deny_attribute"]'.

+  

+  Finer restrictions on attributes can also be put into effect through '$config["deny_attribute"]' (section:- 3.4.9).

+

+  *Note*: To deny all but a few attributes globally, a simpler way to specify '$config["deny_attribute"]' would be to use the notation '* -attribute1 -attribute2 ...'. Thus, a value of '* -title -href' implies that except 'href' and 'title' (where allowed as per standards) all other attributes are to be removed. With this notation, the value for the parameter 'safe' (section:- #3.6) will have no effect on 'deny_attribute'. Values of 'aria*' 'data*', and 'on*' cannot be used in this notation to refer to the sets of all ARIA, data-*, and on* attributes respectively.

+

+  htmLawed (function 'hl_tag()') also:

+

+  *  Lower-cases attribute names

+  *  Removes duplicate attributes (last one stays)

+  *  Gives attributes the form 'name="value"' and single-spaces them, removing unnecessary white-spacing

+  *  Provides `required` attributes (see section:- #3.4.1)

+  *  Double-quotes values and escapes any '"' inside them

+  *  Replaces the possibly dangerous soft-hyphen characters (hexadecimal code-point 'ad') in the values with spaces

+  *  Allows custom function to additionally filter/modify attribute values (see section:- #3.4.9)

+

+

+.. 3.4.1  Auto-addition of XHTML-required attributes ................

+

+

+  If indicated attributes for the following elements are found missing, htmLawed (function 'hl_tag()') will add them (with values same as attribute names unless indicated otherwise below):

+

+  *  area - alt ('area')

+  *  area, img - src, alt ('image')

+  *  bdo - dir ('ltr')

+  *  form - action

+  *  label - command

+  *  map - name

+  *  optgroup - label

+  *  param - name

+  *  style - scoped

+  *  textarea - rows ('10'), cols ('50')

+

+  Additionally, with '$config["xml:lang"]' set to '1' or '2', if the 'lang' but not the 'xml:lang' attribute is declared, then the latter is added too, with a value copied from that of 'lang'. This is for better standard-compliance. With '$config["xml:lang"]' set to '2', the 'lang' attribute is removed (XHTML specification).

+

+  Note that the 'name' attribute for 'map', invalid in XHTML, is also transformed if required -- see section:- #3.4.6.

+

+

+.. 3.4.2  Duplicate/invalid 'id' values ............................o

+

+

+  If '$config["unique_ids"]' is '1', htmLawed (function 'hl_tag()') removes 'id' attributes with values that are not standards-compliant (must not have a space character) or duplicate. If '$config["unique_ids"]' is a word (without a non-word character like space), any duplicate but otherwise valid value will be appropriately prefixed with the word to ensure its uniqueness.

+

+  Even if multiple inputs need to be filtered (through multiple calls to htmLawed), htmLawed ensures uniqueness of 'id' values as it uses a global variable ('$GLOBALS["hl_Ids"]' array). Further, an admin can restrict the use of certain 'id' values by presetting this variable before htmLawed is called into use. E.g.:

+

+    $GLOBALS['hl_Ids'] = array('top'=>1, 'bottom'=>1, 'myform'=>1); // id values not allowed in input

+    $processed = htmLawed($text); // filter input

+

+

+.. 3.4.3  URL schemes & scripts in attribute values ................o

+

+

+  htmLawed edits attributes that take URLs as values if they are found to contain un-permitted schemes. E.g., if the 'afp' scheme is not permitted, then '<a href="afp://domain.org">' becomes '<a href="denied:afp://domain.org">', and if Javascript is not permitted '<a onclick="javascript:xss();">' becomes '<a onclick="denied:javascript:xss();">'.

+

+  By default htmLawed permits these schemes in URLs for the 'href' attribute:

+

+    aim, app, feed, file, ftp, gopher, http, https, javascript, irc, mailto, news, nntp, sftp, ssh, tel, telnet

+

+  Also, only 'data', 'file', 'http', 'https' and 'javascript' are permitted in these attributes that accept URLs:

+

+    action, cite, classid, codebase, data, itemtype, longdesc, model, pluginspage, pluginurl, src, srcset, style, usemap, and event attributes like onclick

+

+  With '$config["safe"] = 1' (section:- #3.6), the above is changed to disallow 'app', 'data' and 'javascript'.

+  

+  These default sets are used when '$config["schemes"]' is not set (see section:- #2.2). To over-ride the defaults, '$config["schemes"]' is defined as a string of semi-colon-separated sub-strings of type 'attribute: comma-separated schemes'. E.g., 'href: mailto, http, https; onclick: javascript; src: http, https'. For unspecified attributes, 'data', 'file', 'http', 'https' and 'javascript' are permitted. This can be changed by passing schemes for '*' in '$config["schemes"]'. E.g., 'href: mailto, http, https; *: https, https'.

+

+  '*' (asterisk) can be put in the list of schemes to permit all protocols. E.g., 'style: *; img: http, https' results in protocols not being checked in 'style' attribute values. However, in such cases, any relative-to-absolute URL conversion, or vice versa, (section:- #3.4.4) is not done. When an attribute is explicitly listed in '$config["schemes"]', then filtering is dictated by the setting for the attribute, with no effect of the setting for asterisk. That is, the set of attributes that asterisk refers to no longer includes the listed attribute. 

+

+  Thus, `to allow the xmpp scheme`, one can set '$config["schemes"]' as 'href: mailto, http, https; *: http, https, xmpp', or 'href: mailto, http, https, xmpp; *: http, https, xmpp', or '*: *', and so on. The consequence of each of these example values will be different (e.g., only the last two but not the first will allow 'xmpp' in 'href')

+

+  As a side-note, one may find 'style: *' useful as URLs in 'style' attributes can be specified in a variety of ways, and the patterns that htmLawed uses to identify URLs may mistakenly identify non-URL text.

+  

+  '!' can be put in the list of schemes to disallow all protocols as well as `local` URLs. Thus, with 'href: http, style: !', '<a href="http://cnn.com" style="background-image: url(local.jpg);">CNN</a>' will become '<a href="http://cnn.com" style="background-image: url(denied:local.jpg);">CNN</a>'

+

+  *Note*: If URL-accepting attributes other than those listed above are being allowed, then the scheme will not be checked unless the attribute name contains the string 'src' (e.g., 'dynsrc') or starts with 'o' (e.g., 'onbeforecopy').

+

+  With '$config["safe"] = 1', all URLs are disallowed in the 'style' attribute values.

+

+

+.. 3.4.4  Absolute & relative URLs in attribute values ............o

+

+

+  htmLawed can make absolute URLs in attributes like 'href' relative ('$config["abs_url"]' is '-1'), and vice versa ('$config["abs_url"]' is '1'). URLs in scripts are not considered for this, and so are URLs like '#section_6' (fragment), '?name=Tim#show' (starting with query string), and ';var=1?name=Tim#show' (starting with parameters). Further, this requires that '$config["base_url"]' be set properly, with the '://' and a trailing slash ('/'), with no query string, etc. E.g., 'file:///D:/page/', 'https://abc.com/x/y/', or 'http://localhost/demo/' are okay, but 'file:///D:/page/?help=1', 'abc.com/x/y/' and 'http://localhost/demo/index.htm' are not.

+

+  For making absolute URLs relative, only those URLs that have the '$config["base_url"]' string at the beginning are converted. E.g., with '$config["base_url"] = "https://abc.com/x/y/"', 'https://abc.com/x/y/a.gif' and 'https://abc.com/x/y/z/b.gif' become 'a.gif' and 'z/b.gif' respectively, while 'https://abc.com/x/c.gif' is not changed.

+

+  When making relative URLs absolute, only values for scheme, network location (host-name) and path values in the base URL are inherited. See section:- #5.5 for more about the URL specification as per RFC 1808:- http://www.ietf.org/rfc/rfc1808.txt.

+

+

+.. 3.4.5  Lower-cased, standard attribute values ...................o

+

+

+  Optionally, for standard-compliance, htmLawed (function 'hl_tag()') lower-cases standard attribute values to give, e.g., 'input type="password"' instead of 'input type="Password"', if '$config["lc_std_val"]' is '1'. Attribute values matching those listed below for any of the elements listed further below (plus those for the 'type' attribute of 'button' or 'input') are lower-cased:

+

+    all, auto, baseline, bottom, button, captions, center, chapters, char, checkbox, circle, col, colgroup, color, cols, data, date, datetime, datetime-local, default, descriptions, email, file, get, groups, hidden, image, justify, left, ltr, metadata, middle, month, none, number, object, password, poly, post, preserve, radio, range, rect, ref, reset, right, row, rowgroup, rows, rtl, search, submit, subtitles, tel, text, time, top, url, week

+

+    a, area, bdo, button, col, fieldset, form, img, input, object, ol, optgroup, option, param, script, select, table, td, textarea, tfoot, th, thead, tr, track, xml:space

+

+  The following `empty` (`minimized`) attributes are always assigned lower-cased values (same as the attribute names):

+

+    checkbox, checked, command, compact, declare, defer, default, disabled, hidden, inert, ismap, itemscope, multiple, nohref, noresize, noshade, nowrap, open, radio, readonly, required, reversed, selected

+

+

+.. 3.4.6  Transformation of deprecated attributes ..................o

+

+

+  If '$config["no_deprecated_attr"]' is '0', then deprecated attributes are removed and, in most cases, their values are transformed to CSS style properties and added to the 'style' attributes (function 'hl_tag()'). Except for 'bordercolor' for 'table', 'tr' and 'td', the scores of proprietary attributes that were never part of any cross-browser standard are not supported in this functionality.

+

+  *  align in caption, div, h, h2, h3, h4, h5, h6, hr, img, input, legend, object, p, table - for 'img' with value of 'left' or 'right', becomes, e.g., 'float: left'; for 'div' and 'table' with value 'center', becomes 'margin: auto'; all others become, e.g., 'text-align: right'

+  *  bgcolor in table, td, th and tr - E.g., 'bgcolor="#ffffff"' becomes 'background-color: #ffffff'

+  *  border in object - E.g., 'height="10"' becomes 'height: 10px'

+  *  bordercolor in table, td and tr - E.g., 'bordercolor=#999999' becomes 'border-color: #999999;'

+  *  compact in dl, ol and ul - 'font-size: 85%'

+  *  cellspacing in table - 'cellspacing="10"' becomes 'border-spacing: 10px'

+  *  clear in br - E.g., 'clear="all" becomes 'clear: both'

+  *  height in td and th - E.g., 'height= "10"' becomes 'height: 10px' and 'height="*"' becomes 'height: auto'

+  *  hspace in img and object - E.g., 'hspace="10"' becomes 'margin-left: 10px; margin-right: 10px'

+  *  language in script - 'language="VBScript"' becomes 'type="text/vbscript"'

+  *  name in a, form, iframe, img and map - E.g., 'name="xx"' becomes 'id="xx"'

+  *  noshade in hr - 'border-style: none; border: 0; background-color: gray; color: gray'

+  *  nowrap in td and th - 'white-space: nowrap'

+  *  size in hr - E.g., 'size="10"' becomes 'height: 10px'

+  *  vspace in img and object - E.g., 'vspace="10"' becomes 'margin-top: 10px; margin-bottom: 10px'

+  *  width in hr, pre, table, td and th - like 'height'

+

+  Example input:

+

+    <img src="j.gif" alt="image" name="dad's" /><img src="k.gif" alt="image" id="dad_off" name="dad" />

+    <br clear="left" />

+    <hr noshade size="1" />

+    <img name="img" src="i.gif" align="left" alt="image" hspace="10" vspace="10" width="10em" height="20" border="1" style="padding:5px;" />

+    <table width="50em" align="center" bgcolor="red">

+     <tr>

+      <td width="20%">

+       <div align="center">

+        <h3 align="right">Section</h3>

+        <p align="right">Para</p>

+       </div>

+      </td>

+      <td width="*">

+      </td>

+     </tr>

+    </table>

+    <br clear="all" />

+

+  And the output with '$config["no_deprecated_attr"] = 1':

+

+    <img src="j.gif" alt="image" id="dad's" /><img src="k.gif" alt="image" id="dad_off" />

+    <br style="clear: left;" />

+    <hr style="border-style: none; border: 0; background-color: gray; color: gray; size: 1px;" />

+    <img src="i.gif" alt="image" width="10em" height="20" style="padding:5px; float: left; margin-left: 10px; margin-right: 10px; margin-top: 10px; margin-bottom: 10px; border: 1px;" id="img" />

+    <table width="50em" style="margin: auto; background-color: red;">

+     <tr>

+      <td style="width: 20%;">

+       <div style="margin: auto;">

+        <h3 style="text-align: right;">Section</h3>

+        <p style="text-align: right;">Para</p>

+       </div>

+      </td>

+      <td style="width: auto;">

+      </td>

+     </tr>

+    </table>

+    <br style="clear: both;" />

+

+  For 'lang', deprecated in XHTML 1.1, transformation is taken care of through '$config["xml:lang"]'; see section:- #3.4.1.

+

+  The attribute 'name' is deprecated in 'form', 'iframe', and 'img', and is replaced with 'id' if an 'id' attribute doesn't exist and if the 'name' value is appropriate for 'id' (i.e., doesn't have a non-word character like space). For such replacements for 'a' and 'map', for which the 'name' attribute is deprecated in XHTML 1.1, '$config["no_deprecated_attr"]' should be set to '2' (when set to '1', for these two elements, the 'name' attribute is retained).

+

+

+.. 3.4.7  Anti-spam & 'href' .......................................o

+

+

+  htmLawed (function 'hl_tag()') can check the 'href' attribute values (link addresses) as an anti-spam (email or link spam) measure.

+

+  If '$config["anti_mail_spam"]' is not '0', the '@' of email addresses in 'href' values like 'mailto:a@b.com' is replaced with text specified by '$config["anti_mail_spam"]'. The text should be of a form that makes it clear to others that the address needs to be edited before a mail is sent; e.g., '<remove_this_antispam>@' (makes the example address 'a<remove_this_antispam>@b.com').

+

+  For regular links, one can choose to have a 'rel' attribute with 'nofollow' in its value (which tells some search engines to not follow a link). This can discourage link spammers. Additionally, or as an alternative, one can choose to empty the 'href' value altogether (disable the link).

+

+  For use of these options, '$config["anti_link_spam"]' should be set as an array with values 'regex1' and 'regex2', both or one of which can be empty (like 'array("", "regex2")') to indicate that that option is not to be used. Otherwise, 'regex1' or 'regex2' should be PHP- and PCRE-compatible regular expression patterns: 'href' values will be matched against them and those matching the pattern will accordingly be treated.

+

+  Note that the regular expressions should have `delimiters`, and be well-formed and preferably fast. Absolute efficiency/accuracy is often not needed.

+

+  An example, to have a 'rel' attribute with 'nofollow' for all links, and to disable links that do not point to domains 'abc.com' and 'xyz.org':

+

+    $config["anti_link_spam"] = array('`.`', '`://\W*(?!(abc\.com|xyz\.org))`');

+

+

+.. 3.4.8  Inline style properties ..................................o

+

+

+  htmLawed can check URL schemes and dynamic expressions (to guard against Javascript, etc., script-based insecurities) in inline CSS style property values in the 'style' attributes. (CSS properties like 'background-image' that accept URLs in their values are noted in section:- #5.3.) Dynamic CSS expressions that allow scripting in the IE browser, and can be a vulnerability, can be removed from property values by setting '$config["css_expression"]' to '1' (default setting). Note that when '$config["css_expression"]' is set to '1', htmLawed will remove '/*' from the 'style' values.

+

+  *Note*: Because of the various ways of representing characters in attribute values (URL-escapement, entitification, etc.), htmLawed might alter the values of the 'style' attribute values, and may even falsely identify dynamic CSS expressions and URL schemes in them. If this is an important issue, checking of URLs and dynamic expressions can be turned off ('$config["schemes"] = "...style:*..."', see section:- #3.4.3, and '$config["css_expression"] = 0'). Alternately, admins can use their own custom function for finer handling of 'style' values through the 'hook_tag' parameter (see section:- #3.4.9).

+

+  It is also possible to have htmLawed let through any 'style' value by setting '$config["style_pass"]' to '1'.

+

+  As such, it is better to set up a CSS file with class declarations, disallow the 'style' attribute, set a '$spec' rule (see section:- #2.3) for 'class' for the 'oneof' or 'match' parameter, and ask writers to make use of the 'class' attribute.

+

+

+.. 3.4.9  Hook function for tag content ............................o

+

+

+  It is possible to utilize a custom hook function to alter the tag content htmLawed has finalized (i.e., after it has checked/corrected for required attributes, transformed attributes, lower-cased attribute names, etc.).

+

+  When '$config' parameter 'hook_tag' is set to the name of a function, htmLawed (function 'hl_tag()') will pass on the element name, and the `finalized` attribute name-value pairs as array elements to the function. The function, after completing a task such as filtering or tag transformation, will typically return an empty string, the full opening tag string like '<element_name attribute_1_name="attribute_1_value"...>' (for empty elements like 'img' and 'input', the element-closing slash '/' should also be included), etc.

+  

+  Any 'hook_tag' function, since htmLawed version 1.1.11, also receives names of elements in closing tags, such as 'a' in the closing '</a>' tag of the element '<a href="http://cnn.com">CNN</a>'. No other value is passed to the function since a closing tag contains only element names. Typically, the function will return an empty string or a full closing tag (like '</a>'). 

+

+  This is a *powerful functionality* that can be exploited for various objectives: consolidate-and-convert inline 'style' attributes to 'class', convert 'embed' elements to 'object', permit only one 'caption' element in a 'table' element, disallow embedding of certain types of media, *inject HTML*, use CSSTidy:- http://csstidy.sourceforge.net to sanitize 'style' attribute values, etc.

+

+  As an example, the custom hook code below can be used to force a series of specifically ordered 'id' attributes on all elements, and a specific 'param' element inside all 'object' elements:

+

+    function my_tag_function($element, $attribute_array=0){

+    

+      // If second argument is not received, it means a closing tag is being handled

+      if(is_numeric($attribute_array)){

+        return "</$element>";

+      }

+      

+      static $id = 0;

+      // Remove any duplicate element

+      if($element == 'param' && isset($attribute_array['allowscriptaccess'])){

+        return '';

+      }

+

+      $new_element = '';

+

+      // Force a serialized ID number

+      $attribute_array['id'] = 'my_'. $id;

+      ++$id;

+

+      // Inject param for allowscriptaccess

+      if($element == 'object'){

+        $new_element = '<param id="my_'. $id. '"; allowscriptaccess="never" />';

+        ++$id;

+      }

+

+      $string = '';

+      foreach($attribute_array as $k=>$v){

+        $string .= " {$k}=\"{$v}\"";

+      }

+      

+      static $empty_elements = array('area'=>1, 'br'=>1, 'col'=>1, 'command'=>1, 'embed'=>1, 'hr'=>1, 'img'=>1, 'input'=>1, 'isindex'=>1, 'keygen'=>1, 'link'=>1, 'meta'=>1, 'param'=>1, 'source'=>1, 'track'=>1, 'wbr'=>1);

+

+      return "<{$element}{$string}". (array_key_exists($element, $empty_elements) ? ' /' : ''). '>'. $new_element;

+    }

+

+  The 'hook_tag' parameter is different from the 'hook' parameter (section:- #3.7).

+

+  Snippets of hook function code developed by others may be available on the htmLawed:- http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed website.

+

+

+-- 3.5  Simple configuration directive for most valid XHTML --------o

+

+

+  If '$config["valid_xhtml"]' is set to '1', some relevant '$config' parameters (indicated by '~' in section:- #2.2) are auto-adjusted. This allows one to pass the '$config' argument with a simpler value. If a value for a parameter auto-set through 'valid_xhtml' is still manually provided, then that value will over-ride the auto-set value.

+

+

+-- 3.6  Simple configuration directive for most `safe` HTML --------o

+

+

+  `Safe` HTML refers to HTML that is restricted to reduce the vulnerability for scripting attacks (such as XSS) based on HTML code which otherwise may still be legal and compliant with the HTML standard specifications. When elements such as 'script' and 'object', and attributes such as 'onmouseover' and 'style' are allowed in the input text, an input writer can introduce malevolent HTML code. Note that what is considered 'safe' depends on the nature of the web application and the trust-level accorded to its users.

+

+  htmLawed allows an admin to use '$config["safe"]' to auto-adjust multiple '$config' parameters (such as 'elements' which declares the allowed element-set), which otherwise would have to be manually set. The relevant parameters are indicated by '"' in section:- #2.2). Thus, one can pass the '$config' argument with a simpler value. Having the 'safe' parameter set to '1' is equivalent to setting the following '$config' parameters to the noted values :

+  

+    cdata - 0

+    comment - 0

+    deny_attribute - on*

+    elements - * -applet -audio -canvas -embed -iframe -object -script -video

+    schemes - href: aim, feed, file, ftp, gopher, http, https, irc, mailto, news, nntp, sftp, ssh, tel, telnet; style: !; *:file, http, https

+

+  With 'safe' set to '1', htmLawed considers 'CDATA' sections and HTML comments as plain text, and prohibits the 'applet', 'audio', 'canvas', 'embed', 'iframe', 'object', 'script' and 'video' elements, and the 'on*' attributes like 'onclick'. ( There are '$config' parameters like 'css_expression' that are not affected by the value set for 'safe' but whose default values still contribute towards a more `safe` output.) Further, unless overridden by the value for parameter 'schemes' (see section:- #3.4.3), the schemes 'app', 'data' and 'javascript' are not permitted, and URLs with schemes are neutralized so that, e.g., 'style="moz-binding:url(http://danger)"' becomes 'style="moz-binding:url(denied:http://danger)"'.

+

+  Admins, however, may still want to completely deny the 'style' attribute, e.g., with code like

+

+    $processed = htmLawed($text, array('safe'=>1, 'deny_attribute'=>'style'));

+

+  Permitting the 'style' attribute brings in risks of `click-jacking`, etc. CSS property values can render a page non-functional or be used to deface it. Except for URLs, dynamic expressions, and some other things, htmLawed does not completely check 'style' values. It does provide ways for the code-developer implementing htmLawed to do such checks through the '$spec' argument, and through the 'hook_tag' parameter (see section:- #3.4.8 for more). Disallowing style completely and relying on CSS classes and stylesheet files is recommended. 

+  

+  If a value for a parameter auto-set through 'safe' is still manually provided, then that value can over-ride the auto-set value. E.g., with '$config["safe"] = 1' and '$config["elements"] = "* +script"', 'script', but not 'applet', is allowed. Such over-ride does not occur for 'deny_attribute' (for legacy reason) when comma-separated attribute names are provided as the value for this parameter (section:- #3.4); instead htmLawed will add 'on*' to the value provided for 'deny_attribute'.

+

+  A page illustrating the efficacy of htmLawed's anti-XSS abilities with 'safe' set to '1' against XSS vectors listed by RSnake:- http://ha.ckers.org/xss.html may be available here:- http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed/rsnake/RSnakeXSSTest.htm.

+

+

+-- 3.7  Using a hook function --------------------------------------o

+

+

+  If '$config["hook"]' is not set to '0', then htmLawed will allow preliminarily processed input to be altered by a hook function named by '$config["hook"]' before starting the main work (but after handling of characters, entities, HTML comments and 'CDATA' sections -- see code for function 'htmLawed()').

+

+  The hook function also allows one to alter the `finalized` values of '$config' and '$spec'.

+

+  Note that the 'hook' parameter is different from the 'hook_tag' parameter (section:- #3.4.9).

+

+  Snippets of hook function code developed by others may be available on the htmLawed:- http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed website.

+

+

+-- 3.8  Obtaining `finalized` parameter values ---------------------o

+

+

+  htmLawed can assign the `finalized` '$config' and '$spec' values to a variable named by '$config["show_setting"]'. The variable, made global by htmLawed, is set as an array with three keys: 'config', with the '$config' value, 'spec', with the '$spec' value, and 'time', with a value that is the Unix time (the output of PHP's 'microtime()' function) when the value was assigned. Admins should use a PHP-compliant variable name (e.g., one that does not begin with a numerical digit) that does not conflict with variable names in their non-htmLawed code.

+

+  The values, which are also post-hook function (if any), can be used to auto-generate information (on, e.g., the elements that are permitted) for input writers.

+

+

+-- 3.9  Retaining non-HTML tags in input with mixed markup ---------o

+

+

+  htmLawed does not remove certain characters that, though invalid, are nevertheless `discouraged` in HTML documents as per the specifications (see section:- #5.1). This can be utilized to deal with input that contains mixed markup. Input that may have HTML markup as well as some other markup that is based on the '<', '>' and '&' characters is considered to have mixed markup. The non-HTML markup can be rather proprietary (like markup for emoticons/smileys), or standard (like MathML or SVG). Or it can be programming code meant for execution/evaluation (such as embedded PHP code).

+

+  To deal with such mixed markup, the input text can be pre-processed to hide the non-HTML markup by specifically replacing the '<', '>' and '&' characters with some of the HTML-discouraged characters (see section:- #3.1.2). Post-htmLawed processing, the replacements are reverted.

+

+  An example (mixed HTML and PHP code in input text):

+

+    $text = preg_replace('`<\?php(.+?)\?>`sm', "\x83?php\\1?\x84", $text);

+    $processed = htmLawed($text);

+    $processed = preg_replace('`\x83\?php(.+?)\?\x84`sm', '<?php$1?>', $processed);

+

+  This code will not work if '$config["clean_ms_char"]' is set to '1' (section:- #3.1), in which case one should instead deploy a hook function (section:- #3.7). (htmLawed internally uses certain control characters, code-points '1' to '7', and use of these characters as markers in the logic of hook functions may cause issues.)

+

+  Admins may also be able to use '$config["and_mark"]' to deal with such mixed markup; see section:- #3.2.

+ 

+

+== 4  Other =======================================================oo

+

+

+-- 4.1  Support -----------------------------------------------------

+

+

+  Software updates and forum-based community-support may be found at http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed. For general PHP issues (not htmLawed-specific), support may be found through internet searches and at http://php.net.

+

+

+-- 4.2  Known issues -----------------------------------------------o

+

+

+  See section:- #2.8.

+

+

+-- 4.3  Change-log -------------------------------------------------o

+

+

+  (The release date for the downloadable package of files containing documentation, demo script, test-cases, etc., besides the 'htmLawed.php' file, may be updated without a change-log entry if the secondary files, but not htmLawed per se, are revised.)

+

+  `Version number - Release date. Notes`

+

+  1.2.5 - 24 September 2019. Fixes two bugs in 'font' tag transformation

+

+  1.2.4.2 - 16 May 2019. Corrects a PHP notice if a semi-colon is present in '$config["schemes"]' 

+

+  1.2.4.1 - 12 September 2017. Corrects a function re-declaration bug introduced in version 1.2.4

+    

+  1.2.4 - 31 August 2017. Removes use of PHP 'create_function' function and '$php_errormsg' reserved variable (deprecated in PHP 7.2)

+  

+  1.2.3 - 5 July 2017. New option value of '4' for '$config["comments"]' to stop enforcing a space character before the '-->' comment-closing marker

+  

+  1.2.2 - 25 May 2017. Fix for a bug in parsing '$spec' that got introduced in version 1.2; also, '$spec' is now parsed to accommodate specifications for an HTML element when they are specified in multiple rules

+  

+  1.2.1.1 - 17 May 2017. Fix for a potential security vulnerability in transformation of deprecated attributes

+  

+  1.2.1 - 15 May 2017. Fix for a potential security vulnerability in transformation of deprecated attributes

+  

+  1.2 - 11 February 2017. (First beta release on 26 May 2013). Added support for HTML version 5; ARIA, data-* and microdata attributes; 'app', 'data', 'javascript' and 'tel' URL schemes (thus, 'javascript:' is not filtered in default mode). Removed support for code using Kses functions (see section:- #2.6). Changes in revisions to the beta releases are not noted here.

+

+  1.1.22 - 5 March 2016. Improved testing of attribute value rules specified in '$spec'

+  

+  1.1.21 - 27 February 2016. Improvement and security fix in transforming 'font' element

+

+  1.1.20 - 9 June 2015. Fix for a potential security vulnerability arising from unescaped double-quote character in single-quoted attribute value of some deprecated elements when tag transformation is enabled; recognition for non-(HTML 4) standard 'allowfullscreen' attribute of 'iframe'

+    

+  1.1.19 - 19 January 2015. Fix for a bug in cleaning of soft-hyphens in URL values, etc

+

+  1.1.18 - 2 August 2014. Fix for a potential security vulnerability arising from specially encoded text with serial opening tags

+  

+  1.1.17 - 11 March 2014. Removed use of PHP function preg_replace with 'e' modifier for compatibility with PHP 5.5.

+

+  1.1.16 - 29 August 2013. Fix for a potential security vulnerability arising from specialy encoded space characters in URL schemes/protocols

+  

+  1.1.15 - 11 August 2013. Improved tidying/prettifying functionality

+  

+  1.1.14 - 8 August 2012. Fix for possible segmental loss of incremental indentation during 'tidying' when 'balance' is disabled; fix for non-effectuation under some circumstances of a corrective behavior to preserve plain text within elements like 'blockquote'

+  

+  1.1.13 - 22 July 2012. Added feature allowing use of custom, non-standard attributes or custom rules for standard attributes

+  

+  1.1.12 - 5 July 2012. Fix for a bug in identifying an unquoted value of the 'face' attribute 

+    

+  1.1.11 - 5 June 2012. Fix for possible problem with handling of multi-byte characters in attribute values in an mbstring.func_overload enviroment. '$config["hook_tag"]', if specified, now receives names of elements in closing tags.

+  

+  1.1.10 - 22 October 2011. Fix for a bug in the 'tidy' functionality that caused the entire input to be replaced with a single space; new parameter, '$config["direct_list_nest"]' to allow direct descendance of a list in a list. (5 April 2012. Dual licensing from LGPLv3 to LGPLv3 and GPLv2+.)

+  

+  1.1.9.5 - 6 July 2011. Minor correction of a rule for nesting of 'li' within 'dir'

+  

+  1.1.9.4 - 3 July 2010. Parameter 'schemes' now accepts '!' so any URL, even a local one, can be `denied`. An issue in which a second URL value in 'style' properties was not checked was fixed.

+  

+  1.1.9.3 - 17 May 2010. Checks for correct nesting of 'param'

+  

+  1.1.9.2 - 26 April 2010. Minor fix regarding rendering of denied URL schemes

+  

+  1.1.9.1 - 26 February 2010. htmLawed now uses the LGPL version 3 license; support for 'flashvars' attribute for 'embed'

+  

+  1.1.9 - 22 December 2009. Soft-hyphens are now removed only from URL-accepting attribute values

+

+  1.1.8.1 - 16 July 2009. Minor code-change to fix a PHP error notice

+

+  1.1.8 - 23 April 2009. Parameter 'deny_attribute' now accepts the wild-card '*', making it simpler to specify its value when all but a few attributes are being denied; fixed a bug in interpreting '$spec'

+

+  1.1.7 - 11-12 March 2009. Attributes globally denied through 'deny_attribute' can be allowed element-specifically through '$spec'; '$config["style_pass"]' allowing letting through any 'style' value introduced; altered logic to catch certain types of dynamic crafted CSS expressions

+

+  1.1.3-6 - 28-31 January - 4 February 2009. Altered logic to catch certain types of dynamic crafted CSS expressions

+

+  1.1.2 - 22 January 2009. Fixed bug in parsing of 'font' attributes during tag transformation

+  

+  1.1.1 - 27 September 2008. Better nesting correction when omitable closing tags are absent

+

+  1.1 - 29 June 2008. '$config["hook_tag"]' and '$config["tidy"]' introduced for custom tag/attribute check/modification/injection and output compaction/beautification; fixed a regex-in-$spec parsing bug

+

+  1.0.9 - 11 June 2008. Fix for a bug in checks for invalid HTML code-point entities

+

+  1.0.8 - 15 May 2008. Permit 'bordercolor' attribute for 'table', 'td' and 'tr'

+

+  1.0.7 - 1 May 2008. Support for 'wmode' attribute for 'embed'; '$config["show_setting"]' introduced; improved '$config["elements"]' evaluation

+

+  1.0.6 - 20 April 2008. '$config["and_mark"]' introduced

+

+  1.0.5 - 12 March 2008. 'style' URL schemes essentially disallowed when $config 'safe' is on; improved regex for CSS expression search

+

+  1.0.4 - 10 March 2008. Improved corrections for 'blockquote', 'form', 'map' and 'noscript'

+

+  1.0.3 - 3 March 2008. Character entities for soft-hyphens are now replaced with spaces (instead of being removed); fix for a bug allowing 'td' directly inside 'table'; '$config["safe"]' introduced

+

+  1.0.2 - 13 February 2008. Improved implementation of '$config["keep_bad"]'

+

+  1.0.1 - 7 November 2007. Improved regex for identifying URLs, protocols and dynamic expressions ('hl_tag()' and 'hl_prot()'); no error display with 'hl_regex()'

+

+  1.0 - 2 November 2007. First release

+

+

+-- 4.4  Testing ----------------------------------------------------o

+

+

+  To test htmLawed using a form interface, a demo:- htmLawedTest.php web-page is provided with the htmLawed distribution ('htmLawed.php' and 'htmLawedTest.php' should be in the same directory on the web-server). A file with test-cases:- htmLawed_TESTCASE.txt is also provided.

+

+

+-- 4.5  Upgrade, & old versions ------------------------------------o

+

+

+  Upgrading is as simple as replacing the previous version of 'htmLawed.php', assuming the file was not modified for customized features. As htmLawed output is almost always used in static documents, upgrading should not affect old, finalized content.

+

+  *Note:* The following upgrades may affect the functionality of a specific htmLawed installation:

+

+  (1) From version 1.1-1.1.10 to 1.1.11 or later, if a 'hook_tag' function is in use: In version 1.1.11 and later, elements in closing tags (and not just the opening tags) are also passed to the function. There are no attribute names/values to pass, so a 'hook_tag' function receives only the element name. The 'hook_tag' function therefore may have to be edited. See section:- #3.4.9.

+  

+  (2) From version older than 1.2.beta to later, if htmLawed was used as Kses replacement with Kses code in use: In version 1.2.beta or later, htmLawed no longer provides direct support for code that uses Kses functions (see section:- #2.6).

+  

+  (3) From version older than 1.2 to later, if htmLawed is used without '$config["safe"]' set to 1: Unlike previous versions, htmLawed version 1.2 and later permit 'data' and 'javascript' URL schemes by default (see section:- #3.4.3).

+

+  Old versions of htmLawed may be available online. E.g., for version 1.0, check http://www.bioinformatics.org/phplabware/downloads/htmLawed1.zip; for 1.1.1, http://www.bioinformatics.org/phplabware/downloads/htmLawed111.zip; and for 1.1.22, http://www.bioinformatics.org/phplabware/downloads/htmLawed1122.zip.

+

+

+-- 4.6  Comparison with 'HTMLPurifier' -----------------------------o

+

+

+  The HTMLPurifier PHP library by Edward Yang is a very good HTML filtering script that uses object oriented PHP code. Compared to htmLawed, it (as of year 2015):

+

+  *  does not support PHP versions older than 5.0 (HTMLPurifier dropped PHP 4 support after version 2)

+

+  *  is 15-20 times bigger (scores of files totalling more than 750 kb)

+

+  *  consumes 10-15 times more RAM memory (just including the HTMLPurifier files without calling the filter requires a few MBs of memory)

+

+  *  is expectedly slower

+

+  *  lacks many of the extra features of htmLawed (like entity conversions and code compaction/beautification)

+

+  *  has poor documentation

+

+  However, HTMLPurifier has finer checks for character encodings and attribute values, and can log warnings and errors. Visit the HTMLPurifier website:- http://htmlpurifier.org for updated information.

+

+

+-- 4.7  Use through application plug-ins/modules -------------------o

+

+

+  Plug-ins/modules to implement htmLawed in applications such as Drupal may have been developed. Check the application websites and the htmLawed forum:- http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed.

+

+

+-- 4.8  Use in non-PHP applications --------------------------------o

+

+

+  Non-PHP applications written in Python, Ruby, etc., may be able to use htmLawed through system calls to the PHP engine. Such code may have been documented on the internet. Also check the forum on the htmLawed site:- http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed.

+

+

+-- 4.9  Donate -----------------------------------------------------o

+

+

+  A donation in any currency and amount to appreciate or support this software can be sent by PayPal:- http://paypal.com to this email address: drpatnaik at yahoo dot com.

+

+

+-- 4.10  Acknowledgements ------------------------------------------o

+

+

+  Nicholas Alipaz, Bryan Blakey, Pádraic Brady, Dac Chartrand, Alexandre Chouinard, Ulf Harnhammer, Gareth Heyes, Hakre, Klaus Leithoff, Lukasz Pilorz, Shelley Powers, Psych0tr1a, Lincoln Russell, Tomas Sykorka, Harro Verton, Edward Yang, and many anonymous users.

+

+  Thank you!

+

+

+== 5  Appendices ==================================================oo

+

+

+-- 5.1  Characters discouraged in XHTML -----------------------------

+

+

+  Characters represented by the following hexadecimal code-points are `not` invalid, even though some validators may issue messages stating otherwise.

+

+  '7f' to '84', '86' to '9f', 'fdd0' to 'fddf', '1fffe', '1ffff', '2fffe', '2ffff', '3fffe', '3ffff', '4fffe', '4ffff', '5fffe', '5ffff', '6fffe', '6ffff', '7fffe', '7ffff', '8fffe', '8ffff', '9fffe', '9ffff', 'afffe', 'affff', 'bfffe', 'bffff', 'cfffe', 'cffff', 'dfffe', 'dffff', 'efffe', 'effff', 'ffffe', 'fffff', '10fffe' and '10ffff'

+

+

+-- 5.2  Valid attribute-element combinations -----------------------o

+

+

+  *  includes deprecated attributes (marked '^'), attributes for microdata (marked '*'), the non-standard 'bordercolor', and new-in-HTML5 attributes (marked '~'); can have multiple comma-separated values (marked '%'); can have multiple space-separated values (marked '$')

+  *  only non-frameset, HTML body elements

+  *  'name' for 'a' and 'map', and 'lang' are invalid in XHTML 1.1

+  *  'target' is valid for 'a' in XHTML 1.1 and higher

+  *  'xml:space' is only for XHTML 1.1

+

+  abbr - td, th

+  accept - form, input

+  accept-charset - form

+  action - form

+  align - applet, caption^, col, colgroup, div^, embed, h1^, h2^, h3^, h4^, h5^, h6^, hr^, iframe, img^, input^, legend^, object^, p^, table^, tbody, td, tfoot, th, thead, tr

+  allowfullscreen - iframe

+  alt - applet, area, img, input

+  archive - applet, object

+  async~ - script

+  autocomplete~ - input

+  autofocus~ - button, input, keygen, select, textarea

+  autoplay~ - audio, video

+  axis - td, th

+  bgcolor - embed, table^, td^, th^, tr^

+  border - img, object^, table

+  bordercolor - table, td, tr

+  cellpadding - table

+  cellspacing - table

+  challenge~ - keygen

+  char - col, colgroup, tbody, td, tfoot, th, thead, tr

+  charoff - col, colgroup, tbody, td, tfoot, th, thead, tr

+  charset - a, script

+  checked - command, input

+  cite - blockquote, del, ins, q

+  classid - object

+  clear - br^

+  code - applet

+  codebase - object, applet

+  codetype - object

+  color - font

+  cols - textarea

+  colspan - td, th

+  compact - dir, dl^, menu, ol^, ul^

+  content - meta

+  controls~ - audio, video

+  coords - area, a

+  crossorigin~ - img

+  data - object

+  datetime - del, ins, time

+  declare - object

+  default~ - track

+  defer - script

+  dir - bdo

+  dirname~ - input, textarea

+  disabled - button, command, fieldset, input, keygen, optgroup, option, select, textarea

+  download~ - a

+  enctype - form

+  face - font

+  flashvars** - embed

+  for - label, output

+  form~ - button, fieldset, input, keygen, label, object, output, select, textarea

+  formaction~ - button, input

+  formenctype~ - button, input

+  formmethod~ - button, input

+  formnovalidate~ - button, input

+  formtarget~ - button, input

+  frame - table

+  frameborder - iframe

+  headers - td, th

+  height - applet, canvas, embed, iframe, img, input, object, td^, th^, video

+  high~ - meter

+  href - a, area, link

+  hreflang - a, area, link

+  hspace - applet, embed, img^, object^

+  icon~ - command

+  ismap - img, input

+  keytype~ - keygen

+  keyparams~ - keygen

+  kind~ - track

+  label - command, menu, option, optgroup, track

+  language - script^

+  list~ - input

+  longdesc - img, iframe

+  loop~ - audio, video

+  low~ - meter

+  marginheight - iframe

+  marginwidth - iframe

+  max~ - input, meter, progress

+  maxlength - input, textarea

+  media~ - a, area, link, source, style

+  mediagroup~ - audio, video

+  method - form

+  min~ - input, meter

+  model** - embed

+  multiple - input, select

+  muted~ - audio, video

+  name - a^, applet^, button, embed, fieldset, form^, iframe^, img^, input, keygen, map^, object, output, param, select, textarea

+  nohref - area

+  noshade - hr^

+  novalidate~ - form

+  nowrap - td^, th^

+  object - applet

+  open~ - details

+  optimum~ - meter

+  pattern~ - input

+  ping~ - a, area

+  placeholder~ - input, textarea

+  pluginspage** - embed

+  pluginurl** - embed

+  poster~ - video

+  pqg~ - keygen

+  preload~ - audio, video

+  prompt - isindex

+  pubdate~ - time

+  radiogroup* - command

+  readonly - input, textarea

+  required~ - input, select, textarea

+  rel$ - a, area, link

+  rev - a

+  reversed~ - old

+  rows - textarea

+  rowspan - td, th

+  rules - table

+  sandbox~ - iframe

+  scope - td, th

+  scoped~ - style

+  scrolling - iframe

+  seamless~ - iframe

+  selected - option

+  shape - area, a

+  size - font, hr^, input, select

+  sizes~ - link

+  span - col, colgroup

+  src - audio, embed, iframe, img, input, script, source, track, video

+  srcdoc~ - iframe

+  srclang~ - track

+  srcset~% - img

+  standby - object

+  start - ol

+  step~ - input

+  summary - table

+  target - a, area, form

+  type - a, area, button, command, embed, input, li, link, menu, object, ol, param, script, source, style, ul

+  typemustmatch~ - object

+  usemap - img, input, object

+  valign - col, colgroup, tbody, td, tfoot, th, thead, tr

+  value - button, data, input, li, meter, option, param, progress

+  valuetype - param

+  vspace - applet, embed, img^, object^

+  width - applet, canvas, col, colgroup, embed, hr^, iframe, img, input, object, pre^, table, td^, th^, video

+  wmode - embed

+  wrap~ - textarea

+

+  The following attributes, including event-specific ones and attributes of ARIA and microdata specifications, are considered global and allowed in all elements:

+

+  accesskey, aria-activedescendant, aria-atomic, aria-autocomplete, aria-busy, aria-checked, aria-controls, aria-describedby, aria-disabled, aria-dropeffect, aria-expanded, aria-flowto, aria-grabbed, aria-haspopup, aria-hidden, aria-invalid, aria-label, aria-labelledby, aria-level, aria-live, aria-multiline, aria-multiselectable, aria-orientation, aria-owns, aria-posinset, aria-pressed, aria-readonly, aria-relevant, aria-required, aria-selected, aria-setsize, aria-sort, aria-valuemax, aria-valuemin, aria-valuenow, aria-valuetext, class$, contenteditable, contextmenu, dir, draggable, dropzone, hidden, id, inert, itemid, itemprop, itemref, itemscope, itemtype, lang, onabort, onblur, oncanplay, oncanplaythrough, onchange, onclick, oncontextmenu, oncopy, oncuechange, oncut, ondblclick, ondrag, ondragend, ondragenter, ondragleave, ondragover, ondragstart, ondrop, ondurationchange, onemptied, onended, onerror, onfocus, onformchange, onforminput, oninput, oninvalid, onkeydown, onkeypress, onkeyup, onload, onloadeddata, onloadedmetadata, onloadstart, onlostpointercapture, onmousedown, onmousemove, onmouseout, onmouseover, onmouseup, onmousewheel, onpaste, onpause, onplay, onplaying, onpointercancel, ongotpointercapture, onpointerdown, onpointerenter, onpointerleave, onpointermove, onpointerout, onpointerover, onpointerup, onprogress, onratechange, onreadystatechange, onreset, onsearch, onscroll, onseeked, onseeking, onselect, onshow, onstalled, onsubmit, onsuspend, ontimeupdate, ontoggle, ontouchcancel, ontouchend, ontouchmove, ontouchstart, onvolumechange, onwaiting, onwheel, role, spellcheck, style, tabindex, title, translate, xmlns, xml:base, xml:lang, xml:space

+

+  Custom `data-*` attributes, where the first three characters of the value of `star` (*) after lower-casing do not equal 'xml' and the value of `star` does not have a colon (:), equal-to (=), newline, solidus (/), space, tab, or any A-Z character, are also considered global and allowed in all elements.

+  

+

+-- 5.3  CSS 2.1 properties accepting URLs --------------------------o

+

+

+  background

+  background-image

+  content

+  cue-after

+  cue-before

+  cursor

+  list-style

+  list-style-image

+  play-during

+

+

+-- 5.4  Microsoft Windows 1252 character replacements --------------o

+

+

+  Key: 'd' double, 'l' left, 'q' quote, 'r' right, 's.' single

+

+  Code-point (decimal) - hexadecimal value - replacement entity - represented character

+

+  127 - 7f - (removed) - (not used)

+  128 - 80 - &#8364; - euro

+  129 - 81 - (removed) - (not used)

+  130 - 82 - &#8218; - baseline s. q

+  131 - 83 - &#402; - florin

+  132 - 84 - &#8222; - baseline d q

+  133 - 85 - &#8230; - ellipsis

+  134 - 86 - &#8224; - dagger

+  135 - 87 - &#8225; - d dagger

+  136 - 88 - &#710; - circumflex accent

+  137 - 89 - &#8240; - permile

+  138 - 8a - &#352; - S Hacek

+  139 - 8b - &#8249; - l s. guillemet

+  140 - 8c - &#338; - OE ligature

+  141 - 8d - (removed) - (not used)

+  142 - 8e - &#381; - Z dieresis

+  143 - 8f - (removed) - (not used)

+  144 - 90 - (removed) - (not used)

+  145 - 91 - &#8216; - l s. q

+  146 - 92 - &#8217; - r s. q

+  147 - 93 - &#8220; - l d q

+  148 - 94 - &#8221; - r d q

+  149 - 95 - &#8226; - bullet

+  150 - 96 - &#8211; - en dash

+  151 - 97 - &#8212; - em dash

+  152 - 98 - &#732; - tilde accent

+  153 - 99 - &#8482; - trademark

+  154 - 9a - &#353; - s Hacek

+  155 - 9b - &#8250; - r s. guillemet

+  156 - 9c - &#339; - oe ligature

+  157 - 9d - (removed) - (not used)

+  158 - 9e - &#382; - z dieresis

+  159 - 9f - &#376; - Y dieresis

+

+

+-- 5.5  URL format -------------------------------------------------o

+

+

+  An `absolute` URL has a 'protocol' or 'scheme', a 'network location' or 'hostname', and, optional 'path', 'parameters', 'query' and 'fragment' segments. Thus, an absolute URL has this generic structure:

+

+    (scheme) : (//network location) /(path) ;(parameters) ?(query) #(fragment)

+

+  The schemes can only contain letters, digits, '+', '.' and '-'. Hostname is the portion after the '//' and up to the first '/' (if any; else, up to the end) when ':' is followed by a '//' (e.g., 'abc.com' in 'ftp://abc.com/def'); otherwise, it consists of everything after the ':' (e.g., 'def@abc.com' in mailto:def@abc.com').

+

+  `Relative` URLs do not have explicit schemes and network locations; such values are inherited from a `base` URL.

+

+

+-- 5.6  Brief on htmLawed code -------------------------------------o

+

+

+  Much of the code's logic and reasoning can be understood from the documentation above.

+

+  The *output* of htmLawed is a text string containing the processed input. There is no custom error tracking.

+

+  *Function arguments* for htmLawed are:

+

+  *  '$in' - first argument; a text string; the *input text* to be processed. Any extraneous slashes added by PHP when `magic quotes` are enabled should be removed beforehand using PHP's 'stripslashes()' function.

+

+  *  '$config' - second argument; an associative array; optional; named '$C' within htmLawed code. The array has keys with names like 'balance' and 'keep_bad', and the values, which can be boolean, string, or array, depending on the key, are read to accordingly set the *configurable parameters* (indicated by the keys). All configurable parameters receive some default value if the value to be used is not specified by the user through '$config'. `Finalized` '$config' is thus a filtered and possibly larger array.

+

+  *  '$spec' - third argument; a text string; optional. The string has rules, written in an htmLawed-designated format, *specifying* element-specific attribute and attribute value restrictions. Function 'hl_spec()' is used to convert the string to an associative-array, named '$S' within htmLawed code, for internal use. `Finalized` '$spec' is thus an array.

+

+  `Finalized` '$config' and '$spec' are made *global variables* while htmLawed is at work. Values of any pre-existing global variables with same names are noted, and their values are restored after htmLawed finishes processing the input (to capture the `finalized` values, the 'show_settings' parameter of '$config' should be used). Depending on '$config', another global variable 'hl_Ids', to track 'id' attribute values for uniqueness, may be set. Unlike the other two variables, this one is not reset (or unset) post-processing.

+

+  Except for the main 'htmLawed()' function, htmLawed's functions are *name-spaced* using the 'hl_' prefix. The *functions* and their roles are:

+

+  *  'hl_attrval' - check attribute values against '$spec'

+  *  'hl_bal' - balance tags and ensure proper nesting

+  *  'hl_cmtcd' - handle CDATA sections and HTML comments

+  *  'hl_ent' - handle character entities

+  *  'hl_prot' - check a URL scheme/protocol

+  *  'hl_regex' - check syntax of a regular expression

+  *  'hl_spec' - convert user-supplied '$spec' value to one used internally

+  *  'hl_tag' - handle element tags and attributes

+  *  'hl_tag2' - transform element tags

+  *  'hl_tidy' - compact/beautify HTML 

+  *  'hl_version' - report htmLawed version

+  *  'htmLawed' - main function

+

+  'htmLawed()' finalizes '$spec' (with the help of 'hl_spec()') and '$config', and globalizes them. Finalization of '$config' involves setting default values if an inappropriate or invalid one is supplied. This includes calling 'hl_regex()' to check well-formedness of regular expression patterns if such expressions are user-supplied through '$config'. 'htmLawed()' then removes invalid characters like nulls and 'x01' and appropriately handles entities using 'hl_ent()'. HTML comments and CDATA sections are identified and treated as per '$config' with the help of 'hl_cmtcd()'. When retained, the '<' and '>' characters identifying them, and the '<', '>' and '&' characters inside them, are replaced with control characters (code-points '1' to '5') till any tag balancing is completed.

+

+  After this `initial processing` 'htmLawed()' identifies tags using regex and processes them with the help of 'hl_tag()' --  a large function that analyzes tag content, filtering it as per HTML standards, '$config' and '$spec'. Among other things, 'hl_tag()' transforms deprecated elements using 'hl_tag2()', removes attributes from closing tags, checks attribute values as per '$spec' rules using 'hl_attrval()', and checks URL protocols using 'hl_prot()'. 'htmLawed()' performs tag balancing and nesting checks with a call to 'hl_bal()', and optionally compacts/beautifies the output with proper white-spacing with a call to 'hl_tidy()'. The latter temporarily replaces white-space, and '<', '>' and '&' characters inside 'pre', 'script' and 'textarea' elements, and HTML comments and CDATA sections with control characters (code-points '1' to '5', and '7').

+

+  htmLawed permits the use of custom code or *hook functions* at two stages. The first, called inside 'htmLawed()', allows the input text as well as the finalized '$config' and '$spec' values to be altered right after the initial processing (see section:- #3.7). The second is called by 'hl_tag()' once the tag content is finalized (see section:- #3.4.9).

+

+  The functionality of htmLawed is dictated by the external HTML standards. The code of htmLawed is thus written for a clear-cut aim, with not much concern for tweaking by other developers. The code is only minimally annotated with comments -- it is not meant to instruct. PHP developers familiar with the HTML specifications will see the logic, and others can always refer to the htmLawed documentation.

+

+___________________________________________________________________oo

+

+

+@@description: htmLawed PHP software is a free, open-source, customizable HTML input purifier and filter

+@@encoding: utf-8

+@@keywords: htmLawed, HTM, HTML, HTML5, HTML 5, XHTML, XHTML5, HTML Tidy, converter, filter, formatter, purifier, sanitizer, XSS, input, PHP, software, code, script, security, cross-site scripting, hack, sanitize, remove, standards, tags, attributes, elements, Aria, Ruby, data attributes, tidy, indent, auto-indent, prettify, pretty print

+@@language: en

+@@title: htmLawed documentation

diff --git a/lib/htmlawed/htmLawed_TESTCASE.txt b/lib/htmlawed/htmLawed_TESTCASE.txt
index 24b00e7..2e64421 100755
--- a/lib/htmlawed/htmLawed_TESTCASE.txt
+++ b/lib/htmlawed/htmLawed_TESTCASE.txt
@@ -1,455 +1,455 @@
-/*
-htmLawed_TESTCASE.txt, 24 September 2019
-To test htmLawed
-Copyright Santosh Patnaik
-Dual licensed with LGPL 3 and GPL 2+
-A PHP Labware internal utility - www.bioinformatics.org/phplabware/internal_utilities/htmLawed
-*/
-
-This file has UTF-8-encoded text with both correct and incorrect/malformed HTML/XHTML code snippets to test htmLawed (test cases/samples). The entire text may also be used as a unit.
-
-************************************************
-when viewing this file in a web browser, set the
-character encoding to Unicode/UTF-8
-************************************************
-
---------------------- start --------------------
-
-<em>Try different $config and $spec values. Some text even when filtered in will not be displayed in a rendered web-page</em><br />
-
-<h6>Attributes</h6>
-
-<strong>Xml:lang:</strong><a lang="en" xml:lang="en"></a>, <a lang="en"></a>, <a xml:lang="en"></a><br />
-<strong>Standard, predefined value, or empty attribute:</strong> <input type="text" disabled />, <input type="text" disabled="DISABLED" />, <input type="text" disabled="1" /><br />
-<strong>Required:</strong> <img />, <img alt="image" /><br />
-<strong>Quote & space variation:</strong> <a id=id1 name=xy>a</a>, <a id='id2' name="xy">a</a>, <a   id=' id3 ' name = "n"  >a</a><br />
-<strong>Invalid:</strong> <a id="id4" src="s">a</a><br />
-<strong>Duplicated:</strong> <a id="id5" id="id6">a</a><br />
-<strong>Deprecated:</strong> <a id="id7" target="self" name="n">a</a>, <hr noshade="noshade" /><br />
-<strong>Casing:</strong> <a HREF=""></a><br />
-<strong>Custom:</strong> <img alt="image" my:data="portrait" /><br />
-<strong>Data-*:</strong> <a data-xml="x" data-xmnt="x" data-xmlnt="x" data-xmn:t="x" data-12="x"  data-רש="x" data-xmxm="x">a</a><br />
-<strong>Admin-restricted?:</strong> <a href="x" onclick="alert();"></a>
-
-<h6>Attribute values</h6>
-
-<strong>Duplicate ID value:</strong><a id="id8"></a>, <a id="my_id8"></a>, <a id="id8"></a><br />
-(try 'my_' for prefix)<br />
-<strong>Double-quotes in value:</strong><a title=ab"c"></a>, <a title="ab"c"></a>, <a title='ab"c'></a><br />
-(try filter for CSS expression)<br />
-<strong>CSS expression</strong>: <div style="prop:expression();"></div><div style="prop:expression()"></div><div style="prop: expression();"></div><div style="prop : expression()"></div><div style="prop:expression(js);"></div><div style="prop:expression(js;)"></div><div style="prop: expression('js');"></div><div style="prop : expr ession('js':)"></div><div style="prop&#x3a;expression( 'js&#x40; );"></div><br />
-<strong>Other:</strong> <input size="50" class="my" value="an input an input an input" />, <input size="5" class="your" value="an input" /><br />
-(try 'maxlen', 'maxval', etc., for 'input' in '$spec')
-
-<h6>Blockquotes</h6>
-
-<blockquote>abc</blockquote><br />
-<blockquote>abc<div>def</div></blockquote><br />
-<blockquote><div>abc</div>def</blockquote><br />
-<blockquote>abc<div>def</div>ghi</blockquote><br />
-abc<div>def</div>ghi<br />
-<blockquote>QQQ<div>x</div><!-- comment --></blockquote><br />
-<blockquote><div>x</div><!-- comment -->QQQ</blockquote><br />
-<blockquote><!-- comment --><div>x</div>QQQ<div>x</div></blockquote><br />
-<blockquote><div>x<!-- comment --></div>QQQ</blockquote><p>x</p><br />
-<br />
-(try with blockquote parent)
-
-<h6>CDATA sections</h6>
-
-<strong>Special characters inside:</strong> <![CDATA[ ]]> ]]>, <![CDATA[ 3 < 4 > 3.5, & 4 &gt; 4 ]]><br />
-<strong>Normal:</strong> <![CDATA[ check ]]>, <em>CDATA follows:<![CDATA[ check ]]></em><br />
-<strong>Malformed:</strong> <![cdata check ]]>, < ![CDATA check ]]>, <![CDATA check ]]>, < ![CDATA check ] ]><br />
-<strong>Invalid:</strong> <em <![CDATA[ check ]]>>CDATA in tag content</em>, <table><![CDATA[ check ]]><tr><td>text not allowed</td></tr></table>
-
-<h6>Complex-1: deprecated elements</h6>
-
-<center>
-The PHP <s>software</s> script used for this <strike>web-page</strike> webpage is <font style="font-weight: bold " face=arial size='+3' color   =  "red  ">htmLawedTest.php</font>, from <u style= 'color:green'>PHP Labware</u>.
-</center>
-
-<h6>Complex-2: deprecated attributes</h6>
-
-<img src="s" alt="a" name="n" /><img src="s" alt="a" id="id9" name="n" />
-<br clear="left" />
-<hr noshade size="1" />
-<img name="id10" src="s" align="left" alt="image" hspace="10" vspace="10" width="10em" height="20" border="1" style="padding:5px;" />
-<table width="50em" align="center" bgcolor="red">
-     <tr>
-      <td width="20%">
-       <div align="center">
-        <h3 align="right">Section</h3>
-        <p align="right">Para</p>
-        <ol type="a" start="e"><li value="x"><a name="x">First</a> <a name="x" id="id11">item</a></li></ol>
-       </div>
-      </td>
-      <td width="*">
-       <ol type="1"><li>First item</li></ol>
-      </td>
-     </tr>
-    </table>
-<br clear="all" />
-
-<h6>Complex-3: embed, object, area</h6>
-
-<object width="425" height="350"><param name="movie" value="http://www.youtube.com/v/ls7gi1VwdIQ"></param><embed src="http://www.youtube.com/v/ls7gi1VwdIQ" type="application/x-shockwave-flash" width="425" height="350"></embed></object><br />
-
-<embed src="http://www.youtube.com/v/ls7gi1VwdIQ" type="application/x-shockwave-flash" width="425" height="350"></embed><br />
-
-<object data="1.gif" type="image/gif" usemap="#map1"><map name="map1">
-<p>navigate the site: <a href="1" shape="REct" coOrds="0,0,118,28">1</a> | <a href="3" shape="circle" coords="184,200,60">3</a> | <a href="4" shape="poly" coords="276,0,276,28,100,200,50,50,276,0">4</a></p>
-<area href="5" shape="Rect" coords="0,0,118,28">
-</map></object>
-
-<param name="name">value</param>
-
-<object id="obj1">
-   <param name="param1">
-   <object id="obj2">
-      <param name="param2">
-   </object>
-</object>
-
-<h6>Complex-4: nested and other tables</h6>
-
-<table border="1" bgcolor="red"> <tr> <td> Cell </td> <td colspan="2" rowspan="2"> <table border="1" bgcolor="green"> <tr> <td> Cell </td> <td colspan="2" rowspan="2"> </td> </tr> <tr> <td> Cell </td> </tr> <tr> <td> Cell </td> <td> Cell </td> <td> Cell </td> </tr> </table> </td> </tr> <tr> <td> Cell </td> </tr> <tr> <td> Cell </td> <td> Cell </td> <td> Cell </td> </tr> </table><br />
-<strong>PCDATA wrong:</strong> <table>Well<caption>Hello</caption></table><br />
-<strong>Missing tr:</strong> <table><td>Well</td></table><br />
-
-<h6>Complex-5: pseudo, disallowed or non-HTML tags</h6>
-
-(Try different 'keep_bad' values)
-<*> Pseudotags <*>
-<xml>Non-HTML tag xml</xml>
-<p>
-Disallowed tag p
-</p>
-<ul>Bad<li>OK</li></ul>
-
-<h6>Elements</h6>
-
-<strong>Unbalanced:</strong> <a href="h"><em>check</a></em><br />
-<strong>Non-XHTML:</strong> <div><center><dir></dir></center></div><br />
-<strong>Malformed:</strong> < a href=""></a>, <a href=""  ></a>, <a href=""     ></a>, <a href=""
-></a>, <a href="">< /a>, < a href=""></a >, <img src="s" alt="a"   />, <img src="s" alt="a"/ >, <imgsrc="s" alt="a" /><br />
-<strong>Invalid:</strong> <image src="s" alt="a" /><br />
-<strong>Empty:</strong> <img src="s" alt="a" />, <img src="s" alt="a"></img>, <img src="s" alt="a">text</img><br />
-<strong>Content invalid:</strong> <a href="h">1<a>2</a></a><br />
-<strong>Content invalid?:</strong> <form></form><br /> (try setting 'form' as parent)<br />
-<strong>Casing:</strong> <A href=""></a><br />
-<strong>Check for tidy:</strong> <br /><hr /></div><hr /></div><hr /></div><div>hi</div>
-
-<h6>Entities</h6>
-
-<strong>Special:</strong> &amp; 3 < 2 & 5>4 and j >i >a & i<j>a<br />
-<strong>Padding:</strong> &#00066; &#066; &#x00066; &#x066; &#x003; &#0003;<br />
-<strong>Malformed:</strong> & #x27;, &x27;, &#x27; &TILDE;, &tilde<br />
-<strong>Invalid:</strong> &#x3;, &#55296;, &#03;, &#1114112;, &#xffff, &bad;<br />
-<strong>Discouraged characters:</strong> &#x7f;, &#132;, &#64992;, &#1114110;<br />
-<strong>Context:</strong> '&gt;', &lt;?<br />
-<strong>Casing:</strong> &#X27;, &#x27;, &TILDE;, &tilde;
-<br />
-(also check named-to-numeric and hexdec-to-decimal, and vice versa, conversions)
-
-<h6>Format</h6>
-
-<strong>Valid but ill-formatted:</strong> text <!-- comment -->
-text <!--
-A   c  o  m  m  e  n  t -->
-<script>
-        <![CDATA[
-                code
-        ]]>
-</script><!-- comment --><![CDATA[ cdata ]]> <a>text</b> text<pre id="none">p r e</pre>
-<textarea>text</textarea>         <textarea>
-          text  text  
-</textarea>             text  text <br /><hr />
-text <img src="none" alt="none" /> t<em class="none">e<strong>x</strong>t</em>
-text <img src="none" alt="none" />      <b>t<em> e <strong> x </strong> t</em></b>
-        <a href="a">    text <img src="none" alt="none" />      <b>t <em> e <strong> x </strong> t</em></b>
-        </a>
-<span style="background-color: yellow;">text <img src="none" alt="none" />      <b> <em> t e <strong> x </strong> t</em></b></span>
-<script>script</script>
-<div>
-        <pre id="none">p <a>r</a> e <!-- comment --> </pre>
-                <pre>
-                                pre
-                </pre>
-</div>
-<div><div><table border="1" style="background-color: red;"><tr><td>Cell</td><td colspan="2" rowspan="2"><table border="1" style="background-color: green;"><tr><td>Cell</td><td colspan="2" rowspan="2"></td></tr><tr><td>Cell</td></tr><tr><td>Cell</td><td>Cell</td><td>Cell</td></tr></table></td></tr><tr><td>Cell</td></tr><tr><td>Cell</td><td>Cell</td><td>Cell</td></tr></table></div></div>
-(try to compact or beautify)
-
-<h6>Forms</h6>
-
-(note nesting of 'form', missing required attributes, etc.)<br />
-<form>
-<script type="text/javascript">s</script>
-<fieldset><legend>p</legend>l <input name="personal_lastname" type="text" tabindex="1"></fieldset>
-<input name="h" type="checkbox" value="h" tabindex="20"> h
-<textarea name="t">t</textarea>
-<form action="a" method="get"></form></form><br />
-<form action="b" method="get"><p><input type="text" value="i" /></form><br />
-<form>B:<input type="text" value="b" />C:<input type="text" value="c" /></form><br />
-(try each of these lines separately)<br />
-<form action="a">what<br />
-<form action="a">what
-(try with container as div and as form)<br />
-<form>c <a>a</a> <b>b</b><input /><script>s</script>
-
-<h6>HTML comments (also CDATA)</h6>
-
-<strong>Script inside:</strong> <!--[if gte IE 4]>
-<SCRIPT>alert('XSS');</SCRIPT>
-<![endif]--><br />
-<strong>Special characters inside: <!-- <![CDATA check ]]> -->, <!-- 3 < 4 > 3.5, & 4 &gt; 4 -->, <!-- che--ck -->, <!--[if !IE]> <--><a>c</a><!--> <![endif]--><br />
-<strong>Normal:</strong> <!-- check -->, <!--check -->, <em>comment:<!-- check --></em><!-- check -->, <table><!-- check --><tr><td>text not allowed</td></tr></table><br />
-<strong>Malformed:</strong> <![cdata check ]]>, < ![CDATA check ]]>, < ![CDATA check ] ]><br />
-Invalid:</strong> <em <!-- check -->>comment in tag content</em>, <!--check-->
-
-<h6>HTML5</h6>
-
-<strong>figure and figcaption:</strong> <figure><img src="picture.jpg" alt="picture"><figcaption>Caption for the awesome picture</figcaption></figure>
-<strong>article:</strong> <h1>A</h1><p>B</p><article><h2>C</h2></article><article><h2>E</h2><p>F</p><p>G</p></article>
-<strong>meter</strong>: <p>Heat <meter min="100" max="200" value="150">150</meter>.</p>
-<strong>datalist</strong>: <input list="b" /><datalist id="b"><option value="c"><option value="d"></datalist>
-
-<h6>Ins-Del</h6>
-
-(depending on context, these elements can be of either block or inline type)<br />
-<p><ins datetime="d" cite="c"><div>block</div></ins></p><br />
-<p><del>d</del></p><br />
-<p><ins><del>d</del></ins></p><div><ins><p><del><div>d</div></del></p></ins></div><ins><div>d</div></ins>
-
-<h6>Lists</h6>
-
-<strong>Invalid character data</strong>: <ul><li>(item</li>)</ul><br />
-<strong>Definition list</strong>: <dl><dt>a</dt>bad<dd>first <em>one</em></dd><dt>b</dt><dd>second</dd></dl><br />
-<strong>Definition list, close-tags omitted</strong>: <dl><dt>a</dt>bad<dd>first <em>one</em></dd><dt>b<dd>second</dl><br />
-<strong>Definition lists, nested</strong>: <dl>
- <dt>T1</dt>
- <dd>D1</dd>
- <dt>T2</dt>
- <dd>D2<dl><dt>t1</dt><dd>d1</dd><dt>t2</dt><dd>d2</dd></dl></dd>
- <dt>T3</dt>
- <dd>D3</dd>
- <dt>T4</dt>
- <dd>D4<dl><dt>t1</dt><dd>d1</dd></dl></dd>
-</dl><br />
-<strong>Definition lists, nested, close-tags omitted</strong>: <dl>
- <dt>T1
- <dd>D1</dd>
- <dt>T2</dt>
- <dd>D2<dl><dt>t1<dd>d1<dt>t2</dt><dd>d2</dd></dl></dd>
- <dt>T3
- <dd>D3
- <dt>T4
- <dd>D4<dl><dt>t1<dd>d1</dl></dd>
-</dl><br />
-<strong>Nested</strong>: <ul>
- <li>l1</li>
- <li>l2<ol><li>lo1</li><li>lo2</li></ol></li>
- <li>l3</li>
- <li>l4<ol><li>lo3</li><li>lo4<ol><li>lo5</li></ol></li></ol></li>
-</ul><br />
-<strong>Nested, directly</strong>: <ul>
- <li>l1</li>
- <ol>l2</ol>
- <li>l3</li>
-</ul><br />
-<strong>Nested, close-tags omitted</strong>: <ul>
- <li>l1</li>
- <li>l2<ol><li>lo1<li>lo2</ol>
- <li>l3
- <li>l4<ol><li>lo3<li>lo4<ol><li>lo5</ol></ol>
-</ul><br />
-<strong>Complex</strong>:
-<ol><script></script><li><table><tr><td>
-<ul><li id="search" class="widget widget_search">                       <form id="searchform" method="get" action="http://kohei.us">
-                        <div>
-
-                        <input type="text" name="s" id="s" size="15" /><br />
-                        <input type="submit" value="Search" />
-                        </div>
-                        </form>
-                </li></ul>
-</td></tr></table></li></ol>
-<strong>Menu</strong>: <menu type="toolbar"><li><menu label="File">
-      <button type="button" onclick="new()">New...</button>
-    </menu></li><li><menu label="Edit"><button type="button" onclick="cut()">Cut...</button></menu></li>
-    </menu>
-
-<h6>Microdata</h6>
-
-<div itemscope itemtype="http://data-vocabulary.org/Person"> 
-I am <span itemprop="name">X</span> but people call me <span itemprop="nickname">Y</span>. 
-Find me at <a href="http://www.xy.com" itemprop="url">www.xy.com</a>
-</div>
-
-<h6>Microsoft Word</h6>
-
-<strong>Proprietary tag</strong>: <p class=3DMsoNormal><o:p>&nbsp;</o:p></p><br />
-<strong>XML declaration</strong>: <?xml:namespace prefix = o ns = "urn:schemas-microsoft-com:office:office" /><br />
-<strong>XML-invalid character code-point (may not replicate)</strong>: <p class=3DMsoNormal>“Where is he?” asked both Mary – the one so lovely – and Jane.</p>
-
-<h6>Nesting</h6>
-
-<strong>Block or inline a</strong>: <p><a href="link">text</a></p><a href="link"><div>hi</div></a><br />
-
-<h6>Non-English text-1</h6>
-
-Inscrieţi-vă acum la a Zecea Conferinţă Internaţională<br />
-გთხოვთ ახლავე გაიაროთ რეგისტრაცია<br />
-večjezično računalništvo<br />
-<a title="อ.อ่าง">อ.อ่าง</a><br />
-<a title="הירשמו
-כעת לכנס ">Зарегистрируйтесь сейчас
-на Десятую Международную Конференцию по</a><br />
-(this file should have utf-8 encoding; some characters may not be displayed because of missing fonts, etc.)
-
-<h6>Non-English text-2: entities</h6>
-
-&#29992;&#32479;&#19968;&#30721;<br />
-&#4306;&#4311;&#4334;&#4317;&#4309;&#4311;<br />
-Inscreva-se agora para a D&#233;cima Confer&#234;ncia Internacional Sobre O Unicode, realizada entre os dias 10 e 12 de mar&#231;o de 1997 em Mainz
-na Alemanha.
-
-<h6>Ruby</h6>
-
-(need compatible browser)<br />
-<ruby xml:lang="ja">
-  <rbc>
-    <rb>斎</rb>
-    <rb>藤</rb>
-    <rb>信</rb>
-    <rb>男</rb>
-  </rbc>
-  <rtc class="reading">
-    <rt>さい</rt>
-    <rt>とう</rt>
-    <rt>のぶ</rt>
-    <rt>お</rt>
-  </rtc>
-  <rtc class="annotation">
-    <rt rbspan="4" xml:lang="en">W3C Associate Chairman</rt>
-  </rtc>
-</ruby><br />
-<ruby>
-  <rb>WWW</rb>
-  <rp>(</rp><rt>World Wide Web</rt><rp>)</rp>
-</ruby><br />
-<ruby>
-  A
-  <rp>(</rp><rt>aaa</rt><rp>)</rp>
-</ruby>
-
-
-<h6>Tables</h6>
-
-<strong>Omitted closing tags:</strong> <table>
-<colgroup><col style="x" /><col style="y" />
-<thead>
-<tr><th>h1c1<th>h1c2
-<tbody>
-<tr><td>r1c1<td>r1c2
-<tr><td>r2c1<td>r2c2
-</table><br />
-<strong>Nested, omitted closing tags:</strong> <table>
-<colgroup><col style="x" /><col style="y" />
-<thead>
-<tr><th>h1c1<th>h1c2
-<tbody>
-<tr><td>r1c1<td>r1c2<table>
-<colgroup><col style="x" /><col style="y" />
-<thead>
-<tr><th>h1c1<th>h1c2
-<tbody>
-<tr><td>r1c1<td>r1c2
-<tr><td>r2c1<td>r2c2
-</table>
-<tr><td>r2c1<td>r2c2
-</table><br />
-
-<h6>Tag transformation</h6>
-<strong>Font element with malicious code:</strong> <p><font color="z-index:123;width:100%;height:100%;position:fixed;top:0;left:0;background-size:cover;background-attachment:fixed;background-image:url(https://i.imgur.com/VQ30s65.png)"></font></p><br />
-<strong>Font element intended as 'inline' element:</strong> <p><font color='red'>hi</font></p><br />
-<strong>Font element intended as 'block' element:</strong> <div><font color='red'><div>hi</div></font></div><br />
-<strong>Font element intended as 'block' element:</strong> <center><font color='red' face="serif, 'Times'"><div>hi</div><div>QQQ</div></font></center><br />
-
-<h6>Tidy</h6>
-<strong>White-space handling:</strong> abc<em> def </em> ghi   abc <em>def</em> ghi
-
-<h6>URLs</h6>
-
-<strong>Relative and absolute:</strong> <a href="mailto:x"></a>, <a href="http://a.com/b/c/d.f"></a>, <a href="./../d.f"></a>, <a href="./d.f"></a>, <a href="d.f"></a>, <a href="#s"></a>, <a href="./../../d.f#s"></a><br />
-(try base URL value of 'http://a.com/b/')<br />
-<strong>CSS URLs:</strong> <div style="background-image: url('a.gif');"></div>, <div style="background-image: URL(&quot;a.gif&quot;);"></div>, <div style="background-image: url('http://a.com/a.gif');"></div>, <div style="background-image: url('./../a.gif');"></div>, <div style="background-image: &#117;r&#x6C;('js&#58;xss'&#x29;"></div><br />
-<strong>Double URLs:</strong> <a style="behaviour: url(foo) url(http://example.com/xss.htc)">b</a><br />
-<strong>Anti-spam:</strong> (try regex for 'http://a.com', etc.) <a href="mailto:x@y.com"></a>, <a href="http://a.com/b@d.f"></a>, <a href="a.com/d.f" rel="nofollow"></a>, <a href="a.com/d.f" rel="1, 2"></a>, <a href="a.com/d.f"></a>, <a href="b.com/d.f"></a>, <a href="c.com/d.f">, <a href="denied:http://c.com/d.f"></a><br />
-<strong>Soft-hyphen:</strong> <a href="http://q=ídis­c">ídis­c</a>
-
-<h6>XSS</h6>
-
-<img alt="<img onmouseover=confirm(1)//"<"">
-'';!--"<xss>=&{()}<br />
-<img src="javascript%3Aalert('xss');" /><br />
-<img src="javascript:alert('xss');" /><br />
-<img src="java script:alert('xss');" /><br />
-<img
-src=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41; /><br />
-<font color='#FF6699"onmouseover="alert(1)//'>test</font>
-<font color='<img//onerror="alert`www.ptsecurity.com`"src=Psych0tr1a'>
-<div style="javascript:alert('xss');"></div><br />
-<div style="background-image:url(javascript:alert('xss'));"></div><br />
-<div style="background-image:url(&quot;javascript:alert('xss')&quot; );"></div><br />
-<!--[if gte IE 4]><script>alert('xss');</script><![endif]--><br />
-<script a=">" src="http://ha.ckers.org/xss.js"></script><br />
-<div style="background-image: &#117;r&#x6C;('js&#58;xss'&#x29;"></div><br />
-<a style=";-moz-binding:url(http://lukasz.pilorz.net/xss/xss.xml#xss)" href="http://example.com">test</a><br />
-<strong>Bad IE7:</strong> <a href="http://x&x=%22+style%3d%22background-image%3a+expression%28alert
-%28%27xss%3f%29%29">x</a><br />
-<strong>Opera:</strong> <a href="\xE2\x80\x83javascript:alert(123)">link</a>
-<strong>Bad IE7:</strong> <a style=color:expr/*comment*/ession(alert(document.domain))>xxx</a><br />
-<strong>Bad IE7:</strong> <a href="xxx" style="background: exp&#x72;ession(alert('xss'));">xxx</a><br />
-<strong>Bad IE7:</strong> <a href="xxx" style="background: &#101;xpression(alert('xss'));">xxx</a><br />
-<strong>Bad IE7:</strong> <a href="xxx" style="background: %45xpression(alert('xss'));">xxx</a><br />
-<strong>Bad IE7:</strong> <a href="xxx" style="background:/**/expression(alert('xss'));">xxx</a><br />
-<strong>Bad IE7:</strong> <a href="xxx" style="background:/**/&#69;xpression(alert('xss'));">xxx</a><br />
-<strong>Bad IE7:</strong> <a href="xxx" style="background:/**/Exp&#x72;ession(alert('xss'));">xxx</a><br />
-<strong>Bad IE7:</strong> <a href="xxx" style="background: expr%45ssion(alert('xss'));">xxx</a><br />
-<strong>Bad IE7:</strong> <a href="xxx" style="background: exp/* */ression(alert('xss'));">xxx</a><br />
-<strong>Bad IE7:</strong> <a href="xxx" style="background: exp /* */ression(alert('xss'));">xxx</a><br />
-<strong>Bad IE7:</strong> <a href="xxx" style="background: exp/ * * /ression(alert('xss'));">xxx</a><br />
-<strong>Bad IE7:</strong> <a href="xxx" style="background:/* x */expression(alert('xss'));">xxx</a><br />
-<strong>Bad IE7:</strong> <a href="xxx" style="background:/* */ */expression(alert('xss'));">xxx</a><br />
-<strong>Bad IE7:</strong> <a href="x" style="width: /****/**;;;;;;*/expression/**/(alert('xss'));">x</a><br />
-<strong>Bad IE7:</strong> <a href="x" style="padding:10px; background:/**/expression(alert('xss'));">x</a><br />
-<strong>Bad IE7:</strong> <a href="x" style="background: huh /* */ */expression(alert('xss'));">x</a><br />
-<strong>Bad IE7:</strong> <a href="x" style="background:/**/expression(alert('xss'));background:/**/expression(alert('xss'));">x</a><br />
-<strong>Bad IE7:</strong> exp/*<a style='no\xss:noxss("*//*");xss:&#101;x&#x2F;*XSS*//*/*/pression(alert("XSS"))'>x</a><br />
-<strong>Bad IE7:</strong> <a style="background:&#69;xpre\ssion(alert('xss'));">hi</a><br />
-<strong>Bad IE7:</strong> <a style="background:expre&#x5c;ssion(alert('xss'));">hi</a><br />
-<strong>Bad IE7:</strong> <a style="color: \0065 \0078 \0070 \0072 \0065 \0073 \0073 \0069 \006f \006e \0028 \0061 \006c \0065 \0072 \0074 \0028 \0031 \0029 \0029">test</a><br />
-<strong>Bad IE7:</strong> <a style="xss:e&#92;&#48;&#48;&#55;&#56;pression(window.x?0:(alert(/XSS/),window.x=1));">hi</a><br />
-<strong>Bad IE7:</strong> <a style="background:url('java
-script:eval(document.all.mycode.expr)')">hi</a><br />
-
-<h6>Other</h6>
-
-3 < 4 <br />
-3 > 4 <br />
-  > 3 <br />
-<._.> hi! <br />
-<<< ALERT >>> <br />
-<![if !vml]> some stuff <![endif]> <br />
-<?xml:namespace prefix = o ns = "urn:schemas-microsoft-com:office:office" /> <br />
-<uml:ns ns = "urn:www"> <br />
-<uml:ns ns = 'urn:www'> <br />
-if(13<age AND 21>age){say 'teen'} <br />
-age >51 and a smoking history of >51 pack-years <b>was</b> <br />
-age > 51 and a smoking history of >51 pack-years <b>was</b> <br />
-age <51 and a smoking history of <51 pack-years <b>was</b> <br />
-age < 51 and a smoking history of < 51 pack-years <b>was</b> <br />
-<b>age >51 and a smoking history of >51 pack-years</b> <br />
-<b>age > 51 and a smoking history of >51 pack-years</b> <br />
-<b>age <51 and a smoking history of <51 pack-years</b> <br />
-<b>age < 51 and a smoking history of < 51 pack-years</b> <br />
+/*

+htmLawed_TESTCASE.txt, 24 September 2019

+To test htmLawed

+Copyright Santosh Patnaik

+Dual licensed with LGPL 3 and GPL 2+

+A PHP Labware internal utility - www.bioinformatics.org/phplabware/internal_utilities/htmLawed

+*/

+

+This file has UTF-8-encoded text with both correct and incorrect/malformed HTML/XHTML code snippets to test htmLawed (test cases/samples). The entire text may also be used as a unit.

+

+************************************************

+when viewing this file in a web browser, set the

+character encoding to Unicode/UTF-8

+************************************************

+

+--------------------- start --------------------

+

+<em>Try different $config and $spec values. Some text even when filtered in will not be displayed in a rendered web-page</em><br />

+

+<h6>Attributes</h6>

+

+<strong>Xml:lang:</strong><a lang="en" xml:lang="en"></a>, <a lang="en"></a>, <a xml:lang="en"></a><br />

+<strong>Standard, predefined value, or empty attribute:</strong> <input type="text" disabled />, <input type="text" disabled="DISABLED" />, <input type="text" disabled="1" /><br />

+<strong>Required:</strong> <img />, <img alt="image" /><br />

+<strong>Quote & space variation:</strong> <a id=id1 name=xy>a</a>, <a id='id2' name="xy">a</a>, <a   id=' id3 ' name = "n"  >a</a><br />

+<strong>Invalid:</strong> <a id="id4" src="s">a</a><br />

+<strong>Duplicated:</strong> <a id="id5" id="id6">a</a><br />

+<strong>Deprecated:</strong> <a id="id7" target="self" name="n">a</a>, <hr noshade="noshade" /><br />

+<strong>Casing:</strong> <a HREF=""></a><br />

+<strong>Custom:</strong> <img alt="image" my:data="portrait" /><br />

+<strong>Data-*:</strong> <a data-xml="x" data-xmnt="x" data-xmlnt="x" data-xmn:t="x" data-12="x"  data-רש="x" data-xmxm="x">a</a><br />

+<strong>Admin-restricted?:</strong> <a href="x" onclick="alert();"></a>

+

+<h6>Attribute values</h6>

+

+<strong>Duplicate ID value:</strong><a id="id8"></a>, <a id="my_id8"></a>, <a id="id8"></a><br />

+(try 'my_' for prefix)<br />

+<strong>Double-quotes in value:</strong><a title=ab"c"></a>, <a title="ab"c"></a>, <a title='ab"c'></a><br />

+(try filter for CSS expression)<br />

+<strong>CSS expression</strong>: <div style="prop:expression();"></div><div style="prop:expression()"></div><div style="prop: expression();"></div><div style="prop : expression()"></div><div style="prop:expression(js);"></div><div style="prop:expression(js;)"></div><div style="prop: expression('js');"></div><div style="prop : expr ession('js':)"></div><div style="prop&#x3a;expression( 'js&#x40; );"></div><br />

+<strong>Other:</strong> <input size="50" class="my" value="an input an input an input" />, <input size="5" class="your" value="an input" /><br />

+(try 'maxlen', 'maxval', etc., for 'input' in '$spec')

+

+<h6>Blockquotes</h6>

+

+<blockquote>abc</blockquote><br />

+<blockquote>abc<div>def</div></blockquote><br />

+<blockquote><div>abc</div>def</blockquote><br />

+<blockquote>abc<div>def</div>ghi</blockquote><br />

+abc<div>def</div>ghi<br />

+<blockquote>QQQ<div>x</div><!-- comment --></blockquote><br />

+<blockquote><div>x</div><!-- comment -->QQQ</blockquote><br />

+<blockquote><!-- comment --><div>x</div>QQQ<div>x</div></blockquote><br />

+<blockquote><div>x<!-- comment --></div>QQQ</blockquote><p>x</p><br />

+<br />

+(try with blockquote parent)

+

+<h6>CDATA sections</h6>

+

+<strong>Special characters inside:</strong> <![CDATA[ ]]> ]]>, <![CDATA[ 3 < 4 > 3.5, & 4 &gt; 4 ]]><br />

+<strong>Normal:</strong> <![CDATA[ check ]]>, <em>CDATA follows:<![CDATA[ check ]]></em><br />

+<strong>Malformed:</strong> <![cdata check ]]>, < ![CDATA check ]]>, <![CDATA check ]]>, < ![CDATA check ] ]><br />

+<strong>Invalid:</strong> <em <![CDATA[ check ]]>>CDATA in tag content</em>, <table><![CDATA[ check ]]><tr><td>text not allowed</td></tr></table>

+

+<h6>Complex-1: deprecated elements</h6>

+

+<center>

+The PHP <s>software</s> script used for this <strike>web-page</strike> webpage is <font style="font-weight: bold " face=arial size='+3' color   =  "red  ">htmLawedTest.php</font>, from <u style= 'color:green'>PHP Labware</u>.

+</center>

+

+<h6>Complex-2: deprecated attributes</h6>

+

+<img src="s" alt="a" name="n" /><img src="s" alt="a" id="id9" name="n" />

+<br clear="left" />

+<hr noshade size="1" />

+<img name="id10" src="s" align="left" alt="image" hspace="10" vspace="10" width="10em" height="20" border="1" style="padding:5px;" />

+<table width="50em" align="center" bgcolor="red">

+     <tr>

+      <td width="20%">

+       <div align="center">

+        <h3 align="right">Section</h3>

+        <p align="right">Para</p>

+        <ol type="a" start="e"><li value="x"><a name="x">First</a> <a name="x" id="id11">item</a></li></ol>

+       </div>

+      </td>

+      <td width="*">

+       <ol type="1"><li>First item</li></ol>

+      </td>

+     </tr>

+    </table>

+<br clear="all" />

+

+<h6>Complex-3: embed, object, area</h6>

+

+<object width="425" height="350"><param name="movie" value="http://www.youtube.com/v/ls7gi1VwdIQ"></param><embed src="http://www.youtube.com/v/ls7gi1VwdIQ" type="application/x-shockwave-flash" width="425" height="350"></embed></object><br />

+

+<embed src="http://www.youtube.com/v/ls7gi1VwdIQ" type="application/x-shockwave-flash" width="425" height="350"></embed><br />

+

+<object data="1.gif" type="image/gif" usemap="#map1"><map name="map1">

+<p>navigate the site: <a href="1" shape="REct" coOrds="0,0,118,28">1</a> | <a href="3" shape="circle" coords="184,200,60">3</a> | <a href="4" shape="poly" coords="276,0,276,28,100,200,50,50,276,0">4</a></p>

+<area href="5" shape="Rect" coords="0,0,118,28">

+</map></object>

+

+<param name="name">value</param>

+

+<object id="obj1">

+   <param name="param1">

+   <object id="obj2">

+      <param name="param2">

+   </object>

+</object>

+

+<h6>Complex-4: nested and other tables</h6>

+

+<table border="1" bgcolor="red"> <tr> <td> Cell </td> <td colspan="2" rowspan="2"> <table border="1" bgcolor="green"> <tr> <td> Cell </td> <td colspan="2" rowspan="2"> </td> </tr> <tr> <td> Cell </td> </tr> <tr> <td> Cell </td> <td> Cell </td> <td> Cell </td> </tr> </table> </td> </tr> <tr> <td> Cell </td> </tr> <tr> <td> Cell </td> <td> Cell </td> <td> Cell </td> </tr> </table><br />

+<strong>PCDATA wrong:</strong> <table>Well<caption>Hello</caption></table><br />

+<strong>Missing tr:</strong> <table><td>Well</td></table><br />

+

+<h6>Complex-5: pseudo, disallowed or non-HTML tags</h6>

+

+(Try different 'keep_bad' values)

+<*> Pseudotags <*>

+<xml>Non-HTML tag xml</xml>

+<p>

+Disallowed tag p

+</p>

+<ul>Bad<li>OK</li></ul>

+

+<h6>Elements</h6>

+

+<strong>Unbalanced:</strong> <a href="h"><em>check</a></em><br />

+<strong>Non-XHTML:</strong> <div><center><dir></dir></center></div><br />

+<strong>Malformed:</strong> < a href=""></a>, <a href=""  ></a>, <a href=""     ></a>, <a href=""

+></a>, <a href="">< /a>, < a href=""></a >, <img src="s" alt="a"   />, <img src="s" alt="a"/ >, <imgsrc="s" alt="a" /><br />

+<strong>Invalid:</strong> <image src="s" alt="a" /><br />

+<strong>Empty:</strong> <img src="s" alt="a" />, <img src="s" alt="a"></img>, <img src="s" alt="a">text</img><br />

+<strong>Content invalid:</strong> <a href="h">1<a>2</a></a><br />

+<strong>Content invalid?:</strong> <form></form><br /> (try setting 'form' as parent)<br />

+<strong>Casing:</strong> <A href=""></a><br />

+<strong>Check for tidy:</strong> <br /><hr /></div><hr /></div><hr /></div><div>hi</div>

+

+<h6>Entities</h6>

+

+<strong>Special:</strong> &amp; 3 < 2 & 5>4 and j >i >a & i<j>a<br />

+<strong>Padding:</strong> &#00066; &#066; &#x00066; &#x066; &#x003; &#0003;<br />

+<strong>Malformed:</strong> & #x27;, &x27;, &#x27; &TILDE;, &tilde<br />

+<strong>Invalid:</strong> &#x3;, &#55296;, &#03;, &#1114112;, &#xffff, &bad;<br />

+<strong>Discouraged characters:</strong> &#x7f;, &#132;, &#64992;, &#1114110;<br />

+<strong>Context:</strong> '&gt;', &lt;?<br />

+<strong>Casing:</strong> &#X27;, &#x27;, &TILDE;, &tilde;

+<br />

+(also check named-to-numeric and hexdec-to-decimal, and vice versa, conversions)

+

+<h6>Format</h6>

+

+<strong>Valid but ill-formatted:</strong> text <!-- comment -->

+text <!--

+A   c  o  m  m  e  n  t -->

+<script>

+        <![CDATA[

+                code

+        ]]>

+</script><!-- comment --><![CDATA[ cdata ]]> <a>text</b> text<pre id="none">p r e</pre>

+<textarea>text</textarea>         <textarea>

+          text  text  

+</textarea>             text  text <br /><hr />

+text <img src="none" alt="none" /> t<em class="none">e<strong>x</strong>t</em>

+text <img src="none" alt="none" />      <b>t<em> e <strong> x </strong> t</em></b>

+        <a href="a">    text <img src="none" alt="none" />      <b>t <em> e <strong> x </strong> t</em></b>

+        </a>

+<span style="background-color: yellow;">text <img src="none" alt="none" />      <b> <em> t e <strong> x </strong> t</em></b></span>

+<script>script</script>

+<div>

+        <pre id="none">p <a>r</a> e <!-- comment --> </pre>

+                <pre>

+                                pre

+                </pre>

+</div>

+<div><div><table border="1" style="background-color: red;"><tr><td>Cell</td><td colspan="2" rowspan="2"><table border="1" style="background-color: green;"><tr><td>Cell</td><td colspan="2" rowspan="2"></td></tr><tr><td>Cell</td></tr><tr><td>Cell</td><td>Cell</td><td>Cell</td></tr></table></td></tr><tr><td>Cell</td></tr><tr><td>Cell</td><td>Cell</td><td>Cell</td></tr></table></div></div>

+(try to compact or beautify)

+

+<h6>Forms</h6>

+

+(note nesting of 'form', missing required attributes, etc.)<br />

+<form>

+<script type="text/javascript">s</script>

+<fieldset><legend>p</legend>l <input name="personal_lastname" type="text" tabindex="1"></fieldset>

+<input name="h" type="checkbox" value="h" tabindex="20"> h

+<textarea name="t">t</textarea>

+<form action="a" method="get"></form></form><br />

+<form action="b" method="get"><p><input type="text" value="i" /></form><br />

+<form>B:<input type="text" value="b" />C:<input type="text" value="c" /></form><br />

+(try each of these lines separately)<br />

+<form action="a">what<br />

+<form action="a">what

+(try with container as div and as form)<br />

+<form>c <a>a</a> <b>b</b><input /><script>s</script>

+

+<h6>HTML comments (also CDATA)</h6>

+

+<strong>Script inside:</strong> <!--[if gte IE 4]>

+<SCRIPT>alert('XSS');</SCRIPT>

+<![endif]--><br />

+<strong>Special characters inside: <!-- <![CDATA check ]]> -->, <!-- 3 < 4 > 3.5, & 4 &gt; 4 -->, <!-- che--ck -->, <!--[if !IE]> <--><a>c</a><!--> <![endif]--><br />

+<strong>Normal:</strong> <!-- check -->, <!--check -->, <em>comment:<!-- check --></em><!-- check -->, <table><!-- check --><tr><td>text not allowed</td></tr></table><br />

+<strong>Malformed:</strong> <![cdata check ]]>, < ![CDATA check ]]>, < ![CDATA check ] ]><br />

+Invalid:</strong> <em <!-- check -->>comment in tag content</em>, <!--check-->

+

+<h6>HTML5</h6>

+

+<strong>figure and figcaption:</strong> <figure><img src="picture.jpg" alt="picture"><figcaption>Caption for the awesome picture</figcaption></figure>

+<strong>article:</strong> <h1>A</h1><p>B</p><article><h2>C</h2></article><article><h2>E</h2><p>F</p><p>G</p></article>

+<strong>meter</strong>: <p>Heat <meter min="100" max="200" value="150">150</meter>.</p>

+<strong>datalist</strong>: <input list="b" /><datalist id="b"><option value="c"><option value="d"></datalist>

+

+<h6>Ins-Del</h6>

+

+(depending on context, these elements can be of either block or inline type)<br />

+<p><ins datetime="d" cite="c"><div>block</div></ins></p><br />

+<p><del>d</del></p><br />

+<p><ins><del>d</del></ins></p><div><ins><p><del><div>d</div></del></p></ins></div><ins><div>d</div></ins>

+

+<h6>Lists</h6>

+

+<strong>Invalid character data</strong>: <ul><li>(item</li>)</ul><br />

+<strong>Definition list</strong>: <dl><dt>a</dt>bad<dd>first <em>one</em></dd><dt>b</dt><dd>second</dd></dl><br />

+<strong>Definition list, close-tags omitted</strong>: <dl><dt>a</dt>bad<dd>first <em>one</em></dd><dt>b<dd>second</dl><br />

+<strong>Definition lists, nested</strong>: <dl>

+ <dt>T1</dt>

+ <dd>D1</dd>

+ <dt>T2</dt>

+ <dd>D2<dl><dt>t1</dt><dd>d1</dd><dt>t2</dt><dd>d2</dd></dl></dd>

+ <dt>T3</dt>

+ <dd>D3</dd>

+ <dt>T4</dt>

+ <dd>D4<dl><dt>t1</dt><dd>d1</dd></dl></dd>

+</dl><br />

+<strong>Definition lists, nested, close-tags omitted</strong>: <dl>

+ <dt>T1

+ <dd>D1</dd>

+ <dt>T2</dt>

+ <dd>D2<dl><dt>t1<dd>d1<dt>t2</dt><dd>d2</dd></dl></dd>

+ <dt>T3

+ <dd>D3

+ <dt>T4

+ <dd>D4<dl><dt>t1<dd>d1</dl></dd>

+</dl><br />

+<strong>Nested</strong>: <ul>

+ <li>l1</li>

+ <li>l2<ol><li>lo1</li><li>lo2</li></ol></li>

+ <li>l3</li>

+ <li>l4<ol><li>lo3</li><li>lo4<ol><li>lo5</li></ol></li></ol></li>

+</ul><br />

+<strong>Nested, directly</strong>: <ul>

+ <li>l1</li>

+ <ol>l2</ol>

+ <li>l3</li>

+</ul><br />

+<strong>Nested, close-tags omitted</strong>: <ul>

+ <li>l1</li>

+ <li>l2<ol><li>lo1<li>lo2</ol>

+ <li>l3

+ <li>l4<ol><li>lo3<li>lo4<ol><li>lo5</ol></ol>

+</ul><br />

+<strong>Complex</strong>:

+<ol><script></script><li><table><tr><td>

+<ul><li id="search" class="widget widget_search">                       <form id="searchform" method="get" action="http://kohei.us">

+                        <div>

+

+                        <input type="text" name="s" id="s" size="15" /><br />

+                        <input type="submit" value="Search" />

+                        </div>

+                        </form>

+                </li></ul>

+</td></tr></table></li></ol>

+<strong>Menu</strong>: <menu type="toolbar"><li><menu label="File">

+      <button type="button" onclick="new()">New...</button>

+    </menu></li><li><menu label="Edit"><button type="button" onclick="cut()">Cut...</button></menu></li>

+    </menu>

+

+<h6>Microdata</h6>

+

+<div itemscope itemtype="http://data-vocabulary.org/Person"> 

+I am <span itemprop="name">X</span> but people call me <span itemprop="nickname">Y</span>. 

+Find me at <a href="http://www.xy.com" itemprop="url">www.xy.com</a>

+</div>

+

+<h6>Microsoft Word</h6>

+

+<strong>Proprietary tag</strong>: <p class=3DMsoNormal><o:p>&nbsp;</o:p></p><br />

+<strong>XML declaration</strong>: <?xml:namespace prefix = o ns = "urn:schemas-microsoft-com:office:office" /><br />

+<strong>XML-invalid character code-point (may not replicate)</strong>: <p class=3DMsoNormal>“Where is he?” asked both Mary – the one so lovely – and Jane.</p>

+

+<h6>Nesting</h6>

+

+<strong>Block or inline a</strong>: <p><a href="link">text</a></p><a href="link"><div>hi</div></a><br />

+

+<h6>Non-English text-1</h6>

+

+Inscrieţi-vă acum la a Zecea Conferinţă Internaţională<br />

+გთხოვთ ახლავე გაიაროთ რეგისტრაცია<br />

+večjezično računalništvo<br />

+<a title="อ.อ่าง">อ.อ่าง</a><br />

+<a title="הירשמו

+כעת לכנס ">Зарегистрируйтесь сейчас

+на Десятую Международную Конференцию по</a><br />

+(this file should have utf-8 encoding; some characters may not be displayed because of missing fonts, etc.)

+

+<h6>Non-English text-2: entities</h6>

+

+&#29992;&#32479;&#19968;&#30721;<br />

+&#4306;&#4311;&#4334;&#4317;&#4309;&#4311;<br />

+Inscreva-se agora para a D&#233;cima Confer&#234;ncia Internacional Sobre O Unicode, realizada entre os dias 10 e 12 de mar&#231;o de 1997 em Mainz

+na Alemanha.

+

+<h6>Ruby</h6>

+

+(need compatible browser)<br />

+<ruby xml:lang="ja">

+  <rbc>

+    <rb>斎</rb>

+    <rb>藤</rb>

+    <rb>信</rb>

+    <rb>男</rb>

+  </rbc>

+  <rtc class="reading">

+    <rt>さい</rt>

+    <rt>とう</rt>

+    <rt>のぶ</rt>

+    <rt>お</rt>

+  </rtc>

+  <rtc class="annotation">

+    <rt rbspan="4" xml:lang="en">W3C Associate Chairman</rt>

+  </rtc>

+</ruby><br />

+<ruby>

+  <rb>WWW</rb>

+  <rp>(</rp><rt>World Wide Web</rt><rp>)</rp>

+</ruby><br />

+<ruby>

+  A

+  <rp>(</rp><rt>aaa</rt><rp>)</rp>

+</ruby>

+

+

+<h6>Tables</h6>

+

+<strong>Omitted closing tags:</strong> <table>

+<colgroup><col style="x" /><col style="y" />

+<thead>

+<tr><th>h1c1<th>h1c2

+<tbody>

+<tr><td>r1c1<td>r1c2

+<tr><td>r2c1<td>r2c2

+</table><br />

+<strong>Nested, omitted closing tags:</strong> <table>

+<colgroup><col style="x" /><col style="y" />

+<thead>

+<tr><th>h1c1<th>h1c2

+<tbody>

+<tr><td>r1c1<td>r1c2<table>

+<colgroup><col style="x" /><col style="y" />

+<thead>

+<tr><th>h1c1<th>h1c2

+<tbody>

+<tr><td>r1c1<td>r1c2

+<tr><td>r2c1<td>r2c2

+</table>

+<tr><td>r2c1<td>r2c2

+</table><br />

+

+<h6>Tag transformation</h6>

+<strong>Font element with malicious code:</strong> <p><font color="z-index:123;width:100%;height:100%;position:fixed;top:0;left:0;background-size:cover;background-attachment:fixed;background-image:url(https://i.imgur.com/VQ30s65.png)"></font></p><br />

+<strong>Font element intended as 'inline' element:</strong> <p><font color='red'>hi</font></p><br />

+<strong>Font element intended as 'block' element:</strong> <div><font color='red'><div>hi</div></font></div><br />

+<strong>Font element intended as 'block' element:</strong> <center><font color='red' face="serif, 'Times'"><div>hi</div><div>QQQ</div></font></center><br />

+

+<h6>Tidy</h6>

+<strong>White-space handling:</strong> abc<em> def </em> ghi   abc <em>def</em> ghi

+

+<h6>URLs</h6>

+

+<strong>Relative and absolute:</strong> <a href="mailto:x"></a>, <a href="http://a.com/b/c/d.f"></a>, <a href="./../d.f"></a>, <a href="./d.f"></a>, <a href="d.f"></a>, <a href="#s"></a>, <a href="./../../d.f#s"></a><br />

+(try base URL value of 'http://a.com/b/')<br />

+<strong>CSS URLs:</strong> <div style="background-image: url('a.gif');"></div>, <div style="background-image: URL(&quot;a.gif&quot;);"></div>, <div style="background-image: url('http://a.com/a.gif');"></div>, <div style="background-image: url('./../a.gif');"></div>, <div style="background-image: &#117;r&#x6C;('js&#58;xss'&#x29;"></div><br />

+<strong>Double URLs:</strong> <a style="behaviour: url(foo) url(http://example.com/xss.htc)">b</a><br />

+<strong>Anti-spam:</strong> (try regex for 'http://a.com', etc.) <a href="mailto:x@y.com"></a>, <a href="http://a.com/b@d.f"></a>, <a href="a.com/d.f" rel="nofollow"></a>, <a href="a.com/d.f" rel="1, 2"></a>, <a href="a.com/d.f"></a>, <a href="b.com/d.f"></a>, <a href="c.com/d.f">, <a href="denied:http://c.com/d.f"></a><br />

+<strong>Soft-hyphen:</strong> <a href="http://q=ídis­c">ídis­c</a>

+

+<h6>XSS</h6>

+

+<img alt="<img onmouseover=confirm(1)//"<"">

+'';!--"<xss>=&{()}<br />

+<img src="javascript%3Aalert('xss');" /><br />

+<img src="javascript:alert('xss');" /><br />

+<img src="java script:alert('xss');" /><br />

+<img

+src=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41; /><br />

+<font color='#FF6699"onmouseover="alert(1)//'>test</font>

+<font color='<img//onerror="alert`www.ptsecurity.com`"src=Psych0tr1a'>

+<div style="javascript:alert('xss');"></div><br />

+<div style="background-image:url(javascript:alert('xss'));"></div><br />

+<div style="background-image:url(&quot;javascript:alert('xss')&quot; );"></div><br />

+<!--[if gte IE 4]><script>alert('xss');</script><![endif]--><br />

+<script a=">" src="http://ha.ckers.org/xss.js"></script><br />

+<div style="background-image: &#117;r&#x6C;('js&#58;xss'&#x29;"></div><br />

+<a style=";-moz-binding:url(http://lukasz.pilorz.net/xss/xss.xml#xss)" href="http://example.com">test</a><br />

+<strong>Bad IE7:</strong> <a href="http://x&x=%22+style%3d%22background-image%3a+expression%28alert

+%28%27xss%3f%29%29">x</a><br />

+<strong>Opera:</strong> <a href="\xE2\x80\x83javascript:alert(123)">link</a>

+<strong>Bad IE7:</strong> <a style=color:expr/*comment*/ession(alert(document.domain))>xxx</a><br />

+<strong>Bad IE7:</strong> <a href="xxx" style="background: exp&#x72;ession(alert('xss'));">xxx</a><br />

+<strong>Bad IE7:</strong> <a href="xxx" style="background: &#101;xpression(alert('xss'));">xxx</a><br />

+<strong>Bad IE7:</strong> <a href="xxx" style="background: %45xpression(alert('xss'));">xxx</a><br />

+<strong>Bad IE7:</strong> <a href="xxx" style="background:/**/expression(alert('xss'));">xxx</a><br />

+<strong>Bad IE7:</strong> <a href="xxx" style="background:/**/&#69;xpression(alert('xss'));">xxx</a><br />

+<strong>Bad IE7:</strong> <a href="xxx" style="background:/**/Exp&#x72;ession(alert('xss'));">xxx</a><br />

+<strong>Bad IE7:</strong> <a href="xxx" style="background: expr%45ssion(alert('xss'));">xxx</a><br />

+<strong>Bad IE7:</strong> <a href="xxx" style="background: exp/* */ression(alert('xss'));">xxx</a><br />

+<strong>Bad IE7:</strong> <a href="xxx" style="background: exp /* */ression(alert('xss'));">xxx</a><br />

+<strong>Bad IE7:</strong> <a href="xxx" style="background: exp/ * * /ression(alert('xss'));">xxx</a><br />

+<strong>Bad IE7:</strong> <a href="xxx" style="background:/* x */expression(alert('xss'));">xxx</a><br />

+<strong>Bad IE7:</strong> <a href="xxx" style="background:/* */ */expression(alert('xss'));">xxx</a><br />

+<strong>Bad IE7:</strong> <a href="x" style="width: /****/**;;;;;;*/expression/**/(alert('xss'));">x</a><br />

+<strong>Bad IE7:</strong> <a href="x" style="padding:10px; background:/**/expression(alert('xss'));">x</a><br />

+<strong>Bad IE7:</strong> <a href="x" style="background: huh /* */ */expression(alert('xss'));">x</a><br />

+<strong>Bad IE7:</strong> <a href="x" style="background:/**/expression(alert('xss'));background:/**/expression(alert('xss'));">x</a><br />

+<strong>Bad IE7:</strong> exp/*<a style='no\xss:noxss("*//*");xss:&#101;x&#x2F;*XSS*//*/*/pression(alert("XSS"))'>x</a><br />

+<strong>Bad IE7:</strong> <a style="background:&#69;xpre\ssion(alert('xss'));">hi</a><br />

+<strong>Bad IE7:</strong> <a style="background:expre&#x5c;ssion(alert('xss'));">hi</a><br />

+<strong>Bad IE7:</strong> <a style="color: \0065 \0078 \0070 \0072 \0065 \0073 \0073 \0069 \006f \006e \0028 \0061 \006c \0065 \0072 \0074 \0028 \0031 \0029 \0029">test</a><br />

+<strong>Bad IE7:</strong> <a style="xss:e&#92;&#48;&#48;&#55;&#56;pression(window.x?0:(alert(/XSS/),window.x=1));">hi</a><br />

+<strong>Bad IE7:</strong> <a style="background:url('java

+script:eval(document.all.mycode.expr)')">hi</a><br />

+

+<h6>Other</h6>

+

+3 < 4 <br />

+3 > 4 <br />

+  > 3 <br />

+<._.> hi! <br />

+<<< ALERT >>> <br />

+<![if !vml]> some stuff <![endif]> <br />

+<?xml:namespace prefix = o ns = "urn:schemas-microsoft-com:office:office" /> <br />

+<uml:ns ns = "urn:www"> <br />

+<uml:ns ns = 'urn:www'> <br />

+if(13<age AND 21>age){say 'teen'} <br />

+age >51 and a smoking history of >51 pack-years <b>was</b> <br />

+age > 51 and a smoking history of >51 pack-years <b>was</b> <br />

+age <51 and a smoking history of <51 pack-years <b>was</b> <br />

+age < 51 and a smoking history of < 51 pack-years <b>was</b> <br />

+<b>age >51 and a smoking history of >51 pack-years</b> <br />

+<b>age > 51 and a smoking history of >51 pack-years</b> <br />

+<b>age <51 and a smoking history of <51 pack-years</b> <br />

+<b>age < 51 and a smoking history of < 51 pack-years</b> <br />