diff --git a/extlib/Michelf/License.md b/extlib/Michelf/License.md
index 027becbd58..8a5b85447e 100644
--- a/extlib/Michelf/License.md
+++ b/extlib/Michelf/License.md
@@ -1,5 +1,5 @@
PHP Markdown Lib
-Copyright (c) 2004-2013 Michel Fortin
+Copyright (c) 2004-2014 Michel Fortin
.+?)}sx', - array(&$this, '_doBlockQuotes_callback2'), $bq); + array($this, '_doBlockQuotes_callback2'), $bq); return "\n". $this->hashBlock("
\n$bq\n")."\n\n"; } @@ -1255,6 +1263,33 @@ class Markdown implements MarkdownInterface { $text = str_replace('"', '"', $text); return $text; } + + + protected function encodeURLAttribute($url, &$text = null) { + # + # Encode text for a double-quoted HTML attribute containing a URL, + # applying the URL filter if set. Also generates the textual + # representation for the URL (removing mailto: or tel:) storing it in $text. + # This function is *not* suitable for attributes enclosed in single quotes. + # + if ($this->url_filter_func) + $url = call_user_func($this->url_filter_func, $url); + + if (preg_match('{^mailto:}i', $url)) + $url = $this->encodeEntityObfuscatedAttribute($url, $text, 7); + else if (preg_match('{^tel:}i', $url)) + { + $url = $this->encodeAttribute($url); + $text = substr($url, 4); + } + else + { + $url = $this->encodeAttribute($url); + $text = $url; + } + + return $url; + } protected function encodeAmpsAndAngles($text) { @@ -1279,8 +1314,8 @@ class Markdown implements MarkdownInterface { protected function doAutoLinks($text) { - $text = preg_replace_callback('{<((https?|ftp|dict):[^\'">\s]+)>}i', - array(&$this, '_doAutoLinks_url_callback'), $text); + $text = preg_replace_callback('{<((https?|ftp|dict|tel):[^\'">\s]+)>}i', + array($this, '_doAutoLinks_url_callback'), $text); # Email addresses: $text = preg_replace_callback('{ @@ -1301,49 +1336,47 @@ class Markdown implements MarkdownInterface { ) > }xi', - array(&$this, '_doAutoLinks_email_callback'), $text); - $text = preg_replace_callback('{<(tel:([^\'">\s]+))>}i',array(&$this, '_doAutoLinks_tel_callback'), $text); + array($this, '_doAutoLinks_email_callback'), $text); return $text; } - protected function _doAutoLinks_tel_callback($matches) { - $url = $this->encodeAttribute($matches[1]); - $tel = $this->encodeAttribute($matches[2]); - $link = "$tel"; - return $this->hashPart($link); - } protected function _doAutoLinks_url_callback($matches) { - $url = $this->encodeAttribute($matches[1]); - $link = "$url"; + $url = $this->encodeURLAttribute($matches[1], $text); + $link = "$text"; return $this->hashPart($link); } protected function _doAutoLinks_email_callback($matches) { - $address = $matches[1]; - $link = $this->encodeEmailAddress($address); + $addr = $matches[1]; + $url = $this->encodeURLAttribute("mailto:$addr", $text); + $link = "$text"; return $this->hashPart($link); } - protected function encodeEmailAddress($addr) { + protected function encodeEntityObfuscatedAttribute($text, &$tail = null, $head_length = 0) { # - # Input: an email address, e.g. "foo@example.com" + # Input: some text to obfuscate, e.g. "mailto:foo@example.com" # - # Output: the email address as a mailto link, with each character - # of the address encoded as either a decimal or hex entity, in - # the hopes of foiling most address harvesting spam bots. E.g.: + # Output: the same text but with most characters encoded as either a + # decimal or hex entity, in the hopes of foiling most address + # harvesting spam bots. E.g.: # - # + # m + # + # Note: the additional output $tail is assigned the same value as the + # ouput, minus the number of characters specified by $head_length. # # Based by a filter by Matthew Wickline, posted to BBEdit-Talk. - # With some optimizations by Milian Wolff. + # With some optimizations by Milian Wolff. Forced encoding of HTML + # attribute special characters by Allan Odgaard. # - $addr = "mailto:" . $addr; - $chars = preg_split('/(? $char) { $ord = ord($char); # Ignore non-ascii chars. @@ -1351,17 +1384,17 @@ class Markdown implements MarkdownInterface { $r = ($seed * (1 + $key)) % 100; # Pseudo-random function. # roughly 10% raw, 45% hex, 45% dec # '@' *must* be encoded. I insist. - if ($r > 90 && $char != '@') /* do nothing */; + # '"' and '>' have to be encoded inside the attribute + if ($r > 90 && strpos('@"&>', $char) === false) /* do nothing */; else if ($r < 45) $chars[$key] = ''.dechex($ord).';'; else $chars[$key] = ''.$ord.';'; } } - - $addr = implode('', $chars); - $text = implode('', array_slice($chars, 7)); # text without `mailto:` - $addr = "$text"; - return $addr; + $text = implode('', $chars); + $tail = $head_length ? implode('', array_slice($chars, $head_length)) : $text; + + return $text; } @@ -1470,7 +1503,7 @@ class Markdown implements MarkdownInterface { # appropriate number of space between each blocks. $text = preg_replace_callback('/^.*\t.*$/m', - array(&$this, '_detab_callback'), $text); + array($this, '_detab_callback'), $text); return $text; } @@ -1510,7 +1543,7 @@ class Markdown implements MarkdownInterface { # Swap back in all the tags hashed by _HashHTMLBlocks. # return preg_replace_callback('/(.)\x1A[0-9]+\1/', - array(&$this, '_unhash_callback'), $text); + array($this, '_unhash_callback'), $text); } protected function _unhash_callback($matches) { return $this->html_hashes[$matches[0]]; @@ -1645,9 +1678,9 @@ abstract class _MarkdownExtra_TmpImpl extends \Michelf\Markdown { ### Extra Attribute Parser ### # Expression to use to catch attributes (includes the braces) - protected $id_class_attr_catch_re = '\{((?:[ ]*[#.][-_:a-zA-Z0-9]+){1,})[ ]*\}'; + protected $id_class_attr_catch_re = '\{((?:[ ]*[#.a-z][-_:a-zA-Z0-9=]+){1,})[ ]*\}'; # Expression to use when parsing in a context when no capture is desired - protected $id_class_attr_nocatch_re = '\{(?:[ ]*[#.][-_:a-zA-Z0-9]+){1,}[ ]*\}'; + protected $id_class_attr_nocatch_re = '\{(?:[ ]*[#.a-z][-_:a-zA-Z0-9=]+){1,}[ ]*\}'; protected function doExtraAttributes($tag_name, $attr) { # @@ -1659,17 +1692,21 @@ abstract class _MarkdownExtra_TmpImpl extends \Michelf\Markdown { if (empty($attr)) return ""; # Split on components - preg_match_all('/[#.][-_:a-zA-Z0-9]+/', $attr, $matches); + preg_match_all('/[#.a-z][-_:a-zA-Z0-9=]+/', $attr, $matches); $elements = $matches[0]; # handle classes and ids (only first id taken into account) $classes = array(); + $attributes = array(); $id = false; foreach ($elements as $element) { if ($element{0} == '.') { $classes[] = substr($element, 1); } else if ($element{0} == '#') { if ($id === false) $id = substr($element, 1); + } else if (strpos($element, '=') > 0) { + $parts = explode('=', $element, 2); + $attributes[] = $parts[0] . '="' . $parts[1] . '"'; } } @@ -1681,6 +1718,9 @@ abstract class _MarkdownExtra_TmpImpl extends \Michelf\Markdown { if (!empty($classes)) { $attr_str .= ' class="'.implode(" ", $classes).'"'; } + if (!$this->no_markup && !empty($attributes)) { + $attr_str .= ' '.implode(" ", $attributes); + } return $attr_str; } @@ -1716,7 +1756,7 @@ abstract class _MarkdownExtra_TmpImpl extends \Michelf\Markdown { (?:[ ]* '.$this->id_class_attr_catch_re.' )? # $5 = extra id & class attr (?:\n+|\Z) }xm', - array(&$this, '_stripLinkDefinitions_callback'), + array($this, '_stripLinkDefinitions_callback'), $text); return $text; } @@ -1733,17 +1773,17 @@ abstract class _MarkdownExtra_TmpImpl extends \Michelf\Markdown { ### HTML Block Parser ### # Tags that are always treated as block tags: - protected $block_tags_re = 'p|div|h[1-6]|blockquote|pre|table|dl|ol|ul|address|form|fieldset|iframe|hr|legend|article|section|nav|aside|hgroup|header|footer|figcaption'; + protected $block_tags_re = 'p|div|h[1-6]|blockquote|pre|table|dl|ol|ul|address|form|fieldset|iframe|hr|legend|article|section|nav|aside|hgroup|header|footer|figcaption|figure'; # Tags treated as block tags only if the opening tag is alone on its line: - protected $context_block_tags_re = 'script|noscript|ins|del|iframe|object|source|track|param|math|svg|canvas|audio|video'; + protected $context_block_tags_re = 'script|noscript|style|ins|del|iframe|object|source|track|param|math|svg|canvas|audio|video'; # Tags where markdown="1" default to span mode: protected $contain_span_tags_re = 'p|h[1-6]|li|dd|dt|td|th|legend|address'; # Tags which must not have their contents modified, no matter where # they appear: - protected $clean_tags_re = 'script|math|svg'; + protected $clean_tags_re = 'script|style|math|svg'; # Tags that do not need to be closed. protected $auto_close_tags_re = 'hr|img|param|source|track'; @@ -2227,7 +2267,7 @@ abstract class _MarkdownExtra_TmpImpl extends \Michelf\Markdown { \] ) }xs', - array(&$this, '_doAnchors_reference_callback'), $text); + array($this, '_doAnchors_reference_callback'), $text); # # Next, inline-style links: [link text](url "optional title") @@ -2255,7 +2295,7 @@ abstract class _MarkdownExtra_TmpImpl extends \Michelf\Markdown { (?:[ ]? '.$this->id_class_attr_catch_re.' )? # $8 = id/class attributes ) }xs', - array(&$this, '_doAnchors_inline_callback'), $text); + array($this, '_doAnchors_inline_callback'), $text); # # Last, handle reference-style shortcuts: [link text] @@ -2269,7 +2309,7 @@ abstract class _MarkdownExtra_TmpImpl extends \Michelf\Markdown { \] ) }xs', - array(&$this, '_doAnchors_reference_callback'), $text); + array($this, '_doAnchors_reference_callback'), $text); $this->in_anchor = false; return $text; @@ -2290,7 +2330,7 @@ abstract class _MarkdownExtra_TmpImpl extends \Michelf\Markdown { if (isset($this->urls[$link_id])) { $url = $this->urls[$link_id]; - $url = $this->encodeAttribute($url); + $url = $this->encodeURLAttribute($url); $result = "titles[$link_id] ) ) { @@ -2317,8 +2357,13 @@ abstract class _MarkdownExtra_TmpImpl extends \Michelf\Markdown { $title =& $matches[7]; $attr = $this->doExtraAttributes("a", $dummy =& $matches[8]); + // if the URL was of the form