html: Reduce dependency on htmlchars

Previously, html-like content would have to be run through Format::htmlchars before being passed to Format::sanitize, because things that looked like invalid html content would be removed.

html: Reduce dependency on htmlchars
2f62149d · Jared Hancock · c8a59047 · 2f62149d
Commit 2f62149d authored 11 years ago by Jared Hancock
--- a/include/class.format.php
+++ b/include/class.format.php
@@ -206,7 +206,7 @@ class Format {
    function safe_html($html) {
        // Remove HEAD and STYLE sections
        $html = preg_replace(
-            array(':<(head|style).+</\1>:is',   # <head> and <style> sections
+            array(':<(head|style|script).+</\1>:is',   # <head> and <style> sections
                  ':<!\[[^]<]+\]>:',            # <![if !mso]> and friends
                  ':<!DOCTYPE[^>]+>:',          # <!DOCTYPE ... >
            ),
@@ -217,6 +217,7 @@ class Format {
            'balance' => 1, //balance and close unclosed tags.
            'comment' => 1, //Remove html comments (OUTLOOK LOVE THEM)
            'tidy' => -1,
+            'keep_bad' => 1,
            'deny_attribute' => 'id',
            'schemes' => 'href: aim, feed, file, ftp, gopher, http, https, irc, mailto, news, nntp, sftp, ssh, telnet; *:file, http, https; src: cid, http, https, data',
            'hook_tag' => function($e, $a=0) { return Format::__html_cleanup($e, $a); },