Refactor 'evil attributes' sanitization logic

Turned out pretty much impossible to remove 'evil attributes'
with just one pattern - it either breaks something else, hits
pcre.backtrack_limit or causes PHP to segfault.

No benchmarks made, but there shouldn't be any performance
regressions since we're now trying to strip attributes only
after it is determined that they are inside a tag; up until
now this was done separately for _sanitize_naughty_html()
and _remove_evil_attributes().
2 files changed