Merge pull request #52 from shinsenter/develop

Fixed CVE-2019-18888

Author: shinsenter

composer.json

@@ -64,7 +64,7 @@
     "require":
     {
         "php": ">=5.6",
-        "symfony/http-foundation": ">2.6"
+        "symfony/polyfill-mbstring": "^1.0.0"
     },
     "minimum-stability": "dev",
     "prefer-stable": true,

composer.lock

@@ -209,7 +209,9 @@ protected function nodefer()
     {
         $no_libxml   = !$this->native_libxml;
         $request     = $this->http->request();
-        $has_nodefer = $request ? (bool) $request->get($this->no_defer_parameter) : false;
+        $has_nodefer = $request
+            ? (bool) $request->get($this->no_defer_parameter)
+            : !empty($_REQUEST[$this->no_defer_parameter]);
 
         return $has_nodefer || $no_libxml;
     }

src/Defer.php

@@ -14,7 +14,7 @@
 namespace shinsenter;
 
 if (!defined('DEFER_JS_ROOT')) {
-    define('DEFER_JS_ROOT', dirname(dirname(__FILE__)));
+    define('DEFER_JS_ROOT', dirname(__DIR__));
 }
 
 if (!defined('DEFER_JS_VERSION')) {
@@ -189,7 +189,7 @@ abstract class DeferInterface
     const IMG_XPATH        = '//*[(' . DEFER_IMG_TAGS . ') and ' . DEFER_IMG_IGNORE . ']';
     const IFRAME_XPATH     = '//*[(' . DEFER_IFRAME_TAGS . ') and ' . DEFER_IFRAME_IGNORE . ']';
     const BACKGROUND_XPATH = '//*[' . DEFER_JS_IGNORE . ' and @style and contains(@style,"url")]';
-    const NORMALIZE_XPATH  = '//text()[' . DEFER_MINIFY_HTML_IGNORE . ' and not(.=normalize-space(.))]';
+    const NORMALIZE_XPATH  = '//text()[not(.=normalize-space(.))]';
 
     // Variable holders
     public static $deferjs_script = null;

src/DeferInterface.php

@@ -49,13 +49,15 @@ protected function optimize()
 
         // Meta optimizations
         $this->addMissingMeta();
-        $this->addFingerprint();
 
         // Add custom splash screen
         $this->addCustomSplashScreen();
 
         // Minify
         $this->minifyOutputHTML();
+
+        // Footer
+        $this->addFingerprint();
     }
 
     /*
@@ -482,7 +484,7 @@ protected function optimizeStyleTags()
 
             // Update the node content
             if ($node->nodeValue != $code) {
-                $node->nodeValue = htmlspecialchars($code);
+                $node->nodeValue = $code;
             }
 
             // Defer the style tag if there is background url
@@ -512,7 +514,7 @@ protected function optimizeScriptTags()
             $code = $this->minifyInlineScript($node->nodeValue);
 
             if ($node->nodeValue != $code) {
-                $node->nodeValue = htmlspecialchars($code);
+                $node->nodeValue = $code;
             }
         }
     }
@@ -830,12 +832,12 @@ protected function getPreloadType($node)
     protected function addBackgroundColor($node)
     {
         if ($this->use_color_placeholder) {
-            if ($this->use_color_placeholder == 'grey') {
+            if ($this->use_color_placeholder === 'grey') {
                 // Light grey placeholder
-                $placeholder = 'background-color:hsl(0,0%,' . rand(95, 99) . '%);';
+                $placeholder = 'background-color:hsl(0,0%,' . rand(91, 99) . '%);';
             } else {
                 // Colorful placeholder
-                $placeholder = 'background-color:hsl(' . rand(1, 360) . ',100%,96%);';
+                $placeholder = 'background-color:hsl(' . rand(1, 360) . ',30%,96%);';
             }
 
             $style       = (string) $node->getAttribute(static::ATTR_STYLE);