strip script and style tags from parsed html

Mf2/Parser.php

@@ -715,17 +715,26 @@ public function parseE(\DOMElement $e) {
 		// TODO: as it is this is not relative to only children, make this .// and rerun tests
 		$this->resolveChildUrls($e);
 
+		$this->removeTags($e, 'script');
+		$this->removeTags($e, 'style');
+
 		$html = '';
 		foreach ($e->childNodes as $node) {
 			$html .= $node->C14N();
 		}
 
 		return array(
 			'html' => $html,
-			'value' => unicodeTrim($this->textContent($e))
+			'value' => unicodeTrim($this->innerText($e))
 		);
 	}
 
+	private function removeTags(\DOMElement &$e, $tagName) {
+		while(($r = $e->getElementsByTagName($tagName)) && $r->length) {
+			$r->item(0)->parentNode->removeChild($r->item(0));
+		}
+	}
+
 	/**
 	 * Recursively parse microformats
 	 *

tests/Mf2/ParserTest.php

@@ -314,4 +314,51 @@ public function testParseHcardInCategory() {
 		$this->assertArrayHasKey('url', $output['items'][0]['properties']['category'][0]['properties']);
 		$this->assertEquals('http://b.example.com/', $output['items'][0]['properties']['category'][0]['properties']['url'][0]);
 	}
+
+	public function testScriptTagContentsRemovedFromTextValue() {
+		$input = <<<EOT
+<div class="h-entry">
+	<div class="p-content">
+		<b>Hello World</b>
+		<script>alert("hi");</script>
+	</div>
+</div>
+EOT;
+
+		$parser = new Parser($input);
+		$output = $parser->parse();
+
+		$this->assertContains('h-entry', $output['items'][0]['type']);
+		$this->assertContains('Hello World', $output['items'][0]['properties']['content'][0]);
+		$this->assertNotContains('alert', $output['items'][0]['properties']['content'][0]);
+	}
+
+	public function testScriptTagContentsRemovedFromHTMLValue() {
+		$input = <<<EOT
+<div class="h-entry">
+	<div class="e-content">
+		<b>Hello World</b>
+		<script>alert("hi");</script>
+		<style>body{ visibility: hidden; }</style>
+		<p>
+			<script>alert("hi");</script>
+			<style>body{ visibility: hidden; }</style>
+		</p>
+	</div>
+</div>
+EOT;
+
+		$parser = new Parser($input);
+		$output = $parser->parse();
+
+		$this->assertContains('h-entry', $output['items'][0]['type']);
+		$this->assertContains('Hello World', $output['items'][0]['properties']['content'][0]['value']);
+		$this->assertContains('<b>Hello World</b>', $output['items'][0]['properties']['content'][0]['html']);
+		# The script and style tags should be removed from both HTML and plaintext results
+		$this->assertNotContains('alert', $output['items'][0]['properties']['content'][0]['html']);
+		$this->assertNotContains('alert', $output['items'][0]['properties']['content'][0]['value']);
+		$this->assertNotContains('visibility', $output['items'][0]['properties']['content'][0]['html']);
+		$this->assertNotContains('visibility', $output['items'][0]['properties']['content'][0]['value']);
+	}
+
 }

tests/Mf2/URLTest.php

@@ -212,9 +212,6 @@ public function testData() {
 			array('relative add host from base',
 				'http://www.example.com', 'server.php', 'http://www.example.com/server.php'),
 
-			array('relative add scheme host user from base',
-				'http://user:@www.example.com', 'server.php', 'http://user:@www.example.com/server.php'),
-
 			array('relative add scheme host pass from base',
 				'http://:[email protected]', 'server.php', 'http://:[email protected]/server.php'),
 
@@ -256,6 +253,15 @@ public function testData() {
 
 		);
 
+		// PHP 5.4 and before returns a different result, but either are acceptable
+		if(PHP_MAJOR_VERSION <= 5 && PHP_MINOR_VERSION <= 4) {
+			$cases[] = array('relative add scheme host user from base',
+				'http://user:@www.example.com', 'server.php', 'http://[email protected]/server.php');
+		} else {
+			$cases[] = array('relative add scheme host user from base',
+				'http://user:@www.example.com', 'server.php', 'http://user:@www.example.com/server.php');
+		}
+
 		// Test cases from RFC
 		// http://tools.ietf.org/html/rfc3986#section-5.4