Opened 6 years ago

Closed 7 months ago

#1484584 closed Feature Requests (wontfix)

Integrate HTML Purifier

Reported by: thomasb Owned by:
Priority: 5 Milestone: later
Component: PHP backend Version: git-master
Severity: normal Keywords: html cleanup xss security
Cc:

Description

Use http://htmlpurifier.org instead of the internal functions to clean up HTML mail contents. Add the path to the installed package to config.

Change History (7)

comment:1 Changed 6 years ago by thomasb

  • Type changed from Bugs to Feature Requests

Not a Bug but a Feature Request

comment:2 Changed 5 years ago by thomasb

Should also fix #1484701

comment:3 Changed 5 years ago by till

  • Milestone changed from 0.1-stable to 0.2-beta

I'm removing this from 0.1-stable because (afaik) 0.1-stable needs to run on PHP4 too, and htmlpurifier runs on php5 only.

comment:4 Changed 5 years ago by thomasb

  • Milestone changed from 0.2-beta to later

Washtml does a good job for the moment.

comment:5 Changed 5 years ago by ilifeis

I agree with Thomasb, Washtml does a good job; I tried to use htmlpurifier and it uses more power and is slower than Washtml.
If it needs to change, I think htmlawed is more suitable than HTML Purifier.

comment:6 Changed 2 years ago by michaelc

  • Keywords xss security added
  • Version changed from 0.1-rc1 to svn-trunk

Refs #1484781. I emailed the author of HTML Purifier for a (potentially biased, but extremely experienced) opinion regarding WasHTML. The content of his message is below:

Preliminary thoughts:

Probable security hole:
- The url() in CSS is notoriously difficult to get right, and in
  particular I don't see any handling for backslashes or quoting
  rules (well, he does "quote it", but using HTML quoting for CSS is
  not really correct...)

Overall design:
+1 for using DOMDocument
-1 for placing user data in comments. There are /a lot/ of ways to break
   out of comments that aren't affected by htmlspecialchars; they're
   kind of their own proprietary browser wonderland
-1 for character encoding obliviousness
-1 for not enforcing validity on the attribute level (of course, this one's
   usually not a reasonable demand :-)

Feel free to share; it'll probably be a while before I get around to
writing a full entry.

Cheers,
Edward
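
The url() point above (backslashes and CSS quoting rules are not handled by HTML quoting) can be made concrete. What follows is an added example for this ticket, not code from Roundcube, washtml or HTML Purifier: it contrasts passing a CSS url() value through htmlspecialchars with validating it, i.e. decoding CSS escape sequences first and then allowlisting the scheme. The function names, the http/https/cid allowlist and the sample inputs are constructed assumptions for the illustration.

```php
<?php
// Added example (not Roundcube/washtml code). Requires PHP 7.2+ for mb_chr().
// Names, the scheme allowlist and the sample inputs are constructed.

/**
 * Decode CSS escape sequences so that checks run on the real value:
 *   \HHHHHH (1-6 hex digits, optional single trailing whitespace) -> code point
 *   \X      (any other character)                                 -> X
 * NUL, surrogates and out-of-range code points become U+FFFD, as the
 * CSS Syntax spec requires.
 */
function css_unescape(string $s): string
{
    return preg_replace_callback(
        '/\\\\(?:([0-9a-fA-F]{1,6})[ \t\r\n\f]?|(.))/s',
        function (array $m): string {
            if ($m[1] !== '') {
                $cp = hexdec($m[1]);
                if ($cp === 0 || ($cp >= 0xD800 && $cp <= 0xDFFF) || $cp > 0x10FFFF) {
                    return "\u{FFFD}";
                }
                return mb_chr($cp, 'UTF-8');
            }
            return $m[2];
        },
        $s
    );
}

/**
 * Return a canonical url("...") token, or null when the whole declaration
 * should be dropped. Only http, https and cid (inline mail parts) are
 * accepted here; that allowlist is an assumption of this example.
 */
function sanitize_css_url(string $value): ?string
{
    // Accept url( "..." ), url( '...' ) or an unquoted argument.
    if (!preg_match('/^url\(\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s\'")]*))\s*\)$/is', trim($value), $m)) {
        return null;
    }
    // Exactly one of the three groups matched; unmatched trailing groups are absent.
    $raw = $m[1] . ($m[2] ?? '') . ($m[3] ?? '');
    $url = css_unescape($raw);

    // After decoding, nothing may remain that could close the token, start a
    // new escape, or smuggle control characters.
    if (preg_match('/[\\\\"\'()\x00-\x1f\x7f]/', $url)) {
        return null;
    }
    if (!preg_match('#^(https?|cid):#i', $url)) {
        return null;
    }
    return 'url("' . $url . '")';
}

// Constructed samples: what HTML quoting leaves intact versus what validation does.
$samples = [
    'url("http://example.invalid/bg.png")',   // kept
    'url(cid:part1.img@example.invalid)',      // kept: inline mail part
    "url('ftp://example.invalid/x')",          // dropped: scheme not in allowlist
    'url(\66tp://example.invalid/x)',          // dropped: same scheme with a CSS-escaped first letter
    'url("http://example.invalid/a\22)")',     // dropped: \22 decodes to a quote; htmlspecialchars leaves it alone
];

foreach ($samples as $s) {
    $htmlQuoted = htmlspecialchars($s, ENT_QUOTES, 'UTF-8'); // the approach criticised in the message above
    $validated  = sanitize_css_url($s) ?? '(declaration dropped)';
    printf("%-45s  html-quoted: %-55s  validated: %s\n", $s, $htmlQuoted, $validated);
}
```

The contrast is the reviewer's point: htmlspecialchars rewrites `"` but never touches a backslash, so `\22` or an escaped scheme letter reaches the browser's CSS parser unchanged. A validator that decodes CSS escapes before checking the scheme, and then re-emits a canonical token, has a single well-defined grammar to get right instead of two overlapping quoting schemes.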

comment:7 Changed 7 months ago by alec

  • Resolution set to wontfix
  • Status changed from new to closed