Make SafeScripting case-sensitive.

Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>

NEWS

@@ -10,7 +10,9 @@ NEWS ( CHANGELOG and HISTORY )                                     HTMLPurifier
 ==========================
 
 4.10.1, unknown release date
-(nothing here yet)
+# SafeScripting is now case-sensitive (previously it was
+  case-insensitive.)  Thanks Dimitri Gritsajuk <gritsajuk.dimitri@gmail.com>
+  for reporting.
 
 4.10.0, released 2018-02-22
 # PHP 5.3 is no longer officially supported by HTML Purifier

library/HTMLPurifier/HTMLModule/SafeScripting.php

@@ -29,7 +29,7 @@ class HTMLPurifier_HTMLModule_SafeScripting extends HTMLPurifier_HTMLModule
                 // While technically not required by the spec, we're forcing
                 // it to this value.
                 'type' => 'Enum#text/javascript',
-                'src*' => new HTMLPurifier_AttrDef_Enum(array_keys($allowed))
+                'src*' => new HTMLPurifier_AttrDef_Enum(array_keys($allowed), /*case sensitive*/ true)
             )
         );
         $script->attr_transform_pre[] =

tests/HTMLPurifier/HTMLModule/SafeScriptingTest.php

@@ -38,6 +38,10 @@ class HTMLPurifier_HTMLModule_SafeScriptingTest extends HTMLPurifier_HTMLModuleH
             '<script type="text/javascript" src="http://localhost/foobar.js" />',
             ''
         );
+        $this->assertResult(
+            '<script type="text/javascript" src="http://localhost/FOO.JS" />',
+            ''
+        );
     }
 
 }