htmlpurifier/docs/code-quality.txt

Code Quality Issues

Okay, face it.  Programmers can get lazy, cut corners, or make mistakes. They
also can do quick prototypes, and then forget to rewrite them later.  Well,
while I can't list mistakes in here, I can list prototype-like segments
of code that should be aggressively refactored after the beta is released.
This does not list optimization issues, that needs to be done after intense
profiling.

Here we go:

AttrDef
    Class - doesn't support Unicode characters, uses regular expressions
    Lang - code duplication, premature optimization, doesn't consult official
        lists
    Pixels/Length/MultiLength - implemented according to HTML spec (excludes
        code reuse in CSS)
    URI - multiple regular expressions, needs host validation routines factored
        out for mailto scheme, IPv6 validation is broken (fringe), unintuitive
        variable overwriting, missing validation for query, fragment and path,
        no percent-encode fixing
    CSS - parser doesn't accept advanced CSS (fringe)
    Number - constructor interface is inconsistent with Integer
AttrTransform - doesn't accept AttrContext, non-validating
ChildDef - not-allowed nodes translated to text, likely invalid handling
Config - "load configuration" hooks missing, rich set* accessors missing,
    needs redefined relationship with the definitions
Strategy
    FixNesting - cannot bubble nodes out of structures
    MakeWellFormed - insufficient automatic closing definitions (check HTML
        spec for optional end tags).
    RemoveForeignElements - should be run in parallel with MakeWellFormed
URIScheme - needs to have callable generic checks
    ftp - missing typecode check
    mailto - doesn't validate emails
    news - doesn't validate opaque path
    nntp - doesn't constrain path
EOL