While working on https://bugs.launchpad.net/mahara/+bug/1558387, Robert pointed out to me that we don't set URI.DefinitionRev. We also don't set URI.DefinitionID. Although the HTMLPurifier docs say that URI.DefinitionID is required if you have custom URIFilters (and our allowed iframe list is a custom URIFilter), it looks like the fallback behavior is that it generates a URI.DefinitionID based on a hash of the config. This has the effect that a new "Revision 1" URI config file is generated each time the allowed iframes list changes. It also results in an accumulation of old URI cache files in the dataroot/htmlpurifier directory, since they're all Revision 1, and all have different IDs.
I think the best approach here is to give the URI.DefinitionRev its own revision number, stored in the database, and increment it every time we change the allowed iframe list.
