From 0229458f8f897b44a6903469c2ad94e4bced6bc5 Mon Sep 17 00:00:00 2001
From: "Edward Z. Yang"
Date: Mon, 8 Mar 2010 01:56:40 -0500
Subject: [PATCH] Implement Internet Explorer compatibility code for embedded content.
Signed-off-by: Edward Z. Yang
---
NEWS | 2 +
configdoc/usage.xml | 15 ++++--
library/HTMLPurifier/ConfigSchema/schema.ser | Bin 13152 -> 13244 bytes
.../ConfigSchema/schema/HTML.SafeEmbed.txt | 7 ++-
.../ConfigSchema/schema/HTML.SafeObject.txt | 7 ++-
.../schema/Output.FlashCompat.txt | 11 +++++
library/HTMLPurifier/Generator.php | 43 +++++++++++++++++-
smoketests/preserveYouTube.php | 10 ++++
8 files changed, 81 insertions(+), 14 deletions(-)
create mode 100644 library/HTMLPurifier/ConfigSchema/schema/Output.FlashCompat.txt
diff --git a/NEWS b/NEWS
index f8dae82f..3f058881 100644
--- a/NEWS
+++ b/NEWS
@@ -15,6 +15,8 @@ NEWS ( CHANGELOG and HISTORY ) HTMLPurifier
 ! Support for data: URI scheme; not enabled by default, add it using %URI.AllowedSchemes
 ! Support flashvars when using %HTML.SafeObject
+! Support for Internet Explorer compatibility with %HTML.SafeObject
+ using %Output.FlashCompat.
 4.0.0, released 2009-07-07
 # APIs for ConfigSchema subsystem have substantially changed. See
diff --git a/configdoc/usage.xml b/configdoc/usage.xml
index f2d5843e..e0c48384 100644
--- a/configdoc/usage.xml
+++ b/configdoc/usage.xml
@@ -85,22 +85,27 @@ - 45 + 56 - 46 + 57 + + + + + 58 - 75 + 87 - 89 + 101
@@ -320,7 +325,7 @@ - 32 + 33
diff --git a/library/HTMLPurifier/ConfigSchema/schema.ser b/library/HTMLPurifier/ConfigSchema/schema.ser
index 082680cbf81edefb86ca08c588041f295809f28c..22b8d54a59f17f73071055bc601d5a5f3a3f6b31 100644
GIT binary patch
delta 143
zcmaEmwkLgpDYK!0!Q}PwvYVv^F7ilOSSk6JmK2nh=(*)27H2r;=N2TEC|M_28EjVM mz0E{|;;BrNYvm0YjW@5C-zR{}+)OL;$%?$Highly experimental.

+ element and will cause your website to stop validating; you should
+ see if you can use %Output.FlashCompat with %HTML.SafeObject instead
+ first.

--# vim: et sw=4 sts=4
diff --git a/library/HTMLPurifier/ConfigSchema/schema/HTML.SafeObject.txt b/library/HTMLPurifier/ConfigSchema/schema/HTML.SafeObject.txt
index 32967b88..ceb342e2 100644
--- a/library/HTMLPurifier/ConfigSchema/schema/HTML.SafeObject.txt
+++ b/library/HTMLPurifier/ConfigSchema/schema/HTML.SafeObject.txt
@@ -6,9 +6,8 @@ DEFAULT: false

Whether or not to permit object tags in documents, with a number of extra security features added to prevent script execution. This is similar to
- what websites like MySpace do to object tags. You may also want to
- enable %HTML.SafeEmbed for maximum interoperability with Internet Explorer,
- although embed tags will cause your website to stop validating.
- Highly experimental.
+ what websites like MySpace do to object tags. You should also enable
+ %Output.FlashCompat in order to generate Internet Explorer
+ compatibility code for your object tags.

--# vim: et sw=4 sts=4
diff --git a/library/HTMLPurifier/ConfigSchema/schema/Output.FlashCompat.txt b/library/HTMLPurifier/ConfigSchema/schema/Output.FlashCompat.txt
new file mode 100644
index 00000000..93398e85
--- /dev/null
+++ b/library/HTMLPurifier/ConfigSchema/schema/Output.FlashCompat.txt
@@ -0,0 +1,11 @@
+Output.FlashCompat
+TYPE: bool
+VERSION: 4.1.0
+DEFAULT: false
+--DESCRIPTION--
+

+ If true, HTML Purifier will generate Internet Explorer compatibility
+ code for all object code. This is highly recommended if you enable
+ %HTML.SafeObject.
+

+--# vim: et sw=4 sts=4
diff --git a/library/HTMLPurifier/Generator.php b/library/HTMLPurifier/Generator.php
index 24bd8a54..dcc22af1 100644
--- a/library/HTMLPurifier/Generator.php
+++ b/library/HTMLPurifier/Generator.php
@@ -31,6 +31,17 @@ class HTMLPurifier_Generator
 */
 private $_sortAttr;
+ /**
+ * Cache of %Output.FlashCompat
+ */
+ private $_flashCompat;
+
+ /**
+ * Stack for keeping track of object information when outputting IE
+ compatibility code.
+ */
+ private $_flashStack = array();
+
 /**
 * Configuration for the generator
 */
@@ -44,6 +55,7 @@ class HTMLPurifier_Generator
 $this->config = $config;
 $this->_scriptFix = $config->get('Output.CommentScriptContents');
 $this->_sortAttr = $config->get('Output.SortAttr');
+ $this->_flashCompat = $config->get('Output.FlashCompat');
 $this->_def = $config->getHTMLDefinition();
 $this->_xhtml = $this->_def->doctype->xml;
 }
@@ -104,12 +116,41 @@ class HTMLPurifier_Generator
 } elseif ($token instanceof HTMLPurifier_Token_Start) {
 $attr = $this->generateAttributes($token->attr, $token->name);
+ if ($this->_flashCompat) {
+ if ($token->name == "object") {
+ $flash = new stdclass();
+ $flash->attr = $token->attr;
+ $flash->param = array();
+ $this->_flashStack[] = $flash;
+ }
+ }
 return '<' . $token->name . ($attr ? ' ' : '') . $attr . '>';
 } elseif ($token instanceof HTMLPurifier_Token_End) {
- return 'name . '>';
+ $_extra = '';
+ if ($this->_flashCompat) {
+ if ($token->name == "object" && !empty($this->_flashStack)) {
+ $flash = array_pop($this->_flashStack);
+ $compat_token = new HTMLPurifier_Token_Empty("embed");
+ foreach ($flash->attr as $name => $val) {
+ if ($name == "classid") continue;
+ if ($name == "type") continue;
+ if ($name == "data") $name = "src";
+ $compat_token->attr[$name] = $val;
+ }
+ foreach ($flash->param as $name => $val) {
+ if ($name == "movie") $name = "src";
+ $compat_token->attr[$name] = $val;
+ }
+ }
+ $_extra = "";
+ }
+ return $_extra . 'name . '>';
 } elseif ($token instanceof HTMLPurifier_Token_Empty) {
+ if ($this->_flashCompat && $token->name == "param" && !empty($this->_flashStack)) {
+ $this->_flashStack[count($this->_flashStack)-1]->param[$token->attr['name']] = $token->attr['value'];
+ }
 $attr = $this->generateAttributes($token->attr, $token->name);
 return '<' . $token->name . ($attr ? ' ' : '') . $attr . ( $this->_xhtml ? ' /': '' ) //
v.
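Review bot: In the Token_Empty branch the `<param>` is recorded by reading `$token->attr['name']` and `$token->attr['value']` unguarded, so a param that was admitted without a `value` (or `name`) attribute raises an undefined-index notice and stores null on the compat stack; guard the lookup, e.g. `if ($this->_flashCompat && $token->name == "param" && !empty($this->_flashStack) && isset($token->attr['name'], $token->attr['value'])) {`. The synthesized `embed` token in the Token_End branch copies every object attribute except classid/type and every collected param straight onto the new element without passing them through any embed attribute definition, so a comment such as `// the generated embed is not re-validated; it is only as safe as the object/param validation that admitted these values` would make that dependency explicit for the next maintainer. Two lines look garbled in this view — `$_extra = "";` and the `'name . '>'` returns — as if an HTML comment and a `</` were stripped; as rendered, the `$_extra` assignment sits after the inner `if` closes, which, if the real line references `$compat_token`, would execute for every end tag whenever FlashCompat is on, so its placement is worth confirming against the file. The tail of this hunk (the rest of the Empty-branch return and the following context) is also cut off here. Minor style: `stdclass` should be written `stdClass`, and `end($this->_flashStack)` reads more clearly than `$this->_flashStack[count($this->_flashStack)-1]`.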
diff --git a/smoketests/preserveYouTube.php b/smoketests/preserveYouTube.php
index c1b74dbe..af538a20 100644
--- a/smoketests/preserveYouTube.php
+++ b/smoketests/preserveYouTube.php
@@ -25,6 +25,11 @@ $youtube_purifier = new HTMLPurifier(array(
 'Filter.YouTube' => true,
 ));
+$safeobject_purifier = new HTMLPurifier(array(
+ 'HTML.SafeObject' => true,
+ 'Output.FlashCompat' => true,
+));
+
 ?>

Unpurified

Click here to see the unpurified version (breaks validation).

@@ -42,6 +47,11 @@ echo $regular_purifier->purify($string);
 echo $youtube_purifier->purify($string);
 ?>
+

With SafeObject exception and flash compatibility

+
purify($string);
+?>
+