[3.1.1] Implement SafeEmbed. Also, miscellaneous bugfixes.

git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@1781 48356398-32a2-884e-a903-53898d9a118a

library/HTMLPurifier/AttrTransform/SafeEmbed.php

@@ -0,0 +1,13 @@
+<?php
+
+class HTMLPurifier_AttrTransform_SafeEmbed extends HTMLPurifier_AttrTransform 
+{
+    public $name = "SafeEmbed";
+
+    public function transform($attr, $config, $context) {
+        $attr['allowscriptaccess'] = 'never';
+        $attr['allownetworking'] = 'internal';
+        $attr['type'] = 'application/x-shockwave-flash';
+        return $attr;
+    }
+}

library/HTMLPurifier/AttrTransform/SafeParam.php

@@ -17,11 +17,11 @@ class HTMLPurifier_AttrTransform_SafeParam extends HTMLPurifier_AttrTransform
     public $name = "SafeParam";
     private $uri;
     
-    function __construct() {
+    public function __construct() {
         $this->uri = new HTMLPurifier_AttrDef_URI(true); // embedded
     }
     
-    function transform($attr, $config, $context) {
+    public function transform($attr, $config, $context) {
         // If we add support for other objects, we'll need to alter the
         // transforms.
         switch ($attr['name']) {

library/HTMLPurifier/ConfigSchema/schema/HTML.SafeEmbed.txt

@@ -0,0 +1,13 @@
+HTML.SafeEmbed
+TYPE: bool
+VERSION: 3.1.1
+DEFAULT: false
+--DESCRIPTION--
+<p>
+    Whether or not to permit embed tags in documents, with a number of extra
+    security features added to prevent script execution. This is similar to
+    what websites like MySpace do to embed tags. Embed is a proprietary
+    element and will cause your website to stop validating. You probably want
+    to enable this with %HTML.SafeObject.
+    <strong>Highly experimental.</strong>
+</p>

library/HTMLPurifier/ConfigSchema/schema/HTML.SafeObject.txt

@@ -0,0 +1,13 @@
+HTML.SafeObject
+TYPE: bool
+VERSION: 3.1.1
+DEFAULT: false
+--DESCRIPTION--
+<p>
+    Whether or not to permit object tags in documents, with a number of extra
+    security features added to prevent script execution. This is similar to
+    what websites like MySpace do to object tags. You may also want to 
+    enable %HTML.SafeEmbed for maximum interoperability with Internet Explorer,
+    although embed tags will cause your website to stop validating.
+    <strong>Highly experimental.</strong>
+</p>

library/HTMLPurifier/HTMLModule/SafeEmbed.php

@@ -0,0 +1,31 @@
+<?php
+
+/**
+ * A "safe" embed module. See SafeObject. This is a proprietary element.
+ */
+class HTMLPurifier_HTMLModule_SafeEmbed extends HTMLPurifier_HTMLModule
+{
+    
+    public $name = 'SafeEmbed';
+    
+    public function setup($config) {
+        
+        $max = $config->get('HTML', 'MaxImgLength');
+        $embed = $this->addElement(
+            'embed', 'Inline', 'Empty', 'Common',
+            array(
+                'src*' => 'URI#embedded',
+                'type' => 'Enum#application/x-shockwave-flash',
+                'width' => 'Pixels#' . $max,
+                'height' => 'Pixels#' . $max,
+                'allowscriptaccess' => 'Enum#never',
+                'allownetworking' => 'Enum#internal',
+                'wmode' => 'Enum#window',
+                'name' => 'ID',
+            )
+        );
+        $embed->attr_transform_post[] = new HTMLPurifier_AttrTransform_SafeEmbed();
+        
+    }
+    
+}

library/HTMLPurifier/HTMLModule/SafeObject.php

@@ -28,7 +28,7 @@ class HTMLPurifier_HTMLModule_SafeObject extends HTMLPurifier_HTMLModule
                 'type'   => 'Enum#application/x-shockwave-flash',
                 'width'  => 'Pixels#' . $max,
                 'height' => 'Pixels#' . $max,
-                'data'   => 'Text'
+                'data'   => 'URI#embedded'
             )
         );
         $object->attr_transform_post[] = new HTMLPurifier_AttrTransform_SafeObject();

library/HTMLPurifier/HTMLModuleManager.php

@@ -221,6 +221,14 @@ class HTMLPurifier_HTMLModuleManager
             $modules[] = 'Proprietary';
         }
         
+        // add SafeObject/Safeembed modules
+        if ($config->get('HTML', 'SafeObject')) {
+            $modules[] = 'SafeObject';
+        }
+        if ($config->get('HTML', 'SafeEmbed')) {
+            $modules[] = 'SafeEmbed';
+        }
+        
         foreach ($modules as $module) {
             $this->processModule($module);
             $this->modules[$module]->setup($config);

library/HTMLPurifier/URIFilter/SecureMunge.php

@@ -20,7 +20,7 @@ class HTMLPurifier_URIFilter_SecureMunge extends HTMLPurifier_URIFilter
         if ($context->get('EmbeddedURI', true)) return true; // abort for embedded URIs
         $scheme_obj = $uri->getSchemeObj($config, $context);
         if (!$scheme_obj) return true; // ignore unknown schemes, maybe another postfilter did it
-        if (is_null($uri->host) || empty($scheme_obj->browsable)) {
+        if (is_null($uri->host) || empty($scheme_obj->browsable) || $context->get('EmbeddedURI', true)) {
             return true;
         }
         $string = $uri->toString();