From 3dfcd016d3ab0316e746bc4d67dc3b2ee3c26fc7 Mon Sep 17 00:00:00 2001
From: "Edward Z. Yang" <edwardzyang@thewritingpot.com>
Date: Fri, 12 Dec 2008 16:27:23 -0500
Subject: [PATCH] Fix standards-compliance issue with YouTube filter with
 double hyphens. Thanks Pierre Attar for reporting.

Signed-off-by: Edward Z. Yang <edwardzyang@thewritingpot.com>
---
 NEWS                                    |  2 ++
 library/HTMLPurifier/Filter/YouTube.php | 20 ++++++++++++++------
 smoketests/preserveYouTube.php          |  4 ++--
 3 files changed, 18 insertions(+), 8 deletions(-)

diff --git a/NEWS b/NEWS
index a8d67fea..7398a75f 100644
--- a/NEWS
+++ b/NEWS
@@ -19,6 +19,8 @@ NEWS ( CHANGELOG and HISTORY )                                     HTMLPurifier
 - Fix improper removal of the contents of elements with only whitespace. Thanks
   Eric Wald for reporting.
 - Fix broken test suite in versions of PHP without spl_autoload_register()
+- Fix degenerate case with YouTube filter involving double hyphens.
+  Thanks Pierre Attar for reporting.
 . Add verbose mode to command line test runner, use (--verbose)
 . Turn on unit tests for UnitConverter
 . Fix missing version number in configuration %Attr.DefaultImageAlt (added 3.2.0)
diff --git a/library/HTMLPurifier/Filter/YouTube.php b/library/HTMLPurifier/Filter/YouTube.php
index df20d09f..17c38d65 100644
--- a/library/HTMLPurifier/Filter/YouTube.php
+++ b/library/HTMLPurifier/Filter/YouTube.php
@@ -14,19 +14,27 @@ class HTMLPurifier_Filter_YouTube extends HTMLPurifier_Filter
 
     public function postFilter($html, $config, $context) {
         $post_regex = '#<span class="youtube-embed">([A-Za-z0-9\-_]+)</span>#';
-        $post_replace = '<object width="425" height="350" '.
-            'data="http://www.youtube.com/v/\1">'.
-            '<param name="movie" value="http://www.youtube.com/v/\1"></param>'.
+        return preg_replace_callback($post_regex, array($this, 'postFilterCallback'), $html);
+    }
+
+    protected function armorUrl($url) {
+        return str_replace('--', '-&#45;', $url);
+    }
+
+    protected function postFilterCallback($matches) {
+        $url = $this->armorUrl($matches[1]);
+        return '<object width="425" height="350" '.
+            'data="http://www.youtube.com/v/'.$url.'">'.
+            '<param name="movie" value="http://www.youtube.com/v/'.$url.'"></param>'.
             '<param name="wmode" value="transparent"></param>'.
             '<!--[if IE]>'.
-            '<embed src="http://www.youtube.com/v/\1"'.
+            '<embed src="http://www.youtube.com/v/'.$url.'"'.
             'type="application/x-shockwave-flash"'.
             'wmode="transparent" width="425" height="350" />'.
             '<![endif]-->'.
             '</object>';
-        return preg_replace($post_regex, $post_replace, $html);
-    }
 
+    }
 }
 
 // vim: et sw=4 sts=4
diff --git a/smoketests/preserveYouTube.php b/smoketests/preserveYouTube.php
index cfa600a3..52f04a02 100644
--- a/smoketests/preserveYouTube.php
+++ b/smoketests/preserveYouTube.php
@@ -6,7 +6,7 @@ echo '<?xml version="1.0" encoding="UTF-8" ?>';
 ?><!DOCTYPE html
      PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
      "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html>
+<html xmlns="http://www.w3.org/1999/xhtml">
 <head>
     <title>HTML Purifier Preserve YouTube Smoketest</title>
     <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
@@ -15,7 +15,7 @@ echo '<?xml version="1.0" encoding="UTF-8" ?>';
 <h1>HTML Purifier Preserve YouTube Smoketest</h1>
 <?php
 
-$string = '<object width="425" height="350"><param name="movie" value="http://www.youtube.com/v/JzqumbhfxRo"></param><param name="wmode" value="transparent"></param><embed src="http://www.youtube.com/v/JzqumbhfxRo" type="application/x-shockwave-flash" wmode="transparent" width="425" height="350"></embed></object>';
+$string = '<object width="425" height="350"><param name="movie" value="http://www.youtube.com/v/BdU--T8rLns"></param><param name="wmode" value="transparent"></param><embed src="http://www.youtube.com/v/BdU--T8rLns" type="application/x-shockwave-flash" wmode="transparent" width="425" height="350"></embed></object>';
 
 $regular_purifier = new HTMLPurifier();