From 4d612d5a7730858465fefb22f75d8cec08337e21 Mon Sep 17 00:00:00 2001
From: "Edward Z. Yang"
Date: Tue, 9 Mar 2010 17:29:38 -0500
Subject: [PATCH] Improve handling of malformed object parameters.
When specifying source material for tags, you must use data inside the object tag as well as specify movie in a param. If you specify a src (which is the appropriate markup for ) we now convert and fill in the other attributes appropriately. Also, fix a PHP warning in Generator code.
Signed-off-by: Edward Z. Yang
---
 TODO | 1 +
 library/HTMLPurifier/AttrTransform/SafeParam.php | 2 ++
 library/HTMLPurifier/Generator.php | 2 +-
 library/HTMLPurifier/HTMLModule/SafeObject.php | 5 ++++-
 library/HTMLPurifier/Injector/SafeObject.php | 4 +++-
 smoketests/preserveYouTube.php | 16 ++++++----------
 6 files changed, 17 insertions(+), 13 deletions(-)
diff --git a/TODO b/TODO
index 2a282f55..891fcf5d 100644
--- a/TODO
+++ b/TODO
@@ -18,6 +18,7 @@ Things to do as soon as possible:
 - Fix "<.<" bug (trailing < is removed if not EOD)
 - Build in better internal state dumps and debugging tools for remote debugging
+ - Allowed/Allowed* have strange interactions when both set
 FUTURE VERSIONS
 ---------------
diff --git a/library/HTMLPurifier/AttrTransform/SafeParam.php b/library/HTMLPurifier/AttrTransform/SafeParam.php
index 6451404c..3f992ec3 100644
--- a/library/HTMLPurifier/AttrTransform/SafeParam.php
+++ b/library/HTMLPurifier/AttrTransform/SafeParam.php
@@ -37,6 +37,8 @@ class HTMLPurifier_AttrTransform_SafeParam extends HTMLPurifier_AttrTransform
 $attr['value'] = 'window';
 break;
 case 'movie':
+ case 'src':
+ $attr['name'] = "movie";
 $attr['value'] = $this->uri->validate($attr['value'], $config, $context);
 break;
 case 'flashvars':
diff --git a/library/HTMLPurifier/Generator.php b/library/HTMLPurifier/Generator.php
index dcc22af1..4a624172 100644
--- a/library/HTMLPurifier/Generator.php
+++ b/library/HTMLPurifier/Generator.php
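Review bot: The rename to `movie` in the new `src` case happens unconditionally, before and regardless of whether `$this->uri->validate` accepts the value, so a `src` param with a rejected URI leaves this switch as a `movie` param carrying whatever `validate` returned on failure; whether such a param is then dropped depends on the code after the switch, which is outside the hunk, and that is worth confirming since a surviving `<param name="movie">` is exactly what later feeds the object's `data`. The fall-through also deserves a comment and the literal should follow the surrounding single-quote style: `case 'src': // <embed src=...> spelled as a param: fold into Flash's movie param` and `$attr['name'] = 'movie';`. The switch and the method enclosing it start and end outside the hunk.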
@@ -142,8 +142,8 @@ class HTMLPurifier_Generator
 if ($name == "movie") $name = "src";
 $compat_token->attr[$name] = $val;
 }
+ $_extra = "";
 }
- $_extra = "";
 }
 return $_extra . 'name . '>';
diff --git a/library/HTMLPurifier/HTMLModule/SafeObject.php b/library/HTMLPurifier/HTMLModule/SafeObject.php
index 33bac00c..64ab8c07 100644
--- a/library/HTMLPurifier/HTMLModule/SafeObject.php
+++ b/library/HTMLPurifier/HTMLModule/SafeObject.php
@@ -28,7 +28,10 @@ class HTMLPurifier_HTMLModule_SafeObject extends HTMLPurifier_HTMLModule
 'type' => 'Enum#application/x-shockwave-flash',
 'width' => 'Pixels#' . $max,
 'height' => 'Pixels#' . $max,
- 'data' => 'URI#embedded'
+ 'data' => 'URI#embedded',
+ 'classid' => 'Enum#clsid:d27cdb6e-ae6d-11cf-96b8-444553540000',
+ 'codebase' => new HTMLPurifier_AttrDef_Enum(array(
+ 'http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0')),
 )
 );
 $object->attr_transform_post[] = new HTMLPurifier_AttrTransform_SafeObject();
diff --git a/library/HTMLPurifier/Injector/SafeObject.php b/library/HTMLPurifier/Injector/SafeObject.php
index 4939f277..9e178ce0 100644
--- a/library/HTMLPurifier/Injector/SafeObject.php
+++ b/library/HTMLPurifier/Injector/SafeObject.php
@@ -21,6 +21,7 @@ class HTMLPurifier_Injector_SafeObject extends HTMLPurifier_Injector
 'wmode' => true,
 'movie' => true,
 'flashvars' => true,
+ 'src' => true,
 );
 public function prepare($config, $context) {
@@ -48,7 +49,8 @@ class HTMLPurifier_Injector_SafeObject extends HTMLPurifier_Injector
 // We need this fix because YouTube doesn't supply a data
 // attribute, which we need if a type is specified. This is
 // *very* Flash specific.
- if (!isset($this->objectStack[$i]->attr['data']) && $token->attr['name'] == 'movie') {
+ if (!isset($this->objectStack[$i]->attr['data']) &&
+ ($token->attr['name'] == 'movie' || $token->attr['name'] == 'src')) {
 $this->objectStack[$i]->attr['data'] = $token->attr['value'];
 }
 // Check if the parameter is the correct value but has not
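Review bot: `$_extra = "";` is now reached only when the inner branch runs, so on every other path to `return $_extra . …` the variable has to be initialized somewhere before the outer `if`, which lies outside this hunk; if it is not, the undefined-variable notice the commit message refers to is moved rather than fixed for non-matching tokens. An unconditional `$_extra = '';` placed just before the outer `if` would make the return safe on all paths and would make the reset inside the branch unnecessary. The method enclosing this code starts before the hunk.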
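Review bot: The two new `classid` and `codebase` entries are security-bearing allowlists and should say so, because nothing in the array explains why they are single-value enums rather than URIs. In Internet Explorer `classid` selects which ActiveX control is instantiated, so pinning it to the one Flash Player CLSID is what keeps `HTML.SafeObject` from becoming a loader for arbitrary controls, and pinning `codebase` to a single Adobe URL keeps the control download from being pointed at an attacker-hosted CAB; suggested comments above the entries are `// Allowlist of one: any other classid would instantiate a different ActiveX control in IE` and `// Exact match only: codebase is where IE fetches the control, so it must not be user-steerable`. The object form for `codebase` is presumably needed because the `Enum#` shorthand would split the value at the commas in the version suffix; a one-line comment saying that would stop someone "simplifying" it back. The call holding this attribute array starts and ends outside the hunk.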
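Review bot: The backfill copies `$token->attr['value']` into the object's `data` attribute verbatim, so extending it to `src` params adds another unvalidated path into `data`; its safety rests on `data` being declared `URI#embedded` in the SafeObject module (which this patch's other hunk shows) and on that attribute validation running after this injector, not on anything checked here. That dependency is worth recording where the copy happens: `// Unvalidated copy: the object's data attribute is still subject to its URI#embedded AttrDef downstream.` Note also that the `!isset` guard means the first matching param wins, so an `<object>` carrying both a `src` and a `movie` param keeps whichever appeared first. The loop supplying `$i` and the method around it start outside the hunk.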
diff --git a/smoketests/preserveYouTube.php b/smoketests/preserveYouTube.php
index af538a20..d114dbe8 100644
--- a/smoketests/preserveYouTube.php
+++ b/smoketests/preserveYouTube.php
@@ -17,14 +17,15 @@ echo '';
 $string = '
-';
+
+
+
+
+
+';
 $regular_purifier = new HTMLPurifier();
-$youtube_purifier = new HTMLPurifier(array(
- 'Filter.YouTube' => true,
-));
-
 $safeobject_purifier = new HTMLPurifier(array(
 'HTML.SafeObject' => true,
 'Output.FlashCompat' => true,
@@ -42,11 +43,6 @@ if (isset($_GET['break'])) echo $string;
 echo $regular_purifier->purify($string);
 ?>
-

With YouTube exception

-
purify($string); -?>
-

With SafeObject exception and flash compatibility

purify($string);