Support flashvars.

Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2025-08-05 05:37:49 +02:00 · 2010-03-08 01:16:57 -05:00
parent 97125ed18b
commit dc90e8e85b
5 changed files with 9 additions and 2 deletions
--- a/library/HTMLPurifier/AttrTransform/SafeParam.php
+++ b/library/HTMLPurifier/AttrTransform/SafeParam.php
@@ -39,6 +39,10 @@ class HTMLPurifier_AttrTransform_SafeParam extends HTMLPurifier_AttrTransform
            case 'movie':
                $attr['value'] = $this->uri->validate($attr['value'], $config, $context);
                break;
+            case 'flashvars':
+                // we're going to allow arbitrary inputs to the SWF, on
+                // the reasoning that it could only hack the SWF, not us.
+                break;
            // add other cases to support other param name/value pairs
            default:
                $attr['name'] = $attr['value'] = null;
--- a/library/HTMLPurifier/Injector/SafeObject.php
+++ b/library/HTMLPurifier/Injector/SafeObject.php
@@ -20,6 +20,7 @@ class HTMLPurifier_Injector_SafeObject extends HTMLPurifier_Injector
    protected $allowedParam = array(
        'wmode' => true,
        'movie' => true,
+        'flashvars' => true,
    );

    public function prepare($config, $context) {