[3.1.1] Implement SafeEmbed. Also, miscellaneous bugfixes.

git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@1781 48356398-32a2-884e-a903-53898d9a118a

NEWS

@@ -19,7 +19,7 @@ NEWS ( CHANGELOG and HISTORY )                                     HTMLPurifier
   a URIFilter as such.
 ! Allow modules to define injectors via $info_injector. Injectors are 
   automatically disabled if injector's needed elements are not found.
-! Support for "safe" objects added [info on how to enable needed]
+! Support for "safe" objects added, use %HTML.SafeObject and %HTML.SafeEmbed.
 - Disable percent height/width attributes for img
 - AttrValidator operations are now atomic; updates to attributes are not
   manifest in token until end of operations. This prevents naughty internal

configdoc/usage.xml

@@ -173,6 +173,16 @@
    <line>220</line>
   </file>
  </directive>
+ <directive id="HTML.SafeObject">
+  <file name="HTMLPurifier/HTMLModuleManager.php">
+   <line>225</line>
+  </file>
+ </directive>
+ <directive id="HTML.SafeEmbed">
+  <file name="HTMLPurifier/HTMLModuleManager.php">
+   <line>228</line>
+  </file>
+ </directive>
  <directive id="Attr.IDBlacklist">
   <file name="HTMLPurifier/IDAccumulator.php">
    <line>26</line>
@@ -317,6 +327,9 @@
   <file name="HTMLPurifier/HTMLModule/Image.php">
    <line>14</line>
   </file>
+  <file name="HTMLPurifier/HTMLModule/SafeEmbed.php">
+   <line>13</line>
+  </file>
   <file name="HTMLPurifier/HTMLModule/SafeObject.php">
    <line>19</line>
   </file>

library/HTMLPurifier.includes.php

@@ -118,6 +118,7 @@ require 'HTMLPurifier/AttrTransform/ImgSpace.php';
 require 'HTMLPurifier/AttrTransform/Lang.php';
 require 'HTMLPurifier/AttrTransform/Length.php';
 require 'HTMLPurifier/AttrTransform/Name.php';
+require 'HTMLPurifier/AttrTransform/SafeEmbed.php';
 require 'HTMLPurifier/AttrTransform/SafeObject.php';
 require 'HTMLPurifier/AttrTransform/SafeParam.php';
 require 'HTMLPurifier/AttrTransform/ScriptRequired.php';
@@ -145,6 +146,7 @@ require 'HTMLPurifier/HTMLModule/Object.php';
 require 'HTMLPurifier/HTMLModule/Presentation.php';
 require 'HTMLPurifier/HTMLModule/Proprietary.php';
 require 'HTMLPurifier/HTMLModule/Ruby.php';
+require 'HTMLPurifier/HTMLModule/SafeEmbed.php';
 require 'HTMLPurifier/HTMLModule/SafeObject.php';
 require 'HTMLPurifier/HTMLModule/Scripting.php';
 require 'HTMLPurifier/HTMLModule/StyleAttribute.php';

library/HTMLPurifier.safe-includes.php

@@ -112,6 +112,7 @@ require_once $__dir . '/HTMLPurifier/AttrTransform/ImgSpace.php';
 require_once $__dir . '/HTMLPurifier/AttrTransform/Lang.php';
 require_once $__dir . '/HTMLPurifier/AttrTransform/Length.php';
 require_once $__dir . '/HTMLPurifier/AttrTransform/Name.php';
+require_once $__dir . '/HTMLPurifier/AttrTransform/SafeEmbed.php';
 require_once $__dir . '/HTMLPurifier/AttrTransform/SafeObject.php';
 require_once $__dir . '/HTMLPurifier/AttrTransform/SafeParam.php';
 require_once $__dir . '/HTMLPurifier/AttrTransform/ScriptRequired.php';
@@ -139,6 +140,7 @@ require_once $__dir . '/HTMLPurifier/HTMLModule/Object.php';
 require_once $__dir . '/HTMLPurifier/HTMLModule/Presentation.php';
 require_once $__dir . '/HTMLPurifier/HTMLModule/Proprietary.php';
 require_once $__dir . '/HTMLPurifier/HTMLModule/Ruby.php';
+require_once $__dir . '/HTMLPurifier/HTMLModule/SafeEmbed.php';
 require_once $__dir . '/HTMLPurifier/HTMLModule/SafeObject.php';
 require_once $__dir . '/HTMLPurifier/HTMLModule/Scripting.php';
 require_once $__dir . '/HTMLPurifier/HTMLModule/StyleAttribute.php';

library/HTMLPurifier/AttrTransform/SafeEmbed.php

@@ -0,0 +1,13 @@
+<?php
+
+class HTMLPurifier_AttrTransform_SafeEmbed extends HTMLPurifier_AttrTransform 
+{
+    public $name = "SafeEmbed";
+
+    public function transform($attr, $config, $context) {
+        $attr['allowscriptaccess'] = 'never';
+        $attr['allownetworking'] = 'internal';
+        $attr['type'] = 'application/x-shockwave-flash';
+        return $attr;
+    }
+}

library/HTMLPurifier/AttrTransform/SafeParam.php

@@ -17,11 +17,11 @@ class HTMLPurifier_AttrTransform_SafeParam extends HTMLPurifier_AttrTransform
     public $name = "SafeParam";
     private $uri;
     
-    function __construct() {
+    public function __construct() {
         $this->uri = new HTMLPurifier_AttrDef_URI(true); // embedded
     }
     
-    function transform($attr, $config, $context) {
+    public function transform($attr, $config, $context) {
         // If we add support for other objects, we'll need to alter the
         // transforms.
         switch ($attr['name']) {

library/HTMLPurifier/ConfigSchema/schema/HTML.SafeEmbed.txt

@@ -0,0 +1,13 @@
+HTML.SafeEmbed
+TYPE: bool
+VERSION: 3.1.1
+DEFAULT: false
+--DESCRIPTION--
+<p>
+    Whether or not to permit embed tags in documents, with a number of extra
+    security features added to prevent script execution. This is similar to
+    what websites like MySpace do to embed tags. Embed is a proprietary
+    element and will cause your website to stop validating. You probably want
+    to enable this with %HTML.SafeObject.
+    <strong>Highly experimental.</strong>
+</p>

library/HTMLPurifier/ConfigSchema/schema/HTML.SafeObject.txt

@@ -0,0 +1,13 @@
+HTML.SafeObject
+TYPE: bool
+VERSION: 3.1.1
+DEFAULT: false
+--DESCRIPTION--
+<p>
+    Whether or not to permit object tags in documents, with a number of extra
+    security features added to prevent script execution. This is similar to
+    what websites like MySpace do to object tags. You may also want to 
+    enable %HTML.SafeEmbed for maximum interoperability with Internet Explorer,
+    although embed tags will cause your website to stop validating.
+    <strong>Highly experimental.</strong>
+</p>

library/HTMLPurifier/HTMLModule/SafeEmbed.php

@@ -0,0 +1,31 @@
+<?php
+
+/**
+ * A "safe" embed module. See SafeObject. This is a proprietary element.
+ */
+class HTMLPurifier_HTMLModule_SafeEmbed extends HTMLPurifier_HTMLModule
+{
+    
+    public $name = 'SafeEmbed';
+    
+    public function setup($config) {
+        
+        $max = $config->get('HTML', 'MaxImgLength');
+        $embed = $this->addElement(
+            'embed', 'Inline', 'Empty', 'Common',
+            array(
+                'src*' => 'URI#embedded',
+                'type' => 'Enum#application/x-shockwave-flash',
+                'width' => 'Pixels#' . $max,
+                'height' => 'Pixels#' . $max,
+                'allowscriptaccess' => 'Enum#never',
+                'allownetworking' => 'Enum#internal',
+                'wmode' => 'Enum#window',
+                'name' => 'ID',
+            )
+        );
+        $embed->attr_transform_post[] = new HTMLPurifier_AttrTransform_SafeEmbed();
+        
+    }
+    
+}

library/HTMLPurifier/HTMLModule/SafeObject.php

@@ -28,7 +28,7 @@ class HTMLPurifier_HTMLModule_SafeObject extends HTMLPurifier_HTMLModule
                 'type'   => 'Enum#application/x-shockwave-flash',
                 'width'  => 'Pixels#' . $max,
                 'height' => 'Pixels#' . $max,
-                'data'   => 'Text'
+                'data'   => 'URI#embedded'
             )
         );
         $object->attr_transform_post[] = new HTMLPurifier_AttrTransform_SafeObject();

library/HTMLPurifier/HTMLModuleManager.php

@@ -221,6 +221,14 @@ class HTMLPurifier_HTMLModuleManager
             $modules[] = 'Proprietary';
         }
         
+        // add SafeObject/Safeembed modules
+        if ($config->get('HTML', 'SafeObject')) {
+            $modules[] = 'SafeObject';
+        }
+        if ($config->get('HTML', 'SafeEmbed')) {
+            $modules[] = 'SafeEmbed';
+        }
+        
         foreach ($modules as $module) {
             $this->processModule($module);
             $this->modules[$module]->setup($config);

library/HTMLPurifier/URIFilter/SecureMunge.php

@@ -20,7 +20,7 @@ class HTMLPurifier_URIFilter_SecureMunge extends HTMLPurifier_URIFilter
         if ($context->get('EmbeddedURI', true)) return true; // abort for embedded URIs
         $scheme_obj = $uri->getSchemeObj($config, $context);
         if (!$scheme_obj) return true; // ignore unknown schemes, maybe another postfilter did it
-        if (is_null($uri->host) || empty($scheme_obj->browsable)) {
+        if (is_null($uri->host) || empty($scheme_obj->browsable) || $context->get('EmbeddedURI', true)) {
             return true;
         }
         $string = $uri->toString();

tests/HTMLPurifier/HTMLModule/SafeEmbedTest.php

@@ -0,0 +1,41 @@
+<?php
+
+class HTMLPurifier_HTMLModule_SafeEmbedTest extends HTMLPurifier_HTMLModuleHarness
+{
+    
+    function setUp() {
+        parent::setUp();
+        $this->config->set('HTML', 'DefinitionID', 'HTMLPurifier_HTMLModule_SafeEmbedTest');
+        $def = $this->config->getHTMLDefinition(true);
+        $def->manager->addModule('SafeEmbed');
+    }
+    
+    function testMinimal() {
+        $this->assertResult(
+            '<embed src="http://www.youtube.com/v/RVtEQxH7PWA&amp;hl=en" />',
+            '<embed src="http://www.youtube.com/v/RVtEQxH7PWA&amp;hl=en" allowscriptaccess="never" allownetworking="internal" type="application/x-shockwave-flash" />'
+        );
+    }
+    
+    function testYouTube() {
+        $this->assertResult(
+            '<embed src="http://www.youtube.com/v/RVtEQxH7PWA&amp;hl=en" type="application/x-shockwave-flash" width="425" height="344"></embed>',
+            '<embed src="http://www.youtube.com/v/RVtEQxH7PWA&amp;hl=en" type="application/x-shockwave-flash" width="425" height="344" allowscriptaccess="never" allownetworking="internal" />'
+        );
+    }
+    
+    function testMalicious() {
+        $this->assertResult(
+            '<embed src="http://example.com/bad.swf" type="application/x-shockwave-flash" width="9999999" height="3499994" allowscriptaccess="always" allownetworking="always" />',
+            '<embed src="http://example.com/bad.swf" type="application/x-shockwave-flash" width="1200" height="1200" allowscriptaccess="never" allownetworking="internal" />'
+        );
+    }
+    
+    function testFull() {
+        $this->assertResult(
+            '<b><embed src="http://www.youtube.com/v/RVtEQxH7PWA&amp;hl=en" type="application/x-shockwave-flash" width="24" height="23" allowscriptaccess="never" allownetworking="internal" wmode="window" /></b>'
+        );
+    }
+    
+}
+

tests/HTMLPurifierTest.php

@@ -194,5 +194,25 @@ alert("<This is compatible with XHTML>");
         );
     }
     
+    function test_safeObjectAndEmbed() {
+        $this->config->set('HTML', 'SafeObject', true);
+        $this->config->set('HTML', 'SafeEmbed', true);
+        $this->assertPurification(
+            '<object width="425" height="344"><param name="movie" value="http://www.youtube.com/v/Oq3FV_zdyy0&hl=en"></param><embed src="http://www.youtube.com/v/Oq3FV_zdyy0&hl=en" type="application/x-shockwave-flash" width="425" height="344"></embed></object>',
+            '<object width="425" height="344" type="application/x-shockwave-flash"><param name="allowScriptAccess" value="never" /><param name="allowNetworking" value="internal" /><param name="movie" value="http://www.youtube.com/v/Oq3FV_zdyy0&amp;hl=en" /><embed src="http://www.youtube.com/v/Oq3FV_zdyy0&amp;hl=en" type="application/x-shockwave-flash" width="425" height="344" allowscriptaccess="never" allownetworking="internal" /></object>'
+        );
+    }
+    
+    function test_safeObjectAndEmbedWithSecureMunge() {
+        $this->config->set('HTML', 'SafeObject', true);
+        $this->config->set('HTML', 'SafeEmbed', true);
+        $this->config->set('URI', 'SecureMunge', '/redirect.php?url=%s&check=%t');
+        $this->config->set('URI', 'SecureMungeSecretKey', 'foo');
+        $this->assertPurification(
+            '<object width="425" height="344"><param name="movie" value="http://www.youtube.com/v/Oq3FV_zdyy0&hl=en"></param><embed src="http://www.youtube.com/v/Oq3FV_zdyy0&hl=en" type="application/x-shockwave-flash" width="425" height="344"></embed></object>',
+            '<object width="425" height="344" type="application/x-shockwave-flash"><param name="allowScriptAccess" value="never" /><param name="allowNetworking" value="internal" /><param name="movie" value="http://www.youtube.com/v/Oq3FV_zdyy0&amp;hl=en" /><embed src="http://www.youtube.com/v/Oq3FV_zdyy0&amp;hl=en" type="application/x-shockwave-flash" width="425" height="344" allowscriptaccess="never" allownetworking="internal" /></object>'
+        );
+    }
+    
 }