Fix standards-compliance issue with YouTube filter with double hyphens.

Thanks Pierre Attar for reporting.

Signed-off-by: Edward Z. Yang <edwardzyang@thewritingpot.com>

NEWS

@@ -19,6 +19,8 @@ NEWS ( CHANGELOG and HISTORY )                                     HTMLPurifier
 - Fix improper removal of the contents of elements with only whitespace. Thanks
   Eric Wald for reporting.
 - Fix broken test suite in versions of PHP without spl_autoload_register()
+- Fix degenerate case with YouTube filter involving double hyphens.
+  Thanks Pierre Attar for reporting.
 . Add verbose mode to command line test runner, use (--verbose)
 . Turn on unit tests for UnitConverter
 . Fix missing version number in configuration %Attr.DefaultImageAlt (added 3.2.0)

library/HTMLPurifier/Filter/YouTube.php

@@ -14,19 +14,27 @@ class HTMLPurifier_Filter_YouTube extends HTMLPurifier_Filter
 
     public function postFilter($html, $config, $context) {
         $post_regex = '#<span class="youtube-embed">([A-Za-z0-9\-_]+)</span>#';
-        $post_replace = '<object width="425" height="350" '.
+        return preg_replace_callback($post_regex, array($this, 'postFilterCallback'), $html);
-            'data="http://www.youtube.com/v/\1">'.
+    }
-            '<param name="movie" value="http://www.youtube.com/v/\1"></param>'.
+
+    protected function armorUrl($url) {
+        return str_replace('--', '-&#45;', $url);
+    }
+
+    protected function postFilterCallback($matches) {
+        $url = $this->armorUrl($matches[1]);
+        return '<object width="425" height="350" '.
+            'data="http://www.youtube.com/v/'.$url.'">'.
+            '<param name="movie" value="http://www.youtube.com/v/'.$url.'"></param>'.
             '<param name="wmode" value="transparent"></param>'.
             '<!--[if IE]>'.
-            '<embed src="http://www.youtube.com/v/\1"'.
+            '<embed src="http://www.youtube.com/v/'.$url.'"'.
             'type="application/x-shockwave-flash"'.
             'wmode="transparent" width="425" height="350" />'.
             '<![endif]-->'.
             '</object>';
-        return preg_replace($post_regex, $post_replace, $html);
-    }
 
     }
+}
 
 // vim: et sw=4 sts=4

smoketests/preserveYouTube.php

@@ -6,7 +6,7 @@ echo '<?xml version="1.0" encoding="UTF-8" ?>';
 ?><!DOCTYPE html
      PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
      "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html>
+<html xmlns="http://www.w3.org/1999/xhtml">
 <head>
     <title>HTML Purifier Preserve YouTube Smoketest</title>
     <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
@@ -15,7 +15,7 @@ echo '<?xml version="1.0" encoding="UTF-8" ?>';
 <h1>HTML Purifier Preserve YouTube Smoketest</h1>
 <?php
 
-$string = '<object width="425" height="350"><param name="movie" value="http://www.youtube.com/v/JzqumbhfxRo"></param><param name="wmode" value="transparent"></param><embed src="http://www.youtube.com/v/JzqumbhfxRo" type="application/x-shockwave-flash" wmode="transparent" width="425" height="350"></embed></object>';
+$string = '<object width="425" height="350"><param name="movie" value="http://www.youtube.com/v/BdU--T8rLns"></param><param name="wmode" value="transparent"></param><embed src="http://www.youtube.com/v/BdU--T8rLns" type="application/x-shockwave-flash" wmode="transparent" width="425" height="350"></embed></object>';
 
 $regular_purifier = new HTMLPurifier();