
Fix #57, make flashvars check (and others) case-insensitive.

Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
This commit is contained in:
Edward Z. Yang 2016-03-27 15:56:30 -07:00
parent b4981c3395
commit 43a9f052fd
3 changed files with 14 additions and 3 deletions

NEWS

@ -26,6 +26,7 @@ NEWS ( CHANGELOG and HISTORY ) HTMLPurifier
infinite loop when the directory exists but is not listable. (#49) infinite loop when the directory exists but is not listable. (#49)
- Don't match for <body> inside comments with - Don't match for <body> inside comments with
%Core.ConvertDocumentToFragment. (#67) %Core.ConvertDocumentToFragment. (#67)
- SafeObject is now less case sensitive. (#57)
4.7.0, released 2015-08-04 4.7.0, released 2015-08-04
# opacity is now considered a "tricky" CSS property rather than a # opacity is now considered a "tricky" CSS property rather than a


@ -36,6 +36,7 @@ class HTMLPurifier_Injector_SafeObject extends HTMLPurifier_Injector
); );
/** /**
* These are all lower-case keys.
* @type array * @type array
*/ */
protected $allowedParam = array( protected $allowedParam = array(
@ -43,7 +44,7 @@ class HTMLPurifier_Injector_SafeObject extends HTMLPurifier_Injector
'movie' => true, 'movie' => true,
'flashvars' => true, 'flashvars' => true,
'src' => true, 'src' => true,
'allowFullScreen' => true, // if omitted, assume to be 'false' 'allowfullscreen' => true, // if omitted, assume to be 'false'
); );
/** /**
@ -93,9 +94,11 @@ class HTMLPurifier_Injector_SafeObject extends HTMLPurifier_Injector
$token->attr['name'] === $this->addParam[$n]) { $token->attr['name'] === $this->addParam[$n]) {
// keep token, and add to param stack // keep token, and add to param stack
$this->paramStack[$i][$n] = true; $this->paramStack[$i][$n] = true;
} elseif (isset($this->allowedParam[$n])) { } elseif (isset($this->allowedParam[strtolower($n)])) {
// keep token, don't do anything to it // keep token, don't do anything to it
// (could possibly check for duplicates here) // (could possibly check for duplicates here)
// Note: In principle, parameters should be case sensitive.
// But it seems they are not really; so accept any case.
} else { } else {
$token = false; $token = false;
} }
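Review bot: The case-insensitive lookup on the `elseif` line makes the safety of this injector depend on an unstated invariant: no key in `$allowedParam` may be a case-variant of an `$addParam` key (`allowScriptAccess`, `allowNetworking`), otherwise a permissive `<param name="ALLOWSCRIPTACCESS" value="always">` would be kept verbatim instead of being dropped and replaced with the safe value. The preceding branch, whose condition starts outside this hunk, still compares the name with exact case, and it is that exact match failing that sends mixed-case variants of the protected params down to the drop path. I would state the invariant next to the new docblock line `These are all lower-case keys.`: `* Must never contain a case-variant of an addParam key, because the lookup below is case-insensitive.` Before PHP 8.2 `strtolower` also honours the C locale; that is harmless for these ASCII keys, but a one-line comment saying the keys are ASCII-only would prevent a future surprise.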


@ -57,7 +57,7 @@ class HTMLPurifier_Injector_SafeObjectTest extends HTMLPurifier_InjectorHarness
public function testIgnoreBogusData() public function testIgnoreBogusData()
{ {
$this->assertResult( $this->assertResult(
'<object><param name="allowScriptAccess" value="always" /><param name="allowNetworking" value="always" /></object>', '<object><param name="allowscriptaccess" value="always" /><param name="allowNetworking" value="always" /></object>',
'<object><param name="allowScriptAccess" value="never" /><param name="allowNetworking" value="internal" /></object>' '<object><param name="allowScriptAccess" value="never" /><param name="allowNetworking" value="internal" /></object>'
); );
} }
@ -94,6 +94,13 @@ class HTMLPurifier_Injector_SafeObjectTest extends HTMLPurifier_InjectorHarness
); );
} }
public function testCaseInsensitive()
{
$this->assertResult(
'<object><param name="allowScriptAccess" value="never" /><param name="allowNetworking" value="internal" /><param name="flashVars" value="a" /><param name="FlashVars" value="b" /></object>'
);
}
} }
// vim: et sw=4 sts=4 // vim: et sw=4 sts=4
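Review bot: `testCaseInsensitive` only checks that mixed-case `flashVars`/`FlashVars` params are retained; it does not pin the security-relevant half of the change, that a mixed-case `allowScriptAccess`/`allowNetworking` carrying a permissive value is still dropped and re-added with the safe value (`testIgnoreBogusData` covers only the all-lowercase `allowscriptaccess`). Given the drop path visible in the injector hunk, an upper-case variant should behave the same, so I would add to `testCaseInsensitive`: `$this->assertResult('<object><param name="ALLOWSCRIPTACCESS" value="always" /><param name="AllowNetworking" value="all" /></object>', '<object><param name="allowScriptAccess" value="never" /><param name="allowNetworking" value="internal" /></object>');`. The new test also shows that `flashVars` and `FlashVars` are both kept; if the player treats these as one param, the injector's `(could possibly check for duplicates here)` remark now applies across case as well, and a short comment on the test saying the duplicate is intentional would help the next reader.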