Fix #57, make flashvars check (and others) case-insensitive.

Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>

NEWS

@@ -26,6 +26,7 @@ NEWS ( CHANGELOG and HISTORY )                                     HTMLPurifier
   infinite loop when the directory exists but is not listable. (#49)
 - Don't match for <body> inside comments with
   %Core.ConvertDocumentToFragment. (#67)
+- SafeObject is now less case sensitive. (#57)
 
 4.7.0, released 2015-08-04
 # opacity is now considered a "tricky" CSS property rather than a

library/HTMLPurifier/Injector/SafeObject.php

@@ -36,6 +36,7 @@ class HTMLPurifier_Injector_SafeObject extends HTMLPurifier_Injector
     );
 
     /**
+     * These are all lower-case keys.
      * @type array
      */
     protected $allowedParam = array(
@@ -43,7 +44,7 @@ class HTMLPurifier_Injector_SafeObject extends HTMLPurifier_Injector
         'movie' => true,
         'flashvars' => true,
         'src' => true,
-        'allowFullScreen' => true, // if omitted, assume to be 'false'
+        'allowfullscreen' => true, // if omitted, assume to be 'false'
     );
 
     /**
@@ -93,9 +94,11 @@ class HTMLPurifier_Injector_SafeObject extends HTMLPurifier_Injector
                     $token->attr['name'] === $this->addParam[$n]) {
                     // keep token, and add to param stack
                     $this->paramStack[$i][$n] = true;
-                } elseif (isset($this->allowedParam[$n])) {
+                } elseif (isset($this->allowedParam[strtolower($n)])) {
                     // keep token, don't do anything to it
                     // (could possibly check for duplicates here)
+                    // Note: In principle, parameters should be case sensitive.
+                    // But it seems they are not really; so accept any case.
                 } else {
                     $token = false;
                 }

tests/HTMLPurifier/Injector/SafeObjectTest.php

@@ -57,7 +57,7 @@ class HTMLPurifier_Injector_SafeObjectTest extends HTMLPurifier_InjectorHarness
     public function testIgnoreBogusData()
     {
         $this->assertResult(
-            '<object><param name="allowScriptAccess" value="always" /><param name="allowNetworking" value="always" /></object>',
+            '<object><param name="allowscriptaccess" value="always" /><param name="allowNetworking" value="always" /></object>',
             '<object><param name="allowScriptAccess" value="never" /><param name="allowNetworking" value="internal" /></object>'
         );
     }
@@ -94,6 +94,13 @@ class HTMLPurifier_Injector_SafeObjectTest extends HTMLPurifier_InjectorHarness
         );
     }
 
+    public function testCaseInsensitive()
+    {
+        $this->assertResult(
+            '<object><param name="allowScriptAccess" value="never" /><param name="allowNetworking" value="internal" /><param name="flashVars" value="a" /><param name="FlashVars" value="b" /></object>'
+        );
+    }
+
 }
 
 // vim: et sw=4 sts=4