0
0
mirror of https://github.com/ezyang/htmlpurifier.git synced 2024-11-09 15:28:40 +00:00

Fix #57, make flashvars check (and others) case-insensitive.

Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
This commit is contained in:
Edward Z. Yang 2016-03-27 15:56:30 -07:00
parent b4981c3395
commit 43a9f052fd
3 changed files with 14 additions and 3 deletions

1
NEWS
View File

@ -26,6 +26,7 @@ NEWS ( CHANGELOG and HISTORY ) HTMLPurifier
infinite loop when the directory exists but is not listable. (#49)
- Don't match for <body> inside comments with
%Core.ConvertDocumentToFragment. (#67)
- SafeObject is now less case sensitive. (#57)
4.7.0, released 2015-08-04
# opacity is now considered a "tricky" CSS property rather than a

View File

@ -36,6 +36,7 @@ class HTMLPurifier_Injector_SafeObject extends HTMLPurifier_Injector
);
/**
* These are all lower-case keys.
* @type array
*/
protected $allowedParam = array(
@ -43,7 +44,7 @@ class HTMLPurifier_Injector_SafeObject extends HTMLPurifier_Injector
'movie' => true,
'flashvars' => true,
'src' => true,
'allowFullScreen' => true, // if omitted, assume to be 'false'
'allowfullscreen' => true, // if omitted, assume to be 'false'
);
/**
@ -93,9 +94,11 @@ class HTMLPurifier_Injector_SafeObject extends HTMLPurifier_Injector
$token->attr['name'] === $this->addParam[$n]) {
// keep token, and add to param stack
$this->paramStack[$i][$n] = true;
} elseif (isset($this->allowedParam[$n])) {
} elseif (isset($this->allowedParam[strtolower($n)])) {
// keep token, don't do anything to it
// (could possibly check for duplicates here)
// Note: In principle, parameters should be case sensitive.
// But it seems they are not really; so accept any case.
} else {
$token = false;
}

View File

@ -57,7 +57,7 @@ class HTMLPurifier_Injector_SafeObjectTest extends HTMLPurifier_InjectorHarness
public function testIgnoreBogusData()
{
$this->assertResult(
'<object><param name="allowScriptAccess" value="always" /><param name="allowNetworking" value="always" /></object>',
'<object><param name="allowscriptaccess" value="always" /><param name="allowNetworking" value="always" /></object>',
'<object><param name="allowScriptAccess" value="never" /><param name="allowNetworking" value="internal" /></object>'
);
}
@ -94,6 +94,13 @@ class HTMLPurifier_Injector_SafeObjectTest extends HTMLPurifier_InjectorHarness
);
}
public function testCaseInsensitive()
{
$this->assertResult(
'<object><param name="allowScriptAccess" value="never" /><param name="allowNetworking" value="internal" /><param name="flashVars" value="a" /><param name="FlashVars" value="b" /></object>'
);
}
}
// vim: et sw=4 sts=4