Improve handling of malformed object parameters.
When specifying source material for <object> tags, you must use data inside the object tag as well as specify movie in a param. If you specify a src (which is the appropriate markup for <embed>) we now convert and fill in the other attributes appropriately. Also, fix a PHP warning in Generator code. Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
This commit is contained in:
parent
63a854ee5d
commit
4d612d5a77
1
TODO
1
TODO
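--- a/TODO
+++ b/TODO
@@ -18,6 +18,7 @@ Things to do as soon as possible:
 - Fix "<.<" bug (trailing < is removed if not EOD)
 - Build in better internal state dumps and debugging tools for remote
 debugging
+- Allowed/Allowed* have strange interactions when both set
 
 FUTURE VERSIONS
 ---------------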
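--- a/PATH_NOT_ON_PAGE/HTMLPurifier_AttrTransform_SafeParam.php
+++ b/PATH_NOT_ON_PAGE/HTMLPurifier_AttrTransform_SafeParam.php
@@ -37,6 +37,8 @@ class HTMLPurifier_AttrTransform_SafeParam extends HTMLPurifier_AttrTransform
 $attr['value'] = 'window';
 break;
 case 'movie':
+case 'src':
+$attr['name'] = "movie";
 $attr['value'] = $this->uri->validate($attr['value'], $config, $context);
 break;
 case 'flashvars':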
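Review bot: The new `case 'src':` is folded into the `movie` branch, so a `<param name="src">` is renamed to `movie` before its value goes through `$this->uri->validate(...)`; what happens when that validation returns false is decided after the switch, outside this hunk, so confirm that a renamed param whose value failed validation is dropped rather than emitted. Two nits on the added assignment: `"movie"` is the only double-quoted string in this switch (the neighbouring cases use single quotes), and the line also runs for the plain `movie` case where it is a no-op, so a one-line comment would make the intent obvious: `$attr['name'] = 'movie'; // normalise <embed>-style "src" to the <param> spelling`. The match is exact-case on the attribute value, so `name="Src"` does not take this branch; that is fail-closed provided the default branch (outside the hunk) removes unrecognised params.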
@ -142,8 +142,8 @@ class HTMLPurifier_Generator
|
|||||||
if ($name == "movie") $name = "src";
|
if ($name == "movie") $name = "src";
|
||||||
$compat_token->attr[$name] = $val;
|
$compat_token->attr[$name] = $val;
|
||||||
}
|
}
|
||||||
|
$_extra = "<!--[if IE]>".$this->generateFromToken($compat_token)."<![endif]-->";
|
||||||
}
|
}
|
||||||
$_extra = "<!--[if IE]>".$this->generateFromToken($compat_token)."<![endif]-->";
|
|
||||||
}
|
}
|
||||||
return $_extra . '</' . $token->name . '>';
|
return $_extra . '</' . $token->name . '>';
|
||||||
|
|
||||||
|
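Review bot: `$_extra` is concatenated into the return value at `return $_extra . '</' . $token->name . '>';`, but within this hunk it is assigned only inside the FlashCompat branch; unless it is initialised earlier in the method (the method's start is outside the hunk), the non-FlashCompat path still reads an undefined variable, which is the same class of warning the commit message says it fixes. Initialising it once before the branch, `$_extra = '';`, removes the dependency on which branch ran and makes the return line safe regardless of future edits. The split rendering here loses which of the two `$_extra = "<!--[if IE]>"...` lines is old and which is new; from the description the assignment appears to have moved inside the block where `$compat_token` is built, which is the right place since `$compat_token` is only defined there. The pre-existing `$name == "movie"` loose comparison is not new code, but `===` would match the strict style worth adopting in this method.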
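--- a/PATH_NOT_ON_PAGE/HTMLPurifier_HTMLModule_SafeObject.php
+++ b/PATH_NOT_ON_PAGE/HTMLPurifier_HTMLModule_SafeObject.php
@@ -28,7 +28,10 @@ class HTMLPurifier_HTMLModule_SafeObject extends HTMLPurifier_HTMLModule
 'type' => 'Enum#application/x-shockwave-flash',
 'width' => 'Pixels#' . $max,
 'height' => 'Pixels#' . $max,
-'data' => 'URI#embedded'
+'data' => 'URI#embedded',
+'classid' => 'Enum#clsid:d27cdb6e-ae6d-11cf-96b8-444553540000',
+'codebase' => new HTMLPurifier_AttrDef_Enum(array(
+'http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0')),
 )
 );
 $object->attr_transform_post[] = new HTMLPurifier_AttrTransform_SafeObject();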
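Review bot: The added `classid` and `codebase` definitions are the control that keeps a sanitised `<object>` from naming an arbitrary ActiveX control or download location, and nothing on the lines says so; a comment above `'classid'` would protect that intent, e.g. `// classid/codebase are pinned to the single Flash CLSID and Macromedia download URL; never relax these to a URI type.` The `codebase` entry builds `HTMLPurifier_AttrDef_Enum` directly while its siblings use the `Enum#...` shorthand, presumably because the value contains commas (`version=6,0,40,0`) that the shorthand's separator would split on; that deserves its own comment, since a later tidy-up to the shorthand form would silently break the whitelist. Whether the enum match is case-insensitive depends on the AttrDef's default, which is outside this hunk; it is harmless either way for these two literals, but worth confirming so the expected behaviour for `CLSID:...` input is documented.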
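--- a/PATH_NOT_ON_PAGE/HTMLPurifier_Injector_SafeObject.php
+++ b/PATH_NOT_ON_PAGE/HTMLPurifier_Injector_SafeObject.php
@@ -21,6 +21,7 @@ class HTMLPurifier_Injector_SafeObject extends HTMLPurifier_Injector
 'wmode' => true,
 'movie' => true,
 'flashvars' => true,
+'src' => true,
 );
 
 public function prepare($config, $context) {
@@ -48,7 +49,8 @@ class HTMLPurifier_Injector_SafeObject extends HTMLPurifier_Injector
 // We need this fix because YouTube doesn't supply a data
 // attribute, which we need if a type is specified. This is
 // *very* Flash specific.
-if (!isset($this->objectStack[$i]->attr['data']) && $token->attr['name'] == 'movie') {
+if (!isset($this->objectStack[$i]->attr['data']) &&
+($token->attr['name'] == 'movie' || $token->attr['name'] == 'src')) {
 $this->objectStack[$i]->attr['data'] = $token->attr['value'];
 }
 // Check if the parameter is the correct value but has not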
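Review bot: The widened condition `($token->attr['name'] == 'movie' || $token->attr['name'] == 'src')` reads `$token->attr['name']` without checking it exists, so a `<param>` with no `name` attribute raises an undefined-index notice (the `movie` half had the same problem before; the new `src` half repeats it), and it relies on loose `==`; suggest `$name = isset($token->attr['name']) ? $token->attr['name'] : null;` followed by `if (!isset($this->objectStack[$i]->attr['data']) && ($name === 'movie' || $name === 'src')) {`. The param's `value` is copied into `data` raw at this point; that is acceptable only if `data` is still validated by the `URI#embedded` definition on the `<object>` element in a later stage, and that ordering is outside this hunk, so confirm it and record it in the comment block above, e.g. `// data is copied unvalidated here; the URI#embedded AttrDef on <object> checks it later`. The `'src' => true` entry in the first hunk is the companion whitelist change and is consistent with the SafeParam branch that maps `src` to `movie`.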
@ -17,14 +17,15 @@ echo '<?xml version="1.0" encoding="UTF-8" ?>';
|
|||||||
|
|
||||||
$string = '<object width="425" height="350"><param name="movie" value="http://www.youtube.com/v/BdU--T8rLns"></param><param name="wmode" value="transparent"></param><embed src="http://www.youtube.com/v/BdU--T8rLns" type="application/x-shockwave-flash" wmode="transparent" width="425" height="350"></embed></object>
|
$string = '<object width="425" height="350"><param name="movie" value="http://www.youtube.com/v/BdU--T8rLns"></param><param name="wmode" value="transparent"></param><embed src="http://www.youtube.com/v/BdU--T8rLns" type="application/x-shockwave-flash" wmode="transparent" width="425" height="350"></embed></object>
|
||||||
|
|
||||||
<object width="416" height="337"><param name="movie" value="http://www.youtube.com/cp/vjVQa1PpcFNbP_fag8PvopkXZyiXyT0J8U47lw7x5Fc="></param><embed src="http://www.youtube.com/cp/vjVQa1PpcFNbP_fag8PvopkXZyiXyT0J8U47lw7x5Fc=" type="application/x-shockwave-flash" width="416" height="337"></embed></object>';
|
<object width="416" height="337"><param name="movie" value="http://www.youtube.com/cp/vjVQa1PpcFNbP_fag8PvopkXZyiXyT0J8U47lw7x5Fc="></param><embed src="http://www.youtube.com/cp/vjVQa1PpcFNbP_fag8PvopkXZyiXyT0J8U47lw7x5Fc=" type="application/x-shockwave-flash" width="416" height="337"></embed></object>
|
||||||
|
|
||||||
|
<object width="640" height="385"><param name="movie" value="http://www.youtube.com/v/uNxBeJNyAqA&hl=en_US&fs=1&"></param><param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="always"></param><embed src="http://www.youtube.com/v/uNxBeJNyAqA&hl=en_US&fs=1&" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="640" height="385"></embed></object>
|
||||||
|
|
||||||
|
<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0" height="385" width="480"><param name="width" value="480" /><param name="height" value="385" /><param name="src" value="http://www.youtube.com/p/E37ADDDFCA0FD050&hl=en" /><embed height="385" src="http://www.youtube.com/p/E37ADDDFCA0FD050&hl=en" type="application/x-shockwave-flash" width="480"></embed></object>
|
||||||
|
';
|
||||||
|
|
||||||
$regular_purifier = new HTMLPurifier();
|
$regular_purifier = new HTMLPurifier();
|
||||||
|
|
||||||
$youtube_purifier = new HTMLPurifier(array(
|
|
||||||
'Filter.YouTube' => true,
|
|
||||||
));
|
|
||||||
|
|
||||||
$safeobject_purifier = new HTMLPurifier(array(
|
$safeobject_purifier = new HTMLPurifier(array(
|
||||||
'HTML.SafeObject' => true,
|
'HTML.SafeObject' => true,
|
||||||
'Output.FlashCompat' => true,
|
'Output.FlashCompat' => true,
|
||||||
@ -42,11 +43,6 @@ if (isset($_GET['break'])) echo $string;
|
|||||||
echo $regular_purifier->purify($string);
|
echo $regular_purifier->purify($string);
|
||||||
?></div>
|
?></div>
|
||||||
|
|
||||||
<h2>With YouTube exception</h2>
|
|
||||||
<div><?php
|
|
||||||
echo $youtube_purifier->purify($string);
|
|
||||||
?></div>
|
|
||||||
|
|
||||||
<h2>With SafeObject exception and flash compatibility</h2>
|
<h2>With SafeObject exception and flash compatibility</h2>
|
||||||
<div><?php
|
<div><?php
|
||||||
echo $safeobject_purifier->purify($string);
|
echo $safeobject_purifier->purify($string);
|
||||||
|