mirrors/htmlpurifier
0
0
Fork 0
mirror of https://github.com/ezyang/htmlpurifier.git synced 2024-11-09 15:28:40 +00:00
Code Releases Activity

[1.4.1] docs/enduser-youtube.html updated according to new functionality and YouTube IDs can have underscores and dashes

Browse Source 
git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@686 48356398-32a2-884e-a903-53898d9a118a
This commit is contained in:
Edward Z. Yang 2007-01-21 21:45:14 +00:00
parent 2d49299621
commit 96ac7e8797
3 changed files with 28 additions and 53 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
NEWS
View File

@ -9,6 +9,10 @@ NEWS ( CHANGELOG and HISTORY ) HTMLPurifier
. Internal change . Internal change
========================== ==========================
1.4.1, released 2007-01-21
! docs/enduser-youtube.html updated according to new functionality
- YouTube IDs can have underscores and dashes
1.4.0, released 2007-01-21 1.4.0, released 2007-01-21
! Implemented list-style-image, URIs now allowed in list-style ! Implemented list-style-image, URIs now allowed in list-style
! Implemented background-image, background-repeat, background-attachment ! Implemented background-image, background-repeat, background-attachment

73
docs/enduser-youtube.html
View File

@ -37,7 +37,7 @@ from a specific website, it probably is okay. If no amount of pleading will
convince the people upstairs that they should just settle with just linking convince the people upstairs that they should just settle with just linking
to their movies, you may find this technique very useful.</p> to their movies, you may find this technique very useful.</p>
<h2>Sample</h2> <h2>Looking in</h2>
<p>Below is custom code that allows users to embed <p>Below is custom code that allows users to embed
YouTube videos. This is not favoritism: this trick can easily be adapted for YouTube videos. This is not favoritism: this trick can easily be adapted for
@ -69,55 +69,27 @@ into your documents. YouTube's code goes like this:</p>
<p>What point 2 means is that if we have code like <code>&lt;span <p>What point 2 means is that if we have code like <code>&lt;span
class=&quot;embed-youtube&quot;&gt;AyPzM5WK8ys&lt;/span&gt;</code> your class=&quot;embed-youtube&quot;&gt;AyPzM5WK8ys&lt;/span&gt;</code> your
application can reconstruct the full object from this small snippet that application can reconstruct the full object from this small snippet that
passes through HTML Purifier <em>unharmed</em>.</p> passes through HTML Purifier <em>unharmed</em>.
<a href="http://hp.jpsband.org/svnroot/htmlpurifier/trunk/library/HTMLPurifier/Filter/YouTube.php">Show me the code!</a></p>
<pre> <p>And the corresponding usage:</p>
&lt;?php
class HTMLPurifierX_PreserveYouTube extends HTMLPurifier <pre>&lt;?php
{ // assuming $purifier is an instance of HTMLPurifier
function purify($html, $config = null) { require_once 'HTMLPurifier/Filter/YouTube.php';
$pre_regex = '#&lt;object[^&gt;]+&gt;.+?'. $purifier-&gt;addFilter(new HTMLPurifier_Filter_YouTube());
'http://www.youtube.com/v/([A-Za-z0-9]+).+?&lt;/object&gt;#'; ?&gt;</pre>
$pre_replace = '&lt;span class=&quot;youtube-embed&quot;&gt;\1&lt;/span&gt;';
$html = preg_replace($pre_regex, $pre_replace, $html);
$html = parent::purify($html, $config);
$post_regex = '#&lt;span class=&quot;youtube-embed&quot;&gt;([A-Za-z0-9]+)&lt;/span&gt;#';
$post_replace = '&lt;object width=&quot;425&quot; height=&quot;350&quot; '.
'data=&quot;http://www.youtube.com/v/\1&quot;&gt;'.
'&lt;param name=&quot;movie&quot; value=&quot;http://www.youtube.com/v/\1&quot;&gt;&lt;/param&gt;'.
'&lt;param name=&quot;wmode&quot; value=&quot;transparent&quot;&gt;&lt;/param&gt;'.
'&lt;!--[if IE]&gt;'.
'&lt;embed src=&quot;http://www.youtube.com/v/\1&quot;'.
'type=&quot;application/x-shockwave-flash&quot;'.
'wmode=&quot;transparent&quot; width=&quot;425&quot; height=&quot;350&quot; /&gt;'.
'&lt;![endif]--&gt;'.
'&lt;/object&gt;';
$html = preg_replace($post_regex, $post_replace, $html);
return $html;
}
}
$purifier = new HTMLPurifierX_PreserveYouTube(); <p>There is a bit going in the two code snippets, so let's explain.</p>
$html_still_with_youtube = $purifier->purify($html_with_youtube);
?&gt;
</pre>
<p>There is a bit going on here, so let's explain.</p>
<ol> <ol>
<li>The class uses the prefix <code>HTMLPurifierX</code> because it's <li>This is a Filter object, which intercepts the HTML that is
userspace code. Don't use <code>HTMLPurifier</code> in front of your coming into and out of the purifier. You can add as many
class, since it might clobber another class in the library.</li> filter objects as you like. <code>preFilter()</code>
<li>In order to keep the interface compatible, we've extended HTMLPurifier processes the code before it gets purified, and <code>postFilter()</code>
into a new class that preserves the YouTube videos. This means that processes the code afterwards. So, we'll use <code>preFilter()</code> to
all you have to do is replace all instances of replace the object tag with a <code>span</code>, and <code>postFilter()</code>
<code>new HTMLPurifier</code> to <code>new to restore it.</li>
HTMLPurifierX_PreserveYouTube</code>. There's other ways to go about
doing this: if you were calling a function that wrapped HTML Purifier,
you could paste the PHP right there. If you wanted to be really
fancy, you could make a decorator for HTMLPurifier.</li>
<li>The first preg_replace call replaces any YouTube code users may have <li>The first preg_replace call replaces any YouTube code users may have
embedded into the benign span tag. Span is used because it is inline, embedded into the benign span tag. Span is used because it is inline,
and objects are inline too. We are very careful to be extremely and objects are inline too. We are very careful to be extremely
@ -165,17 +137,16 @@ it is important that you are cognizant of the risk.</p>
<p>This should go without saying, but if you're going to adapt this code <p>This should go without saying, but if you're going to adapt this code
for Google Video or the like, make sure you do it <em>right</em>. It's for Google Video or the like, make sure you do it <em>right</em>. It's
extremely easy to allow a character too many in the final section and extremely easy to allow a character too many in <code>postFilter()</code> and
suddenly you're introducing XSS into HTML Purifier's XSS free output. HTML suddenly you're introducing XSS into HTML Purifier's XSS free output. HTML
Purifier may be well written, but it cannot guard against vulnerabilities Purifier may be well written, but it cannot guard against vulnerabilities
introduced after it has finished.</p> introduced after it has finished.</p>
<h2>Future plans</h2> <h2>Help out!</h2>
<p>This functionality is part of the core library, using the <p>If you write a filter for your favorite video destination (or anything
HTMLPurifier_Filter class to acheive the desired effect. Our implementation like that, for that matter), send it over and it might get included
is slightly different, and this page will be updated to reflect that with the core!</p>
once 1.4.0 is released.</p>
</body> </body>
</html> </html>

4
library/HTMLPurifier/Filter/YouTube.php
View File

@ -9,13 +9,13 @@ class HTMLPurifier_Filter_YouTube extends HTMLPurifier_Filter
function preFilter($html, $config, &$context) { function preFilter($html, $config, &$context) {
$pre_regex = '#<object[^>]+>.+?'. $pre_regex = '#<object[^>]+>.+?'.
'http://www.youtube.com/v/([A-Za-z0-9]+).+?</object>#'; 'http://www.youtube.com/v/([A-Za-z0-9\-_]+).+?</object>#';
$pre_replace = '<span class="youtube-embed">\1</span>'; $pre_replace = '<span class="youtube-embed">\1</span>';
return preg_replace($pre_regex, $pre_replace, $html); return preg_replace($pre_regex, $pre_replace, $html);
} }
function postFilter($html, $config, &$context) { function postFilter($html, $config, &$context) {
$post_regex = '#<span class="youtube-embed">([A-Za-z0-9]+)</span>#'; $post_regex = '#<span class="youtube-embed">([A-Za-z0-9\-_]+)</span>#';
$post_replace = '<object width="425" height="350" '. $post_replace = '<object width="425" height="350" '.
'data="http://www.youtube.com/v/\1">'. 'data="http://www.youtube.com/v/\1">'.
'<param name="movie" value="http://www.youtube.com/v/\1"></param>'. '<param name="movie" value="http://www.youtube.com/v/\1"></param>'.