From cec7a1c087c918b9bcce6c23a5af05b6b557d00b Mon Sep 17 00:00:00 2001
From: "Edward Z. Yang"
Below is custom code that allows users to embed YouTube videos. This is not favoritism: this trick can easily be adapted for @@ -69,55 +69,27 @@ into your documents. YouTube's code goes like this:
What point 2 means is that if we have code like <span
class="embed-youtube">AyPzM5WK8ys</span>
your
application can reconstruct the full object from this small snippet that
-passes through HTML Purifier unharmed.
-<?php +- -And the corresponding usage:
-class HTMLPurifierX_PreserveYouTube extends HTMLPurifier -{ - function purify($html, $config = null) { - $pre_regex = '#<object[^>]+>.+?'. - 'http://www.youtube.com/v/([A-Za-z0-9]+).+?</object>#'; - $pre_replace = '<span class="youtube-embed">\1</span>'; - $html = preg_replace($pre_regex, $pre_replace, $html); - $html = parent::purify($html, $config); - $post_regex = '#<span class="youtube-embed">([A-Za-z0-9]+)</span>#'; - $post_replace = '<object width="425" height="350" '. - 'data="http://www.youtube.com/v/\1">'. - '<param name="movie" value="http://www.youtube.com/v/\1"></param>'. - '<param name="wmode" value="transparent"></param>'. - '<!--[if IE]>'. - '<embed src="http://www.youtube.com/v/\1"'. - 'type="application/x-shockwave-flash"'. - 'wmode="transparent" width="425" height="350" />'. - '<![endif]-->'. - '</object>'; - $html = preg_replace($post_regex, $post_replace, $html); - return $html; - } -} +<?php + // assuming $purifier is an instance of HTMLPurifier + require_once 'HTMLPurifier/Filter/YouTube.php'; + $purifier->addFilter(new HTMLPurifier_Filter_YouTube()); +?>-$purifier = new HTMLPurifierX_PreserveYouTube(); -$html_still_with_youtube = $purifier->purify($html_with_youtube); - -?> -
There is a bit going on here, so let's explain.
+There is a bit going in the two code snippets, so let's explain.
HTMLPurifierX
because it's
- userspace code. Don't use HTMLPurifier
in front of your
- class, since it might clobber another class in the library.new HTMLPurifier
to new
- HTMLPurifierX_PreserveYouTube
. There's other ways to go about
- doing this: if you were calling a function that wrapped HTML Purifier,
- you could paste the PHP right there. If you wanted to be really
- fancy, you could make a decorator for HTMLPurifier.preFilter()
+ processes the code before it gets purified, and postFilter()
+ processes the code afterwards. So, we'll use preFilter()
to
+ replace the object tag with a span
, and postFilter()
+ to restore it.This should go without saying, but if you're going to adapt this code
for Google Video or the like, make sure you do it right. It's
-extremely easy to allow a character too many in the final section and
+extremely easy to allow a character too many in postFilter()
and
suddenly you're introducing XSS into HTML Purifier's XSS free output. HTML
Purifier may be well written, but it cannot guard against vulnerabilities
introduced after it has finished.
This functionality is part of the core library, using the -HTMLPurifier_Filter class to acheive the desired effect. Our implementation -is slightly different, and this page will be updated to reflect that -once 1.4.0 is released.
+If you write a filter for your favorite video destination (or anything +like that, for that matter), send it over and it might get included +with the core!
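Review bot: the unchanged context still shows the example snippet as `<span class="embed-youtube">AyPzM5WK8ys</span>`, while the removed inline code produced `<span class="youtube-embed">\1</span>`; the new text only says `require_once 'HTMLPurifier/Filter/YouTube.php'` and `$purifier->addFilter(new HTMLPurifier_Filter_YouTube())` without showing which class name that filter emits, so the span example should be checked against the filter and made to match, or readers adapting it will produce markup the postFilter() never restores. The added sentence "extremely easy to allow a character too many in postFilter()" would also be stronger if it said what the removed code did right: the id captured by the postFilter() pattern was restricted to `[A-Za-z0-9]+`, which is what keeps the interpolated `data`/`src`/`value` attributes from carrying quotes or other attribute-breaking characters, and any adaptation for another site needs an equally strict whitelist on the captured id (note that YouTube ids are not limited to that class, so a looser match for the preFilter() side must still be paired with a strict one on restore).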