Support flashvars.

Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2024-12-22 08:21:52 +00:00 · 2010-03-08 01:16:57 -05:00 · 2010-03-08 01:16:57 -05:00 · dc90e8e85b
commit dc90e8e85b
parent 97125ed18b
5 changed files with 9 additions and 2 deletions
--- a/1
+++ b/1
@ -14,6 +14,7 @@ NEWS ( CHANGELOG and HISTORY )                                     HTMLPurifier
 ! Support YouTube slideshows that contain /cp/ in their URL.
 ! Support for data: URI scheme; not enabled by default, add it using
  %URI.AllowedSchemes
+! Support flashvars when using %HTML.SafeObject

 4.0.0, released 2009-07-07
 # APIs for ConfigSchema subsystem have substantially changed. See
--- a/3
+++ b/3
@ -20,10 +20,11 @@ Things to do as soon as possible:

 - Fix ImgRequired to handle data correctly
 - Think about allowing explicit order of operations hooks for transforms
- - Make flashvars work
 - Inputs don't do the right thing with submit
 - Fix "<.<" bug (trailing < is removed if not EOD)
 - http://htmlpurifier.org/phorum/read.php?5,2267,4308#msg-4308
+ - Build in better internal state dumps and debugging tools for remote
+   debugging

 FUTURE VERSIONS
 ---------------
--- a/library/HTMLPurifier/AttrTransform/SafeParam.php
+++ b/library/HTMLPurifier/AttrTransform/SafeParam.php
@ -39,6 +39,10 @@ class HTMLPurifier_AttrTransform_SafeParam extends HTMLPurifier_AttrTransform
            case 'movie':
                $attr['value'] = $this->uri->validate($attr['value'], $config, $context);
                break;
+            case 'flashvars':
+                // we're going to allow arbitrary inputs to the SWF, on
+                // the reasoning that it could only hack the SWF, not us.
+                break;
            // add other cases to support other param name/value pairs
            default:
                $attr['name'] = $attr['value'] = null;
--- a/library/HTMLPurifier/Injector/SafeObject.php
+++ b/library/HTMLPurifier/Injector/SafeObject.php
@ -20,6 +20,7 @@ class HTMLPurifier_Injector_SafeObject extends HTMLPurifier_Injector
    protected $allowedParam = array(
        'wmode' => true,
        'movie' => true,
+        'flashvars' => true,
    );

    public function prepare($config, $context) {
--- a/tests/HTMLPurifier/HTMLModule/SafeObjectTest.php
+++ b/tests/HTMLPurifier/HTMLModule/SafeObjectTest.php
@ -34,7 +34,7 @@ class HTMLPurifier_HTMLModule_SafeObjectTest extends HTMLPurifier_HTMLModuleHarn

    function testFull() {
        $this->assertResult(
-            '<b><object width="425" height="344" type="application/x-shockwave-flash" data="Foobar"><param name="allowScriptAccess" value="never" /><param name="allowNetworking" value="internal" /><param name="movie" value="http://www.youtube.com/v/RVtEQxH7PWA&amp;hl=en" /><param name="wmode" value="window" /></object></b>'
+            '<b><object width="425" height="344" type="application/x-shockwave-flash" data="Foobar"><param name="allowScriptAccess" value="never" /><param name="allowNetworking" value="internal" /><param name="flashvars" value="foobarbaz=bally" /><param name="movie" value="http://www.youtube.com/v/RVtEQxH7PWA&amp;hl=en" /><param name="wmode" value="window" /></object></b>'
        );
    }