From dc90e8e85b8fcac4fd88cdf8c337103cbcc336f9 Mon Sep 17 00:00:00 2001
From: "Edward Z. Yang"
Date: Mon, 8 Mar 2010 01:16:57 -0500
Subject: [PATCH] Support flashvars.

Signed-off-by: Edward Z. Yang
---
 NEWS | 1 +
 TODO | 3 ++-
 library/HTMLPurifier/AttrTransform/SafeParam.php | 4 ++++
 library/HTMLPurifier/Injector/SafeObject.php | 1 +
 tests/HTMLPurifier/HTMLModule/SafeObjectTest.php | 2 +-
 5 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/NEWS b/NEWS
index 0863cf29..f8dae82f 100644
--- a/NEWS
+++ b/NEWS
@@ -14,6 +14,7 @@ NEWS ( CHANGELOG and HISTORY ) HTMLPurifier
 ! Support YouTube slideshows that contain /cp/ in their URL.
 ! Support for data: URI scheme; not enabled by default, add it using %URI.AllowedSchemes
+! Support flashvars when using %HTML.SafeObject
 4.0.0, released 2009-07-07
 # APIs for ConfigSchema subsystem have substantially changed. See
diff --git a/TODO b/TODO
index a99d2d95..f09261c3 100644
--- a/TODO
+++ b/TODO
@@ -20,10 +20,11 @@ Things to do as soon as possible:
  - Fix ImgRequired to handle data correctly
  - Think about allowing explicit order of operations hooks for transforms
- - Make flashvars work
  - Inputs don't do the right thing with submit
  - Fix "<.<" bug (trailing < is removed if not EOD)
    - http://htmlpurifier.org/phorum/read.php?5,2267,4308#msg-4308
+ - Build in better internal state dumps and debugging tools for remote
+   debugging
 FUTURE VERSIONS
 ---------------
diff --git a/library/HTMLPurifier/AttrTransform/SafeParam.php b/library/HTMLPurifier/AttrTransform/SafeParam.php
index 94e8052a..6451404c 100644
--- a/library/HTMLPurifier/AttrTransform/SafeParam.php
+++ b/library/HTMLPurifier/AttrTransform/SafeParam.php
@@ -39,6 +39,10 @@ class HTMLPurifier_AttrTransform_SafeParam extends HTMLPurifier_AttrTransform
             case 'movie':
                 $attr['value'] = $this->uri->validate($attr['value'], $config, $context);
                 break;
+            case 'flashvars':
+                // we're going to allow arbitrary inputs to the SWF, on
+                // the reasoning that it could only hack the SWF, not us.
+                break;
             // add other cases to support other param name/value pairs
             default:
                 $attr['name'] = $attr['value'] = null;
diff --git a/library/HTMLPurifier/Injector/SafeObject.php b/library/HTMLPurifier/Injector/SafeObject.php
index 34158286..4939f277 100644
--- a/library/HTMLPurifier/Injector/SafeObject.php
+++ b/library/HTMLPurifier/Injector/SafeObject.php
@@ -20,6 +20,7 @@ class HTMLPurifier_Injector_SafeObject extends HTMLPurifier_Injector
     protected $allowedParam = array(
         'wmode' => true,
         'movie' => true,
+        'flashvars' => true,
     );
     public function prepare($config, $context) {
diff --git a/tests/HTMLPurifier/HTMLModule/SafeObjectTest.php b/tests/HTMLPurifier/HTMLModule/SafeObjectTest.php
index 653a528b..667a8a83 100644
--- a/tests/HTMLPurifier/HTMLModule/SafeObjectTest.php
+++ b/tests/HTMLPurifier/HTMLModule/SafeObjectTest.php
@@ -34,7 +34,7 @@ class HTMLPurifier_HTMLModule_SafeObjectTest extends HTMLPurifier_HTMLModuleHarn
     function testFull() {
         $this->assertResult(
-            ''
+            ''
         );
     }
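Review bot: The new `case 'flashvars':` passes the value through untouched, and the comment's justification that a bad value "could only hack the SWF, not us" holds only while the embedded SWF is itself kept from scripting the host page or reaching arbitrary origins; nothing in this hunk shows what enforces that, so the comment should name the dependency instead of leaving it implicit. Suggested replacement for the two comment lines: `// Passed through unvalidated: flashvars is interpreted only by the SWF. This is` / `// acceptable only while SafeObject also keeps the SWF from scripting the page or the network.` A second point: the `switch` compares `$attr['name']` case-sensitively, so the `FlashVars` spelling used in many embed snippets would fall to `default` and be dropped unless the name is lowercased upstream, which the hunk does not show; the same applies to the `'flashvars' => true` key added in the SafeObject injector hunk. The enclosing method and `switch` start and end outside the hunk.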
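Review bot: `$allowedParam` now lists exactly the names that have `case` labels in `HTMLPurifier_AttrTransform_SafeParam`'s switch, and the two sites must stay in step — a name allowed here but unhandled there is nulled by that switch's `default`, and a name handled there but absent here presumably never reaches it — yet neither site says so. A one-line comment on the array would prevent drift: `// Must match the param names handled in HTMLPurifier_AttrTransform_SafeParam.` The class body and the `prepare()` method that follows continue outside the hunk.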