
Support flashvars.

Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
This commit is contained in:
Edward Z. Yang 2010-03-08 01:16:57 -05:00
parent 97125ed18b
commit dc90e8e85b
5 changed files with 9 additions and 2 deletions

NEWS

@ -14,6 +14,7 @@ NEWS ( CHANGELOG and HISTORY ) HTMLPurifier
! Support YouTube slideshows that contain /cp/ in their URL. ! Support YouTube slideshows that contain /cp/ in their URL.
! Support for data: URI scheme; not enabled by default, add it using ! Support for data: URI scheme; not enabled by default, add it using
%URI.AllowedSchemes %URI.AllowedSchemes
! Support flashvars when using %HTML.SafeObject
4.0.0, released 2009-07-07 4.0.0, released 2009-07-07
# APIs for ConfigSchema subsystem have substantially changed. See # APIs for ConfigSchema subsystem have substantially changed. See

TODO

@ -20,10 +20,11 @@ Things to do as soon as possible:
- Fix ImgRequired to handle data correctly - Fix ImgRequired to handle data correctly
- Think about allowing explicit order of operations hooks for transforms - Think about allowing explicit order of operations hooks for transforms
- Make flashvars work
- Inputs don't do the right thing with submit - Inputs don't do the right thing with submit
- Fix "<.<" bug (trailing < is removed if not EOD) - Fix "<.<" bug (trailing < is removed if not EOD)
- http://htmlpurifier.org/phorum/read.php?5,2267,4308#msg-4308 - http://htmlpurifier.org/phorum/read.php?5,2267,4308#msg-4308
- Build in better internal state dumps and debugging tools for remote
debugging
FUTURE VERSIONS FUTURE VERSIONS
--------------- ---------------


@ -39,6 +39,10 @@ class HTMLPurifier_AttrTransform_SafeParam extends HTMLPurifier_AttrTransform
case 'movie': case 'movie':
$attr['value'] = $this->uri->validate($attr['value'], $config, $context); $attr['value'] = $this->uri->validate($attr['value'], $config, $context);
break; break;
case 'flashvars':
// we're going to allow arbitrary inputs to the SWF, on
// the reasoning that it could only hack the SWF, not us.
break;
// add other cases to support other param name/value pairs // add other cases to support other param name/value pairs
default: default:
$attr['name'] = $attr['value'] = null; $attr['name'] = $attr['value'] = null;
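Review bot: The new `case 'flashvars':` branch passes `$attr['value']` through with no validation at all, and the justification in its comment ("it could only hack the SWF, not us") holds only because of restrictions applied elsewhere: the expected output asserted in SafeObjectTest further down this page shows `allowScriptAccess="never"` and `allowNetworking="internal"` being emitted alongside the param, and that is what keeps a SWF fed attacker-chosen flashvars from reaching the host page. That dependency should be written down where the pass-through happens rather than left implicit, e.g. `// Passed through unvalidated: the SWF gets attacker-controlled input. Acceptable only because SafeObject pins allowScriptAccess=never and allowNetworking=internal; revisit if those are ever relaxed.` Nothing in this hunk shows that the value is still attribute-escaped on output (presumably the generator does it), so a test with a value containing `&` or a quote would be worth adding. The enclosing switch and its method start and end outside the hunk.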


@ -20,6 +20,7 @@ class HTMLPurifier_Injector_SafeObject extends HTMLPurifier_Injector
protected $allowedParam = array( protected $allowedParam = array(
'wmode' => true, 'wmode' => true,
'movie' => true, 'movie' => true,
'flashvars' => true,
); );
public function prepare($config, $context) { public function prepare($config, $context) {
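Review bot: `$allowedParam` now has to agree entry-for-entry with the `switch` in HTMLPurifier_AttrTransform_SafeParam (`wmode`, `movie` and `flashvars` appear in both on this page), but nothing ties the two lists together: a name added here but not there is silently nulled by SafeParam's `default:` branch, and one added there but not here never reaches it. A comment on the property would at least make the coupling visible, e.g. `// Keep in sync with the switch in HTMLPurifier_AttrTransform_SafeParam; names unknown there are dropped.` Whether param names are lower-cased before this lookup is not visible in the hunk, so a mixed-case `FlashVars` may be dropped rather than allowed — harmless, but worth a test if it matters. The class body continues outside the hunk.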


@ -34,7 +34,7 @@ class HTMLPurifier_HTMLModule_SafeObjectTest extends HTMLPurifier_HTMLModuleHarn
function testFull() { function testFull() {
$this->assertResult( $this->assertResult(
'<b><object width="425" height="344" type="application/x-shockwave-flash" data="Foobar"><param name="allowScriptAccess" value="never" /><param name="allowNetworking" value="internal" /><param name="movie" value="http://www.youtube.com/v/RVtEQxH7PWA&amp;hl=en" /><param name="wmode" value="window" /></object></b>' '<b><object width="425" height="344" type="application/x-shockwave-flash" data="Foobar"><param name="allowScriptAccess" value="never" /><param name="allowNetworking" value="internal" /><param name="flashvars" value="foobarbaz=bally" /><param name="movie" value="http://www.youtube.com/v/RVtEQxH7PWA&amp;hl=en" /><param name="wmode" value="window" /></object></b>'
); );
} }
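Review bot: The only flashvars value exercised is `foobarbaz=bally`, which contains nothing that needs escaping, so testFull does not show what happens to the `&`-joined or quoted values this parameter usually carries. A second `assertResult` case with a value such as `a=1&amp;b=2` (constructed example) would pin down that the value survives intact and stays attribute-escaped, and would catch a later change that starts decoding or dropping it; the exact expected string should be confirmed by running it rather than assumed. It would also be worth asserting that the flashvars param is emitted only together with `allowScriptAccess="never"` and `allowNetworking="internal"`, since that pairing is what makes passing arbitrary flashvars acceptable.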