Support flashvars.
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
parent
97125ed18b
commit
dc90e8e85b
1
NEWS
1
NEWS
@ -14,6 +14,7 @@ NEWS ( CHANGELOG and HISTORY ) HTMLPurifier
|
|||||||
! Support YouTube slideshows that contain /cp/ in their URL.
|
! Support YouTube slideshows that contain /cp/ in their URL.
|
||||||
! Support for data: URI scheme; not enabled by default, add it using
|
! Support for data: URI scheme; not enabled by default, add it using
|
||||||
%URI.AllowedSchemes
|
%URI.AllowedSchemes
|
||||||
|
! Support flashvars when using %HTML.SafeObject
|
||||||
|
|
||||||
4.0.0, released 2009-07-07
|
4.0.0, released 2009-07-07
|
||||||
# APIs for ConfigSchema subsystem have substantially changed. See
|
# APIs for ConfigSchema subsystem have substantially changed. See
|
||||||
|
3
TODO
3
TODO
@ -20,10 +20,11 @@ Things to do as soon as possible:
|
|||||||
|
|
||||||
- Fix ImgRequired to handle data correctly
|
- Fix ImgRequired to handle data correctly
|
||||||
- Think about allowing explicit order of operations hooks for transforms
|
- Think about allowing explicit order of operations hooks for transforms
|
||||||
- Make flashvars work
|
|
||||||
- Inputs don't do the right thing with submit
|
- Inputs don't do the right thing with submit
|
||||||
- Fix "<.<" bug (trailing < is removed if not EOD)
|
- Fix "<.<" bug (trailing < is removed if not EOD)
|
||||||
- http://htmlpurifier.org/phorum/read.php?5,2267,4308#msg-4308
|
- http://htmlpurifier.org/phorum/read.php?5,2267,4308#msg-4308
|
||||||
|
- Build in better internal state dumps and debugging tools for remote
|
||||||
|
debugging
|
||||||
|
|
||||||
FUTURE VERSIONS
|
FUTURE VERSIONS
|
||||||
---------------
|
---------------
|
||||||
|
@ -39,6 +39,10 @@ class HTMLPurifier_AttrTransform_SafeParam extends HTMLPurifier_AttrTransform
|
|||||||
case 'movie':
|
case 'movie':
|
||||||
$attr['value'] = $this->uri->validate($attr['value'], $config, $context);
|
$attr['value'] = $this->uri->validate($attr['value'], $config, $context);
|
||||||
break;
|
break;
|
||||||
|
case 'flashvars':
|
||||||
|
// we're going to allow arbitrary inputs to the SWF, on
|
||||||
|
// the reasoning that it could only hack the SWF, not us.
|
||||||
|
break;
|
||||||
// add other cases to support other param name/value pairs
|
// add other cases to support other param name/value pairs
|
||||||
default:
|
default:
|
||||||
$attr['name'] = $attr['value'] = null;
|
$attr['name'] = $attr['value'] = null;
|
||||||
|
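Review bot: The new `case 'flashvars':` branch passes `$attr['value']` through with no validation, and the comment's justification ("it could only hack the SWF, not us") rests on a precondition it never states. Judging by the test expectation in this commit, the object is emitted with `allowScriptAccess` set to `never` and `allowNetworking` set to `internal`; the pass-through is only as safe as those two params being forced. I would spell that out in the comment, e.g. `// Passed through unvalidated: acceptable only while SafeObject forces allowScriptAccess=never and allowNetworking=internal.` Otherwise a later change that relaxes either param would turn SWF-level input handling into a page-level problem without anyone revisiting this branch. The enclosing switch and method begin and end outside the hunk.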
@ -20,6 +20,7 @@ class HTMLPurifier_Injector_SafeObject extends HTMLPurifier_Injector
|
|||||||
protected $allowedParam = array(
|
protected $allowedParam = array(
|
||||||
'wmode' => true,
|
'wmode' => true,
|
||||||
'movie' => true,
|
'movie' => true,
|
||||||
|
'flashvars' => true,
|
||||||
);
|
);
|
||||||
|
|
||||||
public function prepare($config, $context) {
|
public function prepare($config, $context) {
|
||||||
|
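Review bot: The added `'flashvars' => true` key is lower case, as is the `case 'flashvars':` label in SafeParam, but embed markup often spells the name `FlashVars` or `flashVars`. Whether the param name is case-normalised before these lookups is not visible in either hunk. If it is not, such params presumably fall through to the reject path, which fails closed but makes the feature look broken. A comment on `$allowedParam` would settle it, e.g. `// keys must be lower case; confirm the param name is lower-cased before lookup`.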
@ -34,7 +34,7 @@ class HTMLPurifier_HTMLModule_SafeObjectTest extends HTMLPurifier_HTMLModuleHarn
|
|||||||
|
|
||||||
function testFull() {
|
function testFull() {
|
||||||
$this->assertResult(
|
$this->assertResult(
|
||||||
'<b><object width="425" height="344" type="application/x-shockwave-flash" data="Foobar"><param name="allowScriptAccess" value="never" /><param name="allowNetworking" value="internal" /><param name="movie" value="http://www.youtube.com/v/RVtEQxH7PWA&hl=en" /><param name="wmode" value="window" /></object></b>'
|
'<b><object width="425" height="344" type="application/x-shockwave-flash" data="Foobar"><param name="allowScriptAccess" value="never" /><param name="allowNetworking" value="internal" /><param name="flashvars" value="foobarbaz=bally" /><param name="movie" value="http://www.youtube.com/v/RVtEQxH7PWA&hl=en" /><param name="wmode" value="window" /></object></b>'
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
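Review bot: `testFull` pins only a benign value, `foobarbaz=bally`, so nothing in the suite shows what happens to a flashvars value containing `"`, `<` or `&`. That matters here because flashvars is the one param whose content is now accepted verbatim. I would add a second `assertResult` whose input carries a constructed value such as `<param name="flashvars" value="a=&quot;&gt;&lt;b&gt;" />`, with the expected output written out explicitly. That would pin the value staying confined to the attribute. The test method is fully visible in the hunk, but the rest of the test class lies outside it.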