htmlpurifier: allow safe <embed> and <object> tags

By turning 'HTML.SafeEmbed' and 'HTML.SafeObject' ON, we can avoid
having to write and maintain all kinds of filters.

I have deleted all of the filters that are no longer necessary.

Unfortunately, we have to keep two around, Skype and Twitter,
since their embed code includes Javascript.

LP: #604840
Signed-off-by: Francois Marier <francois@catalyst.net.nz>

htdocs/lib/db/upgrade.php

@@ -2070,5 +2070,9 @@ function xmldb_core_upgrade($oldversion=0) {
         set_config('searchusernames', 1);
     }
 
+    if ($oldversion < 2010071500) {
+        reload_html_filters();
+    }
+
     return $status;
 }

htdocs/lib/htmlpurifiercustom/GoogleVideo.php

-<?php
-
-class HTMLPurifier_Filter_GoogleVideo extends HTMLPurifier_Filter
-{
-    
-    public $name = 'GoogleVideo';
-    
-    public function preFilter($html, $config, $context) {
-        $pre_regex = '#<embed\b[^>]+\bsrc="http://video.google.com/googleplayer.swf\?(doc[iI]d=[0-9\-]+(?:&(?:amp;)?hl=[a-z][a-z])?)[^>]+>\s*</embed>#s';
-        $pre_replace = '<span class="googlevideo-embed">\1</span>';
-        return preg_replace($pre_regex, $pre_replace, $html);
-    }
-    
-    public function postFilter($html, $config, $context) {
-        $post_regex = '#<span class="googlevideo-embed">(doc[iI]d=[0-9\-]+(?:&(?:amp;)?hl=[a-z][a-z])?)</span>#';
-        $post_replace = '<object width="400" height="326" data="http://video.google.com/googleplayer.swf?\1">'.
-            '<param name="movie" value="http://video.google.com/googleplayer.swf?\1" />'.
-            '<!--[if IE]>'.
-            '<embed style="width:400px; height:326px;" '.
-            'id="VideoPlayback" '.
-            'type="application/x-shockwave-flash" '.
-            'src="http://video.google.com/googleplayer.swf?\1" '.
-            'flashvars="" '.
-            '</embed>'.
-            '<![endif]-->'.
-            '</object>';
-        return preg_replace($post_regex, $post_replace, $html);
-    }
-    
-}
-

htdocs/lib/htmlpurifiercustom/SciVee.php

-<?php
-
-class HTMLPurifier_Filter_SciVee extends HTMLPurifier_Filter
-{
-    
-    public $name = 'SciVee';
-    
-    public function preFilter($html, $config, $context) {
-        $pre_regex = '#<object [^>]+>.*?<embed src="http://www.scivee.tv/flash/embedPlayer.swf"[^>]+\bflashvars="(id=\d+&(?:amp;)?type=\d+)"[^>]*>\s*</embed>\s*</object>#s';
-        $pre_replace = '<span class="scivee-embed">\1</span>';
-        return preg_replace($pre_regex, $pre_replace, $html);
-    }
-    
-    public function postFilter($html, $config, $context) {
-        $post_regex = '#<span class="scivee-embed">(id=\d+&(?:amp;)?type=\d+)</span>#';
-        $post_replace = '<object width="480" height="400" '.
-            'data="http://www.scivee.tv/flash/embedPlayer.swf">'.
-            '<param name="movie" value="http://www.scivee.tv/flash/embedPlayer.swf" />'.
-            '<param name="allowscriptaccess" value="always" />'.
-            '<param name="flashvars" value="\1" />'.
-            '<!--[if IE]>'.
-            '<embed src="http://www.scivee.tv/flash/embedPlayer.swf" width="480" height="400" flashvars="\1"></embed>'.
-            '<![endif]-->'.
-            '</object>';
-        return preg_replace($post_regex, $post_replace, $html);
-    }
-    
-}

htdocs/lib/htmlpurifiercustom/SlideShare.php

-<?php
-
-class HTMLPurifier_Filter_SlideShare extends HTMLPurifier_Filter
-{
-
-    public $name = 'SlideShare';
-
-    public function preFilter($html, $config, $context) {
-        $pre_regex = '#<embed\b[^>]+\bsrc="http://static\.slideshare(\.net|cdn\.com)/swf/ssplayer2\.swf\?(doc=[a-z0-9-]+)[^>]+>\s*</embed>#s';
-        $pre_replace = '<span class="slideshare-embed">\2</span>';
-        return preg_replace($pre_regex, $pre_replace, $html);
-    }
-
-    public function postFilter($html, $config, $context) {
-        $post_regex = '#<span class="slideshare-embed">(doc=[a-z0-9-]+)</span>#';
-        $post_replace = '<object width="400" height="355" data="http://static.slidesharecdn.com/swf/ssplayer2.swf?\1">'.
-            '<param name="movie" value="http://static.slidesharecdn.com/swf/ssplayer2.swf?\1" />'.
-            '<!--[if IE]>'.
-            '<embed style="width:400px; height:355px;" '.
-            'id="VideoPlayback" '.
-            'type="application/x-shockwave-flash" '.
-            'src="http://static.slidesharecdn.com/swf/ssplayer2.swf?\1" '.
-            'flashvars="" '.
-            '</embed>'.
-            '<![endif]-->'.
-            '</object>';
-        return preg_replace($post_regex, $post_replace, $html);
-        return $html;
-    }
-
-}
-

htdocs/lib/htmlpurifiercustom/TeacherTube.php

-<?php
-
-class HTMLPurifier_Filter_TeacherTube extends HTMLPurifier_Filter
-{
-    
-    public $name = 'TeacherTube';
-    
-    public function preFilter($html, $config, $context) {
-        $pre_regex = '#<embed src="http://www.teachertube.com/(player/search|skin-p)/mediaplayer.swf" [^>]+\bfile=http://www.teachertube.com/flvideo/(\d+).flv\b[^>]+></embed>#s';
-        $pre_replace = '<span class="teachertube-embed">\2</span>';
-        return preg_replace($pre_regex, $pre_replace, $html);
-    }
-    
-    public function postFilter($html, $config, $context) {
-        $post_regex = '#<span class="teachertube-embed">(\d+)</span>#';
-        $post_replace = '<object width="425" height="350" data="http://www.teachertube.com/skin-p/mediaplayer.swf">'.
-            '<param name="movie" value="http://www.teachertube.com/skin-p/mediaplayer.swf" />'.
-            '<param name="flashvars" value="'.
-            'height=350&width=425'.
-            '&file=http://www.teachertube.com/flvideo/\1.flv'.
-            '&image=http://www.teachertube.com/thumb/\1.jpg'.
-            '&location=http://www.teachertube.com/skin-p/mediaplayer.swf'.
-            '&logo=http://www.teachertube.com/images/greylogo.swf'.
-            '&frontcolor=0xffffff&backcolor=0x000000&lightcolor=0xFF0000&screencolor=0xffffff'.
-            '&autostart=false&volume=80&overstretch=fit'.
-            '" />'.
-            '<!--[if IE]>'.
-            '<embed src="http://www.teachertube.com/skin-p/mediaplayer.swf" '.
-            'width="425" height="350" type="application/x-shockwave-flash" allowfullscreen="true" '.
-            'flashvars="'.
-            'height=350&width=425'.
-            '&file=http://www.teachertube.com/flvideo/\1.flv'.
-            '&image=http://www.teachertube.com/thumb/\1.jpg'.
-            '&location=http://www.teachertube.com/skin-p/mediaplayer.swf'.
-            '&logo=http://www.teachertube.com/images/greylogo.swf'.
-            '&frontcolor=0xffffff&backcolor=0x000000&lightcolor=0xFF0000&screencolor=0xffffff'.
-            '&autostart=false&volume=80&overstretch=fit'.
-            '">'.
-            '</embed>'.
-            '<![endif]-->'.
-            '</object>';
-        return preg_replace($post_regex, $post_replace, $html);
-    }
-    
-}

htdocs/lib/htmlpurifiercustom/filters.xml

 <?xml version="1.0" encoding="UTF-8" ?>
 <filters>
-    <filter>
-        <filename>GoogleVideo</filename>
-        <site>http://video.google.com</site>
-    </filter>
-    <filter>
-        <filename>TeacherTube</filename>
-        <site>http://www.teachertube.com</site>
-    </filter>
-    <filter>
-        <filename>SciVee</filename>
-        <site>http://www.scivee.tv</site>
-    </filter>
     <filter>
         <filename>Skype</filename>
         <site>http://skype.com</site>
@@ -20,8 +8,4 @@
         <filename>Twitter</filename>
         <site>http://twitter.com</site>
     </filter>
-    <filter>
-        <filename>SlideShare</filename>
-        <site>http://slideshare.net</site>
-    </filter>
 </filters>

htdocs/lib/upgrade.php

@@ -1045,8 +1045,6 @@ function reload_html_filters() {
         );
         log_info('- ' . $f->file);
     }
-    $filters[] = (object) array('site' => 'http://www.youtube.com', 'file' => 'YouTube');
-    log_info('- YouTube');
     set_config('filters', serialize($filters));
 }
 

htdocs/lib/version.php

@@ -28,7 +28,7 @@
 defined('INTERNAL') || die();
 
 $config = new StdClass;
-$config->version = 2010071300;
+$config->version = 2010071500;
 $config->release = '1.3.0beta3dev';
 $config->minupgradefrom = 2008040200;
 $config->minupgraderelease = '1.0.0 (release tag 1.0.0_RELEASE)';

htdocs/lib/web.php

@@ -2441,17 +2441,21 @@ function clean_html($text) {
     require_once('htmlpurifier/HTMLPurifier.auto.php');
     $config = HTMLPurifier_Config::createDefault();
     $config->set('Cache.SerializerPath', get_config('dataroot') . 'htmlpurifier');
-
-    $config->set('Core.Encoding', 'UTF-8');
     $config->set('HTML.Doctype', 'HTML 4.01 Transitional');
     $config->set('AutoFormat.Linkify', true);
 
+    // Permit embedding contents from other sites
+    $config->set('HTML.SafeEmbed', true);
+    $config->set('HTML.SafeObject', true);
+    $config->set('Output.FlashCompat', true);
+
     $customfilters = array();
     if (get_config('filters')) {
         foreach (unserialize(get_config('filters')) as $filter) {
-            if ($filter->file == 'YouTube') {
-                $config->set('Filter.YouTube', true);
-            } else {
+            // These filters are no longer necessary and have been removed
+            $builtinfilters = array('YouTube', 'TeacherTube', 'SlideShare', 'SciVee', 'GoogleVideo');
+
+            if (!in_array($filter->file, $builtinfilters)) {
                 require_once(get_config('libroot') . 'htmlpurifiercustom/' . $filter->file . '.php');
                 $classname = 'HTMLPurifier_Filter_' . $filter->file;
                 $customfilters[] = new $classname();