htmlpurifier: allow safe <embed> and <object> tags

By turning 'HTML.SafeEmbed' and 'HTML.SafeObject' ON, we can avoid having to write and maintain all kinds of filters. I have deleted all of the filters that are no longer necessary. Unfortunately, we have to keep two around, Skype and Twitter, since their embed code includes Javascript. LP: #604840 Signed-off-by: Francois Marier <francois@catalyst.net.nz>

htmlpurifier: allow safe <embed> and <object> tags
By turning 'HTML.SafeEmbed' and 'HTML.SafeObject' ON, we can avoid having to write and maintain all kinds of filters. I have deleted all of the filters that are no longer necessary. Unfortunately, we have to keep two around, Skype and Twitter, since their embed code includes Javascript. LP: #604840 Signed-off-by: Francois Marier <francois@catalyst.net.nz>
b35d4411 · Francois Marier · 1335f009 · b35d4411 · 1335f009 · 1335f009
Commit b35d4411 authored Jul 15, 2010 by Francois Marier
9 changed files
--- a/htdocs/lib/db/upgrade.php
+++ b/htdocs/lib/db/upgrade.php
@@ -2070,5 +2070,9 @@ function xmldb_core_upgrade($oldversion=0) {
        set_config('searchusernames', 1);
    }

+    if ($oldversion < 2010071500) {
+        reload_html_filters();
+    }
+
    return $status;
 }
--- a/htdocs/lib/htmlpurifiercustom/GoogleVideo.php
+++ b/htdocs/lib/htmlpurifiercustom/GoogleVideo.php
-<?php
-
-class HTMLPurifier_Filter_GoogleVideo extends HTMLPurifier_Filter
-{
-    
-    public $name = 'GoogleVideo';
-    
-    public function preFilter($html, $config, $context) {
-        $pre_regex = '#<embed\b[^>]+\bsrc="http://video.google.com/googleplayer.swf\?(doc[iI]d=[0-9\-]+(?:&(?:amp;)?hl=[a-z][a-z])?)[^>]+>\s*</embed>#s';
-        $pre_replace = '<span class="googlevideo-embed">\1</span>';
-        return preg_replace($pre_regex, $pre_replace, $html);
-    }
-    
-    public function postFilter($html, $config, $context) {
-        $post_regex = '#<span class="googlevideo-embed">(doc[iI]d=[0-9\-]+(?:&(?:amp;)?hl=[a-z][a-z])?)</span>#';
-        $post_replace = '<object width="400" height="326" data="http://video.google.com/googleplayer.swf?\1">'.
-            '<param name="movie" value="http://video.google.com/googleplayer.swf?\1" />'.
-            '<!--[if IE]>'.
-            '<embed style="width:400px; height:326px;" '.
-            'id="VideoPlayback" '.
-            'type="application/x-shockwave-flash" '.
-            'src="http://video.google.com/googleplayer.swf?\1" '.
-            'flashvars="" '.
-            '</embed>'.
-            '<![endif]-->'.
-            '</object>';
-        return preg_replace($post_regex, $post_replace, $html);
-    }
-    
-}
-
--- a/htdocs/lib/htmlpurifiercustom/SciVee.php
+++ b/htdocs/lib/htmlpurifiercustom/SciVee.php
-<?php
-
-class HTMLPurifier_Filter_SciVee extends HTMLPurifier_Filter
-{
-    
-    public $name = 'SciVee';
-    
-    public function preFilter($html, $config, $context) {
-        $pre_regex = '#<object [^>]+>.*?<embed src="http://www.scivee.tv/flash/embedPlayer.swf"[^>]+\bflashvars="(id=\d+&(?:amp;)?type=\d+)"[^>]*>\s*</embed>\s*</object>#s';
-        $pre_replace = '<span class="scivee-embed">\1</span>';
-        return preg_replace($pre_regex, $pre_replace, $html);
-    }
-    
-    public function postFilter($html, $config, $context) {
-        $post_regex = '#<span class="scivee-embed">(id=\d+&(?:amp;)?type=\d+)</span>#';
-        $post_replace = '<object width="480" height="400" '.
-            'data="http://www.scivee.tv/flash/embedPlayer.swf">'.
-            '<param name="movie" value="http://www.scivee.tv/flash/embedPlayer.swf" />'.
-            '<param name="allowscriptaccess" value="always" />'.
-            '<param name="flashvars" value="\1" />'.
-            '<!--[if IE]>'.
-            '<embed src="http://www.scivee.tv/flash/embedPlayer.swf" width="480" height="400" flashvars="\1"></embed>'.
-            '<![endif]-->'.
-            '</object>';
-        return preg_replace($post_regex, $post_replace, $html);
-    }
-    
-}
--- a/htdocs/lib/htmlpurifiercustom/SlideShare.php
+++ b/htdocs/lib/htmlpurifiercustom/SlideShare.php
-<?php
-
-class HTMLPurifier_Filter_SlideShare extends HTMLPurifier_Filter
-{
-
-    public $name = 'SlideShare';
-
-    public function preFilter($html, $config, $context) {
-        $pre_regex = '#<embed\b[^>]+\bsrc="http://static\.slideshare(\.net|cdn\.com)/swf/ssplayer2\.swf\?(doc=[a-z0-9-]+)[^>]+>\s*</embed>#s';
-        $pre_replace = '<span class="slideshare-embed">\2</span>';
-        return preg_replace($pre_regex, $pre_replace, $html);
-    }
-
-    public function postFilter($html, $config, $context) {
-        $post_regex = '#<span class="slideshare-embed">(doc=[a-z0-9-]+)</span>#';
-        $post_replace = '<object width="400" height="355" data="http://static.slidesharecdn.com/swf/ssplayer2.swf?\1">'.
-            '<param name="movie" value="http://static.slidesharecdn.com/swf/ssplayer2.swf?\1" />'.
-            '<!--[if IE]>'.
-            '<embed style="width:400px; height:355px;" '.
-            'id="VideoPlayback" '.
-            'type="application/x-shockwave-flash" '.
-            'src="http://static.slidesharecdn.com/swf/ssplayer2.swf?\1" '.
-            'flashvars="" '.
-            '</embed>'.
-            '<![endif]-->'.
-            '</object>';
-        return preg_replace($post_regex, $post_replace, $html);
-        return $html;
-    }
-
-}
-
--- a/htdocs/lib/htmlpurifiercustom/TeacherTube.php
+++ b/htdocs/lib/htmlpurifiercustom/TeacherTube.php
-<?php
-
-class HTMLPurifier_Filter_TeacherTube extends HTMLPurifier_Filter
-{
-    
-    public $name = 'TeacherTube';
-    
-    public function preFilter($html, $config, $context) {
-        $pre_regex = '#<embed src="http://www.teachertube.com/(player/search|skin-p)/mediaplayer.swf" [^>]+\bfile=http://www.teachertube.com/flvideo/(\d+).flv\b[^>]+></embed>#s';
-        $pre_replace = '<span class="teachertube-embed">\2</span>';
-        return preg_replace($pre_regex, $pre_replace, $html);
-    }
-    
-    public function postFilter($html, $config, $context) {
-        $post_regex = '#<span class="teachertube-embed">(\d+)</span>#';
-        $post_replace = '<object width="425" height="350" data="http://www.teachertube.com/skin-p/mediaplayer.swf">'.
-            '<param name="movie" value="http://www.teachertube.com/skin-p/mediaplayer.swf" />'.
-            '<param name="flashvars" value="'.
-            'height=350&width=425'.
-            '&file=http://www.teachertube.com/flvideo/\1.flv'.
-            '&image=http://www.teachertube.com/thumb/\1.jpg'.
-            '&location=http://www.teachertube.com/skin-p/mediaplayer.swf'.
-            '&logo=http://www.teachertube.com/images/greylogo.swf'.
-            '&frontcolor=0xffffff&backcolor=0x000000&lightcolor=0xFF0000&screencolor=0xffffff'.
-            '&autostart=false&volume=80&overstretch=fit'.
-            '" />'.
-            '<!--[if IE]>'.
-            '<embed src="http://www.teachertube.com/skin-p/mediaplayer.swf" '.
-            'width="425" height="350" type="application/x-shockwave-flash" allowfullscreen="true" '.
-            'flashvars="'.
-            'height=350&width=425'.
-            '&file=http://www.teachertube.com/flvideo/\1.flv'.
-            '&image=http://www.teachertube.com/thumb/\1.jpg'.
-            '&location=http://www.teachertube.com/skin-p/mediaplayer.swf'.
-            '&logo=http://www.teachertube.com/images/greylogo.swf'.
-            '&frontcolor=0xffffff&backcolor=0x000000&lightcolor=0xFF0000&screencolor=0xffffff'.
-            '&autostart=false&volume=80&overstretch=fit'.
-            '">'.
-            '</embed>'.
-            '<![endif]-->'.
-            '</object>';
-        return preg_replace($post_regex, $post_replace, $html);
-    }
-    
-}
--- a/htdocs/lib/htmlpurifiercustom/filters.xml
+++ b/htdocs/lib/htmlpurifiercustom/filters.xml
 <?xml version="1.0" encoding="UTF-8" ?>
 <filters>
-    <filter>
-        <filename>GoogleVideo</filename>
-        <site>http://video.google.com</site>
-    </filter>
-    <filter>
-        <filename>TeacherTube</filename>
-        <site>http://www.teachertube.com</site>
-    </filter>
-    <filter>
-        <filename>SciVee</filename>
-        <site>http://www.scivee.tv</site>
-    </filter>
    <filter>
        <filename>Skype</filename>
        <site>http://skype.com</site>
@@ -20,8 +8,4 @@
        <filename>Twitter</filename>
        <site>http://twitter.com</site>
    </filter>
-    <filter>
-        <filename>SlideShare</filename>
-        <site>http://slideshare.net</site>
-    </filter>
 </filters>
--- a/htdocs/lib/upgrade.php
+++ b/htdocs/lib/upgrade.php
@@ -1045,8 +1045,6 @@ function reload_html_filters() {
        );
        log_info('- ' . $f->file);
    }
-    $filters[] = (object) array('site' => 'http://www.youtube.com', 'file' => 'YouTube');
-    log_info('- YouTube');
    set_config('filters', serialize($filters));
 }


--- a/htdocs/lib/version.php
+++ b/htdocs/lib/version.php
@@ -28,7 +28,7 @@
 defined('INTERNAL') || die();

 $config = new StdClass;
-$config->version = 2010071300;
+$config->version = 2010071500;
 $config->release = '1.3.0beta3dev';
 $config->minupgradefrom = 2008040200;
 $config->minupgraderelease = '1.0.0 (release tag 1.0.0_RELEASE)';

--- a/htdocs/lib/web.php
+++ b/htdocs/lib/web.php
@@ -2441,17 +2441,21 @@ function clean_html($text) {
    require_once('htmlpurifier/HTMLPurifier.auto.php');
    $config = HTMLPurifier_Config::createDefault();
    $config->set('Cache.SerializerPath', get_config('dataroot') . 'htmlpurifier');
-
-    $config->set('Core.Encoding', 'UTF-8');
    $config->set('HTML.Doctype', 'HTML 4.01 Transitional');
    $config->set('AutoFormat.Linkify', true);

+    // Permit embedding contents from other sites
+    $config->set('HTML.SafeEmbed', true);
+    $config->set('HTML.SafeObject', true);
+    $config->set('Output.FlashCompat', true);
+
    $customfilters = array();
    if (get_config('filters')) {
        foreach (unserialize(get_config('filters')) as $filter) {
-            if ($filter->file == 'YouTube') {
-                $config->set('Filter.YouTube', true);
-            } else {
+            // These filters are no longer necessary and have been removed
+            $builtinfilters = array('YouTube', 'TeacherTube', 'SlideShare', 'SciVee', 'GoogleVideo');
+
+            if (!in_array($filter->file, $builtinfilters)) {
                require_once(get_config('libroot') . 'htmlpurifiercustom/' . $filter->file . '.php');
                $classname = 'HTMLPurifier_Filter_' . $filter->file;
                $customfilters[] = new $classname();