Commit b35d4411 authored by Francois Marier's avatar Francois Marier

htmlpurifier: allow safe <embed> and <object> tags

By turning 'HTML.SafeEmbed' and 'HTML.SafeObject' ON, we can avoid
having to write and maintain all kinds of filters.

I have deleted all of the filters that are no longer necessary.

Unfortunately, we have to keep two around, Skype and Twitter,
since their embed code includes Javascript.

LP: #604840
Signed-off-by: default avatarFrancois Marier <francois@catalyst.net.nz>
parent 1335f009
......@@ -2070,5 +2070,9 @@ function xmldb_core_upgrade($oldversion=0) {
set_config('searchusernames', 1);
}
if ($oldversion < 2010071500) {
reload_html_filters();
}
return $status;
}
<?php
class HTMLPurifier_Filter_GoogleVideo extends HTMLPurifier_Filter
{
public $name = 'GoogleVideo';
public function preFilter($html, $config, $context) {
$pre_regex = '#<embed\b[^>]+\bsrc="http://video.google.com/googleplayer.swf\?(doc[iI]d=[0-9\-]+(?:&(?:amp;)?hl=[a-z][a-z])?)[^>]+>\s*</embed>#s';
$pre_replace = '<span class="googlevideo-embed">\1</span>';
return preg_replace($pre_regex, $pre_replace, $html);
}
public function postFilter($html, $config, $context) {
$post_regex = '#<span class="googlevideo-embed">(doc[iI]d=[0-9\-]+(?:&(?:amp;)?hl=[a-z][a-z])?)</span>#';
$post_replace = '<object width="400" height="326" data="http://video.google.com/googleplayer.swf?\1">'.
'<param name="movie" value="http://video.google.com/googleplayer.swf?\1" />'.
'<!--[if IE]>'.
'<embed style="width:400px; height:326px;" '.
'id="VideoPlayback" '.
'type="application/x-shockwave-flash" '.
'src="http://video.google.com/googleplayer.swf?\1" '.
'flashvars="" '.
'</embed>'.
'<![endif]-->'.
'</object>';
return preg_replace($post_regex, $post_replace, $html);
}
}
<?php
class HTMLPurifier_Filter_SciVee extends HTMLPurifier_Filter
{
public $name = 'SciVee';
public function preFilter($html, $config, $context) {
$pre_regex = '#<object [^>]+>.*?<embed src="http://www.scivee.tv/flash/embedPlayer.swf"[^>]+\bflashvars="(id=\d+&(?:amp;)?type=\d+)"[^>]*>\s*</embed>\s*</object>#s';
$pre_replace = '<span class="scivee-embed">\1</span>';
return preg_replace($pre_regex, $pre_replace, $html);
}
public function postFilter($html, $config, $context) {
$post_regex = '#<span class="scivee-embed">(id=\d+&(?:amp;)?type=\d+)</span>#';
$post_replace = '<object width="480" height="400" '.
'data="http://www.scivee.tv/flash/embedPlayer.swf">'.
'<param name="movie" value="http://www.scivee.tv/flash/embedPlayer.swf" />'.
'<param name="allowscriptaccess" value="always" />'.
'<param name="flashvars" value="\1" />'.
'<!--[if IE]>'.
'<embed src="http://www.scivee.tv/flash/embedPlayer.swf" width="480" height="400" flashvars="\1"></embed>'.
'<![endif]-->'.
'</object>';
return preg_replace($post_regex, $post_replace, $html);
}
}
<?php
class HTMLPurifier_Filter_SlideShare extends HTMLPurifier_Filter
{
public $name = 'SlideShare';
public function preFilter($html, $config, $context) {
$pre_regex = '#<embed\b[^>]+\bsrc="http://static\.slideshare(\.net|cdn\.com)/swf/ssplayer2\.swf\?(doc=[a-z0-9-]+)[^>]+>\s*</embed>#s';
$pre_replace = '<span class="slideshare-embed">\2</span>';
return preg_replace($pre_regex, $pre_replace, $html);
}
public function postFilter($html, $config, $context) {
$post_regex = '#<span class="slideshare-embed">(doc=[a-z0-9-]+)</span>#';
$post_replace = '<object width="400" height="355" data="http://static.slidesharecdn.com/swf/ssplayer2.swf?\1">'.
'<param name="movie" value="http://static.slidesharecdn.com/swf/ssplayer2.swf?\1" />'.
'<!--[if IE]>'.
'<embed style="width:400px; height:355px;" '.
'id="VideoPlayback" '.
'type="application/x-shockwave-flash" '.
'src="http://static.slidesharecdn.com/swf/ssplayer2.swf?\1" '.
'flashvars="" '.
'</embed>'.
'<![endif]-->'.
'</object>';
return preg_replace($post_regex, $post_replace, $html);
return $html;
}
}
<?php
class HTMLPurifier_Filter_TeacherTube extends HTMLPurifier_Filter
{
public $name = 'TeacherTube';
public function preFilter($html, $config, $context) {
$pre_regex = '#<embed src="http://www.teachertube.com/(player/search|skin-p)/mediaplayer.swf" [^>]+\bfile=http://www.teachertube.com/flvideo/(\d+).flv\b[^>]+></embed>#s';
$pre_replace = '<span class="teachertube-embed">\2</span>';
return preg_replace($pre_regex, $pre_replace, $html);
}
public function postFilter($html, $config, $context) {
$post_regex = '#<span class="teachertube-embed">(\d+)</span>#';
$post_replace = '<object width="425" height="350" data="http://www.teachertube.com/skin-p/mediaplayer.swf">'.
'<param name="movie" value="http://www.teachertube.com/skin-p/mediaplayer.swf" />'.
'<param name="flashvars" value="'.
'height=350&width=425'.
'&file=http://www.teachertube.com/flvideo/\1.flv'.
'&image=http://www.teachertube.com/thumb/\1.jpg'.
'&location=http://www.teachertube.com/skin-p/mediaplayer.swf'.
'&logo=http://www.teachertube.com/images/greylogo.swf'.
'&frontcolor=0xffffff&backcolor=0x000000&lightcolor=0xFF0000&screencolor=0xffffff'.
'&autostart=false&volume=80&overstretch=fit'.
'" />'.
'<!--[if IE]>'.
'<embed src="http://www.teachertube.com/skin-p/mediaplayer.swf" '.
'width="425" height="350" type="application/x-shockwave-flash" allowfullscreen="true" '.
'flashvars="'.
'height=350&width=425'.
'&file=http://www.teachertube.com/flvideo/\1.flv'.
'&image=http://www.teachertube.com/thumb/\1.jpg'.
'&location=http://www.teachertube.com/skin-p/mediaplayer.swf'.
'&logo=http://www.teachertube.com/images/greylogo.swf'.
'&frontcolor=0xffffff&backcolor=0x000000&lightcolor=0xFF0000&screencolor=0xffffff'.
'&autostart=false&volume=80&overstretch=fit'.
'">'.
'</embed>'.
'<![endif]-->'.
'</object>';
return preg_replace($post_regex, $post_replace, $html);
}
}
<?xml version="1.0" encoding="UTF-8" ?>
<filters>
<filter>
<filename>GoogleVideo</filename>
<site>http://video.google.com</site>
</filter>
<filter>
<filename>TeacherTube</filename>
<site>http://www.teachertube.com</site>
</filter>
<filter>
<filename>SciVee</filename>
<site>http://www.scivee.tv</site>
</filter>
<filter>
<filename>Skype</filename>
<site>http://skype.com</site>
......@@ -20,8 +8,4 @@
<filename>Twitter</filename>
<site>http://twitter.com</site>
</filter>
<filter>
<filename>SlideShare</filename>
<site>http://slideshare.net</site>
</filter>
</filters>
......@@ -1045,8 +1045,6 @@ function reload_html_filters() {
);
log_info('- ' . $f->file);
}
$filters[] = (object) array('site' => 'http://www.youtube.com', 'file' => 'YouTube');
log_info('- YouTube');
set_config('filters', serialize($filters));
}
......@@ -28,7 +28,7 @@
defined('INTERNAL') || die();
$config = new StdClass;
$config->version = 2010071300;
$config->version = 2010071500;
$config->release = '1.3.0beta3dev';
$config->minupgradefrom = 2008040200;
$config->minupgraderelease = '1.0.0 (release tag 1.0.0_RELEASE)';
......@@ -2441,17 +2441,21 @@ function clean_html($text) {
require_once('htmlpurifier/HTMLPurifier.auto.php');
$config = HTMLPurifier_Config::createDefault();
$config->set('Cache.SerializerPath', get_config('dataroot') . 'htmlpurifier');
$config->set('Core.Encoding', 'UTF-8');
$config->set('HTML.Doctype', 'HTML 4.01 Transitional');
$config->set('AutoFormat.Linkify', true);
// Permit embedding contents from other sites
$config->set('HTML.SafeEmbed', true);
$config->set('HTML.SafeObject', true);
$config->set('Output.FlashCompat', true);
$customfilters = array();
if (get_config('filters')) {
foreach (unserialize(get_config('filters')) as $filter) {
if ($filter->file == 'YouTube') {
$config->set('Filter.YouTube', true);
} else {
// These filters are no longer necessary and have been removed
$builtinfilters = array('YouTube', 'TeacherTube', 'SlideShare', 'SciVee', 'GoogleVideo');
if (!in_array($filter->file, $builtinfilters)) {
require_once(get_config('libroot') . 'htmlpurifiercustom/' . $filter->file . '.php');
$classname = 'HTMLPurifier_Filter_' . $filter->file;
$customfilters[] = new $classname();
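Review bot: The new `$builtinfilters` check only blacklists the five removed filter names before `require_once` loads `htmlpurifiercustom/<file>.php` and instantiates `HTMLPurifier_Filter_<file>` by name, so any other stale entry in the serialized `filters` config whose class file has since been removed will fatal inside `clean_html()` rather than be skipped. Since that list is what `reload_html_filters()` rebuilds from filters.xml, a missing-file check is cheap insurance: `$filterfile = get_config('libroot') . 'htmlpurifiercustom/' . $filter->file . '.php';` then `if (!in_array($filter->file, $builtinfilters, true) && is_readable($filterfile)) {` and `require_once($filterfile);`. It would also help to record why SafeObject/SafeEmbed are considered safe: as far as I know HTML Purifier rewrites the `allowScriptAccess`/`allowNetworking` params on these tags to non-scripting values, which is exactly what the deleted SciVee filter used to override with `allowscriptaccess=always`, so a comment above the three new `$config->set` calls such as `// Relies on HTML Purifier forcing allowScriptAccess/allowNetworking to safe values on <object>/<embed>; custom filters must not re-add those params` would stop a future filter from quietly reintroducing it. The `clean_html()` body continues past the end of the hunk.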