From 43a9f052fd3fe3159fcc87d95c179bcc122e5760 Mon Sep 17 00:00:00 2001
From: "Edward Z. Yang"
Date: Sun, 27 Mar 2016 15:56:30 -0700
Subject: [PATCH] Fix #57, make flashvars check (and others) case-insensitive.

Signed-off-by: Edward Z. Yang
---
 NEWS | 1 +
 library/HTMLPurifier/Injector/SafeObject.php | 7 +++++--
 tests/HTMLPurifier/Injector/SafeObjectTest.php | 9 ++++++++-
 3 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/NEWS b/NEWS
index 58c4ee18..dc059946 100644
--- a/NEWS
+++ b/NEWS
@@ -26,6 +26,7 @@ NEWS ( CHANGELOG and HISTORY ) HTMLPurifier
     infinite loop when the directory exists but is not listable. (#49)
 - Don't match for inside comments with %Core.ConvertDocumentToFragment. (#67)
+- SafeObject is now less case sensitive. (#57)
 
 4.7.0, released 2015-08-04
 # opacity is now considered a "tricky" CSS property rather than a
diff --git a/library/HTMLPurifier/Injector/SafeObject.php b/library/HTMLPurifier/Injector/SafeObject.php
index 3d17e07a..317f7864 100644
--- a/library/HTMLPurifier/Injector/SafeObject.php
+++ b/library/HTMLPurifier/Injector/SafeObject.php
@@ -36,6 +36,7 @@ class HTMLPurifier_Injector_SafeObject extends HTMLPurifier_Injector
     );
 
     /**
+     * These are all lower-case keys.
      * @type array
      */
     protected $allowedParam = array(
@@ -43,7 +44,7 @@ class HTMLPurifier_Injector_SafeObject extends HTMLPurifier_Injector
         'movie' => true,
         'flashvars' => true,
         'src' => true,
-        'allowFullScreen' => true, // if omitted, assume to be 'false'
+        'allowfullscreen' => true, // if omitted, assume to be 'false'
     );
 
     /**
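Review bot: The new `These are all lower-case keys.` line on `$allowedParam` records the convention but not why it matters, which is the part a future maintainer needs: the allowlist lookup elsewhere in this class now lowercases the param name before indexing this array, so a mixed-case key added here would silently never match and that param would be dropped. I would make the consequence explicit, e.g. `* Keys MUST be lower-case: the lookup is done on strtolower($name), so a mixed-case key here never matches.` The `allowFullScreen` to `allowfullscreen` rename in the following hunk is the only existing key this affects, and its trailing `// if omitted, assume to be 'false'` note still reads correctly; the property's declaration continues past the end of the hunk.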
@@ -93,9 +94,11 @@ class HTMLPurifier_Injector_SafeObject extends HTMLPurifier_Injector
                 $token->attr['name'] === $this->addParam[$n]) {
                 // keep token, and add to param stack
                 $this->paramStack[$i][$n] = true;
-            } elseif (isset($this->allowedParam[$n])) {
+            } elseif (isset($this->allowedParam[strtolower($n)])) {
                 // keep token, don't do anything to it
                 // (could possibly check for duplicates here)
+                // Note: In principle, parameters should be case sensitive.
+                // But it seems they are not really; so accept any case.
             } else {
                 $token = false;
             }
diff --git a/tests/HTMLPurifier/Injector/SafeObjectTest.php b/tests/HTMLPurifier/Injector/SafeObjectTest.php
index f5283063..b780375a 100644
--- a/tests/HTMLPurifier/Injector/SafeObjectTest.php
+++ b/tests/HTMLPurifier/Injector/SafeObjectTest.php
@@ -57,7 +57,7 @@ class HTMLPurifier_Injector_SafeObjectTest extends HTMLPurifier_InjectorHarness
     public function testIgnoreBogusData()
     {
         $this->assertResult(
-            '',
+            '',
             ''
         );
     }
@@ -94,6 +94,13 @@ class HTMLPurifier_Injector_SafeObjectTest extends HTMLPurifier_InjectorHarness
         );
     }
 
+    public function testCaseInsensitive()
+    {
+        $this->assertResult(
+            ''
+        );
+    }
+
 }
 
 // vim: et sw=4 sts=4
-- 
2.11.4.GIT
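Review bot: The `elseif` now matches on `strtolower($n)` while the `addParam` branch a few lines above (its condition starts outside this hunk) still indexes `$this->addParam[$n]` with the original case, so the two lookups disagree on what counts as the same parameter name; that is only safe as long as no `addParam` key also appears in `$allowedParam`, so that a mixed-case spelling of a forced param falls through to `$token = false` rather than being passed through untouched, and nothing in the hunk states that invariant. I would extend the added comment to pin it down: `// The addParam lookup above is still exact-case on purpose: a case variant of one of those names must not land here, it has to fall through and be dropped.` The case-insensitive match also widens the existing `(could possibly check for duplicates here)` gap, since `flashvars` and `FlashVars` now both survive and which one the plugin honours is left to the plugin; recording `$this->paramStack[$i][strtolower($n)] = true;` here and dropping a repeat would close that, provided paramStack is not inspected elsewhere in a way that a non-addParam key would confuse, which I cannot see from this hunk.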
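Review bot: `testCaseInsensitive` only exercises the positive half of the change (a mixed-case spelling of an allowed param survives); there is no assertion that a mixed-case spelling of a name that is not allowlisted, or of one the injector forces itself, is still removed, and that is the security-relevant half now that the two lookups differ in case handling. I would add a second assertion to the same test or a sibling `testCaseInsensitiveStillDropsUnknownParam`, feeding such a param and expecting it to be stripped. The string literals inside `assertResult` are not visible in this rendering of the patch, so the exact expected markup cannot be checked here.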