From 4d612d5a7730858465fefb22f75d8cec08337e21 Mon Sep 17 00:00:00 2001
From: "Edward Z. Yang" <ezyang@mit.edu>
Date: Tue, 9 Mar 2010 17:29:38 -0500
Subject: [PATCH] Improve handling of malformed object parameters.

When specifying source material for <object> tags, you must use
data inside the object tag as well as specify movie in a param.
If you specify a src (which is the appropriate markup for <embed>)
we now convert and fill in the other attributes appropriately.

Also, fix a PHP warning in Generator code.

Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
---
 TODO                                             |  1 +
 library/HTMLPurifier/AttrTransform/SafeParam.php |  2 ++
 library/HTMLPurifier/Generator.php               |  2 +-
 library/HTMLPurifier/HTMLModule/SafeObject.php   |  5 ++++-
 library/HTMLPurifier/Injector/SafeObject.php     |  4 +++-
 smoketests/preserveYouTube.php                   | 16 ++++++----------
 6 files changed, 17 insertions(+), 13 deletions(-)

diff --git a/TODO b/TODO
index 2a282f55..891fcf5d 100644
--- a/TODO
+++ b/TODO
@@ -18,6 +18,7 @@ Things to do as soon as possible:
  - Fix "<.<" bug (trailing < is removed if not EOD)
  - Build in better internal state dumps and debugging tools for remote
    debugging
+ - Allowed/Allowed* have strange interactions when both set
 
 FUTURE VERSIONS
 ---------------
diff --git a/library/HTMLPurifier/AttrTransform/SafeParam.php b/library/HTMLPurifier/AttrTransform/SafeParam.php
index 6451404c..3f992ec3 100644
--- a/library/HTMLPurifier/AttrTransform/SafeParam.php
+++ b/library/HTMLPurifier/AttrTransform/SafeParam.php
@@ -37,6 +37,8 @@ class HTMLPurifier_AttrTransform_SafeParam extends HTMLPurifier_AttrTransform
                 $attr['value'] = 'window';
                 break;
             case 'movie':
+            case 'src':
+                $attr['name'] = "movie";
                 $attr['value'] = $this->uri->validate($attr['value'], $config, $context);
                 break;
             case 'flashvars':
diff --git a/library/HTMLPurifier/Generator.php b/library/HTMLPurifier/Generator.php
index dcc22af1..4a624172 100644
--- a/library/HTMLPurifier/Generator.php
+++ b/library/HTMLPurifier/Generator.php
@@ -142,8 +142,8 @@ class HTMLPurifier_Generator
                         if ($name == "movie") $name = "src";
                         $compat_token->attr[$name] = $val;
                     }
+                    $_extra = "<!--[if IE]>".$this->generateFromToken($compat_token)."<![endif]-->";
                 }
-                $_extra = "<!--[if IE]>".$this->generateFromToken($compat_token)."<![endif]-->";
             }
             return $_extra . '</' . $token->name . '>';
 
diff --git a/library/HTMLPurifier/HTMLModule/SafeObject.php b/library/HTMLPurifier/HTMLModule/SafeObject.php
index 33bac00c..64ab8c07 100644
--- a/library/HTMLPurifier/HTMLModule/SafeObject.php
+++ b/library/HTMLPurifier/HTMLModule/SafeObject.php
@@ -28,7 +28,10 @@ class HTMLPurifier_HTMLModule_SafeObject extends HTMLPurifier_HTMLModule
                 'type'   => 'Enum#application/x-shockwave-flash',
                 'width'  => 'Pixels#' . $max,
                 'height' => 'Pixels#' . $max,
-                'data'   => 'URI#embedded'
+                'data'   => 'URI#embedded',
+                'classid' => 'Enum#clsid:d27cdb6e-ae6d-11cf-96b8-444553540000',
+                'codebase' => new HTMLPurifier_AttrDef_Enum(array(
+                    'http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0')),
             )
         );
         $object->attr_transform_post[] = new HTMLPurifier_AttrTransform_SafeObject();
diff --git a/library/HTMLPurifier/Injector/SafeObject.php b/library/HTMLPurifier/Injector/SafeObject.php
index 4939f277..9e178ce0 100644
--- a/library/HTMLPurifier/Injector/SafeObject.php
+++ b/library/HTMLPurifier/Injector/SafeObject.php
@@ -21,6 +21,7 @@ class HTMLPurifier_Injector_SafeObject extends HTMLPurifier_Injector
         'wmode' => true,
         'movie' => true,
         'flashvars' => true,
+        'src' => true,
     );
 
     public function prepare($config, $context) {
@@ -48,7 +49,8 @@ class HTMLPurifier_Injector_SafeObject extends HTMLPurifier_Injector
                 // We need this fix because YouTube doesn't supply a data
                 // attribute, which we need if a type is specified. This is
                 // *very* Flash specific.
-                if (!isset($this->objectStack[$i]->attr['data']) && $token->attr['name'] == 'movie') {
+                if (!isset($this->objectStack[$i]->attr['data']) &&
+                    ($token->attr['name'] == 'movie' || $token->attr['name'] == 'src')) {
                     $this->objectStack[$i]->attr['data'] = $token->attr['value'];
                 }
                 // Check if the parameter is the correct value but has not
diff --git a/smoketests/preserveYouTube.php b/smoketests/preserveYouTube.php
index af538a20..d114dbe8 100644
--- a/smoketests/preserveYouTube.php
+++ b/smoketests/preserveYouTube.php
@@ -17,13 +17,14 @@ echo '<?xml version="1.0" encoding="UTF-8" ?>';
 
 $string = '<object width="425" height="350"><param name="movie" value="http://www.youtube.com/v/BdU--T8rLns"></param><param name="wmode" value="transparent"></param><embed src="http://www.youtube.com/v/BdU--T8rLns" type="application/x-shockwave-flash" wmode="transparent" width="425" height="350"></embed></object>
 
-<object width="416" height="337"><param name="movie" value="http://www.youtube.com/cp/vjVQa1PpcFNbP_fag8PvopkXZyiXyT0J8U47lw7x5Fc="></param><embed src="http://www.youtube.com/cp/vjVQa1PpcFNbP_fag8PvopkXZyiXyT0J8U47lw7x5Fc=" type="application/x-shockwave-flash" width="416" height="337"></embed></object>';
+<object width="416" height="337"><param name="movie" value="http://www.youtube.com/cp/vjVQa1PpcFNbP_fag8PvopkXZyiXyT0J8U47lw7x5Fc="></param><embed src="http://www.youtube.com/cp/vjVQa1PpcFNbP_fag8PvopkXZyiXyT0J8U47lw7x5Fc=" type="application/x-shockwave-flash" width="416" height="337"></embed></object>
 
-$regular_purifier = new HTMLPurifier();
+<object width="640" height="385"><param name="movie" value="http://www.youtube.com/v/uNxBeJNyAqA&hl=en_US&fs=1&"></param><param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="always"></param><embed src="http://www.youtube.com/v/uNxBeJNyAqA&hl=en_US&fs=1&" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="640" height="385"></embed></object>
 
-$youtube_purifier = new HTMLPurifier(array(
-    'Filter.YouTube' => true,
-));
+<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0" height="385" width="480"><param name="width" value="480" /><param name="height" value="385" /><param name="src" value="http://www.youtube.com/p/E37ADDDFCA0FD050&amp;hl=en" /><embed height="385" src="http://www.youtube.com/p/E37ADDDFCA0FD050&amp;hl=en" type="application/x-shockwave-flash" width="480"></embed></object>
+';
+
+$regular_purifier = new HTMLPurifier();
 
 $safeobject_purifier = new HTMLPurifier(array(
     'HTML.SafeObject' => true,
@@ -42,11 +43,6 @@ if (isset($_GET['break'])) echo $string;
 echo $regular_purifier->purify($string);
 ?></div>
 
-<h2>With YouTube exception</h2>
-<div><?php
-echo $youtube_purifier->purify($string);
-?></div>
-
 <h2>With SafeObject exception and flash compatibility</h2>
 <div><?php
 echo $safeobject_purifier->purify($string);
-- 
2.11.4.GIT