It is no exaggeration when I say that more than half of the support requests on HTML Purifier are for Flash. I don't hold any especial fondness for the technology: from a purely security standpoint—that is, after all, what HTML Purifier is about, right?—the platform is utterly byzantine, a twisty maze of flags and syntax and variations that makes it really hard to whitelist properly. I'd be much happier if no one used the damn software, and that shows in HTML Purifier's support for it; if you would like to support Flash videos, you either:
- Hack around it manually using a filter which needs to be custom tailored for each website you wish to support, or
- Use SafeObject and SafeEmbed.
From an end-user perspective, I've basically become convinced that the filter approach is not scalable; people expect to be able to include videos from any website. Thus, work needs to be devoted to SafeObject and SafeEmbed to make them more robust. Specifically, we need:
- Support for the flashvars parameter, which some Flash players use in order to specify what content is being played,
- Support for Internet Explorer compatibility code, which gets specifically removed right now since we don't understand Internet Explorer conditional comments, and
- Better documentation about what is up with all of the different ways of setting up Flash.
I'm working on a patch as we speak to make flashvars happen. I have no idea if this is going to introduce a security vulnerability, although my gut feeling is that anything a user could have done with a flashvar, they could have done with a malicious swf file.
For compatibility code, there has been a patch bandied around on the forums for some time now. I spent a few hours looking at it and decided that the approach was wrong, so I am scrapping it. Instead, I'll be adding a special hack that generates the Internet Explorer compatibility code whenever we see an object tag.
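To make the two pieces above concrete, here is an added PHP sketch; it is example code written for this post's topic, not HTML Purifier's own SafeObject or compatibility-code implementation. It whitelists a Flash object's params, parses flashvars as a query string and re-encodes every value so nothing can ride back into the markup, forces two safety params last so a user copy cannot override them, and has the sanitizer itself emit the Internet Explorer wrapper rather than trying to understand user-supplied conditional comments. The allowed parameter names, the forced params, the wmode values and the markup layout are assumptions of this example.

```php
<?php
// Added example, not HTML Purifier's own code: a small whitelist for a Flash
// <object> in the spirit of SafeObject. The allowed parameter names, the
// forced safety params and the rendering layout are this example's own
// policy assumptions, not a description of what HTML Purifier does.

const ALLOWED_PARAMS = ['movie', 'flashvars', 'wmode', 'allowfullscreen'];
const FORCED_PARAMS  = ['allowScriptAccess' => 'never', 'allowNetworking' => 'internal'];
const FLASH_CLASSID  = 'clsid:D27CDB6E-AE6D-11cf-96B8-444553540000'; // Flash ActiveX control

// Only plain http(s) URLs may be loaded as the movie (no javascript:, data:, file:).
function safe_movie_url(string $url): ?string {
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    return in_array(strtolower($parts['scheme']), ['http', 'https'], true) ? $url : null;
}

// flashvars is a query-string-like "k=v&k2=v2" blob. Keep only identifier-like
// keys and re-encode every value so quotes and angle brackets cannot ride back
// into the markup. Anything the player could do with these values it could
// equally do from inside the SWF, so the goal here is markup safety.
function safe_flashvars(string $raw): string {
    parse_str($raw, $pairs);
    $kept = [];
    foreach ($pairs as $key => $value) {
        if (!is_string($value)) {                      // drops nested a[]=... forms
            continue;
        }
        if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', (string) $key)) {
            continue;
        }
        $kept[$key] = $value;
    }
    return http_build_query($kept, '', '&', PHP_QUERY_RFC3986);
}

// Filter user-supplied <param> name => value pairs. Unknown names are dropped,
// known ones are validated, and the forced safety params are merged in last.
// Their keys never appear in ALLOWED_PARAMS, so a user copy cannot override them.
function sanitize_params(array $params): array {
    $out = [];
    foreach ($params as $name => $value) {
        $lname = strtolower($name);
        if (!in_array($lname, ALLOWED_PARAMS, true)) {
            continue;
        }
        switch ($lname) {
            case 'movie':
                $value = safe_movie_url((string) $value);
                break;
            case 'flashvars':
                $value = safe_flashvars((string) $value);
                break;
            case 'wmode':
                $value = in_array($value, ['window', 'opaque', 'transparent'], true) ? $value : null;
                break;
            case 'allowfullscreen':
                $value = ($value === 'true') ? 'true' : 'false';
                break;
        }
        if ($value !== null) {
            $out[$lname] = $value;
        }
    }
    return $out + FORCED_PARAMS;
}

// "Twice-cooked" markup: an outer classid <object> that Internet Explorer
// understands, wrapping a standards <object> that IE is told to skip via a
// conditional comment. Because the comment is emitted here, after filtering,
// the sanitizer never has to parse user-supplied conditional comments.
function render_flash_object(array $params, int $width, int $height): string {
    $p = sanitize_params($params);
    if (!isset($p['movie'])) {
        return '';
    }
    $esc = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
    $paramTags = '';
    foreach ($p as $name => $value) {
        $paramTags .= sprintf('<param name="%s" value="%s" />', $esc($name), $esc($value));
    }
    $size = sprintf('width="%d" height="%d"', $width, $height);
    return sprintf(
        '<object classid="%s" %s>%s<!--[if !IE]>--><object type="application/x-shockwave-flash" data="%s" %s>%s</object><!--<![endif]--></object>',
        FLASH_CLASSID, $size, $paramTags, $esc($p['movie']), $size, $paramTags
    );
}

// Usage with constructed input: the user's allowScriptAccess=always is dropped
// and replaced by the forced value, the "bad-key" flashvar is removed because
// its name is not an identifier, and the quote in "title" is re-encoded.
echo render_flash_object([
    'movie'             => 'http://example.com/player.swf',
    'flashvars'         => 'file=clip.flv&autostart=true&title=a"b&bad-key=<script>',
    'allowScriptAccess' => 'always',
], 425, 350), "\n";
```

The design point worth noticing is that the two forced params are merged after the user's params and under names that the whitelist never accepts, so the user cannot supply a competing copy; and that the Internet Explorer wrapper is generated from already-filtered data, which is what lets the sanitizer keep stripping any conditional comments it finds in input.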
And of course, everyone loves documentation. I'll be drawing up another document about using SafeObject and SafeEmbed effectively once these changes are released.
Thank you all for being patient!