Generic video/embed filter?

Wouldn't it make sense if we're using trusted, to allow more flexibility in params such as allowfullscreen?

Also, why is allowfullscreen a security risk?

Sorry; allowfullscreen should be allowed in %HTML.Trusted; but not allowed in %HTML.SafeObject. If your testing indicates otherwise there is probably a bug.

Yep, that was it. Now this makes perfect sense to me. Great work!

Ambush Commander, please, give me advice. I want to allow "flashvars" param in tag. How I could do it? I don`t want big security in embed, i just want to allow this param, because its very important. I tried to modify AttrTransform\SafeEmbed.php, but as I understood, $attr already contains only allowed tags.. So, please give me some tip how to allow this param. Big thx.

Try the solution here: http://htmlpurifier.org/phorum/read.php?3,4324,4334#msg-4334

After I download the latest dev version (2010-03-10) and try to output an embedded video (non-Youtube), I get the following warning:

Warning: Cannot set undefined directive Output.FlashCompat to value on line 10 in file /path/to/myfile.php in /path/to/htmlpurifier/library/HTMLPurifier/Config.php  on line 564

Config code:

$config = HTMLPurifier_Config::createDefault();
$config->set('Output.TidyFormat', true);
$config->set('HTML.Doctype', 'HTML 4.01 Transitional'); // replace with your doctype
$config->set('HTML.SafeObject', true);
$config->set('Output.FlashCompat', true);
$config->set('HTML.SafeEmbed', true);

That gives me an embed, but without the flashvars required to make the video work. I see other people are having success with HTML.SafeEmbed and Output.FlashCompat, but it seems that the version of the code that I have just doesn't recognize that FlashCompat exists. Any ideas?

That error message implies that you're not actually using the development version?

Yeah, that's what I thought. Which file actually defines the new Output.FlashCompat directive? I tried to find it in the diffs to make sure that I was using the version that has that defined, but I didn't see it anywhere.

Thanks for your help!

It's a little complicated, but you should have a file library/HTMLPurifier/ConfigSchema/schema/Output.FlashCompat.txt

Okay, I reuploaded the dev branch to my server and the Output.FlashCompat error went away. Thanks for helping me troubleshoot it.

Next issue: even with that fixed, my embed is still getting its flashvars stripped out. It's the generic embed code generated by the JW Player. I understand not allowing script access or fullscreen, but it needs its flashvars. Object-based embeds work fine. Any ideas?

Input :

<embed src='http://www.curtisgibby.com/pages/player-viral.swf' height='240' width='320' allowscriptaccess='always' allowfullscreen='true' flashvars='image=http%3A%2F%2Fwww.curtisgibby.com%2Fthumbs%2FEaster2009-NathanSwinging.jpg&file=http%3A%2F%2Fwww.curtisgibby.com%2Fpics%2FEaster2009-NathanSwinging.flv&plugins=viral-1d'/>

Output :

<embed src='http://www.curtisgibby.com/pages/player-viral.swf' height='240' width='320' allowscriptaccess='never' allownetworking='internal' type='application/x-shockwave-flash'>

Config :

$config = HTMLPurifier_Config::createDefault();
$config->set('Output.TidyFormat', true);
$config->set('HTML.Doctype', 'HTML 4.01 Transitional');
$config->set('HTML.SafeObject', true);
$config->set('HTML.SafeEmbed', true);
$config->set('Output.FlashCompat', true);
$purifier = new HTMLPurifier($config);

Drop %HTML.SafeEmbed, it doesn't do the right thing. I guess we need to match embed tags and build up the entire thing. Marking this as a bug.

Ok, I fixed the flashvars in embed issue, though you'll still need %HTML.Embed on.

Fantastic, I appreciate it. I'm glad it wasn't just me, and that I was able to help improve the code by bringing this up.

I don't see those changes in the Git repo yet. Are you going to commit them so I can pull the new version?

Whoops, forgot to do that. Should be pushed now.

Thanks, Edward.

I've updated my site with the latest "flashvars"-enabled code, but that parameter is still getting stripped out of my embed -- same results as before. (Both with and without %HTML.SafeObject enabled.) Can someone else confirm that a JW embed does work with the parameters described as above?

I tested locally and all of the relevant attributes seem to have been preserved. I bet you need to flush your cache; run php maintenance/flush.php

Running the flush gave me an error on the command line, but after I physically deleted the HTML Purifier directory on my server and re-uploaded it, I was able to get it to work. Thanks for your help in getting this up and running. Great tool you guys have built here.

Hello,

I have the latest version from git. I am using the drupal module. I have set SafeEmbed and SafeObject on. I have "Trusted" off. I also have FlashCompat on. I have cleared all caches.

But the embed tag is still getting stripped out.

Is there some other setting I need to deal with?

Thanks

Todd

Can you post your code?

well I am using the Drupal module, so I am guessing you want to see the code that I using, not my implementation code.

Here is it is

<embed allowfullscreen="true" allowscriptaccess="always" height="400" src="http://blip.tv/play/hb0hgdL%2BFQA%2Em4v" type="application/x-shockwave-flash" width="600"></embed>

Thanks

Todd

Delete the htmlpurifier folder containing the library, and then reupload the Git version?

I deleted the "library" folder and re-uploaded the one from git, I cleared all caches and still no movies :>(

Thanks

Todd

What happens if you turn FlashCompat off? What happens if you turn Trusted on?

Turning "trusted" and "flashCompat" on or off in any combinatino has no effect.

If use " the object tag comes through but it is stripped of its parameters. Also embed is removed, but I have seen embed just be commented out for IE too, (not seeing that now)

before

<object height="385" width="480"><param name="movie" value="http://www.youtube.com/v/A_L8sW_ULH8&amp;hl=en_US&amp;fs=1&amp;" /><param name="allowFullScreen" value="true" /><param name="allowscriptaccess" value="always" /><embed allowfullscreen="true" allowscriptaccess="always" height="385" src="http://www.youtube.com/v/A_L8sW_ULH8&amp;hl=en_US&amp;fs=1&amp;" type="application/x-shockwave-flash" width="480"></embed></object>

after

<object height="385" width="480" type="application/x-shockwave-flash"><param name="allowScriptAccess" value="never" /><param name="allowNetworking" value="internal" /><param name="movie" value="" /></object>

Todd

Got it!

you must have DisableExternalResources set to "off"!

Todd

to recap... settings that are working for me.

SafeEmbed - "yes" SafeObject - "yes" Trusted - "No" DisableExternalResources - "No"

Drupal Module 6.x-2.1 (http://drupal.org/project/htmlpurifier) Latest git version from Tue, 30 Mar 2010 17:33:13 +0000

Finally - Drupal, CKeditor, IMCE and HTMLPurifier - all playing nice with one another!

Thanks very much for a nice bit o work!

Todd

Clarification

"Latest git version from Tue, 30 Mar 2010 17:33:13 +0000"

refers the the HTML Purifier itself, not the drupal module.

Glad that you figured it out.

See below. Miss-post.

There's a bug on line 145 of the Generator when using FlashCompat for embed objects.

Once the

<!--[if IE]><![endif]-->

is included, each additional time the filter is run it will keep appending that string.

For example, if the filter is run 2x, this is the resulting code:

<object width="640" height="385">
  <param name="movie" value="http://www.youtube.com/v/2mNB_VG_shc&hl=en_US&fs=1&" />
  <param name="allowFullScreen" value="true" />
  <param name="allowscriptaccess" value="always" />
  <!--[if IE]><embed width="640" height="385" src="http://www.youtube.com/v/2mNB_VG_shc&amp;hl=en_US&amp;fs=1&amp;" allowFullScreen="true" allowscriptaccess="always" /><![endif]--><!--[if IE]><embed width="640" height="385" src="http://www.youtube.com/v/2mNB_VG_shc&amp;hl=en_US&amp;fs=1&amp;" allowFullScreen="true" allowscriptaccess="always" /><![endif]-->
</object>