
Generic video/embed filter?

Posted by zmonteca 
Generic video/embed filter?
August 07, 2009 07:42PM

I have read over oodles of posts here and have been unable to find exactly what I'm looking for. I'm looking for something more generic than the YouTube filter in the core of HTML Purifier. The reason for this is I need to support numerous videos, most of the sites would be unknown. Additionally, supporting the flashvars tag is imperative.

Can anyone provide any insight on this?

As it stands now, I have this config and flashvars is filtered out:

require_once 'HTMLPurifier.auto.php';
$config = HTMLPurifier_Config::createDefault();
$config->set('Core.Encoding', 'UTF-8');
$config->set('HTML.Doctype', 'XHTML 1.0 Transitional');
// $config->set('Output.TidyFormat', true);
$config->set('AutoFormat.AutoParagraph', true);
$config->set('AutoFormat.DisplayLinkURI', true);
$config->set('AutoFormat.Linkify', true);
$config->set('AutoFormat.RemoveEmpty', true);
$config->set('AutoFormat.RemoveEmpty.RemoveNbsp.Exceptions', array('td', 'th'));
$config->set('AutoFormat.RemoveEmpty.RemoveNbsp', true);
$config->set('HTML.SafeObject', true);
$config->set('HTML.SafeEmbed', true);
$config->set('HTML.Trusted', true);
$config->set('HTML.TidyLevel', 'light');
$config->set('HTML.EnableAttrID', true);
// $config->set('HTML.Allowed', 'flashvars', 'object', 'embed', 'param');
// HTML.Allowed takes a single comma-separated string, not an array, and
// flashvars is an attribute of embed rather than an element, so it is
// written in the element[attr] form.
$config->set('HTML.Allowed', 'param,object,embed[flashvars]');
$config->set('Cache.SerializerPath', Base::clientPath().Cache::DIRECTORY);
$config->set('Filter.YouTube', true);
// $config->set('Filter.Embed', true);
// $config->set('Filter.Playlist', true);

$purifier = new HTMLPurifier($config);
$this->post_data[$var_name] = $purifier->purify($post_value);

On a side note, I was _trying_ to write my own filter, but could never get it to run. Is there something I need to do to activate the plugin?

Re: Generic video/embed filter?
August 07, 2009 07:42PM

Thanks in advance for any help!

Re: Generic video/embed filter?
August 07, 2009 08:48PM

There is no generic filter currently available. Which sites do you wish to support?

Re: Generic video/embed filter?
August 10, 2009 12:35PM

That's the thing, I don't know what sites the users are going to be using. It's too wide of an array of sites. I know that I can trust they are posting videos that won't have XSS or other hacks in them.

Any thoughts?

Bryan Casler
Re: Generic video/embed filter?
December 09, 2009 04:18PM

This is the problem I am currently facing, but I can say that 90% of videos are coming from (in order of importance)

Youtube, DemocracyNow, Vimeo, Blip.tv

Also, when I post a youtube video the video becomes double posted.

Input

<object width="425" height="344"><param name="movie" value="http://www.youtube.com/v/5FXftDcwL-w&hl=en_US&fs=1&"></param><param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="always"></param><embed src="http://www.youtube.com/v/5FXftDcwL-w&hl=en_US&fs=1&" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="425" height="344"></embed></object>

Output

<object height="344" width="425" data="http://www.youtube.com/v/5FXftDcwL-w&amp;hl=en_US&amp;fs=1&amp;" type="application/x-shockwave-flash"><param name="allowScriptAccess" value="never" /><param name="allowNetworking" value="internal" /><param name="movie" value="http://www.youtube.com/v/5FXftDcwL-w&amp;hl=en_US&amp;fs=1&amp;" /></object><embed height="344" src="http://www.youtube.com/v/5FXftDcwL-w&amp;hl=en_US&amp;fs=1&amp;" type="application/x-shockwave-flash" width="425" allowscriptaccess="never" allownetworking="internal" />

Re: Generic video/embed filter?
December 10, 2009 11:18PM

That's kind of odd; I wonder why the embed is floating to the outside of the object tag. What technique are you using?

Sardar
Re: Generic video/embed filter?
March 01, 2010 11:50PM

I have the same problems using the SafeObject and SafeEmbed options. Also I can't add object and embed to the allowed tag list. I wonder if such a huge lib can't help to add any embed/object code, just removing XSS. If anybody knows, please explain how I can do it. Thanks in advance!

Matt
Re: Generic video/embed filter?
March 05, 2010 11:45AM

What's going on here:

Working external flash, without purifier:

<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0" height="385" width="480"><param name="width" value="480" /><param name="height" value="385" /><param name="src" value="http://www.youtube.com/p/E37ADDDFCA0FD050&amp;hl=en" /><embed height="385" src="http://www.youtube.com/p/E37ADDDFCA0FD050&amp;hl=en" type="application/x-shockwave-flash" width="480"></embed></object>

Dead (not showing flash) with SafeObject and SafeEmbed:

<object width="480" height="385" type="application/x-shockwave-flash"><param value="never" name="allowScriptAccess"><param value="internal" name="allowNetworking"><embed width="480" height="385" allownetworking="internal" allowscriptaccess="never" type="application/x-shockwave-flash" src="http://www.youtube.com/p/E37ADDDFCA0FD050&amp;hl=en"></object>

I notice it removed all the original params. Why? That's probably critical.

Why on earth is there no option to allow flash, i.e. for semi-trusted site admins?

Re: Generic video/embed filter?
March 05, 2010 11:55AM

SafeObject and SafeEmbed are a hacked up solution that only partially does the right thing with respect to embedding things, as you guys have shown.

The parameters you're asking for have known XSS vulnerabilities in them. An implementation will have to think very carefully about what it wants to accept for them.

This has been on my TODO list for a while. It will eventually get done, but it requires more legwork than you might think.

Re: Generic video/embed filter?
March 08, 2010 02:04AM

I'm happy to report that a solution has hit the HTML Purifier development branch! You can check out the code from http://repo.or.cz/w/htmlpurifier.git and you can enable it using this code:

$config->set('HTML.SafeObject', true);
$config->set('Output.FlashCompat', true);

If you were using %HTML.SafeEmbed, that code is no longer necessary and you should disable it. Please let me know if there are any bugs!
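As an added example (not code from the thread or from the HTML Purifier project), here is the enable step above wrapped in a small harness that runs the YouTube markup posted earlier in this thread through the purifier and then checks the output for the two protections the SafeObject module is meant to force, refusing to store the result if either is missing. It assumes HTML Purifier is installed so that HTMLPurifier.auto.php is on the include path; the function names are this example's own.

```php
<?php
// Added example, not from the thread or the HTML Purifier project.
// Assumes HTMLPurifier.auto.php is reachable on the include path.
require_once 'HTMLPurifier.auto.php';

function buildSafeObjectPurifier()
{
    $config = HTMLPurifier_Config::createDefault();
    $config->set('Core.Encoding', 'UTF-8');
    $config->set('HTML.Doctype', 'XHTML 1.0 Transitional');
    // The two directives named in the announcement. %HTML.SafeObject supplies a
    // restricted <object>/<param> definition; %Output.FlashCompat emits the
    // matching <embed> for browsers that need it. %HTML.SafeEmbed stays off.
    $config->set('HTML.SafeObject', true);
    $config->set('Output.FlashCompat', true);
    return new HTMLPurifier($config);
}

// Post-purification sanity check: the two attributes a Flash sandbox relies
// on must come out as allowScriptAccess=never and allowNetworking=internal.
// Each regex matches only when an attribute is present with some OTHER value,
// so a match means the protection did not take effect.
function findUnsafeFlashAttributes($html)
{
    $checks = array(
        'allowScriptAccess is not "never"'   => '/allowscriptaccess\s*=\s*["\'](?!never["\'])/i',
        'allowNetworking is not "internal"'  => '/allownetworking\s*=\s*["\'](?!internal["\'])/i',
        'param allowScriptAccess not "never"' => '/name=["\']allowscriptaccess["\'][^>]*value=["\'](?!never["\'])/i',
    );
    $problems = array();
    foreach ($checks as $label => $re) {
        if (preg_match($re, $html)) {
            $problems[] = $label;
        }
    }
    return $problems;
}

// Sample input: the YouTube markup posted earlier in this thread, which asks
// for allowscriptaccess="always" on both the <param> and the <embed>.
$sample = '<object width="425" height="344">'
    . '<param name="movie" value="http://www.youtube.com/v/5FXftDcwL-w&hl=en_US&fs=1&"></param>'
    . '<param name="allowFullScreen" value="true"></param>'
    . '<param name="allowscriptaccess" value="always"></param>'
    . '<embed src="http://www.youtube.com/v/5FXftDcwL-w&hl=en_US&fs=1&" type="application/x-shockwave-flash"'
    . ' allowscriptaccess="always" allowfullscreen="true" width="425" height="344"></embed></object>';

$purifier = buildSafeObjectPurifier();
$clean    = $purifier->purify($sample);
$problems = findUnsafeFlashAttributes($clean);
if ($problems) {
    // Refuse to store rather than trust a partially sanitized embed.
    throw new RuntimeException('Unsafe Flash attributes survived purification: ' . implode(', ', $problems));
}
echo $clean, "\n";
```

The check is deliberately independent of the purifier: if a future configuration change (for instance turning %HTML.Trusted back on) lets `allowscriptaccess="always"` through, the application notices at save time instead of discovering it in a user's browser.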

rocker
Re: Generic video/embed filter?
March 09, 2010 10:29AM

Amazing! Big thx to Edward Z. Yang for the last changes.

Re: Generic video/embed filter?
March 09, 2010 12:46PM

With this, are we still required to use the Filters (Filter.YouTube) or should this implicitly work for _all_ flash objects?

I'm not having any success with the example posted above:

<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0" height="385" width="480"><param name="width" value="480" /><param name="height" value="385" /><param name="src" value="http://www.youtube.com/p/E37ADDDFCA0FD050&amp;hl=en" /><embed height="385" src="http://www.youtube.com/p/E37ADDDFCA0FD050&amp;hl=en" type="application/x-shockwave-flash" width="480"></embed></object>

Re: Generic video/embed filter?
March 09, 2010 12:51PM

Ooh, I didn't realize people used param src. Let me fix that.

Re: Generic video/embed filter?
March 09, 2010 12:55PM

What about the filters enabled? Is that still required?

Here are my configs, which leave me with completely stripped out code in my data:

The code is stripped with my filters enabled and disabled.

$config->set('Core.Encoding', 'UTF-8');
$config->set('HTML.Doctype', 'XHTML 1.0 Transitional');
$config->set('Output.TidyFormat', true);
// $config->set('AutoFormat.AutoParagraph', true); // This directive turns on auto-paragraphing, where double newlines are converted in to paragraphs whenever possible.
// $config->set('AutoFormat.DisplayLinkURI', false); // For example, <a href="http://example.com">example</a> becomes example (http://example.com).
$config->set('AutoFormat.Linkify', true); // auto-linking http, ftp and https URLs. <a> tags with the href attribute must be allowed.
$config->set('AutoFormat.RemoveEmpty', true);
$config->set('AutoFormat.RemoveEmpty.RemoveNbsp', true);
$config->set('AutoFormat.RemoveEmpty.RemoveNbsp.Exceptions', array('td', 'th'));
$config->set('HTML.SafeObject', true);
$config->set('Output.FlashCompat', true);
// $config->set('HTML.SafeEmbed', true);
$config->set('HTML.Trusted', true);
$config->set('HTML.TidyLevel', 'light');
$config->set('Attr.EnableID', true);
$config->set('Cache.SerializerPath', Base::clientPath().Cache::DIRECTORY);
$config->set('Filter.YouTube', true);
$config->set('Filter.Video', true);

Also just noticed this in the logs:

[09-Mar-2010 12:04:19] PHP Notice: Undefined variable: compat_token in ./library/HTMLPurifier/Generator.php on line 146
[09-Mar-2010 12:04:19] PHP Warning: Cannot generate HTML from non-HTMLPurifier_Token object in ./library/HTMLPurifier/Generator.php on line 114

Re: Generic video/embed filter?
March 09, 2010 01:05PM

I don't believe filters are necessary with the new code.

Re: Generic video/embed filter?
March 09, 2010 01:07PM

Well in that case, I'm having zero success with the new implementation.

Re: Generic video/embed filter?
March 09, 2010 01:16PM

As I said, the code you posted doesn't work with the new system. Wait for a patch.

Re: Generic video/embed filter?
March 09, 2010 01:20PM

OK. I'm just trying to be verbose. What I was trying to say is that the latest from git is not allowing me to embed any objects, not just the one above. Take, for example, any youtube video:

<object width="640" height="385"><param name="movie" value="http://www.youtube.com/v/uNxBeJNyAqA&hl=en_US&fs=1&"></param><param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="always"></param><embed src="http://www.youtube.com/v/uNxBeJNyAqA&hl=en_US&fs=1&" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="640" height="385"></embed></object>

Re: Generic video/embed filter?
March 09, 2010 01:23PM

Hmm, that's exceedingly strange. I'll look into it.

Re: Generic video/embed filter?
March 09, 2010 01:24PM

Thanks.

Re: Generic video/embed filter?
March 09, 2010 03:18PM

Ok. What happens if you turn off %Output.TidyFormat, %HTML.SafeObject and your filters?

Re: Generic video/embed filter?
March 09, 2010 03:25PM

I have success with both off and TidyFormat ON and SafeObject OFF. However, both ON does NOT work.

Re: Generic video/embed filter?
March 09, 2010 03:27PM

Ok. I bet %HTML.Trusted and %HTML.SafeObject are clobbering each other; they both define definitions for object; one is more permissive than the other.

Re: Generic video/embed filter?
March 09, 2010 03:32PM

With both Trusted and SafeObject off, it doesn't work.

With both Trusted and SafeObject on, it doesn't work.

With Trusted on and SafeObject off, it does work.

Re: Generic video/embed filter?
March 09, 2010 03:38PM

Right. And I'm cooking up a patch that will make it work with %HTML.SafeObject only. I hope you're using %HTML.Trusted with _trusted_ users.

Re: Generic video/embed filter?
March 09, 2010 03:40PM

Terrific.

Yes, I'm using Trusted with an application that only paid users have access to.

Re: Generic video/embed filter?
March 09, 2010 05:33PM

Pushed a new version. Please try it out.

Re: Generic video/embed filter?
March 09, 2010 05:43PM

Does not work with Trusted and SafeObject on.

It appears that some params are still being stripped out (see below). Was that the intent?

<object width="480" height="400"><param name="movie" value="http://www.scivee.tv/flash/embedCast.swf" /><param name="allowfullscreen" value="true" /><param name="flashvars" value="id=13328&type=2" /><embed src="http://www.scivee.tv/flash/embedCast.swf" allowfullscreen="true" width="480" height="400" flashvars="id=13328&type=2"></embed></object>

The example using param src works perfectly now, though.

Re: Generic video/embed filter?
March 09, 2010 05:54PM

Possibly; I assume you're referring to allowfullscreen. Security risk, definitely.

You're not supposed to use Trusted and SafeObject at the same time. Pick one or the other.
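Since the thread settles on "pick one or the other", here is an added example (not code from the thread or from the HTML Purifier project) of keeping %HTML.Trusted and %HTML.SafeObject in separate configurations chosen by the poster's role, so the two object definitions never land in the same config and clobber each other. It assumes HTML Purifier is on the include path; the role names and the function name are this example's own, and the sample markup is the scivee.tv embed posted above.

```php
<?php
// Added example, not from the thread or the HTML Purifier project.
// Assumes HTMLPurifier.auto.php is reachable on the include path.
require_once 'HTMLPurifier.auto.php';

// Build a purifier for one trust level. Exactly one of %HTML.Trusted or
// %HTML.SafeObject is set, never both, because each supplies its own
// definition of <object> and the two do not compose.
function purifierForRole($role)
{
    $config = HTMLPurifier_Config::createDefault();
    $config->set('Core.Encoding', 'UTF-8');
    $config->set('HTML.Doctype', 'XHTML 1.0 Transitional');

    if ($role === 'site_admin') {
        // Full-trust profile: arbitrary <object>/<embed> passes through. Reserve
        // this for accounts that could already edit the site's own markup; a
        // paying customer is not the same thing as a trusted author.
        $config->set('HTML.Trusted', true);
    } else {
        // Everyone else gets the restricted <object> definition, which forces
        // allowScriptAccess=never and allowNetworking=internal and drops
        // params the module does not recognise.
        $config->set('HTML.SafeObject', true);
        $config->set('Output.FlashCompat', true);
    }
    return new HTMLPurifier($config);
}

// Sample input: the scivee.tv markup posted above, constructed here as a
// string so the example runs without any network access.
$embed = '<object width="480" height="400">'
    . '<param name="movie" value="http://www.scivee.tv/flash/embedCast.swf" />'
    . '<param name="allowfullscreen" value="true" />'
    . '<param name="flashvars" value="id=13328&type=2" />'
    . '<embed src="http://www.scivee.tv/flash/embedCast.swf" allowfullscreen="true"'
    . ' width="480" height="400" flashvars="id=13328&type=2"></embed></object>';

// Usage: purify the same markup under both profiles and compare what survives.
foreach (array('site_admin', 'member') as $role) {
    echo "[$role]\n", purifierForRole($role)->purify($embed), "\n\n";
}
```

Running the same input through both profiles makes the difference visible: the trusted profile keeps the markup essentially as posted, while the SafeObject profile rewrites the script-access and networking parameters and removes the ones it does not know, which is the behaviour the earlier reply describes as intentional.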

Re: Generic video/embed filter?
March 09, 2010 06:15PM

OK. Thanks.
