
Generic video/embed filter?

Posted by zmonteca 
Re: Generic video/embed filter?
March 09, 2010 06:17PM

Wouldn't it make sense if we're using trusted, to allow more flexibility in params such as allowfullscreen?

Also, why is allowfullscreen a security risk?

Re: Generic video/embed filter?
March 09, 2010 06:30PM

Sorry; allowfullscreen should be allowed in %HTML.Trusted; but not allowed in %HTML.SafeObject. If your testing indicates otherwise there is probably a bug.

Re: Generic video/embed filter?
March 10, 2010 11:39AM

Yep, that was it. Now this makes perfect sense to me. Great work!

rocker
Re: Generic video/embed filter?
March 15, 2010 05:59AM

Ambush Commander, please, give me advice. I want to allow the "flashvars" param in the tag. How could I do it? I don't want big security in embed, I just want to allow this param, because it's very important. I tried to modify AttrTransform\SafeEmbed.php, but as I understood, $attr already contains only allowed tags.. So, please give me some tip how to allow this param. Big thx.

Re: Generic video/embed filter?
March 15, 2010 01:30PM

Curtis Gibby
Cannot set undefined directive Output.FlashCompat
March 29, 2010 10:01AM

After I download the latest dev version (2010-03-10) and try to output an embedded video (non-Youtube), I get the following warning:

Warning: Cannot set undefined directive Output.FlashCompat to value on line 10 in file /path/to/myfile.php in /path/to/htmlpurifier/library/HTMLPurifier/Config.php  on line 564

Config code:

$config = HTMLPurifier_Config::createDefault();
$config->set('Output.TidyFormat', true);
$config->set('HTML.Doctype', 'HTML 4.01 Transitional'); // replace with your doctype
$config->set('HTML.SafeObject', true);
$config->set('Output.FlashCompat', true);
$config->set('HTML.SafeEmbed', true);

That gives me an embed, but without the flashvars required to make the video work. I see other people are having success with HTML.SafeEmbed and Output.FlashCompat, but it seems that the version of the code that I have just doesn't recognize that FlashCompat exists. Any ideas?

Re: Cannot set undefined directive Output.FlashCompat
March 29, 2010 10:41AM

That error message implies that you're not actually using the development version?

Curtis Gibby
Re: Cannot set undefined directive Output.FlashCompat
March 29, 2010 11:48AM

Yeah, that's what I thought. Which file actually defines the new Output.FlashCompat directive? I tried to find it in the diffs to make sure that I was using the version that has that defined, but I didn't see it anywhere.

Thanks for your help!

Re: Cannot set undefined directive Output.FlashCompat
March 29, 2010 11:54AM

It's a little complicated, but you should have a file library/HTMLPurifier/ConfigSchema/schema/Output.FlashCompat.txt

Curtis Gibby
Re: Cannot set undefined directive Output.FlashCompat
March 30, 2010 09:15AM

Okay, I reuploaded the dev branch to my server and the Output.FlashCompat error went away. Thanks for helping me troubleshoot it.

Next issue: even with that fixed, my embed is still getting its flashvars stripped out. It's the generic embed code generated by the JW Player. I understand not allowing script access or fullscreen, but it needs its flashvars. Object-based embeds work fine. Any ideas?

Input :

<embed src='http://www.curtisgibby.com/pages/player-viral.swf' height='240' width='320' allowscriptaccess='always' allowfullscreen='true' flashvars='image=http%3A%2F%2Fwww.curtisgibby.com%2Fthumbs%2FEaster2009-NathanSwinging.jpg&file=http%3A%2F%2Fwww.curtisgibby.com%2Fpics%2FEaster2009-NathanSwinging.flv&plugins=viral-1d'/>

Output :

<embed src='http://www.curtisgibby.com/pages/player-viral.swf' height='240' width='320' allowscriptaccess='never' allownetworking='internal' type='application/x-shockwave-flash'>

Config :

$config = HTMLPurifier_Config::createDefault();
$config->set('Output.TidyFormat', true);
$config->set('HTML.Doctype', 'HTML 4.01 Transitional');
$config->set('HTML.SafeObject', true);
$config->set('HTML.SafeEmbed', true);
$config->set('Output.FlashCompat', true);
$purifier = new HTMLPurifier($config);

Re: Cannot set undefined directive Output.FlashCompat
March 30, 2010 01:25PM

Drop %HTML.SafeEmbed, it doesn't do the right thing. I guess we need to match embed tags and build up the entire thing. Marking this as a bug.

Re: Generic video/embed filter?
March 30, 2010 01:34PM

Ok, I fixed the flashvars in embed issue, though you'll still need %HTML.Embed on.

Curtis Gibby
Re: Generic video/embed filter?
March 30, 2010 03:25PM

Fantastic, I appreciate it. I'm glad it wasn't just me, and that I was able to help improve the code by bringing this up.

I don't see those changes in the Git repo yet. Are you going to commit them so I can pull the new version?

Re: Generic video/embed filter?
March 30, 2010 03:29PM

Whoops, forgot to do that. Should be pushed now.

Curtis Gibby
Re: Generic video/embed filter?
March 30, 2010 07:10PM

Thanks, Edward.

I've updated my site with the latest "flashvars"-enabled code, but that parameter is still getting stripped out of my embed -- same results as before. (Both with and without %HTML.SafeObject enabled.) Can someone else confirm that a JW embed does work with the parameters described as above?

Re: Generic video/embed filter?
March 31, 2010 12:17PM

I tested locally and all of the relevant attributes seem to have been preserved. I bet you need to flush your cache; run php maintenance/flush.php

Curtis Gibby
Re: Generic video/embed filter?
April 01, 2010 08:14AM

Running the flush gave me an error on the command line, but after I physically deleted the HTML Purifier directory on my server and re-uploaded it, I was able to get it to work. Thanks for your help in getting this up and running. Great tool you guys have built here.

Todd Geist
Re: Generic video/embed filter?
April 10, 2010 04:01PM

Hello,

I have the latest version from git. I am using the drupal module. I have set SafeEmbed and SafeObject on. I have "Trusted" off. I also have FlashCompat on. I have cleared all caches.

But the embed tag is still getting stripped out.

Is there some other setting I need to deal with?

Thanks

Todd

Re: Generic video/embed filter?
April 10, 2010 04:19PM

Can you post your code?

Todd Geist
Re: Generic video/embed filter?
April 10, 2010 04:29PM

Well, I am using the Drupal module, so I am guessing you want to see the code that I am using, not my implementation code.

Here it is

<embed allowfullscreen="true" allowscriptaccess="always" height="400" src="http://blip.tv/play/hb0hgdL%2BFQA%2Em4v" type="application/x-shockwave-flash" width="600"></embed>

Thanks

Todd

Re: Generic video/embed filter?
April 10, 2010 04:39PM

Delete the htmlpurifier folder containing the library, and then reupload the Git version?

Todd Geist
Re: Generic video/embed filter?
April 10, 2010 04:57PM

I deleted the "library" folder and re-uploaded the one from git, I cleared all caches and still no movies :>(

Thanks

Todd

Re: Generic video/embed filter?
April 10, 2010 05:04PM

What happens if you turn FlashCompat off? What happens if you turn Trusted on?

Todd Geist
Re: Generic video/embed filter?
April 10, 2010 05:21PM

Turning "trusted" and "flashCompat" on or off in any combination has no effect.

If I use " the object tag comes through, but it is stripped of its parameters. Also embed is removed, but I have seen embed just be commented out for IE too (not seeing that now).

before

<object height="385" width="480"><param name="movie" value="http://www.youtube.com/v/A_L8sW_ULH8&amp;hl=en_US&amp;fs=1&amp;" /><param name="allowFullScreen" value="true" /><param name="allowscriptaccess" value="always" /><embed allowfullscreen="true" allowscriptaccess="always" height="385" src="http://www.youtube.com/v/A_L8sW_ULH8&amp;hl=en_US&amp;fs=1&amp;" type="application/x-shockwave-flash" width="480"></embed></object>

after

<object height="385" width="480" type="application/x-shockwave-flash"><param name="allowScriptAccess" value="never" /><param name="allowNetworking" value="internal" /><param name="movie" value="" /></object>

Todd

Todd Geist
Re: Generic video/embed filter?
April 10, 2010 05:25PM

Got it!

you must have DisableExternalResources set to "off"!

Todd

Todd Geist
Re: Generic video/embed filter?
April 10, 2010 05:33PM

to recap... settings that are working for me.

SafeEmbed - "yes"
SafeObject - "yes"
Trusted - "No"
DisableExternalResources - "No"

Drupal Module 6.x-2.1 (http://drupal.org/project/htmlpurifier) Latest git version from Tue, 30 Mar 2010 17:33:13 +0000

Finally - Drupal, CKeditor, IMCE and HTMLPurifier - all playing nice with one another!

Thanks very much for a nice bit o work!

Todd

Todd Geist
Re: Generic video/embed filter?
April 10, 2010 05:36PM

Clarification

"Latest git version from Tue, 30 Mar 2010 17:33:13 +0000"

refers to the HTML Purifier itself, not the drupal module.
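
The settings Todd lists above, as a runnable PHP check. This is an added example, not code from the thread or from the HTML Purifier project: it builds the purifier twice, once with URI.DisableExternalResources off and once with it on, runs the two snippets posted earlier in this thread through it, and reports what survived. The library path is an assumption; the inputs are constructed copies of the posted markup with the bare "&" in the URLs written as "&amp;".

```php
<?php
// Added example (not from this thread or the HTML Purifier project): reproduce
// Todd's working settings and show the effect of URI.DisableExternalResources.
// The library path below is an assumption; adjust it to your install.
require_once '/path/to/htmlpurifier/library/HTMLPurifier.auto.php';

// Constructed inputs: the JW Player <embed> and the YouTube <object> posted
// earlier in this thread, with the bare "&" in the URLs written as "&amp;".
$jwEmbed = "<embed src='http://www.curtisgibby.com/pages/player-viral.swf' height='240' width='320'"
         . " allowscriptaccess='always' allowfullscreen='true'"
         . " flashvars='image=http%3A%2F%2Fwww.curtisgibby.com%2Fthumbs%2FEaster2009-NathanSwinging.jpg"
         . "&amp;file=http%3A%2F%2Fwww.curtisgibby.com%2Fpics%2FEaster2009-NathanSwinging.flv&amp;plugins=viral-1d' />";
$youtube = '<object height="385" width="480">'
         . '<param name="movie" value="http://www.youtube.com/v/A_L8sW_ULH8&amp;hl=en_US&amp;fs=1&amp;" />'
         . '<param name="allowFullScreen" value="true" />'
         . '<param name="allowscriptaccess" value="always" />'
         . '<embed allowfullscreen="true" allowscriptaccess="always" height="385"'
         . ' src="http://www.youtube.com/v/A_L8sW_ULH8&amp;hl=en_US&amp;fs=1&amp;"'
         . ' type="application/x-shockwave-flash" width="480"></embed></object>';

// Build a purifier with the settings from Todd's recap; only
// URI.DisableExternalResources varies so its effect can be seen side by side.
function makePurifier($disableExternal)
{
    $config = HTMLPurifier_Config::createDefault();
    $config->set('HTML.Doctype', 'HTML 4.01 Transitional');
    $config->set('HTML.Trusted', false);       // untrusted input: no raw scripting allowed
    $config->set('HTML.SafeObject', true);     // allow <object> for Flash, scripting forced off
    $config->set('HTML.SafeEmbed', true);      // allow <embed> for Flash, scripting forced off
    $config->set('Output.FlashCompat', true);  // emit the IE-only <embed> fallback inside <object>
    $config->set('URI.DisableExternalResources', $disableExternal);
    // Bypass the definition cache so config changes apply immediately. A stale cached
    // definition is the usual reason a changed directive appears to have no effect.
    $config->set('Cache.DefinitionImpl', null);
    return new HTMLPurifier($config);
}

// What a reviewer wants to know about the result: is the element still there, was
// the SWF's page-scripting ability revoked, did the player keep its data, and was
// the external URL kept or blanked out.
function summarize($html)
{
    return array(
        'object present'      => stripos($html, '<object') !== false,
        'embed present'       => stripos($html, '<embed') !== false,
        'scriptaccess=always' => (bool) preg_match('/allowscriptaccess\W+(?:value\W+)?always/i', $html),
        'scriptaccess=never'  => (bool) preg_match('/allowscriptaccess\W+(?:value\W+)?never/i', $html),
        'networking=internal' => (bool) preg_match('/allownetworking\W+(?:value\W+)?internal/i', $html),
        'flashvars kept'      => stripos($html, 'flashvars=') !== false,
        'movie/src non-empty' => (bool) preg_match('/(?:src|value)=["\']https?:\/\//i', $html),
    );
}

foreach (array(false, true) as $disable) {
    $purifier = makePurifier($disable);
    foreach (array('JW Player embed' => $jwEmbed, 'YouTube object' => $youtube) as $name => $input) {
        $output = $purifier->purify($input);
        printf("\n[%s, URI.DisableExternalResources=%s]\n%s\n", $name, $disable ? 'true' : 'false', $output);
        foreach (summarize($output) as $check => $result) {
            printf("  %-20s %s\n", $check, $result ? 'yes' : 'no');
        }
    }
}
```

With the directive off, the embed should come back the way Curtis's output shows, allowscriptaccess="never" and allownetworking="internal" substituted for the original values and (with Edward's fix of 30 Mar 2010) flashvars intact. With it on, the movie param and src come back empty, which is exactly the "after" markup Todd posted. The caveat worth keeping in mind: %HTML.SafeObject and %HTML.SafeEmbed make the embed safe for the surrounding page by pinning allowScriptAccess to never and allowNetworking to internal, so the SWF cannot run JavaScript in your origin; they do not restrict which host the SWF is loaded from, and flashvars is data the SWF interprets, so what a player does with a value like plugins=viral-1d is the player's decision, not the filter's. If a setting still seems ignored after a config change, flush the definition cache (php maintenance/flush.php) or bump %HTML.DefinitionRev rather than re-uploading the whole library.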

Re: Generic video/embed filter?
April 10, 2010 05:41PM

Glad that you figured it out.

Re: Generic video/embed filter?
June 15, 2010 03:41PM

See below. Mis-post.

Re: Generic video/embed filter?
June 15, 2010 03:41PM

There's a bug on line 145 of the Generator when using FlashCompat for embed objects.

Once the

<!--[if IE]><![endif]-->

is included, each additional time the filter is run it will keep appending that string.

For example, if the filter is run 2x, this is the resulting code:

<object width="640" height="385">
  <param name="movie" value="http://www.youtube.com/v/2mNB_VG_shc&hl=en_US&fs=1&" />
  <param name="allowFullScreen" value="true" />
  <param name="allowscriptaccess" value="always" />
  <!--[if IE]><embed width="640" height="385" src="http://www.youtube.com/v/2mNB_VG_shc&amp;hl=en_US&amp;fs=1&amp;" allowFullScreen="true" allowscriptaccess="always" /><![endif]--><!--[if IE]><embed width="640" height="385" src="http://www.youtube.com/v/2mNB_VG_shc&amp;hl=en_US&amp;fs=1&amp;" allowFullScreen="true" allowscriptaccess="always" /><![endif]-->
</object>
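
A regression check for the double-filtering bug reported above, as an added example (not code from the thread or from the HTML Purifier project): purify the posted object once, purify the result again, and confirm the second pass changes nothing. The library path is an assumption, and the input is a constructed copy of the posted snippet with the bare "&" written as "&amp;".

```php
<?php
// Added example (not from this thread or the HTML Purifier project): verify that
// running the filter over its own output is a no-op. The IE conditional comment
// that Output.FlashCompat emits must not be appended again on each pass.
// The library path below is an assumption; adjust it to your install.
require_once '/path/to/htmlpurifier/library/HTMLPurifier.auto.php';

function flashCompatPurifier()
{
    $config = HTMLPurifier_Config::createDefault();
    $config->set('HTML.Doctype', 'HTML 4.01 Transitional');
    $config->set('HTML.SafeObject', true);
    $config->set('HTML.SafeEmbed', true);
    $config->set('Output.FlashCompat', true);
    $config->set('Cache.DefinitionImpl', null); // no stale cached definitions
    return new HTMLPurifier($config);
}

// Constructed copy of the YouTube snippet from the post above.
$input = '<object width="640" height="385">'
       . '<param name="movie" value="http://www.youtube.com/v/2mNB_VG_shc&amp;hl=en_US&amp;fs=1&amp;" />'
       . '<param name="allowFullScreen" value="true" />'
       . '<param name="allowscriptaccess" value="always" />'
       . '</object>';

// Returns true when a second pass leaves the output unchanged (the filter is
// idempotent on its own output) and false when it keeps growing as reported.
function isIdempotent(HTMLPurifier $purifier, $html, &$pass1, &$pass2)
{
    $pass1 = $purifier->purify($html);
    $pass2 = $purifier->purify($pass1);
    return $pass1 === $pass2;
}

$purifier = flashCompatPurifier();
$stable = isIdempotent($purifier, $input, $pass1, $pass2);
printf("pass 1: %d IE conditional comment(s)\n", substr_count($pass1, '<!--[if IE]>'));
printf("pass 2: %d IE conditional comment(s)\n", substr_count($pass2, '<!--[if IE]>'));
echo $stable
    ? "stable: re-running the filter does not change the markup\n"
    : "NOT stable: the filter appends to its own output; avoid re-filtering stored HTML until this is fixed\n";
```

Until this check passes, avoid pipelines that purify on save and again on display, since every pass adds another copy of the conditional comment and its <embed>.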