
Flash embeding problem

Posted by Claus 
Claus
Flash embeding problem
August 15, 2010 08:00PM

I'm using the latest 4.1.1 version of HTMLPurifier. I set the "Output.FlashCompat" configuration option to true, but Flash video is not working properly in Google Chrome and not working at all in Mozilla Firefox. The problem is that HTMLPurifier strips the attribute type="application/x-shockwave-flash" and puts the embed into <!--[if IE]><![endif]--> comments.

Another problem appears when I try to resave the flash generated by HTMLPurifier. It adds another <!--[if IE]><embed><![endif]--> block. So when I save the HTML a second time I have 2 <!--[if IE]><embed><![endif]--> blocks, then 3 and so on.

Could anybody help me?

Re: Flash embeding problem
August 15, 2010 08:06PM

Could you paste the input and outputs you get?

Claus
Re: Flash embeding problem
August 15, 2010 09:19PM

This is my configuration:

$config->set('HTML.Trusted', true);
$config->set('Output.FlashCompat', true);
$config->set('Attr.EnableID', true);
$config->set('HTML.Doctype', 'HTML 4.01 Transitional');

Input:

<object width="640" height="385"><param name="movie" value="http://www.youtube.com/v/mBxAikxSDWY?fs=1&amp;hl=en_US"></param><param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="always"></param><embed src="http://www.youtube.com/v/mBxAikxSDWY?fs=1&amp;hl=en_US" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="640" height="385"></embed></object>

Output:

<object width="640" height="385"><param name="movie" value="http://www.youtube.com/v/mBxAikxSDWY?fs=1&amp;hl=en_US"><param name="allowFullScreen" value="true"><param name="allowscriptaccess" value="always"><!--[if IE]><embed width="640" height="385" src="http://www.youtube.com/v/mBxAikxSDWY?fs=1&amp;hl=en_US" allowFullScreen="true" allowscriptaccess="always"><![endif]--></object>

Output after resaving:

<object width="640" height="385"><param name="movie" value="http://www.youtube.com/v/mBxAikxSDWY?fs=1&amp;hl=en_US"><param name="allowFullScreen" value="true"><param name="allowscriptaccess" value="always"><!--[if IE]><embed width="640" height="385" src="http://www.youtube.com/v/mBxAikxSDWY?fs=1&amp;hl=en_US" allowFullScreen="true" allowscriptaccess="always"><![endif]--><!--[if IE]><embed width="640" height="385" src="http://www.youtube.com/v/mBxAikxSDWY?fs=1&amp;hl=en_US" allowFullScreen="true" allowscriptaccess="always"><![endif]--></object>
Re: Flash embeding problem
August 15, 2010 09:42PM

Hmm... I didn't test the combination of %Output.FlashCompat and %HTML.Trusted, so I guess it's not surprising that they don't quite work. Are you sure you need trusted functionality?

Edited 1 time(s). Last edit at 08/15/2010 09:44PM by Ambush Commander.

Claus
Re: Flash embeding problem
August 15, 2010 10:06PM

Without %HTML.Trusted the object element will be stripped. And it is not an option for me to list allowed tags and attributes, because all tags should be allowed. I just don't understand why the embed element is wrapped in comments.

Re: Flash embeding problem
August 15, 2010 10:14PM

If you just care about object, you should use %HTML.SafeObject.

Claus
Re: Flash embeding problem
August 15, 2010 10:20PM

With object everything is ok even with just %HTML.Trusted but embed is stripped. I tried to add %HTML.SafeEmbed but it changed attributes to allowscriptaccess="never" and allownetworking="internal".

Re: Flash embeding problem
August 15, 2010 10:26PM

The supported configuration is %HTML.SafeObject and %Output.FlashCompat, with %HTML.Trusted off and %HTML.SafeEmbed off. You could argue that %HTML.Trusted should work with %Output.FlashCompat too, but it doesn't yet. %HTML.SafeEmbed was generally poor and should be deprecated.

Claus
Re: Flash embeding problem
August 15, 2010 10:36PM

Ok. I've just tried the %HTML.SafeObject and %Output.FlashCompat combination, with %HTML.Trusted off and %HTML.SafeEmbed off. Everything is OK, but the attribute "allowFullScreen" is stripped. Is it possible to leave it?

Re: Flash embeding problem
August 15, 2010 10:43PM

Hmm, you'd probably have to patch the code, somewhere in htmlpurifier/library/HTMLPurifier/AttrTransform/SafeParam.php to allow that param. Full screen can be slightly dangerous.

Claus
Re: Flash embeding problem
August 15, 2010 11:10PM

Very strange security politics. I can configure everything with this library except flash. But thanks for your help.

Re: Flash embeding problem
August 15, 2010 11:15PM

This is probably more of an oversight on the library's part than security politics. :-)

Claus
Re: Flash embeding problem
August 15, 2010 11:21PM

Ok. I hope this will be fixed in future releases. Everything is great except flash. Thanks.

Re: Flash embeding problem
September 08, 2010 11:40PM
Colin Snover
Re: Flash embeding problem
September 16, 2010 02:37AM

Hi,

HTML Purifier is creating invalid <object> tags when SafeObject is enabled, causing certain Flash objects to only work in IE. Here is an example:

Input:

<object
    classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000"
    id="ooyalaPlayer_229z0_gbps1mrs" width="630" height="354"
    codebase="http://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab"><param
    name="movie" value="http://player.example.com/player.swf?embedCode=FpZnZwMTo1wqBF-ed2__OUBb3V4HR6za&version=2"
    /><param name="bgcolor" value="#000000" /><param
    name="allowScriptAccess" value="always" /><param
    name="allowFullScreen" value="true" /><param name="flashvars"
    value="embedType=noscriptObjectTag&embedCode=pteGRrMTpcKMyQ052c8NwYZ5M5FdSV3j"
    /><embed src="http://player.example.com/player.swf?embedCode=FpZnZwMTo1wqBF-ed2__OUBb3V4HR6za&version=2"
    bgcolor="#000000" width="630" height="354"
    name="ooyalaPlayer_229z0_gbps1mrs" align="middle" play="true"
    loop="false" allowscriptaccess="always" allowfullscreen="true"
    type="application/x-shockwave-flash"
    flashvars="&embedCode=FpZnZwMTo1wqBF-ed2__OUBb3V4HR6za"
    pluginspage="http://www.adobe.com/go/getflashplayer"></embed></object>

Output:

<object width="630" height="354" type="application/x-shockwave-flash" data="http://player.example.com/player.swf?embedCode=FpZnZwMTo1wqBF-ed2__OUBb3V4HR6za&amp;version=2" classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000"><param value="never" name="allowScriptAccess"><param value="internal" name="allowNetworking"><param value="http://player.example.com/player.swf?embedCode=FpZnZwMTo1wqBF-ed2__OUBb3V4HR6za&amp;version=2" name="movie"><param value="embedType=noscriptObjectTag&amp;embedCode=pteGRrMTpcKMyQ052c8NwYZ5M5FdSV3j" name="flashvars"><!--[if IE]><embed width="630" height="354" src="http://player.example.com/player.swf?embedCode=FpZnZwMTo1wqBF-ed2__OUBb3V4HR6za&amp;version=2" allowScriptAccess="never" allowNetworking="internal" flashvars="embedType=noscriptObjectTag&amp;embedCode=pteGRrMTpcKMyQ052c8NwYZ5M5FdSV3j" /><![endif]--></object>

Output without FlashCompat:

<object width="630" height="354" type="application/x-shockwave-flash" data="http://player.example.com/player.swf?embedCode=FpZnZwMTo1wqBF-ed2__OUBb3V4HR6za&amp;version=2" classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000"><param value="never" name="allowScriptAccess"><param value="internal" name="allowNetworking"><param value="http://player.example.com/player.swf?embedCode=FpZnZwMTo1wqBF-ed2__OUBb3V4HR6za&amp;version=2" name="movie"><param value="true" name="allowFullScreen"><param value="embedType=noscriptObjectTag&amp;embedCode=pteGRrMTpcKMyQ052c8NwYZ5M5FdSV3j" name="flashvars"></object>

The classid in the original code is invalid. It works because non-IE browsers fall back to the inner <embed>, and IE understands the proprietary value in the classid attribute. By leaving the classid but stripping the <embed>, HTML Purifier creates a broken object for all browsers except IE. The classid is not by IE; it works just fine setting only the type.

The correct, standards-compliant <object> tag for a Flash object that works in both IE and non-IE browsers should have only width, height, data, and type attributes. For the above example, it would be:

<object width="630" height="354" type="application/x-shockwave-flash" data="http://player.ooyala.com/player.swf?embedCode=FpZnZwMTo1wqBF-ed2__OUBb3V4HR6za&amp;version=2"><param value="never" name="allowScriptAccess"><param value="internal" name="allowNetworking"><param value="http://player.ooyala.com/player.swf?embedCode=FpZnZwMTo1wqBF-ed2__OUBb3V4HR6za&amp;version=2" name="movie"><param value="true" name="allowFullScreen"><param value="embedType=noscriptObjectTag&amp;embedCode=pteGRrMTpcKMyQ052c8NwYZ5M5FdSV3j" name="flashvars"></object>

It would be great to see a quick fix introduced in 4.2.1 for this issue, which would also allow FlashCompat to be removed.

Regards,

P.S. Akismet thinks my message is spam so I had to mangle some stuff to get it to post.

Re: Flash embeding problem
September 16, 2010 02:31PM

Thanks for the in-depth analysis of the issue. I will look at it closely.

Re: Flash embeding problem
September 17, 2010 05:48PM

My understanding is that the code you suggest is not liked because it breaks streaming of videos on Internet Explorer. http://www.alistapart.com/articles/flashembedcagematch/ It might be better than what we have now, but this is a complicated design space.

Colin Snover
Re: Flash embeding problem
September 19, 2010 08:10PM

The suggested code does not break video streaming. The SWF format has the ability to begin playback and display a preloader or similar before the entire SWF has loaded; this is what stops working. Any content loaded after the initial SWF will function identically across all browsers.

I think it is fair to say that over 99% of embedded content these days is *not* content that would be affected, since most embedded content is a video player (YouTube, Vimeo, whatever).

Regards,

Re: Flash embeding problem
September 19, 2010 08:37PM

Ah, that's interesting! In that case it might be a reasonable tradeoff to make. Ideally speaking, though, it would be nice if we could make this completely configurable, so the user could pick what template they wanted inserted into their HTML for whatever Flash object they embedded.

Colin Snover
Re: Flash embeding problem
September 21, 2010 01:57PM

Ideally, IE would not defer initialisation of objects. But I digress. ;) The other option would be something like:

<!--[if IE]><object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" width="640" height="272"><![endif]-->
<!--[if !IE]><!--><object type="application/x-shockwave-flash" data="movie.swf" width="640" height="272"><!--<![endif]-->
    <param name="movie" value="movie.swf" />
    <param name="wmode" value="opaque" />
    …
</object>

Which is the briefest version that should work everywhere (though I have not tested this exact code). Either way, currently, embeds break pretty often, so an interim fix would be appreciated sooner rather than later.

Regards,

Re: Flash embeding problem
September 21, 2010 02:13PM

Well, there's things HTML Purifier can control, and things HTML Purifier can't. ;-)

I'm willing to put this in on an accelerated timeframe if you're willing to do the testing legwork. :-) Otherwise, I'd like to fix it by method of create configuration option. :-) (And make the default less stupid, which dovetails with your proposal.)

Colin Snover
Re: Flash embeding problem
September 22, 2010 02:57PM

Yeah, I can do some testing to get this out the door quicker.

Re: Flash embeding problem
September 27, 2010 06:16PM

I am willing to help with testing, too. I initially misattributed this (http://cksource.com/forums/viewtopic.php?f=6&t=20276) as being an incompatibility between CKEditor's flash insert dialog and HTMLPurifier.

Re: Flash embeding problem
September 27, 2010 08:19PM

Ok. So what the testing would involve is the proposed HTML snippet, and making sure it works on the relevant browser and operating system combinations of today. If you find someone who's already done it, great, we're done.

Re: Flash embeding problem
September 27, 2010 09:55PM

I can personally only test on FF3.6 and IE8. But I (or anybody, for that matter) can test just about any browser via http://browsershots.org/

Re: Flash embeding problem
September 27, 2010 10:04PM

Browsershots... isn't very useful for Flash...

Re: Flash embeding problem
September 28, 2010 01:15AM

One of the issues here is that the video player is not displaying at all in Firefox, Navigator, and possibly others. That is something that can be evaluated relatively quickly across a large variety of browser/OS permutations via browsershots.

Also, below is the output of CKEditor's flash dialog. If you refer to my post in the CKEditor forum (linked above), I note that I can get either CKEditor or HTMLPurifier to produce a viable object block (in FF and IE), but the combination of the two fails to produce a viable object block in FF.

<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0">
    <param name="movie" value="http://www.youtube.com/v/AyPzM5WK8ys" />
    <embed pluginspage="http://www.macromedia.com/go/getflashplayer" src="http://www.youtube.com/v/AyPzM5WK8ys" type="application/x-shockwave-flash"></embed>
</object>

Re: Flash embeding problem
September 28, 2010 12:09PM

Basically, I want to sanity check:

<!--[if IE]><object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" width="640" height="272"><![endif]-->
<!--[if !IE]><!--><object type="application/x-shockwave-flash" data="movie.swf" width="640" height="272"><!--<![endif]-->
    <param name="movie" value="movie.swf" />
    <param name="wmode" value="opaque" />
    …
</object>

before we push it out. I know that the current setup is broken under certain situations. Furthermore, we need to make sure that HTML Purifier can parse that strange code so that running the purifier on purified output results in no change.

Colin Snover
Re: Flash embeding problem
September 28, 2010 05:04PM

I have created a testcase and a browsershots for the testcase. There will be no difference across OS for the same browser engine so there is no need to test that.

The biggest difficulty is in ensuring that HTML Purifier understands and can purify IE conditional code. It should probably be able to do that already anyway, since purifying conditional code by removing the comments will break IE, and leaving comments in means that IE is potentially served dangerous code. (Of course, this is not necessary to output working code, it only becomes a problem if we want to make sure that inputting the output of HTML Purifier into HTML Purifier outputs the same code.)

Regards,

Re: Flash embeding problem
September 29, 2010 09:07AM

What HTML Purifier currently does is unconditionally strips out IE conditional comments, and then attempts to reconstruct them when it regenerates HTML from the object tag. This doesn't work in all cases.
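
The resave duplication reported in the first post, and the requirement that purifying purified output results in no change, can be checked with a small harness. This is an added example, not part of the thread or of HTML Purifier's own code; the helper names (build_purifier, resave_report), the include path and the sample markup with its media.example.com URL are assumptions.

```php
<?php
// Added example (not from the thread): checks whether purifying already
// purified markup changes it again, using the two configurations discussed.
// Assumption: HTML Purifier is installed and HTMLPurifier.auto.php is on the include path.
require_once 'HTMLPurifier.auto.php';

// Hypothetical helper: build a purifier from a directive => value map.
function build_purifier(array $directives): HTMLPurifier
{
    $config = HTMLPurifier_Config::createDefault();
    $config->set('Cache.DefinitionImpl', null); // skip the on-disk definition cache
    foreach ($directives as $name => $value) {
        $config->set($name, $value);
    }
    return new HTMLPurifier($config);
}

// Hypothetical helper: re-purify the output $passes times and record, per pass,
// the number of IE conditional blocks and whether the markup changed.
function resave_report(HTMLPurifier $purifier, string $html, int $passes = 3): array
{
    $rows = [];
    $current = $purifier->purify($html); // first save
    for ($i = 1; $i <= $passes; $i++) {
        $next = $purifier->purify($current); // resave
        $rows[] = [
            'resave'    => $i,
            'ie_blocks' => substr_count($next, '<!--[if IE]>'),
            'changed'   => $next !== $current,
        ];
        $current = $next;
    }
    return $rows;
}

// Constructed sample input modelled on the embed markup quoted in the thread.
$input = '<object width="640" height="385">'
    . '<param name="movie" value="http://media.example.com/player.swf">'
    . '<embed src="http://media.example.com/player.swf" type="application/x-shockwave-flash" width="640" height="385"></embed>'
    . '</object>';

$configs = [
    'reported (HTML.Trusted + Output.FlashCompat)'     => ['HTML.Trusted' => true, 'Output.FlashCompat' => true],
    'supported (HTML.SafeObject + Output.FlashCompat)' => ['HTML.SafeObject' => true, 'Output.FlashCompat' => true],
];

foreach ($configs as $label => $directives) {
    echo $label, "\n";
    foreach (resave_report(build_purifier($directives), $input) as $row) {
        printf("  resave %d: ie_blocks=%d changed=%s\n",
            $row['resave'], $row['ie_blocks'], $row['changed'] ? 'yes' : 'no');
    }
}
```

A configuration that is stable under resaving reports changed=no on every resave with a constant ie_blocks count; a count that grows with each resave is the duplication described in the first post.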
