
Current state of embedded content

Tethers
Current state of embedded content
September 06, 2008 05:15PM

Hi, I am interested in working on a feature that allows users to:

1.) embed swf files

and more specifically

2.) embed the swf file of the JW Flv player (to show flv movies hosted on my server).

I have been searching through the forums and I am trying to find out how much of this is already in place (so as not to re-invent the wheel). I have found various classes already made, but I don't know which, if any, is suited for my purpose:

1.) SafeEmbed and SafeObject

2.) The second post here: http://htmlpurifier.org/phorum/read.php?2,1102,1102 If this one works, do I need to apply the injector patch seen here:

http://htmlpurifier.org/phorum/read.php?3,921,946#msg-946

3.) Maybe a modified version of the youtube class you made?

Thanks for getting me started in the right direction.

Re: Current state of embedded content
September 06, 2008 05:17PM

Assuming you don't need flashvars, SafeEmbed/SafeObject will do the trick. (2) is out of date, and (3) would work, but would be hacky. If you need flashvars, come and help out on http://htmlpurifier.org/phorum/read.php?5,2239

Tethers
Re: Current state of embedded content
September 06, 2008 07:36PM

Ah yes, flash vars would be needed. I'll try to help out as much as I can.

The way I understand it is that you will still turn on SafeEmbed/SafeObject, and the new project will simply allow the flashvars. Is that right?

Thanks

Re: Current state of embedded content
September 06, 2008 08:54PM

Yep. And then eventually we'll get it incorporated into the core, where you can set an extra configuration directive to allow flashvars. If we want to get fancy, we can let users configure which flashvars to allow.

Denny Deaton
Re: Current state of embedded content
October 29, 2008 04:22PM

Is there a way to allow flashvars? SafeObject and SafeEmbed work for me but not with flashvars and I need those working. I can't find a workaround. Anyone?

Thanks, Denny

Re: Current state of embedded content
October 29, 2008 06:24PM

Hello,

If you're looking for the easiest way of implementing flashvars, hacking something onto the SafeEmbed and SafeObject classes would probably work. However, I recommend you take a look at the patch here and see if you would be interested in helping see it to completion (as progress on it has somewhat stalled).

Re: Current state of embedded content
March 08, 2010 02:05AM

I'm happy to report that a solution has hit the HTML Purifier development branch! You can check out the code from http://repo.or.cz/w/htmlpurifier.git and you can enable it using this code:

<pre><![CDATA[
$config->set('HTML.SafeObject', true);
$config->set('Output.FlashCompat', true);
]]></pre>

If you were using %HTML.SafeEmbed, that code is no longer necessary and you should disable it. Please let me know if there are any bugs!

Re: Current state of embedded content
March 12, 2010 01:24PM

FlashCompat does not work. Here is my config. If I enable SafeEmbed, I see the Flash player, but if I disable it, nothing is rendered at all. I'm trying to make a TED video embed work. I also had to edit source code to set allowscriptaccess to true.

Instead of making this really difficult, and trying to filter it perfectly, why not just add a config parameter such as HTML.IgnoreObjectTag = true, that way, it completely skips over the tag and lets the user put whatever they want in it. The number of params and attributes that can be added is too many to try to filter out. I think you're trying to be too nazi with the embed stuff... just let HTMLPurifier completely skip over the tag if someone wants it to. I've spent hours upon hours trying to get this to work... it's ridiculous.


<pre><![CDATA[
$config = HTMLPurifier_Config::createDefault();
$config->set('Core.Encoding', 'UTF-8'); // replace with your encoding
$config->set('HTML.Doctype', 'XHTML 1.1'); // replace with your doctype
$config->set('HTML.TidyLevel', 'heavy'); // burn baby burn!
$config->set('HTML.SafeObject', true);
// $config->set('HTML.SafeEmbed', true);
$config->set('Output.FlashCompat', true);
$config->set('HTML.AllowedAttributes', 'src, href, width, height, alt, codebase, classid, value, name, flashvars, allowfullscreen, bgcolor, wmode, type'); // strip all html attributes, mostly for style and class
// $config->set('HTML.AllowedAttributes', array('src', 'href', 'width', 'height', 'alt', 'codebase', 'classid', 'value', 'name', 'flashvars', 'allowfullscreen', 'bgcolor', 'wmode', 'type'));
$config->set('HTML.MaxImgLength', '445');
$config->set('URI.DisableExternalResources', false);
$config->set('URI.DisableResources', false);
$config->set('HTML.AllowedElements', 'p, b, a[href], i, ul, li, ol, blockquote, object, img, strong, em, param, embed');
// $config->set('HTML.AllowedElements', array('p', 'b', 'a[href]', 'i', 'ul', 'li', 'ol', 'blockquote', 'object', 'img', 'strong', 'em', 'param', 'embed'));
$config->set('AutoFormat.AutoParagraph', true);
$config->set('AutoFormat.RemoveEmpty', true); // remove empty tag pairs
$config->set('AutoFormat.RemoveEmpty.RemoveNbsp', true); // remove empty, even if it contains an &nbsp;
]]></pre>

The top embed code works, because it's not being parsed with Purifier; the bottom one does not work. It renders the Flash player, but as you can see it's stripped the flashvars from the embed param. If I turn off SafeEmbed, it returns a blank screen, not even the butchered tag you see here.

http://img683.imageshack.us/img683/9758/picture16w.png

Re: Current state of embedded content
March 12, 2010 01:52PM

Hey, thanks for the bug report. I'll look more closely at this and see if I can cook up a fix that keeps up security. I do have one comment:

I think you're trying to be too nazi with the embed stuff... just let HTMLPurifier completely skip over the tag if someone wants it to.

I disagree; I think this is what precisely makes HTML Purifier good. If you're going to let HTML Purifier skip over object tags, you might as well not use HTML Purifier at all (certainly a reasonable proposition for many use-cases).

HTML Purifier, Standards-Compliant HTML Filtering
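As an added check (not code from this thread or from the HTML Purifier project), the script below runs one constructed embed through the default configuration and through SafeObject plus FlashCompat and lists the <param> pairs that survive each, so you can see what the filter actually keeps instead of judging from a screenshot. The autoloader path and the sample URLs are assumptions.

```php
<?php
// Added example: show what HTML Purifier keeps from an <object> embed under
// two configurations. Assumes the standalone autoloader at this path.
require_once 'library/HTMLPurifier.auto.php';
// Constructed sample embed (URLs are placeholders): it asks for script and
// network access and carries a param the player does not need.
$input = <<<EOF
<object width="446" height="326">
  <param name="movie" value="http://example.invalid/player.swf" />
  <param name="flashvars" value="file=video.flv&amp;autostart=true" />
  <param name="allowScriptAccess" value="always" />
  <param name="allowNetworking" value="all" />
  <param name="customParam" value="something" />
</object>
EOF;
// Build a config from an associative array of directives and purify $html.
function purifyWith(array $directives, $html)
{
    $config = HTMLPurifier_Config::createDefault();
    foreach ($directives as $key => $value) {
        $config->set($key, $value);
    }
    $purifier = new HTMLPurifier($config);
    return $purifier->purify($html);
}
// Collect the name/value pairs of every <param> left in the purified output.
function listParams($html)
{
    $params = array();
    $doc = new DOMDocument();
    @$doc->loadHTML('<div>' . $html . '</div>'); // quiet libxml on stray markup
    foreach ($doc->getElementsByTagName('param') as $param) {
        $params[$param->getAttribute('name')] = $param->getAttribute('value');
    }
    return $params;
}
$cases = array(
    'default config'           => array(),
    'SafeObject + FlashCompat' => array('HTML.SafeObject' => true, 'Output.FlashCompat' => true),
);
foreach ($cases as $label => $directives) {
    $out = purifyWith($directives, $input);
    echo "== $label ==\n", $out, "\n";
    foreach (listParams($out) as $name => $value) {
        echo "  param $name = $value\n";
    }
}
```

Run it against your own configuration to confirm which params survive; that output is the evidence worth attaching to a bug report like the one above.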

Re: Current state of embedded content
March 13, 2010 04:45PM

What happens if you punt the %HTML.AllowedElements and %HTML.AllowedAttributes lines?

HTML Purifier, Standards-Compliant HTML Filtering

Re: Current state of embedded content
March 15, 2010 10:01AM

YouTube videos work with the AllowedElements/Attributes, and it works without them too. It is the TED video in this case that has the Flash vars re-written.

Re: Current state of embedded content
March 15, 2010 01:27PM

I did a test of the TED video (using the embed code they provide on their website) with a very minimal configuration; just SafeObject and FlashCompat, and it worked fine in Firefox, which, judging from the screenshot, is what you're using. That's pretty surprising!

HTML Purifier, Standards-Compliant HTML Filtering

Re: Current state of embedded content
March 15, 2010 02:24PM

Can you post the exact config you're using? Thanks

Re: Current state of embedded content
March 15, 2010 02:33PM

Sure thing.

<pre><![CDATA[
<?php
require_once 'library/HTMLPurifier.auto.php';
$ted = <<<EOF
<!--copy and paste--><object width="446" height="326">
<param name="movie" value="http://video.ted.com/assets/player/swf/EmbedPlayer.swf"></param>
<param name="allowFullScreen" value="true" />
<param name="wmode" value="transparent"></param>
<param name="bgColor" value="#ffffff"></param>
<param name="flashvars" value="vu=http://video.ted.com/talks/dynamic/EricMead_2009P-medium.flv&su=http://images.ted.com/images/ted/tedindex/embed-posters/EricMead-2009P.embed_thumbnail.jpg&vw=432&vh=240&ap=0&ti=792&introDuration=16500&adDuration=4000&postAdDuration=2000&adKeys=talk=eric_mead_the_magic_of_the_placebo;year=2009;theme=master_storytellers;theme=the_creative_spark;theme=how_the_mind_works;theme=new_on_ted_com;theme=spectacular_performance;event=TEDMED+2009;&preAdTag=tconf.ted/embed;tile=1;sz=512x288;" />
<embed src="http://video.ted.com/assets/player/swf/EmbedPlayer.swf" pluginspace="http://www.macromedia.com/go/getflashplayer" type="application/x-shockwave-flash" wmode="transparent" bgColor="#ffffff" width="446" height="326" allowFullScreen="true" flashvars="vu=http://video.ted.com/talks/dynamic/EricMead_2009P-medium.flv&su=http://images.ted.com/images/ted/tedindex/embed-posters/EricMead-2009P.embed_thumbnail.jpg&vw=432&vh=240&ap=0&ti=792&introDuration=16500&adDuration=4000&postAdDuration=2000&adKeys=talk=eric_mead_the_magic_of_the_placebo;year=2009;theme=master_storytellers;theme=the_creative_spark;theme=how_the_mind_works;theme=new_on_ted_com;theme=spectacular_performance;event=TEDMED+2009;"></embed>
</object>
EOF;
$config = HTMLPurifier_Config::createDefault();
$config->set('Output.FlashCompat', true);
$config->set('HTML.SafeObject', true);
$purifier = new HTMLPurifier($config);
echo $purifier->purify($ted);
]]></pre>
