diff --git a/main/inc/lib/formvalidator/Rule/allowed_tags.inc.php b/main/inc/lib/formvalidator/Rule/allowed_tags.inc.php
index 59c42d93bd..3a674458b6 100755
--- a/main/inc/lib/formvalidator/Rule/allowed_tags.inc.php
+++ b/main/inc/lib/formvalidator/Rule/allowed_tags.inc.php
@@ -300,7 +300,7 @@
 $allowed_tags_student['embed']['type'] = array();
 $allowed_tags_student['embed']['src'] = array();
 $allowed_tags_student['embed']['flashvars'] = array();
 $allowed_tags_student['embed']['allowscriptaccess'] = array();
-//$allowed_tags_student['embed']['allowfullscreen'] = array();
+$allowed_tags_student['embed']['allowfullscreen'] = array();
 //$allowed_tags_student['embed']['bgcolor'] = array();
 //$allowed_tags_student['embed']['pluginspage'] = array();
diff --git a/main/inc/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/SafeEmbed.php b/main/inc/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/SafeEmbed.php
old mode 100755
new mode 100644
index 4da449981f..38bbdd5f1b
--- a/main/inc/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/SafeEmbed.php
+++ b/main/inc/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/SafeEmbed.php
@@ -8,6 +8,11 @@ class HTMLPurifier_AttrTransform_SafeEmbed extends HTMLPurifier_AttrTransform
 $attr['allowscriptaccess'] = 'never';
 $attr['allownetworking'] = 'internal';
 $attr['type'] = 'application/x-shockwave-flash';
+
+ if (!$config->get('HTML.FlashAllowFullScreen') || !$attr['allowfullscreen'] == 'true') {
+ unset($attr['allowfullscreen']);
+ }
+
 return $attr;
 }
 }
diff --git a/main/inc/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/SafeParam.php b/main/inc/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/SafeParam.php
index 4ceea62c0a..1a5124d062 100644
--- a/main/inc/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/SafeParam.php
+++ b/main/inc/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/SafeParam.php
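Review bot: The guard added to the SafeEmbed attribute transform has an operator-precedence bug: `!$attr['allowfullscreen'] == 'true'` parses as `(!$attr['allowfullscreen']) == 'true'`, which is true only when the attribute value is falsy, so a value of `'false'` (or any other non-empty string) survives instead of being dropped, and the expression also raises an undefined-index notice whenever the attribute is absent. Write the comparison explicitly and test presence first: `if (!$config->get('HTML.FlashAllowFullScreen') || !isset($attr['allowfullscreen']) || $attr['allowfullscreen'] !== 'true') {`. The practical exposure looks limited because HTMLModule/SafeEmbed in this same commit only declares `allowfullscreen` as `Enum#true,false` when the directive is on, but the post-transform should not depend on that ordering. The enclosing method's signature is outside the hunk.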
@@ -29,12 +29,15 @@ class HTMLPurifier_AttrTransform_SafeParam extends HTMLPurifier_AttrTransform
 // application/x-shockwave-flash
 // Keep this synchronized with Injector/SafeObject.php
 case 'allowScriptAccess':
+ case 'allowscriptaccess':
 $attr['value'] = 'never';
 break;
 case 'allowNetworking':
+ case 'allownetworking':
 $attr['value'] = 'internal';
 break;
 case 'allowFullScreen':
+ case 'allowfullscreen':
 if ($config->get('HTML.FlashAllowFullScreen')) {
 $attr['value'] = ($attr['value'] == 'true') ? 'true' : 'false';
 } else {
diff --git a/main/inc/lib/htmlpurifier/library/HTMLPurifier/HTMLModule/SafeEmbed.php b/main/inc/lib/htmlpurifier/library/HTMLPurifier/HTMLModule/SafeEmbed.php
index 9f3758a322..c99ad97aa6 100644
--- a/main/inc/lib/htmlpurifier/library/HTMLPurifier/HTMLModule/SafeEmbed.php
+++ b/main/inc/lib/htmlpurifier/library/HTMLPurifier/HTMLModule/SafeEmbed.php
@@ -11,9 +11,7 @@ class HTMLPurifier_HTMLModule_SafeEmbed extends HTMLPurifier_HTMLModule
 public function setup($config) {
 $max = $config->get('HTML.MaxImgLength');
- $embed = $this->addElement(
- 'embed', 'Inline', 'Empty', 'Common',
- array(
+ $attr = array(
 'src*' => 'URI#embedded',
 'type' => 'Enum#application/x-shockwave-flash',
 'width' => 'Pixels#' . $max,
@@ -23,7 +21,13 @@ class HTMLPurifier_HTMLModule_SafeEmbed extends HTMLPurifier_HTMLModule
 'flashvars' => 'Text',
 'wmode' => 'Enum#window,transparent,opaque',
 'name' => 'ID',
- )
+ );
+ if ($config->get('HTML.FlashAllowFullScreen')) {
+ $attr['allowfullscreen'] = 'Enum#true,false';
+ }
+
+ $embed = $this->addElement(
+ 'embed', 'Inline', 'Empty', 'Common', $attr
 );
 $embed->attr_transform_post[] = new HTMLPurifier_AttrTransform_SafeEmbed();
diff --git a/main/inc/lib/htmlpurifier/library/HTMLPurifier/Injector/SafeObject.php b/main/inc/lib/htmlpurifier/library/HTMLPurifier/Injector/SafeObject.php
index 4d6c977340..34765265da 100644
--- a/main/inc/lib/htmlpurifier/library/HTMLPurifier/Injector/SafeObject.php
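Review bot: The new lowercase `case` labels in SafeParam enumerate a second spelling instead of normalising the name, so if the switch subject (outside the hunk, presumably the param name) is compared as-is, every other casing still misses these branches and lands in the `default` branch, which is also outside the hunk; whether that is a gap depends on whether `default` drops the param or passes it through. Since the motivation is that the plugin matches these names case-insensitively, a single normalisation is both safer and easier to keep in step with the `Keep this synchronized with Injector/SafeObject.php` comment: switch on the lowercased name, e.g. `switch (strtolower($attr['name']))` if that is the subject, and keep only the lowercase labels. The `else` branch of the `allowFullScreen` case continues past the end of the hunk.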
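Review bot: The conditional registration in the second HTMLModule/SafeEmbed hunk is the real enforcement point for `allowfullscreen` (the attribute simply does not exist in the embed definition when the directive is off), and that deserves a why-comment so nobody later "fixes" it by always declaring the attribute; suggested text above the `if`: `// allowfullscreen is only part of the definition when HTML.FlashAllowFullScreen is on; with the directive off the attribute is dropped by the definition itself, not by the post-transform.` It would also be worth naming the array `$attrs` since it holds the whole attribute map rather than one attribute. Both hunks belong to setup(), whose opening line is in the first hunk and whose closing brace is outside the second.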
+++ b/main/inc/lib/htmlpurifier/library/HTMLPurifier/Injector/SafeObject.php
@@ -16,6 +16,9 @@ class HTMLPurifier_Injector_SafeObject extends HTMLPurifier_Injector
 protected $addParam = array(
 'allowScriptAccess' => 'never',
 'allowNetworking' => 'internal',
+ 'allowscriptaccess' => 'never',
+ 'allownetworking' => 'internal',
+
 );
 protected $allowedParam = array(
 'wmode' => true,
@@ -23,6 +26,7 @@ class HTMLPurifier_Injector_SafeObject extends HTMLPurifier_Injector
 'flashvars' => true,
 'src' => true,
 'allowFullScreen' => true, // if omitted, assume to be 'false'
+ 'allowfullscreen' => true, // if omitted, assume to be 'false'
 );
 public function prepare($config, $context) {
diff --git a/main/inc/lib/security.lib.php b/main/inc/lib/security.lib.php
index 454b83916b..517a3906f0 100755
--- a/main/inc/lib/security.lib.php
+++ b/main/inc/lib/security.lib.php
@@ -254,6 +254,7 @@ class Security {
 mkdir($cache_dir, 0777);
 }
 $config = HTMLPurifier_Config::createDefault();
+ //$config->set('Cache.DefinitionImpl', null); // Enable this line for testing purposes, for turning off caching. Don't forget to disable this line later!
 $config->set('Cache.SerializerPath', $cache_dir);
 $config->set('Core.Encoding', api_get_system_encoding());
 $config->set('HTML.Doctype', 'XHTML 1.0 Transitional');
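Review bot: The first SafeObject hunk adds a stray empty line inside the `$addParam` array literal, just before `);`; drop it. More importantly, `$addParam` now lists both spellings of allowScriptAccess and allowNetworking with no explanation, so if this array drives the params injected into every object (prepare/handleElement are outside the hunk) each object presumably receives all four, and a later maintainer will see the lowercase pair as a duplicate to remove; record the intent with a comment such as `// Both spellings on purpose: the plugin matches param names case-insensitively, and listing the lowercase form keeps a user-supplied lowercase param from overriding the forced value.` (confirm against handleElement before committing to that wording). The `allowfullscreen` entry in the second hunk repeats the `allowFullScreen` one and could carry the same note.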
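Review bot: The security.lib.php hunk adds commented-out code to the purifier configuration routine, which is exactly the kind of line that gets uncommented on a production box and forgotten; either leave it out or replace it with a plain note, e.g. `// To debug definition changes, HTMLPurifier's Cache.DefinitionImpl can be set to null (disables the definition cache); never ship that setting.` The new line also sits directly under `mkdir($cache_dir, 0777)`, which is pre-existing, but since the serializer cache stores PHP-serialized definitions in that directory and loads them back, a world-writable directory is worth tightening to `0755` in a follow-up. The enclosing method starts and ends outside the hunk.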