[dw-free] http://bugs.dwscoalition.org/show_bug.cgi?id=3420
[commit: http://hg.dwscoalition.org/dw-free/rev/4bb19bbdda27]
http://bugs.dwscoalition.org/show_bug.cgi?id=3420
Rewrite parameters for flash to make sure that it can't redirect main window
without our taking action, and to prevent pop-ups.
Patch by exor674.
Files modified:
http://bugs.dwscoalition.org/show_bug.cgi?id=3420
Rewrite parameters for flash to make sure that it can't redirect main window
without our taking action, and to prevent pop-ups.
Patch by
Files modified:
- cgi-bin/LJ/CleanHTML.pm
- t/clean-embed.t
- t/clean-event.t
--------------------------------------------------------------------------------
diff -r d4bb3eb3d448 -r 4bb19bbdda27 cgi-bin/LJ/CleanHTML.pm
--- a/cgi-bin/LJ/CleanHTML.pm Tue Feb 15 11:28:27 2011 +0800
+++ b/cgi-bin/LJ/CleanHTML.pm Thu Jan 27 17:16:54 2011 +0000
@@ -130,6 +130,7 @@ sub clean
my $noexpand_embedded = $opts->{'noexpandembedded'} || $opts->{'textonly'} || 0;
my $transform_embed_nocheck = $opts->{'transform_embed_nocheck'} || 0;
my $transform_embed_wmode = $opts->{'transform_embed_wmode'};
+ my $rewrite_embed_param = $opts->{rewrite_embed_param} || 0;
my $remove_colors = $opts->{'remove_colors'} || 0;
my $remove_sizes = $opts->{'remove_sizes'} || 0;
my $remove_fonts = $opts->{'remove_fonts'} || 0;
@@ -360,6 +361,14 @@ sub clean
});
next TOKEN;
}
+ }
+
+ if ( $tag eq "embed" && $rewrite_embed_param ) {
+ $attr->{allowscriptaccess} = "sameDomain" if exists $attr->{allowscriptaccess} && $attr->{allowscriptaccess} ne 'never';
+ }
+
+ if ( $tag eq "param" && $rewrite_embed_param && $opencount{object} && lc( $attr->{name} ) eq 'allowscriptaccess' ) {
+ $attr->{value} = "sameDomain" if $attr->{value} ne 'never';
}
if ($tag eq "span" && lc $attr->{class} eq "ljuser" && ! $noexpand_embedded) {
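Review bot: Both new branches compare the existing value against the literal `'never'` case-sensitively, while the `<param>` branch case-folds the `name` with `lc`; an author who wrote `value="Never"` or `allowscriptaccess="NEVER"` would presumably have the stricter setting they chose rewritten to `sameDomain`, and an undefined `value` (or a `<param>` with no `name`, via `lc( $attr->{name} )`) raises an uninitialized-value warning under `use warnings`. Folding and guarding keeps the author's stricter setting: `$attr->{value} = "sameDomain" unless defined $attr->{value} && lc $attr->{value} eq 'never';` for the param branch and `lc $attr->{allowscriptaccess} ne 'never'` for the embed branch. The commit description also says the rewrite is meant to prevent pop-ups, yet only `allowscriptaccess` is touched here; if that is the intent, `allownetworking` would presumably need the same treatment, which is worth confirming. The enclosing `clean` sub starts and ends outside this hunk.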
@@ -1466,6 +1475,7 @@ sub clean_event
'remove_fonts' => $opts->{'remove_fonts'} ? 1 : 0,
'transform_embed_nocheck' => $opts->{'transform_embed_nocheck'} ? 1 : 0,
'transform_embed_wmode' => $opts->{'transform_embed_wmode'},
+ rewrite_embed_param => $opts->{rewrite_embed_param} ? 1 : 0,
'suspend_msg' => $opts->{'suspend_msg'} ? 1 : 0,
'unsuspend_supportid' => $opts->{'unsuspend_supportid'},
to_external_site => $opts->{to_external_site} ? 1 : 0,
@@ -1497,6 +1507,7 @@ sub clean_embed {
extractimages => 0,
noexpandembedded => 1,
transform_embed_nocheck => 1,
+ rewrite_embed_param => 1,
});
}
diff -r d4bb3eb3d448 -r 4bb19bbdda27 t/clean-embed.t
--- a/t/clean-embed.t Tue Feb 15 11:28:27 2011 +0800
+++ b/t/clean-embed.t Thu Jan 27 17:16:54 2011 +0000
@@ -1,7 +1,7 @@
# -*-perl-*-
use strict;
-use Test::More tests => 23;
+use Test::More tests => 25;
use lib "$ENV{LJHOME}/cgi-bin";
require 'ljlib.pl';
@@ -27,10 +27,21 @@ note("simple object");
$clean->();
is( $orig_post, $clean_post, "basic <object>" );
+note("<object> and <embed> tags, params different case");
+$orig_post = qq{<object width="640" height="385"><param name="movie" value="http://www.example.com/video"></param><param name="allowFullScreen" value="true"></param><param name="allowScrIpTaccess" value="always"></param><embed src="http://www.example.com/video" type="application/x-shockwave-flash" allowScrIptAccess="always" allowfullscreen="true" width="640" height="385"></embed></object>};
+$clean_post = qq{<object width="640" height="385"><param name="movie" value="http://www.example.com/video"></param><param name="allowFullScreen" value="true"></param><param name="allowScrIpTaccess" value="sameDomain"></param><embed src="http://www.example.com/video" type="application/x-shockwave-flash" allowscriptaccess="sameDomain" allowfullscreen="true" width="640" height="385"></embed></object>};
+$clean->();
+is( $orig_post, $clean_post, "<object> and <embed> tags" );
note("<object> and <embed> tags");
$orig_post = qq{<object width="640" height="385"><param name="movie" value="http://www.example.com/video"></param><param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="always"></param><embed src="http://www.example.com/video" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="640" height="385"></embed></object>};
-$clean_post = qq{<object width="640" height="385"><param name="movie" value="http://www.example.com/video"></param><param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="always"></param><embed src="http://www.example.com/video" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="640" height="385"></embed></object>};
+$clean_post = qq{<object width="640" height="385"><param name="movie" value="http://www.example.com/video"></param><param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="sameDomain"></param><embed src="http://www.example.com/video" type="application/x-shockwave-flash" allowscriptaccess="sameDomain" allowfullscreen="true" width="640" height="385"></embed></object>};
+$clean->();
+is( $orig_post, $clean_post, "<object> and <embed> tags" );
+
+note("<object> and <embed> tags, keep never");
+$orig_post = qq{<object width="640" height="385"><param name="movie" value="http://www.example.com/video"></param><param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="never"></param><embed src="http://www.example.com/video" type="application/x-shockwave-flash" allowscriptaccess="never" allowfullscreen="true" width="640" height="385"></embed></object>};
+$clean_post = qq{<object width="640" height="385"><param name="movie" value="http://www.example.com/video"></param><param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="never"></param><embed src="http://www.example.com/video" type="application/x-shockwave-flash" allowscriptaccess="never" allowfullscreen="true" width="640" height="385"></embed></object>};
$clean->();
is( $orig_post, $clean_post, "<object> and <embed> tags" );
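Review bot: Three assertions in this hunk share the description "<object> and <embed> tags" (the case-variant test, the unchanged original, and the "keep never" test), so a failure report cannot say which case broke, even though the `note` calls already carry distinct labels. Reusing those labels in the descriptions fixes it: `is( $orig_post, $clean_post, "<object> and <embed> tags, params different case" );` and `is( $orig_post, $clean_post, "<object> and <embed> tags, keep never" );`. There is also no case covering an `<embed>` or `<param>` with no `allowscriptaccess` at all, which the code path leaves untouched by design; a test pinning that would guard the `exists` check.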
@@ -52,7 +63,7 @@ my $id = "ABC123abc-_";
my $id = "ABC123abc-_";
note("trusted site: youtube");
$orig_post = qq{<object width="640" height="385"><param name="movie" value="http://www.youtube.com/v/$id?fs=1&hl=en_US"></param><param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="always"></param><embed src="http://www.youtube.com/v/$id?fs=1&hl=en_US" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="640" height="385"></embed></object>};
-$clean_post = qq{<object width="640" height="385"><param name="movie" value="http://www.youtube.com/v/$id?fs=1&hl=en_US"></param><param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="always"></param><embed src="http://www.youtube.com/v/$id?fs=1&hl=en_US" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="640" height="385"></embed></object>};
+$clean_post = qq{<object width="640" height="385"><param name="movie" value="http://www.youtube.com/v/$id?fs=1&hl=en_US"></param><param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="sameDomain"></param><embed src="http://www.youtube.com/v/$id?fs=1&hl=en_US" type="application/x-shockwave-flash" allowscriptaccess="sameDomain" allowfullscreen="true" width="640" height="385"></embed></object>};
$clean->();
is( $orig_post, $clean_post, "old-style embeds" );
diff -r d4bb3eb3d448 -r 4bb19bbdda27 t/clean-event.t
--- a/t/clean-event.t Tue Feb 15 11:28:27 2011 +0800
+++ b/t/clean-event.t Thu Jan 27 17:16:54 2011 +0000
@@ -171,4 +171,12 @@ is( $orig_post, $cut_text, "Text under o
$clean->( { cut_retrieve => 2 } );
is( $orig_post, $cut_text, "Text under inner cut, HTML" );
+# embed tags
+
+note("<object> and <embed> tags");
+$orig_post = qq{<object width="640" height="385"><param name="movie" value="http://www.example.com/video"></param><param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="always"></param><embed src="http://www.example.com/video" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="640" height="385"></embed></object>};
+$clean_post = qq{};
+$clean->();
+is( $orig_post, $clean_post, "<object> and <embed> tags" );
+
1;
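Review bot: The description "<object> and <embed> tags" does not say what the assertion checks; the expected `$clean_post` is `qq{}`, i.e. the whole object is stripped, so a reader of a failure would not know removal was intended: `is( $orig_post, $clean_post, "<object> and <embed> tags are stripped from entries" );`. As far as this hunk shows, nothing passes `rewrite_embed_param` to `clean_event`, so the new option is only exercised through `clean_embed` in the other test file; if `clean_event` callers are expected to opt in, a second case with the option set (the `$clean` helper is defined outside this hunk) would cover that path.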
--------------------------------------------------------------------------------
