diff --git a/library/HTMLPurifier/AttrTransform/SafeParam.php b/library/HTMLPurifier/AttrTransform/SafeParam.php
index 1033106b3..d0f5ed0f0 100644
--- a/library/HTMLPurifier/AttrTransform/SafeParam.php
+++ b/library/HTMLPurifier/AttrTransform/SafeParam.php
@@ -45,16 +45,19 @@ public function transform($attr, $config, $context)
{
// If we add support for other objects, we'll need to alter the
// transforms.
- switch ($attr['name']) {
+ switch (strtolower($attr['name'])) {
// application/x-shockwave-flash
// Keep this synchronized with Injector/SafeObject.php
- case 'allowScriptAccess':
+ case 'allowscriptaccess':
+ $attr['name'] = 'allowScriptAccess';
$attr['value'] = 'never';
break;
- case 'allowNetworking':
+ case 'allownetworking':
+ $attr['name'] = 'allowNetworking';
$attr['value'] = 'internal';
break;
- case 'allowFullScreen':
+ case 'allowfullscreen':
+ $attr['name'] = 'allowFullScreen';
if ($config->get('HTML.FlashAllowFullScreen')) {
$attr['value'] = ($attr['value'] == 'true') ? 'true' : 'false';
} else {
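Review bot: The `strtolower()` at the top of the switch is a byte-wise ASCII fold, and that is the right choice here — a name that does not fold to one of the listed cases reaches `default` and is blanked — but nothing records the intent, so a later "fix" to `mb_strtolower()` (which also folds characters such as U+212A KELVIN SIGN to `k`) would silently widen what matches. I would add above the switch: `// ASCII-only fold on purpose: param names are presumably matched case-insensitively by the plugin, and anything that does not fold to a known name is dropped in default (fail closed).` The canonical reassignments (`$attr['name'] = 'allowScriptAccess';` etc.) must stay byte-identical to the `$addParam` keys in Injector/SafeObject.php, because the injector keys its duplicate check on the lowercased form of those names; the existing "Keep this synchronized" comment could say that explicitly. The `transform()` body continues past this hunk.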
@@ -62,6 +65,7 @@ public function transform($attr, $config, $context)
}
break;
case 'wmode':
+ $attr['name'] = 'wmode';
$attr['value'] = $this->wmode->validate($attr['value'], $config, $context);
break;
case 'movie':
@@ -70,12 +74,13 @@ public function transform($attr, $config, $context)
$attr['value'] = $this->uri->validate($attr['value'], $config, $context);
break;
case 'flashvars':
+ $attr['name'] = "flashvars";
// we're going to allow arbitrary inputs to the SWF, on
// the reasoning that it could only hack the SWF, not us.
break;
// add other cases to support other param name/value pairs
default:
- $attr['name'] = $attr['value'] = null;
+ $attr['name'] = $attr['value'] = '';
}
return $attr;
}
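Review bot: `$attr['name'] = "flashvars";` is the only canonical-name assignment in this function written with double quotes; make it `$attr['name'] = 'flashvars';` to match the others. The `movie`/`src` branch above is cut by the hunk boundary (new lines 72–73 are not shown); if it does not also reassign `$attr['name']`, a `MOVIE` or `SRC` param would keep its original casing while every other accepted name is canonicalised — worth confirming. The `default` branch now blanks with `''` instead of `null`, but the reason for that change is not recorded anywhere in the diff; a one-line comment stating what consumes the blanked name downstream would save the next reader from guessing.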
diff --git a/library/HTMLPurifier/Injector/SafeObject.php b/library/HTMLPurifier/Injector/SafeObject.php
index 317f7864d..214be5d2e 100644
--- a/library/HTMLPurifier/Injector/SafeObject.php
+++ b/library/HTMLPurifier/Injector/SafeObject.php
@@ -35,6 +35,12 @@ class HTMLPurifier_Injector_SafeObject extends HTMLPurifier_Injector
'allowNetworking' => 'internal',
);
+ /**
+ * Lower-cased map for $addParam
+ * @type array
+ */
+ protected $addParamMap = array();
+
/**
* These are all lower-case keys.
* @type array
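Review bot: The docblock on the new `$addParamMap` property says only "Lower-cased map for $addParam", which leaves the direction of the mapping and its owner implicit even though `handleElement()` depends on both. Suggest: `* Maps strtolower(name) => canonical name for every key of $addParam; populated in __construct().` and `@type array<string, string>` to pin the shape. The surrounding `$allowedParam` docblock already states its "all lower-case keys" invariant, so this keeps the two properties documented to the same standard.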
@@ -47,6 +53,13 @@ class HTMLPurifier_Injector_SafeObject extends HTMLPurifier_Injector
'allowfullscreen' => true, // if omitted, assume to be 'false'
);
+ public function __construct()
+ {
+ foreach (array_keys($this->addParam) as $name) {
+ $this->addParamMap[strtolower($name)] = $name;
+ }
+ }
+
/**
* @param HTMLPurifier_Config $config
* @param HTMLPurifier_Context $context
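Review bot: The new `__construct()` does not chain to `parent::__construct()`; `HTMLPurifier_Injector` is not visible in this diff, so if it has, or later gains, a constructor, its initialisation would be skipped — either add the call or confirm there is nothing to chain to. The loop can also be a single expression: `$keys = array_keys($this->addParam); $this->addParamMap = array_combine(array_map('strtolower', $keys), $keys);`. Because the map is built from `$this->addParam` at runtime, a subclass that overrides `$addParam` is covered without further work, which is worth a short comment on the constructor.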
@@ -64,11 +77,13 @@ public function handleElement(&$token)
{
if ($token->name == 'object') {
$this->objectStack[] = $token;
- $this->paramStack[] = array();
+ $paramStack = array();
$new = array($token);
foreach ($this->addParam as $name => $value) {
$new[] = new HTMLPurifier_Token_Empty('param', array('name' => $name, 'value' => $value));
+ $paramStack[strtolower($name)] = true;
}
+ $this->paramStack[] = $paramStack;
$token = $new;
} elseif ($token->name == 'param') {
$nest = count($this->currentNesting) - 1;
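Review bot: `$paramStack[strtolower($name)] = true;` changes what a stack entry means — the injected params are now recorded as already present, so a user-supplied copy in any case is refused in the `param` branch rather than merged — but the line carries no comment explaining that. Suggest: `// pre-mark the injected names so user-supplied copies (in any case) are dropped below`. The `param` branch of `handleElement()` continues past this hunk.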
@@ -78,23 +93,24 @@ public function handleElement(&$token)
$token = false;
return;
}
- $n = $token->attr['name'];
+ $n = strtolower($token->attr['name']);
// We need this fix because YouTube doesn't supply a data
// attribute, which we need if a type is specified. This is
// *very* Flash specific.
if (!isset($this->objectStack[$i]->attr['data']) &&
- ($token->attr['name'] == 'movie' || $token->attr['name'] == 'src')
+ ($n == 'movie' || $n == 'src')
) {
$this->objectStack[$i]->attr['data'] = $token->attr['value'];
}
+ /** @TODO: fix comment */
// Check if the parameter is the correct value but has not
// already been added
if (!isset($this->paramStack[$i][$n]) &&
- isset($this->addParam[$n]) &&
- $token->attr['name'] === $this->addParam[$n]) {
+ isset($this->addParamMap[$n]) &&
+ $token->attr['value'] === $this->addParam[$this->addParamMap[$n]]) {
// keep token, and add to param stack
$this->paramStack[$i][$n] = true;
- } elseif (isset($this->allowedParam[strtolower($n)])) {
+ } elseif (isset($this->allowedParam[$n])) {
// keep token, don't do anything to it
// (could possibly check for duplicates here)
// Note: In principle, parameters should be case sensitive.
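Review bot: The first branch (`!isset($this->paramStack[$i][$n]) && isset($this->addParamMap[$n]) && …`) appears unreachable now: the `object` branch of this same method pre-marks every lowercased `$addParam` key in `paramStack` when the object is opened, so whenever `$n` is in `$addParamMap` the first clause is already false (assuming `$i` indexes the same object whose entry was pushed there). User copies of `allowScriptAccess`/`allowNetworking` therefore fall through to the `$allowedParam` check, which is the fail-closed outcome only as long as `$allowedParam` never lists an `$addParam` name (only `allowfullscreen` is visible here) — worth asserting in a test. I would replace the dead branch and the `@TODO: fix comment` marker with an explicit drop, `if (isset($this->addParamMap[$n])) { // injected on object open; user-supplied copies are never kept` / `$token = false; return;`, and update the trailing "parameters should be case sensitive" note, which now contradicts the `strtolower($token->attr['name'])` above it. The method continues past this hunk.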
diff --git a/tests/HTMLPurifier/HTMLModule/SafeObjectTest.php b/tests/HTMLPurifier/HTMLModule/SafeObjectTest.php
index 81d4c9a9c..a164df4e6 100644
--- a/tests/HTMLPurifier/HTMLModule/SafeObjectTest.php
+++ b/tests/HTMLPurifier/HTMLModule/SafeObjectTest.php
@@ -51,6 +51,22 @@ public function testFullScreen()
);
}
+ public function testParamsNamesNormalization()
+ {
+ $this->assertResult(
+'',
+''
+ );
+ }
+
}
// vim: et sw=4 sts=4
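Review bot: As rendered here `testParamsNamesNormalization()` passes `''` for both the input and the expected output, and the hunk header promises 16 added lines while far fewer are visible, so the object/param markup was most likely stripped by page extraction; if the committed test really has empty fixtures it asserts nothing about normalisation. The test should feed mixed-case names and check both the canonical name and the forced value, e.g. a `<param name="ALLOWSCRIPTACCESS" value="always" />` inside an object expected to come out as `<param name="allowScriptAccess" value="never" />`, plus a `WMODE` or `FlashVars` case for the branches whose value is not forced. A duplicate case — `allowNetworking` supplied with value `all` — would also pin the injector's drop behaviour rather than leaving it implied.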