fix: Normalize param's names of "safe" object

library/HTMLPurifier/AttrTransform/SafeParam.php

@@ -45,23 +45,27 @@ public function transform($attr, $config, $context)
     {
         // If we add support for other objects, we'll need to alter the
         // transforms.
-        switch ($attr['name']) {
+        switch (strtolower($attr['name'])) {
             // application/x-shockwave-flash
             // Keep this synchronized with Injector/SafeObject.php
-            case 'allowScriptAccess':
+            case 'allowscriptaccess':
+                $attr['name'] = 'allowScriptAccess';
                 $attr['value'] = 'never';
                 break;
-            case 'allowNetworking':
+            case 'allownetworking':
+                $attr['name'] = 'allowNetworking';
                 $attr['value'] = 'internal';
                 break;
-            case 'allowFullScreen':
+            case 'allowfullscreen':
+                $attr['name'] = 'allowFullScreen';
                 if ($config->get('HTML.FlashAllowFullScreen')) {
                     $attr['value'] = ($attr['value'] == 'true') ? 'true' : 'false';
                 } else {
                     $attr['value'] = 'false';
                 }
                 break;
             case 'wmode':
+                $attr['name'] = 'wmode';
                 $attr['value'] = $this->wmode->validate($attr['value'], $config, $context);
                 break;
             case 'movie':
@@ -70,12 +74,13 @@ public function transform($attr, $config, $context)
                 $attr['value'] = $this->uri->validate($attr['value'], $config, $context);
                 break;
             case 'flashvars':
+                $attr['name'] = "flashvars";
                 // we're going to allow arbitrary inputs to the SWF, on
                 // the reasoning that it could only hack the SWF, not us.
                 break;
             // add other cases to support other param name/value pairs
             default:
-                $attr['name'] = $attr['value'] = null;
+                $attr['name'] = $attr['value'] = '';
         }
         return $attr;
     }

library/HTMLPurifier/Injector/SafeObject.php

@@ -35,6 +35,12 @@ class HTMLPurifier_Injector_SafeObject extends HTMLPurifier_Injector
         'allowNetworking' => 'internal',
     );
 
+    /**
+     * Lower-cased map for $addParam
+     * @type array
+     */
+    protected $addParamMap = array();
+
     /**
      * These are all lower-case keys.
      * @type array
@@ -47,6 +53,13 @@ class HTMLPurifier_Injector_SafeObject extends HTMLPurifier_Injector
         'allowfullscreen' => true, // if omitted, assume to be 'false'
     );
 
+    public function __construct()
+    {
+        foreach (array_keys($this->addParam) as $name) {
+            $this->addParamMap[strtolower($name)] = $name;
+        }
+    }
+
     /**
      * @param HTMLPurifier_Config $config
      * @param HTMLPurifier_Context $context
@@ -64,11 +77,13 @@ public function handleElement(&$token)
     {
         if ($token->name == 'object') {
             $this->objectStack[] = $token;
-            $this->paramStack[] = array();
+            $paramStack = array();
             $new = array($token);
             foreach ($this->addParam as $name => $value) {
                 $new[] = new HTMLPurifier_Token_Empty('param', array('name' => $name, 'value' => $value));
+                $paramStack[strtolower($name)] = true;
             }
+            $this->paramStack[] = $paramStack;
             $token = $new;
         } elseif ($token->name == 'param') {
             $nest = count($this->currentNesting) - 1;
@@ -78,23 +93,24 @@ public function handleElement(&$token)
                     $token = false;
                     return;
                 }
-                $n = $token->attr['name'];
+                $n = strtolower($token->attr['name']);
                 // We need this fix because YouTube doesn't supply a data
                 // attribute, which we need if a type is specified. This is
                 // *very* Flash specific.
                 if (!isset($this->objectStack[$i]->attr['data']) &&
-                    ($token->attr['name'] == 'movie' || $token->attr['name'] == 'src')
+                    ($n == 'movie' || $n == 'src')
                 ) {
                     $this->objectStack[$i]->attr['data'] = $token->attr['value'];
                 }
+                /** @TODO: fix comment */
                 // Check if the parameter is the correct value but has not
                 // already been added
                 if (!isset($this->paramStack[$i][$n]) &&
-                    isset($this->addParam[$n]) &&
-                    $token->attr['name'] === $this->addParam[$n]) {
+                    isset($this->addParamMap[$n]) &&
+                    $token->attr['value'] === $this->addParam[$this->addParamMap[$n]]) {
                     // keep token, and add to param stack
                     $this->paramStack[$i][$n] = true;
-                } elseif (isset($this->allowedParam[strtolower($n)])) {
+                } elseif (isset($this->allowedParam[$n])) {
                     // keep token, don't do anything to it
                     // (could possibly check for duplicates here)
                     // Note: In principle, parameters should be case sensitive.

tests/HTMLPurifier/HTMLModule/SafeObjectTest.php

@@ -51,6 +51,22 @@ public function testFullScreen()
         );
     }
 
+    public function testParamsNamesNormalization()
+    {
+        $this->assertResult(
+'<b><object width="425" height="344" type="application/x-shockwave-flash" data="Foobar">
+<param name="allowscriptaccess" value="dummyValue" />
+<param name="flashVars" value="foobarbaz=bally" />
+<param name="allowfullscreen" value="true" />
+</object></b>',
+'<b><object width="425" height="344" type="application/x-shockwave-flash" data="Foobar"><param name="allowScriptAccess" value="never" /><param name="allowNetworking" value="internal" />
+
+<param name="flashvars" value="foobarbaz=bally" />
+<param name="allowFullScreen" value="false" />
+</object></b>'
+        );
+    }
+
 }
 
 // vim: et sw=4 sts=4