summaryrefslogtreecommitdiff
path: root/lib/htmlpurifier/library/HTMLPurifier/Injector/SafeObject.php
diff options
context:
space:
mode:
Diffstat (limited to 'lib/htmlpurifier/library/HTMLPurifier/Injector/SafeObject.php')
-rw-r--r--[-rwxr-xr-x]lib/htmlpurifier/library/HTMLPurifier/Injector/SafeObject.php6
1 files changed, 5 insertions, 1 deletions
diff --git a/lib/htmlpurifier/library/HTMLPurifier/Injector/SafeObject.php b/lib/htmlpurifier/library/HTMLPurifier/Injector/SafeObject.php
index 341582868..c1d8b0412 100755..100644
--- a/lib/htmlpurifier/library/HTMLPurifier/Injector/SafeObject.php
+++ b/lib/htmlpurifier/library/HTMLPurifier/Injector/SafeObject.php
@@ -20,6 +20,9 @@ class HTMLPurifier_Injector_SafeObject extends HTMLPurifier_Injector
protected $allowedParam = array(
'wmode' => true,
'movie' => true,
+ 'flashvars' => true,
+ 'src' => true,
+ 'allowFullScreen' => true, // if omitted, assume to be 'false'
);
public function prepare($config, $context) {
@@ -47,7 +50,8 @@ class HTMLPurifier_Injector_SafeObject extends HTMLPurifier_Injector
// We need this fix because YouTube doesn't supply a data
// attribute, which we need if a type is specified. This is
// *very* Flash specific.
- if (!isset($this->objectStack[$i]->attr['data']) && $token->attr['name'] == 'movie') {
+ if (!isset($this->objectStack[$i]->attr['data']) &&
+ ($token->attr['name'] == 'movie' || $token->attr['name'] == 'src')) {
$this->objectStack[$i]->attr['data'] = $token->attr['value'];
}
// Check if the parameter is the correct value but has not
generated by cgit v1.2.3 (git 2.25.1) at 2024-07-12 14:07:09 +0000