1) I want to allow my users to embed videos
2) I want to let them do so without having to do anything more than paste a URL into a CKEditor dialog
3) I want HTMLPurifier to filter the embed
<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0"> <param name="movie" value="http://www.youtube.com/v/AyPzM5WK8ys" /> <embed pluginspage="http://www.macromedia.com/go/getflashplayer" src="http://www.youtube.com/v/AyPzM5WK8ys" type="application/x-shockwave-flash"> </embed> </object>
<object width="425" height="350"> <param name="movie" value="http://www.youtube.com/v/AyPzM5WK8ys" /> <param name="wmode" value="transparent" /> <embed src="http://www.youtube.com/v/AyPzM5WK8ys" type="application/x-shockwave-flash" wmode="transparent" width="425" height="350" /> </object>
<object type="application/x-shockwave-flash" data="http://www.youtube.com/v/AyPzM5WK8ys"> <param value="never" name="allowScriptAccess" /> <param value="internal" name="allowNetworking" /> <param name="movie" value="http://www.youtube.com/v/AyPzM5WK8ys" /> <!--[if IE]> <embed src="http://www.youtube.com/v/AyPzM5WK8ys" allowScriptAccess="never" allowNetworking="internal" /> <![endif]--> </object>
<object data="http://www.youtube.com/v/AyPzM5WK8ys" type="application/x-shockwave-flash"> <param name="allowScriptAccess" value="never" /> <param name="allowNetworking" value="internal" /> <param name="movie" value="http://www.youtube.com/v/AyPzM5WK8ys" /> <embed allownetworking="internal" allowscriptaccess="never" src="http://www.youtube.com/v/AyPzM5WK8ys" type="application/x-shockwave-flash"></embed> <!--[if IE]> <embed src="http://www.youtube.com/v/AyPzM5WK8ys" allowScriptAccess="never" allowNetworking="internal" /> <![endif]--> </object>
$config->set('HTML.AllowedElements', 'p,b,strong,i,em,u,a,ol,ul,li,hr,blockquote,img,table,tr,td,th,span,object,param,embed');
$config->set('HTML.AllowedAttributes', 'a.href,img.src,img.width,img.height,img.alt,img.title,span.class,object.style,object.data,object.width,object.height,param.name,param.value,embed.src,embed.type,embed.wmode,embed.width,embed.height');
$config->set('HTML.SafeObject', true);
$config->set('HTML.SafeEmbed', true);
$config->set('Output.FlashCompat', true);
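
Added example, not part of the original post: one way to meet goal 2 is to accept only the pasted URL, validate it against a host allowlist, and generate the embed from a fixed template in the style of the third snippet above, so that no user-supplied markup is involved. The function names and the host list are assumptions made for this illustration.

```javascript
// Added example, not code from the thread. Function names and the host
// allowlist are assumptions; the markup follows the third snippet in the post.
const ALLOWED_HOSTS = new Set(['www.youtube.com', 'youtube.com', 'youtu.be']);
const VIDEO_ID = /^[A-Za-z0-9_-]{11}$/;

// Return the 11-character video id, or null if the URL is not an accepted form.
function extractVideoId(pasted) {
  let url;
  try {
    url = new URL(String(pasted).trim());
  } catch (e) {
    return null; // not an absolute URL
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return null;
  // Reject userinfo and explicit ports so the host check cannot be confused.
  if (url.username || url.password || url.port) return null;
  if (!ALLOWED_HOSTS.has(url.hostname)) return null;

  let id = null;
  if (url.hostname === 'youtu.be') {
    id = url.pathname.slice(1);            // http://youtu.be/<id>
  } else if (url.pathname === '/watch') {
    id = url.searchParams.get('v');        // /watch?v=<id>
  } else if (url.pathname.startsWith('/v/')) {
    id = url.pathname.slice(3);            // /v/<id>
  }
  return id !== null && VIDEO_ID.test(id) ? id : null;
}

// Build the embed from a fixed template; only the validated id is interpolated.
function buildEmbed(pasted) {
  const id = extractVideoId(pasted);
  if (id === null) return null;
  const src = 'http://www.youtube.com/v/' + id;
  return '<object type="application/x-shockwave-flash" data="' + src + '">' +
    '<param name="allowScriptAccess" value="never" />' +
    '<param name="allowNetworking" value="internal" />' +
    '<param name="movie" value="' + src + '" />' +
    '</object>';
}
```

Because the id is limited to `[A-Za-z0-9_-]`, the generated markup needs no further escaping, and the output can still be passed through HTMLPurifier with the SafeObject settings above.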

Re: Making CKEditor and HTMLPurifier coordinate on flash emb
Require HTMLPurifier.php first, then:
$config->set('HTML.SafeObject', true);
$config->set('HTML.SafeEmbed', true);
$config->set('Output.FlashCompat', true);
$config->set('HTML.Trusted', true);
$config->set('Filter.YouTube', true);
Dunno if you need any of the other stuff, 'HTML.Trusted', true takes care of most, if not all, of the things you have listed as allowed elements.
I wouldn't use the above for input available to users who are not accountable - like users who are not logged in.
Cheers for the extra params needed to make flash work properly, I was looking for those sort of but semi not caring because I don't use flash or embeds. I did just test all the above and it does work in both source and WYSIWYG mode.
You'll need to write a fake object plugin or edit the CKEditor flash dialog plugin to deal with the code after HTMLPurifier makes it valid, because the little red box (the fake object) doesn't show after HTMLPurifier has had its way with it. It's still there though, look at the source.
Thanks,
Zanpakutō
Re: Making CKEditor and HTMLPurifier coordinate on flash emb
http://htmlpurifier.org/phorum/read.php?2,4794
http://htmlpurifier.org/phorum/read.php?2,4715
Re: Making CKEditor and HTMLPurifier coordinate on flash emb
EMBED is a valid HTML 5 tag and it is counterproductive to filter it out here, because without SafeEmbed true, HTMLPurifier screws up the code generated by CKEditor's flash plugin.
That's hyperbole, and if he thinks it should be called unsafe, he needs to change the API before he starts telling people to use it by the unsafe name. While it is slightly confusing to use the word trusted, it does exactly what I want it to do, and that is to allow users who are trusted, because they have been provided with a login account, to post more types of tags than normal when HTML filtering is applied.
You need to realise here that the guy has very little interest in flash embeds and his software is designed to remove anything like that because he has deemed it categorically unsafe, whilst using that to sidestep the issue that somewhere amongst all the embeds and objects, there is actually some valid code to be filtered out.
It's harsh to say this, but I have come to the conclusion after reading those threads that HTMLPurifier is not a suitable solution to the way I view the forward-thinking web. Many of htmlfilter's rules are archaic and likely target browser-specific bugs (mainly IE, I expect), many of which will now be fixed, so it is best to avoid it. Then you don't get tangled up in someone else's HTML filtering rules and their rhetoric about what you should or should not use on a web page.
It's probably going to be more productive to create something from W3C's unicorn and HTMLtidy than rely on HTMLPurifier from now on, in my view.
The code I posted above works for me for now.
Thanks,
Zanpakutō