1 (edited by Nico 2009-03-12 23:32:36)

Topic: Authorizing Flash objects?

Hello,

Very good job !

Sorry, I speak very little English :/ (Thanks Google translate )

To purify the HTML that I retrieve via an XML script, I tested several tools (tidy, htmlpurifier, ...) and each time the output code was W3C-valid but truncated, sometimes with a portion of the content removed and ultimately meaningless.

I am pleased to find that htmLawed filters without breaking the content that I get by XML!

Question: How to allow Flash?

Original code:

<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,0,0" width="600" height="600">
    <param name="movie" value="http://the host.ltd/file.swf" />
    <param name="type" value="application/x-shockwave-flash" />
    <param name="pluginspage" value="http://www.macromedia.com/go/getflashplayer/" />
    <param name="menu" value="false" />
    <embed src="http://the host.ltd/file.swf" menu="false" type="application/x-shockwave-flash" width="600" height="600" pluginspage="http://www.macromedia.com/go/getflashplayer">
    </embed>
</object>

After htmLawed parsing:

<param name="movie" value="http://the host.ltd/file.swf" />
<param name="type" value="application/x-shockwave-flash" />
<param name="pluginspage" value="http://www.macromedia.com/go/getflashplayer/" />
<param name="menu" value="false" />

I would like this type of code not to be filtered (leaving the original code, with the object and embed tags).

Does a solution exist, please?

Thank you in advance for your help.

2

Re: Authorizing Flash objects?

By default htmLawed will permit 'object' and 'embed'. Those elements in your sample code will pass through the filter without any problem. It seems you have htmLawed running in 'safe mode', which disallows 'object' and 'embed'.

However, to allow the 'clsid' property in the 'classid' attribute of the 'object' element, you have to set the parameter 'schemes' properly which dictates what protocols [schemes] are allowed in the various attributes. By default, htmLawed only permits aim, feed, file, ftp, gopher, http, https, irc, mailto, news, nntp, sftp, ssh, and telnet in 'href', and file, http, and https in all other attributes.

The following should work for you:

$config['schemes'] = 'classid: clsid; href: http, https, ssh, telnet; *: file, http, https'; // attribute sections are separated by ';'
... // ending configuration

$out = htmLawed($in, $config);

3 (edited by Nico 2009-03-13 00:30:01)

Re: Authorizing Flash objects?

Thanks for your help.

Yes, this is my config: 'safe'=>1, // Dangerous elements and attributes thus not allowed

I tested the schemes; it does not work, it lacks the object and embed tags.

My code:

// Set htmLawed; some configuration need not be specified because the default behavior is good enough
$config = array(
    'schemes' => 'classid: clsid; href: http, https, ssh, telnet; *: file, http, https', // each attribute section separated by ';'
    'safe' => 1, // Dangerous elements and attributes thus not allowed
    'elements' => '* -th -tfoot -thead -col -colgroup -caption', // All except table-related are OK
    'deny_attribute' => 'class, id, style' // None of the allowed elements can have these attributes
);
$spec = 'a = title, href;'; // The 'a' element can have only these attributes

// The filtering
$str = htmLawed($str, $config, $spec);

Am I in error?

4

Re: Authorizing Flash objects?

With 'safe' set to 1, some elements, including 'object' and 'embed', are not permitted. You have to remove 'safe' or set it to 0.

If you have the time, do look at the documentation if you want to know what 'safe' is for, how you can deny, for instance, 'script', and so on.

5 (edited by Nico 2009-03-13 01:15:46)

Re: Authorizing Flash objects?

I already looked at the (big) documentation but I am afraid of a bad configuration; the safe default value is fine for my usage.

I think it is better for me to do a preg_replace() to temporarily replace, before parsing, the tags <object(.*?)> and <embed(.*?)> => #sep#object(.*?)#/sep# and #sep#embed(.*?)#/sep# => htmLawed works => I replace <embed(.*?)> and <object(.*?)> after parsing.

Thank you very much for your help patnaik ;)

6

Re: Authorizing Flash objects?

Your strategy seems fine.

But, note that 'safe' => 1 is a shortcut to specify other configuration parameters. Thus, you can achieve the effect of 'safe', while still allowing 'object' and 'embed' by using:

$config = array(
    'comments' => 0,
    'cdata' => 0,
    'deny_attribute' => 'on*',
    'elements' => '*-applet-iframe-script', // object, embed allowed
    'schemes' => 'classid: clsid; href: aim, feed, file, ftp, gopher, http, https, irc, mailto, news, nntp, sftp, ssh, telnet; style: nil; *: file, http, https' // clsid allowed in classid
);
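Below is an added worked example (not patnaik's code and not part of the htmLawed distribution) that runs the original poster's Flash snippet, plus a constructed script tag, an inline event handler and a javascript: link, through both configurations from this thread: 'safe' => 1, and the explicit equivalent that keeps 'object' and 'embed'. It assumes htmLawed.php is in the include path; the host name example.invalid is a placeholder. The check at the end is the one a practitioner should keep around whenever the filter configuration is loosened: the dangerous constructs must be gone under either configuration.

```php
<?php
// Added example, not from the thread. Assumes htmLawed.php (the library under
// discussion) is available on the include path.
require_once 'htmLawed.php';

// Constructed sample input: the Flash object from the question, plus three things
// any configuration must still remove: a script element, an on* handler and a
// javascript: URL. The host name is a placeholder.
$in = <<<'HTML'
<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" width="600" height="600">
  <param name="movie" value="http://example.invalid/file.swf" />
  <embed src="http://example.invalid/file.swf" type="application/x-shockwave-flash" width="600" height="600"></embed>
</object>
<script>alert(1)</script>
<img src="http://example.invalid/x.png" onload="alert(1)" />
<a href="javascript:alert(1)">link</a>
HTML;

// Configuration A: what the original poster uses. 'safe' => 1 also drops object/embed.
$safeConfig = array(
    'safe' => 1,
    'deny_attribute' => 'class, id, style',
);

// Configuration B: the explicit equivalent from the reply above. It keeps object/embed
// but still removes applet/iframe/script, all on* handlers, comments and CDATA, and
// allows the clsid scheme only in 'classid'.
$explicitConfig = array(
    'comments' => 0,
    'cdata' => 0,
    'deny_attribute' => 'on*, class, id, style',
    'elements' => '* -applet -iframe -script',
    'schemes' => 'classid: clsid; href: aim, feed, file, ftp, gopher, http, https, irc, mailto, news, nntp, sftp, ssh, telnet; style: nil; *: file, http, https',
);

// Filter with the given configuration, print the result, and report any dangerous
// construct that survived. Returns the filtered HTML so callers can inspect it too.
function filterAndReport($label, $in, array $config)
{
    $out = htmLawed($in, $config);
    echo "== $label ==\n$out\n\n";

    // Markers that must never appear in the output, whichever configuration is used.
    $forbidden = array('<script', 'onload=', 'javascript:');
    foreach ($forbidden as $needle) {
        if (stripos($out, $needle) !== false) {
            echo "WARNING: '$needle' survived filtering under '$label'\n";
        }
    }

    // Presence of object/embed is what distinguishes the two configurations.
    $keepsFlash = (stripos($out, '<object') !== false && stripos($out, '<embed') !== false);
    echo "object/embed kept under '$label': " . ($keepsFlash ? 'yes' : 'no') . "\n\n";

    return $out;
}

filterAndReport('safe => 1', $in, $safeConfig);
filterAndReport('explicit config', $in, $explicitConfig);
```

Run it from the command line with `php example.php`. The expected picture is that the first run drops the whole object (only the param elements remain, as in the question), while the second keeps object and embed; in both runs the script tag, the onload handler and the javascript: href should be gone, and the WARNING lines make any regression visible when the configuration is edited later.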

7 (edited by Nico 2009-03-13 09:55:16)

Re: Authorizing Flash objects?

Ok thank you it will be useful :)

For now I'll stay with safe => 1, because I know that if the default configuration evolves in future following a new type of XSS vulnerability, I will update htmLawed and I do not need to worry about filtering rules.

But I will look a little more at the documentation to understand how htmLawed works.