Early Bird Registration for DrupalCon Portland 2024 is open! Register by 23:59 PST on 31 March 2024, to get $100 off your ticket.
The Limit HTML tags filter is breaking calls to embedded video.
My embed code:
<object width = "512" height = "328" > <param name = "movie" value = "http://dgjigvacl6ipj.cloudfront.net/media/swf/PBSPlayer.swf" > </param><param name="flashvars" value="video=http://watch.weta.org/videoPlayerInfo/2332285454&player=viral&end=0" /> <param name="allowFullScreen" value="true"></param > <param name = "allowscriptaccess" value = "always" > </param><param name="wmode" value="transparent"></param ><embed src="http://dgjigvacl6ipj.cloudfront.net/media/swf/PBSPlayer.swf" flashvars="video=http://watch.weta.org/videoPlayerInfo/2332285454&player=viral&end=0" type="application/x-shockwave-flash" allowscriptaccess="always" wmode="transparent" allowfullscreen="true" width="512" height="328" bgcolor="#000000"></embed></object>
What's being outputted after the filter runs:
<object width="512" height="328" classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000">
<param name="movie" value="http://dgjigvacl6ipj.cloudfront.net/media/swf/PBSPlayer.swf" />
<param name="flashvars" value="//watch.weta.org/videoPlayerInfo/2332285454&player=viral&end=0" />
<param name="allowfullscreen" value="true" />
<param name="allowscriptaccess" value="always" />
<param name="wmode" value="transparent" />
<!--[if !IE]>-->
<object width="512" height="328" type="application/x-shockwave-flash" data="http://dgjigvacl6ipj.cloudfront.net/media/swf/PBSPlayer.swf">
<param name="flashvars" value="//watch.weta.org/videoPlayerInfo/2332285454&player=viral&end=0" />
<param name="allowfullscreen" value="true" />
<param name="allowscriptaccess" value="always" />
<param name="wmode" value="transparent" />
<!--<![endif]-->
<!--[if !IE]>-->
</object>
<!--<![endif]-->
</object>
Note that in the flashvars param, value="video=http://watch.weta.org/videoPlayerInfo/2332285454&player=viral&end=0
is being converted to value="//watch.weta.org/videoPlayerInfo/2332285454&player=viral&end=0"
.
I believe this is similar to what's happening in #812590: HTML Filter breaks the classid attribute of the object tag, and that drupal_strip_dangerous_protocols() is stripping out everything prior to and including the colon.
Comments