The Limit HTML tags filter is breaking calls to embedded video.

My embed code:

<object width = "512" height = "328" > <param name = "movie" value = "http://dgjigvacl6ipj.cloudfront.net/media/swf/PBSPlayer.swf" > </param><param name="flashvars" value="video=http://watch.weta.org/videoPlayerInfo/2332285454&player=viral&end=0" /> <param name="allowFullScreen" value="true"></param > <param name = "allowscriptaccess" value = "always" > </param><param name="wmode" value="transparent"></param ><embed src="http://dgjigvacl6ipj.cloudfront.net/media/swf/PBSPlayer.swf" flashvars="video=http://watch.weta.org/videoPlayerInfo/2332285454&player=viral&end=0" type="application/x-shockwave-flash" allowscriptaccess="always" wmode="transparent" allowfullscreen="true" width="512" height="328" bgcolor="#000000"></embed></object>

What's being outputted after the filter runs:

<object width="512" height="328" classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000">
<param name="movie" value="http://dgjigvacl6ipj.cloudfront.net/media/swf/PBSPlayer.swf" />
<param name="flashvars" value="//watch.weta.org/videoPlayerInfo/2332285454&amp;player=viral&amp;end=0" />
<param name="allowfullscreen" value="true" />
<param name="allowscriptaccess" value="always" />
<param name="wmode" value="transparent" />
<!--[if !IE]>-->
<object width="512" height="328" type="application/x-shockwave-flash" data="http://dgjigvacl6ipj.cloudfront.net/media/swf/PBSPlayer.swf">
<param name="flashvars" value="//watch.weta.org/videoPlayerInfo/2332285454&amp;player=viral&amp;end=0" />
<param name="allowfullscreen" value="true" />
<param name="allowscriptaccess" value="always" />
<param name="wmode" value="transparent" />
<!--<![endif]-->

<!--[if !IE]>-->
</object>
<!--<![endif]-->
</object>

Note that in the flashvars param, value="video=http://watch.weta.org/videoPlayerInfo/2332285454&player=viral&end=0 is being converted to value="//watch.weta.org/videoPlayerInfo/2332285454&amp;player=viral&amp;end=0".

I believe this is similar to what's happening in #812590: HTML Filter breaks the classid attribute of the object tag, and that drupal_strip_dangerous_protocols() is stripping out everything prior to and including the colon.

Comments

Version: 7.21 » 7.x-dev

Core issues are now filed against the dev versions where changes will be made. Document the specific release you are using in your issue comment. More information about choosing a version.