<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
xmlns="http://www.w3.org/1999/xhtml" xmlns:xi="http://www.w3.org/2001/XInclude" xmlns:xc="urn:xhtml-compiler"
<title>State of the Flash - News - HTML Purifier</title>
<xi:include href="common-meta.xml" xpointer="xpointer(/*/node())" />
<xi:include href="common-header.xml" xpointer="xpointer(/*/node())" />
<h1 id="title">State of the Flash</h1>
<p>It is no exaggeration when I say that more than half of the support
requests on HTML Purifier are for Flash. I don't hold any especial
fondness for the technology: from a purely security
standpoint—that is, after all, what HTML Purifier is about,
right?—the platform is utterly byzantine, a twisty maze of
flags and syntax and variations that make it really hard to
whitelist properly. I'd be much happier if no one used the damn
software, and support for it shows in HTML Purifier; if you would
like to support Flash videos, you either:</p>
<ul>
<li>Hack around it manually using a filter which needs to be custom
tailored for each website you wish to support, or</li>
<li>Use SafeObject and SafeEmbed.</li>
</ul>
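<p>As an added example, not code from this post or from the HTML Purifier project itself, here is the second option in use: a configuration that enables SafeObject and SafeEmbed, runs a constructed video-embed snippet through it, and then checks that the script-access setting the snippet tried to smuggle in did not survive. It assumes HTML Purifier's <code>HTMLPurifier.auto.php</code> autoloader is on the include path, the 4.x two-argument form of <code>HTMLPurifier_Config::set()</code>, a release whose SafeObject injector already accepts the <code>flashvars</code> param (the change this post announces), and the <code>Output.FlashCompat</code> directive as it exists in 4.1.0 and later; the sample input is constructed for the example.</p>

```php
<?php
// Added example, not part of the HTML Purifier project or of this post.
// Assumes: HTMLPurifier.auto.php is on the include path; the 4.x
// two-argument Config::set(); a release whose SafeObject injector accepts
// the flashvars param; the Output.FlashCompat directive (4.1.0+).
require_once 'HTMLPurifier.auto.php';

$config = HTMLPurifier_Config::createDefault();

// Whitelist <object>/<embed>, but only in the locked-down shape the
// SafeObject injector and the SafeEmbed attribute transform produce: both
// pin allowScriptAccess to "never" and allowNetworking to "internal", and
// SafeObject discards any <param> outside its short whitelist (movie,
// flashvars and wmode among them).
$config->set('HTML.SafeObject', true);
$config->set('HTML.SafeEmbed', true);
// Emit the Internet Explorer compatibility wrapper around <object>; this is
// the directive later releases added for the problem the post describes.
$config->set('Output.FlashCompat', true);

$purifier = new HTMLPurifier($config);

// Constructed sample input in the shape video sites hand out, carrying
// flashvars plus a param and an attribute a user must not be able to set.
$dirty = <<<HTML
<object type="application/x-shockwave-flash" width="425" height="344">
  <param name="movie" value="http://example.com/player.swf" />
  <param name="flashvars" value="file=clip.flv&amp;autostart=true" />
  <param name="allowScriptAccess" value="always" />
  <embed src="http://example.com/player.swf" type="application/x-shockwave-flash"
         allowScriptAccess="always" flashvars="file=clip.flv&amp;autostart=true"
         width="425" height="344"></embed>
</object>
HTML;

$clean = $purifier->purify($dirty);
echo $clean, "\n";

// Do not take the sanitised markup on faith: the output must carry the
// forced "never" setting and must not carry the user's "always" anywhere.
if (stripos($clean, 'allowScriptAccess') === false || stripos($clean, 'always') !== false) {
    throw new RuntimeException('Sanitised Flash markup is not locked down');
}
```

<p>The check at the end makes the design point explicit: with SafeObject and SafeEmbed it is the injector and the attribute transform, not the submitted markup, that decide the value of <code>allowScriptAccess</code> and <code>allowNetworking</code>, so a per-site filter is not needed to strip them. The <code>flashvars</code> param and attribute pass through as opaque text; they are kept because, as the post argues, they confer nothing the SWF itself could not already do.</p>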
<p>From an end-user perspective, I've basically become convinced that
the filter approach is not scalable; people expect to be able to
include videos from any website. Thus, work needs to be devoted to
SafeObject and SafeEmbed to make them more robust. Specifically, we need:</p>
<ul>
<li>Support for the <code>flashvars</code> parameter, which some
Flash players use in order to specify what content is being</li>
<li>Support for Internet Explorer compatibility code, which gets
specifically removed right now since we don't understand Internet
Explorer conditional comments, and</li>
<li>Better documentation about what is up with all of the different
ways of setting up Flash.</li>
</ul>
<p>I'm working on a patch as we speak to make flashvars happen. I
have no idea if this is going to introduce a security vulnerability,
although my gut feeling is that anything a user could have done with
a flashvar, they could have done with a malicious swf file.</p>
<p>For compatibility code, there has been a patch bandied around on
the forums for some time now. I spent a few hours looking at it,
and decided that the approach was wrong, so I am scrapping it. I'll
be adding a special hack to generate Internet Explorer compatibility
code whenever we see an object tag.</p>
<p>And of course, everyone loves documentation. I'll be drawing up
another document about using SafeObject and SafeEmbed effectively
once these changes are released.</p>
<p>Thank you all for being patient!</p>