Check object whitelist in HTMLFilter class, not EmbedFilter class

common/framework/security/htmlfilter.php

@@ -369,6 +369,22 @@ class HTMLFilter
 		}
 	}
 	
+	/**
+	 * Get the object whitelist as a regular expression.
+	 * 
+	 * @return string
+	 */
+	protected static function _getObjectWhitelist()
+	{
+		$domains = \EmbedFilter::getInstance()->getWhiteUrlList();
+		$result = array();
+		foreach($domains as $domain)
+		{
+			$result[] = preg_quote($domain, '%');
+		}
+		return '%^https?://(' . implode('|', $result) . ')%';
+	}
+	
 	/**
 	 * Get the iframe whitelist as a regular expression.
 	 * 
@@ -415,6 +431,21 @@ class HTMLFilter
 			return htmlspecialchars($matches[0], ENT_QUOTES, 'UTF-8');
 		}, $content);
 		
+		// Remove object and embed URLs that are not allowed.
+		$whitelist = self::_getObjectWhitelist();
+		$content = preg_replace_callback('!<(object|embed|param)([^>]+)>!i', function($matches) use($whitelist) {
+			return preg_replace_callback('!([a-zA-Z0-9_-]+)="([^"]+)"!', function($attr) use($whitelist) {
+				if (in_array($attr[1], array('data', 'src', 'href', 'url', 'movie', 'source')))
+				{
+					if (!preg_match($whitelist, htmlspecialchars_decode($attr[2])))
+					{
+						return $attr[1] . '=""';
+					}
+				}
+				return $attr[0];
+			}, $matches[0]);
+		}, $content);
+		
 		// Remove link URLs that may be CSRF attempts.
 		$content = preg_replace_callback('!\b(src|href|data|value)="([^"]+)"!i', function($matches) use($allow_acts, $deny_acts) {
 			$url = preg_replace('!\s+!', '', htmlspecialchars_decode(rawurldecode($matches[2])));