htmlpurifier/library/HTMLPurifier/HTMLModule/Iframe.php

<?php

/**
 * XHTML 1.1 Iframe Module provides inline frames.
 *
 * @note This module is not considered safe unless an Iframe
 * whitelisting mechanism is specified.  Currently, the only
 * such mechanism is %URL.SafeIframeRegexp
 */
class HTMLPurifier_HTMLModule_Iframe extends HTMLPurifier_HTMLModule
{

    public $name = 'Iframe';
    public $safe = false;

    public function setup($config) {
        if ($config->get('HTML.SafeIframe')) {
            $this->safe = true;
        }
        $this->addElement(
            'iframe', 'Inline', 'Flow', 'Common',
            array(
                'src' => 'URI#embedded',
                'width' => 'Length',
                'height' => 'Length',
                'name' => 'ID',
                'scrolling' => 'Enum#yes,no,auto',
                'frameborder' => 'Enum#0,1',
                'longdesc' => 'URI',
                'marginheight' => 'Pixels',
                'marginwidth' => 'Pixels',
            )
        );
    }

}

// vim: et sw=4 sts=4
Implement Iframe module, and provide %HTML.SafeIframe and %URI.SafeIframeRegexp for untrusted usage. The purpose of this addition is twofold. In trusted mode, iframes are now unconditionally allowed. However, many online video providers (YouTube, Vimeo) and other web applications (Google Maps, Google Calendar, etc) provide embed code in iframe format, which is useful functionality in untrusted mode. You can specify iframes as trusted elements with %HTML.SafeIframe; however, you need to additionally specify a whitelist mechanism such as %URI.SafeIframeRegexp to say what iframe embeds are OK (by default everything is rejected). Note: As iframes are invalid in strict doctypes, you will not be able to use them there. We also added an always_load parameter to URIFilters in order to support the strange nature of the SafeIframe URIFilter (it always needs to be loaded, due to the inability of accessing the %HTML.SafeIframe directive to see if it's needed!) We expect this URIFilter can expand in the future to offer more complex validation mechanisms. Signed-off-by: Bradley M. Froehle <brad.froehle@gmail.com> Signed-off-by: Edward Z. Yang <ezyang@mit.edu> 2011-02-14 01:47:01 +00:00			`<?php`

			`/**`
			`* XHTML 1.1 Iframe Module provides inline frames.`
			`*`
			`* @note This module is not considered safe unless an Iframe`
			`* whitelisting mechanism is specified. Currently, the only`
			`* such mechanism is %URL.SafeIframeRegexp`
			`*/`
			`class HTMLPurifier_HTMLModule_Iframe extends HTMLPurifier_HTMLModule`
			`{`

			`public $name = 'Iframe';`
			`public $safe = false;`

			`public function setup($config) {`
			`if ($config->get('HTML.SafeIframe')) {`
			`$this->safe = true;`
			`}`
			`$this->addElement(`
			`'iframe', 'Inline', 'Flow', 'Common',`
			`array(`
			`'src' => 'URI#embedded',`
			`'width' => 'Length',`
			`'height' => 'Length',`
			`'name' => 'ID',`
			`'scrolling' => 'Enum#yes,no,auto',`
			`'frameborder' => 'Enum#0,1',`
			`'longdesc' => 'URI',`
			`'marginheight' => 'Pixels',`
			`'marginwidth' => 'Pixels',`
			`)`
			`);`
			`}`

			`}`

			`// vim: et sw=4 sts=4`