<?php
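/**
 * Makes embedded <object> elements safe by injecting the security-relevant
 * <param> children (see $addParam) at the top of every object and dropping
 * every user-supplied <param> that is not on a small allow-list
 * (see $allowedParam).
 *
 * This injector only decides which param *tokens* survive and with what
 * name; it does not validate param or data values. Those are expected to
 * be checked by the later attribute-validation stage (the existing
 * cross-reference points at AttrTransform/SafeParam.php) -- verify that
 * file when changing anything here.
 */
class HTMLPurifier_Injector_SafeObject extends HTMLPurifier_Injector
{
    /**
     * @type string
     */
    public $name = 'SafeObject';

    /**
     * Elements this injector needs to be enabled in the definition.
     * @type array
     */
    public $needed = array('object', 'param');

    /**
     * Start tokens of the currently open <object> elements, innermost last.
     * Pushed in handleElement(), popped in handleEnd().
     * @type array
     */
    protected $objectStack = array();

    /**
     * Parallel to $objectStack: one (currently always empty) bookkeeping
     * array per open <object>. Kept so the push/pop in handleElement() and
     * handleEnd() stay symmetric.
     * @type array
     */
    protected $paramStack = array();

    /**
     * Security-critical params injected directly after every <object>
     * start tag. User-supplied params with the same name (in any case)
     * are always dropped, so these injected values are authoritative.
     * Keep this synchronized with AttrTransform/SafeParam.php.
     * @type array
     */
    protected $addParam = array(
        'allowScriptAccess' => 'never',
        'allowNetworking' => 'internal',
    );

    /**
     * User-supplied param names that are passed through unchanged.
     * Lookups are done on the lower-cased name, so these are all
     * lower-case keys. Anything not listed here is dropped.
     * @type array
     */
    protected $allowedParam = array(
        'wmode' => true,
        'movie' => true,
        'flashvars' => true,
        'src' => true,
        'allowfullscreen' => true, // if omitted, assume to be 'false'
    );

    /**
     * No injector-specific preparation; defers entirely to the parent.
     *
     * @param HTMLPurifier_Config $config
     * @param HTMLPurifier_Context $context
     * @return void
     */
    public function prepare($config, $context)
    {
        parent::prepare($config, $context);
    }

    /**
     * Handles <object> and <param> start/empty tokens.
     *
     * For <object>: records the token on the stack and replaces it with
     * the object followed by the injected $addParam tokens.
     *
     * For <param>: keeps the token only when it is a direct child of an
     * <object> and its name is on the $allowedParam list; every other
     * param (including any user-supplied copy of an $addParam entry) is
     * dropped by setting $token to false.
     *
     * @param HTMLPurifier_Token $token Passed by reference; may be replaced
     *        with an array of tokens (object + injected params) or with
     *        false (drop the token).
     */
    public function handleElement(&$token)
    {
        if ($token->name == 'object') {
            $this->objectStack[] = $token;
            $this->paramStack[] = array();
            $new = array($token);
            foreach ($this->addParam as $name => $value) {
                $new[] = new HTMLPurifier_Token_Empty('param', array('name' => $name, 'value' => $value));
            }
            $token = $new;
            return;
        }

        if ($token->name != 'param') {
            return;
        }

        // A <param> is only meaningful as a direct child of an <object>;
        // anywhere else it is dropped (DENY).
        $nest = count($this->currentNesting) - 1;
        if ($nest < 0 || $this->currentNesting[$nest]->name !== 'object') {
            $token = false;
            return;
        }

        $i = count($this->objectStack) - 1;
        if ($i < 0 || !isset($token->attr['name'])) {
            // No tracked <object> for this param (stack out of sync) or a
            // nameless param: fail closed rather than guess.
            $token = false;
            return;
        }
        $n = $token->attr['name'];
        $lower = strtolower($n);

        // We need this fix because YouTube doesn't supply a data
        // attribute, which we need if a type is specified. This is
        // *very* Flash specific. The copied value is a user-controlled
        // URI; it is assumed to be validated like any other data
        // attribute in a later stage -- verify.
        if (!isset($this->objectStack[$i]->attr['data']) &&
            isset($token->attr['value']) &&
            ($n === 'movie' || $n === 'src')
        ) {
            $this->objectStack[$i]->attr['data'] = $token->attr['value'];
        }

        // The security params have already been injected above with the
        // required values; any user-supplied copy is dropped regardless of
        // its value or letter case. (The previous check here compared the
        // param *name* against the injected *value* and could never hold,
        // so user copies were always dropped anyway -- this makes that
        // explicit.)
        foreach ($this->addParam as $name => $value) {
            if (strtolower($name) === $lower) {
                $token = false;
                return;
            }
        }

        if (isset($this->allowedParam[$lower])) {
            // keep token, don't do anything to it
            // (could possibly check for duplicates here)
            // Note: In principle, parameters should be case sensitive.
            // But it seems they are not really; so accept any case.
            return;
        }

        // Not on the allow-list: drop.
        $token = false;
    }

    /**
     * Pops the per-object bookkeeping when an <object> closes.
     *
     * This is the WRONG way of handling the object and param stacks;
     * we should be inserting them directly on the relevant object tokens
     * so that the global stack handling handles it.
     *
     * @param HTMLPurifier_Token $token
     */
    public function handleEnd(&$token)
    {
        if ($token->name == 'object') {
            array_pop($this->objectStack);
            array_pop($this->paramStack);
        }
    }
}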
// vim: et sw=4 sts=4