mirror of
https://github.com/ezyang/htmlpurifier.git
synced 2024-11-10 15:48:42 +00:00
4d612d5a77
When specifying source material for <object> tags, you must use data inside the object tag as well as specify movie in a param. If you specify a src (which is the appropriate markup for <embed>) we now convert and fill in the other attributes appropriately. Also, fix a PHP warning in Generator code. Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
57 lines
1.8 KiB
PHP
57 lines
1.8 KiB
PHP
<?php
|
|
|
|
/**
|
|
* Validates name/value pairs in param tags to be used in safe objects. This
|
|
* will only allow name values it recognizes, and pre-fill certain attributes
|
|
* with required values.
|
|
*
|
|
* @note
|
|
* This class only supports Flash. In the future, Quicktime support
|
|
* may be added.
|
|
*
|
|
* @warning
|
|
* This class expects an injector to add the necessary parameters tags.
|
|
*/
|
|
class HTMLPurifier_AttrTransform_SafeParam extends HTMLPurifier_AttrTransform
|
|
{
|
|
public $name = "SafeParam";
|
|
private $uri;
|
|
|
|
public function __construct() {
|
|
$this->uri = new HTMLPurifier_AttrDef_URI(true); // embedded
|
|
}
|
|
|
|
public function transform($attr, $config, $context) {
|
|
// If we add support for other objects, we'll need to alter the
|
|
// transforms.
|
|
switch ($attr['name']) {
|
|
// application/x-shockwave-flash
|
|
// Keep this synchronized with Injector/SafeObject.php
|
|
case 'allowScriptAccess':
|
|
$attr['value'] = 'never';
|
|
break;
|
|
case 'allowNetworking':
|
|
$attr['value'] = 'internal';
|
|
break;
|
|
case 'wmode':
|
|
$attr['value'] = 'window';
|
|
break;
|
|
case 'movie':
|
|
case 'src':
|
|
$attr['name'] = "movie";
|
|
$attr['value'] = $this->uri->validate($attr['value'], $config, $context);
|
|
break;
|
|
case 'flashvars':
|
|
// we're going to allow arbitrary inputs to the SWF, on
|
|
// the reasoning that it could only hack the SWF, not us.
|
|
break;
|
|
// add other cases to support other param name/value pairs
|
|
default:
|
|
$attr['name'] = $attr['value'] = null;
|
|
}
|
|
return $attr;
|
|
}
|
|
}
|
|
|
|
// vim: et sw=4 sts=4
|