<?php
/**
* Validates name/value pairs in param tags to be used in safe objects. This
* will only allow name values it recognizes, and pre-fill certain attributes
* with required values.
*
* @note
* This class only supports Flash. In the future, Quicktime support
* may be added.
*
* @warning
* This class expects an injector to add the necessary param tags.
*/
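class HTMLPurifier_AttrTransform_SafeParam extends HTMLPurifier_AttrTransform
{
    /**
     * Transform name used by HTMLPurifier to identify this transform.
     * @type string
     */
    public $name = "SafeParam";

    /**
     * Validator applied to the `movie` URI. Constructed with the
     * "embedded" flag, i.e. the URI is a resource loaded by the object
     * rather than a link the user navigates to.
     * @type HTMLPurifier_AttrDef_URI
     */
    private $uri;

    /**
     * Validator restricting `wmode` to the three values listed in the
     * constructor.
     * @type HTMLPurifier_AttrDef_Enum
     */
    public $wmode;

    public function __construct()
    {
        $this->uri = new HTMLPurifier_AttrDef_URI(true); // embedded
        $this->wmode = new HTMLPurifier_AttrDef_Enum(array('window', 'opaque', 'transparent'));
    }

    /**
     * Rewrites one <param> name/value pair so that only recognised Flash
     * parameters survive, with the security-relevant ones forced to fixed
     * values. An unrecognised name has both name and value set to null so
     * the pair carries nothing downstream (the SafeObject injector is the
     * other half of this contract, see Injector/SafeObject.php).
     *
     * @param array $attr Attribute map of the <param> token; 'name' and
     *                    'value' are read and either may be absent.
     * @param HTMLPurifier_Config $config
     * @param HTMLPurifier_Context $context
     * @return array The (possibly rewritten) attribute map.
     */
    public function transform($attr, $config, $context)
    {
        // Read the keys defensively: an absent 'name' falls through to the
        // default case and an absent 'value' is validated as an empty string,
        // instead of raising an undefined-index notice and passing null on
        // to the validators.
        $name = isset($attr['name']) ? $attr['name'] : null;
        $value = isset($attr['value']) ? $attr['value'] : '';

        // If we add support for other objects, we'll need to alter the
        // transforms.
        switch ($name) {
            // application/x-shockwave-flash
            // Keep this synchronized with Injector/SafeObject.php
            case 'allowScriptAccess':
                // 'never' denies the SWF any scripting access to the hosting
                // page; the author-supplied value is ignored on purpose.
                $attr['value'] = 'never';
                break;
            case 'allowNetworking':
                // 'internal' lets the SWF load data but not drive the browser
                // (navigation, fscommand, ExternalInterface calls).
                $attr['value'] = 'internal';
                break;
            case 'allowFullScreen':
                // Honoured only when the site opts in via configuration, and
                // then only the literal string 'true' is accepted; strict
                // comparison so no other value can be taken for 'true'.
                if ($config->get('HTML.FlashAllowFullScreen')) {
                    $attr['value'] = ($value === 'true') ? 'true' : 'false';
                } else {
                    $attr['value'] = 'false';
                }
                break;
            case 'wmode':
                $attr['value'] = $this->wmode->validate($value, $config, $context);
                break;
            case 'movie':
            case 'src':
                // 'src' is accepted as an alias and canonicalised to 'movie';
                // the URI itself goes through the embedded-URI validator.
                $attr['name'] = "movie";
                $attr['value'] = $this->uri->validate($value, $config, $context);
                break;
            case 'flashvars':
                // we're going to allow arbitrary inputs to the SWF, on
                // the reasoning that it could only hack the SWF, not us.
                break;
            // add other cases to support other param name/value pairs
            default:
                $attr['name'] = $attr['value'] = null;
        }
        return $attr;
    }
}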
// vim: et sw=4 sts=4