| 1 |
efrain |
1 |
<?php
|
|
|
2 |
|
|
|
3 |
/**
|
|
|
4 |
* A "safe" script module. No inline JS is allowed, and pointed to JS
|
|
|
5 |
* files must match whitelist.
|
|
|
6 |
*/
|
|
|
7 |
class HTMLPurifier_HTMLModule_SafeScripting extends HTMLPurifier_HTMLModule
|
|
|
8 |
{
|
|
|
9 |
/**
|
|
|
10 |
* @type string
|
|
|
11 |
*/
|
|
|
12 |
public $name = 'SafeScripting';
|
|
|
13 |
|
|
|
14 |
/**
|
|
|
15 |
* @param HTMLPurifier_Config $config
|
|
|
16 |
*/
|
|
|
17 |
public function setup($config)
|
|
|
18 |
{
|
|
|
19 |
// These definitions are not intrinsically safe: the attribute transforms
|
|
|
20 |
// are a vital part of ensuring safety.
|
|
|
21 |
|
|
|
22 |
$allowed = $config->get('HTML.SafeScripting');
|
|
|
23 |
$script = $this->addElement(
|
|
|
24 |
'script',
|
|
|
25 |
'Inline',
|
|
|
26 |
'Optional:', // Not `Empty` to not allow to autoclose the <script /> tag @see https://www.w3.org/TR/html4/interact/scripts.html
|
|
|
27 |
null,
|
|
|
28 |
array(
|
|
|
29 |
// While technically not required by the spec, we're forcing
|
|
|
30 |
// it to this value.
|
|
|
31 |
'type' => 'Enum#text/javascript',
|
|
|
32 |
'src*' => new HTMLPurifier_AttrDef_Enum(array_keys($allowed), /*case sensitive*/ true)
|
|
|
33 |
)
|
|
|
34 |
);
|
|
|
35 |
$script->attr_transform_pre[] =
|
|
|
36 |
$script->attr_transform_post[] = new HTMLPurifier_AttrTransform_ScriptRequired();
|
|
|
37 |
}
|
|
|
38 |
}
|
|
|
39 |
|
|
|
40 |
// vim: et sw=4 sts=4
|