57 lines
		
	
	
		
			1.8 KiB
		
	
	
	
		
			PHP
		
	
	
		
			Executable File
		
	
	
	
	
			
		
		
	
	
			57 lines
		
	
	
		
			1.8 KiB
		
	
	
	
		
			PHP
		
	
	
		
			Executable File
		
	
	
	
	
| <?php
 | |
| 
 | |
| /**
 | |
|  * Validates name/value pairs in param tags to be used in safe objects. This
 | |
|  * will only allow name values it recognizes, and pre-fill certain attributes
 | |
|  * with required values.
 | |
|  *
 | |
|  * @note
 | |
|  *      This class only supports Flash. In the future, Quicktime support
 | |
|  *      may be added.
 | |
|  *
 | |
|  * @warning
 | |
|  *      This class expects an injector to add the necessary parameters tags.
 | |
|  */
 | |
| class HTMLPurifier_AttrTransform_SafeParam extends HTMLPurifier_AttrTransform
 | |
| {
 | |
|     public $name = "SafeParam";
 | |
|     private $uri;
 | |
| 
 | |
|     public function __construct() {
 | |
|         $this->uri = new HTMLPurifier_AttrDef_URI(true); // embedded
 | |
|     }
 | |
| 
 | |
|     public function transform($attr, $config, $context) {
 | |
|         // If we add support for other objects, we'll need to alter the
 | |
|         // transforms.
 | |
|         switch ($attr['name']) {
 | |
|             // application/x-shockwave-flash
 | |
|             // Keep this synchronized with Injector/SafeObject.php
 | |
|             case 'allowScriptAccess':
 | |
|                 $attr['value'] = 'never';
 | |
|                 break;
 | |
|             case 'allowNetworking':
 | |
|                 $attr['value'] = 'internal';
 | |
|                 break;
 | |
|             case 'wmode':
 | |
|                 $attr['value'] = 'window';
 | |
|                 break;
 | |
|             case 'movie':
 | |
|             case 'src':
 | |
|                 $attr['name'] = "movie";
 | |
|                 $attr['value'] = $this->uri->validate($attr['value'], $config, $context);
 | |
|                 break;
 | |
|             case 'flashvars':
 | |
|                 // we're going to allow arbitrary inputs to the SWF, on
 | |
|                 // the reasoning that it could only hack the SWF, not us.
 | |
|                 break;
 | |
|             // add other cases to support other param name/value pairs
 | |
|             default:
 | |
|                 $attr['name'] = $attr['value'] = null;
 | |
|         }
 | |
|         return $attr;
 | |
|     }
 | |
| }
 | |
| 
 | |
| // vim: et sw=4 sts=4
 |