<?php

/**
 * HTML module that admits a narrowly constrained <object>/<param> pair.
 *
 * "Safe" is relative: the element definitions here only narrow the
 * attribute grammar (one fixed MIME type, a single permitted codebase
 * value, a `data` URI in the 'embedded' context, and width/height tied to
 * HTML.MaxImgLength). The enforcement that the module relies on is done by
 * HTMLPurifier_AttrTransform_SafeObject, HTMLPurifier_AttrTransform_SafeParam
 * and the 'SafeObject' injector, all of which are registered below. Only
 * Flash is handled; the module is still considered experimental.
 */
class HTMLPurifier_HTMLModule_SafeObject extends HTMLPurifier_HTMLModule
{
    /**
     * @type string
     */
    public $name = 'SafeObject';

    /**
     * Registers the object and param elements together with the
     * post-transforms and injector that make them acceptable.
     *
     * @param HTMLPurifier_Config $config Read for HTML.MaxImgLength, which
     *        is spliced into the width and height attribute definitions.
     */
    public function setup($config)
    {
        // Shared cap for both dimensions; whatever the config returns is
        // concatenated verbatim into the Pixels attribute definition.
        $maxLength = $config->get('HTML.MaxImgLength');

        $objectAttrs = array(
            // Not required by the spec, but the only value this module admits.
            'type' => 'Enum#application/x-shockwave-flash',
            'width' => 'Pixels#' . $maxLength,
            'height' => 'Pixels#' . $maxLength,
            'data' => 'URI#embedded',
            // Exactly one codebase value is permitted; anything else is dropped
            // by the enum attribute definition.
            'codebase' => new HTMLPurifier_AttrDef_Enum(
                array(
                    'http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0'
                )
            ),
        );
        $objectElement = $this->addElement(
            'object',
            'Inline',
            'Optional: param | Flow | #PCDATA',
            'Common',
            $objectAttrs
        );
        // The attribute grammar alone is not what keeps <object> safe; the
        // post-transform is the essential part and must stay attached.
        $objectElement->attr_transform_post[] = new HTMLPurifier_AttrTransform_SafeObject();

        $paramAttrs = array(
            'id' => 'ID',
            'name*' => 'Text',
            'value' => 'Text'
        );
        $paramElement = $this->addElement('param', false, 'Empty', false, $paramAttrs);
        // Same story for <param>: the transform, not the grammar, does the vetting.
        $paramElement->attr_transform_post[] = new HTMLPurifier_AttrTransform_SafeParam();

        // Document-level injector registered under the module's own name.
        $this->info_injector[] = 'SafeObject';
    }
}

// vim: et sw=4 sts=4