diff options
author | friendica <info@friendica.com> | 2012-05-12 17:57:41 -0700 |
---|---|---|
committer | friendica <info@friendica.com> | 2012-07-18 20:40:31 +1000 |
commit | 7a40f4354b32809af3d0cfd6e3af0eda02ab0e0a (patch) | |
tree | a9c3d91209cff770bb4b613b1b95e61a7bbc5a2b /lib/htmlpurifier/library/HTMLPurifier/Injector/SafeObject.php | |
parent | cd727cb26b78a1dade09d510b071446898477356 (diff) | |
download | volse-hubzilla-7a40f4354b32809af3d0cfd6e3af0eda02ab0e0a.tar.gz volse-hubzilla-7a40f4354b32809af3d0cfd6e3af0eda02ab0e0a.tar.bz2 volse-hubzilla-7a40f4354b32809af3d0cfd6e3af0eda02ab0e0a.zip |
some important stuff we'll need
Diffstat (limited to 'lib/htmlpurifier/library/HTMLPurifier/Injector/SafeObject.php')
-rw-r--r-- | lib/htmlpurifier/library/HTMLPurifier/Injector/SafeObject.php | 91 |
1 files changed, 91 insertions, 0 deletions
diff --git a/lib/htmlpurifier/library/HTMLPurifier/Injector/SafeObject.php b/lib/htmlpurifier/library/HTMLPurifier/Injector/SafeObject.php new file mode 100644 index 000000000..c1d8b0412 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/Injector/SafeObject.php @@ -0,0 +1,91 @@ +<?php + +/** + * Adds important param elements to inside of object in order to make + * things safe. + */ +class HTMLPurifier_Injector_SafeObject extends HTMLPurifier_Injector +{ + public $name = 'SafeObject'; + public $needed = array('object', 'param'); + + protected $objectStack = array(); + protected $paramStack = array(); + + // Keep this synchronized with AttrTransform/SafeParam.php + protected $addParam = array( + 'allowScriptAccess' => 'never', + 'allowNetworking' => 'internal', + ); + protected $allowedParam = array( + 'wmode' => true, + 'movie' => true, + 'flashvars' => true, + 'src' => true, + 'allowFullScreen' => true, // if omitted, assume to be 'false' + ); + + public function prepare($config, $context) { + parent::prepare($config, $context); + } + + public function handleElement(&$token) { + if ($token->name == 'object') { + $this->objectStack[] = $token; + $this->paramStack[] = array(); + $new = array($token); + foreach ($this->addParam as $name => $value) { + $new[] = new HTMLPurifier_Token_Empty('param', array('name' => $name, 'value' => $value)); + } + $token = $new; + } elseif ($token->name == 'param') { + $nest = count($this->currentNesting) - 1; + if ($nest >= 0 && $this->currentNesting[$nest]->name === 'object') { + $i = count($this->objectStack) - 1; + if (!isset($token->attr['name'])) { + $token = false; + return; + } + $n = $token->attr['name']; + // We need this fix because YouTube doesn't supply a data + // attribute, which we need if a type is specified. This is + // *very* Flash specific. + if (!isset($this->objectStack[$i]->attr['data']) && + ($token->attr['name'] == 'movie' || $token->attr['name'] == 'src')) { + $this->objectStack[$i]->attr['data'] = $token->attr['value']; + } + // Check if the parameter is the correct value but has not + // already been added + if ( + !isset($this->paramStack[$i][$n]) && + isset($this->addParam[$n]) && + $token->attr['name'] === $this->addParam[$n] + ) { + // keep token, and add to param stack + $this->paramStack[$i][$n] = true; + } elseif (isset($this->allowedParam[$n])) { + // keep token, don't do anything to it + // (could possibly check for duplicates here) + } else { + $token = false; + } + } else { + // not directly inside an object, DENY! + $token = false; + } + } + } + + public function handleEnd(&$token) { + // This is the WRONG way of handling the object and param stacks; + // we should be inserting them directly on the relevant object tokens + // so that the global stack handling handles it. + if ($token->name == 'object') { + array_pop($this->objectStack); + array_pop($this->paramStack); + } + } + +} + +// vim: et sw=4 sts=4 |