diff options
| author | Mike Macgirvin <mike@macgirvin.com> | 2010-09-08 20:14:17 -0700 |
|---|---|---|
| committer | Mike Macgirvin <mike@macgirvin.com> | 2010-09-08 20:14:17 -0700 |
| commit | ffb1997902facb36b78a7cfa522f41f2b3d71cda (patch) | |
| tree | e9fe47acf26c5fd2c742677f2610b60d3008eb26 /library/HTMLPurifier/AttrTransform/SafeParam.php | |
| parent | b49858b038a0a05bbe7685929e88071d0e125538 (diff) | |
| download | volse-hubzilla-ffb1997902facb36b78a7cfa522f41f2b3d71cda.tar.gz volse-hubzilla-ffb1997902facb36b78a7cfa522f41f2b3d71cda.tar.bz2 volse-hubzilla-ffb1997902facb36b78a7cfa522f41f2b3d71cda.zip | |
mistpark 2.0 infrasturcture lands
Diffstat (limited to 'library/HTMLPurifier/AttrTransform/SafeParam.php')
| -rw-r--r-- | library/HTMLPurifier/AttrTransform/SafeParam.php | 56 |
1 files changed, 56 insertions, 0 deletions
diff --git a/library/HTMLPurifier/AttrTransform/SafeParam.php b/library/HTMLPurifier/AttrTransform/SafeParam.php new file mode 100644 index 000000000..3f992ec31 --- /dev/null +++ b/library/HTMLPurifier/AttrTransform/SafeParam.php @@ -0,0 +1,56 @@ +<?php + +/** + * Validates name/value pairs in param tags to be used in safe objects. This + * will only allow name values it recognizes, and pre-fill certain attributes + * with required values. + * + * @note + * This class only supports Flash. In the future, Quicktime support + * may be added. + * + * @warning + * This class expects an injector to add the necessary parameters tags. + */ +class HTMLPurifier_AttrTransform_SafeParam extends HTMLPurifier_AttrTransform +{ + public $name = "SafeParam"; + private $uri; + + public function __construct() { + $this->uri = new HTMLPurifier_AttrDef_URI(true); // embedded + } + + public function transform($attr, $config, $context) { + // If we add support for other objects, we'll need to alter the + // transforms. + switch ($attr['name']) { + // application/x-shockwave-flash + // Keep this synchronized with Injector/SafeObject.php + case 'allowScriptAccess': + $attr['value'] = 'never'; + break; + case 'allowNetworking': + $attr['value'] = 'internal'; + break; + case 'wmode': + $attr['value'] = 'window'; + break; + case 'movie': + case 'src': + $attr['name'] = "movie"; + $attr['value'] = $this->uri->validate($attr['value'], $config, $context); + break; + case 'flashvars': + // we're going to allow arbitrary inputs to the SWF, on + // the reasoning that it could only hack the SWF, not us. + break; + // add other cases to support other param name/value pairs + default: + $attr['name'] = $attr['value'] = null; + } + return $attr; + } +} + +// vim: et sw=4 sts=4 |