aboutsummaryrefslogtreecommitdiffstats
path: root/library/HTMLPurifier/HTMLModule/SafeScripting.php
diff options
context:
space:
mode:
Diffstat (limited to 'library/HTMLPurifier/HTMLModule/SafeScripting.php')
-rw-r--r--library/HTMLPurifier/HTMLModule/SafeScripting.php40
1 files changed, 40 insertions, 0 deletions
diff --git a/library/HTMLPurifier/HTMLModule/SafeScripting.php b/library/HTMLPurifier/HTMLModule/SafeScripting.php
new file mode 100644
index 000000000..0330cd97f
--- /dev/null
+++ b/library/HTMLPurifier/HTMLModule/SafeScripting.php
@@ -0,0 +1,40 @@
+<?php
+
+/**
+ * A "safe" script module. No inline JS is allowed, and pointed to JS
+ * files must match whitelist.
+ */
+class HTMLPurifier_HTMLModule_SafeScripting extends HTMLPurifier_HTMLModule
+{
+ /**
+ * @type string
+ */
+ public $name = 'SafeScripting';
+
+ /**
+ * @param HTMLPurifier_Config $config
+ */
+ public function setup($config)
+ {
+ // These definitions are not intrinsically safe: the attribute transforms
+ // are a vital part of ensuring safety.
+
+ $allowed = $config->get('HTML.SafeScripting');
+ $script = $this->addElement(
+ 'script',
+ 'Inline',
+ 'Empty',
+ null,
+ array(
+ // While technically not required by the spec, we're forcing
+ // it to this value.
+ 'type' => 'Enum#text/javascript',
+ 'src*' => new HTMLPurifier_AttrDef_Enum(array_keys($allowed))
+ )
+ );
+ $script->attr_transform_pre[] =
+ $script->attr_transform_post[] = new HTMLPurifier_AttrTransform_ScriptRequired();
+ }
+}
+
+// vim: et sw=4 sts=4