Diffstat (limited to 'library/HTMLPurifier/Injector/SafeObject.php')
-rw-r--r-- | library/HTMLPurifier/Injector/SafeObject.php | 53 |
1 files changed, 42 insertions, 11 deletions
diff --git a/library/HTMLPurifier/Injector/SafeObject.php b/library/HTMLPurifier/Injector/SafeObject.php index 9e178ce01..3d17e07af 100644 --- a/library/HTMLPurifier/Injector/SafeObject.php +++ b/library/HTMLPurifier/Injector/SafeObject.php @@ -6,29 +6,61 @@ */ class HTMLPurifier_Injector_SafeObject extends HTMLPurifier_Injector { + /** + * @type string + */ public $name = 'SafeObject'; + + /** + * @type array + */ public $needed = array('object', 'param'); + /** + * @type array + */ protected $objectStack = array(); - protected $paramStack = array(); - // Keep this synchronized with AttrTransform/SafeParam.php + /** + * @type array + */ + protected $paramStack = array(); + + /** + * Keep this synchronized with AttrTransform/SafeParam.php. + * @type array + */ protected $addParam = array( 'allowScriptAccess' => 'never', 'allowNetworking' => 'internal', ); + + /** + * @type array + */ protected $allowedParam = array( 'wmode' => true, 'movie' => true, 'flashvars' => true, 'src' => true, + 'allowFullScreen' => true, // if omitted, assume to be 'false' ); - public function prepare($config, $context) { + /** + * @param HTMLPurifier_Config $config + * @param HTMLPurifier_Context $context + * @return void + */ + public function prepare($config, $context) + { parent::prepare($config, $context); } - public function handleElement(&$token) { + /** + * @param HTMLPurifier_Token $token + */ + public function handleElement(&$token) + { if ($token->name == 'object') { $this->objectStack[] = $token; $this->paramStack[] = array(); 
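Review bot: The new `'allowFullScreen' => true` entry in `$allowedParam` lets that param through the injector with whatever value the document supplies, because the `elseif (isset($this->allowedParam[$n]))` branch in the next hunk checks only the name. The inline comment covers the omitted case, but nothing in this file restricts a supplied value to 'true' or 'false' or ties it to a configuration switch. That presumably happens in AttrTransform/SafeParam.php, which this diff (limited to SafeObject.php) does not show, and fullscreen plugin content can cover the browser UI, so it is worth confirming before merge. The "keep this synchronized" reminder now sits only on `$addParam`; I would repeat it on the new entry, e.g. `// value is constrained in AttrTransform/SafeParam.php; keep both in sync`.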
@@ -50,16 +82,15 @@ class HTMLPurifier_Injector_SafeObject extends HTMLPurifier_Injector // attribute, which we need if a type is specified. This is // *very* Flash specific. if (!isset($this->objectStack[$i]->attr['data']) && - ($token->attr['name'] == 'movie' || $token->attr['name'] == 'src')) { + ($token->attr['name'] == 'movie' || $token->attr['name'] == 'src') + ) { $this->objectStack[$i]->attr['data'] = $token->attr['value']; } // Check if the parameter is the correct value but has not // already been added - if ( - !isset($this->paramStack[$i][$n]) && + if (!isset($this->paramStack[$i][$n]) && isset($this->addParam[$n]) && - $token->attr['name'] === $this->addParam[$n] - ) { + $token->attr['name'] === $this->addParam[$n]) { // keep token, and add to param stack $this->paramStack[$i][$n] = true; } elseif (isset($this->allowedParam[$n])) { @@ -75,7 +106,8 @@ class HTMLPurifier_Injector_SafeObject extends HTMLPurifier_Injector } } - public function handleEnd(&$token) { + public function handleEnd(&$token) + { // This is the WRONG way of handling the object and param stacks; // we should be inserting them directly on the relevant object tokens // so that the global stack handling handles it. @@ -84,7 +116,6 @@ class HTMLPurifier_Injector_SafeObject extends HTMLPurifier_Injector array_pop($this->paramStack); } } - } // vim: et sw=4 sts=4 |
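Review bot: The re-wrapped condition `$token->attr['name'] === $this->addParam[$n]` compares the param's name with the enforced value ('never' or 'internal'), although the comment above it says it checks for "the correct value". `$n` is assigned outside this hunk; if it holds the param name, as the `isset($this->addParam[$n])` lookup suggests, this branch can never be taken and a document-supplied `allowScriptAccess` or `allowNetworking` is never recorded in `paramStack`. The likely intent is `$token->attr['value'] === $this->addParam[$n]`. The failure looks fail-closed, since the param falls through to the later branches, but the commit only reformats the dead comparison and it should be corrected or removed. The body of handleElement starts and ends outside the hunk.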