  <?php
  
  /**
   * Validates name/value pairs in param tags to be used in safe objects. This
   * will only allow name values it recognizes, and pre-fill certain attributes
   * with required values.
   *
   * @note
   *      This class only supports Flash. In the future, Quicktime support
   *      may be added.
   *
   * @warning
   *      This class expects an injector (see Injector/SafeObject.php) to add
   *      the necessary parameter tags; it only rewrites the pairs it is given.
   */
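  class HTMLPurifier_AttrTransform_SafeParam extends HTMLPurifier_AttrTransform
  {
      /**
       * @type string
       */
      public $name = "SafeParam";

      /**
       * Validator for the movie URI, constructed in "embedded" mode.
       * @type HTMLPurifier_AttrDef_URI
       */
      private $uri;

      /**
       * Whitelist validator for the wmode parameter.
       *
       * Declared explicitly: the constructor previously assigned this as an
       * undeclared (dynamic) property, which PHP 8.2 deprecates.
       * @type HTMLPurifier_AttrDef_Enum
       */
      private $wmode;

      public function __construct()
      {
          $this->uri = new HTMLPurifier_AttrDef_URI(true); // embedded
          $this->wmode = new HTMLPurifier_AttrDef_Enum(array('window', 'opaque', 'transparent'));
      }

      /**
       * Rewrites a single param name/value pair for a safe Flash object.
       *
       * The security-critical parameters are pinned to their most restrictive
       * value regardless of what the input document supplied; the remaining
       * recognized names are validated, and anything unrecognized has both
       * its name and value nulled out.
       *
       * @param array $attr Attribute array carrying 'name' and 'value'.
       * @param HTMLPurifier_Config $config
       * @param HTMLPurifier_Context $context
       * @return array The rewritten attribute array; 'name' and 'value' are
       *               both null when the parameter is not recognized.
       */
      public function transform($attr, $config, $context)
      {
          // If we add support for other objects, we'll need to alter the
          // transforms.
          switch ($attr['name']) {
              // application/x-shockwave-flash
              // Keep this synchronized with Injector/SafeObject.php
              case 'allowScriptAccess':
                  // Input value is deliberately ignored: 'never' denies the SWF
                  // any scripting access to the embedding page.
                  $attr['value'] = 'never';
                  break;
              case 'allowNetworking':
                  // Likewise pinned regardless of input: 'internal' denies the
                  // SWF browser-level navigation/interaction calls.
                  $attr['value'] = 'internal';
                  break;
              case 'allowFullScreen':
                  // Only honoured when the configuration opts in, and only the
                  // exact string 'true' enables it; anything else fails closed.
                  if ($config->get('HTML.FlashAllowFullScreen')) {
                      $attr['value'] = ($attr['value'] === 'true') ? 'true' : 'false';
                  } else {
                      $attr['value'] = 'false';
                  }
                  break;
              case 'wmode':
                  // Restricted to the enum whitelist built in the constructor.
                  $attr['value'] = $this->wmode->validate($attr['value'], $config, $context);
                  break;
              case 'movie':
              case 'src':
                  // Normalize to one canonical name and validate the value as
                  // an embedded URI.
                  $attr['name'] = "movie";
                  $attr['value'] = $this->uri->validate($attr['value'], $config, $context);
                  break;
              case 'flashvars':
                  // we're going to allow arbitrary inputs to the SWF, on
                  // the reasoning that it could only hack the SWF, not us.
                  // NOTE(review): that reasoning holds only while
                  // allowScriptAccess and allowNetworking stay pinned above;
                  // flashvars remain attacker-controlled input to the SWF.
                  break;
              // add other cases to support other param name/value pairs
              default:
                  // Unrecognized parameter: null both fields so the caller
                  // can discard it.
                  $attr['name'] = $attr['value'] = null;
          }
          return $attr;
      }
  }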
  
  // vim: et sw=4 sts=4