
  1. <?php
  2. /**
  3. * Validates name/value pairs in param tags to be used in safe objects. This
  4. * will only allow name values it recognizes, and pre-fill certain attributes
  5. * with required values.
  6. *
  7. * @note
  8. * This class only supports Flash. In the future, Quicktime support
  9. * may be added.
  10. *
  11. * @warning
  12. * This class expects an injector to add the necessary parameters tags.
  13. */
  14. class HTMLPurifier_AttrTransform_SafeParam extends HTMLPurifier_AttrTransform
  15. {
  16. /**
  17. * @type string
  18. */
  19. public $name = "SafeParam";
  20. /**
  21. * @type HTMLPurifier_AttrDef_URI
  22. */
  23. private $uri;
  24. public function __construct()
  25. {
  26. $this->uri = new HTMLPurifier_AttrDef_URI(true); // embedded
  27. $this->wmode = new HTMLPurifier_AttrDef_Enum(array('window', 'opaque', 'transparent'));
  28. }
  29. /**
  30. * @param array $attr
  31. * @param HTMLPurifier_Config $config
  32. * @param HTMLPurifier_Context $context
  33. * @return array
  34. */
  35. public function transform($attr, $config, $context)
  36. {
  37. // If we add support for other objects, we'll need to alter the
  38. // transforms.
  39. switch ($attr['name']) {
  40. // application/x-shockwave-flash
  41. // Keep this synchronized with Injector/SafeObject.php
  42. case 'allowScriptAccess':
  43. $attr['value'] = 'never';
  44. break;
  45. case 'allowNetworking':
  46. $attr['value'] = 'internal';
  47. break;
  48. case 'allowFullScreen':
  49. if ($config->get('HTML.FlashAllowFullScreen')) {
  50. $attr['value'] = ($attr['value'] == 'true') ? 'true' : 'false';
  51. } else {
  52. $attr['value'] = 'false';
  53. }
  54. break;
  55. case 'wmode':
  56. $attr['value'] = $this->wmode->validate($attr['value'], $config, $context);
  57. break;
  58. case 'movie':
  59. case 'src':
  60. $attr['name'] = "movie";
  61. $attr['value'] = $this->uri->validate($attr['value'], $config, $context);
  62. break;
  63. case 'flashvars':
  64. // we're going to allow arbitrary inputs to the SWF, on
  65. // the reasoning that it could only hack the SWF, not us.
  66. break;
  67. // add other cases to support other param name/value pairs
  68. default:
  69. $attr['name'] = $attr['value'] = null;
  70. }
  71. return $attr;
  72. }
  73. }
  74. // vim: et sw=4 sts=4