Search moodle.org's
Developer Documentation

See Release Notes

  • Bug fixes for general core bugs in 3.10.x will end 8 November 2021 (12 months).
  • Bug fixes for security issues in 3.10.x will end 9 May 2022 (18 months).
  • PHP version: minimum PHP 7.2.0 Note: minimum PHP version has increased since Moodle 3.8. PHP 7.3.x and 7.4.x are supported too.

Differences Between: [Versions 310 and 401] [Versions 310 and 402] [Versions 310 and 403]

   1  <?php
   2  
   3  /**

   4   * Validates name/value pairs in param tags to be used in safe objects. This

   5   * will only allow name values it recognizes, and pre-fill certain attributes

   6   * with required values.

   7   *

   8   * @note

   9   *      This class only supports Flash. In the future, Quicktime support

  10   *      may be added.

  11   *

  12   * @warning

  13   *      This class expects an injector to add the necessary parameters tags.

  14   */
  15  class HTMLPurifier_AttrTransform_SafeParam extends HTMLPurifier_AttrTransform
  16  {
  17      /**

  18       * @type string

  19       */
  20      public $name = "SafeParam";
  21  
  22      /**

  23       * @type HTMLPurifier_AttrDef_URI

  24       */
  25      private $uri;
  26  
  27      public function __construct()
  28      {
  29          $this->uri = new HTMLPurifier_AttrDef_URI(true); // embedded

  30          $this->wmode = new HTMLPurifier_AttrDef_Enum(array('window', 'opaque', 'transparent'));
  31      }
  32  
  33      /**

  34       * @param array $attr

  35       * @param HTMLPurifier_Config $config

  36       * @param HTMLPurifier_Context $context

  37       * @return array

  38       */
  39      public function transform($attr, $config, $context)
  40      {
  41          // If we add support for other objects, we'll need to alter the

  42          // transforms.

  43          switch ($attr['name']) {
  44              // application/x-shockwave-flash

  45              // Keep this synchronized with Injector/SafeObject.php

  46              case 'allowScriptAccess':
  47                  $attr['value'] = 'never';
  48                  break;
  49              case 'allowNetworking':
  50                  $attr['value'] = 'internal';
  51                  break;
  52              case 'allowFullScreen':
  53                  if ($config->get('HTML.FlashAllowFullScreen')) {
  54                      $attr['value'] = ($attr['value'] == 'true') ? 'true' : 'false';
  55                  } else {
  56                      $attr['value'] = 'false';
  57                  }
  58                  break;
  59              case 'wmode':
  60                  $attr['value'] = $this->wmode->validate($attr['value'], $config, $context);
  61                  break;
  62              case 'movie':
  63              case 'src':
  64                  $attr['name'] = "movie";
  65                  $attr['value'] = $this->uri->validate($attr['value'], $config, $context);
  66                  break;
  67              case 'flashvars':
  68                  // we're going to allow arbitrary inputs to the SWF, on

  69                  // the reasoning that it could only hack the SWF, not us.

  70                  break;
  71              // add other cases to support other param name/value pairs

  72              default:
  73                  $attr['name'] = $attr['value'] = null;
  74          }
  75          return $attr;
  76      }
  77  }
  78  
  79  // vim: et sw=4 sts=4