Search moodle.org's
Developer Documentation

See Release Notes

  • Bug fixes for general core bugs in 3.10.x will end 8 November 2021 (12 months).
  • Bug fixes for security issues in 3.10.x will end 9 May 2022 (18 months).
  • PHP version: minimum PHP 7.2.0 Note: minimum PHP version has increased since Moodle 3.8. PHP 7.3.x and 7.4.x are supported too.
   1  <?php
   2  
   3  /**

   4   * A "safe" object module. In theory, objects permitted by this module will

   5   * be safe, and untrusted users can be allowed to embed arbitrary flash objects

   6   * (maybe other types too, but only Flash is supported as of right now).

   7   * Highly experimental.

   8   */
   9  class HTMLPurifier_HTMLModule_SafeObject extends HTMLPurifier_HTMLModule
  10  {
  11      /**

  12       * @type string

  13       */
  14      public $name = 'SafeObject';
  15  
  16      /**

  17       * @param HTMLPurifier_Config $config

  18       */
  19      public function setup($config)
  20      {
  21          // These definitions are not intrinsically safe: the attribute transforms

  22          // are a vital part of ensuring safety.

  23  
  24          $max = $config->get('HTML.MaxImgLength');
  25          $object = $this->addElement(
  26              'object',
  27              'Inline',
  28              'Optional: param | Flow | #PCDATA',
  29              'Common',
  30              array(
  31                  // While technically not required by the spec, we're forcing

  32                  // it to this value.

  33                  'type' => 'Enum#application/x-shockwave-flash',
  34                  'width' => 'Pixels#' . $max,
  35                  'height' => 'Pixels#' . $max,
  36                  'data' => 'URI#embedded',
  37                  'codebase' => new HTMLPurifier_AttrDef_Enum(
  38                      array(
  39                          'http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0'
  40                      )
  41                  ),
  42              )
  43          );
  44          $object->attr_transform_post[] = new HTMLPurifier_AttrTransform_SafeObject();
  45  
  46          $param = $this->addElement(
  47              'param',
  48              false,
  49              'Empty',
  50              false,
  51              array(
  52                  'id' => 'ID',
  53                  'name*' => 'Text',
  54                  'value' => 'Text'
  55              )
  56          );
  57          $param->attr_transform_post[] = new HTMLPurifier_AttrTransform_SafeParam();
  58          $this->info_injector[] = 'SafeObject';
  59      }
  60  }
  61  
  62  // vim: et sw=4 sts=4