1 <?php 2 3 /** 4 * A "safe" script module. No inline JS is allowed, and pointed to JS 5 * files must match whitelist. 6 */ 7 class HTMLPurifier_HTMLModule_SafeScripting extends HTMLPurifier_HTMLModule 8 { 9 /** 10 * @type string 11 */ 12 public $name = 'SafeScripting'; 13 14 /** 15 * @param HTMLPurifier_Config $config 16 */ 17 public function setup($config) 18 { 19 // These definitions are not intrinsically safe: the attribute transforms 20 // are a vital part of ensuring safety. 21 22 $allowed = $config->get('HTML.SafeScripting'); 23 $script = $this->addElement( 24 'script', 25 'Inline', 26 'Optional:', // Not `Empty` to not allow to autoclose the <script /> tag @see https://www.w3.org/TR/html4/interact/scripts.html 27 null, 28 array( 29 // While technically not required by the spec, we're forcing 30 // it to this value. 31 'type' => 'Enum#text/javascript', 32 'src*' => new HTMLPurifier_AttrDef_Enum(array_keys($allowed), /*case sensitive*/ true) 33 ) 34 ); 35 $script->attr_transform_pre[] = 36 $script->attr_transform_post[] = new HTMLPurifier_AttrTransform_ScriptRequired(); 37 } 38 } 39 40 // vim: et sw=4 sts=4
title
Description
Body
title
Description
Body
title
Description
Body
title
Body