
See Release Notes

  • Bug fixes for general core bugs in 3.11.x will end 14 Nov 2022 (12 months plus 6 months extension).
  • Bug fixes for security issues in 3.11.x will end 13 Nov 2023 (18 months plus 12 months extension).
  • PHP version: minimum PHP 7.3.0 Note: minimum PHP version has increased since Moodle 3.10. PHP 7.4.x is supported too.
   1  <?php
   2  
   /**
    * A "safe" script module. No inline JS is allowed, and the JS files a
    * <script> element points to must match a whitelist.
    *
    * The whitelist is the set of keys of the HTML.SafeScripting configuration
    * value. Each key is used as one permitted value of the src attribute and
    * is compared as a whole string, case-sensitively, so an entry only
    * matches a src that is spelled exactly the same way.
    *
    * Every URL listed there is script that runs with the privileges of the
    * page displaying the purified output, so the list should hold only
    * sources the site operator controls or fully trusts.
    */
   class HTMLPurifier_HTMLModule_SafeScripting extends HTMLPurifier_HTMLModule
   {
       /**
        * Module name.
        *
        * @type string
        */
       public $name = 'SafeScripting';

       /**
        * Registers the restricted <script> element and its attribute transforms.
        *
        * @param HTMLPurifier_Config $config Configuration that supplies the
        *        HTML.SafeScripting whitelist.
        */
       public function setup($config)
       {
           // The element definition below is not intrinsically safe: the
           // attribute transforms registered at the end of this method are a
           // vital part of ensuring safety.

           $whitelist = $config->get('HTML.SafeScripting');

           // Only the exact whitelisted URLs are valid src values.
           $srcDef = new HTMLPurifier_AttrDef_Enum(array_keys($whitelist), /*case sensitive*/ true);

           $attributes = array(
               // While technically not required by the spec, we're forcing
               // type to this single value.
               'type' => 'Enum#text/javascript',
               // The trailing asterisk marks src as a required attribute.
               'src*' => $srcDef,
           );

           $element = $this->addElement(
               'script',
               'Inline',
               // Not `Empty`, so that the <script /> tag cannot be autoclosed.
               // @see https://www.w3.org/TR/html4/interact/scripts.html
               'Optional:',
               null,
               $attributes
           );

           // One ScriptRequired instance is shared by the pre and the post
           // transform lists.
           // NOTE(review): ScriptRequired is defined elsewhere; confirm there
           // what it enforces.
           $required = new HTMLPurifier_AttrTransform_ScriptRequired();
           $element->attr_transform_post[] = $required;
           $element->attr_transform_pre[] = $required;
       }
   }
  39  
  40  // vim: et sw=4 sts=4