Search moodle.org's
Developer Documentation

See Release Notes

  • Bug fixes for general core bugs in 3.11.x will end 14 Nov 2022 (12 months plus 6 months extension).
  • Bug fixes for security issues in 3.11.x will end 13 Nov 2023 (18 months plus 12 months extension).
  • PHP version: minimum PHP 7.3.0 Note: minimum PHP version has increased since Moodle 3.10. PHP 7.4.x is supported too.
   1  <?php
   2  
   3  /**

   4   * Implements safety checks for safe iframes.

   5   *

   6   * @warning This filter is *critical* for ensuring that %HTML.SafeIframe

   7   * works safely.

   8   */
   9  class HTMLPurifier_URIFilter_SafeIframe extends HTMLPurifier_URIFilter
  10  {
  11      /**

  12       * @type string

  13       */
  14      public $name = 'SafeIframe';
  15  
  16      /**

  17       * @type bool

  18       */
  19      public $always_load = true;
  20  
  21      /**

  22       * @type string

  23       */
  24      protected $regexp = null;
  25  
  26      // XXX: The not so good bit about how this is all set up now is we

  27      // can't check HTML.SafeIframe in the 'prepare' step: we have to

  28      // defer till the actual filtering.

  29      /**

  30       * @param HTMLPurifier_Config $config

  31       * @return bool

  32       */
  33      public function prepare($config)
  34      {
  35          $this->regexp = $config->get('URI.SafeIframeRegexp');
  36          return true;
  37      }
  38  
  39      /**

  40       * @param HTMLPurifier_URI $uri

  41       * @param HTMLPurifier_Config $config

  42       * @param HTMLPurifier_Context $context

  43       * @return bool

  44       */
  45      public function filter(&$uri, $config, $context)
  46      {
  47          // check if filter not applicable

  48          if (!$config->get('HTML.SafeIframe')) {
  49              return true;
  50          }
  51          // check if the filter should actually trigger

  52          if (!$context->get('EmbeddedURI', true)) {
  53              return true;
  54          }
  55          $token = $context->get('CurrentToken', true);
  56          if (!($token && $token->name == 'iframe')) {
  57              return true;
  58          }
  59          // check if we actually have some whitelists enabled

  60          if ($this->regexp === null) {
  61              return false;
  62          }
  63          // actually check the whitelists

  64          return preg_match($this->regexp, $uri->toString());
  65      }
  66  }
  67  
  68  // vim: et sw=4 sts=4