Search moodle.org's
Developer Documentation

See Release Notes

  • Bug fixes for general core bugs in 4.0.x will end 8 May 2023 (12 months).
  • Bug fixes for security issues in 4.0.x will end 13 November 2023 (18 months).
  • PHP version: minimum PHP 7.3.0 Note: the minimum PHP version has increased since Moodle 3.10. PHP 7.4.x is also supported.
   1  <?php
   2  
   3  /*

   4  

   5  WARNING: THIS MODULE IS EXTREMELY DANGEROUS AS IT ENABLES INLINE SCRIPTING

   6  INSIDE HTML PURIFIER DOCUMENTS. USE ONLY WITH TRUSTED USER INPUT!!!

   7  

   8  */
   9  
  10  /**

  11   * XHTML 1.1 Scripting module, defines elements that are used to contain

  12   * information pertaining to executable scripts or the lack of support

  13   * for executable scripts.

  14   * @note This module does not contain inline scripting elements

  15   */
  16  class HTMLPurifier_HTMLModule_Scripting extends HTMLPurifier_HTMLModule
  17  {
  18      /**

  19       * @type string

  20       */
  21      public $name = 'Scripting';
  22  
  23      /**

  24       * @type array

  25       */
  26      public $elements = array('script', 'noscript');
  27  
  28      /**

  29       * @type array

  30       */
  31      public $content_sets = array('Block' => 'script | noscript', 'Inline' => 'script | noscript');
  32  
  33      /**

  34       * @type bool

  35       */
  36      public $safe = false;
  37  
  38      /**

  39       * @param HTMLPurifier_Config $config

  40       */
  41      public function setup($config)
  42      {
  43          // TODO: create custom child-definition for noscript that

  44          // auto-wraps stray #PCDATA in a similar manner to

  45          // blockquote's custom definition (we would use it but

  46          // blockquote's contents are optional while noscript's contents

  47          // are required)

  48  
  49          // TODO: convert this to new syntax, main problem is getting

  50          // both content sets working

  51  
  52          // In theory, this could be safe, but I don't see any reason to

  53          // allow it.

  54          $this->info['noscript'] = new HTMLPurifier_ElementDef();
  55          $this->info['noscript']->attr = array(0 => array('Common'));
  56          $this->info['noscript']->content_model = 'Heading | List | Block';
  57          $this->info['noscript']->content_model_type = 'required';
  58  
  59          $this->info['script'] = new HTMLPurifier_ElementDef();
  60          $this->info['script']->attr = array(
  61              'defer' => new HTMLPurifier_AttrDef_Enum(array('defer')),
  62              'src' => new HTMLPurifier_AttrDef_URI(true),
  63              'type' => new HTMLPurifier_AttrDef_Enum(array('text/javascript'))
  64          );
  65          $this->info['script']->content_model = '#PCDATA';
  66          $this->info['script']->content_model_type = 'optional';
  67          $this->info['script']->attr_transform_pre[] =
  68          $this->info['script']->attr_transform_post[] =
  69              new HTMLPurifier_AttrTransform_ScriptRequired();
  70      }
  71  }
  72  
  73  // vim: et sw=4 sts=4