See Release Notes
Long Term Support Release
Differences Between: [Versions 310 and 401] [Versions 311 and 401] [Versions 39 and 401] [Versions 400 and 401]
1 <?php 2 3 /** 4 * Validates name/value pairs in param tags to be used in safe objects. This 5 * will only allow name values it recognizes, and pre-fill certain attributes 6 * with required values. 7 * 8 * @note 9 * This class only supports Flash. In the future, Quicktime support 10 * may be added. 11 * 12 * @warning 13 * This class expects an injector to add the necessary parameters tags. 14 */ 15 class HTMLPurifier_AttrTransform_SafeParam extends HTMLPurifier_AttrTransform 16 { 17 /** 18 * @type string 19 */ 20 public $name = "SafeParam"; 21 22 /** 23 * @type HTMLPurifier_AttrDef_URI 24 */ 25 private $uri; 26 27 /** 28 * @type HTMLPurifier_AttrDef_Enum 29 */ 30 public $wmode; 31 32 public function __construct() 33 { 34 $this->uri = new HTMLPurifier_AttrDef_URI(true); // embedded 35 $this->wmode = new HTMLPurifier_AttrDef_Enum(array('window', 'opaque', 'transparent')); 36 } 37 38 /** 39 * @param array $attr 40 * @param HTMLPurifier_Config $config 41 * @param HTMLPurifier_Context $context 42 * @return array 43 */ 44 public function transform($attr, $config, $context) 45 { 46 // If we add support for other objects, we'll need to alter the 47 // transforms. 48 switch ($attr['name']) { 49 // application/x-shockwave-flash 50 // Keep this synchronized with Injector/SafeObject.php 51 case 'allowScriptAccess': 52 $attr['value'] = 'never'; 53 break; 54 case 'allowNetworking': 55 $attr['value'] = 'internal'; 56 break; 57 case 'allowFullScreen': 58 if ($config->get('HTML.FlashAllowFullScreen')) { 59 $attr['value'] = ($attr['value'] == 'true') ? 'true' : 'false'; 60 } else { 61 $attr['value'] = 'false'; 62 } 63 break; 64 case 'wmode': 65 $attr['value'] = $this->wmode->validate($attr['value'], $config, $context); 66 break; 67 case 'movie': 68 case 'src': 69 $attr['name'] = "movie"; 70 $attr['value'] = $this->uri->validate($attr['value'], $config, $context); 71 break; 72 case 'flashvars': 73 // we're going to allow arbitrary inputs to the SWF, on 74 // the reasoning that it could only hack the SWF, not us. 75 break; 76 // add other cases to support other param name/value pairs 77 default: 78 $attr['name'] = $attr['value'] = null; 79 } 80 return $attr; 81 } 82 } 83 84 // vim: et sw=4 sts=4
title
Description
Body
title
Description
Body
title
Description
Body
title
Body