Search moodle.org's
Developer Documentation

See Release Notes
Long Term Support Release

  • Bug fixes for general core bugs in 4.1.x will end 13 November 2023 (12 months).
  • Bug fixes for security issues in 4.1.x will end 10 November 2025 (36 months).
  • PHP version: minimum PHP 7.4.0 Note: minimum PHP version has increased since Moodle 4.0. PHP 8.0.x is supported too.

Differences Between: [Versions 310 and 401] [Versions 311 and 401] [Versions 39 and 401] [Versions 400 and 401]

   1  <?php
   2  
   3  /**
   4   * Validates name/value pairs in param tags to be used in safe objects. This
   5   * will only allow name values it recognizes, and pre-fill certain attributes
   6   * with required values.
   7   *
   8   * @note
   9   *      This class only supports Flash. In the future, Quicktime support
  10   *      may be added.
  11   *
  12   * @warning
  13   *      This class expects an injector to add the necessary parameters tags.
  14   */
  15  class HTMLPurifier_AttrTransform_SafeParam extends HTMLPurifier_AttrTransform
  16  {
  17      /**
  18       * @type string
  19       */
  20      public $name = "SafeParam";
  21  
  22      /**
  23       * @type HTMLPurifier_AttrDef_URI
  24       */
  25      private $uri;
  26  
  27      /**
  28       * @type HTMLPurifier_AttrDef_Enum
  29       */
  30      public $wmode;
  31  
  32      public function __construct()
  33      {
  34          $this->uri = new HTMLPurifier_AttrDef_URI(true); // embedded
  35          $this->wmode = new HTMLPurifier_AttrDef_Enum(array('window', 'opaque', 'transparent'));
  36      }
  37  
  38      /**
  39       * @param array $attr
  40       * @param HTMLPurifier_Config $config
  41       * @param HTMLPurifier_Context $context
  42       * @return array
  43       */
  44      public function transform($attr, $config, $context)
  45      {
  46          // If we add support for other objects, we'll need to alter the
  47          // transforms.
  48          switch ($attr['name']) {
  49              // application/x-shockwave-flash
  50              // Keep this synchronized with Injector/SafeObject.php
  51              case 'allowScriptAccess':
  52                  $attr['value'] = 'never';
  53                  break;
  54              case 'allowNetworking':
  55                  $attr['value'] = 'internal';
  56                  break;
  57              case 'allowFullScreen':
  58                  if ($config->get('HTML.FlashAllowFullScreen')) {
  59                      $attr['value'] = ($attr['value'] == 'true') ? 'true' : 'false';
  60                  } else {
  61                      $attr['value'] = 'false';
  62                  }
  63                  break;
  64              case 'wmode':
  65                  $attr['value'] = $this->wmode->validate($attr['value'], $config, $context);
  66                  break;
  67              case 'movie':
  68              case 'src':
  69                  $attr['name'] = "movie";
  70                  $attr['value'] = $this->uri->validate($attr['value'], $config, $context);
  71                  break;
  72              case 'flashvars':
  73                  // we're going to allow arbitrary inputs to the SWF, on
  74                  // the reasoning that it could only hack the SWF, not us.
  75                  break;
  76              // add other cases to support other param name/value pairs
  77              default:
  78                  $attr['name'] = $attr['value'] = null;
  79          }
  80          return $attr;
  81      }
  82  }
  83  
  84  // vim: et sw=4 sts=4