Moodle 4.1 XRef and Diffs

Search moodle.org's
Developer Documentation

See Release Notes
Long Term Support Release

Bug fixes for general core bugs in 4.1.x will end 13 November 2023 (12 months).
Bug fixes for security issues in 4.1.x will end 10 November 2025 (36 months).
PHP version: minimum PHP 7.4.0 Note: minimum PHP version has increased since Moodle 4.0. PHP 8.0.x is supported too.

Moodle 4.1 Database Schema (by Marcus Green)

/lib/htmlpurifier/HTMLPurifier/AttrTransform/ -> SafeParam.php (source)

Differences Between: [Versions 310 and 401] [Versions 311 and 401] [Versions 39 and 401] [Versions 400 and 401]

   1  <?php
   2  
   3  /**
   4   * Validates name/value pairs in param tags to be used in safe objects. This
   5   * will only allow name values it recognizes, and pre-fill certain attributes
   6   * with required values.
   7   *
   8   * @note
   9   *      This class only supports Flash. In the future, Quicktime support
  10   *      may be added.
  11   *
  12   * @warning
  13   *      This class expects an injector to add the necessary parameters tags.
  14   */
  15  class HTMLPurifier_AttrTransform_SafeParam extends HTMLPurifier_AttrTransform
  16  {
  17      /**
  18       * @type string
  19       */
  20      public $name = "SafeParam";
  21  
  22      /**
  23       * @type HTMLPurifier_AttrDef_URI
  24       */
  25      private $uri;
  26  
  27      /**
  28       * @type HTMLPurifier_AttrDef_Enum
  29       */
  30      public $wmode;
  31  
  32      public function __construct()
  33      {
  34          $this->uri = new HTMLPurifier_AttrDef_URI(true); // embedded
  35          $this->wmode = new HTMLPurifier_AttrDef_Enum(array('window', 'opaque', 'transparent'));
  36      }
  37  
  38      /**
  39       * @param array $attr
  40       * @param HTMLPurifier_Config $config
  41       * @param HTMLPurifier_Context $context
  42       * @return array
  43       */
  44      public function transform($attr, $config, $context)
  45      {
  46          // If we add support for other objects, we'll need to alter the
  47          // transforms.
  48          switch ($attr['name']) {
  49              // application/x-shockwave-flash
  50              // Keep this synchronized with Injector/SafeObject.php
  51              case 'allowScriptAccess':
  52                  $attr['value'] = 'never';
  53                  break;
  54              case 'allowNetworking':
  55                  $attr['value'] = 'internal';
  56                  break;
  57              case 'allowFullScreen':
  58                  if ($config->get('HTML.FlashAllowFullScreen')) {
  59                      $attr['value'] = ($attr['value'] == 'true') ? 'true' : 'false';
  60                  } else {
  61                      $attr['value'] = 'false';
  62                  }
  63                  break;
  64              case 'wmode':
  65                  $attr['value'] = $this->wmode->validate($attr['value'], $config, $context);
  66                  break;
  67              case 'movie':
  68              case 'src':
  69                  $attr['name'] = "movie";
  70                  $attr['value'] = $this->uri->validate($attr['value'], $config, $context);
  71                  break;
  72              case 'flashvars':
  73                  // we're going to allow arbitrary inputs to the SWF, on
  74                  // the reasoning that it could only hack the SWF, not us.
  75                  break;
  76              // add other cases to support other param name/value pairs
  77              default:
  78                  $attr['name'] = $attr['value'] = null;
  79          }
  80          return $attr;
  81      }
  82  }
  83  
  84  // vim: et sw=4 sts=4