Search moodle.org's
Developer Documentation

See Release Notes
Long Term Support Release

  • Bug fixes for general core bugs in 4.1.x will end 13 November 2023 (12 months).
  • Bug fixes for security issues in 4.1.x will end 10 November 2025 (36 months).
  • PHP version: minimum PHP 7.4.0 Note: minimum PHP version has increased since Moodle 4.0. PHP 8.0.x is supported too.
   1  <?php
   2  
   3  /*
   4  
   5  WARNING: THIS MODULE IS EXTREMELY DANGEROUS AS IT ENABLES INLINE SCRIPTING
   6  INSIDE HTML PURIFIER DOCUMENTS. USE ONLY WITH TRUSTED USER INPUT!!!
   7  
   8  */
   9  
  10  /**
  11   * XHTML 1.1 Scripting module, defines elements that are used to contain
  12   * information pertaining to executable scripts or the lack of support
  13   * for executable scripts.
  14   * @note This module does not contain inline scripting elements
  15   */
  16  class HTMLPurifier_HTMLModule_Scripting extends HTMLPurifier_HTMLModule
  17  {
  18      /**
  19       * @type string
  20       */
  21      public $name = 'Scripting';
  22  
  23      /**
  24       * @type array
  25       */
  26      public $elements = array('script', 'noscript');
  27  
  28      /**
  29       * @type array
  30       */
  31      public $content_sets = array('Block' => 'script | noscript', 'Inline' => 'script | noscript');
  32  
  33      /**
  34       * @type bool
  35       */
  36      public $safe = false;
  37  
  38      /**
  39       * @param HTMLPurifier_Config $config
  40       */
  41      public function setup($config)
  42      {
  43          // TODO: create custom child-definition for noscript that
  44          // auto-wraps stray #PCDATA in a similar manner to
  45          // blockquote's custom definition (we would use it but
  46          // blockquote's contents are optional while noscript's contents
  47          // are required)
  48  
  49          // TODO: convert this to new syntax, main problem is getting
  50          // both content sets working
  51  
  52          // In theory, this could be safe, but I don't see any reason to
  53          // allow it.
  54          $this->info['noscript'] = new HTMLPurifier_ElementDef();
  55          $this->info['noscript']->attr = array(0 => array('Common'));
  56          $this->info['noscript']->content_model = 'Heading | List | Block';
  57          $this->info['noscript']->content_model_type = 'required';
  58  
  59          $this->info['script'] = new HTMLPurifier_ElementDef();
  60          $this->info['script']->attr = array(
  61              'defer' => new HTMLPurifier_AttrDef_Enum(array('defer')),
  62              'src' => new HTMLPurifier_AttrDef_URI(true),
  63              'type' => new HTMLPurifier_AttrDef_Enum(array('text/javascript'))
  64          );
  65          $this->info['script']->content_model = '#PCDATA';
  66          $this->info['script']->content_model_type = 'optional';
  67          $this->info['script']->attr_transform_pre[] =
  68          $this->info['script']->attr_transform_post[] =
  69              new HTMLPurifier_AttrTransform_ScriptRequired();
  70      }
  71  }
  72  
  73  // vim: et sw=4 sts=4