Long Term Support Release

  • Bug fixes for general core bugs in 4.1.x will end 13 November 2023 (12 months).
  • Bug fixes for security issues in 4.1.x will end 10 November 2025 (36 months).
  • PHP version: minimum PHP 7.4.0. Note: the minimum PHP version has increased since Moodle 4.0. PHP 8.0.x is also supported.
   1  <?php
   2  
   3  /**
   4   * Implements safety checks for safe iframes.
   5   *
   6   * @warning This filter is *critical* for ensuring that %HTML.SafeIframe
   7   * works safely.
   8   */
   9  class HTMLPurifier_URIFilter_SafeIframe extends HTMLPurifier_URIFilter
  10  {
  11      /**
  12       * @type string
  13       */
  14      public $name = 'SafeIframe';
  15  
  16      /**
  17       * @type bool
  18       */
  19      public $always_load = true;
  20  
  21      /**
  22       * @type string
  23       */
  24      protected $regexp = null;
  25  
  26      // XXX: The not so good bit about how this is all set up now is we
  27      // can't check HTML.SafeIframe in the 'prepare' step: we have to
  28      // defer till the actual filtering.
  29      /**
  30       * @param HTMLPurifier_Config $config
  31       * @return bool
  32       */
  33      public function prepare($config)
  34      {
  35          $this->regexp = $config->get('URI.SafeIframeRegexp');
  36          return true;
  37      }
  38  
  39      /**
  40       * @param HTMLPurifier_URI $uri
  41       * @param HTMLPurifier_Config $config
  42       * @param HTMLPurifier_Context $context
  43       * @return bool
  44       */
  45      public function filter(&$uri, $config, $context)
  46      {
  47          // check if filter not applicable
  48          if (!$config->get('HTML.SafeIframe')) {
  49              return true;
  50          }
  51          // check if the filter should actually trigger
  52          if (!$context->get('EmbeddedURI', true)) {
  53              return true;
  54          }
  55          $token = $context->get('CurrentToken', true);
  56          if (!($token && $token->name == 'iframe')) {
  57              return true;
  58          }
  59          // check if we actually have some whitelists enabled
  60          if ($this->regexp === null) {
  61              return false;
  62          }
  63          // actually check the whitelists
  64          return preg_match($this->regexp, $uri->toString());
  65      }
  66  }
  67  
  68  // vim: et sw=4 sts=4