Search moodle.org's
Developer Documentation

See Release Notes

  • Bug fixes for general core bugs in 4.2.x will end 22 April 2024 (12 months).
  • Bug fixes for security issues in 4.2.x will end 7 October 2024 (18 months).
  • PHP version: minimum PHP 8.0.0 Note: minimum PHP version has increased since Moodle 4.1. PHP 8.1.x is supported too.
   1  <?php
   2  
   3  /**
   4   * A "safe" script module. No inline JS is allowed, and pointed to JS
   5   * files must match whitelist.
   6   */
   7  class HTMLPurifier_HTMLModule_SafeScripting extends HTMLPurifier_HTMLModule
   8  {
   9      /**
  10       * @type string
  11       */
  12      public $name = 'SafeScripting';
  13  
  14      /**
  15       * @param HTMLPurifier_Config $config
  16       */
  17      public function setup($config)
  18      {
  19          // These definitions are not intrinsically safe: the attribute transforms
  20          // are a vital part of ensuring safety.
  21  
  22          $allowed = $config->get('HTML.SafeScripting');
  23          $script = $this->addElement(
  24              'script',
  25              'Inline',
  26              'Optional:', // Not `Empty` to not allow to autoclose the <script /> tag @see https://www.w3.org/TR/html4/interact/scripts.html
  27              null,
  28              array(
  29                  // While technically not required by the spec, we're forcing
  30                  // it to this value.
  31                  'type' => 'Enum#text/javascript',
  32                  'src*' => new HTMLPurifier_AttrDef_Enum(array_keys($allowed), /*case sensitive*/ true)
  33              )
  34          );
  35          $script->attr_transform_pre[] =
  36          $script->attr_transform_post[] = new HTMLPurifier_AttrTransform_ScriptRequired();
  37      }
  38  }
  39  
  40  // vim: et sw=4 sts=4