doxygen/html/Injector_2SafeObject_8php_source.html

00001 <?php
00002
00007 class HTMLPurifier_Injector_SafeObject extends HTMLPurifier_Injector
00008 {
00009     public $name = 'SafeObject';
00010     public $needed = array('object', 'param');
00011
00012     protected $objectStack = array();
00013     protected $paramStack  = array();
00014
00015     // Keep this synchronized with AttrTransform/SafeParam.php
00016     protected $addParam = array(
00017         'allowScriptAccess' => 'never',
00018         'allowNetworking' => 'internal',
00019     );
00020     protected $allowedParam = array(
00021         'wmode' => true,
00022         'movie' => true,
00023         'flashvars' => true,
00024         'src' => true,
00025         'allowFullScreen' => true, // if omitted, assume to be 'false'
00026     );
00027
00028     public function prepare($config, $context) {
00029         parent::prepare($config, $context);
00030     }
00031
00032     public function handleElement(&$token) {
00033         if ($token->name == 'object') {
00034             $this->objectStack[] = $token;
00035             $this->paramStack[] = array();
00036             $new = array($token);
00037             foreach ($this->addParam as $name => $value) {
00038                 $new[] = new HTMLPurifier_Token_Empty('param', array('name' => $name, 'value' => $value));
00039             }
00040             $token = $new;
00041         } elseif ($token->name == 'param') {
00042             $nest = count($this->currentNesting) - 1;
00043             if ($nest >= 0 && $this->currentNesting[$nest]->name === 'object') {
00044                 $i = count($this->objectStack) - 1;
00045                 if (!isset($token->attr['name'])) {
00046                     $token = false;
00047                     return;
00048                 }
00049                 $n = $token->attr['name'];
00050                 // We need this fix because YouTube doesn't supply a data
00051                 // attribute, which we need if a type is specified. This is
00052                 // *very* Flash specific.
00053                 if (!isset($this->objectStack[$i]->attr['data']) &&
00054                     ($token->attr['name'] == 'movie' || $token->attr['name'] == 'src')) {
00055                     $this->objectStack[$i]->attr['data'] = $token->attr['value'];
00056                 }
00057                 // Check if the parameter is the correct value but has not
00058                 // already been added
00059                 if (
00060                     !isset($this->paramStack[$i][$n]) &&
00061                     isset($this->addParam[$n]) &&
00062                     $token->attr['name'] === $this->addParam[$n]
00063                 ) {
00064                     // keep token, and add to param stack
00065                     $this->paramStack[$i][$n] = true;
00066                 } elseif (isset($this->allowedParam[$n])) {
00067                     // keep token, don't do anything to it
00068                     // (could possibly check for duplicates here)
00069                 } else {
00070                     $token = false;
00071                 }
00072             } else {
00073                 // not directly inside an object, DENY!
00074                 $token = false;
00075             }
00076         }
00077     }
00078
00079     public function handleEnd(&$token) {
00080         // This is the WRONG way of handling the object and param stacks;
00081         // we should be inserting them directly on the relevant object tokens
00082         // so that the global stack handling handles it.
00083         if ($token->name == 'object') {
00084             array_pop($this->objectStack);
00085             array_pop($this->paramStack);
00086         }
00087     }
00088
00089 }
00090
00091 // vim: et sw=4 sts=4