HTMLPurifier 4.4.0
|
00001 <?php 00002 00007 class HTMLPurifier_Injector_SafeObject extends HTMLPurifier_Injector 00008 { 00009 public $name = 'SafeObject'; 00010 public $needed = array('object', 'param'); 00011 00012 protected $objectStack = array(); 00013 protected $paramStack = array(); 00014 00015 // Keep this synchronized with AttrTransform/SafeParam.php 00016 protected $addParam = array( 00017 'allowScriptAccess' => 'never', 00018 'allowNetworking' => 'internal', 00019 ); 00020 protected $allowedParam = array( 00021 'wmode' => true, 00022 'movie' => true, 00023 'flashvars' => true, 00024 'src' => true, 00025 'allowFullScreen' => true, // if omitted, assume to be 'false' 00026 ); 00027 00028 public function prepare($config, $context) { 00029 parent::prepare($config, $context); 00030 } 00031 00032 public function handleElement(&$token) { 00033 if ($token->name == 'object') { 00034 $this->objectStack[] = $token; 00035 $this->paramStack[] = array(); 00036 $new = array($token); 00037 foreach ($this->addParam as $name => $value) { 00038 $new[] = new HTMLPurifier_Token_Empty('param', array('name' => $name, 'value' => $value)); 00039 } 00040 $token = $new; 00041 } elseif ($token->name == 'param') { 00042 $nest = count($this->currentNesting) - 1; 00043 if ($nest >= 0 && $this->currentNesting[$nest]->name === 'object') { 00044 $i = count($this->objectStack) - 1; 00045 if (!isset($token->attr['name'])) { 00046 $token = false; 00047 return; 00048 } 00049 $n = $token->attr['name']; 00050 // We need this fix because YouTube doesn't supply a data 00051 // attribute, which we need if a type is specified. This is 00052 // *very* Flash specific. 00053 if (!isset($this->objectStack[$i]->attr['data']) && 00054 ($token->attr['name'] == 'movie' || $token->attr['name'] == 'src')) { 00055 $this->objectStack[$i]->attr['data'] = $token->attr['value']; 00056 } 00057 // Check if the parameter is the correct value but has not 00058 // already been added 00059 if ( 00060 !isset($this->paramStack[$i][$n]) && 00061 isset($this->addParam[$n]) && 00062 $token->attr['name'] === $this->addParam[$n] 00063 ) { 00064 // keep token, and add to param stack 00065 $this->paramStack[$i][$n] = true; 00066 } elseif (isset($this->allowedParam[$n])) { 00067 // keep token, don't do anything to it 00068 // (could possibly check for duplicates here) 00069 } else { 00070 $token = false; 00071 } 00072 } else { 00073 // not directly inside an object, DENY! 00074 $token = false; 00075 } 00076 } 00077 } 00078 00079 public function handleEnd(&$token) { 00080 // This is the WRONG way of handling the object and param stacks; 00081 // we should be inserting them directly on the relevant object tokens 00082 // so that the global stack handling handles it. 00083 if ($token->name == 'object') { 00084 array_pop($this->objectStack); 00085 array_pop($this->paramStack); 00086 } 00087 } 00088 00089 } 00090 00091 // vim: et sw=4 sts=4