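<?php

/**
 * Validates the name/value pairs of the param elements that belong to
 * an embedded object (see the "Keep this synchronized" note on the
 * application/x-shockwave-flash cases below).
 *
 * Recognised param names are either forced to a fixed safe value or run
 * through a dedicated validator; any other name has both its name and
 * value set to null, so unknown params fail closed rather than passing
 * through untouched.
 */
class HTMLPurifier_AttrTransform_SafeParam extends HTMLPurifier_AttrTransform
{
    public $name = "SafeParam";

    /** @var HTMLPurifier_AttrDef_URI validator applied to the movie/src URI */
    private $uri;

    /**
     * @var HTMLPurifier_AttrDef_Enum validator restricting wmode to a fixed set
     * (declared explicitly; the original assigned it as an undeclared
     * dynamic property, which PHP 8.2+ deprecates).
     */
    private $wmode;

    public function __construct() {
        $this->uri = new HTMLPurifier_AttrDef_URI(true); // embedded
        $this->wmode = new HTMLPurifier_AttrDef_Enum(array('window', 'opaque', 'transparent'));
    }

    /**
     * Rewrites a single param name/value pair into its safe form.
     *
     * @param array $attr Attribute array with 'name' and 'value' keys.
     * @param HTMLPurifier_Config $config Used to read HTML.FlashAllowFullScreen.
     * @param HTMLPurifier_Context $context Passed through to the sub-validators.
     * @return array The transformed attribute array; 'name' and 'value' are
     *         both null when the param name is not recognised.
     */
    public function transform($attr, $config, $context) {
        // If we add support for other objects, we'll need to alter the
        // transforms.
        switch ($attr['name']) {
            // application/x-shockwave-flash
            // Keep this synchronized with Injector/SafeObject.php
            case 'allowScriptAccess':
                // Forced regardless of the supplied value: the SWF may not
                // script the embedding page.
                $attr['value'] = 'never';
                break;
            case 'allowNetworking':
                // Forced regardless of the supplied value.
                $attr['value'] = 'internal';
                break;
            case 'allowFullScreen':
                if ($config->get('HTML.FlashAllowFullScreen')) {
                    // Normalise to exactly 'true' or 'false'; strict comparison
                    // so only the literal string 'true' enables it.
                    $attr['value'] = ($attr['value'] === 'true') ? 'true' : 'false';
                } else {
                    $attr['value'] = 'false';
                }
                break;
            case 'wmode':
                // Anything outside the enum is rejected by the validator.
                $attr['value'] = $this->wmode->validate($attr['value'], $config, $context);
                break;
            case 'movie':
            case 'src':
                // Canonicalise 'src' to 'movie' and validate the URI as embedded.
                $attr['name'] = "movie";
                $attr['value'] = $this->uri->validate($attr['value'], $config, $context);
                break;
            case 'flashvars':
                // we're going to allow arbitrary inputs to the SWF, on
                // the reasoning that it could only hack the SWF, not us.
                // NOTE: this is the only recognised param whose value is
                // passed through without validation.
                break;
            // add other cases to support other param name/value pairs
            default:
                // Unrecognised param: drop both name and value (fail closed).
                $attr['name'] = $attr['value'] = null;
        }
        return $attr;
    }
}

// vim: et sw=4 sts=4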