HTMLPurifier 4.4.0
<?php

/*

WARNING: THIS MODULE IS EXTREMELY DANGEROUS AS IT ENABLES INLINE SCRIPTING
INSIDE HTML PURIFIER DOCUMENTS. USE ONLY WITH TRUSTED USER INPUT!!!

*/

/**
 * HTML module that registers the <script> and <noscript> elements.
 *
 * With this module active, <script> bodies are accepted as character data
 * and <script src> may point at an external resource, so the purified
 * output can carry executable code. The module declares itself unsafe
 * through $safe.
 *
 * NOTE(review): how $safe is consumed is not visible in this file;
 * presumably the module manager only loads unsafe modules for trusted
 * configurations. Confirm before relying on it as the sole gate.
 */
class HTMLPurifier_HTMLModule_Scripting extends HTMLPurifier_HTMLModule
{
    // Module identifier.
    public $name = 'Scripting';

    // Elements contributed by this module.
    public $elements = array('script', 'noscript');

    // Both elements are added to the Block and the Inline content sets.
    public $content_sets = array('Block' => 'script | noscript', 'Inline' => 'script | noscript');

    // Marks the module as unsafe; see the warning at the top of the file.
    public $safe = false;

    /**
     * Builds the element definitions for <noscript> and <script> and stores
     * them in $this->info.
     *
     * @param mixed $config Configuration object; not read by this method.
     */
    public function setup($config)
    {
        // TODO: create custom child-definition for noscript that
        // auto-wraps stray #PCDATA in a similar manner to
        // blockquote's custom definition (we would use it but
        // blockquote's contents are optional while noscript's contents
        // are required)

        // TODO: convert this to new syntax, main problem is getting
        // both content sets working

        // In theory, this could be safe, but I don't see any reason to
        // allow it.
        $noscript = new HTMLPurifier_ElementDef();
        $noscript->attr = array(0 => array('Common'));
        $noscript->content_model = 'Heading | List | Block';
        $noscript->content_model_type = 'required';
        $this->info['noscript'] = $noscript;

        $script = new HTMLPurifier_ElementDef();
        // Attribute whitelist: only defer, src and type are defined, and
        // type is restricted to the single value text/javascript.
        // NOTE(review): the `true` passed to AttrDef_URI presumably marks
        // the URI as an embedded resource; confirm against that class.
        $script->attr = array(
            'defer' => new HTMLPurifier_AttrDef_Enum(array('defer')),
            'src' => new HTMLPurifier_AttrDef_URI(true),
            'type' => new HTMLPurifier_AttrDef_Enum(array('text/javascript')),
        );
        // The element body is plain character data and may be empty.
        $script->content_model = '#PCDATA';
        $script->content_model_type = 'optional';

        // One transform instance is shared by the pre and post hooks for
        // the type attribute.
        // NOTE(review): presumably it supplies a missing type attribute;
        // verify in HTMLPurifier_AttrTransform_ScriptRequired.
        $typeTransform = new HTMLPurifier_AttrTransform_ScriptRequired();
        $script->attr_transform_post['type'] = $typeTransform;
        $script->attr_transform_pre['type'] = $typeTransform;
        $this->info['script'] = $script;
    }
}

// vim: et sw=4 sts=4