1 | <?php |
2 | ||
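/**
 * Validates name/value pairs in param tags to be used in safe objects. This
 * will only allow name values it recognizes, and pre-fill certain attributes
 * with required values.
 *
 * Security-relevant decisions made in transform():
 *  - allowScriptAccess is always rewritten to 'never' and allowNetworking to
 *    'internal', whatever the input document asked for.
 *  - allowFullScreen is only honoured when HTML.FlashAllowFullScreen is on,
 *    and even then only the literal value 'true' is accepted.
 *  - movie/src is the only param whose value is treated as a URL here; it is
 *    run through HTMLPurifier_AttrDef_URI in embedded mode.
 *  - flashvars is passed through untouched; any other param name has both
 *    name and value nulled so that downstream code can drop it.
 *
 * @note
 *      This class only supports Flash. In the future, Quicktime support
 *      may be added.
 *
 * @warning
 *      This class expects an injector to add the necessary parameters tags
 *      (see Injector/SafeObject.php). On its own it only filters params
 *      that are already present; it does not create the protective ones.
 */
class HTMLPurifier_AttrTransform_SafeParam extends HTMLPurifier_AttrTransform
{
    public $name = "SafeParam";

    /**
     * @type HTMLPurifier_AttrDef_URI
     */
    private $uri;

    /**
     * @type HTMLPurifier_AttrDef_Enum
     * Declared explicitly: the original assigned it only in the constructor,
     * which PHP 8.2+ reports as dynamic property creation.
     */
    private $wmode;

    public function __construct() {
        // true = embedded URI: the value is fetched as a resource rather than
        // navigated to (presumably selects the URI.* policy meant for that).
        $this->uri = new HTMLPurifier_AttrDef_URI(true);
        // Only the three documented wmode values are accepted; anything else
        // is rejected by the enum validator.
        $this->wmode = new HTMLPurifier_AttrDef_Enum(array('window', 'opaque', 'transparent'));
    }

    /**
     * Normalises a single param tag's attribute set.
     *
     * @param array $attr Attribute array of the param token. 'name' and
     *                    'value' may be absent; neither raises a notice.
     * @param HTMLPurifier_Config $config  Read for HTML.FlashAllowFullScreen.
     * @param HTMLPurifier_Context $context Passed through to the AttrDefs.
     * @return array The (possibly rewritten) attribute array. An unrecognised
     *               name comes back with 'name' and 'value' both null; wmode
     *               and movie come back with whatever the AttrDef returned
     *               (by HTMLPurifier convention false when validation fails).
     */
    public function transform($attr, $config, $context) {
        // Read the keys defensively: a <param> without a name must fall
        // through to the default branch instead of triggering an
        // undefined-index notice, and a missing value behaves like ''.
        $paramName  = isset($attr['name']) ? $attr['name'] : null;
        $paramValue = isset($attr['value']) ? $attr['value'] : '';

        // If we add support for other objects, we'll need to alter the
        // transforms.
        switch ($paramName) {
            // application/x-shockwave-flash
            // Keep this synchronized with Injector/SafeObject.php
            case 'allowScriptAccess':
                // The supplied value is deliberately ignored: the SWF must
                // never be able to call back into the hosting page.
                $attr['value'] = 'never';
                break;
            case 'allowNetworking':
                // Pinned to 'internal' rather than 'never'.
                // NOTE(review): per Adobe's documented semantics this still
                // lets the SWF make its own network requests while blocking
                // browser-interaction APIs; nothing here enforces that
                // reading - confirm it is the intended trade-off.
                $attr['value'] = 'internal';
                break;
            case 'allowFullScreen':
                // Full-screen is opt-in via config: it hands the SWF the
                // whole screen, so it is off unless the deployment asked for
                // it. Strict comparison - only the exact string 'true' counts.
                if ($config->get('HTML.FlashAllowFullScreen')) {
                    $attr['value'] = ($paramValue === 'true') ? 'true' : 'false';
                } else {
                    $attr['value'] = 'false';
                }
                break;
            case 'wmode':
                $attr['value'] = $this->wmode->validate($paramValue, $config, $context);
                break;
            case 'movie':
            case 'src':
                // Canonicalise src to movie, then let the embedded-URI
                // validator decide whether the target is acceptable.
                $attr['name'] = "movie";
                $attr['value'] = $this->uri->validate($paramValue, $config, $context);
                break;
            case 'flashvars':
                // we're going to allow arbitrary inputs to the SWF, on
                // the reasoning that it could only hack the SWF, not us.
                // With allowScriptAccess forced to 'never' above, a
                // flashvars-driven bug inside the SWF should not be able to
                // reach the hosting page - TODO confirm that assumption holds
                // for the Flash versions you still care about.
                break;
            // add other cases to support other param name/value pairs
            default:
                // Unknown param: blank both keys so downstream code drops it.
                $attr['name'] = $attr['value'] = null;
        }
        return $attr;
    }
}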
63 | ||
64 | // vim: et sw=4 sts=4 |