[tt-rss.git] / lib / htmlpurifier / library / HTMLPurifier / HTMLModule / SafeObject.php

<?php

/**
 * A "safe" object module. In theory, objects permitted by this module will
 * be safe, and untrusted users can be allowed to embed arbitrary flash objects
 * (maybe other types too, but only Flash is supported as of right now).
 * Highly experimental.
 */
class HTMLPurifier_HTMLModule_SafeObject extends HTMLPurifier_HTMLModule
{

    public $name = 'SafeObject';

    public function setup($config) {

        // These definitions are not intrinsically safe: the attribute transforms
        // are a vital part of ensuring safety.

        $max = $config->get('HTML.MaxImgLength');
        $object = $this->addElement(
            'object',
            'Inline',
            'Optional: param | Flow | #PCDATA',
            'Common',
            array(
                // While technically not required by the spec, we're forcing
                // it to this value.
                'type'   => 'Enum#application/x-shockwave-flash',
                'width'  => 'Pixels#' . $max,
                'height' => 'Pixels#' . $max,
                'data'   => 'URI#embedded',
                'codebase' => new HTMLPurifier_AttrDef_Enum(array(
                    'http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0')),
            )
        );
        $object->attr_transform_post[] = new HTMLPurifier_AttrTransform_SafeObject();

        $param = $this->addElement('param', false, 'Empty', false,
            array(
                'id' => 'ID',
                'name*' => 'Text',
                'value' => 'Text'
            )
        );
        $param->attr_transform_post[] = new HTMLPurifier_AttrTransform_SafeParam();
        $this->info_injector[] = 'SafeObject';

    }

}

// vim: et sw=4 sts=4
Commit	Line	Data
f45a286b AD	1	<?php
	2
	3	/**
	4	* A "safe" object module. In theory, objects permitted by this module will
	5	* be safe, and untrusted users can be allowed to embed arbitrary flash objects
	6	* (maybe other types too, but only Flash is supported as of right now).
	7	* Highly experimental.
	8	*/
	9	class HTMLPurifier_HTMLModule_SafeObject extends HTMLPurifier_HTMLModule
	10	{
	11
	12	public $name = 'SafeObject';
	13
	14	public function setup($config) {
	15
	16	// These definitions are not intrinsically safe: the attribute transforms
	17	// are a vital part of ensuring safety.
	18
f4f0f80d	19	$max = $config->get('HTML.MaxImgLength');
f45a286b AD	20	$object = $this->addElement(
	21	'object',
	22	'Inline',
	23	'Optional: param \| Flow \| #PCDATA',
	24	'Common',
	25	array(
	26	// While technically not required by the spec, we're forcing
	27	// it to this value.
	28	'type' => 'Enum#application/x-shockwave-flash',
	29	'width' => 'Pixels#' . $max,
	30	'height' => 'Pixels#' . $max,
f4f0f80d AD	31	'data' => 'URI#embedded',
	32	'codebase' => new HTMLPurifier_AttrDef_Enum(array(
	33	'http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0')),
f45a286b AD	34	)
	35	);
	36	$object->attr_transform_post[] = new HTMLPurifier_AttrTransform_SafeObject();
	37
	38	$param = $this->addElement('param', false, 'Empty', false,
	39	array(
	40	'id' => 'ID',
	41	'name*' => 'Text',
	42	'value' => 'Text'
	43	)
	44	);
	45	$param->attr_transform_post[] = new HTMLPurifier_AttrTransform_SafeParam();
	46	$this->info_injector[] = 'SafeObject';
	47
	48	}
	49
	50	}
	51
	52	// vim: et sw=4 sts=4