]>
Commit | Line | Data |
---|---|---|
f45a286b AD |
1 | <?php |
2 | ||
3 | /** | |
4 | * A "safe" object module. In theory, objects permitted by this module will | |
5 | * be safe, and untrusted users can be allowed to embed arbitrary flash objects | |
6 | * (maybe other types too, but only Flash is supported as of right now). | |
7 | * Highly experimental. | |
8 | */ | |
9 | class HTMLPurifier_HTMLModule_SafeObject extends HTMLPurifier_HTMLModule | |
10 | { | |
11 | ||
12 | public $name = 'SafeObject'; | |
13 | ||
14 | public function setup($config) { | |
15 | ||
16 | // These definitions are not intrinsically safe: the attribute transforms | |
17 | // are a vital part of ensuring safety. | |
18 | ||
f4f0f80d | 19 | $max = $config->get('HTML.MaxImgLength'); |
f45a286b AD |
20 | $object = $this->addElement( |
21 | 'object', | |
22 | 'Inline', | |
23 | 'Optional: param | Flow | #PCDATA', | |
24 | 'Common', | |
25 | array( | |
26 | // While technically not required by the spec, we're forcing | |
27 | // it to this value. | |
28 | 'type' => 'Enum#application/x-shockwave-flash', | |
29 | 'width' => 'Pixels#' . $max, | |
30 | 'height' => 'Pixels#' . $max, | |
f4f0f80d AD |
31 | 'data' => 'URI#embedded', |
32 | 'codebase' => new HTMLPurifier_AttrDef_Enum(array( | |
33 | 'http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0')), | |
f45a286b AD |
34 | ) |
35 | ); | |
36 | $object->attr_transform_post[] = new HTMLPurifier_AttrTransform_SafeObject(); | |
37 | ||
38 | $param = $this->addElement('param', false, 'Empty', false, | |
39 | array( | |
40 | 'id' => 'ID', | |
41 | 'name*' => 'Text', | |
42 | 'value' => 'Text' | |
43 | ) | |
44 | ); | |
45 | $param->attr_transform_post[] = new HTMLPurifier_AttrTransform_SafeParam(); | |
46 | $this->info_injector[] = 'SafeObject'; | |
47 | ||
48 | } | |
49 | ||
50 | } | |
51 | ||
52 | // vim: et sw=4 sts=4 |