git.wh0rd.org / tt-rss.git / blame
| Commit | Line | Data |
|---|---|---|
| dd205fba MK |
1 | <?php |
| 2 | ||
| 3 | /** | |
| 4 | * Implements safety checks for safe iframes. | |
| 5 | * | |
| 6 | * @warning This filter is *critical* for ensuring that %HTML.SafeIframe | |
| 7 | * works safely. | |
| 8 | */ | |
| 9 | class HTMLPurifier_URIFilter_SafeIframe extends HTMLPurifier_URIFilter | |
| 10 | { | |
| 11 | public $name = 'SafeIframe'; | |
| 12 | public $always_load = true; | |
| 13 | protected $regexp = NULL; | |
| 14 | // XXX: The not so good bit about how this is all setup now is we | |
| 15 | // can't check HTML.SafeIframe in the 'prepare' step: we have to | |
| 16 | // defer till the actual filtering. | |
| 17 | public function prepare($config) { | |
| 18 | $this->regexp = $config->get('URI.SafeIframeRegexp'); | |
| 19 | return true; | |
| 20 | } | |
| 21 | public function filter(&$uri, $config, $context) { | |
| 22 | // check if filter not applicable | |
| 23 | if (!$config->get('HTML.SafeIframe')) return true; | |
| 24 | // check if the filter should actually trigger | |
| 25 | if (!$context->get('EmbeddedURI', true)) return true; | |
| 26 | $token = $context->get('CurrentToken', true); | |
| 27 | if (!($token && $token->name == 'iframe')) return true; | |
| 28 | // check if we actually have some whitelists enabled | |
| 29 | if ($this->regexp === null) return false; | |
| 30 | // actually check the whitelists | |
| 31 | return preg_match($this->regexp, $uri->toString()); | |
| 32 | } | |
| 33 | } | |
| 34 | ||
| 35 | // vim: et sw=4 sts=4 |