lib/htmlpurifier/library/HTMLPurifier/Injector/SafeObject.php

   1 <?php
   2
   3 /**
   4  * Adds important param elements to inside of object in order to make
   5  * things safe.
   6  */
   7 class HTMLPurifier_Injector_SafeObject extends HTMLPurifier_Injector
   8 {
   9     public $name = 'SafeObject';
  10     public $needed = array('object', 'param');
  11
  12     protected $objectStack = array();
  13     protected $paramStack  = array();
  14
  15     // Keep this synchronized with AttrTransform/SafeParam.php
  16     protected $addParam = array(
  17         'allowScriptAccess' => 'never',
  18         'allowNetworking' => 'internal',
  19     );
  20     protected $allowedParam = array(
  21         'wmode' => true,
  22         'movie' => true,
  23         'flashvars' => true,
  24         'src' => true,
  25         'allowFullScreen' => true, // if omitted, assume to be 'false'
  26     );
  27
  28     public function prepare($config, $context) {
  29         parent::prepare($config, $context);
  30     }
  31
  32     public function handleElement(&$token) {
  33         if ($token->name == 'object') {
  34             $this->objectStack[] = $token;
  35             $this->paramStack[] = array();
  36             $new = array($token);
  37             foreach ($this->addParam as $name => $value) {
  38                 $new[] = new HTMLPurifier_Token_Empty('param', array('name' => $name, 'value' => $value));
  39             }
  40             $token = $new;
  41         } elseif ($token->name == 'param') {
  42             $nest = count($this->currentNesting) - 1;
  43             if ($nest >= 0 && $this->currentNesting[$nest]->name === 'object') {
  44                 $i = count($this->objectStack) - 1;
  45                 if (!isset($token->attr['name'])) {
  46                     $token = false;
  47                     return;
  48                 }
  49                 $n = $token->attr['name'];
  50                 // We need this fix because YouTube doesn't supply a data
  51                 // attribute, which we need if a type is specified. This is
  52                 // *very* Flash specific.
  53                 if (!isset($this->objectStack[$i]->attr['data']) &&
  54                     ($token->attr['name'] == 'movie' || $token->attr['name'] == 'src')) {
  55                     $this->objectStack[$i]->attr['data'] = $token->attr['value'];
  56                 }
  57                 // Check if the parameter is the correct value but has not
  58                 // already been added
  59                 if (
  60                     !isset($this->paramStack[$i][$n]) &&
  61                     isset($this->addParam[$n]) &&
  62                     $token->attr['name'] === $this->addParam[$n]
  63                 ) {
  64                     // keep token, and add to param stack
  65                     $this->paramStack[$i][$n] = true;
  66                 } elseif (isset($this->allowedParam[$n])) {
  67                     // keep token, don't do anything to it
  68                     // (could possibly check for duplicates here)
  69                 } else {
  70                     $token = false;
  71                 }
  72             } else {
  73                 // not directly inside an object, DENY!
  74                 $token = false;
  75             }
  76         }
  77     }
  78
  79     public function handleEnd(&$token) {
  80         // This is the WRONG way of handling the object and param stacks;
  81         // we should be inserting them directly on the relevant object tokens
  82         // so that the global stack handling handles it.
  83         if ($token->name == 'object') {
  84             array_pop($this->objectStack);
  85             array_pop($this->paramStack);
  86         }
  87     }
  88
  89 }
  90
  91 // vim: et sw=4 sts=4