<?php

/**
 * Validates name/value pairs in param tags to be used in safe objects. This
 * will only allow name values it recognizes, and pre-fill certain attributes
 * with required values.
 *
 * @note
 *      This class only supports Flash. In the future, Quicktime support
 *      may be added.
 *
 * @warning
 *      This class expects an injector to add the necessary parameter tags.
 */
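class HTMLPurifier_AttrTransform_SafeParam extends HTMLPurifier_AttrTransform
{
    /**
     * @type string
     */
    public $name = "SafeParam";

    /**
     * Validator for the movie/src URI (constructed in embedded mode).
     * @type HTMLPurifier_AttrDef_URI
     */
    private $uri;

    /**
     * Validator for the Flash wmode parameter. Declared explicitly because
     * creating it as an undeclared (dynamic) property is deprecated as of
     * PHP 8.2; kept public since that is the visibility a dynamic property had.
     * @type HTMLPurifier_AttrDef_Enum
     */
    public $wmode;

    public function __construct()
    {
        $this->uri = new HTMLPurifier_AttrDef_URI(true); // embedded
        $this->wmode = new HTMLPurifier_AttrDef_Enum(array('window', 'opaque', 'transparent'));
    }

    /**
     * Rewrites one param name/value pair so it is safe for an embedded object.
     * Recognized names either get a fixed value (allowScriptAccess,
     * allowNetworking), a validated value (allowFullScreen, wmode, movie/src),
     * or are passed through unchanged (flashvars); anything else has its name
     * and value nulled out so the caller drops it.
     *
     * @param array $attr Attribute array carrying 'name' and 'value' keys
     * @param HTMLPurifier_Config $config
     * @param HTMLPurifier_Context $context
     * @return array Transformed attributes; 'name' and 'value' are both null
     *               for unrecognized param names
     */
    public function transform($attr, $config, $context)
    {
        // A missing key must reach the default branch rather than raise an
        // undefined-index notice, so read both keys defensively.
        $name = isset($attr['name']) ? $attr['name'] : null;
        $value = isset($attr['value']) ? $attr['value'] : null;

        // If we add support for other objects, we'll need to alter the
        // transforms.
        switch ($name) {
            // application/x-shockwave-flash
            // Keep this synchronized with Injector/SafeObject.php
            case 'allowScriptAccess':
                // Fixed value regardless of what the input carried.
                $attr['value'] = 'never';
                break;
            case 'allowNetworking':
                // Fixed value regardless of what the input carried.
                $attr['value'] = 'internal';
                break;
            case 'allowFullScreen':
                if ($config->get('HTML.FlashAllowFullScreen')) {
                    // Strict comparison: anything but the literal string
                    // 'true' fails closed to 'false'.
                    $attr['value'] = ($value === 'true') ? 'true' : 'false';
                } else {
                    $attr['value'] = 'false';
                }
                break;
            case 'wmode':
                $attr['value'] = $this->wmode->validate($value, $config, $context);
                break;
            case 'movie':
            case 'src':
                // 'src' is normalized to the 'movie' param name.
                $attr['name'] = 'movie';
                $attr['value'] = $this->uri->validate($value, $config, $context);
                break;
            case 'flashvars':
                // we're going to allow arbitrary inputs to the SWF, on
                // the reasoning that it could only hack the SWF, not us.
                break;
            // add other cases to support other param name/value pairs
            default:
                $attr['name'] = $attr['value'] = null;
        }
        return $attr;
    }
}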

// vim: et sw=4 sts=4