]> git.immae.eu Git - github/wallabag/wallabag.git/blame - inc/3rdparty/htmlpurifier/HTMLPurifier/AttrTransform/SafeParam.php
remove autoload section in composer.json
1<?php\r
2\r
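/**
 * Validates name/value pairs in param tags to be used in safe objects. This
 * will only allow name values it recognizes, and pre-fill certain attributes
 * with required values.
 *
 * Security model: the param name is checked against a fixed allow-list in
 * transform(). Script access and networking are forced to their most
 * restrictive values whatever the input says, and every name that is not
 * on the list has both its name and value blanked (fail closed). Names are
 * compared case-sensitively, so a differently-cased spelling of a listed
 * name is treated as unrecognized and blanked as well.
 *
 * @note
 *      This class only supports Flash. In the future, Quicktime support
 *      may be added.
 *
 * @warning
 *      This class expects an injector to add the necessary parameters tags.
 *      It only rewrites param tags that are present; it never adds a missing
 *      allowScriptAccess / allowNetworking param itself.
 */
class HTMLPurifier_AttrTransform_SafeParam extends HTMLPurifier_AttrTransform
{
    /**
     * @type string
     */
    public $name = "SafeParam";

    /**
     * Validator applied to the movie/src URI.
     *
     * @type HTMLPurifier_AttrDef_URI
     */
    private $uri;

    /**
     * Validator applied to the wmode value.
     *
     * Declared explicitly so the constructor does not create a dynamic
     * property (deprecated since PHP 8.2). Kept public because a dynamic
     * property is publicly visible, so existing readers keep working.
     *
     * @type HTMLPurifier_AttrDef_Enum
     */
    public $wmode;

    public function __construct()
    {
        $this->uri = new HTMLPurifier_AttrDef_URI(true); // embedded
        $this->wmode = new HTMLPurifier_AttrDef_Enum(array('window', 'opaque', 'transparent'));
    }

    /**
     * Rewrites one param tag's attributes according to the allow-list.
     *
     * @param array $attr attributes of the param tag; 'name' and 'value' are read
     * @param HTMLPurifier_Config $config
     * @param HTMLPurifier_Context $context
     * @return array the attributes with 'name'/'value' normalized, or both
     *               set to null when the name is not recognized
     */
    public function transform($attr, $config, $context)
    {
        // Read both keys defensively: a param tag without a name or value must
        // not raise an undefined-index warning. A missing name takes the
        // default (deny) branch, exactly as a null name did before.
        $name = isset($attr['name']) ? $attr['name'] : null;
        $value = isset($attr['value']) ? $attr['value'] : null;

        // If we add support for other objects, we'll need to alter the
        // transforms.
        switch ($name) {
            // application/x-shockwave-flash
            // Keep this synchronized with Injector/SafeObject.php
            case 'allowScriptAccess':
                // Forced: the supplied value is never honoured.
                $attr['value'] = 'never';
                break;
            case 'allowNetworking':
                // Forced: the supplied value is never honoured.
                $attr['value'] = 'internal';
                break;
            case 'allowFullScreen':
                if ($config->get('HTML.FlashAllowFullScreen')) {
                    // Strict comparison: only the exact string 'true' opts in;
                    // anything else, including non-string values, becomes 'false'.
                    $attr['value'] = ($value === 'true') ? 'true' : 'false';
                } else {
                    $attr['value'] = 'false';
                }
                break;
            case 'wmode':
                // NOTE(review): the validator's result is stored as-is. If it
                // signals rejection with a non-string value, confirm that later
                // stages drop the param rather than emit it - TODO confirm.
                $attr['value'] = $this->wmode->validate($value, $config, $context);
                break;
            case 'movie':
            case 'src':
                // 'src' is normalized to 'movie'; the URI goes through the
                // validator constructed with the "embedded" flag above.
                // NOTE(review): same caveat as wmode about a rejected value.
                $attr['name'] = "movie";
                $attr['value'] = $this->uri->validate($value, $config, $context);
                break;
            case 'flashvars':
                // we're going to allow arbitrary inputs to the SWF, on
                // the reasoning that it could only hack the SWF, not us.
                // NOTE(review): that reasoning leans on allowScriptAccess and
                // allowNetworking being pinned for the same object, which
                // this class only does for params that are present - verify
                // the injector named in the class docblock is enabled.
                break;
            // add other cases to support other param name/value pairs
            default:
                // Fail closed: unknown or missing names are blanked.
                $attr['name'] = $attr['value'] = null;
        }
        return $attr;
    }
}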
78\r
79// vim: et sw=4 sts=4\r