1 | <?php\r |
2 | \r | |
/**
 * A "safe" object module. In theory, objects permitted by this module will
 * be safe, and untrusted users can be allowed to embed arbitrary Flash objects
 * (maybe other types too, but only Flash is supported as of right now).
 * Highly experimental.
 */
class HTMLPurifier_HTMLModule_SafeObject extends HTMLPurifier_HTMLModule
{
    /**
     * Module name under which this module is registered.
     * @type string
     */
    public $name = 'SafeObject';

    /**
     * Registers a restricted <object> element and its <param> child.
     *
     * The element definitions are not safe on their own: each element gets an
     * attribute transform (SafeObject / SafeParam) appended to
     * attr_transform_post, and the 'SafeObject' injector is enabled. The
     * attribute definitions below only narrow what reaches those transforms:
     * the MIME type is pinned to Flash, 'codebase' accepts exactly one URL,
     * width/height are capped at HTML.MaxImgLength, and 'data' must pass the
     * embedded-context URI definition.
     *
     * @param HTMLPurifier_Config $config
     */
    public function setup($config)
    {
        $maxLength = $config->get('HTML.MaxImgLength');

        // Attribute definitions for <object>. 'type' is forced to the Flash
        // MIME type even though the spec does not require it, and 'codebase'
        // is an enum with a single permitted value.
        $objectAttributes = array(
            'type' => 'Enum#application/x-shockwave-flash',
            'width' => 'Pixels#' . $maxLength,
            'height' => 'Pixels#' . $maxLength,
            'data' => 'URI#embedded',
            'codebase' => new HTMLPurifier_AttrDef_Enum(
                array(
                    'http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0'
                )
            ),
        );
        $objectElement = $this->addElement(
            'object',
            'Inline',
            'Optional: param | Flow | #PCDATA',
            'Common',
            $objectAttributes
        );
        // The post-transform is a vital part of keeping <object> safe; the
        // attribute definitions above are not sufficient by themselves.
        $objectElement->attr_transform_post[] = new HTMLPurifier_AttrTransform_SafeObject();

        // <param> has no content set and no attribute collection of its own.
        // The trailing '*' on 'name' presumably marks the attribute as
        // required — confirm against HTMLPurifier_HTMLModule::addElement.
        $paramAttributes = array(
            'id' => 'ID',
            'name*' => 'Text',
            'value' => 'Text'
        );
        $paramElement = $this->addElement('param', false, 'Empty', false, $paramAttributes);
        $paramElement->attr_transform_post[] = new HTMLPurifier_AttrTransform_SafeParam();

        // Enable the matching injector alongside the attribute transforms.
        $this->info_injector[] = 'SafeObject';
    }
}
61 | \r | |
62 | // vim: et sw=4 sts=4\r |