1 | <?php\r |
2 | \r | |
/**
 * A "safe" script module. No inline JS is allowed, and the JS files a
 * script points to must match the whitelist.
 */
class HTMLPurifier_HTMLModule_SafeScripting extends HTMLPurifier_HTMLModule
{
    /**
     * Module name as registered with the HTML definition.
     * @type string
     */
    public $name = 'SafeScripting';

    /**
     * Registers a restricted <script> element: no inline content (the
     * element is declared 'Empty'), a pinned type attribute, and a required
     * src that must be one of the configured whitelist entries.
     *
     * @param HTMLPurifier_Config $config Source of the HTML.SafeScripting
     *                                    whitelist; its keys are the URLs.
     */
    public function setup($config)
    {
        // The element definition alone is not what makes this safe: the
        // ScriptRequired attribute transforms attached below are essential.
        $whitelist = $config->get('HTML.SafeScripting');
        $whitelistedUrls = array_keys($whitelist);

        $attributes = array(
            // The spec does not require this value, but we pin it anyway.
            'type' => 'Enum#text/javascript',
            // NOTE(review): HTMLPurifier_AttrDef_Enum matches case-insensitively
            // unless its second constructor argument is set; confirm that is
            // the intended comparison for whitelisted URLs.
            'src*' => new HTMLPurifier_AttrDef_Enum($whitelistedUrls),
        );

        $element = $this->addElement('script', 'Inline', 'Empty', null, $attributes);

        // One transform instance is shared by the pre and post hooks.
        $required = new HTMLPurifier_AttrTransform_ScriptRequired();
        $element->attr_transform_pre[] = $required;
        $element->attr_transform_post[] = $required;
    }
}
39 | \r | |
40 | // vim: et sw=4 sts=4\r |