[github/wallabag/wallabag.git] / inc / 3rdparty / htmlpurifier / HTMLPurifier / Injector / SafeObject.php

<?php\r
\r
/**\r
 * Adds important param elements to inside of object in order to make\r
 * things safe.\r
 */\r
class HTMLPurifier_Injector_SafeObject extends HTMLPurifier_Injector\r
{\r
    /**\r
     * @type string\r
     */\r
    public $name = 'SafeObject';\r
\r
    /**\r
     * @type array\r
     */\r
    public $needed = array('object', 'param');\r
\r
    /**\r
     * @type array\r
     */\r
    protected $objectStack = array();\r
\r
    /**\r
     * @type array\r
     */\r
    protected $paramStack = array();\r
\r
    /**\r
     * Keep this synchronized with AttrTransform/SafeParam.php.\r
     * @type array\r
     */\r
    protected $addParam = array(\r
        'allowScriptAccess' => 'never',\r
        'allowNetworking' => 'internal',\r
    );\r
\r
    /**\r
     * @type array\r
     */\r
    protected $allowedParam = array(\r
        'wmode' => true,\r
        'movie' => true,\r
        'flashvars' => true,\r
        'src' => true,\r
        'allowFullScreen' => true, // if omitted, assume to be 'false'\r
    );\r
\r
    /**\r
     * @param HTMLPurifier_Config $config\r
     * @param HTMLPurifier_Context $context\r
     * @return void\r
     */\r
    public function prepare($config, $context)\r
    {\r
        parent::prepare($config, $context);\r
    }\r
\r
    /**\r
     * @param HTMLPurifier_Token $token\r
     */\r
    public function handleElement(&$token)\r
    {\r
        if ($token->name == 'object') {\r
            $this->objectStack[] = $token;\r
            $this->paramStack[] = array();\r
            $new = array($token);\r
            foreach ($this->addParam as $name => $value) {\r
                $new[] = new HTMLPurifier_Token_Empty('param', array('name' => $name, 'value' => $value));\r
            }\r
            $token = $new;\r
        } elseif ($token->name == 'param') {\r
            $nest = count($this->currentNesting) - 1;\r
            if ($nest >= 0 && $this->currentNesting[$nest]->name === 'object') {\r
                $i = count($this->objectStack) - 1;\r
                if (!isset($token->attr['name'])) {\r
                    $token = false;\r
                    return;\r
                }\r
                $n = $token->attr['name'];\r
                // We need this fix because YouTube doesn't supply a data\r
                // attribute, which we need if a type is specified. This is\r
                // *very* Flash specific.\r
                if (!isset($this->objectStack[$i]->attr['data']) &&\r
                    ($token->attr['name'] == 'movie' || $token->attr['name'] == 'src')\r
                ) {\r
                    $this->objectStack[$i]->attr['data'] = $token->attr['value'];\r
                }\r
                // Check if the parameter is the correct value but has not\r
                // already been added\r
                if (!isset($this->paramStack[$i][$n]) &&\r
                    isset($this->addParam[$n]) &&\r
                    $token->attr['name'] === $this->addParam[$n]) {\r
                    // keep token, and add to param stack\r
                    $this->paramStack[$i][$n] = true;\r
                } elseif (isset($this->allowedParam[$n])) {\r
                    // keep token, don't do anything to it\r
                    // (could possibly check for duplicates here)\r
                } else {\r
                    $token = false;\r
                }\r
            } else {\r
                // not directly inside an object, DENY!\r
                $token = false;\r
            }\r
        }\r
    }\r
\r
    public function handleEnd(&$token)\r
    {\r
        // This is the WRONG way of handling the object and param stacks;\r
        // we should be inserting them directly on the relevant object tokens\r
        // so that the global stack handling handles it.\r
        if ($token->name == 'object') {\r
            array_pop($this->objectStack);\r
            array_pop($this->paramStack);\r
        }\r
    }\r
}\r
\r
// vim: et sw=4 sts=4\r
Commit	Line	Data
d4949327 NL	1	<?php\r
	2	\r
	3	/**\r
	4	* Adds important param elements to inside of object in order to make\r
	5	* things safe.\r
	6	*/\r
	7	class HTMLPurifier_Injector_SafeObject extends HTMLPurifier_Injector\r
	8	{\r
	9	/**\r
	10	* @type string\r
	11	*/\r
	12	public $name = 'SafeObject';\r
	13	\r
	14	/**\r
	15	* @type array\r
	16	*/\r
	17	public $needed = array('object', 'param');\r
	18	\r
	19	/**\r
	20	* @type array\r
	21	*/\r
	22	protected $objectStack = array();\r
	23	\r
	24	/**\r
	25	* @type array\r
	26	*/\r
	27	protected $paramStack = array();\r
	28	\r
	29	/**\r
	30	* Keep this synchronized with AttrTransform/SafeParam.php.\r
	31	* @type array\r
	32	*/\r
	33	protected $addParam = array(\r
	34	'allowScriptAccess' => 'never',\r
	35	'allowNetworking' => 'internal',\r
	36	);\r
	37	\r
	38	/**\r
	39	* @type array\r
	40	*/\r
	41	protected $allowedParam = array(\r
	42	'wmode' => true,\r
	43	'movie' => true,\r
	44	'flashvars' => true,\r
	45	'src' => true,\r
	46	'allowFullScreen' => true, // if omitted, assume to be 'false'\r
	47	);\r
	48	\r
	49	/**\r
	50	* @param HTMLPurifier_Config $config\r
	51	* @param HTMLPurifier_Context $context\r
	52	* @return void\r
	53	*/\r
	54	public function prepare($config, $context)\r
	55	{\r
	56	parent::prepare($config, $context);\r
	57	}\r
	58	\r
	59	/**\r
	60	* @param HTMLPurifier_Token $token\r
	61	*/\r
	62	public function handleElement(&$token)\r
	63	{\r
	64	if ($token->name == 'object') {\r
65	$this->objectStack[] = $token;\r
66	$this->paramStack[] = array();\r
67	$new = array($token);\r
68	foreach ($this->addParam as $name => $value) {\r
69	$new[] = new HTMLPurifier_Token_Empty('param', array('name' => $name, 'value' => $value));\r
70	}\r
71	$token = $new;\r
72	} elseif ($token->name == 'param') {\r
73	$nest = count($this->currentNesting) - 1;\r
74	if ($nest >= 0 && $this->currentNesting[$nest]->name === 'object') {\r
75	$i = count($this->objectStack) - 1;\r
76	if (!isset($token->attr['name'])) {\r
77	$token = false;\r
78	return;\r
79	}\r
80	$n = $token->attr['name'];\r
81	// We need this fix because YouTube doesn't supply a data\r
82	// attribute, which we need if a type is specified. This is\r
83	// very Flash specific.\r
84	if (!isset($this->objectStack[$i]->attr['data']) &&\r
85	($token->attr['name'] == 'movie' \|\| $token->attr['name'] == 'src')\r
86	) {\r
87	$this->objectStack[$i]->attr['data'] = $token->attr['value'];\r
88	}\r
89	// Check if the parameter is the correct value but has not\r
90	// already been added\r
91	if (!isset($this->paramStack[$i][$n]) &&\r
92	isset($this->addParam[$n]) &&\r
93	$token->attr['name'] === $this->addParam[$n]) {\r
94	// keep token, and add to param stack\r
95	$this->paramStack[$i][$n] = true;\r
96	} elseif (isset($this->allowedParam[$n])) {\r
97	// keep token, don't do anything to it\r
98	// (could possibly check for duplicates here)\r
99	} else {\r
100	$token = false;\r
101	}\r
102	} else {\r
103	// not directly inside an object, DENY!\r
104	$token = false;\r
105	}\r
106	}\r
107	}\r
108	\r
109	public function handleEnd(&$token)\r
110	{\r
111	// This is the WRONG way of handling the object and param stacks;\r
112	// we should be inserting them directly on the relevant object tokens\r
113	// so that the global stack handling handles it.\r
114	if ($token->name == 'object') {\r
115	array_pop($this->objectStack);\r
116	array_pop($this->paramStack);\r
117	}\r
118	}\r
119	}\r
120	\r
121	// vim: et sw=4 sts=4\r