1 | <?php\r |
2 | \r | |
3 | /**\r | |
4 | * Prepends the Flash security params (allowScriptAccess=never,\r | |
5 | * allowNetworking=internal) to every <object> and removes any <param>\r | |
5 | * that is not a whitelisted direct child of an <object>.\r | |
6 | */\r | |
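class HTMLPurifier_Injector_SafeObject extends HTMLPurifier_Injector
{
    /**
     * @type string
     */
    public $name = 'SafeObject';

    /**
     * @type array
     */
    public $needed = array('object', 'param');

    /**
     * Stack of the <object> tokens this injector has seen and not yet
     * closed, innermost last. Used to back-fill the object's data attribute.
     * @type array
     */
    protected $objectStack = array();

    /**
     * Parallel to $objectStack. Nothing is recorded in it any more (see
     * handleElement); it is kept, and kept in step with $objectStack, so
     * that subclasses relying on its shape continue to work.
     * @type array
     */
    protected $paramStack = array();

    /**
     * Security params emitted directly after every <object> start tag.
     * They are emitted before anything the user wrote, and any user-supplied
     * param with one of these names is deleted, so they cannot be overridden.
     * Keep this synchronized with AttrTransform/SafeParam.php.
     * @type array
     */
    protected $addParam = array(
        'allowScriptAccess' => 'never',
        'allowNetworking' => 'internal',
    );

    /**
     * Param names a user is allowed to keep (exact, case-sensitive match).
     * Anything not listed here is removed.
     * @type array
     */
    protected $allowedParam = array(
        'wmode' => true,
        'movie' => true,
        'flashvars' => true,
        'src' => true,
        'allowFullScreen' => true, // if omitted, assume to be 'false'
    );

    /**
     * @param HTMLPurifier_Config $config
     * @param HTMLPurifier_Context $context
     * @return void
     */
    public function prepare($config, $context)
    {
        parent::prepare($config, $context);
    }

    /**
     * Handles <object> and <param> start tokens.
     *
     * <object>: pushed onto $objectStack and immediately followed by one
     * <param> per entry of $addParam, so the security params precede any
     * user-supplied param.
     *
     * <param>: kept only when it is a direct child of an <object> this
     * injector has seen AND its name is in $allowedParam. Params with no
     * name, an unknown name, or the name of a security param are deleted.
     * As a Flash-specific convenience, a movie/src param supplies the
     * object's data attribute when the object has none.
     *
     * @param HTMLPurifier_Token $token  Replaced by an array of tokens
     *        (object + injected params) or set to false to delete it.
     */
    public function handleElement(&$token)
    {
        if ($token->name === 'object') {
            $this->objectStack[] = $token;
            $this->paramStack[] = array();
            $new = array($token);
            foreach ($this->addParam as $name => $value) {
                $new[] = new HTMLPurifier_Token_Empty('param', array('name' => $name, 'value' => $value));
            }
            // NOTE(review): this relies on the injector framework not feeding
            // the tokens created here back into this same injector; if it
            // did, they would be deleted by the $addParam check below.
            $token = $new;
            return;
        }

        if ($token->name !== 'param') {
            return;
        }

        // $currentNesting is maintained by the parent injector. A <param>
        // anywhere but directly inside an <object> is deleted.
        $nest = count($this->currentNesting) - 1;
        if ($nest < 0 || $this->currentNesting[$nest]->name !== 'object') {
            $token = false;
            return;
        }

        // $objectStack should track the nesting. If it is empty here, this
        // injector never processed the enclosing <object> (and so never
        // emitted the security params for it); refuse the param rather than
        // index past the end of the stack.
        $i = count($this->objectStack) - 1;
        if ($i < 0) {
            $token = false;
            return;
        }

        if (!isset($token->attr['name'])) {
            $token = false;
            return;
        }
        $n = $token->attr['name'];

        // YouTube-style embeds give the SWF URL in a movie/src param and omit
        // the object's data attribute, which we need when a type is
        // specified. Back-fill it, but only when there is a value to copy
        // (a value-less param would otherwise store null and raise a notice).
        // This is *very* Flash specific. The copied URL is presumably
        // validated later by the object's data attribute definition — confirm.
        if (!isset($this->objectStack[$i]->attr['data']) &&
            ($n === 'movie' || $n === 'src') &&
            isset($token->attr['value'])
        ) {
            $this->objectStack[$i]->attr['data'] = $token->attr['value'];
        }

        if (isset($this->addParam[$n])) {
            // A user-supplied copy of a security param (e.g.
            // allowScriptAccess=always) is always deleted: the copies this
            // injector emitted after the <object> are the only ones that survive.
            $token = false;
        } elseif (!isset($this->allowedParam[$n])) {
            // Not whitelisted, DENY!
            $token = false;
        }
        // Otherwise the name is whitelisted: keep the token untouched
        // (duplicates of whitelisted params are not checked).
    }

    /**
     * Pops the <object> bookkeeping when its end tag is reached.
     *
     * This is the WRONG way of handling the object and param stacks;
     * we should be inserting them directly on the relevant object tokens
     * so that the global stack handling handles it.
     *
     * @param HTMLPurifier_Token $token
     */
    public function handleEnd(&$token)
    {
        if ($token->name === 'object') {
            array_pop($this->objectStack);
            array_pop($this->paramStack);
        }
    }
}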
120 | \r | |
121 | // vim: et sw=4 sts=4\r |