inc/3rdparty/htmlpurifier/HTMLPurifier/HTMLModule/SafeObject.php

   1 <?php
   2
   3 /**
   4  * A "safe" object module. In theory, objects permitted by this module will
   5  * be safe, and untrusted users can be allowed to embed arbitrary flash objects
   6  * (maybe other types too, but only Flash is supported as of right now).
   7  * Highly experimental.
   8  */
   9 class HTMLPurifier_HTMLModule_SafeObject extends HTMLPurifier_HTMLModule
  10 {
  11     /**
  12      * @type string
  13      */
  14     public $name = 'SafeObject';
  15
  16     /**
  17      * @param HTMLPurifier_Config $config
  18      */
  19     public function setup($config)
  20     {
  21         // These definitions are not intrinsically safe: the attribute transforms
  22         // are a vital part of ensuring safety.
  23
  24         $max = $config->get('HTML.MaxImgLength');
  25         $object = $this->addElement(
  26             'object',
  27             'Inline',
  28             'Optional: param | Flow | #PCDATA',
  29             'Common',
  30             array(
  31                 // While technically not required by the spec, we're forcing
  32                 // it to this value.
  33                 'type' => 'Enum#application/x-shockwave-flash',
  34                 'width' => 'Pixels#' . $max,
  35                 'height' => 'Pixels#' . $max,
  36                 'data' => 'URI#embedded',
  37                 'codebase' => new HTMLPurifier_AttrDef_Enum(
  38                     array(
  39                         'http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0'
  40                     )
  41                 ),
  42             )
  43         );
  44         $object->attr_transform_post[] = new HTMLPurifier_AttrTransform_SafeObject();
  45
  46         $param = $this->addElement(
  47             'param',
  48             false,
  49             'Empty',
  50             false,
  51             array(
  52                 'id' => 'ID',
  53                 'name*' => 'Text',
  54                 'value' => 'Text'
  55             )
  56         );
  57         $param->attr_transform_post[] = new HTMLPurifier_AttrTransform_SafeParam();
  58         $this->info_injector[] = 'SafeObject';
  59     }
  60 }
  61
  62 // vim: et sw=4 sts=4