+++ /dev/null
-<?php\r
-\r
-/**\r
- * Validates name/value pairs in param tags to be used in safe objects. This\r
- * will only allow name values it recognizes, and pre-fill certain attributes\r
- * with required values.\r
- *\r
- * @note\r
- * This class only supports Flash. In the future, Quicktime support\r
- * may be added.\r
- *\r
- * @warning\r
- * This class expects an injector to add the necessary parameters tags.\r
- */\r
-class HTMLPurifier_AttrTransform_SafeParam extends HTMLPurifier_AttrTransform\r
-{\r
- /**\r
- * @type string\r
- */\r
- public $name = "SafeParam";\r
-\r
- /**\r
- * @type HTMLPurifier_AttrDef_URI\r
- */\r
- private $uri;\r
-\r
- public function __construct()\r
- {\r
- $this->uri = new HTMLPurifier_AttrDef_URI(true); // embedded\r
- $this->wmode = new HTMLPurifier_AttrDef_Enum(array('window', 'opaque', 'transparent'));\r
- }\r
-\r
- /**\r
- * @param array $attr\r
- * @param HTMLPurifier_Config $config\r
- * @param HTMLPurifier_Context $context\r
- * @return array\r
- */\r
- public function transform($attr, $config, $context)\r
- {\r
- // If we add support for other objects, we'll need to alter the\r
- // transforms.\r
- switch ($attr['name']) {\r
- // application/x-shockwave-flash\r
- // Keep this synchronized with Injector/SafeObject.php\r
- case 'allowScriptAccess':\r
- $attr['value'] = 'never';\r
- break;\r
- case 'allowNetworking':\r
- $attr['value'] = 'internal';\r
- break;\r
- case 'allowFullScreen':\r
- if ($config->get('HTML.FlashAllowFullScreen')) {\r
- $attr['value'] = ($attr['value'] == 'true') ? 'true' : 'false';\r
- } else {\r
- $attr['value'] = 'false';\r
- }\r
- break;\r
- case 'wmode':\r
- $attr['value'] = $this->wmode->validate($attr['value'], $config, $context);\r
- break;\r
- case 'movie':\r
- case 'src':\r
- $attr['name'] = "movie";\r
- $attr['value'] = $this->uri->validate($attr['value'], $config, $context);\r
- break;\r
- case 'flashvars':\r
- // we're going to allow arbitrary inputs to the SWF, on\r
- // the reasoning that it could only hack the SWF, not us.\r
- break;\r
- // add other cases to support other param name/value pairs\r
- default:\r
- $attr['name'] = $attr['value'] = null;\r
- }\r
- return $attr;\r
- }\r
-}\r
-\r
-// vim: et sw=4 sts=4\r