[Summary view] [Print] [Text view]

   1  <?php
   2  
   3  /**
   4   * Validates name/value pairs in param tags to be used in safe objects. This
   5   * will only allow name values it recognizes, and pre-fill certain attributes
   6   * with required values.
   7   *
   8   * @note
   9   *      This class only supports Flash. In the future, Quicktime support
  10   *      may be added.
  11   *
  12   * @warning
  13   *      This class expects an injector to add the necessary parameters tags.
  14   */
  15  class HTMLPurifier_AttrTransform_SafeParam extends HTMLPurifier_AttrTransform
  16  {
  17      /**
  18       * @type string
  19       */
  20      public $name = "SafeParam";
  21  
  22      /**
  23       * @type HTMLPurifier_AttrDef_URI
  24       */
  25      private $uri;
  26  
  27      public function __construct()
  28      {
  29          $this->uri = new HTMLPurifier_AttrDef_URI(true); // embedded
  30          $this->wmode = new HTMLPurifier_AttrDef_Enum(array('window', 'opaque', 'transparent'));
  31      }
  32  
  33      /**
  34       * @param array $attr
  35       * @param HTMLPurifier_Config $config
  36       * @param HTMLPurifier_Context $context
  37       * @return array
  38       */
  39      public function transform($attr, $config, $context)
  40      {
  41          // If we add support for other objects, we'll need to alter the
  42          // transforms.
  43          switch ($attr['name']) {
  44              // application/x-shockwave-flash
  45              // Keep this synchronized with Injector/SafeObject.php
  46              case 'allowScriptAccess':
  47                  $attr['value'] = 'never';
  48                  break;
  49              case 'allowNetworking':
  50                  $attr['value'] = 'internal';
  51                  break;
  52              case 'allowFullScreen':
  53                  if ($config->get('HTML.FlashAllowFullScreen')) {
  54                      $attr['value'] = ($attr['value'] == 'true') ? 'true' : 'false';
  55                  } else {
  56                      $attr['value'] = 'false';
  57                  }
  58                  break;
  59              case 'wmode':
  60                  $attr['value'] = $this->wmode->validate($attr['value'], $config, $context);
  61                  break;
  62              case 'movie':
  63              case 'src':
  64                  $attr['name'] = "movie";
  65                  $attr['value'] = $this->uri->validate($attr['value'], $config, $context);
  66                  break;
  67              case 'flashvars':
  68                  // we're going to allow arbitrary inputs to the SWF, on
  69                  // the reasoning that it could only hack the SWF, not us.
  70                  break;
  71              // add other cases to support other param name/value pairs
  72              default:
  73                  $attr['name'] = $attr['value'] = null;
  74          }
  75          return $attr;
  76      }
  77  }
  78  
  79  // vim: et sw=4 sts=4