| [ Index ] |
PHP Cross Reference of Unnamed Project |
[Summary view] [Print] [Text view]
1 <?php 2 3 /** 4 * Adds important param elements to inside of object in order to make 5 * things safe. 6 */ 7 class HTMLPurifier_Injector_SafeObject extends HTMLPurifier_Injector 8 { 9 /** 10 * @type string 11 */ 12 public $name = 'SafeObject'; 13 14 /** 15 * @type array 16 */ 17 public $needed = array('object', 'param'); 18 19 /** 20 * @type array 21 */ 22 protected $objectStack = array(); 23 24 /** 25 * @type array 26 */ 27 protected $paramStack = array(); 28 29 /** 30 * Keep this synchronized with AttrTransform/SafeParam.php. 31 * @type array 32 */ 33 protected $addParam = array( 34 'allowScriptAccess' => 'never', 35 'allowNetworking' => 'internal', 36 ); 37 38 /** 39 * @type array 40 */ 41 protected $allowedParam = array( 42 'wmode' => true, 43 'movie' => true, 44 'flashvars' => true, 45 'src' => true, 46 'allowFullScreen' => true, // if omitted, assume to be 'false' 47 ); 48 49 /** 50 * @param HTMLPurifier_Config $config 51 * @param HTMLPurifier_Context $context 52 * @return void 53 */ 54 public function prepare($config, $context) 55 { 56 parent::prepare($config, $context); 57 } 58 59 /** 60 * @param HTMLPurifier_Token $token 61 */ 62 public function handleElement(&$token) 63 { 64 if ($token->name == 'object') { 65 $this->objectStack[] = $token; 66 $this->paramStack[] = array(); 67 $new = array($token); 68 foreach ($this->addParam as $name => $value) { 69 $new[] = new HTMLPurifier_Token_Empty('param', array('name' => $name, 'value' => $value)); 70 } 71 $token = $new; 72 } elseif ($token->name == 'param') { 73 $nest = count($this->currentNesting) - 1; 74 if ($nest >= 0 && $this->currentNesting[$nest]->name === 'object') { 75 $i = count($this->objectStack) - 1; 76 if (!isset($token->attr['name'])) { 77 $token = false; 78 return; 79 } 80 $n = $token->attr['name']; 81 // We need this fix because YouTube doesn't supply a data 82 // attribute, which we need if a type is specified. This is 83 // *very* Flash specific. 84 if (!isset($this->objectStack[$i]->attr['data']) && 85 ($token->attr['name'] == 'movie' || $token->attr['name'] == 'src') 86 ) { 87 $this->objectStack[$i]->attr['data'] = $token->attr['value']; 88 } 89 // Check if the parameter is the correct value but has not 90 // already been added 91 if (!isset($this->paramStack[$i][$n]) && 92 isset($this->addParam[$n]) && 93 $token->attr['name'] === $this->addParam[$n]) { 94 // keep token, and add to param stack 95 $this->paramStack[$i][$n] = true; 96 } elseif (isset($this->allowedParam[$n])) { 97 // keep token, don't do anything to it 98 // (could possibly check for duplicates here) 99 } else { 100 $token = false; 101 } 102 } else { 103 // not directly inside an object, DENY! 104 $token = false; 105 } 106 } 107 } 108 109 public function handleEnd(&$token) 110 { 111 // This is the WRONG way of handling the object and param stacks; 112 // we should be inserting them directly on the relevant object tokens 113 // so that the global stack handling handles it. 114 if ($token->name == 'object') { 115 array_pop($this->objectStack); 116 array_pop($this->paramStack); 117 } 118 } 119 } 120 121 // vim: et sw=4 sts=4
title
Description
Body
title
Description
Body
title
Description
Body
title
Body
| Generated: Tue Mar 17 22:47:18 2015 | Cross-referenced by PHPXref 0.7.1 |