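<?php

/**
 * Validates name/value pairs in param tags to be used in safe objects. This
 * will only allow name values it recognizes, and pre-fill certain attributes
 * with required values.
 *
 * @note
 *      This class only supports Flash. In the future, Quicktime support
 *      may be added.
 *
 * @warning
 *      This class expects an injector to add the necessary parameters tags.
 */
class HTMLPurifier_AttrTransform_SafeParam extends HTMLPurifier_AttrTransform
{
    /**
     * @type string
     */
    public $name = "SafeParam";

    /**
     * Validator for the movie/src URI, constructed in embedded mode.
     * @type HTMLPurifier_AttrDef_URI
     */
    private $uri;

    /**
     * Whitelist validator for the wmode param; declared explicitly so it is
     * not created as a dynamic property (deprecated in PHP 8.2).
     * @type HTMLPurifier_AttrDef_Enum
     */
    private $wmode;

    public function __construct()
    {
        $this->uri = new HTMLPurifier_AttrDef_URI(true); // embedded
        $this->wmode = new HTMLPurifier_AttrDef_Enum(array('window', 'opaque', 'transparent'));
    }

    /**
     * Rewrites one <param> name/value pair so that only recognized params,
     * with values this class considers safe, survive. Unknown names have
     * both name and value nulled out so the caller can drop the tag.
     *
     * @param array $attr Attributes of the <param> tag; reads and writes
     *                    $attr['name'] and $attr['value'].
     * @param HTMLPurifier_Config $config
     * @param HTMLPurifier_Context $context
     * @return array The (possibly rewritten) attribute array.
     */
    public function transform($attr, $config, $context)
    {
        // A <param> with no name has nothing to validate: route it to the
        // default branch instead of raising an undefined-index notice.
        $paramName = isset($attr['name']) ? $attr['name'] : null;

        // If we add support for other objects, we'll need to alter the
        // transforms.
        switch ($paramName) {
            // application/x-shockwave-flash
            // Keep this synchronized with Injector/SafeObject.php
            case 'allowScriptAccess':
                // Pinned regardless of input: 'never' stops the SWF from
                // calling into the hosting page's scripts.
                $attr['value'] = 'never';
                break;
            case 'allowNetworking':
                // Pinned regardless of input: 'internal' blocks the SWF's
                // browser-navigation and browser-interaction APIs.
                $attr['value'] = 'internal';
                break;
            case 'allowFullScreen':
                // Honoured only when the config opts in; otherwise forced off.
                // Strict comparison: the value is a string from the parser, and
                // an absent value must read as 'false', not as a notice.
                if ($config->get('HTML.FlashAllowFullScreen')) {
                    $attr['value'] = (isset($attr['value']) && $attr['value'] === 'true')
                        ? 'true'
                        : 'false';
                } else {
                    $attr['value'] = 'false';
                }
                break;
            case 'wmode':
                // Enum validation rejects anything outside the whitelist.
                $attr['value'] = $this->wmode->validate($attr['value'], $config, $context);
                break;
            case 'movie':
            case 'src':
                // Normalize the alias to 'movie' and run the URI through the
                // embedded-mode URI validator.
                $attr['name'] = "movie";
                $attr['value'] = $this->uri->validate($attr['value'], $config, $context);
                break;
            case 'flashvars':
                // we're going to allow arbitrary inputs to the SWF, on
                // the reasoning that it could only hack the SWF, not us.
                break;
            // add other cases to support other param name/value pairs
            default:
                $attr['name'] = $attr['value'] = null;
        }
        return $attr;
    }
}

// vim: et sw=4 sts=4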