
0001 <?php
0002 
0003 /**
0004  * A "safe" object module. In theory, objects permitted by this module will
0005  * be safe, and untrusted users can be allowed to embed arbitrary flash objects
0006  * (maybe other types too, but only Flash is supported as of right now).
0007  * Highly experimental.
0008  */
class HTMLPurifier_HTMLModule_SafeObject extends HTMLPurifier_HTMLModule
{
    /**
     * Name under which this module is registered.
     * @type string
     */
    public $name = 'SafeObject';

    /**
     * Registers the <object> and <param> elements with a deliberately narrow
     * attribute set. The element definitions on their own do NOT make embedded
     * objects safe: the post-transforms attached here
     * (HTMLPurifier_AttrTransform_SafeObject / HTMLPurifier_AttrTransform_SafeParam)
     * and the 'SafeObject' injector are what enforce the restrictions, so none
     * of them may be dropped independently.
     *
     * @param HTMLPurifier_Config $config
     */
    public function setup($config)
    {
        // Width and height share the same upper bound as <img> dimensions.
        $maxLength = $config->get('HTML.MaxImgLength');

        // Exactly one codebase value is permitted: the official Flash installer cab.
        $codebaseDef = new HTMLPurifier_AttrDef_Enum(
            array(
                'http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0'
            )
        );

        $objectAttrs = array(
            // The HTML spec does not require a type, but this module only knows
            // how to make Flash safe, so the attribute is pinned to that value.
            'type' => 'Enum#application/x-shockwave-flash',
            'width' => 'Pixels#' . $maxLength,
            'height' => 'Pixels#' . $maxLength,
            // 'embedded' presumably tells the URI attribute definition that this
            // is an embedded resource rather than a plain link -- verify against
            // HTMLPurifier_AttrDef_URI.
            'data' => 'URI#embedded',
            'codebase' => $codebaseDef,
        );

        $objectElement = $this->addElement(
            'object',
            'Inline',
            'Optional: param | Flow | #PCDATA',
            'Common',
            $objectAttrs
        );
        // Runs after the attribute definitions above have validated the raw
        // attributes; this transform is part of the safety guarantee.
        $objectElement->attr_transform_post[] = new HTMLPurifier_AttrTransform_SafeObject();

        $paramAttrs = array(
            'id' => 'ID',
            'name*' => 'Text',   // trailing '*' is the required-attribute marker
            'value' => 'Text'
        );

        $paramElement = $this->addElement(
            'param',
            false,
            'Empty',
            false,
            $paramAttrs
        );
        // Same pattern as <object>: the post-transform restricts which
        // <param> name/value pairs survive.
        $paramElement->attr_transform_post[] = new HTMLPurifier_AttrTransform_SafeParam();

        // The injector is referenced by name and activated together with the module.
        $this->info_injector[] = 'SafeObject';
    }
}
0061 
0062 // vim: et sw=4 sts=4