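<?php

/**
 * A "safe" script module. No inline JS is allowed, and the JS files a
 * <script src> points to must match the HTML.SafeScripting whitelist.
 */
class HTMLPurifier_HTMLModule_SafeScripting extends HTMLPurifier_HTMLModule
{
    /**
     * @type string
     */
    public $name = 'SafeScripting';

    /**
     * Registers the <script> element whose src attribute is restricted to
     * the whitelist configured in HTML.SafeScripting.
     *
     * @param HTMLPurifier_Config $config
     */
    public function setup($config)
    {
        // These definitions are not intrinsically safe: the attribute transforms
        // are a vital part of ensuring safety.

        // The whitelist is keyed by URL, so its keys are the permitted src values.
        $allowed = $config->get('HTML.SafeScripting');
        $script = $this->addElement(
            'script',
            'Inline',
            'Empty',
            null,
            array(
                // While technically not required by the spec, we're forcing
                // it to this value.
                'type' => 'Enum#text/javascript',
                // Match the whitelist case-sensitively: URL paths are generally
                // case-sensitive, so a case-insensitive comparison would accept
                // spellings of the URL that the administrator never listed.
                'src*' => new HTMLPurifier_AttrDef_Enum(array_keys($allowed), /*case sensitive*/ true)
            )
        );
        // The same transform runs before and after attribute validation so that
        // a <script> without a whitelisted src is never emitted.
        $script->attr_transform_pre[] =
            $script->attr_transform_post[] = new HTMLPurifier_AttrTransform_ScriptRequired();
    }
}

// vim: et sw=4 sts=4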