
0001 <?php
0002 
0003 /*
0004 
0005 WARNING: THIS MODULE IS EXTREMELY DANGEROUS AS IT ENABLES INLINE SCRIPTING
0006 INSIDE HTML PURIFIER DOCUMENTS. USE ONLY WITH TRUSTED USER INPUT!!!
0007 
0008 */
0009 
/**
 * XHTML 1.1 Scripting module: registers the element that carries executable
 * script (script) and the element shown when scripts are not supported
 * (noscript).
 *
 * Security: setup() gives script a #PCDATA content model and a src
 * attribute, so inline script bodies and script URIs are both accepted by
 * this module. The module flags itself with $safe = false.
 *
 * @note NOTE(review): the previous note here said the module does not contain
 *       inline scripting elements; that does not match the #PCDATA content
 *       model assigned to script in setup(). Treat this module as enabling
 *       inline script.
 */
class HTMLPurifier_HTMLModule_Scripting extends HTMLPurifier_HTMLModule
{
    /**
     * Module identifier.
     * @type string
     */
    public $name = 'Scripting';

    /**
     * Names of the elements this module defines.
     * @type array
     */
    public $elements = array('script', 'noscript');

    /**
     * Both elements are listed in the Block and in the Inline content set.
     * @type array
     */
    public $content_sets = array(
        'Block' => 'script | noscript',
        'Inline' => 'script | noscript',
    );

    /**
     * Marks the module as not safe.
     * NOTE(review): presumably HTMLPurifier_HTMLModuleManager consults this
     * flag to keep the module out of untrusted configurations; confirm there.
     * @type bool
     */
    public $safe = false;

    /**
     * Builds the element definitions for noscript and script and stores them
     * in $this->info.
     *
     * @param HTMLPurifier_Config $config not read by this method
     */
    public function setup($config)
    {
        // TODO: create custom child-definition for noscript that
        // auto-wraps stray #PCDATA in a similar manner to
        // blockquote's custom definition (we would use it but
        // blockquote's contents are optional while noscript's contents
        // are required)

        // TODO: convert this to new syntax, main problem is getting
        // both content sets working

        // Original author's remark on noscript: in theory, this could be
        // safe, but there is no apparent reason to allow it.
        $noscript = new HTMLPurifier_ElementDef();
        $noscript->attr = array(array('Common'));
        $noscript->content_model = 'Heading | List | Block';
        $noscript->content_model_type = 'required';
        $this->info['noscript'] = $noscript;

        $script = new HTMLPurifier_ElementDef();
        // Only these three attributes are declared for script; defer and type
        // are each limited to a single literal value.
        $script->attr = array(
            'defer' => new HTMLPurifier_AttrDef_Enum(array('defer')),
            // NOTE(review): the `true` argument presumably marks the URI as
            // an embedded resource; confirm against HTMLPurifier_AttrDef_URI.
            'src' => new HTMLPurifier_AttrDef_URI(true),
            'type' => new HTMLPurifier_AttrDef_Enum(array('text/javascript')),
        );
        // #PCDATA + optional: an inline script body is allowed but not required.
        $script->content_model = '#PCDATA';
        $script->content_model_type = 'optional';

        // One shared transform instance is registered for both the post and
        // the pre attribute-transform phases.
        $scriptRequired = new HTMLPurifier_AttrTransform_ScriptRequired();
        $script->attr_transform_post[] = $scriptRequired;
        $script->attr_transform_pre[] = $scriptRequired;
        $this->info['script'] = $script;
    }
}
0072 
0073 // vim: et sw=4 sts=4