Release 3.1.0

[htmlpurifier-web.git] / demo.custom.php

<?php

class HTMLPurifier_AttrTransform_ParamValidator extends HTMLPurifier_AttrTransform 
{
    var $name = "ParamValidator";
    var $uri;
    
    function HTMLPurifier_AttrTransform_ParamValidator() {
        $this->uri = new HTMLPurifier_AttrDef_URI();
    }
    
    function transform($attr, $config, $context) {
        switch ($attr['name']) {
            case 'allowscriptaccess':
                $attr['value'] = 'never';
                break;
            case 'wmode':
                $attr['value'] = 'window';
                break;
            case 'enablejsurls':
                $attr['value'] = 'false';
                break;
            case 'movie':
                $attr['value'] = $this->uri->validate($attr['movie'], $config, $context);
                break;
            // probably more
            default:
                $attr['name'] = $attr['value'] = null;
        }
        return $attr;
    }
}

class HTMLPurifier_AttrTransform_ObjectValidator extends HTMLPurifier_AttrTransform
{
    var $name = "ObjectValidator";

    function transform($attr, $config, $context) {
        if (!isset($attr['type'])) $attr['type'] = 'application/x-shockwave-flash';
        return $attr;
    }
}

$config->set('AutoFormat', 'Custom', array('AddParam'));
$config->set('HTML', 'DefinitionID', 'allow flash movies');
$config->set('HTML', 'DefinitionRev', 1);
$config->set('Cache', 'DefinitionImpl', null); //remove this later
$def =& $config->getHTMLDefinition(true);

$param =& $def->addElement(
    'param',
    false, //only appears in object tags, remove elsewhere
    'Empty',
    false,
    array(
        // this by default is insecure, and must have a validator
        'name' => 'Text', 
        'value' => 'Text'
    )
);

$param->attr_transform_post[] = new HTMLPurifier_AttrTransform_ParamValidator();

$object =& $def->addElement(
    'object',
    'Inline',
    'Optional: param | #PCDATA',
    false,
    array(
        'type*' => 'Enum#application/x-shockwave-flash',
        'width*' => 'Pixels',
        'height*' => 'Pixels',
        'data'    => 'Text'
    )
);
$object->attr_transform_post[] = new HTMLPurifier_AttrTransform_ObjectValidator();



$embed =& $def->addElement(
    'embed',
    'Block',
    'Empty',
    false,
    array(
        'type*' => 'Enum#application/x-shockwave-flash',
        'width*' => 'Pixels',
        'height*' => 'Pixels',
        'src*' => 'URI',
        'flashvars' => 'Text',
        'allowscriptaccess' => 'Enum#never',
        'enablejsurls' => 'Enum#false',
        'enablehref' => 'Enum#false',
        'bgcolor' => 'Text',
        //these will all be ignored by the injector
        'wmode' => 'Text',
        'pluginspage' => 'URI',
        'saveembedtags' => 'Text',
        'salign' => 'Text',
        'scale' => 'Text',
        'name' => 'Text'
    )
);

class HTMLPurifier_AttrTransform_EmbedValidator extends HTMLPurifier_AttrTransform 
{
    var $name = "EmbedValidator";

    function transform($attr, $config, $context) {
        $attr['allowscriptaccess'] = 'never';
        $attr['enablejsurls'] = 'false';
        $attr['enablehref'] = 'false';
        return $attr;
    }
}
$embed->attr_transform_post[] = new HTMLPurifier_AttrTransform_EmbedValidator();

class HTMLPurifier_Injector_AddParam extends HTMLPurifier_Injector
{
    var $name = 'AddParam';
    var $needed  = array('object', 'param');
    function handleElement(&$token) {
        if ($token->name == 'object') {
            $token = array(
                $token,
                new HTMLPurifier_Token_Start('param', array('name' => 'enablejsurls', 'value' => 'false'))
            );
        }
    }
}