library/HTMLPurifier/AttrTransform/SafeParam.php

   1 <?php
   2
   3 /**
   4  * Validates name/value pairs in param tags to be used in safe objects. This
   5  * will only allow name values it recognizes, and pre-fill certain attributes
   6  * with required values.
   7  *
   8  * @note
   9  *      This class only supports Flash. In the future, Quicktime support
  10  *      may be added.
  11  *
  12  * @warning
  13  *      This class expects an injector to add the necessary parameters tags.
  14  */
  15 class HTMLPurifier_AttrTransform_SafeParam extends HTMLPurifier_AttrTransform
  16 {
  17     public $name = "SafeParam";
  18     private $uri;
  19
  20     function __construct() {
  21         $this->uri = new HTMLPurifier_AttrDef_URI(true); // embedded
  22     }
  23
  24     function transform($attr, $config, $context) {
  25         // If we add support for other objects, we'll need to alter the
  26         // transforms.
  27         switch ($attr['name']) {
  28             // application/x-shockwave-flash
  29             // Keep this synchronized with Injector/SafeObject.php
  30             case 'allowScriptAccess':
  31                 $attr['value'] = 'never';
  32                 break;
  33             case 'allowNetworking':
  34                 $attr['value'] = 'internal';
  35                 break;
  36             case 'wmode':
  37                 $attr['value'] = 'window';
  38                 break;
  39             case 'movie':
  40                 $attr['value'] = $this->uri->validate($attr['value'], $config, $context);
  41                 break;
  42             // add other cases to support other param name/value pairs
  43             default:
  44                 $attr['name'] = $attr['value'] = null;
  45         }
  46         return $attr;
  47     }
  48 }