library/HTMLPurifier/HTMLModule/SafeObject.php

   1 <?php
   2
   3 /**
   4  * A "safe" object module. In theory, objects permitted by this module will
   5  * be safe, and untrusted users can be allowed to embed arbitrary flash objects
   6  * (maybe other types too, but only Flash is supported as of right now).
   7  * Highly experimental.
   8  */
   9 class HTMLPurifier_HTMLModule_SafeObject extends HTMLPurifier_HTMLModule
  10 {
  11
  12     public $name = 'SafeObject';
  13
  14     public function setup($config) {
  15
  16         // These definitions are not intrinsically safe: the attribute transforms
  17         // are a vital part of ensuring safety.
  18
  19         $max = $config->get('HTML', 'MaxImgLength');
  20         $object = $this->addElement(
  21             'object',
  22             'Inline',
  23             'Optional: param | Flow | #PCDATA',
  24             'Common',
  25             array(
  26                 // While technically not required by the spec, we're forcing
  27                 // it to this value.
  28                 'type'   => 'Enum#application/x-shockwave-flash',
  29                 'width'  => 'Pixels#' . $max,
  30                 'height' => 'Pixels#' . $max,
  31                 'data'   => 'Text'
  32             )
  33         );
  34         $object->attr_transform_post[] = new HTMLPurifier_AttrTransform_SafeObject();
  35
  36         $param = $this->addElement('param', false, 'Empty', false,
  37             array(
  38                 'id' => 'ID',
  39                 'name*' => 'Text',
  40                 'value' => 'Text'
  41             )
  42         );
  43         $param->attr_transform_post[] = new HTMLPurifier_AttrTransform_SafeParam();
  44         $this->info_injector[] = 'SafeObject';
  45
  46     }
  47
  48 }