4 * Adds important param elements to inside of object in order to make
7 class HTMLPurifier_Injector_SafeObject
extends HTMLPurifier_Injector
9 public $name = 'SafeObject';
10 public $needed = array('object', 'param');
12 protected $objectStack = array();
13 protected $paramStack = array();
15 // Keep this synchronized with AttrTransform/SafeParam.php
16 protected $addParam = array(
17 'allowScriptAccess' => 'never',
18 'allowNetworking' => 'internal',
20 protected $allowedParam = array(
25 public function prepare($config, $context) {
26 parent
::prepare($config, $context);
29 public function handleElement(&$token) {
30 if ($token->name
== 'object') {
31 $this->objectStack
[] = $token;
32 $this->paramStack
[] = array();
34 foreach ($this->addParam
as $name => $value) {
35 $new[] = new HTMLPurifier_Token_Empty('param', array('name' => $name, 'value' => $value));
38 } elseif ($token->name
== 'param') {
39 $nest = count($this->currentNesting
) - 1;
40 if ($nest >= 0 && $this->currentNesting
[$nest]->name
=== 'object') {
41 $i = count($this->objectStack
) - 1;
42 if (!isset($token->attr
['name'])) {
46 $n = $token->attr
['name'];
47 // Check if the parameter is the correct value but has not
50 !isset($this->paramStack
[$i][$n]) &&
51 isset($this->addParam
[$n]) &&
52 $token->attr
['name'] === $this->addParam
[$n]
54 // keep token, and add to param stack
55 $this->paramStack
[$i][$n] = true;
56 } elseif (isset($this->allowedParam
[$n])) {
57 // keep token, don't do anything to it
58 // (could possibly check for duplicates here)
63 // not directly inside an object, DENY!
69 public function notifyEnd($token) {
70 if ($token->name
== 'object') {
71 array_pop($this->objectStack
);
72 array_pop($this->paramStack
);