4 * A "safe" script module. No inline JS is allowed, and pointed to JS
5 * files must match whitelist.
7 class HTMLPurifier_HTMLModule_SafeScripting
extends HTMLPurifier_HTMLModule
10 public $name = 'SafeScripting';
12 public function setup($config) {
14 // These definitions are not intrinsically safe: the attribute transforms
15 // are a vital part of ensuring safety.
17 $allowed = $config->get('HTML.SafeScripting');
18 $script = $this->addElement(
24 // While technically not required by the spec, we're forcing
26 'type' => 'Enum#text/javascript',
27 'src*' => new HTMLPurifier_AttrDef_Enum(array_keys($allowed))
30 $script->attr_transform_pre
[] =
31 $script->attr_transform_post
[] = new HTMLPurifier_AttrTransform_ScriptRequired();