Support for safe external scripts via explicit whitelist.
[htmlpurifier.git] / library / HTMLPurifier / HTMLModule / SafeScripting.php
blobe32a6b6c51c17d6da35db6a63a44b4057a5ea3f8
1 <?php
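/**
 * A "safe" script module. Inline JavaScript is not allowed, and the src of
 * every script element must match an entry in the HTML.SafeScripting
 * whitelist.
 */
class HTMLPurifier_HTMLModule_SafeScripting extends HTMLPurifier_HTMLModule
{

    public $name = 'SafeScripting';

    /**
     * Registers the restricted script element.
     *
     * @param HTMLPurifier_Config $config Configuration object; the keys of
     *        its HTML.SafeScripting directive are the permitted src URLs.
     */
    public function setup($config) {

        // These definitions are not intrinsically safe: the attribute transforms
        // are a vital part of ensuring safety.

        $allowed = $config->get('HTML.SafeScripting');
        $script = $this->addElement(
            'script',
            'Inline',
            // Empty content model: the element may not carry a script body.
            'Empty',
            null,
            array(
                // While technically not required by the spec, we're forcing
                // it to this value.
                'type' => 'Enum#text/javascript',
                // Required attribute, compared case-sensitively. URL paths
                // are case-sensitive, and the default case-insensitive mode
                // lowercases the candidate before lookup, so a whitelisted
                // URL containing uppercase letters could never match and a
                // differently-cased URL would be rewritten rather than
                // rejected. An allowlist of script sources should be an
                // exact match.
                'src*' => new HTMLPurifier_AttrDef_Enum(array_keys($allowed), true)
            )
        );
        // The same transform instance runs both before and after attribute
        // validation. NOTE(review): HTMLPurifier_AttrTransform_ScriptRequired
        // is defined elsewhere; confirm it rejects or repairs script tags
        // that lack the attributes required above.
        $script->attr_transform_pre[] =
        $script->attr_transform_post[] = new HTMLPurifier_AttrTransform_ScriptRequired();
    }
}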
37 // vim: et sw=4 sts=4