library/HTMLPurifier/URIFilter/SafeIframe.php

   1 <?php
   2
   3 /**
   4  * Implements safety checks for safe iframes.
   5  *
   6  * @warning This filter is *critical* for ensuring that %HTML.SafeIframe
   7  * works safely.
   8  */
   9 class HTMLPurifier_URIFilter_SafeIframe extends HTMLPurifier_URIFilter
  10 {
  11     public $name = 'SafeIframe';
  12     public $always_load = true;
  13     protected $regexp = NULL;
  14     // XXX: The not so good bit about how this is all setup now is we
  15     // can't check HTML.SafeIframe in the 'prepare' step: we have to
  16     // defer till the actual filtering.
  17     public function prepare($config) {
  18         $this->regexp = $config->get('URI.SafeIframeRegexp');
  19         return true;
  20     }
  21     public function filter(&$uri, $config, $context) {
  22         // check if filter not applicable
  23         if (!$config->get('HTML.SafeIframe')) return true;
  24         // check if the filter should actually trigger
  25         if (!$context->get('EmbeddedURI', true)) return true;
  26         $token = $context->get('CurrentToken', true);
  27         if (!($token && $token->name == 'iframe')) return true;
  28         // check if we actually have some whitelists enabled
  29         if ($this->regexp === null) return false;
  30         // actually check the whitelists
  31         return preg_match($this->regexp, $uri->toString());
  32     }
  33 }
  34
  35 // vim: et sw=4 sts=4