Implement HTML.FlashAllowFullScreen.
[htmlpurifier.git] / library / HTMLPurifier / AttrTransform / SafeParam.php
1 <?php
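/**
 * Validates name/value pairs in param tags to be used in safe objects. This
 * will only allow name values it recognizes, and pre-fill certain attributes
 * with required values.
 *
 * The transform is an allowlist with a default-deny fallback: every
 * recognized param name either has its value overwritten with a fixed,
 * restrictive setting or has its value validated, and any name that is not
 * listed has both its name and value set to null. Matching is
 * case-sensitive, so a differently-cased spelling of a listed name takes the
 * default-deny branch rather than passing through with its own value.
 *
 * @note
 *      This class only supports Flash. In the future, Quicktime support
 *      may be added.
 *
 * @warning
 *      This class expects an injector to add the necessary parameters tags.
 */
class HTMLPurifier_AttrTransform_SafeParam extends HTMLPurifier_AttrTransform
{
    public $name = "SafeParam";

    // URI validator used for the movie/src param; constructed in embedded mode.
    private $uri;

    public function __construct() {
        $this->uri = new HTMLPurifier_AttrDef_URI(true); // embedded
    }

    /**
     * Rewrites one param tag's attributes so only known-safe pairs survive.
     *
     * @param array $attr Attribute array of the param tag; the 'name' and
     *                    'value' keys are read, and either may be absent.
     * @param object $config Configuration; HTML.FlashAllowFullScreen is read.
     * @param object $context Context, passed through to the URI validator.
     * @return array The attribute array with 'name'/'value' forced,
     *               validated, or nulled.
     */
    public function transform($attr, $config, $context) {
        // The attributes come from untrusted markup, so a param tag may
        // lack either key. Read both once, defensively, instead of indexing
        // the array directly and raising an undefined-index notice.
        $name = isset($attr['name']) ? $attr['name'] : null;
        $value = isset($attr['value']) ? $attr['value'] : null;

        // If we add support for other objects, we'll need to alter the
        // transforms.
        switch ($name) {
            // application/x-shockwave-flash
            // Keep this synchronized with Injector/SafeObject.php
            case 'allowScriptAccess':
                // Always overwritten, whatever the markup asked for. In
                // Flash Player, 'never' stops the movie from scripting the
                // embedding page.
                $attr['value'] = 'never';
                break;
            case 'allowNetworking':
                // Always overwritten. In Flash Player, 'internal' blocks the
                // browser navigation and browser interaction APIs.
                $attr['value'] = 'internal';
                break;
            case 'allowFullScreen':
                // Opt-in only: without HTML.FlashAllowFullScreen the value
                // is forced to 'false'. With it, the result is still limited
                // to the two literals; only the exact string 'true' enables
                // full screen, anything else (including a missing value)
                // becomes 'false'.
                if ($config->get('HTML.FlashAllowFullScreen')) {
                    $attr['value'] = ($value === 'true') ? 'true' : 'false';
                } else {
                    $attr['value'] = 'false';
                }
                break;
            case 'wmode':
                // Pinned to a single value; the author's choice is discarded.
                $attr['value'] = 'window';
                break;
            case 'movie':
            case 'src':
                // Both spellings are normalized to "movie", and the value is
                // replaced by whatever the embedded-URI validator returns.
                // NOTE(review): the validator's failure result is stored
                // as-is; confirm how a rejected URI is rendered downstream.
                $attr['name'] = "movie";
                $attr['value'] = $this->uri->validate($value, $config, $context);
                break;
            case 'flashvars':
                // we're going to allow arbitrary inputs to the SWF, on
                // the reasoning that it could only hack the SWF, not us.
                // NOTE(review): that reasoning depends on allowScriptAccess
                // and allowNetworking staying forced above, and on the
                // injector actually emitting them; re-check it if either
                // ever becomes configurable.
                break;
            // add other cases to support other param name/value pairs
            default:
                // Default deny: unrecognized (or missing) names lose both
                // their name and their value.
                $attr['name'] = $attr['value'] = null;
        }

        return $attr;
    }
}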
63 // vim: et sw=4 sts=4