4 * Validates name/value pairs in param tags to be used in safe objects. This
5 * will only allow name values it recognizes, and pre-fill certain attributes
6 * with required values.
9 * This class only supports Flash. In the future, Quicktime support
13 * This class expects an injector to add the necessary parameters tags.
15 class HTMLPurifier_AttrTransform_SafeParam
extends HTMLPurifier_AttrTransform
17 public $name = "SafeParam";
20 public function __construct() {
21 $this->uri
= new HTMLPurifier_AttrDef_URI(true); // embedded
22 $this->wmode
= new HTMLPurifier_AttrDef_Enum(array('window', 'opaque', 'transparent'));
25 public function transform($attr, $config, $context) {
26 // If we add support for other objects, we'll need to alter the
28 switch ($attr['name']) {
29 // application/x-shockwave-flash
30 // Keep this synchronized with Injector/SafeObject.php
31 case 'allowScriptAccess':
32 $attr['value'] = 'never';
34 case 'allowNetworking':
35 $attr['value'] = 'internal';
37 case 'allowFullScreen':
38 if ($config->get('HTML.FlashAllowFullScreen')) {
39 $attr['value'] = ($attr['value'] == 'true') ?
'true' : 'false';
41 $attr['value'] = 'false';
45 $attr['value'] = $this->wmode
->validate($attr['value'], $config, $context);
49 $attr['name'] = "movie";
50 $attr['value'] = $this->uri
->validate($attr['value'], $config, $context);
53 // we're going to allow arbitrary inputs to the SWF, on
54 // the reasoning that it could only hack the SWF, not us.
56 // add other cases to support other param name/value pairs
58 $attr['name'] = $attr['value'] = null;