library/HTMLPurifier/HTMLModule/SafeObject.php

   1 <?php
   2
   3 /**
   4  * A "safe" object module. In theory, objects permitted by this module will
   5  * be safe, and untrusted users can be allowed to embed arbitrary flash objects
   6  * (maybe other types too, but only Flash is supported as of right now).
   7  * Highly experimental.
   8  */
   9 class HTMLPurifier_HTMLModule_SafeObject extends HTMLPurifier_HTMLModule
  10 {
  11
  12     public $name = 'SafeObject';
  13
  14     public function setup($config) {
  15
  16         // These definitions are not intrinsically safe: the attribute transforms
  17         // are a vital part of ensuring safety.
  18
  19         $max = $config->get('HTML.MaxImgLength');
  20         $object = $this->addElement(
  21             'object',
  22             'Inline',
  23             'Optional: param | Flow | #PCDATA',
  24             'Common',
  25             array(
  26                 // While technically not required by the spec, we're forcing
  27                 // it to this value.
  28                 'type'   => 'Enum#application/x-shockwave-flash',
  29                 'width'  => 'Pixels#' . $max,
  30                 'height' => 'Pixels#' . $max,
  31                 'data'   => 'URI#embedded',
  32                 'codebase' => new HTMLPurifier_AttrDef_Enum(array(
  33                     'http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0')),
  34             )
  35         );
  36         $object->attr_transform_post[] = new HTMLPurifier_AttrTransform_SafeObject();
  37
  38         $param = $this->addElement('param', false, 'Empty', false,
  39             array(
  40                 'id' => 'ID',
  41                 'name*' => 'Text',
  42                 'value' => 'Text'
  43             )
  44         );
  45         $param->attr_transform_post[] = new HTMLPurifier_AttrTransform_SafeParam();
  46         $this->info_injector[] = 'SafeObject';
  47
  48     }
  49
  50 }
  51
  52 // vim: et sw=4 sts=4