Support flashvars.
[htmlpurifier.git] / library / HTMLPurifier / AttrTransform / SafeParam.php
blob6451404ca4997e0300ce381e58ad1536d36a29e5
1 <?php
3 /**
4 * Validates name/value pairs in param tags to be used in safe objects. This
5 * will only allow name values it recognizes, and pre-fill certain attributes
6 * with required values.
8 * @note
9 * This class only supports Flash. In the future, Quicktime support
10 * may be added.
12 * @warning
13 * This class expects an injector to add the necessary parameters tags.
15 class HTMLPurifier_AttrTransform_SafeParam extends HTMLPurifier_AttrTransform
17 public $name = "SafeParam";
18 private $uri;
20 public function __construct() {
21 $this->uri = new HTMLPurifier_AttrDef_URI(true); // embedded
24 public function transform($attr, $config, $context) {
25 // If we add support for other objects, we'll need to alter the
26 // transforms.
27 switch ($attr['name']) {
28 // application/x-shockwave-flash
29 // Keep this synchronized with Injector/SafeObject.php
30 case 'allowScriptAccess':
31 $attr['value'] = 'never';
32 break;
33 case 'allowNetworking':
34 $attr['value'] = 'internal';
35 break;
36 case 'wmode':
37 $attr['value'] = 'window';
38 break;
39 case 'movie':
40 $attr['value'] = $this->uri->validate($attr['value'], $config, $context);
41 break;
42 case 'flashvars':
43 // we're going to allow arbitrary inputs to the SWF, on
44 // the reasoning that it could only hack the SWF, not us.
45 break;
46 // add other cases to support other param name/value pairs
47 default:
48 $attr['name'] = $attr['value'] = null;
50 return $attr;
54 // vim: et sw=4 sts=4