library/HTMLPurifier/HTMLModule/SafeScripting.php

   1 <?php
   2
   3 /**
   4  * A "safe" script module. No inline JS is allowed, and pointed to JS
   5  * files must match whitelist.
   6  */
   7 class HTMLPurifier_HTMLModule_SafeScripting extends HTMLPurifier_HTMLModule
   8 {
   9     /**
  10      * @type string
  11      */
  12     public $name = 'SafeScripting';
  13
  14     /**
  15      * @param HTMLPurifier_Config $config
  16      */
  17     public function setup($config)
  18     {
  19         // These definitions are not intrinsically safe: the attribute transforms
  20         // are a vital part of ensuring safety.
  21
  22         $allowed = $config->get('HTML.SafeScripting');
  23         $script = $this->addElement(
  24             'script',
  25             'Inline',
  26             'Empty',
  27             null,
  28             array(
  29                 // While technically not required by the spec, we're forcing
  30                 // it to this value.
  31                 'type' => 'Enum#text/javascript',
  32                 'src*' => new HTMLPurifier_AttrDef_Enum(array_keys($allowed))
  33             )
  34         );
  35         $script->attr_transform_pre[] =
  36         $script->attr_transform_post[] = new HTMLPurifier_AttrTransform_ScriptRequired();
  37     }
  38 }
  39
  40 // vim: et sw=4 sts=4