SafeObject.php 1.9 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263
  1. <?php
  2. /**
  3. * A "safe" object module. In theory, objects permitted by this module will
  4. * be safe, and untrusted users can be allowed to embed arbitrary flash objects
  5. * (maybe other types too, but only Flash is supported as of right now).
  6. * Highly experimental.
  7. */
  8. class HTMLPurifier_HTMLModule_SafeObject extends HTMLPurifier_HTMLModule
  9. {
  10. /**
  11. * @type string
  12. */
  13. public $name = 'SafeObject';
  14. /**
  15. * @param HTMLPurifier_Config $config
  16. */
  17. public function setup($config)
  18. {
  19. // These definitions are not intrinsically safe: the attribute transforms
  20. // are a vital part of ensuring safety.
  21. $max = $config->get('HTML.MaxImgLength');
  22. $object = $this->addElement(
  23. 'object',
  24. 'Inline',
  25. 'Optional: param | Flow | #PCDATA',
  26. 'Common',
  27. array(
  28. // While technically not required by the spec, we're forcing
  29. // it to this value.
  30. 'type' => 'Enum#application/x-shockwave-flash',
  31. 'width' => 'Pixels#' . $max,
  32. 'height' => 'Pixels#' . $max,
  33. 'data' => 'URI#embedded',
  34. 'codebase' => new HTMLPurifier_AttrDef_Enum(
  35. array(
  36. 'http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0'
  37. )
  38. ),
  39. )
  40. );
  41. $object->attr_transform_post[] = new HTMLPurifier_AttrTransform_SafeObject();
  42. $param = $this->addElement(
  43. 'param',
  44. false,
  45. 'Empty',
  46. false,
  47. array(
  48. 'id' => 'ID',
  49. 'name*' => 'Text',
  50. 'value' => 'Text'
  51. )
  52. );
  53. $param->attr_transform_post[] = new HTMLPurifier_AttrTransform_SafeParam();
  54. $this->info_injector[] = 'SafeObject';
  55. }
  56. }
  57. // vim: et sw=4 sts=4