[Summary view] [Print] [Text view]

   1  <?php
   2  
   3  /**
   4   * Validates name/value pairs in param tags to be used in safe objects. This
   5   * will only allow name values it recognizes, and pre-fill certain attributes
   6   * with required values.
   7   *
   8   * @note
   9   *      This class only supports Flash. In the future, Quicktime support
  10   *      may be added.
  11   *
  12   * @warning
  13   *      This class expects an injector to add the necessary parameters tags.
  14   */
  15  class HTMLPurifier_AttrTransform_SafeParam extends HTMLPurifier_AttrTransform
  16  {
  17      public $name = "SafeParam";
  18      private $uri;
  19  
  20      public function __construct() {
  21          $this->uri = new HTMLPurifier_AttrDef_URI(true); // embedded
  22      }
  23  
  24      public function transform($attr, $config, $context) {
  25          // If we add support for other objects, we'll need to alter the
  26          // transforms.
  27          switch ($attr['name']) {
  28              // application/x-shockwave-flash
  29              // Keep this synchronized with Injector/SafeObject.php
  30              case 'allowScriptAccess':
  31                  $attr['value'] = 'never';
  32                  break;
  33              case 'allowNetworking':
  34                  $attr['value'] = 'internal';
  35                  break;
  36              case 'wmode':
  37                  $attr['value'] = 'window';
  38                  break;
  39              case 'movie':
  40                  $attr['value'] = $this->uri->validate($attr['value'], $config, $context);
  41                  break;
  42              // add other cases to support other param name/value pairs
  43              default:
  44                  $attr['name'] = $attr['value'] = null;
  45          }
  46          return $attr;
  47      }
  48  }
  49  
  50  // vim: et sw=4 sts=4