PHP Cross Reference of vtigercrm-6.1.0 |
<?php

/**
 * "Safe" object module for HTML Purifier.
 *
 * Registers a restricted <object> element and its <param> child so that, in
 * theory, untrusted users can embed Flash objects. Only Flash is supported
 * (the type attribute is pinned to application/x-shockwave-flash).
 *
 * Security note: the element definitions registered here are NOT safe on
 * their own. Safety depends on the post attribute transforms
 * (HTMLPurifier_AttrTransform_SafeObject / HTMLPurifier_AttrTransform_SafeParam)
 * and on the 'SafeObject' injector, all of which are defined outside this
 * file. Anyone reusing these definitions must keep those three pieces
 * attached. The module is marked highly experimental by its author.
 */
class HTMLPurifier_HTMLModule_SafeObject extends HTMLPurifier_HTMLModule
{

    public $name = 'SafeObject';

    /**
     * Registers the <object> and <param> elements plus their safety hooks.
     *
     * @param mixed $config Configuration object; only its
     *                      get('HTML', 'MaxImgLength') value is read here.
     */
    public function setup($config) {

        // Width and height share one Pixels definition parameterised by the
        // HTML.MaxImgLength setting (presumably an upper bound -- confirm
        // against the Pixels attribute definition).
        $maxLength  = $config->get('HTML', 'MaxImgLength');
        $pixelLimit = 'Pixels#' . $maxLength;

        $objectAttrs = array(
            // Not required by the spec, but forced to this single value so
            // that only Flash content can be declared.
            'type'   => 'Enum#application/x-shockwave-flash',
            'width'  => $pixelLimit,
            'height' => $pixelLimit,
            'data'   => 'URI#embedded'
        );

        $paramAttrs = array(
            'id'    => 'ID',
            'name*' => 'Text',
            'value' => 'Text'
        );

        // <object>: inline element that may hold param, Flow content or text.
        $objectDef = $this->addElement(
            'object',
            'Inline',
            'Optional: param | Flow | #PCDATA',
            'Common',
            $objectAttrs
        );
        // Vital for safety: runs after attribute validation.
        $objectDef->attr_transform_post[] = new HTMLPurifier_AttrTransform_SafeObject();

        // <param>: empty element with no content set and no attribute collection.
        $paramDef = $this->addElement('param', false, 'Empty', false, $paramAttrs);
        // Vital for safety: name/value are plain Text here, so this transform
        // is the only per-param control registered by this module.
        $paramDef->attr_transform_post[] = new HTMLPurifier_AttrTransform_SafeParam();

        // Request the injector that accompanies these definitions.
        $this->info_injector[] = 'SafeObject';

    }

}

// vim: et sw=4 sts=4