/libraries/htmlpurifier/library/HTMLPurifier/Injector/ -> SafeObject.php (source)

   1  <?php
   2  
   3  /**
   4   * Adds important param elements to inside of object in order to make
   5   * things safe.
   6   */
   7  class HTMLPurifier_Injector_SafeObject extends HTMLPurifier_Injector
   8  {
   9      public $name = 'SafeObject';
  10      public $needed = array('object', 'param');
  11  
  12      protected $objectStack = array();
  13      protected $paramStack  = array();
  14  
  15      // Keep this synchronized with AttrTransform/SafeParam.php
  16      protected $addParam = array(
  17          'allowScriptAccess' => 'never',
  18          'allowNetworking' => 'internal',
  19      );
  20      protected $allowedParam = array(
  21          'wmode' => true,
  22          'movie' => true,
  23      );
  24  
  25      public function prepare($config, $context) {
  26          parent::prepare($config, $context);
  27      }
  28  
  29      public function handleElement(&$token) {
  30          if ($token->name == 'object') {
  31              $this->objectStack[] = $token;
  32              $this->paramStack[] = array();
  33              $new = array($token);
  34              foreach ($this->addParam as $name => $value) {
  35                  $new[] = new HTMLPurifier_Token_Empty('param', array('name' => $name, 'value' => $value));
  36              }
  37              $token = $new;
  38          } elseif ($token->name == 'param') {
  39              $nest = count($this->currentNesting) - 1;
  40              if ($nest >= 0 && $this->currentNesting[$nest]->name === 'object') {
  41                  $i = count($this->objectStack) - 1;
  42                  if (!isset($token->attr['name'])) {
  43                      $token = false;
  44                      return;
  45                  }
  46                  $n = $token->attr['name'];
  47                  // We need this fix because YouTube doesn't supply a data
  48                  // attribute, which we need if a type is specified. This is
  49                  // *very* Flash specific.
  50                  if (!isset($this->objectStack[$i]->attr['data']) && $token->attr['name'] == 'movie') {
  51                      $this->objectStack[$i]->attr['data'] = $token->attr['value'];
  52                  }
  53                  // Check if the parameter is the correct value but has not
  54                  // already been added
  55                  if (
  56                      !isset($this->paramStack[$i][$n]) &&
  57                      isset($this->addParam[$n]) &&
  58                      $token->attr['name'] === $this->addParam[$n]
  59                  ) {
  60                      // keep token, and add to param stack
  61                      $this->paramStack[$i][$n] = true;
  62                  } elseif (isset($this->allowedParam[$n])) {
  63                      // keep token, don't do anything to it
  64                      // (could possibly check for duplicates here)
  65                  } else {
  66                      $token = false;
  67                  }
  68              } else {
  69                  // not directly inside an object, DENY!
  70                  $token = false;
  71              }
  72          }
  73      }
  74  
  75      public function handleEnd(&$token) {
  76          // This is the WRONG way of handling the object and param stacks;
  77          // we should be inserting them directly on the relevant object tokens
  78          // so that the global stack handling handles it.
  79          if ($token->name == 'object') {
  80              array_pop($this->objectStack);
  81              array_pop($this->paramStack);
  82          }
  83      }
  84  
  85  }
  86  
  87  // vim: et sw=4 sts=4

