search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Whoops, forgot to edit WHATSNEW
[htmlpurifier/darkodev.git] / library / HTMLPurifier / HTMLModule / SafeObject.php
blob1297f80a39c5183b69769c9565500d434ceb4be3
1 <?php
2
3 /**
4 * A "safe" object module. In theory, objects permitted by this module will
5 * be safe, and untrusted users can be allowed to embed arbitrary flash objects
6 * (maybe other types too, but only Flash is supported as of right now).
7 * Highly experimental.
8 */
9 class HTMLPurifier_HTMLModule_SafeObject extends HTMLPurifier_HTMLModule
10 {
11 /**
12 * @type string
13 */
14 public $name = 'SafeObject';
15
16 /**
17 * @param HTMLPurifier_Config $config
18 */
19 public function setup($config)
20 {
21 // These definitions are not intrinsically safe: the attribute transforms
22 // are a vital part of ensuring safety.
23
24 $max = $config->get('HTML.MaxImgLength');
25 $object = $this->addElement(
26 'object',
27 'Inline',
28 'Optional: param | Flow | #PCDATA',
29 'Common',
30 array(
31 // While technically not required by the spec, we're forcing
32 // it to this value.
33 'type' => 'Enum#application/x-shockwave-flash',
34 'width' => 'Pixels#' . $max,
35 'height' => 'Pixels#' . $max,
36 'data' => 'URI#embedded',
37 'codebase' => new HTMLPurifier_AttrDef_Enum(
38 array(
39 'http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0'
40 )
41 ),
42 )
43 );
44 $object->attr_transform_post[] = new HTMLPurifier_AttrTransform_SafeObject();
45
46 $param = $this->addElement(
47 'param',
48 false,
49 'Empty',
50 false,
51 array(
52 'id' => 'ID',
53 'name*' => 'Text',
54 'value' => 'Text'
55 )
56 );
57 $param->attr_transform_post[] = new HTMLPurifier_AttrTransform_SafeParam();
58 $this->info_injector[] = 'SafeObject';
59 }
60 }
61
62 // vim: et sw=4 sts=4
Fixing PHP 7 reserved words in constant names