mirror of
https://github.com/ezyang/htmlpurifier.git
synced 2025-07-10 01:06:20 +02:00
[3.1.1] Implement SafeObject.
git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@1780 48356398-32a2-884e-a903-53898d9a118a
This commit is contained in:
48
library/HTMLPurifier/HTMLModule/SafeObject.php
Normal file
48
library/HTMLPurifier/HTMLModule/SafeObject.php
Normal file
@ -0,0 +1,48 @@
|
||||
<?php
|
||||
|
||||
/**
|
||||
* A "safe" object module. In theory, objects permitted by this module will
|
||||
* be safe, and untrusted users can be allowed to embed arbitrary flash objects
|
||||
* (maybe other types too, but only Flash is supported as of right now).
|
||||
* Highly experimental.
|
||||
*/
|
||||
class HTMLPurifier_HTMLModule_SafeObject extends HTMLPurifier_HTMLModule
|
||||
{
|
||||
|
||||
public $name = 'SafeObject';
|
||||
|
||||
public function setup($config) {
|
||||
|
||||
// These definitions are not intrinsically safe: the attribute transforms
|
||||
// are a vital part of ensuring safety.
|
||||
|
||||
$max = $config->get('HTML', 'MaxImgLength');
|
||||
$object = $this->addElement(
|
||||
'object',
|
||||
'Inline',
|
||||
'Optional: param | Flow | #PCDATA',
|
||||
'Common',
|
||||
array(
|
||||
// While technically not required by the spec, we're forcing
|
||||
// it to this value.
|
||||
'type' => 'Enum#application/x-shockwave-flash',
|
||||
'width' => 'Pixels#' . $max,
|
||||
'height' => 'Pixels#' . $max,
|
||||
'data' => 'Text'
|
||||
)
|
||||
);
|
||||
$object->attr_transform_post[] = new HTMLPurifier_AttrTransform_SafeObject();
|
||||
|
||||
$param = $this->addElement('param', false, 'Empty', false,
|
||||
array(
|
||||
'id' => 'ID',
|
||||
'name*' => 'Text',
|
||||
'value' => 'Text'
|
||||
)
|
||||
);
|
||||
$param->attr_transform_post[] = new HTMLPurifier_AttrTransform_SafeParam();
|
||||
$this->info_injector[] = 'SafeObject';
|
||||
|
||||
}
|
||||
|
||||
}
|
Reference in New Issue
Block a user