mirror of
https://github.com/ezyang/htmlpurifier.git
synced 2025-07-10 09:16:20 +02:00
Support for safe external scripts via explicit whitelist.
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
This commit is contained in:
37
library/HTMLPurifier/HTMLModule/SafeScripting.php
Normal file
37
library/HTMLPurifier/HTMLModule/SafeScripting.php
Normal file
@ -0,0 +1,37 @@
|
||||
<?php
|
||||
|
||||
/**
|
||||
* A "safe" script module. No inline JS is allowed, and pointed to JS
|
||||
* files must match whitelist.
|
||||
*/
|
||||
class HTMLPurifier_HTMLModule_SafeScripting extends HTMLPurifier_HTMLModule
|
||||
{
|
||||
|
||||
public $name = 'SafeScripting';
|
||||
|
||||
public function setup($config) {
|
||||
|
||||
// These definitions are not intrinsically safe: the attribute transforms
|
||||
// are a vital part of ensuring safety.
|
||||
|
||||
$allowed = $config->get('HTML.SafeScripting');
|
||||
$script = $this->addElement(
|
||||
'script',
|
||||
'Inline',
|
||||
'Empty',
|
||||
null,
|
||||
array(
|
||||
// While technically not required by the spec, we're forcing
|
||||
// it to this value.
|
||||
'type' => 'Enum#text/javascript',
|
||||
'src*' => new HTMLPurifier_AttrDef_Enum(array_keys($allowed))
|
||||
)
|
||||
);
|
||||
$script->attr_transform_pre[] =
|
||||
$script->attr_transform_post[] = new HTMLPurifier_AttrTransform_ScriptRequired();
|
||||
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
// vim: et sw=4 sts=4
|
Reference in New Issue
Block a user