mirror of
				https://github.com/ezyang/htmlpurifier.git
				synced 2025-10-22 09:06:23 +02:00 
			
		
		
		
	git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@1781 48356398-32a2-884e-a903-53898d9a118a
		
			
				
	
	
		
			49 lines
		
	
	
		
			1.5 KiB
		
	
	
	
		
			PHP
		
	
	
	
	
	
			
		
		
	
	
			49 lines
		
	
	
		
			1.5 KiB
		
	
	
	
		
			PHP
		
	
	
	
	
	
| <?php
 | |
| 
 | |
| /**
 | |
|  * A "safe" object module. In theory, objects permitted by this module will
 | |
|  * be safe, and untrusted users can be allowed to embed arbitrary flash objects
 | |
|  * (maybe other types too, but only Flash is supported as of right now).
 | |
|  * Highly experimental.
 | |
|  */
 | |
| class HTMLPurifier_HTMLModule_SafeObject extends HTMLPurifier_HTMLModule
 | |
| {
 | |
|     
 | |
|     public $name = 'SafeObject';
 | |
|     
 | |
|     public function setup($config) {
 | |
|         
 | |
|         // These definitions are not intrinsically safe: the attribute transforms
 | |
|         // are a vital part of ensuring safety.
 | |
|         
 | |
|         $max = $config->get('HTML', 'MaxImgLength');
 | |
|         $object = $this->addElement(
 | |
|             'object',
 | |
|             'Inline',
 | |
|             'Optional: param | Flow | #PCDATA',
 | |
|             'Common',
 | |
|             array(
 | |
|                 // While technically not required by the spec, we're forcing
 | |
|                 // it to this value.
 | |
|                 'type'   => 'Enum#application/x-shockwave-flash',
 | |
|                 'width'  => 'Pixels#' . $max,
 | |
|                 'height' => 'Pixels#' . $max,
 | |
|                 'data'   => 'URI#embedded'
 | |
|             )
 | |
|         );
 | |
|         $object->attr_transform_post[] = new HTMLPurifier_AttrTransform_SafeObject();
 | |
| 
 | |
|         $param = $this->addElement('param', false, 'Empty', false,
 | |
|             array(
 | |
|                 'id' => 'ID',
 | |
|                 'name*' => 'Text', 
 | |
|                 'value' => 'Text'
 | |
|             )
 | |
|         );
 | |
|         $param->attr_transform_post[] = new HTMLPurifier_AttrTransform_SafeParam();
 | |
|         $this->info_injector[] = 'SafeObject';
 | |
|     
 | |
|     }
 | |
|     
 | |
| }
 |