Home Explore Help
Register Sign In
aj
/
chamilo-lms2
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: 0e3191628e
Branches Tags
chamilo-lms2
/
main
/
inc
/
lib
/
htmlpurifier
/
library
/
HTMLPurifier
/
AttrTransform
/
SafeParam.php

SafeParam.php 2.4 KB
History Raw

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667 
  1. <?php
    2. 

  2. 

  3. /**
    4. 

  4.  * Validates name/value pairs in param tags to be used in safe objects. This
    5. 

  5.  * will only allow name values it recognizes, and pre-fill certain attributes
    6. 

  6.  * with required values.
    7. 

  7.  *
    8. 

  8.  * @note
    9. 

  9.  *      This class only supports Flash. In the future, Quicktime support
    10. 

  10.  *      may be added.
    11. 

  11.  *
    12. 

  12.  * @warning
    13. 

  13.  *      This class expects an injector to add the necessary parameters tags.
    14. 

  14.  */
    15. 

  15. class HTMLPurifier_AttrTransform_SafeParam extends HTMLPurifier_AttrTransform
    16. 

  16. {
    17. 

  17.     public $name = "SafeParam";
    18. 

  18.     private $uri;
    19. 

  19. 

  20.     public function __construct() {
    21. 

  21.         $this->uri = new HTMLPurifier_AttrDef_URI(true); // embedded
    22. 

  22.         $this->wmode = new HTMLPurifier_AttrDef_Enum(array('window', 'opaque', 'transparent'));
    23. 

  23.     }
    24. 

  24. 

  25.     public function transform($attr, $config, $context) {
    26. 

  26.         // If we add support for other objects, we'll need to alter the
    27. 

  27.         // transforms.
    28. 

  28.         switch ($attr['name']) {
    29. 

  29.             // application/x-shockwave-flash
    30. 

  30.             // Keep this synchronized with Injector/SafeObject.php
    31. 

  31.             case 'allowScriptAccess':
    32. 

  32.             case 'allowscriptaccess':
    33. 

  33.                 $attr['value'] = 'never';
    34. 

  34.                 break;
    35. 

  35.             case 'allowNetworking':
    36. 

  36.             case 'allownetworking':
    37. 

  37.                 $attr['value'] = 'internal';
    38. 

  38.                 break;
    39. 

  39.             case 'allowFullScreen':
    40. 

  40.             case 'allowfullscreen':
    41. 

  41.                 if ($config->get('HTML.FlashAllowFullScreen')) {
    42. 

  42.                     $attr['value'] = ($attr['value'] == 'true') ? 'true' : 'false';
    43. 

  43.                 } else {
    44. 

  44.                     $attr['value'] = 'false';
    45. 

  45.                 }
    46. 

  46.                 break;
    47. 

  47.             case 'wmode':
    48. 

  48.                 $attr['value'] = $this->wmode->validate($attr['value'], $config, $context);
    49. 

  49.                 break;
    50. 

  50.             case 'movie':
    51. 

  51.             case 'src':
    52. 

  52.                 $attr['name'] = "movie";
    53. 

  53.                 $attr['value'] = $this->uri->validate($attr['value'], $config, $context);
    54. 

  54.                 break;
    55. 

  55.             case 'flashvars':
    56. 

  56.                 // we're going to allow arbitrary inputs to the SWF, on
    57. 

  57.                 // the reasoning that it could only hack the SWF, not us.
    58. 

  58.                 break;
    59. 

  59.             // add other cases to support other param name/value pairs
    60. 

  60.             default:
    61. 

  61.                 $attr['name'] = $attr['value'] = null;
    62. 

  62.         }
    63. 

  63.         return $attr;
    64. 

  64.     }
    65. 

  65. }
    66. 

  66. 

  67. // vim: et sw=4 sts=4
    68.