Etusivu Tutki Apua
Rekisteröidy Kirjaudu sisään
aj
/
chamilo-lms2
1
0
Fork 0
Tiedostot Ongelmat 0 Pull-pyynnöt 0 Wiki
Puu: e7c246f349
Haarat Tagit
chamilo-lms2
/
vendor
/
ezyang
/
htmlpurifier
/
library
/
HTMLPurifier
/
AttrTransform
/
SafeParam.php

SafeParam.php 2.2 KB
Historia Raaka

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364 
  1. <?php
    2. 

  2. 

  3. /**
    4. 

  4.  * Validates name/value pairs in param tags to be used in safe objects. This
    5. 

  5.  * will only allow name values it recognizes, and pre-fill certain attributes
    6. 

  6.  * with required values.
    7. 

  7.  *
    8. 

  8.  * @note
    9. 

  9.  *      This class only supports Flash. In the future, Quicktime support
    10. 

  10.  *      may be added.
    11. 

  11.  *
    12. 

  12.  * @warning
    13. 

  13.  *      This class expects an injector to add the necessary parameters tags.
    14. 

  14.  */
    15. 

  15. class HTMLPurifier_AttrTransform_SafeParam extends HTMLPurifier_AttrTransform
    16. 

  16. {
    17. 

  17.     public $name = "SafeParam";
    18. 

  18.     private $uri;
    19. 

  19. 

  20.     public function __construct() {
    21. 

  21.         $this->uri = new HTMLPurifier_AttrDef_URI(true); // embedded
    22. 

  22.         $this->wmode = new HTMLPurifier_AttrDef_Enum(array('window', 'opaque', 'transparent'));
    23. 

  23.     }
    24. 

  24. 

  25.     public function transform($attr, $config, $context) {
    26. 

  26.         // If we add support for other objects, we'll need to alter the
    27. 

  27.         // transforms.
    28. 

  28.         switch ($attr['name']) {
    29. 

  29.             // application/x-shockwave-flash
    30. 

  30.             // Keep this synchronized with Injector/SafeObject.php
    31. 

  31.             case 'allowScriptAccess':
    32. 

  32.                 $attr['value'] = 'never';
    33. 

  33.                 break;
    34. 

  34.             case 'allowNetworking':
    35. 

  35.                 $attr['value'] = 'internal';
    36. 

  36.                 break;
    37. 

  37.             case 'allowFullScreen':
    38. 

  38.                 if ($config->get('HTML.FlashAllowFullScreen')) {
    39. 

  39.                     $attr['value'] = ($attr['value'] == 'true') ? 'true' : 'false';
    40. 

  40.                 } else {
    41. 

  41.                     $attr['value'] = 'false';
    42. 

  42.                 }
    43. 

  43.                 break;
    44. 

  44.             case 'wmode':
    45. 

  45.                 $attr['value'] = $this->wmode->validate($attr['value'], $config, $context);
    46. 

  46.                 break;
    47. 

  47.             case 'movie':
    48. 

  48.             case 'src':
    49. 

  49.                 $attr['name'] = "movie";
    50. 

  50.                 $attr['value'] = $this->uri->validate($attr['value'], $config, $context);
    51. 

  51.                 break;
    52. 

  52.             case 'flashvars':
    53. 

  53.                 // we're going to allow arbitrary inputs to the SWF, on
    54. 

  54.                 // the reasoning that it could only hack the SWF, not us.
    55. 

  55.                 break;
    56. 

  56.             // add other cases to support other param name/value pairs
    57. 

  57.             default:
    58. 

  58.                 $attr['name'] = $attr['value'] = null;
    59. 

  59.         }
    60. 

  60.         return $attr;
    61. 

  61.     }
    62. 

  62. }
    63. 

  63. 

  64. // vim: et sw=4 sts=4
    65.