ホーム エクスプローラ ヘルプ
サインイン
shangshang
/
jili2
1
0
フォーク 0
ファイル 課題 0 プルリクエスト 0 Wiki
ツリー: 8e72a69b26
ブランチ タグ
jili2
/
vendor
/
ezyang
/
htmlpurifier
/
library
/
HTMLPurifier
/
AttrTransform
/
SafeParam.php

SafeParam.php 2.6 KB
履歴 Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384 
  1. <?php
    2. 

  2. 

  3. /**
    4. 

  4.  * Validates name/value pairs in param tags to be used in safe objects. This
    5. 

  5.  * will only allow name values it recognizes, and pre-fill certain attributes
    6. 

  6.  * with required values.
    7. 

  7.  *
    8. 

  8.  * @note
    9. 

  9.  *      This class only supports Flash. In the future, Quicktime support
    10. 

  10.  *      may be added.
    11. 

  11.  *
    12. 

  12.  * @warning
    13. 

  13.  *      This class expects an injector to add the necessary parameters tags.
    14. 

  14.  */
    15. 

  15. class HTMLPurifier_AttrTransform_SafeParam extends HTMLPurifier_AttrTransform
    16. 

  16. {
    17. 

  17.     /**
    18. 

  18.      * @type string
    19. 

  19.      */
    20. 

  20.     public $name = "SafeParam";
    21. 

  21. 

  22.     /**
    23. 

  23.      * @type HTMLPurifier_AttrDef_URI
    24. 

  24.      */
    25. 

  25.     private $uri;
    26. 

  26. 

  27.     /**
    28. 

  28.      * @type HTMLPurifier_AttrDef_Enum
    29. 

  29.      */
    30. 

  30.     public $wmode;
    31. 

  31. 

  32.     public function __construct()
    33. 

  33.     {
    34. 

  34.         $this->uri = new HTMLPurifier_AttrDef_URI(true); // embedded
    35. 

  35.         $this->wmode = new HTMLPurifier_AttrDef_Enum(array('window', 'opaque', 'transparent'));
    36. 

  36.     }
    37. 

  37. 

  38.     /**
    39. 

  39.      * @param array $attr
    40. 

  40.      * @param HTMLPurifier_Config $config
    41. 

  41.      * @param HTMLPurifier_Context $context
    42. 

  42.      * @return array
    43. 

  43.      */
    44. 

  44.     public function transform($attr, $config, $context)
    45. 

  45.     {
    46. 

  46.         // If we add support for other objects, we'll need to alter the
    47. 

  47.         // transforms.
    48. 

  48.         switch ($attr['name']) {
    49. 

  49.             // application/x-shockwave-flash
    50. 

  50.             // Keep this synchronized with Injector/SafeObject.php
    51. 

  51.             case 'allowScriptAccess':
    52. 

  52.                 $attr['value'] = 'never';
    53. 

  53.                 break;
    54. 

  54.             case 'allowNetworking':
    55. 

  55.                 $attr['value'] = 'internal';
    56. 

  56.                 break;
    57. 

  57.             case 'allowFullScreen':
    58. 

  58.                 if ($config->get('HTML.FlashAllowFullScreen')) {
    59. 

  59.                     $attr['value'] = ($attr['value'] == 'true') ? 'true' : 'false';
    60. 

  60.                 } else {
    61. 

  61.                     $attr['value'] = 'false';
    62. 

  62.                 }
    63. 

  63.                 break;
    64. 

  64.             case 'wmode':
    65. 

  65.                 $attr['value'] = $this->wmode->validate($attr['value'], $config, $context);
    66. 

  66.                 break;
    67. 

  67.             case 'movie':
    68. 

  68.             case 'src':
    69. 

  69.                 $attr['name'] = "movie";
    70. 

  70.                 $attr['value'] = $this->uri->validate($attr['value'], $config, $context);
    71. 

  71.                 break;
    72. 

  72.             case 'flashvars':
    73. 

  73.                 // we're going to allow arbitrary inputs to the SWF, on
    74. 

  74.                 // the reasoning that it could only hack the SWF, not us.
    75. 

  75.                 break;
    76. 

  76.             // add other cases to support other param name/value pairs
    77. 

  77.             default:
    78. 

  78.                 $attr['name'] = $attr['value'] = null;
    79. 

  79.         }
    80. 

  80.         return $attr;
    81. 

  81.     }
    82. 

  82. }
    83. 

  83. 

  84. // vim: et sw=4 sts=4
    85.