XOOPS 2.5.6  Final
 All Classes Namespaces Files Functions Variables Pages
SafeParam.php
Go to the documentation of this file.
1 <?php
2 
16 {
17  public $name = "SafeParam";
18  private $uri;
19 
20  public function __construct() {
21  $this->uri = new HTMLPurifier_AttrDef_URI(true); // embedded
22  $this->wmode = new HTMLPurifier_AttrDef_Enum(array('window', 'opaque', 'transparent'));
23  }
24 
25  public function transform($attr, $config, $context) {
26  // If we add support for other objects, we'll need to alter the
27  // transforms.
28  switch ($attr['name']) {
29  // application/x-shockwave-flash
30  // Keep this synchronized with Injector/SafeObject.php
31  case 'allowScriptAccess':
32  $attr['value'] = 'never';
33  break;
34  case 'allowNetworking':
35  $attr['value'] = 'internal';
36  break;
37  case 'allowFullScreen':
38  if ($config->get('HTML.FlashAllowFullScreen')) {
39  $attr['value'] = ($attr['value'] == 'true') ? 'true' : 'false';
40  } else {
41  $attr['value'] = 'false';
42  }
43  break;
44  case 'wmode':
45  $attr['value'] = $this->wmode->validate($attr['value'], $config, $context);
46  break;
47  case 'movie':
48  case 'src':
49  $attr['name'] = "movie";
50  $attr['value'] = $this->uri->validate($attr['value'], $config, $context);
51  break;
52  case 'flashvars':
53  // we're going to allow arbitrary inputs to the SWF, on
54  // the reasoning that it could only hack the SWF, not us.
55  break;
56  // add other cases to support other param name/value pairs
57  default:
58  $attr['name'] = $attr['value'] = null;
59  }
60  return $attr;
61  }
62 }
63 
64 // vim: et sw=4 sts=4