Namespaces

Classes

Interfaces

Exceptions

Functions

1: <?php
2:
3: /**
4: * A "safe" object module. In theory, objects permitted by this module will
5: * be safe, and untrusted users can be allowed to embed arbitrary flash objects
6: * (maybe other types too, but only Flash is supported as of right now).
7: * Highly experimental.
8: */
9: class HTMLPurifier_HTMLModule_SafeObject extends HTMLPurifier_HTMLModule
10: {
11: /**
12: * @type string
13: */
14: public $name = 'SafeObject';
15:
16: /**
17: * @param HTMLPurifier_Config $config
18: */
19: public function setup($config)
20: {
21: // These definitions are not intrinsically safe: the attribute transforms
22: // are a vital part of ensuring safety.
23:
24: $max = $config->get('HTML.MaxImgLength');
25: $object = $this->addElement(
26: 'object',
27: 'Inline',
28: 'Optional: param | Flow | #PCDATA',
29: 'Common',
30: array(
31: // While technically not required by the spec, we're forcing
32: // it to this value.
33: 'type' => 'Enum#application/x-shockwave-flash',
34: 'width' => 'Pixels#' . $max,
35: 'height' => 'Pixels#' . $max,
36: 'data' => 'URI#embedded',
37: 'codebase' => new HTMLPurifier_AttrDef_Enum(
38: array(
39: 'http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0'
40: )
41: ),
42: )
43: );
44: $object->attr_transform_post[] = new HTMLPurifier_AttrTransform_SafeObject();
45:
46: $param = $this->addElement(
47: 'param',
48: false,
49: 'Empty',
50: false,
51: array(
52: 'id' => 'ID',
53: 'name*' => 'Text',
54: 'value' => 'Text'
55: )
56: );
57: $param->attr_transform_post[] = new HTMLPurifier_AttrTransform_SafeParam();
58: $this->info_injector[] = 'SafeObject';
59: }
60: }
61:
62: // vim: et sw=4 sts=4
63:
API documentation generated by ApiGen v7.0.0-alpha.6