1: <?php
2:
3: /**
* A "safe" script module. No inline JS is allowed, and the JS files the
* script points to must match the whitelist.
6: */
class HTMLPurifier_HTMLModule_SafeScripting extends HTMLPurifier_HTMLModule
{
    /**
     * @type string
     */
    public $name = 'SafeScripting';

    /**
     * Registers a restricted <script> element: its src must be one of the
     * URIs listed in %HTML.SafeScripting (exact, case-sensitive match) and
     * its type is pinned to text/javascript.
     *
     * @param HTMLPurifier_Config $config
     */
    public function setup($config)
    {
        // These definitions are not intrinsically safe: the attribute transforms
        // are a vital part of ensuring safety.

        // The directive is a lookup array; only its keys are the permitted
        // src values.
        $whitelist = array_keys($config->get('HTML.SafeScripting'));

        // Case-sensitive enum: a differently-cased or otherwise altered URI
        // is rejected rather than normalised to a whitelisted one.
        $srcDef = new HTMLPurifier_AttrDef_Enum($whitelist, /*case sensitive*/ true);

        $attrs = [
            // While technically not required by the spec, we're forcing
            // it to this value.
            'type' => 'Enum#text/javascript',
            // The trailing "*" is the module convention for a required
            // attribute; a <script> with no src is expected to be rejected
            // downstream rather than passed through — confirm against the
            // required_attr handling.
            'src*' => $srcDef,
        ];

        // Content model is 'Optional:' rather than 'Empty' so the element
        // is never auto-closed as <script />.
        // @see https://www.w3.org/TR/html4/interact/scripts.html
        $script = $this->addElement('script', 'Inline', 'Optional:', null, $attrs);

        // One transform instance, registered for both the pre and the post
        // attribute-transform phases.
        $required = new HTMLPurifier_AttrTransform_ScriptRequired();
        $script->attr_transform_pre[] = $required;
        $script->attr_transform_post[] = $required;
    }
}
39:
40: // vim: et sw=4 sts=4
41: