1: | <?php |
2: | |
3: | /** |
4: | * Implements safety checks for safe iframes. |
5: | * |
6: | * @warning This filter is *critical* for ensuring that %HTML.SafeIframe |
7: | * works safely. |
8: | */ |
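class HTMLPurifier_URIFilter_SafeIframe extends HTMLPurifier_URIFilter
{
    /**
     * @type string
     */
    public $name = 'SafeIframe';

    /**
     * Always registered, so the whitelist check cannot be skipped by a
     * filter set that was built before %HTML.SafeIframe was switched on.
     * @type bool
     */
    public $always_load = true;

    /**
     * PCRE pattern taken from %URI.SafeIframeRegexp in prepare(). Null (or
     * empty) means "no whitelist configured", in which case every iframe
     * URI is rejected.
     * @type string|null
     */
    protected $regexp = null;

    // XXX: The not so good bit about how this is all set up now is we
    // can't check HTML.SafeIframe in the 'prepare' step: we have to
    // defer till the actual filtering.
    /**
     * Loads the whitelist pattern from configuration.
     *
     * @param HTMLPurifier_Config $config
     * @return bool always true; the filter is kept even with no pattern so
     *              that filter() can fail closed later
     */
    public function prepare($config)
    {
        $this->regexp = $config->get('URI.SafeIframeRegexp');
        return true;
    }

    /**
     * Accepts an iframe URI only if it matches the configured whitelist.
     *
     * Non-iframe URIs, URIs that are not embedded content, and all URIs
     * when %HTML.SafeIframe is off pass through untouched.
     *
     * @param HTMLPurifier_URI $uri
     * @param HTMLPurifier_Config $config
     * @param HTMLPurifier_Context $context
     * @return bool true to keep the URI, false to reject it
     */
    public function filter(&$uri, $config, $context)
    {
        // Filter is a no-op unless %HTML.SafeIframe is enabled.
        if (!$config->get('HTML.SafeIframe')) {
            return true;
        }
        // Only URIs that load embedded content are subject to the check...
        if (!$context->get('EmbeddedURI', true)) {
            return true;
        }
        // ...and only when that content is an <iframe>. Strict comparison so
        // an unexpected non-string token name can never loosely equal 'iframe'.
        $token = $context->get('CurrentToken', true);
        if (!($token && $token->name === 'iframe')) {
            return true;
        }
        // No whitelist configured: fail closed and reject every iframe URI
        // (an empty pattern would only make preg_match warn and return false,
        // so treat it the same as "unset").
        if ($this->regexp === null || $this->regexp === '') {
            return false;
        }
        // Match the serialised URI against the whitelist. Only an explicit
        // match (1) accepts; 0 (no match) and false (PCRE error, e.g. a
        // malformed pattern) both reject, so a broken whitelist fails closed
        // and the method returns a real bool as documented.
        // NOTE: the pattern is applied to the whole URI string, so it must be
        // anchored (e.g. '%^https://www\.example\.com/embed/%'); an unanchored
        // pattern would accept any URI that merely contains the allowed prefix
        // somewhere in its path or query.
        return preg_match($this->regexp, $uri->toString()) === 1;
    }
}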
67: | |
68: | // vim: et sw=4 sts=4 |
69: |