53 lines
		
	
	
	
		
			1.8 KiB
		
	
	
	
		
			PHP
		
	
	
		
			Executable file
		
	
	
	
	
			
		
		
	
	
			53 lines
		
	
	
	
		
			1.8 KiB
		
	
	
	
		
			PHP
		
	
	
		
			Executable file
		
	
	
	
	
| <?php
 | |
| 
 | |
| /**
 | |
|  * A "safe" object module. In theory, objects permitted by this module will
 | |
|  * be safe, and untrusted users can be allowed to embed arbitrary flash objects
 | |
|  * (maybe other types too, but only Flash is supported as of right now).
 | |
|  * Highly experimental.
 | |
|  */
 | |
| class HTMLPurifier_HTMLModule_SafeObject extends HTMLPurifier_HTMLModule
 | |
| {
 | |
| 
 | |
|     public $name = 'SafeObject';
 | |
| 
 | |
|     public function setup($config) {
 | |
| 
 | |
|         // These definitions are not intrinsically safe: the attribute transforms
 | |
|         // are a vital part of ensuring safety.
 | |
| 
 | |
|         $max = $config->get('HTML.MaxImgLength');
 | |
|         $object = $this->addElement(
 | |
|             'object',
 | |
|             'Inline',
 | |
|             'Optional: param | Flow | #PCDATA',
 | |
|             'Common',
 | |
|             array(
 | |
|                 // While technically not required by the spec, we're forcing
 | |
|                 // it to this value.
 | |
|                 'type'   => 'Enum#application/x-shockwave-flash',
 | |
|                 'width'  => 'Pixels#' . $max,
 | |
|                 'height' => 'Pixels#' . $max,
 | |
|                 'data'   => 'URI#embedded',
 | |
|                 'classid' => 'Enum#clsid:d27cdb6e-ae6d-11cf-96b8-444553540000',
 | |
|                 'codebase' => new HTMLPurifier_AttrDef_Enum(array(
 | |
|                     'http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0')),
 | |
|             )
 | |
|         );
 | |
|         $object->attr_transform_post[] = new HTMLPurifier_AttrTransform_SafeObject();
 | |
| 
 | |
|         $param = $this->addElement('param', false, 'Empty', false,
 | |
|             array(
 | |
|                 'id' => 'ID',
 | |
|                 'name*' => 'Text',
 | |
|                 'value' => 'Text'
 | |
|             )
 | |
|         );
 | |
|         $param->attr_transform_post[] = new HTMLPurifier_AttrTransform_SafeParam();
 | |
|         $this->info_injector[] = 'SafeObject';
 | |
| 
 | |
|     }
 | |
| 
 | |
| }
 | |
| 
 | |
| // vim: et sw=4 sts=4
 |