123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124 |
- <?php
-
-
- class HTMLPurifier_Injector_SafeObject extends HTMLPurifier_Injector
- {
-
-
- public $name = 'SafeObject';
-
-
-
- public $needed = array('object', 'param');
-
-
-
- protected $objectStack = array();
-
-
-
- protected $paramStack = array();
-
-
-
- protected $addParam = array(
- 'allowScriptAccess' => 'never',
- 'allowNetworking' => 'internal',
- );
-
-
-
- protected $allowedParam = array(
- 'wmode' => true,
- 'movie' => true,
- 'flashvars' => true,
- 'src' => true,
- 'allowfullscreen' => true,
- );
-
-
-
- public function prepare($config, $context)
- {
- parent::prepare($config, $context);
- }
-
-
-
- public function handleElement(&$token)
- {
- if ($token->name == 'object') {
- $this->objectStack[] = $token;
- $this->paramStack[] = array();
- $new = array($token);
- foreach ($this->addParam as $name => $value) {
- $new[] = new HTMLPurifier_Token_Empty('param', array('name' => $name, 'value' => $value));
- }
- $token = $new;
- } elseif ($token->name == 'param') {
- $nest = count($this->currentNesting) - 1;
- if ($nest >= 0 && $this->currentNesting[$nest]->name === 'object') {
- $i = count($this->objectStack) - 1;
- if (!isset($token->attr['name'])) {
- $token = false;
- return;
- }
- $n = $token->attr['name'];
-
-
-
- if (!isset($this->objectStack[$i]->attr['data']) &&
- ($token->attr['name'] == 'movie' || $token->attr['name'] == 'src')
- ) {
- $this->objectStack[$i]->attr['data'] = $token->attr['value'];
- }
-
-
- if (!isset($this->paramStack[$i][$n]) &&
- isset($this->addParam[$n]) &&
- $token->attr['name'] === $this->addParam[$n]) {
-
- $this->paramStack[$i][$n] = true;
- } elseif (isset($this->allowedParam[strtolower($n)])) {
-
-
-
-
- } else {
- $token = false;
- }
- } else {
-
- $token = false;
- }
- }
- }
-
- public function handleEnd(&$token)
- {
-
-
-
- if ($token->name == 'object') {
- array_pop($this->objectStack);
- array_pop($this->paramStack);
- }
- }
- }
-
-