|
- <?php
-
- /**
- * A "safe" script module. No inline JS is allowed, and pointed to JS
- * files must match whitelist.
- */
- class HTMLPurifier_HTMLModule_SafeScripting extends HTMLPurifier_HTMLModule
- {
- /**
- * @type string
- */
- public $name = 'SafeScripting';
-
- /**
- * @param HTMLPurifier_Config $config
- */
- public function setup($config)
- {
- // These definitions are not intrinsically safe: the attribute transforms
- // are a vital part of ensuring safety.
-
- $allowed = $config->get('HTML.SafeScripting');
- $script = $this->addElement(
- 'script',
- 'Inline',
- 'Empty',
- null,
- array(
- // While technically not required by the spec, we're forcing
- // it to this value.
- 'type' => 'Enum#text/javascript',
- 'src*' => new HTMLPurifier_AttrDef_Enum(array_keys($allowed))
- )
- );
- $script->attr_transform_pre[] =
- $script->attr_transform_post[] = new HTMLPurifier_AttrTransform_ScriptRequired();
- }
- }
-
- // vim: et sw=4 sts=4
|