Laclic
/
Souke
Watch 5
Star 0
Fork 1
Code Issues 1 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
2 Commits
6 Branches
Tree: e755510f00
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'e755510f00'
${ noResults }
Souke/vendor/ezyang/htmlpurifier/library/HTMLPurifier/Injector/SafeObject.php

SafeObject.php 3.7KB
Raw Normal View History

Ajouter au dépot le dossier "vendor"
8 years ago
 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121 
  1. <?php

  2. 

  3. /**

  4.  * Adds important param elements to inside of object in order to make

  5.  * things safe.

  6.  */

  7. class HTMLPurifier_Injector_SafeObject extends HTMLPurifier_Injector

  8. {

  9.     /**

  10.      * @type string

  11.      */

  12.     public $name = 'SafeObject';

  13. 

  14.     /**

  15.      * @type array

  16.      */

  17.     public $needed = array('object', 'param');

  18. 

  19.     /**

  20.      * @type array

  21.      */

  22.     protected $objectStack = array();

  23. 

  24.     /**

  25.      * @type array

  26.      */

  27.     protected $paramStack = array();

  28. 

  29.     /**

  30.      * Keep this synchronized with AttrTransform/SafeParam.php.

  31.      * @type array

  32.      */

  33.     protected $addParam = array(

  34.         'allowScriptAccess' => 'never',

  35.         'allowNetworking' => 'internal',

  36.     );

  37. 

  38.     /**

  39.      * @type array

  40.      */

  41.     protected $allowedParam = array(

  42.         'wmode' => true,

  43.         'movie' => true,

  44.         'flashvars' => true,

  45.         'src' => true,

  46.         'allowFullScreen' => true, // if omitted, assume to be 'false'

  47.     );

  48. 

  49.     /**

  50.      * @param HTMLPurifier_Config $config

  51.      * @param HTMLPurifier_Context $context

  52.      * @return void

  53.      */

  54.     public function prepare($config, $context)

  55.     {

  56.         parent::prepare($config, $context);

  57.     }

  58. 

  59.     /**

  60.      * @param HTMLPurifier_Token $token

  61.      */

  62.     public function handleElement(&$token)

  63.     {

  64.         if ($token->name == 'object') {

  65.             $this->objectStack[] = $token;

  66.             $this->paramStack[] = array();

  67.             $new = array($token);

  68.             foreach ($this->addParam as $name => $value) {

  69.                 $new[] = new HTMLPurifier_Token_Empty('param', array('name' => $name, 'value' => $value));

  70.             }

  71.             $token = $new;

  72.         } elseif ($token->name == 'param') {

  73.             $nest = count($this->currentNesting) - 1;

  74.             if ($nest >= 0 && $this->currentNesting[$nest]->name === 'object') {

  75.                 $i = count($this->objectStack) - 1;

  76.                 if (!isset($token->attr['name'])) {

  77.                     $token = false;

  78.                     return;

  79.                 }

  80.                 $n = $token->attr['name'];

  81.                 // We need this fix because YouTube doesn't supply a data

  82.                 // attribute, which we need if a type is specified. This is

  83.                 // *very* Flash specific.

  84.                 if (!isset($this->objectStack[$i]->attr['data']) &&

  85.                     ($token->attr['name'] == 'movie' || $token->attr['name'] == 'src')

  86.                 ) {

  87.                     $this->objectStack[$i]->attr['data'] = $token->attr['value'];

  88.                 }

  89.                 // Check if the parameter is the correct value but has not

  90.                 // already been added

  91.                 if (!isset($this->paramStack[$i][$n]) &&

  92.                     isset($this->addParam[$n]) &&

  93.                     $token->attr['name'] === $this->addParam[$n]) {

  94.                     // keep token, and add to param stack

  95.                     $this->paramStack[$i][$n] = true;

  96.                 } elseif (isset($this->allowedParam[$n])) {

  97.                     // keep token, don't do anything to it

  98.                     // (could possibly check for duplicates here)

  99.                 } else {

  100.                     $token = false;

  101.                 }

  102.             } else {

  103.                 // not directly inside an object, DENY!

  104.                 $token = false;

  105.             }

  106.         }

  107.     }

  108. 

  109.     public function handleEnd(&$token)

  110.     {

  111.         // This is the WRONG way of handling the object and param stacks;

  112.         // we should be inserting them directly on the relevant object tokens

  113.         // so that the global stack handling handles it.

  114.         if ($token->name == 'object') {

  115.             array_pop($this->objectStack);

  116.             array_pop($this->paramStack);

  117.         }

  118.     }

  119. }

  120. 

  121. // vim: et sw=4 sts=4