Validates name/value pairs in param tags to be used in safe objects. More...

Inheritance diagram for HTMLPurifier_AttrTransform_SafeParam:

Collaboration diagram for HTMLPurifier_AttrTransform_SafeParam:

Public Member Functions
	__construct ()

	transform ($attr, $config, $context)

Public Member Functions inherited from HTMLPurifier_AttrTransform
	transform ($attr, $config, $context)
	Abstract: makes changes to the attributes dependent on multiple values. More...

	prependCSS (&$attr, $css)
	Prepends CSS properties to the style attribute, creating the attribute if it doesn't exist. More...

	confiscateAttr (&$attr, $key)
	Retrieves and removes an attribute. More...

Data Fields
	$name = "SafeParam"

Private Attributes
	$uri

Detailed Description

Validates name/value pairs in param tags to be used in safe objects.

This will only allow name values it recognizes, and pre-fill certain attributes with required values.

Note: This class only supports Flash. In the future, Quicktime support may be added.

Warning: This class expects an injector to add the necessary parameters tags.

Definition at line 15 of file SafeParam.php.

Constructor & Destructor Documentation

◆ __construct()

HTMLPurifier_AttrTransform_SafeParam::__construct ( )

Definition at line 20 of file SafeParam.php.

                                   {
         $this->uri = new HTMLPurifier_AttrDef_URI(true); // embedded
         $this->wmode = new HTMLPurifier_AttrDef_Enum(array('window', 'opaque', 'transparent'));
     }

Member Function Documentation

◆ transform()

HTMLPurifier_AttrTransform_SafeParam::transform	(	$attr,
		$config,
		$context
	)

Definition at line 25 of file SafeParam.php.

                                                         {
         // If we add support for other objects, we'll need to alter the
         // transforms.
         switch ($attr['name']) {
             // application/x-shockwave-flash
             // Keep this synchronized with Injector/SafeObject.php
             case 'allowScriptAccess':
                 $attr['value'] = 'never';
                 break;
             case 'allowNetworking':
                 $attr['value'] = 'internal';
                 break;
             case 'allowFullScreen':
                 if ($config->get('HTML.FlashAllowFullScreen')) {
                     $attr['value'] = ($attr['value'] == 'true') ? 'true' : 'false';
                 } else {
                     $attr['value'] = 'false';
                 }
                 break;
             case 'wmode':
                 $attr['value'] = $this->wmode->validate($attr['value'], $config, $context);
                 break;
             case 'movie':
             case 'src':
                 $attr['name'] = "movie";
                 $attr['value'] = $this->uri->validate($attr['value'], $config, $context);
                 break;
             case 'flashvars':
                 // we're going to allow arbitrary inputs to the SWF, on
                 // the reasoning that it could only hack the SWF, not us.
                 break;
             // add other cases to support other param name/value pairs
             default:
                 $attr['name'] = $attr['value'] = null;
         }
         return $attr;
     }

Field Documentation

◆ $name

HTMLPurifier_AttrTransform_SafeParam::$name = "SafeParam"

Definition at line 17 of file SafeParam.php.

◆ $uri

HTMLPurifier_AttrTransform_SafeParam::$uri

private

Definition at line 18 of file SafeParam.php.

The documentation for this class was generated from the following file:

Services/Html/HtmlPurifier/library/HTMLPurifier/AttrTransform/SafeParam.php

Public Member Functions

Data Fields

Private Attributes