ILIAS  release_5-1 Revision 5.0.0-5477-g43f3e3fab5f
SafeParam.php
Go to the documentation of this file.
1<?php
2
16{
20 public $name = "SafeParam";
21
25 private $uri;
26
27 public function __construct()
28 {
29 $this->uri = new HTMLPurifier_AttrDef_URI(true); // embedded
30 $this->wmode = new HTMLPurifier_AttrDef_Enum(array('window', 'opaque', 'transparent'));
31 }
32
39 public function transform($attr, $config, $context)
40 {
41 // If we add support for other objects, we'll need to alter the
42 // transforms.
43 switch ($attr['name']) {
44 // application/x-shockwave-flash
45 // Keep this synchronized with Injector/SafeObject.php
46 case 'allowScriptAccess':
47 $attr['value'] = 'never';
48 break;
49 case 'allowNetworking':
50 $attr['value'] = 'internal';
51 break;
52 case 'allowFullScreen':
53 if ($config->get('HTML.FlashAllowFullScreen')) {
54 $attr['value'] = ($attr['value'] == 'true') ? 'true' : 'false';
55 } else {
56 $attr['value'] = 'false';
57 }
58 break;
59 case 'wmode':
60 $attr['value'] = $this->wmode->validate($attr['value'], $config, $context);
61 break;
62 case 'movie':
63 case 'src':
64 $attr['name'] = "movie";
65 $attr['value'] = $this->uri->validate($attr['value'], $config, $context);
66 break;
67 case 'flashvars':
68 // we're going to allow arbitrary inputs to the SWF, on
69 // the reasoning that it could only hack the SWF, not us.
70 break;
71 // add other cases to support other param name/value pairs
72 default:
73 $attr['name'] = $attr['value'] = null;
74 }
75 return $attr;
76 }
77}
78
79// vim: et sw=4 sts=4
Validates a keyword against a list of valid values.
Definition: Enum.php:11
Validates a URI as defined by RFC 3986.
Definition: URI.php:8
Validates name/value pairs in param tags to be used in safe objects.
Definition: SafeParam.php:16
transform($attr, $config, $context)
Definition: SafeParam.php:39
$uri
@type HTMLPurifier_AttrDef_URI
Definition: SafeParam.php:25
Processes an entire attribute array for corrections needing multiple values.