ILIAS  release_5-1 Revision 5.0.0-5477-g43f3e3fab5f
SafeObject.php
Go to the documentation of this file.
1 <?php
2 
7 class HTMLPurifier_Injector_SafeObject extends HTMLPurifier_Injector
8 {
12  public $name = 'SafeObject';
13 
17  public $needed = array('object', 'param');
18 
22  protected $objectStack = array();
23 
27  protected $paramStack = array();
28 
33  protected $addParam = array(
34  'allowScriptAccess' => 'never',
35  'allowNetworking' => 'internal',
36  );
37 
41  protected $allowedParam = array(
42  'wmode' => true,
43  'movie' => true,
44  'flashvars' => true,
45  'src' => true,
46  'allowFullScreen' => true, // if omitted, assume to be 'false'
47  );
48 
54  public function prepare($config, $context)
55  {
56  parent::prepare($config, $context);
57  }
58 
62  public function handleElement(&$token)
63  {
64  if ($token->name == 'object') {
65  $this->objectStack[] = $token;
66  $this->paramStack[] = array();
67  $new = array($token);
68  foreach ($this->addParam as $name => $value) {
69  $new[] = new HTMLPurifier_Token_Empty('param', array('name' => $name, 'value' => $value));
70  }
71  $token = $new;
72  } elseif ($token->name == 'param') {
73  $nest = count($this->currentNesting) - 1;
74  if ($nest >= 0 && $this->currentNesting[$nest]->name === 'object') {
75  $i = count($this->objectStack) - 1;
76  if (!isset($token->attr['name'])) {
77  $token = false;
78  return;
79  }
80  $n = $token->attr['name'];
81  // We need this fix because YouTube doesn't supply a data
82  // attribute, which we need if a type is specified. This is
83  // *very* Flash specific.
84  if (!isset($this->objectStack[$i]->attr['data']) &&
85  ($token->attr['name'] == 'movie' || $token->attr['name'] == 'src')
86  ) {
87  $this->objectStack[$i]->attr['data'] = $token->attr['value'];
88  }
89  // Check if the parameter is the correct value but has not
90  // already been added
91  if (!isset($this->paramStack[$i][$n]) &&
92  isset($this->addParam[$n]) &&
93  $token->attr['name'] === $this->addParam[$n]) {
94  // keep token, and add to param stack
95  $this->paramStack[$i][$n] = true;
96  } elseif (isset($this->allowedParam[$n])) {
97  // keep token, don't do anything to it
98  // (could possibly check for duplicates here)
99  } else {
100  $token = false;
101  }
102  } else {
103  // not directly inside an object, DENY!
104  $token = false;
105  }
106  }
107  }
108 
109  public function handleEnd(&$token)
110  {
111  // This is the WRONG way of handling the object and param stacks;
112  // we should be inserting them directly on the relevant object tokens
113  // so that the global stack handling handles it.
114  if ($token->name == 'object') {
115  array_pop($this->objectStack);
116  array_pop($this->paramStack);
117  }
118  }
119 }
120 
121 // vim: et sw=4 sts=4
HTMLPurifier_Injector_SafeObject\$name
$name
string
Definition: SafeObject.php:12
HTMLPurifier_Injector_SafeObject\prepare
prepare($config, $context)
Definition: SafeObject.php:54
HTMLPurifier_Injector_SafeObject\$objectStack
$objectStack
array
Definition: SafeObject.php:22
HTMLPurifier_Injector_SafeObject\$needed
$needed
array
Definition: SafeObject.php:17
HTMLPurifier_Injector_SafeObject\$allowedParam
$allowedParam
array
Definition: SafeObject.php:41
HTMLPurifier_Injector_SafeObject
Adds important param elements to inside of object in order to make things safe.
Definition: SafeObject.php:7
HTMLPurifier_Injector_SafeObject\$paramStack
$paramStack
array
Definition: SafeObject.php:27
HTMLPurifier_Injector_SafeObject\$addParam
$addParam
Keep this synchronized with AttrTransform/SafeParam.php.
Definition: SafeObject.php:33
$n
$n
Definition: RandomTest.php:80
HTMLPurifier_Token_Empty
Concrete empty token class.
Definition: Empty.php:6
HTMLPurifier_Injector
Injects tokens into the document while parsing for well-formedness.
Definition: Injector.php:16
HTMLPurifier_Injector_SafeObject\handleElement
handleElement(&$token)
Definition: SafeObject.php:62
HTMLPurifier_Injector_SafeObject\handleEnd
handleEnd(&$token)
Definition: SafeObject.php:109