ILIAS  release_5-1 Revision 5.0.0-5477-g43f3e3fab5f
SafeObject.php
Go to the documentation of this file.
1<?php
2
8{
12 public $name = 'SafeObject';
13
17 public $needed = array('object', 'param');
18
22 protected $objectStack = array();
23
27 protected $paramStack = array();
28
33 protected $addParam = array(
34 'allowScriptAccess' => 'never',
35 'allowNetworking' => 'internal',
36 );
37
41 protected $allowedParam = array(
42 'wmode' => true,
43 'movie' => true,
44 'flashvars' => true,
45 'src' => true,
46 'allowFullScreen' => true, // if omitted, assume to be 'false'
47 );
48
54 public function prepare($config, $context)
55 {
56 parent::prepare($config, $context);
57 }
58
62 public function handleElement(&$token)
63 {
64 if ($token->name == 'object') {
65 $this->objectStack[] = $token;
66 $this->paramStack[] = array();
67 $new = array($token);
68 foreach ($this->addParam as $name => $value) {
69 $new[] = new HTMLPurifier_Token_Empty('param', array('name' => $name, 'value' => $value));
70 }
71 $token = $new;
72 } elseif ($token->name == 'param') {
73 $nest = count($this->currentNesting) - 1;
74 if ($nest >= 0 && $this->currentNesting[$nest]->name === 'object') {
75 $i = count($this->objectStack) - 1;
76 if (!isset($token->attr['name'])) {
77 $token = false;
78 return;
79 }
80 $n = $token->attr['name'];
81 // We need this fix because YouTube doesn't supply a data
82 // attribute, which we need if a type is specified. This is
83 // *very* Flash specific.
84 if (!isset($this->objectStack[$i]->attr['data']) &&
85 ($token->attr['name'] == 'movie' || $token->attr['name'] == 'src')
86 ) {
87 $this->objectStack[$i]->attr['data'] = $token->attr['value'];
88 }
89 // Check if the parameter is the correct value but has not
90 // already been added
91 if (!isset($this->paramStack[$i][$n]) &&
92 isset($this->addParam[$n]) &&
93 $token->attr['name'] === $this->addParam[$n]) {
94 // keep token, and add to param stack
95 $this->paramStack[$i][$n] = true;
96 } elseif (isset($this->allowedParam[$n])) {
97 // keep token, don't do anything to it
98 // (could possibly check for duplicates here)
99 } else {
100 $token = false;
101 }
102 } else {
103 // not directly inside an object, DENY!
104 $token = false;
105 }
106 }
107 }
108
109 public function handleEnd(&$token)
110 {
111 // This is the WRONG way of handling the object and param stacks;
112 // we should be inserting them directly on the relevant object tokens
113 // so that the global stack handling handles it.
114 if ($token->name == 'object') {
115 array_pop($this->objectStack);
116 array_pop($this->paramStack);
117 }
118 }
119}
120
121// vim: et sw=4 sts=4
$n
Definition: RandomTest.php:80
Adds important param elements to inside of object in order to make things safe.
Definition: SafeObject.php:8
$addParam
Keep this synchronized with AttrTransform/SafeParam.php.
Definition: SafeObject.php:33
prepare($config, $context)
Definition: SafeObject.php:54
handleEnd(&$token)
Handler that is called when an end token is processed.
Definition: SafeObject.php:109
Injects tokens into the document while parsing for well-formedness.
Definition: Injector.php:17
Concrete empty token class.
Definition: Empty.php:7