HTMLPurifier_AttrTransform_SafeParam Class Reference

Validates name/value pairs in param tags to be used in safe objects. More...

Inheritance diagram for HTMLPurifier_AttrTransform_SafeParam:

Collaboration diagram for HTMLPurifier_AttrTransform_SafeParam:

Public Member Functions
	__construct ()
	transform ($attr, $config, $context)
Public Member Functions inherited from HTMLPurifier_AttrTransform
	transform ($attr, $config, $context)
	Abstract: makes changes to the attributes dependent on multiple values. More...
	prependCSS (&$attr, $css)
	Prepends CSS properties to the style attribute, creating the attribute if it doesn't exist. More...
	confiscateAttr (&$attr, $key)
	Retrieves and removes an attribute. More...

Data Fields
	$name = "SafeParam"
	@type string More...

Private Attributes
	$uri
	@type HTMLPurifier_AttrDef_URI More...

Detailed Description

Validates name/value pairs in param tags to be used in safe objects.

This will only allow name values it recognizes, and pre-fill certain attributes with required values.

Note

This class only supports Flash. In the future, Quicktime support may be added.

Warning

This class expects an injector to add the necessary parameters tags.

Definition at line 15 of file SafeParam.php.

Constructor & Destructor Documentation

__construct()

HTMLPurifier_AttrTransform_SafeParam::__construct

(

)

Definition at line 27 of file SafeParam.php.

    {
        $this->uri = new HTMLPurifier_AttrDef_URI(true); // embedded
        $this->wmode = new HTMLPurifier_AttrDef_Enum(array('window', 'opaque', 'transparent'));
    }

Member Function Documentation

transform()

HTMLPurifier_AttrTransform_SafeParam::transform	(		$attr,
			$config,
			$context
	)

Parameters

array	$attr
HTMLPurifier_Config	$config
HTMLPurifier_Context	$context

Returns

array

Reimplemented from HTMLPurifier_AttrTransform.

Definition at line 39 of file SafeParam.php.

    {
        // If we add support for other objects, we'll need to alter the
        // transforms.
        switch ($attr['name']) {
            // application/x-shockwave-flash
            // Keep this synchronized with Injector/SafeObject.php
            case 'allowScriptAccess':
                $attr['value'] = 'never';
                break;
            case 'allowNetworking':
                $attr['value'] = 'internal';
                break;
            case 'allowFullScreen':
                if ($config->get('HTML.FlashAllowFullScreen')) {
                    $attr['value'] = ($attr['value'] == 'true') ? 'true' : 'false';
                } else {
                    $attr['value'] = 'false';
                }
                break;
            case 'wmode':
                $attr['value'] = $this->wmode->validate($attr['value'], $config, $context);
                break;
            case 'movie':
            case 'src':
                $attr['name'] = "movie";
                $attr['value'] = $this->uri->validate($attr['value'], $config, $context);
                break;
            case 'flashvars':
                // we're going to allow arbitrary inputs to the SWF, on
                // the reasoning that it could only hack the SWF, not us.
                break;
            // add other cases to support other param name/value pairs
            default:
                $attr['name'] = $attr['value'] = null;
        }
        return $attr;
    }

References $config.

Field Documentation

$name

HTMLPurifier_AttrTransform_SafeParam::$name = "SafeParam"

@type string

Definition at line 20 of file SafeParam.php.

$uri

HTMLPurifier_AttrTransform_SafeParam::$uri

private

@type HTMLPurifier_AttrDef_URI

Definition at line 25 of file SafeParam.php.

---

The documentation for this class was generated from the following file:

• libs/composer/vendor/ezyang/htmlpurifier/library/HTMLPurifier/AttrTransform/SafeParam.php