1: <?php
2:
3: /**
4: * Validates name/value pairs in param tags to be used in safe objects. This
5: * will only allow name values it recognizes, and pre-fill certain attributes
6: * with required values.
7: *
8: * @note
9: * This class only supports Flash. In the future, Quicktime support
10: * may be added.
11: *
12: * @warning
13: * This class expects an injector to add the necessary parameter tags.
14: */
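class HTMLPurifier_AttrTransform_SafeParam extends HTMLPurifier_AttrTransform
{
    /**
     * Name of this transform as reported to the purifier.
     * @type string
     */
    public $name = "SafeParam";

    /**
     * URI validator used for the movie/src value (constructed in embedded mode).
     * @type HTMLPurifier_AttrDef_URI
     */
    private $uri;

    /**
     * Enum validator restricting wmode to the three accepted values.
     * Declared explicitly so the constructor does not create a dynamic
     * property (deprecated since PHP 8.2).
     * @type HTMLPurifier_AttrDef_Enum
     */
    private $wmode;

    public function __construct()
    {
        $this->uri = new HTMLPurifier_AttrDef_URI(true); // embedded
        $this->wmode = new HTMLPurifier_AttrDef_Enum(array('window', 'opaque', 'transparent'));
    }

    /**
     * Rewrites a param name/value pair into its safe form.
     *
     * Recognized names get their value forced (allowScriptAccess,
     * allowNetworking), gated on configuration (allowFullScreen), or
     * validated (wmode, movie/src). Any other name has both 'name' and
     * 'value' set to null; presumably the caller drops such a tag -- confirm
     * against Injector/SafeObject.php.
     *
     * @param array $attr Attribute map; 'name' is the param name, 'value' its value
     * @param HTMLPurifier_Config $config
     * @param HTMLPurifier_Context $context
     * @return array The rewritten attribute map
     */
    public function transform($attr, $config, $context)
    {
        // A param without a name cannot be recognized: route it to the
        // default branch instead of raising an undefined-index notice.
        $paramName = isset($attr['name']) ? $attr['name'] : null;

        // If we add support for other objects, we'll need to alter the
        // transforms.
        switch ($paramName) {
            // application/x-shockwave-flash
            // Keep this synchronized with Injector/SafeObject.php
            case 'allowScriptAccess':
                // Forced regardless of input: the SWF must never script the page.
                $attr['value'] = 'never';
                break;
            case 'allowNetworking':
                // Forced regardless of input.
                $attr['value'] = 'internal';
                break;
            case 'allowFullScreen':
                if ($config->get('HTML.FlashAllowFullScreen')) {
                    // Strict comparison: only the exact string 'true' enables
                    // full screen; anything else (or a missing value) is 'false'.
                    $attr['value'] = (isset($attr['value']) && $attr['value'] === 'true') ? 'true' : 'false';
                } else {
                    $attr['value'] = 'false';
                }
                break;
            case 'wmode':
                $attr['value'] = $this->wmode->validate($attr['value'], $config, $context);
                break;
            case 'movie':
            case 'src':
                // 'src' is an alias; canonicalize the name to 'movie'.
                $attr['name'] = "movie";
                $attr['value'] = $this->uri->validate($attr['value'], $config, $context);
                break;
            case 'flashvars':
                // we're going to allow arbitrary inputs to the SWF, on
                // the reasoning that it could only hack the SWF, not us.
                break;
            // add other cases to support other param name/value pairs
            default:
                $attr['name'] = $attr['value'] = null;
        }
        return $attr;
    }
}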
63:
64: // vim: et sw=4 sts=4
65: