1: <?php
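/**
 * Injector that constrains <object>/<param> markup to a fixed, allowlisted shape.
 *
 * For every opening <object> token it emits one <param> per entry of
 * $addParam directly after the object, so the enforced values precede any
 * author-supplied parameters. Author-supplied <param> tokens are kept only
 * when they sit directly inside an <object> and their name is a key of
 * $allowedParam; everything else is dropped by setting the token to false.
 *
 * Security notes for maintainers:
 *  - Name matching is done with isset() on array keys and is therefore
 *    case-sensitive; a differently-cased name is treated as unknown and
 *    dropped (fail-closed).
 *  - Values of allowlisted params ('flashvars', 'movie', 'src', ...) pass
 *    through unchanged, and 'movie'/'src' values are copied into the object's
 *    'data' attribute without any validation in this class. URI and
 *    attribute validation must happen elsewhere in the pipeline
 *    -- NOTE(review): confirm that it runs after this injector.
 */
class HTMLPurifier_Injector_SafeObject extends HTMLPurifier_Injector
{
    public $name = 'SafeObject';

    // Element names this injector operates on.
    public $needed = array('object', 'param');

    // Open <object> tokens, innermost last; pushed in handleElement(),
    // popped in handleEnd().
    protected $objectStack = array();

    // One array per open <object>, kept parallel to $objectStack, recording
    // which enforced parameter names have been accepted from the author.
    protected $paramStack = array();

    // Parameters injected after every <object> start tag (name => value).
    protected $addParam = array(
        'allowScriptAccess' => 'never',
        'allowNetworking' => 'internal',
    );

    // Author-supplied parameter names that are passed through (name => true).
    // Any name that is not a key here is removed.
    protected $allowedParam = array(
        'wmode' => true,
        'movie' => true,
        'flashvars' => true,
        'src' => true,
        'allowFullScreen' => true,
    );

    /**
     * Delegates to the parent implementation.
     *
     * NOTE(review): the parent's return value is discarded here; if the
     * parent uses it to report a status, callers of this override will not
     * see it -- confirm against HTMLPurifier_Injector::prepare().
     */
    public function prepare($config, $context)
    {
        parent::prepare($config, $context);
    }

    /**
     * Processes an opening or empty element token.
     *
     * @param object $token Token passed by reference. It is replaced with an
     *                      array (object token followed by the enforced
     *                      params) for <object>, set to false to delete a
     *                      rejected <param>, or left untouched.
     */
    public function handleElement(&$token)
    {
        if ($token->name === 'object') {
            $this->objectStack[] = $token;
            $this->paramStack[] = array();

            // The stack entry and $replacement[0] are the same token object,
            // so later writes to the stacked token's attributes (the 'data'
            // sync below) show up on the emitted token.
            $replacement = array($token);
            foreach ($this->addParam as $paramName => $paramValue) {
                $replacement[] = new HTMLPurifier_Token_Empty(
                    'param',
                    array('name' => $paramName, 'value' => $paramValue)
                );
            }
            $token = $replacement;
            return;
        }

        if ($token->name !== 'param') {
            return;
        }

        // A <param> is only meaningful as a direct child of <object>;
        // anywhere else it is removed.
        $depth = count($this->currentNesting) - 1;
        if ($depth < 0 || $this->currentNesting[$depth]->name !== 'object') {
            $token = false;
            return;
        }

        // A param without a name cannot be checked against the allowlist.
        if (!isset($token->attr['name'])) {
            $token = false;
            return;
        }

        $i = count($this->objectStack) - 1;
        $n = $token->attr['name'];

        // Mirror the first movie/src value into the object's 'data'
        // attribute when the object has none. Guarded so that a param
        // without a 'value' attribute, or a missing stack entry, neither
        // reads an undefined index nor writes through a non-object.
        if (
            ($n === 'movie' || $n === 'src') &&
            isset($token->attr['value']) &&
            isset($this->objectStack[$i]) &&
            !isset($this->objectStack[$i]->attr['data'])
        ) {
            $this->objectStack[$i]->attr['data'] = $token->attr['value'];
        }

        // NOTE(review): this branch compares the param *name* with the
        // enforced *value*. With the $addParam defaults declared above no key
        // equals its own value, so the branch never fires and an
        // author-supplied copy of an enforced parameter always falls through
        // to removal below. That outcome is fail-closed; confirm the intent
        // before changing the comparison to look at attr['value'].
        if (
            !isset($this->paramStack[$i][$n]) &&
            isset($this->addParam[$n]) &&
            $n === $this->addParam[$n]
        ) {
            // Keep the token and remember that this enforced name was seen.
            $this->paramStack[$i][$n] = true;
        } elseif (isset($this->allowedParam[$n])) {
            // Allowlisted name: keep the token as it is. Duplicates are not
            // filtered here.
        } else {
            // Unknown or enforced-only name: drop it.
            $token = false;
        }
    }

    /**
     * Processes a closing element token; a closing </object> discards the
     * innermost entry of both tracking stacks.
     *
     * @param object $token Token passed by reference; not modified here.
     */
    public function handleEnd(&$token)
    {
        if ($token->name === 'object') {
            array_pop($this->objectStack);
            array_pop($this->paramStack);
        }
    }
}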