htmlpurifier: HTMLPurifier/Injector/SafeObject.php Quellcode

00001 <?php
00002 
00007 class HTMLPurifier_Injector_SafeObject extends HTMLPurifier_Injector
00008 {
00009     public $name = 'SafeObject';
00010     public $needed = array('object', 'param');
00011 
00012     protected $objectStack = array();
00013     protected $paramStack  = array();
00014 
00015     // Keep this synchronized with AttrTransform/SafeParam.php
00016     protected $addParam = array(
00017         'allowScriptAccess' => 'never',
00018         'allowNetworking' => 'internal',
00019     );
00020     protected $allowedParam = array(
00021         'wmode' => true,
00022         'movie' => true,
00023     );
00024 
00025     public function prepare($config, $context) {
00026         parent::prepare($config, $context);
00027     }
00028 
00029     public function handleElement(&$token) {
00030         if ($token->name == 'object') {
00031             $this->objectStack[] = $token;
00032             $this->paramStack[] = array();
00033             $new = array($token);
00034             foreach ($this->addParam as $name => $value) {
00035                 $new[] = new HTMLPurifier_Token_Empty('param', array('name' => $name, 'value' => $value));
00036             }
00037             $token = $new;
00038         } elseif ($token->name == 'param') {
00039             $nest = count($this->currentNesting) - 1;
00040             if ($nest >= 0 && $this->currentNesting[$nest]->name === 'object') {
00041                 $i = count($this->objectStack) - 1;
00042                 if (!isset($token->attr['name'])) {
00043                     $token = false;
00044                     return;
00045                 }
00046                 $n = $token->attr['name'];
00047                 // We need this fix because YouTube doesn't supply a data
00048                 // attribute, which we need if a type is specified. This is
00049                 // *very* Flash specific.
00050                 if (!isset($this->objectStack[$i]->attr['data']) && $token->attr['name'] == 'movie') {
00051                     $this->objectStack[$i]->attr['data'] = $token->attr['value'];
00052                 }
00053                 // Check if the parameter is the correct value but has not
00054                 // already been added
00055                 if (
00056                     !isset($this->paramStack[$i][$n]) &&
00057                     isset($this->addParam[$n]) &&
00058                     $token->attr['name'] === $this->addParam[$n]
00059                 ) {
00060                     // keep token, and add to param stack
00061                     $this->paramStack[$i][$n] = true;
00062                 } elseif (isset($this->allowedParam[$n])) {
00063                     // keep token, don't do anything to it
00064                     // (could possibly check for duplicates here)
00065                 } else {
00066                     $token = false;
00067                 }
00068             } else {
00069                 // not directly inside an object, DENY!
00070                 $token = false;
00071             }
00072         }
00073     }
00074 
00075     public function handleEnd(&$token) {
00076         // This is the WRONG way of handling the object and param stacks;
00077         // we should be inserting them directly on the relevant object tokens
00078         // so that the global stack handling handles it.
00079         if ($token->name == 'object') {
00080             array_pop($this->objectStack);
00081             array_pop($this->paramStack);
00082         }
00083     }
00084 
00085 }
00086 
00087 // vim: et sw=4 sts=4


Copyright © 2003 - 2009 MyOOS [Shopsystem]. All rights reserved. MyOOS [Shopsystem] is Free Software released under the GNU/GPL License. Webmaster: info@r23.de (Impressum)