friendica/vendor/ezyang/htmlpurifier/library/HTMLPurifier/Injector/SafeObject.php

122 lines
3.7 KiB
PHP
Raw Normal View History

2010-09-08 23:14:17 -04:00
<?php
/**
* Adds important param elements to inside of object in order to make
* things safe.
*/
class HTMLPurifier_Injector_SafeObject extends HTMLPurifier_Injector
{
2016-02-09 05:06:17 -05:00
/**
* @type string
*/
2010-09-08 23:14:17 -04:00
public $name = 'SafeObject';
2016-02-09 05:06:17 -05:00
/**
* @type array
*/
2010-09-08 23:14:17 -04:00
public $needed = array('object', 'param');
2016-02-09 05:06:17 -05:00
/**
* @type array
*/
2010-09-08 23:14:17 -04:00
protected $objectStack = array();
2016-02-09 05:06:17 -05:00
/**
* @type array
*/
protected $paramStack = array();
/**
* Keep this synchronized with AttrTransform/SafeParam.php.
* @type array
*/
2010-09-08 23:14:17 -04:00
protected $addParam = array(
'allowScriptAccess' => 'never',
'allowNetworking' => 'internal',
);
2016-02-09 05:06:17 -05:00
/**
* @type array
*/
2010-09-08 23:14:17 -04:00
protected $allowedParam = array(
'wmode' => true,
'movie' => true,
'flashvars' => true,
'src' => true,
2016-02-09 05:06:17 -05:00
'allowFullScreen' => true, // if omitted, assume to be 'false'
2010-09-08 23:14:17 -04:00
);
2016-02-09 05:06:17 -05:00
/**
* @param HTMLPurifier_Config $config
* @param HTMLPurifier_Context $context
* @return void
*/
public function prepare($config, $context)
{
2010-09-08 23:14:17 -04:00
parent::prepare($config, $context);
}
2016-02-09 05:06:17 -05:00
/**
* @param HTMLPurifier_Token $token
*/
public function handleElement(&$token)
{
2010-09-08 23:14:17 -04:00
if ($token->name == 'object') {
$this->objectStack[] = $token;
$this->paramStack[] = array();
$new = array($token);
foreach ($this->addParam as $name => $value) {
$new[] = new HTMLPurifier_Token_Empty('param', array('name' => $name, 'value' => $value));
}
$token = $new;
} elseif ($token->name == 'param') {
$nest = count($this->currentNesting) - 1;
if ($nest >= 0 && $this->currentNesting[$nest]->name === 'object') {
$i = count($this->objectStack) - 1;
if (!isset($token->attr['name'])) {
$token = false;
return;
}
$n = $token->attr['name'];
// We need this fix because YouTube doesn't supply a data
// attribute, which we need if a type is specified. This is
// *very* Flash specific.
if (!isset($this->objectStack[$i]->attr['data']) &&
2016-02-09 05:06:17 -05:00
($token->attr['name'] == 'movie' || $token->attr['name'] == 'src')
) {
2010-09-08 23:14:17 -04:00
$this->objectStack[$i]->attr['data'] = $token->attr['value'];
}
// Check if the parameter is the correct value but has not
// already been added
2016-02-09 05:06:17 -05:00
if (!isset($this->paramStack[$i][$n]) &&
2010-09-08 23:14:17 -04:00
isset($this->addParam[$n]) &&
2016-02-09 05:06:17 -05:00
$token->attr['name'] === $this->addParam[$n]) {
2010-09-08 23:14:17 -04:00
// keep token, and add to param stack
$this->paramStack[$i][$n] = true;
} elseif (isset($this->allowedParam[$n])) {
// keep token, don't do anything to it
// (could possibly check for duplicates here)
} else {
$token = false;
}
} else {
// not directly inside an object, DENY!
$token = false;
}
}
}
2016-02-09 05:06:17 -05:00
public function handleEnd(&$token)
{
2010-09-08 23:14:17 -04:00
// This is the WRONG way of handling the object and param stacks;
// we should be inserting them directly on the relevant object tokens
// so that the global stack handling handles it.
if ($token->name == 'object') {
array_pop($this->objectStack);
array_pop($this->paramStack);
}
}
}
// vim: et sw=4 sts=4