1<?php
2
3/**
4 * Implements safety checks for safe iframes.
5 *
6 * @warning This filter is *critical* for ensuring that %HTML.SafeIframe
7 * works safely.
8 */
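class HTMLPurifier_URIFilter_SafeIframe extends HTMLPurifier_URIFilter
{
    /**
     * @type string
     */
    public $name = 'SafeIframe';

    /**
     * @type bool
     */
    public $always_load = true;

    /**
     * PCRE pattern read from %URI.SafeIframeRegexp, or null when no
     * whitelist is configured (in which case every iframe URI is rejected).
     *
     * The pattern itself is responsible for anchoring (e.g. a leading `^`)
     * and for escaping literal dots; this filter applies it as-is to the
     * whole serialized URI.
     *
     * @type string|null
     */
    protected $regexp = null;

    // XXX: The not so good bit about how this is all set up now is we
    // can't check HTML.SafeIframe in the 'prepare' step: we have to
    // defer till the actual filtering.
    /**
     * Caches the configured whitelist pattern for use in filter().
     *
     * @param HTMLPurifier_Config $config
     * @return bool Always true; the filter stays registered even when no
     *              pattern is configured so that it can fail closed later.
     */
    public function prepare($config)
    {
        $this->regexp = $config->get('URI.SafeIframeRegexp');
        return true;
    }

    /**
     * Decides whether an iframe src URI is allowed.
     *
     * Returns true (keep the URI) whenever the filter does not apply: the
     * %HTML.SafeIframe directive is off, the URI is not embedded, or the
     * current token is not an iframe. For iframe URIs it fails closed:
     * false (reject) when no whitelist pattern is configured, when the
     * pattern does not match, or when preg_match() itself fails.
     *
     * @param HTMLPurifier_URI $uri
     * @param HTMLPurifier_Config $config
     * @param HTMLPurifier_Context $context
     * @return bool
     */
    public function filter(&$uri, $config, $context)
    {
        // check if filter not applicable
        if (!$config->get('HTML.SafeIframe')) {
            return true;
        }
        // check if the filter should actually trigger
        if (!$context->get('EmbeddedURI', true)) {
            return true;
        }
        $token = $context->get('CurrentToken', true);
        // strict comparison: token names are plain strings, no coercion wanted
        if (!($token && $token->name === 'iframe')) {
            return true;
        }
        // check if we actually have some whitelists enabled
        if ($this->regexp === null) {
            return false;
        }
        // actually check the whitelists.
        // preg_match() returns 1/0 on (no) match and false on a PCRE error;
        // the cast makes the documented bool contract explicit and keeps a
        // malformed pattern failing closed (false => URI rejected).
        return (bool) preg_match($this->regexp, $uri->toString());
    }
}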
67
68// vim: et sw=4 sts=4
69