<?php

/**
 * Validates name/value pairs in param tags to be used in safe objects. Only
 * the param names this class recognizes are allowed through, and certain
 * values are pre-filled with the required safe value.
 *
 * @note
 *      This class only supports Flash. In the future, Quicktime support
 *      may be added.
 *
 * @warning
 *      This class expects an injector to add the necessary param tags.
 */
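class HTMLPurifier_AttrTransform_SafeParam extends HTMLPurifier_AttrTransform
{
    /**
     * @type string
     */
    public $name = "SafeParam";

    /**
     * Validator for the resource URI carried by a 'movie' / 'src' param.
     * Built in embedded mode (constructor argument true), so the URI is
     * checked as a resource the page loads rather than a plain link.
     * @type HTMLPurifier_AttrDef_URI
     */
    private $uri;

    /**
     * Validator restricting 'wmode' to the three values listed in the
     * constructor; anything else fails validation.
     * @type HTMLPurifier_AttrDef_Enum
     */
    public $wmode;

    public function __construct()
    {
        $this->uri = new HTMLPurifier_AttrDef_URI(true); // embedded
        $this->wmode = new HTMLPurifier_AttrDef_Enum(array('window', 'opaque', 'transparent'));
    }

    /**
     * Rewrites one param tag's name/value pair so that it cannot loosen the
     * sandbox of the enclosing Flash object.
     *
     * Recognised names have their value either pinned to a fixed safe value
     * (allowScriptAccess, allowNetworking), constrained by configuration
     * (allowFullScreen), run through a validator (wmode, movie/src) or passed
     * through untouched (flashvars). Any other name has both name and value
     * set to null, which neutralises the pair.
     *
     * @param array $attr Attributes of the param tag; 'name' is expected,
     *        'value' may be absent.
     * @param HTMLPurifier_Config $config
     * @param HTMLPurifier_Context $context
     * @return array The (possibly rewritten) attribute array.
     */
    public function transform($attr, $config, $context)
    {
        // A param tag may arrive without a value attribute; normalise the
        // missing key to '' so the comparisons and validators below never
        // read an undefined index. The validators trim their input, so ''
        // and an absent value are handled the same way.
        $name = isset($attr['name']) ? $attr['name'] : null;
        $value = isset($attr['value']) ? $attr['value'] : '';

        // If we add support for other objects, we'll need to alter the
        // transforms.
        switch ($name) {
            // application/x-shockwave-flash
            // Keep this synchronized with Injector/SafeObject.php
            case 'allowScriptAccess':
                // Pinned regardless of the supplied value: 'never' keeps the
                // SWF from scripting the hosting page.
                $attr['value'] = 'never';
                break;
            case 'allowNetworking':
                // Pinned regardless of the supplied value: 'internal' stops
                // the SWF from navigating the browser window.
                $attr['value'] = 'internal';
                break;
            case 'allowFullScreen':
                // Only honour a literal 'true' when the directive permits it;
                // everything else (including a missing value) becomes 'false'.
                if ($config->get('HTML.FlashAllowFullScreen')) {
                    $attr['value'] = ($value === 'true') ? 'true' : 'false';
                } else {
                    $attr['value'] = 'false';
                }
                break;
            case 'wmode':
                // Enum validator returns false for anything outside the set.
                $attr['value'] = $this->wmode->validate($value, $config, $context);
                break;
            case 'movie':
            case 'src':
                // Both spellings are canonicalised to 'movie' and the URI is
                // validated as an embedded resource.
                $attr['name'] = 'movie';
                $attr['value'] = $this->uri->validate($value, $config, $context);
                break;
            case 'flashvars':
                // we're going to allow arbitrary inputs to the SWF, on
                // the reasoning that it could only hack the SWF, not us.
                break;
            // add other cases to support other param name/value pairs
            default:
                // Unknown (or missing) name: blank the pair entirely rather
                // than let an unvetted parameter reach the object.
                $attr['name'] = $attr['value'] = null;
        }
        return $attr;
    }
}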
// vim: et sw=4 sts=4