1<?php 2 3/** 4 * A "safe" object module. In theory, objects permitted by this module will 5 * be safe, and untrusted users can be allowed to embed arbitrary flash objects 6 * (maybe other types too, but only Flash is supported as of right now). 7 * Highly experimental. 8 */ 9class HTMLPurifier_HTMLModule_SafeObject extends HTMLPurifier_HTMLModule 10{ 11 /** 12 * @type string 13 */ 14 public $name = 'SafeObject'; 15 16 /** 17 * @param HTMLPurifier_Config $config 18 */ 19 public function setup($config) 20 { 21 // These definitions are not intrinsically safe: the attribute transforms 22 // are a vital part of ensuring safety. 23 24 $max = $config->get('HTML.MaxImgLength'); 25 $object = $this->addElement( 26 'object', 27 'Inline', 28 'Optional: param | Flow | #PCDATA', 29 'Common', 30 array( 31 // While technically not required by the spec, we're forcing 32 // it to this value. 33 'type' => 'Enum#application/x-shockwave-flash', 34 'width' => 'Pixels#' . $max, 35 'height' => 'Pixels#' . $max, 36 'data' => 'URI#embedded', 37 'codebase' => new HTMLPurifier_AttrDef_Enum( 38 array( 39 'http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0' 40 ) 41 ), 42 ) 43 ); 44 $object->attr_transform_post[] = new HTMLPurifier_AttrTransform_SafeObject(); 45 46 $param = $this->addElement( 47 'param', 48 false, 49 'Empty', 50 false, 51 array( 52 'id' => 'ID', 53 'name*' => 'Text', 54 'value' => 'Text' 55 ) 56 ); 57 $param->attr_transform_post[] = new HTMLPurifier_AttrTransform_SafeParam(); 58 $this->info_injector[] = 'SafeObject'; 59 } 60} 61 62// vim: et sw=4 sts=4 63