1<?php
2
3/**
4 * A "safe" script module. No inline JS is allowed, and pointed to JS
5 * files must match whitelist.
6 */
7class HTMLPurifier_HTMLModule_SafeScripting extends HTMLPurifier_HTMLModule
8{
9    /**
10     * @type string
11     */
12    public $name = 'SafeScripting';
13
14    /**
15     * @param HTMLPurifier_Config $config
16     */
17    public function setup($config)
18    {
19        // These definitions are not intrinsically safe: the attribute transforms
20        // are a vital part of ensuring safety.
21
22        $allowed = $config->get('HTML.SafeScripting');
23        $script = $this->addElement(
24            'script',
25            'Inline',
26            'Optional:', // Not `Empty` to not allow to autoclose the <script /> tag @see https://www.w3.org/TR/html4/interact/scripts.html
27            null,
28            array(
29                // While technically not required by the spec, we're forcing
30                // it to this value.
31                'type' => 'Enum#text/javascript',
32                'src*' => new HTMLPurifier_AttrDef_Enum(array_keys($allowed), /*case sensitive*/ true)
33            )
34        );
35        $script->attr_transform_pre[] =
36        $script->attr_transform_post[] = new HTMLPurifier_AttrTransform_ScriptRequired();
37    }
38}
39
40// vim: et sw=4 sts=4
41