mirror of
https://github.com/EGroupware/egroupware.git
synced 2024-12-05 14:20:40 +01:00
8f797be836
- can be used via html class like: $clean_html = html::purify($html); - using it now in eTemplate to remove malicious code from html: a) when displaying "formatted text" b) when "formatted text" get's input by the user
51 lines
1.5 KiB
PHP
Executable File
51 lines
1.5 KiB
PHP
Executable File
<?php
|
|
|
|
/**
|
|
* A "safe" object module. In theory, objects permitted by this module will
|
|
* be safe, and untrusted users can be allowed to embed arbitrary flash objects
|
|
* (maybe other types too, but only Flash is supported as of right now).
|
|
* Highly experimental.
|
|
*/
|
|
class HTMLPurifier_HTMLModule_SafeObject extends HTMLPurifier_HTMLModule
|
|
{
|
|
|
|
public $name = 'SafeObject';
|
|
|
|
public function setup($config) {
|
|
|
|
// These definitions are not intrinsically safe: the attribute transforms
|
|
// are a vital part of ensuring safety.
|
|
|
|
$max = $config->get('HTML', 'MaxImgLength');
|
|
$object = $this->addElement(
|
|
'object',
|
|
'Inline',
|
|
'Optional: param | Flow | #PCDATA',
|
|
'Common',
|
|
array(
|
|
// While technically not required by the spec, we're forcing
|
|
// it to this value.
|
|
'type' => 'Enum#application/x-shockwave-flash',
|
|
'width' => 'Pixels#' . $max,
|
|
'height' => 'Pixels#' . $max,
|
|
'data' => 'URI#embedded'
|
|
)
|
|
);
|
|
$object->attr_transform_post[] = new HTMLPurifier_AttrTransform_SafeObject();
|
|
|
|
$param = $this->addElement('param', false, 'Empty', false,
|
|
array(
|
|
'id' => 'ID',
|
|
'name*' => 'Text',
|
|
'value' => 'Text'
|
|
)
|
|
);
|
|
$param->attr_transform_post[] = new HTMLPurifier_AttrTransform_SafeParam();
|
|
$this->info_injector[] = 'SafeObject';
|
|
|
|
}
|
|
|
|
}
|
|
|
|
// vim: et sw=4 sts=4
|