1 | <?php |
||
2 | |||
3 | /** |
||
 * A "safe" script module. No inline JS is allowed: script content is dropped,
 * src is mandatory, and the JS file it points to must exactly match an entry
 * in the %HTML.SafeScripting whitelist (case-sensitive).
||
6 | */ |
||
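class HTMLPurifier_HTMLModule_SafeScripting extends HTMLPurifier_HTMLModule
{
    /**
     * @type string
     */
    public $name = 'SafeScripting';

    /**
     * Registers a restricted <script> element.
     *
     * Safety comes from several pieces working together, not from the
     * element definition on its own:
     *  - the content model is 'Optional:' with no permitted children, so any
     *    text inside <script>...</script> (i.e. inline JS) is discarded. It
     *    is deliberately not 'Empty': HTML's script element is not EMPTY
     *    (see the linked spec), so an autoclosed <script /> would not end
     *    the element and a browser would keep reading the following markup
     *    as script;
     *  - 'src' is mandatory (the trailing '*' is HTMLPurifier's
     *    required-attribute marker) and must be an exact, case-sensitive
     *    match against a key of %HTML.SafeScripting; any other value is
     *    rejected, and a <script> without a valid src is removed;
     *  - 'type' is pinned to text/javascript, and ScriptRequired runs both
     *    before and after attribute validation (its behaviour is defined
     *    outside this file; NOTE(review): confirm it does not widen what is
     *    accepted here).
     *
     * A missing, empty or non-array whitelist yields an empty enum, which
     * rejects every src: the module fails closed, never open.
     *
     * @param HTMLPurifier_Config $config
     */
    public function setup($config)
    {
        // These definitions are not intrinsically safe: the attribute transforms
        // are a vital part of ensuring safety.

        $allowed = $config->get('HTML.SafeScripting');
        // Fail closed: only an array contributes whitelist entries. A
        // misconfigured directive (null/false) must allow no src at all
        // rather than reach array_keys() with a non-array.
        $allowedSrc = is_array($allowed) ? array_keys($allowed) : array();

        $script = $this->addElement(
            'script',
            'Inline',
            'Optional:', // Not `Empty`: <script /> must never be emitted as a self-closed tag @see https://www.w3.org/TR/html4/interact/scripts.html
            null,
            array(
                // While technically not required by the spec, we're forcing
                // it to this value.
                'type' => 'Enum#text/javascript',
                // Exact, case-sensitive match against the whitelist keys. A
                // case-insensitive match could let a URL differing only in
                // case (a different path on a case-sensitive server) pass.
                'src*' => new HTMLPurifier_AttrDef_Enum($allowedSrc, /*case sensitive*/ true)
            )
        );
        $script->attr_transform_pre[] =
        $script->attr_transform_post[] = new HTMLPurifier_AttrTransform_ScriptRequired();
    }
}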
||
39 | |||
40 | // vim: et sw=4 sts=4 |
||
41 |