4 * A "safe" object module. In theory, objects permitted by this module will
5 * be safe, and untrusted users can be allowed to embed arbitrary flash objects
6 * (maybe other types too, but only Flash is supported as of right now).
9 class HTMLPurifier_HTMLModule_SafeObject extends HTMLPurifier_HTMLModule
12 public $name = 'SafeObject';
14 public function setup($config) {
16 // These definitions are not intrinsically safe: the attribute transforms
17 // are a vital part of ensuring safety.
19 $max = $config->get('HTML.MaxImgLength');
20 $object = $this->addElement(
23 'Optional: param | Flow | #PCDATA',
26 // While technically not required by the spec, we're forcing
28 'type' => 'Enum#application/x-shockwave-flash',
29 'width' => 'Pixels#' . $max,
30 'height' => 'Pixels#' . $max,
31 'data' => 'URI#embedded',
32 'classid' => 'Enum#clsid:d27cdb6e-ae6d-11cf-96b8-444553540000',
33 'codebase' => new HTMLPurifier_AttrDef_Enum(array(
34 'http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0')),
37 $object->attr_transform_post[] = new HTMLPurifier_AttrTransform_SafeObject();
39 $param = $this->addElement('param', false, 'Empty', false,
46 $param->attr_transform_post[] = new HTMLPurifier_AttrTransform_SafeParam();
47 $this->info_injector[] = 'SafeObject';