You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
40 lines
1.2 KiB
40 lines
1.2 KiB
<?php |
|
|
|
/** |
|
* A "safe" script module. No inline JS is allowed, and pointed to JS |
|
* files must match whitelist. |
|
*/ |
|
class HTMLPurifier_HTMLModule_SafeScripting extends HTMLPurifier_HTMLModule |
|
{ |
|
/** |
|
* @type string |
|
*/ |
|
public $name = 'SafeScripting'; |
|
|
|
/** |
|
* @param HTMLPurifier_Config $config |
|
*/ |
|
public function setup($config) |
|
{ |
|
// These definitions are not intrinsically safe: the attribute transforms |
|
// are a vital part of ensuring safety. |
|
|
|
$allowed = $config->get('HTML.SafeScripting'); |
|
$script = $this->addElement( |
|
'script', |
|
'Inline', |
|
'Optional:', // Not `Empty` to not allow to autoclose the <script /> tag @see https://www.w3.org/TR/html4/interact/scripts.html |
|
null, |
|
array( |
|
// While technically not required by the spec, we're forcing |
|
// it to this value. |
|
'type' => 'Enum#text/javascript', |
|
'src*' => new HTMLPurifier_AttrDef_Enum(array_keys($allowed), /*case sensitive*/ true) |
|
) |
|
); |
|
$script->attr_transform_pre[] = |
|
$script->attr_transform_post[] = new HTMLPurifier_AttrTransform_ScriptRequired(); |
|
} |
|
} |
|
|
|
// vim: et sw=4 sts=4
|
|
|