Admin Control Panel v2.0

✎ Editing: SafeScripting.php ← Back

<?php

/**

* A "safe" script module. No inline JS is allowed, and pointed to JS

* files must match whitelist.

class HTMLPurifier_HTMLModule_SafeScripting extends HTMLPurifier_HTMLModule

{

/**

* @type string

public $name = 'SafeScripting';

/**

* @param HTMLPurifier_Config $config

public function setup($config)

{

// These definitions are not intrinsically safe: the attribute transforms

// are a vital part of ensuring safety.

$allowed = $config->get('HTML.SafeScripting');

$script = $this->addElement(

'script',

'Inline',

'Empty',

null,

array(

// While technically not required by the spec, we're forcing

// it to this value.

'type' => 'Enum#text/javascript',

'src*' => new HTMLPurifier_AttrDef_Enum(array_keys($allowed))

)

);

$script->attr_transform_pre[] =

$script->attr_transform_post[] = new HTMLPurifier_AttrTransform_ScriptRequired();

}

// vim: et sw=4 sts=4

Cancel