mirror of
https://github.com/smogon/pokemon-showdown-client.git
synced 2026-03-22 18:15:55 -05:00
2105dc8e57
Closes #1567 The main reason I'm not simply merging Annika's PR is because this way makes it clearer that I'm taking responsibility for all this code, that it's mostly code I wrote, and also because it makes it easier to ensure that none of the files have been changed. (Not that I don't personally trust Annika, but I have something resembling an obligation to users not to expose them to risks based on personal trust.)
38 lines
1.0 KiB
PHP
38 lines
1.0 KiB
PHP
<?php
|
|
|
|
/**
|
|
* A "safe" script module. No inline JS is allowed, and pointed to JS
|
|
* files must match whitelist.
|
|
*/
|
|
class HTMLPurifier_HTMLModule_SafeScripting extends HTMLPurifier_HTMLModule
|
|
{
|
|
|
|
public $name = 'SafeScripting';
|
|
|
|
public function setup($config) {
|
|
|
|
// These definitions are not intrinsically safe: the attribute transforms
|
|
// are a vital part of ensuring safety.
|
|
|
|
$allowed = $config->get('HTML.SafeScripting');
|
|
$script = $this->addElement(
|
|
'script',
|
|
'Inline',
|
|
'Empty',
|
|
null,
|
|
array(
|
|
// While technically not required by the spec, we're forcing
|
|
// it to this value.
|
|
'type' => 'Enum#text/javascript',
|
|
'src*' => new HTMLPurifier_AttrDef_Enum(array_keys($allowed))
|
|
)
|
|
);
|
|
$script->attr_transform_pre[] =
|
|
$script->attr_transform_post[] = new HTMLPurifier_AttrTransform_ScriptRequired();
|
|
|
|
}
|
|
|
|
}
|
|
|
|
// vim: et sw=4 sts=4
|