htmlpurifier/HTMLPurifier.standalone.php  ÷ object ± param   εǵ ణ  Ͽ,
safeiframe.txt   iframe ϱ   ߰ Ͽϴ. 


ڡڡ HTMLPurifier.standalone.php   ڡڡ

class HTMLPurifier_AttrTransform_SafeParam extends HTMLPurifier_AttrTransform
{
    public $name = "SafeParam";
    private $uri;

    public function __construct() {
        $this->uri = new HTMLPurifier_AttrDef_URI(true); // embedded
        $this->wmode = new HTMLPurifier_AttrDef_Enum(array('window', 'opaque', 'transparent'));
    }

    public function transform($attr, $config, $context) {
        // If we add support for other objects, we'll need to alter the
        // transforms.
        switch (strtolower($attr['name'])) {
            // application/x-shockwave-flash
            // Keep this synchronized with Injector/SafeObject.php
            case 'allowscriptaccess':
                $attr['value'] = 'never';
                break;
            case 'allownetworking':
                $attr['value'] = 'internal';
                break;
            case 'allowfullscreen':
                //if ($config->get('HTML.FlashAllowFullScreen')) {
                //    $attr['value'] = ($attr['value'] == 'true') ? 'true' : 'false';
                //} else {
                //    $attr['value'] = 'false';
                //}
				$attr['value'] = 'true';
                break;
            case 'wmode':
                //$attr['value'] = $this->wmode->validate($attr['value'], $config, $context);
				$attr['value'] = "transparent";
                break;
            case 'movie':
            case 'src':
                $attr['name'] = "movie";
                $attr['value'] = $this->uri->validate($attr['value'], $config, $context);
                break;
            case 'flashvars':
                // we're going to allow arbitrary inputs to the SWF, on
                // the reasoning that it could only hack the SWF, not us.
                break;
            // add other cases to support other param name/value pairs
            default:
                $attr['name'] = $attr['value'] = null;
        }
        return $attr;
    }
}


HTMLPurifier_Injector_SafeObject Ŭ 

public function handleElement(&$token) {
        if ($token->name == 'object') {
            $this->objectStack[] = $token;
            $this->paramStack[] = array();
            $new = array($token);
            foreach ($this->addParam as $name => $value) {
                $new[] = new HTMLPurifier_Token_Empty('param', array('name' => $name, 'value' => $value));
            }
            $token = $new;
        } elseif ($token->name == 'param') {
            $nest = count($this->currentNesting) - 1;
            if ($nest >= 0 && $this->currentNesting[$nest]->name === 'object') {
                $i = count($this->objectStack) - 1;
                if (!isset($token->attr['name'])) {
					
                    $token = false;
                    return;
                }
                $n = $token->attr['name'];
                // We need this fix because YouTube doesn't supply a data
                // attribute, which we need if a type is specified. This is
                // *very* Flash specific.
                if (!isset($this->objectStack[$i]->attr['data']) &&
                    ($token->attr['name'] == 'movie' || $token->attr['name'] == 'src')) {
                    $this->objectStack[$i]->attr['data'] = $token->attr['value'];
                }
                // Check if the parameter is the correct value but has not
                // already been added
                if (
                    !isset($this->paramStack[$i][$n]) &&
                    isset($this->addParam[$n]) &&
                    $token->attr['name'] === $this->addParam[$n]
                ) {					
                    // keep token, and add to param stack
                    $this->paramStack[$i][$n] = true;
                } elseif (isset($this->allowedParam[$n])
					|| strtolower($n) == "allowfullscreen"
					|| strtolower($n) == "allowFullScreenInteractive"
					|| strtolower($n) == "wmode"
					) {
                    // keep token, don't do anything to it
                    // (could possibly check for duplicates here)
					$this->paramStack[$i][$n] = true;
                } else {
                    $token = false;

                }
            } else {
                // not directly inside an object, DENY!
				
                $token = false;
            }
        }
    }


ڡڡ safeiframe.txt ߰  ڡڡ

# iframe   ٿ ϳ .
#  ڿ  /  ٿּ.
www.youtube(?:-nocookie)?.com/
serviceapi.rmcnmv.naver.com/
videofarm.daum.net/
player.vimeo.com/
www.srook.net/
srook.net/
www.srook.com/
srook.com/
www.srook.co.kr/
srook.co.kr/


