merge changes of luminous to maserati (~r12676)

git-svn-id: http://xe-core.googlecode.com/svn/branches/maserati@12680 201d5d3c-b55e-5fd7-737f-ddc643e51545
2026-01-08 03:01:43 +09:00 · 2013-02-04 08:09:07 +00:00 · 2013-02-04 08:09:07 +00:00 · 0f04bd3f92
commit 0f04bd3f92
parent 507cf2ecbf 6ada9a3639
50 changed files with 784 additions and 265 deletions
--- a/classes/security/EmbedFilter.class.php
+++ b/classes/security/EmbedFilter.class.php
@ -3,6 +3,16 @@ include _XE_PATH_ . 'classes/security/phphtmlparser/src/htmlparser.inc';

 class EmbedFilter
 {
+	/**
+	 * allow script access list
+	 * @var array
+	 */
+	var $allowscriptaccessList = array();
+	/**
+	 * allow script access key
+	 * @var int
+	 */
+	var $allowscriptaccessKey = 0;
 	var $whiteUrlXmlFile = './classes/security/conf/embedWhiteUrl.xml';
 	var $whiteUrlCacheFile = './files/cache/embedfilter/embedWhiteUrl.php';
 	var $whiteUrlList = array();
@ -285,6 +295,9 @@ class EmbedFilter
 	 */
 	function check(&$content)
 	{
+		$content = preg_replace_callback('/<(object|param|embed)[^>]*/is', array($this, '_checkAllowScriptAccess'), $content);
+		$content = preg_replace_callback('/<object[^>]*>/is', array($this, '_addAllowScriptAccess'), $content);
+
 		$this->checkObjectTag($content);
 		$this->checkEmbedTag($content);
 		$this->checkIframeTag($content);
@ -543,6 +556,49 @@ class EmbedFilter
 		return false;
 	}

+	function _checkAllowScriptAccess($m)
+	{
+		if($m[1] == 'object')
+		{
+			$this->allowscriptaccessList[] = 1;
+		}
+
+		if($m[1] == 'param')
+		{
+			if(strpos(strtolower($m[0]), 'allowscriptaccess'))
+			{
+				$m[0] = '<param name="allowscriptaccess" value="never"';
+				if(substr($m[0], -1) == '/')
+				{
+					$m[0] .= '/';
+				}
+				$this->allowscriptaccessList[count($this->allowscriptaccessList)-1]--;
+			}
+		}
+		else if($m[1] == 'embed')
+		{
+			if(strpos(strtolower($m[0]), 'allowscriptaccess'))
+			{
+				$m[0] = preg_replace('/always|samedomain/i', 'never', $m[0]);
+			}
+			else
+			{
+				$m[0] = preg_replace('/\<embed/i', '<embed allowscriptaccess="never"', $m[0]);
+			}
+		}
+		return $m[0];
+	}
+
+	function _addAllowScriptAccess($m)
+	{
+		if($this->allowscriptaccessList[$this->allowscriptaccessKey] == 1)
+		{
+			$m[0] = $m[0].'<param name="allowscriptaccess" value="never"></param>';
+		}
+		$this->allowscriptaccessKey++;
+		return $m[0];
+	}
+
 	/**
 	 * Make white domain list cache file from xml config file.
 	 * @return void