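'; } if (params.type == 'text/html') { this.extraparams += ''; } else if (params.type == 'application/x-shockwave-flash') { this.extraparams += ''; } }, escape: function(str) { if (typeof str != "string") return str; str = str.replace(/&/g, '&', str); str = str.replace(/&/g, '&', str); str = str.replace(/"/g, '"e;', str); str = str.replace(/'/g, ''', str); return str; } }); */
/**
 * Helpers for extracting a safe, normalised description of an embedded
 * media object (<object> / <embed>) out of untrusted markup.
 */
class mediaUtils
{
    // Upper bounds applied to the width/height of an accepted object; a
    // missing, non-positive or larger value is replaced by the maximum.
    const MAX_WIDTH = 640;
    const MAX_HEIGHT = 480;

    /**
     * Accepted MIME types for standard objects (allowlist, exact match).
     */
    protected static $allowed_object_types = array(
        'text/html',
        'image/jpeg',
        'image/png',
        'image/gif',
        'application/x-shockwave-flash',
    );

    /**
     * Parameters accepted in standard objects. The value is either a closed
     * list of accepted values (compared case-insensitively) or 'string' for a
     * free-form value that is passed through unchanged.
     */
    protected static $allowed_object_params = array(
        'allowfullscreen' => array('true', 'false'),
        'flashvars' => 'string',
    );

    /**
     * Checks a string for an <embed> or <object> tag and extracts its parameters.
     *
     * WARNING: the content of free-form parameters ('string' entries in
     * $allowed_object_params, e.g. flashvars) is not validated here; the
     * renderer must escape them for the attribute context it emits.
     *
     * Fixes relative to the previous version:
     *  - the parameter allowlist was inverted (value kept only when NOT in the
     *    accepted list);
     *  - the "swf" type inference wrote to $info instead of $infos, so it never
     *    applied and typeless .swf URLs were rejected;
     *  - <param name="movie"> wrote to $params['data'], which the allowlist
     *    always dropped, so the fallback never produced a data URL.
     *
     * @param string $str markup to inspect (untrusted)
     * @return array|false array{data:string, type:string, width:int, height:int,
     *                     params:array<string,string>} or false when no usable
     *                     object is found or it fails validation
     */
    public static function checkStringForStandardObject($str)
    {
        $infos = array('params' => array());
        $params = array();

        // NOTE(review): the three tag patterns below were unreadable in the
        // source as received (the tag names had been stripped); they are
        // reconstructed from the attributes each branch handles
        // (src -> <embed>, data -> <object>, name/value -> <param>).
        // TODO confirm against the original file.
        // Attribute values stop at a quote or a space, so a value can never
        // close the quote of an attribute it is later rendered into.
        $attr_re = '!([a-z]+)\s*=\s*[\'"]?([^\'" ]*)[\'"]?!i';

        if (preg_match('!<embed[^>]+>!i', $str, $match)) {
            // <embed ...>: everything is carried by attributes, src is the data URL;
            // any other attribute becomes a candidate parameter.
            preg_match_all($attr_re, $match[0], $attrs, PREG_SET_ORDER);
            foreach ($attrs as $attr) {
                // attribute names are matched case-insensitively, so normalise
                $name = strtolower($attr[1]);
                switch ($name) {
                    case 'type':
                        $infos['type'] = strtolower($attr[2]);
                        break;
                    case 'src':
                        $infos['data'] = $attr[2];
                        break;
                    case 'width':
                    case 'height':
                        $infos[$name] = (int)$attr[2];
                        break;
                    default:
                        $params[$name] = $attr[2];
                        break;
                }
            }
        } elseif (preg_match('!(<object[^>]+>)(.*)</object>!is', $str, $match)) {
            // <object ...>...</object>: attributes on the opening tag, plus
            // nested <param name=... value=...> elements in the body.
            preg_match_all($attr_re, $match[1], $attrs, PREG_SET_ORDER);
            foreach ($attrs as $attr) {
                $name = strtolower($attr[1]);
                switch ($name) {
                    case 'type':
                        $infos['type'] = strtolower($attr[2]);
                        break;
                    case 'data':
                        $infos['data'] = $attr[2];
                        break;
                    case 'width':
                    case 'height':
                        $infos[$name] = (int)$attr[2];
                        break;
                    default:
                        // other <object> attributes are ignored (unlike <embed>)
                        break;
                }
            }

            preg_match_all('!<param[^>]+>!i', $match[2], $param_tags, PREG_SET_ORDER);
            foreach ($param_tags as $tag) {
                $name = $value = false;
                if (preg_match('!name\s*=\s*[\'"]?([^\'" ]*)[\'"]!i', $tag[0], $sub)) {
                    $name = strtolower($sub[1]);
                }
                if (preg_match('!value\s*=\s*[\'"]?([^\'" ]*)[\'"]!i', $tag[0], $sub)) {
                    $value = $sub[1];
                }
                if ($name === 'movie') {
                    // <param name="movie"> is only a fallback for the data URL;
                    // the data attribute wins when both are present, and the
                    // movie entry is never kept as an ordinary parameter.
                    if (empty($infos['data']) && !empty($value)) {
                        $infos['data'] = $value;
                    }
                    continue;
                }
                if (!empty($name) && !empty($value)) {
                    $params[$name] = $value;
                }
            }
        }

        if (empty($infos['data'])) {
            return false;
        }
        if (!utils::isUrlValid($infos['data'])) {
            return false;
        }

        // Loose heuristic: an untyped URL containing "swf" anywhere is treated
        // as Flash; the type must still pass the allowlist below.
        if (empty($infos['type']) && preg_match('!swf!i', $infos['data'])) {
            $infos['type'] = 'application/x-shockwave-flash';
        }
        if (empty($infos['type'])) {
            return false;
        }
        if (!in_array($infos['type'], self::$allowed_object_types, true)) {
            return false;
        }

        // Clamp dimensions: missing, non-positive or oversized -> maximum.
        if (empty($infos['width']) || $infos['width'] < 1 || $infos['width'] > self::MAX_WIDTH) {
            $infos['width'] = self::MAX_WIDTH;
        }
        if (empty($infos['height']) || $infos['height'] < 1 || $infos['height'] > self::MAX_HEIGHT) {
            $infos['height'] = self::MAX_HEIGHT;
        }

        // Keep only allowlisted parameters; keys are stored lowercased so that
        // differently-cased duplicates collapse onto one entry.
        foreach ($params as $key => $value) {
            $lkey = strtolower($key);
            if (!array_key_exists($lkey, self::$allowed_object_params)) {
                continue;
            }
            $allowed = self::$allowed_object_params[$lkey];
            if (is_array($allowed)) {
                // closed set of accepted values: keep only when the value IS in it
                if (in_array(strtolower($value), $allowed, true)) {
                    $infos['params'][$lkey] = $value;
                }
            } elseif ($allowed === 'string') {
                // free-form value, passed through unchecked (see WARNING above)
                $infos['params'][$lkey] = (string)$value;
            }
        }

        return $infos;
    }
}
?>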