function _filter_xss_split

Processes an HTML tag.

Parameters

$m: An array whose meaning depends on the value of $store. If $store is TRUE, the array contains the allowed tag names. If $store is FALSE, the array has one element, the HTML tag to process.

$store: Whether to store $m.

Return value

If the element isn't allowed, an empty string. Otherwise, the cleaned up version of the HTML element.

Related topics

1 call to _filter_xss_split()
filter_xss in includes/common.inc
Filters HTML to prevent cross-site-scripting (XSS) vulnerabilities.
1 string reference to '_filter_xss_split'
filter_xss in includes/common.inc
Filters HTML to prevent cross-site-scripting (XSS) vulnerabilities.

File

includes/common.inc, line 1587

Code

function _filter_xss_split($m, $store = FALSE) {
    static $allowed_html;
    if ($store) {
        $allowed_html = array_flip($m);
        return;
    }
    $string = $m[1];
    if (substr($string, 0, 1) != '<') {
        // We matched a lone ">" character.
        return '&gt;';
    }
    elseif (strlen($string) == 1) {
        // We matched a lone "<" character.
        return '&lt;';
    }
    if (!preg_match('%^<\\s*(/\\s*)?([a-zA-Z0-9\\-]+)\\s*([^>]*)>?|(<!--.*?-->)$%', $string, $matches)) {
        // Seriously malformed.
        return '';
    }
    $slash = trim($matches[1]);
    $elem =& $matches[2];
    $attrlist =& $matches[3];
    $comment =& $matches[4];
    if ($comment) {
        $elem = '!--';
    }
    if (!isset($allowed_html[strtolower($elem)])) {
        // Disallowed HTML element.
        return '';
    }
    if ($comment) {
        return $comment;
    }
    if ($slash != '') {
        return "</{$elem}>";
    }
    // Is there a closing XHTML slash at the end of the attributes?
    $attrlist = preg_replace('%(\\s?)/\\s*$%', '\\1', $attrlist, -1, $count);
    $xhtml_slash = $count ? ' /' : '';
    // Clean up attributes.
    $attr2 = implode(' ', _filter_xss_attributes($attrlist));
    $attr2 = preg_replace('/[<>]/', '', $attr2);
    $attr2 = strlen($attr2) ? ' ' . $attr2 : '';
    return "<{$elem}{$attr2}{$xhtml_slash}>";
}
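The two-phase calling convention that the $m and $store parameters describe, shown as an added example (not part of this page or of Drupal's own source). It assumes it runs inside a bootstrapped Drupal 7 site (for example via `drush php-script`) so that _filter_xss_split() and _filter_xss_attributes() from includes/common.inc are already loaded; the tokenizer pattern is the one filter_xss() passes to preg_replace_callback() in Drupal 7, reproduced from memory, so check it against your copy of common.inc.

```php
<?php
// Added example: drive _filter_xss_split() the way filter_xss() does.
// Assumes a bootstrapped Drupal 7 (run with `drush php-script`), so the
// callback and _filter_xss_attributes() are already defined.

// Constructed input: allowed tags, a disallowed tag, an event-handler
// attribute, an HTML comment, stray angle brackets and a self-closing tag.
$input = '<p class="x" onclick="alert(1)">Hi <b>there</b></p>'
       . '<script>evil()</script><!-- note --> 1 < 2 > 0 <br />';

// Phase 1: $store = TRUE. $m is the list of allowed tag names; the
// function caches them in its static $allowed_html and returns nothing.
// The cache lives only for this PHP process, which is why filter_xss()
// repeats this call on every invocation.
$allowed_tags = array('p', 'b', 'br');
_filter_xss_split($allowed_tags, TRUE);

// Phase 2: $store = FALSE (the default). preg_replace_callback() hands
// every token to _filter_xss_split() as $m, with $m[1] holding the
// matched substring: a lone "<", a comment, a whole tag, or a lone ">".
// Tokenizer pattern as used by filter_xss() in Drupal 7 (from memory).
$tokenizer = '%
  (
  <(?=[^a-zA-Z!/])  # a lone <
  |                 # or
  <!--.*?-->        # a comment
  |                 # or
  <[^>]*(>|$)       # a string that starts with a <, up until the > or the end of the string
  |                 # or
  >                 # just a >
  )%x';

$clean = preg_replace_callback($tokenizer, '_filter_xss_split', $input);

// The <p> keeps class="x" but loses onclick, <script> and the comment are
// dropped (their text content stays), the bare "<" and ">" become entities,
// and <br /> keeps its XHTML slash.
print $clean . "\n";
```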
