Home » API reference » filter.module

_filter_xss_split

Versions
4.6 – 7
_filter_xss_split($m, $store = FALSE)

Processes an HTML tag.

Parameters

@m An array with various meaning depending on the value of $store. If $store is TRUE then the array contains the allowed tags. If $store is FALSE then the array has one element, the HTML tag to process.

$store Whether to store $m.

Return value

If the element isn't allowed, an empty string. Otherwise, the cleaned up version of the HTML element.

▸ 1 function calls _filter_xss_split()

▾ 1 function calls _filter_xss_split()

filter_xss in modules/filter.module
Filters XSS. Based on kses by Ulf Harnhammar, see http://sourceforge.net/projects/kses

Code

modules/filter.module, line 1066

<?php
function _filter_xss_split($m, $store = FALSE) {
  static $allowed_html;

  if ($store) {
    $allowed_html = array_flip($m);
    return;
  }

  $string = $m[1];

  if (substr($string, 0, 1) != '<') {
    // We matched a lone ">" character
    return '&gt;';
  }

  if (!preg_match('%^<\s*(/\s*)?([a-zA-Z0-9]+)([^>]*)>?$%', $string, $matches)) {
    // Seriously malformed
    return '';
  }

  $slash = trim($matches[1]);
  $elem = &$matches[2];
  $attrlist = &$matches[3];

  if (!isset($allowed_html[strtolower($elem)])) {
    // Disallowed HTML element
    return '';
  }

  if ($slash != '') {
    return "</$elem>";
  }
  // Is there a closing XHTML slash at the end of the attributes?
  $xhtml_slash = preg_match('%\s/\s*$%', $attr) ? '/' : '';

  // Clean up attributes
  $attr2 = implode(' ', _filter_xss_attributes($attrlist));
  $attr2 = preg_replace('/[<>]/', '', $attr2);

  return "<$elem $attr2$xhtml_slash>";
}
?>
Login or register to post comments
 
 

All source code and documentation on this site is released under the terms of the GNU General Public License, version 2 and later. Drupal is a registered trademark of Dries Buytaert.