class HtmlSerializerRules

Same name in other branches
  1. 11.x core/lib/Drupal/Component/Utility/HtmlSerializerRules.php \Drupal\Component\Utility\HtmlSerializerRules

Drupal-specific HTML5 serializer rules.

Drupal's XSS filtering cannot handle entities inside element attribute values. The XSS filtering was written based on W3C XML recommendations, which stipulated that the ampersand character (&) and the angle brackets (< and >) must not appear in their literal form in attribute values. This differs from the HTML living standard, which permits angle brackets.

Hierarchy

  • class \Drupal\Component\Utility\HtmlSerializerRules extends \Masterminds\HTML5\Serializer\OutputRules

See also

core/modules/ckeditor5/js/ckeditor5_plugins/drupalHtmlEngine/src/drupalhtmlbuilder.js

File

core/lib/Drupal/Component/Utility/HtmlSerializerRules.php, line 23

Namespace

Drupal\Component\Utility
class HtmlSerializerRules extends OutputRules {
    
    /**
     * {@inheritdoc}
     */
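    protected function escape($text, $attribute = FALSE) {
        // Apply the parent serializer's escaping first.
        $text = parent::escape($text, $attribute);
        if ($attribute) {
            // Also encode angle brackets in attribute values, so Drupal's XSS
            // filtering never receives them in literal form.
            $text = strtr($text, [
                '<' => '&lt;',
                '>' => '&gt;',
            ]);
        }
        return $text;
    }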

}
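
The effect of the extra attribute escaping described above, as an added example that is not part of Drupal or of the Masterminds library. The function names, the simplified tokenizer (a stand-in for a filter written on the XML-era assumption, not Drupal's own filter) and the sample value are all constructed for illustration.

```php
<?php
// Stand-in for attribute escaping that leaves "<" and ">" literal, as the
// HTML syntax permits (constructed for this example, not the parent class).
function escape_attr_html(string $text): string {
  return strtr($text, ['&' => '&amp;', '"' => '&quot;']);
}

// Adds the step HtmlSerializerRules::escape() applies to attribute values.
function escape_attr_drupal(string $text): string {
  return strtr(escape_attr_html($text), ['<' => '&lt;', '>' => '&gt;']);
}

// Hypothetical filter-side tokenizer built on the XML-era assumption that
// the first ">" after "<" closes the tag. Not Drupal's XSS filter.
function split_tags(string $html): array {
  preg_match_all('/<[^>]*>|[^<]+/', $html, $matches);
  return $matches[0];
}

// Constructed sample attribute value.
$value = 'a > b & "c"';

foreach (['escape_attr_html', 'escape_attr_drupal'] as $escape) {
  $escaped = $escape($value);
  $html = '<span title="' . $escaped . '">text</span>';
  echo $escape, ":\n  ", $html, "\n";
  foreach (split_tags($html) as $i => $token) {
    echo "  token $i: ", $token, "\n";
  }
  // Both forms decode back to the same attribute value in an HTML parser.
  $same = html_entity_decode($escaped, ENT_QUOTES | ENT_HTML5) === $value;
  echo '  round-trips: ', $same ? 'yes' : 'no', "\n";
}
```

With the first function the tokenizer ends the tag inside the attribute value and treats the remainder as text; with the second the whole tag arrives as one token, and the decoded attribute value is unchanged.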

Members

Title | Modifiers | Object type | Summary
HtmlSerializerRules::escape | protected | function |
