class FieldFilteredMarkup

Same name in other branches
  1. 9 core/lib/Drupal/Core/Field/FieldFilteredMarkup.php \Drupal\Core\Field\FieldFilteredMarkup
  2. 8.9.x core/lib/Drupal/Core/Field/FieldFilteredMarkup.php \Drupal\Core\Field\FieldFilteredMarkup
  3. 11.x core/lib/Drupal/Core/Field/FieldFilteredMarkup.php \Drupal\Core\Field\FieldFilteredMarkup

Defines an object that passes safe strings through the Field system.

This object filters the string against a very restrictive allow-list of HTML tags (see allowedTags()) at the moment it is created, so the resulting markup can be printed without further escaping.

@internal This object is marked as internal because it should only be used by the Field module and field-related plugins.

Hierarchy

Expanded class hierarchy of FieldFilteredMarkup

See also

\Drupal\Core\Render\Markup

12 files declare their use of FieldFilteredMarkup
FieldConfigEditForm.php in core/modules/field_ui/src/Form/FieldConfigEditForm.php
FieldFilteredMarkupTest.php in core/tests/Drupal/Tests/Core/Field/FieldFilteredMarkupTest.php
file.module in core/modules/file/file.module
Defines a "managed_file" Form API field and a "file" field for Field module.
ListFloatItem.php in core/modules/options/src/Plugin/Field/FieldType/ListFloatItem.php
ListIntegerItem.php in core/modules/options/src/Plugin/Field/FieldType/ListIntegerItem.php


File

core/lib/Drupal/Core/Field/FieldFilteredMarkup.php, line 22

Namespace

Drupal\Core\Field
View source

namespace Drupal\Core\Field;

use Drupal\Component\Render\MarkupInterface;
use Drupal\Component\Render\MarkupTrait;
use Drupal\Component\Utility\Html;
use Drupal\Component\Utility\Xss;

final class FieldFilteredMarkup implements MarkupInterface, \Countable {
    use MarkupTrait;
    
    /**
     * Overrides \Drupal\Component\Render\MarkupTrait::create().
     *
     * @return string|\Drupal\Component\Render\MarkupInterface
     *   A safe string filtered with the allowed tag list and normalized.
     *
     * @see \Drupal\Core\Field\FieldFilteredMarkup::allowedTags()
     * @see \Drupal\Component\Utility\Xss::filter()
     * @see \Drupal\Component\Utility\Html::normalize()
     */
    public static function create($string) {
        $string = (string) $string;
        if ($string === '') {
            return '';
        }
        $safe_string = new static();
        // All known XSS vectors are filtered out by
        // \Drupal\Component\Utility\Xss::filter(), all tags in the markup are
        // allowed intentionally by the trait, and no danger is added in by
        // \Drupal\Component\Utility\Html::normalize(). Since the normalized value
        // is essentially the same markup, designate this string as safe as well.
        // This method is an internal part of field sanitization, so the resultant,
        // sanitized string should be printable as is.
        $safe_string->string = Html::normalize(Xss::filter($string, static::allowedTags()));
        return $safe_string;
    }
    
    /**
     * Returns the allowed tag list.
     *
     * @return string[]
     *   A list of allowed tags.
     */
    public static function allowedTags() {
        return [
            'a',
            'b',
            'big',
            'code',
            'del',
            'em',
            'i',
            'ins',
            'pre',
            'q',
            'small',
            'span',
            'strong',
            'sub',
            'sup',
            'tt',
            'ol',
            'ul',
            'li',
            'p',
            'br',
            'img',
        ];
    }
    
    /**
     * Returns a human-readable list of allowed tags for display in help texts.
     *
     * @return string
     *   A human-readable list of allowed tags for display in help texts.
     */
    public static function displayAllowedTags() {
        return '<' . implode('> <', static::allowedTags()) . '>';
    }

}
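The following is an added usage example; it is not code from Drupal core or from this page. It shows how a field-related plugin would use FieldFilteredMarkup::create() on site-builder-entered help text and FieldFilteredMarkup::displayAllowedTags() to tell the user which tags survive. The module name my_module, the function name and the sample inputs are assumptions made for this example.

```php
<?php

// Added example (not part of Drupal core): build the settings-form elements
// for a site-builder-entered help text and its sanitized preview.
// my_module and my_module_help_text_elements() are invented names.

use Drupal\Core\Field\FieldFilteredMarkup;

/**
 * Returns form elements for editing and previewing field help text.
 *
 * @param string $help_text
 *   Raw text typed into a field settings form by a site builder.
 *
 * @return array
 *   A render array: a textfield for the raw text and a preview item whose
 *   '#markup' is safe to print as HTML.
 */
function my_module_help_text_elements(string $help_text): array {
  // create() returns '' for an empty string and a MarkupInterface object
  // otherwise; both are acceptable values for '#markup'. The object is not
  // escaped again by the renderer, because the class itself guarantees that
  // Xss::filter() with allowedTags() and Html::normalize() have already run.
  $safe = FieldFilteredMarkup::create($help_text);

  return [
    'help_text' => [
      '#type' => 'textfield',
      '#title' => t('Help text'),
      '#default_value' => $help_text,
      // '@tags' is escaped by t(), so the tag names are shown literally.
      '#description' => t('Allowed HTML tags: @tags', [
        '@tags' => FieldFilteredMarkup::displayAllowedTags(),
      ]),
    ],
    'preview' => [
      '#type' => 'item',
      '#title' => t('Preview'),
      '#markup' => $safe,
    ],
  ];
}

// Constructed sample inputs and what create() does with them:
// '<strong>Required</strong> for <a href="/help">publishing</a>'
//   -> <strong> and <a> are in allowedTags() and are kept.
// '<script>alert(1)</script><em onclick="x()">Note</em>'
//   -> <script> is not an allowed tag, so Xss::filter() removes the tag and
//      only its text content remains as plain text; <em> is kept but its
//      onclick attribute is stripped because event-handler attributes are
//      never allowed.
// ''
//   -> create() returns the empty string '' rather than a markup object.
```

Pass the raw, unfiltered string to storage and filter on output as shown here; filtering once at render time with a fixed allow-list keeps the stored value intact while ensuring the printed markup never carries script or event-handler attributes.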

Members

| Title | Modifiers | Object type | Summary | Overrides |
|---|---|---|---|---|
| FieldFilteredMarkup::allowedTags | public static | function | Returns the allowed tag list. | |
| FieldFilteredMarkup::create | public static | function | Overrides \Drupal\Component\Render\MarkupTrait::create(). | MarkupTrait::create |
| FieldFilteredMarkup::displayAllowedTags | public static | function | Returns a human-readable list of allowed tags for display in help texts. | |
| MarkupTrait::$string | protected | property | The safe string. | |
| MarkupTrait::count | public | function | Returns the string length. | |
| MarkupTrait::jsonSerialize | public | function | Returns a representation of the object for use in JSON serialization. | |
| MarkupTrait::__toString | public | function | Returns the string version of the Markup object. | |
