Same name and namespace in other branches
- 10 core/lib/Drupal/Core/Field/FieldFilteredMarkup.php \Drupal\Core\Field\FieldFilteredMarkup
- 9 core/lib/Drupal/Core/Field/FieldFilteredMarkup.php \Drupal\Core\Field\FieldFilteredMarkup
Defines an object that passes safe strings through the Field system.
This object filters the string using a very restrictive tag list when it is created.
@internal This object is marked as internal because it should only be used by the Field module and field-related plugins.
Hierarchy
- class \Drupal\Core\Field\FieldFilteredMarkup implements \Drupal\Core\Field\Countable, MarkupInterface uses MarkupTrait
Expanded class hierarchy of FieldFilteredMarkup
See also
13 files declare their use of FieldFilteredMarkup
- AllowedTagsXssTraitDeprecateTest.php in core/
tests/ Drupal/ Tests/ Core/ Field/ AllowedTagsXssTraitDeprecateTest.php - FieldConfigEditForm.php in core/
modules/ field_ui/ src/ Form/ FieldConfigEditForm.php - FieldFilteredMarkupTest.php in core/
tests/ Drupal/ Tests/ Core/ Field/ FieldFilteredMarkupTest.php - file.field.inc in core/
modules/ file/ file.field.inc - Field module functionality for the File module.
- ListFloatItem.php in core/
modules/ options/ src/ Plugin/ Field/ FieldType/ ListFloatItem.php
File
- core/
lib/ Drupal/ Core/ Field/ FieldFilteredMarkup.php, line 22
Namespace
Drupal\Core\FieldView source
final class FieldFilteredMarkup implements MarkupInterface, \Countable {
use MarkupTrait;
/**
* Overrides \Drupal\Component\Render\MarkupTrait::create().
*
* @return string|\Drupal\Component\Render\MarkupInterface
* A safe string filtered with the allowed tag list and normalized.
*
* @see \Drupal\Core\Field\FieldFilteredMarkup::allowedTags()
* @see \Drupal\Component\Utility\Xss::filter()
* @see \Drupal\Component\Utility\Html::normalize()
*/
public static function create($string) {
$string = (string) $string;
if ($string === '') {
return '';
}
$safe_string = new static();
// All known XSS vectors are filtered out by
// \Drupal\Component\Utility\Xss::filter(), all tags in the markup are
// allowed intentionally by the trait, and no danger is added in by
// \Drupal\Component\Utility\HTML::normalize(). Since the normalized value
// is essentially the same markup, designate this string as safe as well.
// This method is an internal part of field sanitization, so the resultant,
// sanitized string should be printable as is.
$safe_string->string = Html::normalize(Xss::filter($string, static::allowedTags()));
return $safe_string;
}
/**
* Returns the allowed tag list.
*
* @return string[]
* A list of allowed tags.
*/
public static function allowedTags() {
return [
'a',
'b',
'big',
'code',
'del',
'em',
'i',
'ins',
'pre',
'q',
'small',
'span',
'strong',
'sub',
'sup',
'tt',
'ol',
'ul',
'li',
'p',
'br',
'img',
];
}
/**
* Returns a human-readable list of allowed tags for display in help texts.
*
* @return string
* A human-readable list of allowed tags for display in help texts.
*/
public static function displayAllowedTags() {
return '<' . implode('> <', static::allowedTags()) . '>';
}
}Members
Name |
Modifiers | Type | Description | Overrides |
|---|---|---|---|---|
|
FieldFilteredMarkup:: |
public static | function | Returns the allowed tag list. | |
|
FieldFilteredMarkup:: |
public static | function |
Overrides \Drupal\Component\Render\MarkupTrait::create(). Overrides MarkupTrait:: |
|
|
FieldFilteredMarkup:: |
public static | function | Returns a human-readable list of allowed tags for display in help texts. | |
|
MarkupTrait:: |
protected | property | The safe string. | |
|
MarkupTrait:: |
public | function | Returns the string length. | |
|
MarkupTrait:: |
public | function | Returns a representation of the object for use in JSON serialization. | |
|
MarkupTrait:: |
public | function | Returns the string version of the Markup object. |
