Same name and namespace in other branches

1. 9 core/modules/editor/src/EditorXssFilter/Standard.php \Drupal\editor\EditorXssFilter\Standard::filterXssDataAttributes()
2. 10 core/modules/editor/src/EditorXssFilter/Standard.php \Drupal\editor\EditorXssFilter\Standard::filterXssDataAttributes()
3. 11.x core/modules/editor/src/EditorXssFilter/Standard.php \Drupal\editor\EditorXssFilter\Standard::filterXssDataAttributes()

Applies a very permissive XSS/HTML filter to data-attributes.

Parameters

string $html: The string to apply the data-attributes filtering to.

Return value

string The filtered string.

1 call to Standard::filterXssDataAttributes()

Standard::filterXss in core/modules/editor/src/EditorXssFilter/Standard.php

Filters HTML to prevent XSS attacks when a user edits it in a text editor.

File

core/modules/editor/src/EditorXssFilter/Standard.php, line 101

Class

Standard

Defines the standard text editor XSS filter.

Namespace

Drupal\editor\EditorXssFilter

Code

protected static function filterXssDataAttributes($html) {
    if (stristr($html, 'data-') !== FALSE) {
        $dom = Html::load($html);
        $xpath = new \DOMXPath($dom);
        foreach ($xpath->query('//@*[starts-with(name(.), "data-")]') as $node) {
            // The data-attributes contain an HTML-encoded value, so we need to
            // decode the value, apply XSS filtering and then re-save as encoded
            // value. There is no need to explicitly decode $node->value, since the
            // DOMAttr::value getter returns the decoded value.
            $value = Xss::filterAdmin($node->value);
            $node->value = Html::escape($value);
        }
        $html = Html::serialize($dom);
    }
    return $html;
}

---