function Standard::filterXssDataAttributes
Same name in other branches
- 9 core/modules/editor/src/EditorXssFilter/Standard.php \Drupal\editor\EditorXssFilter\Standard::filterXssDataAttributes()
- 10 core/modules/editor/src/EditorXssFilter/Standard.php \Drupal\editor\EditorXssFilter\Standard::filterXssDataAttributes()
- 11.x core/modules/editor/src/EditorXssFilter/Standard.php \Drupal\editor\EditorXssFilter\Standard::filterXssDataAttributes()
Applies a very permissive XSS/HTML filter (Xss::filterAdmin()) to the decoded values of data-* attributes, then re-encodes them.
Parameters
string $html: The string to apply the data-attributes filtering to.
Return value
string The filtered string.
1 call to Standard::filterXssDataAttributes()
- Standard::filterXss in core/modules/editor/src/EditorXssFilter/Standard.php - Filters HTML to prevent XSS attacks when a user edits it in a text editor.
File
- core/modules/editor/src/EditorXssFilter/Standard.php, line 101
Class
- Standard
- Defines the standard text editor XSS filter.
Namespace
Drupal\editor\EditorXssFilter
Code
// Html and Xss are \Drupal\Component\Utility\Html and \Drupal\Component\Utility\Xss,
// imported at the top of Standard.php.
protected static function filterXssDataAttributes($html) {
  if (stristr($html, 'data-') !== FALSE) {
    $dom = Html::load($html);
    $xpath = new \DOMXPath($dom);
    foreach ($xpath->query('//@*[starts-with(name(.), "data-")]') as $node) {
      // The data-attributes contain an HTML-encoded value, so we need to
      // decode the value, apply XSS filtering and then re-save as encoded
      // value. There is no need to explicitly decode $node->value, since the
      // DOMAttr::value getter returns the decoded value.
      $value = Xss::filterAdmin($node->value);
      $node->value = Html::escape($value);
    }
    $html = Html::serialize($dom);
  }
  return $html;
}
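The method above only makes sense once you see what the attribute value looks like before and after the round trip. The following stand-alone PHP script is an added example, not Drupal code: it keeps the exact control flow of filterXssDataAttributes() (stristr() short-circuit, the same XPath over data-* attributes, decode via the DOMAttr::value getter, filter, htmlspecialchars() before re-saving, as Html::escape() does) but replaces the three Drupal helpers it cannot import with assumed local ones. loadFragment()/serializeFragment() stand in for Html::load()/Html::serialize(), and allowlistFilter() is a deliberately strict DOM-based sanitizer standing in for Xss::filterAdmin(), whose real allow-list is far more permissive. The input string is constructed for the demonstration.

```php
<?php
// Added example: stand-alone reproduction of the decode -> filter -> re-encode
// round trip in Standard::filterXssDataAttributes(). Needs only ext/dom.
// loadFragment(), serializeFragment() and allowlistFilter() are assumed helpers
// written for this example; they are not Drupal's Html::load(), Html::serialize()
// or Xss::filterAdmin().
declare(strict_types=1);

/** Parse an HTML fragment so that the body's children are exactly the fragment. */
function loadFragment(string $html): DOMDocument {
    $dom = new DOMDocument();
    libxml_use_internal_errors(true); // libxml warns about unknown tags; keep it quiet.
    $dom->loadHTML('<!DOCTYPE html><html><head>'
        . '<meta http-equiv="Content-Type" content="text/html; charset=utf-8">'
        . '</head><body>' . $html . '</body></html>');
    libxml_clear_errors();
    return $dom;
}

/** Serialize only the body children of a document built by loadFragment(). */
function serializeFragment(DOMDocument $dom): string {
    $body = $dom->getElementsByTagName('body')->item(0);
    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $dom->saveHTML($child);
    }
    return $out;
}

/**
 * Strict allow-list sanitizer standing in for Xss::filterAdmin(): script/style
 * subtrees are dropped, other disallowed elements are unwrapped (their text
 * survives), and allowed elements lose every attribute (no event handlers).
 */
function allowlistFilter(string $fragment, array $allowedTags = ['b', 'i', 'em', 'strong', 'br']): string {
    $dom = loadFragment($fragment);
    sanitizeChildren($dom->getElementsByTagName('body')->item(0), $allowedTags);
    return serializeFragment($dom);
}

function sanitizeChildren(DOMNode $parent, array $allowedTags): void {
    // Iterate over a snapshot: childNodes is live and changes while we edit it.
    foreach (iterator_to_array($parent->childNodes) as $child) {
        if ($child instanceof DOMElement) {
            $tag = strtolower($child->tagName);
            if ($tag === 'script' || $tag === 'style') {
                $parent->removeChild($child);
                continue;
            }
            // Clean the subtree first so that unwrapped children are already safe.
            sanitizeChildren($child, $allowedTags);
            if (!in_array($tag, $allowedTags, true)) {
                while ($child->firstChild !== null) {
                    $parent->insertBefore($child->firstChild, $child);
                }
                $parent->removeChild($child);
            }
            else {
                foreach (iterator_to_array($child->attributes, false) as $attr) {
                    $child->removeAttribute($attr->name);
                }
            }
        }
        elseif (!($child instanceof DOMText)) {
            // Comments and processing instructions have no place in an attribute payload.
            $parent->removeChild($child);
        }
    }
}

/** Same control flow as Standard::filterXssDataAttributes(), using the stand-ins above. */
function filterXssDataAttributes(string $html): string {
    if (stristr($html, 'data-') !== false) {
        $dom = loadFragment($html);
        $xpath = new DOMXPath($dom);
        foreach ($xpath->query('//@*[starts-with(name(.), "data-")]') as $node) {
            // The DOMAttr::value getter returns the entity-decoded string, so the
            // filter sees real markup such as <script>, not the literal "&lt;script&gt;".
            $value = allowlistFilter($node->value);
            // Re-encode before storing, as Html::escape() does in the real method.
            $node->value = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        }
        $html = serializeFragment($dom);
    }
    return $html;
}

// Constructed input: a data-caption smuggling a script tag and an inline event
// handler, plus a non-data attribute that the method must leave alone.
$input = '<img src="a.png" title="&lt;i&gt;kept&lt;/i&gt;" '
    . 'data-caption="&lt;script&gt;alert(1)&lt;/script&gt;'
    . '&lt;b onmouseover=&quot;alert(2)&quot;&gt;Caption&lt;/b&gt;">';

echo filterXssDataAttributes($input), PHP_EOL;
echo filterXssDataAttributes('<p>no data attributes here</p>'), PHP_EOL;
```

Run it with `php example.php`. The first line shows the data-caption attribute with the script element gone and the onmouseover handler stripped from the surviving `<b>`, still entity-encoded, while the title attribute is untouched; the second line comes back unchanged because the stristr() check skips the DOM round trip entirely. The reason the round trip matters is that the attribute is inert while it sits in the attribute: the browser never executes `&lt;script&gt;` there. It becomes dangerous only when a later filter decodes it and renders it as markup, which is what Drupal's caption filter does with data-caption. Two caveats for anyone adapting this: Xss::filterAdmin() allows far more than the stand-in here (it is the admin allow-list, hence "very permissive" in the docblock), and the re-encoding step must not be skipped, because the filtered value is markup again and the DOMAttr::value setter expects the encoded form the page's comment describes.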