function FilterHtml::getHTMLRestrictions

Same name and namespace in other branches
  1. 11.x core/modules/filter/src/Plugin/Filter/FilterHtml.php \Drupal\filter\Plugin\Filter\FilterHtml::getHTMLRestrictions()
  2. 10 core/modules/filter/src/Plugin/Filter/FilterHtml.php \Drupal\filter\Plugin\Filter\FilterHtml::getHTMLRestrictions()
  3. 9 core/modules/filter/src/Plugin/Filter/FilterHtml.php \Drupal\filter\Plugin\Filter\FilterHtml::getHTMLRestrictions()

Overrides FilterBase::getHTMLRestrictions

2 calls to FilterHtml::getHTMLRestrictions()
FilterHtml::filterAttributes in core/modules/filter/src/Plugin/Filter/FilterHtml.php
Provides filtering of tag attributes into accepted HTML.
FilterHtml::process in core/modules/filter/src/Plugin/Filter/FilterHtml.php
Performs the filter processing.

File

core/modules/filter/src/Plugin/Filter/FilterHtml.php, line 245

Class

FilterHtml
Provides a filter to limit allowed HTML tags.

Namespace

Drupal\filter\Plugin\Filter

Code

public function getHTMLRestrictions() {
  if ($this->restrictions) {
    return $this->restrictions;
  }
  // Parse the allowed HTML setting, and gradually make the list of allowed
  // tags more specific.
  $restrictions = [
    'allowed' => [],
  ];
  // Make all the tags self-closing, so they will be parsed into direct
  // children of the body tag in the DomDocument.
  $html = str_replace('>', ' />', $this->settings['allowed_html']);
  // Protect any trailing * characters in attribute names, since DomDocument
  // strips them as invalid.
  $star_protector = '__zqh6vxfbk3cg__';
  $html = str_replace('*', $star_protector, $html);
  $body_child_nodes = Html::load($html)->getElementsByTagName('body')
    ->item(0)->childNodes;
  foreach ($body_child_nodes as $node) {
    if ($node->nodeType !== XML_ELEMENT_NODE) {
      // Skip the empty text nodes inside tags.
      continue;
    }
    $tag = $node->tagName;
    if ($node->hasAttributes()) {
      // Mark the tag as allowed, assigning TRUE for each attribute name if
      // all values are allowed, or an array of specific allowed values.
      $restrictions['allowed'][$tag] = [];
      // Iterate over any attributes, and mark them as allowed.
      foreach ($node->attributes as $name => $attribute) {
        // Put back any trailing * on wildcard attribute name.
        $name = str_replace($star_protector, '*', $name);
        // Put back any trailing * on wildcard attribute value and parse out
        // the allowed attribute values.
        $allowed_attribute_values = preg_split('/\\s+/', str_replace($star_protector, '*', $attribute->value), -1, PREG_SPLIT_NO_EMPTY);
        // Sanitize the attribute value: it lists the allowed attribute values
        // but one allowed attribute value that some may be tempted to use
        // is specifically nonsensical: the asterisk. A prefix is required for
        // allowed attribute values with a wildcard. A wildcard by itself
        // would mean allowing all possible attribute values. But in that
        // case, one would not specify an attribute value at all.
        $allowed_attribute_values = array_filter($allowed_attribute_values, function ($value) use ($star_protector) {
          return $value !== '*';
        });
        if (empty($allowed_attribute_values)) {
          // If the value is the empty string all values are allowed.
          $restrictions['allowed'][$tag][$name] = TRUE;
        }
        else {
          // A non-empty attribute value is assigned, mark each of the
          // specified attribute values as allowed.
          foreach ($allowed_attribute_values as $value) {
            $restrictions['allowed'][$tag][$name][$value] = TRUE;
          }
        }
      }
    }
    else {
      // Mark the tag as allowed, but with no attributes allowed.
      $restrictions['allowed'][$tag] = FALSE;
    }
  }
  // The 'style' and 'on*' ('onClick' etc.) attributes are always forbidden,
  // and are removed by Xss::filter().
  // The 'lang', and 'dir' attributes apply to all elements and are always
  // allowed. The list of allowed values for the 'dir' attribute is enforced
  // by self::filterAttributes(). Note that those two attributes are in the
  // short list of globally usable attributes in HTML5. They are always
  // allowed since the correct values of lang and dir may only be known to
  // the content author. Of the other global attributes, they are not usually
  // added by hand to content, and especially the class attribute can have
  // undesired visual effects by allowing content authors to apply any
  // available style, so specific values should be explicitly allowed.
  // @see http://www.w3.org/TR/html5/dom.html#global-attributes
  $restrictions['allowed']['*'] = [
    'style' => FALSE,
    'on*' => FALSE,
    'lang' => TRUE,
    'dir' => [
      'ltr' => TRUE,
      'rtl' => TRUE,
    ],
  ];
  // Save this calculated result for re-use.
  $this->restrictions = $restrictions;
  return $restrictions;
}

Buggy or inaccurate documentation? Please file an issue. Need support? Need help programming? Connect with the Drupal community.