function FilterHtmlImageSecure::process

Same name and namespace in other branches
  1. 10 core/modules/filter/src/Plugin/Filter/FilterHtmlImageSecure.php \Drupal\filter\Plugin\Filter\FilterHtmlImageSecure::process()
  2. 9 core/modules/filter/src/Plugin/Filter/FilterHtmlImageSecure.php \Drupal\filter\Plugin\Filter\FilterHtmlImageSecure::process()
  3. 8.9.x core/modules/filter/src/Plugin/Filter/FilterHtmlImageSecure.php \Drupal\filter\Plugin\Filter\FilterHtmlImageSecure::process()
  4. main core/modules/filter/src/Plugin/Filter/FilterHtmlImageSecure.php \Drupal\filter\Plugin\Filter\FilterHtmlImageSecure::process()

Performs the filter processing.

Parameters

string $text: The text string to be filtered.

string $langcode: The language code of the text to be filtered.

Return value

\Drupal\filter\FilterProcessResult: The filtered text, wrapped in a FilterProcessResult object, and possibly with associated assets, cacheability metadata and placeholders.

Overrides FilterInterface::process

File

core/modules/filter/src/Plugin/Filter/FilterHtmlImageSecure.php, line 74

Class

FilterHtmlImageSecure
Provides a filter to restrict images to site.

Namespace

Drupal\filter\Plugin\Filter

Code

public function process($text, $langcode) {
  // Find the path (e.g. '/') to Drupal root.
  $base_path = base_path();
  $base_path_length = mb_strlen($base_path);
  // Find the directory on the server where index.php resides.
  $local_dir = $this->root . '/';
  $html_dom = Html::load($text);
  $images = $html_dom->getElementsByTagName('img');
  foreach ($images as $image) {
    $src = $image->getAttribute('src');
    // Transform absolute image URLs to relative image URLs: prevent problems
    // on multisite set-ups and prevent mixed content errors.
    $image->setAttribute('src', $this->fileUrlGenerator->transformRelative($src));
    // Verify that $src starts with $base_path.
    // This also ensures that external images cannot be referenced.
    $src = $image->getAttribute('src');
    if (mb_substr($src, 0, $base_path_length) === $base_path) {
      // Remove the $base_path to get the path relative to the Drupal root.
      // Ensure the path refers to an actual image by prefixing the image
      // source with the Drupal root and running getimagesize() on it.
      $local_image_path = $local_dir . mb_substr($src, $base_path_length);
      $local_image_path = rawurldecode($local_image_path);
      if (@getimagesize($local_image_path)) {
        // The image has the right path. Invalid images are handled below.
        continue;
      }
    }
    // Allow modules and themes to replace an invalid image with an error
    // indicator.
    // @see \Drupal\filter\Hook\FilterHooks::filterSecureImageAlter()
    $this->moduleHandler->alter('filter_secure_image', $image);
  }
  return new FilterProcessResult(Html::serialize($html_dom));
}
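
The two checks process() applies to each img element, as a stand-alone PHP sketch added here (not Drupal's code) so they can be run outside a Drupal site. find_rejected_images(), $basePath and $docRoot are hypothetical stand-ins for the method, base_path() and $this->root; the transformRelative() step is left out, and the sample files and HTML are constructed.

```php
<?php
// Added sketch, not Drupal code. $basePath and $docRoot are hypothetical
// stand-ins for base_path() and $this->root; the transformRelative() step
// is omitted, so absolute URLs are never rewritten to relative ones here.
function find_rejected_images(string $html, string $basePath, string $docRoot): array {
  libxml_use_internal_errors(TRUE);
  $dom = new DOMDocument();
  $dom->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>');
  $rejected = [];
  foreach ($dom->getElementsByTagName('img') as $img) {
    $src = $img->getAttribute('src');
    // 1. The src must start with the site's base path (rules out other hosts).
    if (str_starts_with($src, $basePath)) {
      // 2. The decoded path under the document root must parse as an image.
      $local = rawurldecode($docRoot . '/' . substr($src, strlen($basePath)));
      if (@getimagesize($local)) {
        continue;
      }
    }
    // process() hands these elements to the filter_secure_image alter hook.
    $rejected[] = $src;
  }
  return $rejected;
}

// Constructed sample: a temporary document root holding one real 1x1 GIF
// and one text file.
$root = sys_get_temp_dir() . '/filter_image_demo_' . getmypid();
mkdir($root . '/files', 0700, TRUE);
file_put_contents($root . '/files/ok.gif', base64_decode(
  'R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7'));
file_put_contents($root . '/files/note.txt', 'not an image');

// Constructed markup: a local image, a local non-image, an external URL and
// a local path with no file behind it.
$html = '<p><img src="/files/ok.gif"><img src="/files/note.txt">'
  . '<img src="https://cdn.example/x.png"><img src="/files/missing.png"></p>';

print_r(find_rejected_images($html, '/', $root));

// Remove the constructed files.
array_map('unlink', glob($root . '/files/*'));
rmdir($root . '/files');
rmdir($root);
```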
