Same name and namespace in other branches
  1. 4.6.x modules/filter.module \_filter_xss_split()
  2. 4.7.x modules/filter.module \_filter_xss_split()
  3. 5.x modules/filter/filter.module \_filter_xss_split()
  4. 6.x modules/filter/filter.module \_filter_xss_split()

Processes an HTML tag.

Parameters

$m: An array with various meaning depending on the value of $store. If $store is TRUE then the array contains the allowed tags. If $store is FALSE then the array has one element, the HTML tag to process.

$store: Whether to store $m.

Return value

If the element isn't allowed, an empty string. Otherwise, the cleaned up version of the HTML element.

Related topics

1 call to _filter_xss_split()
filter_xss in includes/common.inc
Filters HTML to prevent cross-site-scripting (XSS) vulnerabilities.
1 string reference to '_filter_xss_split'
filter_xss in includes/common.inc
Filters HTML to prevent cross-site-scripting (XSS) vulnerabilities.

File

includes/common.inc, line 1587
Common functions that many Drupal modules will need to reference.

Code

function _filter_xss_split($m, $store = FALSE) {
  static $allowed_html;
  if ($store) {
    $allowed_html = array_flip($m);
    return;
  }
  $string = $m[1];
  if (substr($string, 0, 1) != '<') {

    // We matched a lone ">" character.
    return '&gt;';
  }
  elseif (strlen($string) == 1) {

    // We matched a lone "<" character.
    return '&lt;';
  }
  if (!preg_match('%^<\\s*(/\\s*)?([a-zA-Z0-9\\-]+)\\s*([^>]*)>?|(<!--.*?-->)$%', $string, $matches)) {

    // Seriously malformed.
    return '';
  }
  $slash = trim($matches[1]);
  $elem =& $matches[2];
  $attrlist =& $matches[3];
  $comment =& $matches[4];
  if ($comment) {
    $elem = '!--';
  }
  if (!isset($allowed_html[strtolower($elem)])) {

    // Disallowed HTML element.
    return '';
  }
  if ($comment) {
    return $comment;
  }
  if ($slash != '') {
    return "</{$elem}>";
  }

  // Is there a closing XHTML slash at the end of the attributes?
  $attrlist = preg_replace('%(\\s?)/\\s*$%', '\\1', $attrlist, -1, $count);
  $xhtml_slash = $count ? ' /' : '';

  // Clean up attributes.
  $attr2 = implode(' ', _filter_xss_attributes($attrlist));
  $attr2 = preg_replace('/[<>]/', '', $attr2);
  $attr2 = strlen($attr2) ? ' ' . $attr2 : '';
  return "<{$elem}{$attr2}{$xhtml_slash}>";
}