Attribute

Collects, sanitizes, and renders HTML attributes.

To use, optionally pass in an associative array of defined attributes, or add attributes using array syntax. For example:

 $attributes = new Attribute(array('id' => 'socks'));
 $attributes['class'] = array('black-cat', 'white-cat');
 $attributes['class'][] = 'black-white-cat';
 echo '<cat' . $attributes . '>';
 // Produces <cat id="socks" class="black-cat white-cat black-white-cat">

Casting $attributes to a string always prints every attribute, including any you have already printed individually, so the attribute appears twice. For example:

 $attributes = new Attribute(array('id' => 'socks'));
 $attributes['class'] = array('black-cat', 'white-cat');
 $attributes['class'][] = 'black-white-cat';
 echo '<cat class="cat ' . $attributes['class'] . '"' . $attributes . '>';
 // Produces <cat class="cat black-cat white-cat black-white-cat" id="socks" class="cat black-cat white-cat black-white-cat">

When printing out individual attributes to customize them within a Twig template, use the "without" filter to prevent attributes that have already been printed from being printed again. For example:

 <cat class="{{ attributes.class }} my-custom-class"{{ attributes|without('class') }}>
 {# Produces <cat class="cat black-cat white-cat black-white-cat my-custom-class" id="socks"> #}

The attribute keys and values are automatically escaped for output with Html::escape(). No protocol filtering is applied, so when using user-entered input as a value for an attribute that expects a URI (href, src, ...), UrlHelper::stripDangerousProtocols() should be used to ensure dangerous protocols (such as 'javascript:') are removed. For example:

 $path = 'javascript:alert("xss");';
 $path = UrlHelper::stripDangerousProtocols($path);
 $attributes = new Attribute(array('href' => $path));
 echo '<a' . $attributes . '>';
 // Produces <a href="alert(&quot;xss&quot;);">
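
The pipeline described above, as an added example that is not Drupal's own code: renderAttributes() stands in for Attribute::__toString() and escapes like Html::escape() (htmlspecialchars with ENT_QUOTES | ENT_SUBSTITUTE), and stripDangerousProtocols() mirrors the documented behaviour of UrlHelper::stripDangerousProtocols(); the allow-list of schemes is an assumption for this demo. It shows that escaping alone leaves a javascript: href intact, and that stripping first yields the documented `<a href="alert(&quot;xss&quot;);">`.

```php
<?php
// Added example, not Drupal core code. Runs without Drupal installed.

// Assumed allow-list; Drupal's real list is configurable.
const ALLOWED_PROTOCOLS = ['http', 'https', 'mailto', 'tel'];

// Equivalent of Html::escape(): encodes &, <, >, " and '.
function escapeAttr(string $text): string {
  return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Minimal stand-in for Attribute::__toString(): escapes both key and
// value, joins array values (e.g. classes) with spaces.
function renderAttributes(array $attributes): string {
  $out = '';
  foreach ($attributes as $name => $value) {
    if (is_array($value)) {
      $value = implode(' ', $value);
    }
    $out .= ' ' . escapeAttr((string) $name) . '="' . escapeAttr((string) $value) . '"';
  }
  return $out;
}

// Stand-in for UrlHelper::stripDangerousProtocols(): removes any scheme
// not on the allow-list, repeating until the string is stable so that a
// removed scheme cannot uncover another one.
function stripDangerousProtocols(string $uri): string {
  do {
    $before = $uri;
    $colon = strpos($uri, ':');
    if ($colon !== false && $colon > 0) {
      $protocol = substr($uri, 0, $colon);
      // A '/', '?' or '#' before the colon means this is not a scheme.
      if (preg_match('![/?#]!', $protocol)) {
        break;
      }
      if (!in_array(strtolower($protocol), ALLOWED_PROTOCOLS, TRUE)) {
        $uri = substr($uri, $colon + 1);
      }
    }
  } while ($before !== $uri);
  return $uri;
}

$path = 'javascript:alert("xss");';
// Escaping only: quotes become &quot; but the javascript: scheme survives.
echo '<a' . renderAttributes(['href' => $path]) . '>', PHP_EOL;
// Strip first, then escape: matches the documented output above.
echo '<a' . renderAttributes(['href' => stripDangerousProtocols($path)]) . '>', PHP_EOL;
// An allowed scheme passes through; only the & in the query is escaped.
echo '<a' . renderAttributes(['href' => stripDangerousProtocols('https://example.com/?q=a&b')]) . '>', PHP_EOL;
```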

The attribute values are considered plain text and are treated as such. If a safe HTML string is detected, it is converted to plain text with PlainTextOutput::renderFromHtml() before being escaped. For example:

 $value = t('Highlight the @tag tag', ['@tag' => '<em>']);
 $attributes = new Attribute(['value' => $value]);
 echo '<input' . $attributes . '>';
 // Produces <input value="Highlight the &lt;em&gt; tag">

See also

\Drupal\Component\Utility\Html::escape()

\Drupal\Component\Render\PlainTextOutput::renderFromHtml()

\Drupal\Component\Utility\UrlHelper::stripDangerousProtocols()

File

core/lib/Drupal/Core/Template/Attribute.php, line 65

Namespace

Drupal\Core\Template

Members

| Name | Modifiers | Type | Description |
|---|---|---|---|
| Attribute::$storage | protected | property | Stores the attribute data. |
| Attribute::addClass | public | function | Adds classes or merges them on to array of existing CSS classes. |
| Attribute::createAttributeValue | protected | function | Creates the different types of attribute values. |
| Attribute::getIterator | public | function | |
| Attribute::hasClass | public | function | Checks if the class array has the given CSS class. |
| Attribute::jsonSerialize | public | function | Returns a representation of the object for use in JSON serialization. |
| Attribute::offsetExists | public | function | |
| Attribute::offsetGet | public | function | |
| Attribute::offsetSet | public | function | |
| Attribute::offsetUnset | public | function | |
| Attribute::removeAttribute | public | function | Removes an attribute from an Attribute object. |
| Attribute::removeClass | public | function | Removes argument values from array of existing CSS classes. |
| Attribute::setAttribute | public | function | Sets values for an attribute key. |
| Attribute::storage | public | function | Returns the whole array. |
| Attribute::toArray | public | function | Returns all storage elements as an array. |
| Attribute::__clone | public | function | Implements the magic __clone() method. |
| Attribute::__construct | public | function | Constructs a \Drupal\Core\Template\Attribute object. |
| Attribute::__toString | public | function | Implements the magic __toString() method. Overrides MarkupInterface::__toString. |
doc_Drupal
2016-10-29 08:45:01