editor_filter_xss($html, FilterFormatInterface $format = NULL, FilterFormatInterface $original_format = NULL)
Applies text editor XSS filtering.
Parameters
string $html: The HTML string that will be passed to the text editor.
\Drupal\filter\FilterFormatInterface|null $format: The text format whose text editor will be used or NULL if the previously defined text format is now disabled.
\Drupal\filter\FilterFormatInterface $original_format|null: (optional) The original text format (i.e. when switching text formats, $format is the text format that is going to be used, $original_format is the one that was being used initially, the one that is stored in the database when editing).
Return value
string|false The XSS filtered string or FALSE when no XSS filtering needs to be applied, because one of the next conditions might occur:
- No text editor is associated with the text format,
- The previously defined text format is now disabled,
- The text editor is safe from XSS,
- The text format does not use any XSS protection filters.
See also
https://www.drupal.org/node/2099741
File
- core/modules/editor/editor.module, line 294
- Adds bindings for client-side "text editors" to text formats.
Code
function editor_filter_xss($html, FilterFormatInterface $format = NULL, FilterFormatInterface $original_format = NULL) {
$editor = $format ? editor_load($format->id()) : NULL;
// If no text editor is associated with this text format or the previously
// defined text format is now disabled, then we don't need text editor XSS
// filtering either.
if (!isset($editor)) {
return FALSE;
}
// If the text editor associated with this text format guarantees security,
// then we also don't need text editor XSS filtering.
$definition = \Drupal::service('plugin.manager.editor')->getDefinition($editor->getEditor());
if ($definition['is_xss_safe'] === TRUE) {
return FALSE;
}
// If there is no filter preventing XSS attacks in the text format being used,
// then no text editor XSS filtering is needed either. (Because then the
// editing user can already be attacked by merely viewing the content.)
// e.g.: an admin user creates content in Full HTML and then edits it, no text
// format switching happens; in this case, no text editor XSS filtering is
// desirable, because it would strip style attributes, amongst others.
$current_filter_types = $format->getFilterTypes();
if (!in_array(FilterInterface::TYPE_HTML_RESTRICTOR, $current_filter_types, TRUE)) {
if ($original_format === NULL) {
return FALSE;
}
// Unless we are switching from another text format, in which case we must
// first check whether a filter preventing XSS attacks is used in that text
// format, and if so, we must still apply XSS filtering.
// e.g.: an anonymous user creates content in Restricted HTML, an admin user
// edits it (then no XSS filtering is applied because no text editor is
// used), and switches to Full HTML (for which a text editor is used). Then
// we must apply XSS filtering to protect the admin user.
else {
$original_filter_types = $original_format->getFilterTypes();
if (!in_array(FilterInterface::TYPE_HTML_RESTRICTOR, $original_filter_types, TRUE)) {
return FALSE;
}
}
}
// Otherwise, apply the text editor XSS filter. We use the default one unless
// a module tells us to use a different one.
$editor_xss_filter_class = '\Drupal\editor\EditorXssFilter\Standard';
\Drupal::moduleHandler()->alter('editor_xss_filter', $editor_xss_filter_class, $format, $original_format);
return call_user_func($editor_xss_filter_class . '::filterXss', $html, $format, $original_format);
}
Please login to continue.