protected static Standard::filterXssDataAttributes($html)
Applies a very permissive XSS/HTML filter to data-attributes.
Parameters
string $html: The string to apply the data-attributes filtering to.
Return value
string The filtered string.
File
- core/modules/editor/src/EditorXssFilter/Standard.php, line 101
Class
- Standard
- Defines the standard text editor XSS filter.
Namespace
Drupal\editor\EditorXssFilter
Code
```php
protected static function filterXssDataAttributes($html) {
  if (stristr($html, 'data-') !== FALSE) {
    $dom = Html::load($html);
    $xpath = new \DOMXPath($dom);
    foreach ($xpath->query('//@*[starts-with(name(.), "data-")]') as $node) {
      // The data-attributes contain an HTML-encoded value, so we need to
      // decode the value, apply XSS filtering and then re-save as encoded
      // value. There is no need to explicitly decode $node->value, since the
      // DOMAttr::value getter returns the decoded value.
      $value = Xss::filterAdmin($node->value);
      $node->value = Html::escape($value);
    }
    $html = Html::serialize($dom);
  }
  return $html;
}
```
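The decode, filter and re-encode round trip described in the code comment, as a stand-alone added example that is not Drupal's code. The names `demo_filter()` and `filter_data_attributes()` are hypothetical, `strip_tags()` is only a weak stand-in for `Xss::filterAdmin()`, and the sample markup is constructed. It shows why the step exists: markup stored HTML-encoded inside a `data-` attribute looks like inert text to a tag-level filter, yet becomes live markup if client-side code later decodes it and inserts it into the page.

```php
<?php
// Added example, not Drupal's code. All function names are hypothetical.

// Stand-in for Xss::filterAdmin(): keeps <em>/<strong>, strips other tags.
// strip_tags() leaves attributes on the kept tags alone, so it is far weaker
// than a real XSS filter; it is used only to make the data flow visible.
function demo_filter(string $value): string {
  return strip_tags($value, '<em><strong>');
}

function filter_data_attributes(string $html): string {
  // Same cheap pre-check as the original: skip parsing without "data-".
  if (stripos($html, 'data-') === false) {
    return $html;
  }
  // Wrap the fragment in a UTF-8 document so the HTML parser accepts it.
  $previous = libxml_use_internal_errors(true);
  $dom = new DOMDocument();
  $dom->loadHTML('<!DOCTYPE html><html><head>'
    . '<meta http-equiv="Content-Type" content="text/html; charset=utf-8">'
    . '</head><body>' . $html . '</body></html>');
  libxml_clear_errors();
  libxml_use_internal_errors($previous);

  $xpath = new DOMXPath($dom);
  foreach ($xpath->query('//@*[starts-with(name(.), "data-")]') as $attr) {
    // The DOMAttr::value getter returns the decoded attribute value, so the
    // filter sees real markup rather than &lt;...&gt; text.
    $filtered = demo_filter($attr->value);
    // Escape before assigning, mirroring Html::escape() in the original.
    $attr->value = htmlspecialchars($filtered, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
  }

  // Serialize only the children of <body>, i.e. the original fragment.
  $out = '';
  foreach ($dom->getElementsByTagName('body')->item(0)->childNodes as $child) {
    $out .= $dom->saveHTML($child);
  }
  return $out;
}

// Constructed sample: encoded markup hidden in a data- attribute.
$input = '<img src="cat.png" alt="" '
  . 'data-caption="&lt;em&gt;Hi&lt;/em&gt;&lt;script&gt;alert(1)&lt;/script&gt;">';
echo 'before: ', $input, PHP_EOL;
echo 'after:  ', filter_data_attributes($input), PHP_EOL;
```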