Standard::filterXssDataAttributes

protected static Standard::filterXssDataAttributes($html)

Applies a very permissive XSS/HTML filter to data-attributes.

The values of data-* attributes can carry HTML-encoded markup (the image caption that Drupal keeps in data-caption, for instance), which a filter that only inspects the surrounding tags treats as inert text. This method decodes every data-* value, runs the decoded markup through Xss::filterAdmin(), and stores the result back HTML-encoded. It is permissive because Xss::filterAdmin() allows the broad administrator tag list; the intent is to remove event handlers and script, not to restrict formatting.

Parameters

string $html: The string to apply the data-attributes filtering to.

Return value

string The filtered string.

File

core/modules/editor/src/EditorXssFilter/Standard.php, line 101

Class

Standard
Defines the standard text editor XSS filter.

Namespace

Drupal\editor\EditorXssFilter

Code

protected static function filterXssDataAttributes($html) {
  if (stristr($html, 'data-') !== FALSE) {
    $dom = Html::load($html);
    $xpath = new \DOMXPath($dom);
    foreach ($xpath->query('//@*[starts-with(name(.), "data-")]') as $node) {
      // The data-attributes contain an HTML-encoded value, so we need to
      // decode the value, apply XSS filtering and then re-save as encoded
      // value. There is no need to explicitly decode $node->value, since the
      // DOMAttr::value getter returns the decoded value.
      $value = Xss::filterAdmin($node->value);
      $node->value = Html::escape($value);
    }
    $html = Html::serialize($dom);
  }

  return $html;
}
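The following stand-alone script shows the same decode, filter, re-encode cycle end to end on a constructed input. It is an added illustration, not Drupal code: filterValue() is a hypothetical, deliberately small allow-list filter standing in for Xss::filterAdmin() (Drupal's is considerably more thorough and should be kept in production), and the script assumes PHP 8.0+ with ext-dom. One deliberate difference from the page's code is that the filtered value is written back with DOMElement::setAttribute(), which stores the string literally and escapes it on serialization, so no explicit Html::escape() step is needed before the assignment.

```php
<?php
// Added illustration of the data-attribute filtering approach, not Drupal code.
// Assumes PHP 8.0+ with ext-dom. filterValue() is a hypothetical, deliberately
// small allow-list filter standing in for Xss::filterAdmin(); it is far less
// complete than Drupal's and must not be used as a real XSS filter.
declare(strict_types=1);

const ALLOWED_TAGS = ['a', 'em', 'strong', 'p', 'br', 'img', 'span'];
const URL_ATTRS    = ['href', 'src'];

/** Parse an HTML fragment into a document whose <body> holds the fragment. */
function loadFragment(string $html): DOMDocument
{
    $dom  = new DOMDocument();
    $prev = libxml_use_internal_errors(true); // sloppy markup is expected here
    $dom->loadHTML('<!DOCTYPE html><html><head><meta charset="utf-8"></head>'
        . '<body>' . $html . '</body></html>');
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    return $dom;
}

/** Serialize only the children of <body>, dropping the wrapper added above. */
function serializeFragment(DOMDocument $dom): string
{
    $out  = '';
    $body = $dom->getElementsByTagName('body')->item(0);
    foreach ($body->childNodes as $child) {
        $out .= $dom->saveHTML($child);
    }
    return $out;
}

/** Stand-in for Xss::filterAdmin(): drop disallowed tags, on* handlers, javascript: URLs. */
function filterValue(string $html): string
{
    $dom   = loadFragment($html);
    $xpath = new DOMXPath($dom);
    foreach (iterator_to_array($xpath->query('//body//*'), false) as $el) {
        if (!in_array(strtolower($el->nodeName), ALLOWED_TAGS, true)) {
            // Keep the text so content is not silently lost, drop the element.
            $el->parentNode->replaceChild($dom->createTextNode($el->textContent), $el);
            continue;
        }
        foreach (iterator_to_array($el->attributes, false) as $attr) {
            $name = strtolower($attr->name);
            if (str_starts_with($name, 'on')
                || (in_array($name, URL_ATTRS, true)
                    && preg_match('/^\s*javascript:/i', $attr->value))) {
                $el->removeAttributeNode($attr);
            }
        }
    }
    return serializeFragment($dom);
}

/** Decode each data-* value, filter it as HTML, and store it back encoded. */
function filterXssDataAttributes(string $html): string
{
    if (stristr($html, 'data-') === false) {
        return $html;                         // same cheap pre-check as the page
    }
    $dom   = loadFragment($html);
    $xpath = new DOMXPath($dom);
    // Two passes: collect first, then write, so the XPath result set is never
    // mutated while it is being iterated.
    $work = [];
    foreach ($xpath->query('//@*[starts-with(name(.), "data-")]') as $attr) {
        // DOMAttr::value yields the entity-decoded string, i.e. real markup.
        $work[] = [$attr->ownerElement, $attr->name, filterValue($attr->value)];
    }
    foreach ($work as [$el, $name, $clean]) {
        // setAttribute() stores the string literally and escapes it on
        // serialization, so no explicit Html::escape() step is needed.
        $el->setAttribute($name, $clean);
    }
    return serializeFragment($dom);
}

/** Read back one data-* value after filtering, decoded, for inspection. */
function decodedAttr(string $html, string $name): ?string
{
    $dom = loadFragment($html);
    $el  = (new DOMXPath($dom))->query("//*[@$name]")->item(0);
    return $el?->getAttribute($name);
}

// Constructed sample: a widget-style attribute carrying encoded HTML with an
// event handler and a <script> smuggled inside, next to a harmless data-id.
$input = '<p data-id="42" data-caption="&lt;em onclick=&quot;alert(1)&quot;&gt;Hi'
    . '&lt;/em&gt;&lt;script&gt;alert(2)&lt;/script&gt;">Body text</p>';

$output = filterXssDataAttributes($input);
echo $output, PHP_EOL;
echo decodedAttr($output, 'data-caption'), PHP_EOL;
```

Running it, the decoded data-caption comes back as `<em>Hi</em>alert(2)`: the onclick handler is gone, the script element is gone with only its text left behind, the em element survives, and data-id="42" passes through unchanged. Note that the pre-check is a literal substring test, so an attribute such as `DATA-caption` is caught (stristr is case-insensitive) but the filter does nothing for markup that the editor decodes from some other carrier than a data-* attribute.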
doc_Drupal
2016-10-29 09:43:53