MENU
Edit
In Place Editing Advanced Editing

Attribute

Collects, sanitizes, and renders HTML attributes.

To use, optionally pass in an associative array of defined attributes, or add attributes using array syntax. For example:

1
2
3
4
5
$attributes = new Attribute(array('id' => 'socks'));
$attributes['class'] = array('black-cat', 'white-cat');
$attributes['class'][] = 'black-white-cat';
echo '<cat' . $attributes . '>';
// Produces <cat id="socks" class="black-cat white-cat black-white-cat">

$attributes always prints out all the attributes. For example:

1
2
3
4
5
$attributes = new Attribute(array('id' => 'socks'));
$attributes['class'] = array('black-cat', 'white-cat');
$attributes['class'][] = 'black-white-cat';
echo '<cat class="cat ' . $attributes['class'] . '"' . $attributes . '>';
// Produces <cat class="cat black-cat white-cat black-white-cat" id="socks" class="cat black-cat white-cat black-white-cat">

When printing out individual attributes to customize them within a Twig template, use the "without" filter to prevent attributes that have already been printed from being printed again. For example:

1
2
<cat class="{{ attributes.class }} my-custom-class"{{ attributes|without('class') }}>
{# Produces <cat class="cat black-cat white-cat black-white-cat my-custom-class" id="socks"> #}

The attribute keys and values are automatically escaped for output with Html::escape(). No protocol filtering is applied, so when using user-entered input as a value for an attribute that expects an URI (href, src, ...), UrlHelper::stripDangerousProtocols() should be used to ensure dangerous protocols (such as 'javascript:') are removed. For example:

1
2
3
4
5
$path = 'javascript:alert("xss");';
$path = UrlHelper::stripDangerousProtocols($path);
$attributes = new Attribute(array('href' => $path));
echo '<a' . $attributes . '>';
// Produces <a href="alert(&quot;xss&quot;);">

The attribute values are considered plain text and are treated as such. If a safe HTML string is detected, it is converted to plain text with PlainTextOutput::renderFromHtml() before being escaped. For example:

1
2
3
4
$value = t('Highlight the @tag tag', ['@tag' => '<em>']);
$attributes = new Attribute(['value' => $value]);
echo '<input' . $attributes . '>';
// Produces <input value="Highlight the &lt;em&gt; tag">

Hierarchy

See also

\Drupal\Component\Utility\Html::escape()

\Drupal\Component\Render\PlainTextOutput::renderFromHtml()

\Drupal\Component\Utility\UrlHelper::stripDangerousProtocols()

File

core/lib/Drupal/Core/Template/Attribute.php, line 65

Namespace

Drupal\Core\Template

Members

Name Modifiers Type Description
Attribute::$storage protected property Stores the attribute data.
Attribute::addClass public function Adds classes or merges them on to array of existing CSS classes.
Attribute::createAttributeValue protected function Creates the different types of attribute values.
Attribute::getIterator public function
Attribute::hasClass public function Checks if the class array has the given CSS class.
Attribute::jsonSerialize public function Returns a representation of the object for use in JSON serialization.
Attribute::offsetExists public function
Attribute::offsetGet public function
Attribute::offsetSet public function
Attribute::offsetUnset public function
Attribute::removeAttribute public function Removes an attribute from an Attribute object.
Attribute::removeClass public function Removes argument values from array of existing CSS classes.
Attribute::setAttribute public function Sets values for an attribute key.
Attribute::storage public function Returns the whole array.
Attribute::toArray public function Returns all storage elements as an array.
Attribute::__clone public function Implements the magic __clone() method.
Attribute::__construct public function Constructs a \Drupal\Core\Template\Attribute object.
Attribute::__toString public function Implements the magic __toString() method. Overrides MarkupInterface::__toString
doc_Drupal
doc_Drupal
2025-01-10 15:47:30
Comments
Leave a Comment

Please login to continue.