Collects, sanitizes, and renders HTML attributes.
To use, optionally pass in an associative array of defined attributes, or add attributes using array syntax. For example:
```php
$attributes = new Attribute(array('id' => 'socks'));
$attributes['class'] = array('black-cat', 'white-cat');
$attributes['class'][] = 'black-white-cat';
echo '<cat' . $attributes . '>';
// Produces <cat id="socks" class="black-cat white-cat black-white-cat">
```
$attributes always prints out all the attributes. For example:
```php
$attributes = new Attribute(array('id' => 'socks'));
$attributes['class'] = array('black-cat', 'white-cat');
$attributes['class'][] = 'black-white-cat';
echo '<cat class="cat ' . $attributes['class'] . '"' . $attributes . '>';
// Produces <cat class="cat black-cat white-cat black-white-cat" id="socks" class="cat black-cat white-cat black-white-cat">
```
When printing out individual attributes to customize them within a Twig template, use the "without" filter to prevent attributes that have already been printed from being printed again. For example:
```twig
<cat class="{{ attributes.class }} my-custom-class"{{ attributes|without('class') }}>
{# Produces <cat class="cat black-cat white-cat black-white-cat my-custom-class" id="socks"> #}
```
The attribute keys and values are automatically escaped for output with Html::escape(). No protocol filtering is applied, so when using user-entered input as a value for an attribute that expects a URI (href, src, ...), UrlHelper::stripDangerousProtocols() should be used to ensure dangerous protocols (such as 'javascript:') are removed. For example:
```php
$path = 'javascript:alert("xss");';
$path = UrlHelper::stripDangerousProtocols($path);
$attributes = new Attribute(array('href' => $path));
echo '<a' . $attributes . '>';
// Produces <a href="alert(&quot;xss&quot;);">
```
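The following stand-alone sketch is an added example, not Drupal's own code. It shows why escaping alone leaves a URI attribute exposed: the escaped-only output still carries the `javascript:` scheme, while the filtered output does not. `escape_attr()`, `strip_disallowed_schemes()` and `render_link()` are hypothetical stand-ins for Html::escape(), UrlHelper::stripDangerousProtocols() and the Attribute rendering, and the three-scheme allowlist is a constructed sample.

```php
<?php
// Added example: stand-alone stand-ins, not Drupal's own implementation.

// Stand-in for Html::escape(): HTML-escapes the value, quotes included.
function escape_attr(string $text): string {
  return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Simplified stand-in for UrlHelper::stripDangerousProtocols(): strip leading
// "scheme:" prefixes until the scheme is allowed or the URI is relative.
// The default allowlist is a constructed sample, not Drupal's configured list.
function strip_disallowed_schemes(string $uri, array $allowed = ['http', 'https', 'mailto']): string {
  do {
    $before = $uri;
    $colon = strpos($uri, ':');
    if ($colon > 0) {
      $scheme = substr($uri, 0, $colon);
      // A "/", "?" or "#" before the colon means the URI is relative.
      if (preg_match('![/?#]!', $scheme)) {
        break;
      }
      if (!in_array(strtolower($scheme), $allowed, true)) {
        $uri = substr($uri, $colon + 1);
      }
    }
  } while ($before !== $uri);
  return $uri;
}

// Render an <a> tag: the value is always escaped, the scheme filter is optional.
function render_link(string $href, bool $filter): string {
  if ($filter) {
    $href = strip_disallowed_schemes($href);
  }
  return '<a href="' . escape_attr($href) . '">';
}

// Constructed inputs: the value used on this page plus two benign URLs.
$inputs = ['javascript:alert("xss");', 'https://example.com/?a=1&b=2', '/node/1?destination=a:b'];
foreach ($inputs as $input) {
  echo 'escaped only:       ', render_link($input, false), "\n";
  echo 'filtered + escaped: ', render_link($input, true), "\n\n";
}
```

The allowed and relative URLs come out identical in both modes, so applying the filter to every user-supplied URI value costs nothing for legitimate input.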
The attribute values are considered plain text and are treated as such. If a safe HTML string is detected, it is converted to plain text with PlainTextOutput::renderFromHtml() before being escaped. For example:
```php
$value = t('Highlight the @tag tag', ['@tag' => '<em>']);
$attributes = new Attribute(['value' => $value]);
echo '<input' . $attributes . '>';
// Produces <input value="Highlight the &lt;em&gt; tag">
```
Hierarchy
- class \Drupal\Core\Template\Attribute implements \ArrayAccess, \IteratorAggregate, MarkupInterface
See also
\Drupal\Component\Utility\Html::escape()
\Drupal\Component\Render\PlainTextOutput::renderFromHtml()
\Drupal\Component\Utility\UrlHelper::stripDangerousProtocols()
File
- core/lib/Drupal/Core/Template/Attribute.php, line 65
Namespace
Drupal\Core\Template
Members
Name | Modifiers | Type | Description |
---|---|---|---|
Attribute::$storage | protected | property | Stores the attribute data. |
Attribute::addClass | public | function | Adds classes or merges them on to array of existing CSS classes. |
Attribute::createAttributeValue | protected | function | Creates the different types of attribute values. |
Attribute::getIterator | public | function | |
Attribute::hasClass | public | function | Checks if the class array has the given CSS class. |
Attribute::jsonSerialize | public | function | Returns a representation of the object for use in JSON serialization. |
Attribute::offsetExists | public | function | |
Attribute::offsetGet | public | function | |
Attribute::offsetSet | public | function | |
Attribute::offsetUnset | public | function | |
Attribute::removeAttribute | public | function | Removes an attribute from an Attribute object. |
Attribute::removeClass | public | function | Removes argument values from array of existing CSS classes. |
Attribute::setAttribute | public | function | Sets values for an attribute key. |
Attribute::storage | public | function | Returns the whole array. |
Attribute::toArray | public | function | Returns all storage elements as an array. |
Attribute::__clone | public | function | Implements the magic __clone() method. |
Attribute::__construct | public | function | Constructs a \Drupal\Core\Template\Attribute object. |
Attribute::__toString | public | function | Implements the magic __toString() method. Overrides MarkupInterface::__toString |