public static Xss::filter($string, array $html_tags = NULL)
Filters HTML to prevent cross-site-scripting (XSS) vulnerabilities.
Based on kses by Ulf Harnhammar, see http://sourceforge.net/projects/kses. For examples of various XSS attacks, see: http://ha.ckers.org/xss.html.
This code does four things:
- Removes characters and constructs that can trick browsers.
- Makes sure all HTML entities are well-formed.
- Makes sure all HTML tags and attributes are well-formed.
- Makes sure no HTML tags contain URLs with a disallowed protocol (e.g. javascript:).
Parameters
$string: The string with raw HTML in it. It will be stripped of everything that can cause an XSS attack.
array $html_tags: An array of HTML tags.
Return value
string An XSS safe version of $string, or an empty string if $string is not valid UTF-8.
See also
\Drupal\Component\Utility\Unicode::validateUtf8()
Related topics
- Sanitization functions
- Functions to sanitize values.
File
- core/lib/Drupal/Component/Utility/Xss.php, line 57
Class
- Xss
- Provides helper to filter for cross-site scripting.
Namespace
Drupal\Component\Utility
Code
public static function filter($string, array $html_tags = NULL) { if (is_null($html_tags)) { $html_tags = static::$htmlTags; } // Only operate on valid UTF-8 strings. This is necessary to prevent cross // site scripting issues on Internet Explorer 6. if (!Unicode::validateUtf8($string)) { return ''; } // Remove NULL characters (ignored by some browsers). $string = str_replace(chr(0), '', $string); // Remove Netscape 4 JS entities. $string = preg_replace('%&\s*\{[^}]*(\}\s*;?|$)%', '', $string); // Defuse all HTML entities. $string = str_replace('&', '&', $string); // Change back only well-formed entities in our whitelist: // Decimal numeric entities. $string = preg_replace('/&#([0-9]+;)/', '&#\1', $string); // Hexadecimal numeric entities. $string = preg_replace('/&#[Xx]0*((?:[0-9A-Fa-f]{2})+;)/', '&#x\1', $string); // Named entities. $string = preg_replace('/&([A-Za-z][A-Za-z0-9]*;)/', '&\1', $string); $html_tags = array_flip($html_tags); // Late static binding does not work inside anonymous functions. $class = get_called_class(); $splitter = function($matches) use ($html_tags, $class) { return $class::split($matches[1], $html_tags, $class); }; // Strip any tags that are not in the whitelist. return preg_replace_callback('% ( <(?=[^a-zA-Z!/]) # a lone < | # or <!--.*?--> # a comment | # or <[^>]*(>|$) # a string that starts with a <, up until the > or the end of the string | # or > # just a > )%x', $splitter, $string); }
Please login to continue.