class Xss

Provides helper to filter for cross-site scripting.

Properties

static protected array $adminTags

The list of HTML tags allowed by filterAdmin().

static protected array $htmlTags

The default list of HTML tags allowed by filter().

Methods

static string filter($string, array $html_tags = NULL)

Filters HTML to prevent cross-site-scripting (XSS) vulnerabilities.

static string filterAdmin(string $string)

Applies a very permissive XSS/HTML filter for admin-only use.

static protected string split(string $string, array $html_tags, string $class)

Processes an HTML tag.

static protected string attributes(string $attributes)

Processes a string of HTML attributes.

static protected bool needsRemoval($html_tags, $elem)

Whether this element needs to be removed altogether.

static array getAdminTagList()

Gets the list of HTML tags allowed by Xss::filterAdmin().

static array getHtmlTagList()

Gets the standard list of HTML tags allowed by Xss::filter().

Details

static string filter($string, array $html_tags = NULL)

Filters HTML to prevent cross-site-scripting (XSS) vulnerabilities.

Based on kses by Ulf Harnhammar, see http://sourceforge.net/projects/kses. For examples of various XSS attacks, see: http://ha.ckers.org/xss.html.

This code does four things:

  • Removes characters and constructs that can trick browsers.
  • Makes sure all HTML entities are well-formed.
  • Makes sure all HTML tags and attributes are well-formed.
  • Makes sure no HTML tags contain URLs with a disallowed protocol (e.g. javascript:).

Parameters

$string

The string with raw HTML in it. It will be stripped of everything that can cause an XSS attack.

array $html_tags

An array of allowed HTML tag names. When omitted, the default list returned by Xss::getHtmlTagList() is used; any tag not in the list is removed from the output.

Return Value

string

An XSS safe version of $string, or an empty string if $string is not valid UTF-8.

See also

Unicode::validateUtf8

static string filterAdmin(string $string)

Applies a very permissive XSS/HTML filter for admin-only use.

Use only for fields where it is impractical to use the whole filter system, but where some (mainly inline) mark-up is desired (so \Drupal\Component\Utility\Html::escape() is not acceptable).

Allows all tags that can be used inside an HTML body, save for scripts and styles.

Parameters

string $string

The string to apply the filter to.

Return Value

string

The filtered string.

See also

Xss::getAdminTagList
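The following script, added here as an example and not part of the Xss class or of Drupal core, exercises filter() and filterAdmin() against constructed inputs that hit each of the four checks listed above. It assumes Drupal core is installed via Composer so that vendor/autoload.php resolves the Drupal\Component namespace; the two helper functions are hypothetical wrappers, not core API.

```php
<?php
// Added example exercising \Drupal\Component\Utility\Xss.
// Assumption: Drupal core is installed via Composer in this directory.
require_once __DIR__ . '/vendor/autoload.php';

use Drupal\Component\Utility\Xss;

/**
 * Hypothetical helper: filters untrusted markup for an HTML body context
 * with an allow-list narrower than Xss::getHtmlTagList() (no links at all).
 */
function filter_comment_body(string $raw): string {
  // Only these tags survive; every other tag, and every attribute that
  // Xss::attributes() rejects, is removed.
  $allowed = ['em', 'strong', 'code', 'ul', 'ol', 'li'];
  return Xss::filter($raw, $allowed);
}

/**
 * Hypothetical helper: filters markup typed by a trusted administrator.
 * Permits everything usable inside <body> except scripts and styles.
 */
function filter_admin_markup(string $raw): string {
  return Xss::filterAdmin($raw);
}

// Constructed sample inputs, one per check described in the filter() docs.
$samples = [
  // Disallowed tag: the element is dropped, its text content is kept.
  '<script>alert(1)</script><strong>bold</strong>',
  // Attribute value using a disallowed protocol.
  '<a href="javascript:alert(1)">click</a>',
  // Malformed tag/attribute syntax and an event-handler attribute.
  '<em onmouseover="alert(1)" <b>text</em>',
  // Invalid UTF-8: filter() returns an empty string for this input.
  "\xC3\x28 text",
];

foreach ($samples as $raw) {
  printf("in:     %s\n", $raw);
  printf("filter: %s\n", filter_comment_body($raw));
  printf("admin:  %s\n\n", filter_admin_markup($raw));
}
```

Compare the two output columns: the admin filter keeps tags such as `<a>` that the narrow allow-list drops, but both strip scripts and the disallowed protocol. The filtered string is safe only in an HTML body context; it must still be escaped if placed inside an attribute or a script block.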

static protected string split(string $string, array $html_tags, string $class)

Processes an HTML tag.

Parameters

string $string

The HTML tag to process.

array $html_tags

An array where the keys are the allowed tags and the values are not used.

string $class

The called class. This method is called from an anonymous function which breaks late static binding. See https://bugs.php.net/bug.php?id=66622 for more information.

Return Value

string

If the element isn't allowed, an empty string. Otherwise, the cleaned up version of the HTML element.

static protected string attributes(string $attributes)

Processes a string of HTML attributes.

Parameters

string $attributes

The string of HTML attributes to process.

Return Value

string

Cleaned up version of the HTML attributes.

static protected bool needsRemoval($html_tags, $elem)

Whether this element needs to be removed altogether.

Parameters

$html_tags

The list of HTML tags.

$elem

The name of the HTML element.

Return Value

bool

TRUE if this element needs to be removed.

static array getAdminTagList()

Gets the list of HTML tags allowed by Xss::filterAdmin().

Return Value

array

The list of HTML tags allowed by filterAdmin().

static array getHtmlTagList()

Gets the standard list of HTML tags allowed by Xss::filter().

Return Value

array

The list of HTML tags allowed by Xss::filter().