1. class
  2. Drupal
  3. \
  4. editor
  5. \
  6. EditorXssFilter
  7. \
  8. Standard

Standard

class Standard extends Xss implements EditorXssFilterInterface (View source)

Defines the standard text editor XSS filter.

Properties

static protected array $adminTags

The list of HTML tags allowed by filterAdmin().

 from  Xss
static protected array $htmlTags

The default list of HTML tags allowed by filter().

 from  Xss

Methods

static string
filter($string, array $html_tags = NULL)

Filters HTML to prevent cross-site-scripting (XSS) vulnerabilities.

from  Xss
static string
filterAdmin(string $string)

Applies a very permissive XSS/HTML filter for admin-only use.

from  Xss
static string
split(string $string, array $html_tags, string $class)

Processes an HTML tag.

from  Xss
static string
attributes(string $attributes)

Processes a string of HTML attributes.

from  Xss
static bool
needsRemoval($html_tags, $elem)

Whether this element needs to be removed altogether.

static array
getAdminTagList()

Gets the list of HTML tags allowed by Xss::filterAdmin().

from  Xss
static array
getHtmlTagList()

Gets the standard list of HTML tags allowed by Xss::filter().

from  Xss
static string
filterXss(string $html, FilterFormatInterface $format, FilterFormatInterface $original_format = NULL)

Filters HTML to prevent XSS attacks when a user edits it in a text editor.

static string
filterXssDataAttributes(string $html)

Applies a very permissive XSS/HTML filter to data-attributes.

static array
getAllowedTags(array|false $restrictions)

Get all allowed tags from a restrictions data structure.

static array
getForbiddenTags(array|false $restrictions)

Get all forbidden tags from a restrictions data structure.

Details

in Xss at line 59
static string filter($string, array $html_tags = NULL)

Filters HTML to prevent cross-site-scripting (XSS) vulnerabilities.

Based on kses by Ulf Harnhammar, see http://sourceforge.net/projects/kses. For examples of various XSS attacks, see: http://ha.ckers.org/xss.html.

This code does four things:

  • Removes characters and constructs that can trick browsers.
  • Makes sure all HTML entities are well-formed.
  • Makes sure all HTML tags and attributes are well-formed.
  • Makes sure no HTML tags contain URLs with a disallowed protocol (e.g. javascript:).

Parameters

$string

The string with raw HTML in it. It will be stripped of everything that can cause an XSS attack.
array $html_tags

An array of HTML tags.

Return Value

string

An XSS safe version of $string, or an empty string if $string is not valid UTF-8.

See also

Unicode::validateUtf8

in Xss at line 122
static string filterAdmin(string $string)

Applies a very permissive XSS/HTML filter for admin-only use.

Use only for fields where it is impractical to use the whole filter system, but where some (mainly inline) mark-up is desired (so \Drupal\Component\Utility\Html::escape() is not acceptable).

Allows all tags that can be used inside an HTML body, save for scripts and styles.

Parameters

string $string

The string to apply the filter to.

Return Value

string

The filtered string.

See also

Xss::getAdminTagList

in Xss at line 143
static protected string split(string $string, array $html_tags, string $class)

Processes an HTML tag.

Parameters

string $string

The HTML tag to process.
array $html_tags

An array where the keys are the allowed tags and the values are not used.
string $class

The called class. This method is called from an anonymous function which breaks late static binding. See https://bugs.php.net/bug.php?id=66622 for more information.

Return Value

string

If the element isn't allowed, an empty string. Otherwise, the cleaned up version of the HTML element.

in Xss at line 202
static protected string attributes(string $attributes)

Processes a string of HTML attributes.

Parameters

string $attributes

The html attribute to process.

Return Value

string

Cleaned up version of the HTML attributes.

at line 166
static protected bool needsRemoval($html_tags, $elem)

Whether this element needs to be removed altogether.

Parameters

$html_tags

The list of HTML tags.
$elem

The name of the HTML element.

Return Value

bool

TRUE if this element needs to be removed.

in Xss at line 350
static array getAdminTagList()

Gets the list of HTML tags allowed by Xss::filterAdmin().

Return Value

array

The list of HTML tags allowed by filterAdmin().

in Xss at line 360
static array getHtmlTagList()

Gets the standard list of HTML tags allowed by Xss::filter().

Return Value

array

The list of HTML tags allowed by Xss::filter().

at line 18
static string filterXss(string $html, FilterFormatInterface $format, FilterFormatInterface $original_format = NULL)

Filters HTML to prevent XSS attacks when a user edits it in a text editor.

Should filter as minimally as possible, only to remove XSS attack vectors.

Is only called when:

  • loading a non-XSS-safe text editor for a $format that contains a filter preventing XSS attacks (a FilterInterface::TYPE_HTML_RESTRICTOR filter): if the output is safe, it should also be safe to edit.
  • loading a non-XSS-safe text editor for a $format that doesn't contain a filter preventing XSS attacks, but we're switching from a previous text format ($original_format is not NULL) that did prevent XSS attacks: if the output was previously safe, it should be safe to switch to another text format and edit.

Parameters

string $html

The HTML to be filtered.
FilterFormatInterface $format

The text format configuration entity. Provides context based upon which one may want to adjust the filtering.
FilterFormatInterface $original_format

(optional) The original text format configuration entity (when switching text formats/editors). Also provides context based upon which one may want to adjust the filtering.

Return Value

string

The filtered HTML that cannot cause any XSSes anymore.

at line 101
static protected string filterXssDataAttributes(string $html)

Applies a very permissive XSS/HTML filter to data-attributes.

Parameters

string $html

The string to apply the data-attributes filtering to.

Return Value

string

The filtered string.

at line 130
static protected array getAllowedTags(array|false $restrictions)

Get all allowed tags from a restrictions data structure.

Parameters

array|false $restrictions

Restrictions as returned by FilterInterface::getHTMLRestrictions().

Return Value

array

An array of allowed HTML tags.

See also

\Drupal\filter\Plugin\Filter\FilterInterface::getHTMLRestrictions()

at line 154
static protected array getForbiddenTags(array|false $restrictions)

Get all forbidden tags from a restrictions data structure.

Parameters

array|false $restrictions

Restrictions as returned by FilterInterface::getHTMLRestrictions().

Return Value

array

An array of forbidden HTML tags.

See also

\Drupal\filter\Plugin\Filter\FilterInterface::getHTMLRestrictions()