public static function BlazyUtil::sanitize in Blazy 8.2
Returns the sanitized attributes for user-defined (UGC Blazy Filter).
When IMG and IFRAME are allowed for untrusted users, trojan horses are welcome. Hence sanitize attributes relevant for BlazyFilter. The rest should be taken care of by HTML filters after Blazy.
Parameters
array $attributes: The given attributes to sanitize.
Return value
array The sanitized $attributes suitable for UGC, such as Blazy filter.
2 calls to BlazyUtil::sanitize()
- BlazyManager::buildMedia in src/BlazyManager.php - Build out (Responsive) image.
- BlazyManager::prepareBlazy in src/BlazyManager.php - Prepares the Blazy output as a structured array ready for ::renderer().
File
- src/BlazyUtil.php, line 50
Class
- BlazyUtil
- Provides Blazy utilities.
Namespace
Drupal\blazy
Code
public static function sanitize(array $attributes = []) {
  $clean_attributes = [];
  $tags = [
    'href',
    'poster',
    'src',
    'about',
    'data',
    'action',
    'formaction',
  ];
  foreach ($attributes as $key => $value) {
    if (is_array($value)) {
      // Respects array item containing space delimited classes: aaa bbb ccc.
      $value = implode(' ', $value);
      $clean_attributes[$key] = array_map('\\Drupal\\Component\\Utility\\Html::cleanCssIdentifier', explode(' ', $value));
    }
    else {
      // Since Blazy is lazyloading known URLs, sanitize attributes which
      // make no sense to stick around within IMG or IFRAME tags.
      $kid = mb_substr($key, 0, 2) === 'on' || in_array($key, $tags);
      $key = $kid ? 'data-' . $key : $key;
      $clean_attributes[$key] = $kid ? Html::cleanCssIdentifier($value) : Html::escape($value);
    }
  }
  return $clean_attributes;
}
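The listing's behaviour on a constructed set of user-supplied attributes, as an added example that is not Blazy's own code. `clean_identifier()` and `escape()` are stand-ins (assumptions) for Drupal's `Html::cleanCssIdentifier()` and `Html::escape()` so the script runs outside Drupal. Lower-casing the keys before the call is an added precaution, since the listing compares attribute names case-sensitively.

```php
<?php
// Added example, not Blazy's code. clean_identifier() is a simplified
// stand-in (assumption) for Html::cleanCssIdentifier(); escape() stands in
// for Html::escape(). Both exist only so the script runs outside Drupal.

function clean_identifier(string $value): string {
  // Map common separators to hyphens, then drop characters that are not
  // letters, digits, hyphens, underscores or non-ASCII.
  $value = strtr($value, [' ' => '-', '/' => '-', '[' => '-', ']' => '']);
  return preg_replace('/[^A-Za-z0-9_\x{00A1}-\x{FFFF}-]/u', '', $value);
}

function escape(string $value): string {
  return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Same branching as the listing above, with the stand-ins swapped in.
function sanitize_demo(array $attributes): array {
  $names = ['href', 'poster', 'src', 'about', 'data', 'action', 'formaction'];
  $clean = [];
  foreach ($attributes as $key => $value) {
    if (is_array($value)) {
      // Multi-value attributes (classes): clean each space-delimited token.
      $clean[$key] = array_map('clean_identifier', explode(' ', implode(' ', $value)));
    }
    else {
      // Event handlers and URL-bearing attributes are parked under data-*
      // and their values are reduced to identifier characters.
      $kid = substr((string) $key, 0, 2) === 'on' || in_array($key, $names);
      $name = $kid ? 'data-' . $key : $key;
      $clean[$name] = $kid ? clean_identifier($value) : escape($value);
    }
  }
  return $clean;
}

// Constructed sample of attributes parsed from untrusted markup.
$ugc = [
  'CLASS' => ['media media--image', 'b-lazy'],
  'alt' => 'Cat "photo" <b>',
  'SRC' => 'javascript:void(0)',
  'onerror' => 'track(this.src)',
];

// Assumption: keys are lower-cased first, because the listing compares
// attribute names case-sensitively.
var_export(sanitize_demo(array_change_key_case($ugc, CASE_LOWER)));
```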