public static function BlazyUtil::sanitize in Blazy 8.2

Returns the sanitized attributes for user-defined (UGC Blazy Filter).

When IMG and IFRAME are allowed for untrusted users, any attribute that can carry a URL or an event handler is an injection vector. Hence sanitize the attributes relevant to BlazyFilter here; the rest should be taken care of by the HTML filters that run after Blazy.

Parameters

array $attributes: The given attributes to sanitize.

Return value

array The sanitized $attributes suitable for UGC, such as Blazy filter.

2 calls to BlazyUtil::sanitize()
BlazyManager::buildMedia in src/BlazyManager.php
Build out (Responsive) image.
BlazyManager::prepareBlazy in src/BlazyManager.php
Prepares the Blazy output as a structured array ready for ::renderer().

File

src/BlazyUtil.php, line 50

Class

BlazyUtil
Provides Blazy utilities.

Namespace

Drupal\blazy

Code

public static function sanitize(array $attributes = []) {
  $clean_attributes = [];
  // Attributes that may carry a URL. Blazy lazyloads known URLs and sets
  // these itself, so author-supplied values are never kept under these keys.
  $tags = [
    'href',
    'poster',
    'src',
    'about',
    'data',
    'action',
    'formaction',
  ];
  foreach ($attributes as $key => $value) {
    if (is_array($value)) {

      // Respects array item containing space delimited classes: aaa bbb ccc.
      // Each token is reduced to a valid CSS identifier; characters outside
      // the identifier set are stripped. Html is
      // \Drupal\Component\Utility\Html, imported at the top of src/BlazyUtil.php.
      $value = implode(' ', $value);
      $clean_attributes[$key] = array_map('\Drupal\Component\Utility\Html::cleanCssIdentifier', explode(' ', $value));
    }
    else {

      // Since Blazy is lazyloading known URLs, sanitize attributes which
      // make no sense to stick around within IMG or IFRAME tags.
      // A "kid" is an on* event handler or one of the URL-bearing attributes
      // above: its key is prefixed with data- and its value reduced to a CSS
      // identifier, so neither a handler nor a working URL survives. Both
      // tests are exact and case-sensitive on the key as given. Every other
      // attribute keeps its key and has its value HTML-escaped.
      $kid = mb_substr($key, 0, 2) === 'on' || in_array($key, $tags);
      $key = $kid ? 'data-' . $key : $key;
      $clean_attributes[$key] = $kid ? Html::cleanCssIdentifier($value) : Html::escape($value);
    }
  }
  return $clean_attributes;
}
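As an added example (not code from Blazy or from this page), the script below runs sanitize() over a constructed attribute set of the kind the Blazy filter might receive from an untrusted author, then checks the property the docblock promises: no event handler and no URL-bearing attribute survives under its original name. It assumes a Drupal site with Blazy 8.2 installed (for instance run via `drush php:script`); the attribute values and the trusted image path assigned at the end are made up for illustration and stand in for what the callers BlazyManager::buildMedia and BlazyManager::prepareBlazy obtain from a known source.

```php
<?php

/**
 * Added example, not part of Blazy: exercise BlazyUtil::sanitize() on a
 * constructed untrusted attribute set. Requires a Drupal site with Blazy.
 */

use Drupal\blazy\BlazyUtil;

// Constructed sample input: attributes an untrusted author might place on an
// IMG tag that the Blazy filter allows.
$untrusted = [
  // URL-bearing: key becomes data-src, value reduced to a CSS identifier.
  'src' => 'https://example.com/x.png',
  // Event handler: key becomes data-onerror, value reduced likewise.
  'onerror' => 'alert(1)',
  // Also in the blocked list, even though it is meaningless on an IMG.
  'formaction' => '/logout',
  // Array value: each space-delimited token goes through cleanCssIdentifier.
  'class' => ['media', 'media--image lazy'],
  // Plain text: key kept, value HTML-escaped.
  'alt' => 'Photo of a "cat" <b>& dog</b>',
  // Any other attribute: key kept, value HTML-escaped.
  'data-foo' => 'bar',
];

$clean = BlazyUtil::sanitize($untrusted);

// The check a practitioner wants: the same key tests sanitize() applies must
// find nothing left in its output. Mirrors the $tags list in the method.
$blocked = ['href', 'poster', 'src', 'about', 'data', 'action', 'formaction'];
foreach (array_keys($clean) as $key) {
  if (in_array($key, $blocked, TRUE) || mb_substr($key, 0, 2) === 'on') {
    throw new \RuntimeException("Unsafe attribute survived sanitize(): $key");
  }
}

// The real lazyload URL is supplied afterwards from a source Blazy trusts
// (image style, file entity), never from the author's value. Hypothetical
// path, for illustration only.
$clean['data-src'] = '/sites/default/files/styles/large/public/cat.jpg';

// Inspect the result: data-onerror and data-formaction are present but hold
// identifier-only strings; alt carries the escaped text; class is an array
// of cleaned tokens.
print_r($clean);
```

Because sanitize() renames the author's `src` to `data-src` with an identifier-cleaned value, the caller must overwrite `data-src` with the trusted URL after sanitizing, as the last step above does; sanitizing after setting the trusted URL would mangle it.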