public static function Insecure::filterXss in Drupal 10
Same name and namespace in other branches
- 8 core/modules/editor/tests/modules/src/EditorXssFilter/Insecure.php \Drupal\editor_test\EditorXssFilter\Insecure::filterXss()
- 9 core/modules/editor/tests/modules/src/EditorXssFilter/Insecure.php \Drupal\editor_test\EditorXssFilter\Insecure::filterXss()
Filters HTML to prevent XSS attacks when a user edits it in a text editor.
Should filter as minimally as possible, only to remove XSS attack vectors.
Is only called when:
- loading a non-XSS-safe text editor for a $format that contains a filter preventing XSS attacks (a FilterInterface::TYPE_HTML_RESTRICTOR filter): if the output is safe, it should also be safe to edit.
- loading a non-XSS-safe text editor for a $format that doesn't contain a filter preventing XSS attacks, but we're switching from a previous text format ($original_format is not NULL) that did prevent XSS attacks: if the output was previously safe, it should be safe to switch to another text format and edit.
Parameters
string $html: The HTML to be filtered.
\Drupal\filter\FilterFormatInterface $format: The text format configuration entity. Provides context based upon which one may want to adjust the filtering.
\Drupal\filter\FilterFormatInterface|null $original_format: (optional) The original text format configuration entity (when switching text formats/editors). Also provides context based upon which one may want to adjust the filtering.
Return value
string The filtered HTML that cannot cause any XSSes anymore.
Overrides EditorXssFilterInterface::filterXss
File
- core/
modules/ editor/ tests/ modules/ src/ EditorXssFilter/ Insecure.php, line 16
Class
- Insecure
- Defines an insecure text editor XSS filter (for testing purposes).
Namespace
Drupal\editor_test\EditorXssFilterCode
public static function filterXss($html, FilterFormatInterface $format, FilterFormatInterface $original_format = NULL) {
// Don't apply any XSS filtering, just return the string we received.
return $html;
}