function html_title_filter_xss in HTML Title 7

Helper function to filter out unwanted XSS opportunities.

Use this function if you expect to have junk or incomplete HTML. It uses the same strategy as the "Fix HTML" option of the HTML filter in the text format configuration: the title is first loaded into a DOM so that broken markup is repaired and text nodes are escaped, and the repaired markup is then passed to filter_xss() with the configured allow-list of elements.

3 calls to html_title_filter_xss()

html_title_preprocess_node in ./html_title.module: Implementation of template_preprocess_node()
html_title_preprocess_page in ./html_title.module: Implementation of hook_preprocess_page()
html_title_preprocess_search_result in ./html_title.module: Implementation of hook_preprocess_search_result()

File

./html_title.module, line 120
This module enables limited HTML to be used in node titles. It strips title markup from RSS feeds to eliminate unsightly markup in feed readers.

Code

function html_title_filter_xss($title) {
  // Elements allowed to survive filtering; site-configurable, defaults to em/sub/sup.
  $elements = variable_get('html_title_allowed_elements', array(
    'em',
    'sub',
    'sup',
  ));
  $dom = new DOMDocument();

  // Ignore warnings during HTML soup loading. Wrapping the title in a complete
  // XHTML document lets libxml repair incomplete markup; the charset meta keeps
  // non-ASCII titles intact.
  @$dom->loadHTML('<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /></head><body>' . $title . '</body></html>', LIBXML_NOENT);

  // Escape every text node under <body>, quotes included.
  $xp = new DOMXPath($dom);
  $q = "//body//text()";
  $nodes = $xp->query($q);
  foreach ($nodes as $n) {
    $n->nodeValue = htmlspecialchars($n->nodeValue, ENT_QUOTES);
  }
  $body = $dom->saveHTML($dom->getElementsByTagName('body')->item(0));

  // $dom->saveHTML() escapes & as &amp; for all entities that were replaced
  // using htmlspecialchars(). Undo this double-escaping.
  $body = str_replace('&amp;', '&', $body);

  // Hand the repaired markup to Drupal's filter_xss() with the allow-list.
  return filter_xss($body, $elements);
}
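The following script is an added example, not code from the HTML Title module. It reproduces, outside Drupal, the two stages that html_title_filter_xss() chains together: loading a junk title into a DOM so libxml repairs it, escaping the text nodes and undoing the resulting &amp; double-escaping, and then reducing the markup to an allow-list of elements. The second stage in the module is Drupal's filter_xss(); here it is replaced by a hypothetical, deliberately minimal strip_to_allowed() so the script runs stand-alone with plain PHP. normalize_title_html(), strip_to_allowed() and the sample titles are all constructed for this example.

```php
<?php
// Added example: not code from the HTML Title module. Reproduces the two
// stages of html_title_filter_xss() without Drupal:
//   1. load the (possibly junk) title into a DOM so libxml repairs it, escape
//      every text node, and undo the &amp; double-escaping this causes;
//   2. reduce the result to an allow-list of elements.
// Stage 2 in the module is filter_xss(); strip_to_allowed() below is a
// hypothetical, minimal stand-in and must not be used in its place.

function normalize_title_html(string $title): string {
    $dom = new DOMDocument();
    // '@' silences libxml's warnings about malformed markup, as the module does.
    // The charset meta keeps non-ASCII titles intact. The module also passes
    // LIBXML_NOENT (entity substitution); it is not needed here and is omitted.
    @$dom->loadHTML('<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body>' . $title . '</body></html>');

    $xp = new DOMXPath($dom);
    foreach ($xp->query('//body//text()') as $textNode) {
        // DOMText::$nodeValue stores the string literally, so the entities
        // produced here get their '&' escaped again on serialization.
        $textNode->nodeValue = htmlspecialchars($textNode->nodeValue, ENT_QUOTES);
    }

    // Serialize the children of <body> rather than <body> itself so the
    // wrapper element does not appear in the output.
    $out = '';
    foreach ($dom->getElementsByTagName('body')->item(0)->childNodes as $child) {
        $out .= $dom->saveHTML($child);
    }
    // Same step as the module: collapse the double escaping.
    return str_replace('&amp;', '&', $out);
}

// Hypothetical stand-in for filter_xss(): drop every tag not in $allowed and
// strip all attributes from the tags that remain. It only handles the cases
// in this demo; the real filter does considerably more.
function strip_to_allowed(string $html, array $allowed): string {
    return preg_replace_callback('~</?([a-zA-Z0-9]+)[^>]*>~', function ($m) use ($allowed) {
        $name = strtolower($m[1]);
        if (!in_array($name, $allowed, true)) {
            return '';
        }
        return $m[0][1] === '/' ? "</$name>" : "<$name>";
    }, $html);
}

// Constructed sample titles covering the cases the docblock mentions:
// incomplete markup, stray operators and quotes in text, and markup outside
// the allow-list (an event-handler attribute and a disallowed element).
$allowed = ['em', 'sub', 'sup'];
$samples = [
    'Unclosed <em>emphasis',
    'a < b && "c" > d',
    '<em onclick="alert(1)">Hover</em>',
    'Area in m<sup>2</sup> <script>alert(1)</script>',
];
foreach ($samples as $title) {
    $fixed = normalize_title_html($title);
    printf("%-45s => %s\n", $title, strip_to_allowed($fixed, $allowed));
}
```

Run it with the PHP CLI (php example.php). The first sample shows libxml closing the unclosed <em>; the second shows why the str_replace('&amp;', '&') step exists, since without it every entity produced by htmlspecialchars() would reach the output as &amp;lt; and similar; the last two show that the allow-list stage, not the DOM stage, is what removes the attribute and the <script> tags. Note that tag stripping leaves the text content of a removed element in place, which is also how Drupal's filter_xss() behaves.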