protected function HtmlTitleFilter::filterXss in HTML Title 8
Helper function to help filter out unwanted XSS opportunities.
Use this function if you expect junk or incomplete HTML. It uses the same strategy as the "Fix Html" filter option when configuring the HTML filter in the text format configuration.
1 call to HtmlTitleFilter::filterXss()
- HtmlTitleFilter::decodeToText in src/HtmlTitleFilter.php - Filter string with allowed HTML tags.
File
- src/HtmlTitleFilter.php, line 50
Class
- HtmlTitleFilter
Namespace
- Drupal\html_title
Code
// Requires: use Drupal\Component\Utility\Xss;
protected function filterXss($title) {
  $dom = new \DOMDocument();
  // Ignore warnings during HTML soup loading; LIBXML_NOENT substitutes entity
  // references while parsing.
  @$dom->loadHTML('<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /></head><body>' . $title . '</body></html>', LIBXML_NOENT);
  $xp = new \DOMXPath($dom);
  $q = "//body//text()";
  $nodes = $xp->query($q);
  // Escape every text node so that "<", ">", "&" and quotes inside the text
  // are carried as entities; the markup itself is left for Xss::filter() below.
  foreach ($nodes as $n) {
    $n->nodeValue = htmlspecialchars($n->nodeValue, ENT_QUOTES);
  }
  $body = $dom->saveHTML($dom->getElementsByTagName('body')->item(0));
  // $dom->saveHTML() escapes & as &amp; for all entities that were replaced
  // using htmlspecialchars(). Undo this double-escaping.
  $body = str_replace('&amp;', '&', $body);
  return Xss::filter($body, $this->getAllowHtmlTags());
}
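The following is an added walk-through, not code from the HTML Title module: it repeats the DOM steps of filterXss() on a constructed title and returns each intermediate string, stopping before Xss::filter() (which needs a Drupal install), so the double-escaping that the str_replace() undoes can be inspected. normalizeSoup() and the sample title are assumptions of this example.

```php
<?php
// Added example (not the module's code): replays the DOM normalization of
// HtmlTitleFilter::filterXss() and returns the intermediate strings.
// normalizeSoup() and the sample title below are constructed for this example.

function normalizeSoup(string $title): array {
  // Same wrapper document as the method above; the title is the body content.
  $wrapper = '<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" '
    . '"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">'
    . '<html xmlns="http://www.w3.org/1999/xhtml"><head>'
    . '<meta http-equiv="Content-Type" content="text/html; charset=utf-8" /></head>'
    . '<body>' . $title . '</body></html>';

  $dom = new \DOMDocument();
  // Collect libxml's complaints about the soup instead of letting them print.
  $prev = libxml_use_internal_errors(true);
  $dom->loadHTML($wrapper, LIBXML_NOENT);
  $warnings = count(libxml_get_errors());
  libxml_clear_errors();
  libxml_use_internal_errors($prev);

  // Text nodes hold decoded characters ("&lt;" in the input is now "<"), so
  // htmlspecialchars() turns every text node back into entity-safe text.
  $xp = new \DOMXPath($dom);
  $escapedTexts = [];
  foreach ($xp->query('//body//text()') as $n) {
    $n->nodeValue = htmlspecialchars($n->nodeValue, ENT_QUOTES);
    $escapedTexts[] = $n->nodeValue;
  }

  // saveHTML() escapes "&" again, so "&amp;" in a text node comes out as
  // "&amp;amp;"; the str_replace() restores single escaping.
  $doubleEscaped = $dom->saveHTML($dom->getElementsByTagName('body')->item(0));
  $normalized = str_replace('&amp;', '&', $doubleEscaped);

  return [
    'libxml_warnings' => $warnings,
    'escaped_text_nodes' => $escapedTexts,
    'after_saveHTML' => $doubleEscaped,
    'handed_to_Xss_filter' => $normalized,
  ];
}

// Constructed title: a bare "&", an entity, and an unclosed <b> carrying an
// event-handler attribute that only Xss::filter() would remove.
$title = 'Fish & Chips &lt; 3 <b onclick="x()">bold';
foreach (normalizeSoup($title) as $stage => $value) {
  echo $stage, ': ', is_array($value) ? json_encode($value) : $value, PHP_EOL;
}
```

Comparing the after_saveHTML and handed_to_Xss_filter stages shows why the str_replace() is needed, and the attribute surviving in the last stage shows what is left for Xss::filter() and the allowed-tags list to handle.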