public static function Xss::filter in Service Container 7
Same name and namespace in other branches
- 7.2 lib/Drupal/Component/Utility/Xss.php \Drupal\Component\Utility\Xss::filter()
Filters HTML to prevent cross-site-scripting (XSS) vulnerabilities.
Based on kses by Ulf Harnhammar, see http://sourceforge.net/projects/kses. For examples of various XSS attacks, see: http://ha.ckers.org/xss.html.
This code does four things:
- Removes characters and constructs that can trick browsers.
- Makes sure all HTML entities are well-formed.
- Makes sure all HTML tags and attributes are well-formed.
- Makes sure no HTML tags contain URLs with a disallowed protocol (e.g. javascript:).
Parameters
$string: The string with raw HTML in it. It will be stripped of everything that can cause an XSS attack.
array $html_tags: An array of HTML tags.
Return value
string An XSS safe version of $string, or an empty string if $string is not valid UTF-8.
See also
\Drupal\Component\Utility\Unicode::validateUtf8()
1 call to Xss::filter()
- Xss::filterAdmin in lib/
Drupal/ Component/ Utility/ Xss.php - Applies a very permissive XSS/HTML filter for admin-only use.
File
- lib/
Drupal/ Component/ Utility/ Xss.php, line 62 - Contains \Drupal\Component\Utility\Xss.
Class
- Xss
- Provides helper to filter for cross-site scripting.
Namespace
Drupal\Component\UtilityCode
public static function filter($string, array $html_tags = NULL) {
if (is_null($html_tags)) {
$html_tags = static::$htmlTags;
}
// Only operate on valid UTF-8 strings. This is necessary to prevent cross
// site scripting issues on Internet Explorer 6.
if (!Unicode::validateUtf8($string)) {
return '';
}
// Remove NULL characters (ignored by some browsers).
$string = str_replace(chr(0), '', $string);
// Remove Netscape 4 JS entities.
$string = preg_replace('%&\\s*\\{[^}]*(\\}\\s*;?|$)%', '', $string);
// Defuse all HTML entities.
$string = str_replace('&', '&', $string);
// Change back only well-formed entities in our whitelist:
// Decimal numeric entities.
$string = preg_replace('/&#([0-9]+;)/', '&#\\1', $string);
// Hexadecimal numeric entities.
$string = preg_replace('/&#[Xx]0*((?:[0-9A-Fa-f]{2})+;)/', '&#x\\1', $string);
// Named entities.
$string = preg_replace('/&([A-Za-z][A-Za-z0-9]*;)/', '&\\1', $string);
$html_tags = array_flip($html_tags);
// Late static binding does not work inside anonymous functions.
$class = get_called_class();
$splitter = function ($matches) use ($html_tags, $class) {
return $class::split($matches[1], $html_tags, $class);
};
// Strip any tags that are not in the whitelist.
return preg_replace_callback('%
(
<(?=[^a-zA-Z!/]) # a lone <
| # or
<!--.*?--> # a comment
| # or
<[^>]*(>|$) # a string that starts with a <, up until the > or the end of the string
| # or
> # just a >
)%x', $splitter, $string);
}