function wysiwyg_filter_process in WYSIWYG Filter 6
WYSIWYG Filter. Provides filtering of input into accepted HTML.
This function is based on Drupal's filter_xss() with a few additions:
- Validates HTML input against whitelists of HTML elements, attributes and style properties.
- Optionally applies rel="nofollow" rules to links.
- Rules for the above can be specified by site administrators from the filter settings form.
Parameters
string $text: HTML text to be filtered.
int $format: Input format identifier.
Return value
string Filtered HTML text.
1 call to wysiwyg_filter_process()
- wysiwyg_filter_filter in ./wysiwyg_filter.module - Implementation of hook_filter().
File
- ./wysiwyg_filter.pages.inc, line 25 - User land code for the WYSIWYG Filter module.
Code
function wysiwyg_filter_process($text, $format) {
  // Only operate on valid UTF-8 strings. This is necessary to prevent cross
  // site scripting issues on Internet Explorer 6.
  if (!drupal_validate_utf8($text)) {
    return '';
  }
  // Load common functions.
  module_load_include('inc', 'wysiwyg_filter');
  // Store input filter options.
  _wysiwyg_filter_xss_split(wysiwyg_filter_get_filter_options($format), TRUE);
  // Remove NUL characters (ignored by some browsers).
  $text = str_replace(chr(0), '', $text);
  // Remove Netscape 4 JS entities.
  $text = preg_replace('%&\\s*\\{[^}]*(\\}\\s*;?|$)%', '', $text);
  // Defuse all HTML entities.
  $text = str_replace('&', '&amp;', $text);
  // Change back only well-formed entities in our whitelist:
  // Decimal numeric entities.
  $text = preg_replace('/&amp;#([0-9]+;)/', '&#\\1', $text);
  // Hexadecimal numeric entities.
  $text = preg_replace('/&amp;#[Xx]0*((?:[0-9A-Fa-f]{2})+;)/', '&#x\\1', $text);
  // Named entities.
  $text = preg_replace('/&amp;([A-Za-z][A-Za-z0-9]*;)/', '&\\1', $text);
  return preg_replace_callback('%
    (
    <(?=[^a-zA-Z!/])  # a lone <
    |                 # or
    <!--.*?-->        # a comment
    |                 # or
    <[^>]*(>|$)       # a string that starts with a <, up until the > or the end of the string
    |                 # or
    >                 # just a >
    )%x', '_wysiwyg_filter_xss_split', $text);
}
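The entity handling and tag splitting above can be tried outside Drupal. The following is an added example, not code from the module: `normalize_entities()` and `split_tokens()` are hypothetical names, the sample strings are constructed, and the callback only records the chunks that `_wysiwyg_filter_xss_split()` would receive instead of filtering them.

```php
<?php
// Added example, not module code. normalize_entities() and split_tokens()
// are hypothetical names; all sample inputs below are constructed.

function normalize_entities($text) {
  // Drop NUL bytes and Netscape 4 JS entities of the form &{...};
  $text = str_replace(chr(0), '', $text);
  $text = preg_replace('%&\\s*\\{[^}]*(\\}\\s*;?|$)%', '', $text);
  // Defuse every ampersand, then restore only well-formed entities.
  $text = str_replace('&', '&amp;', $text);
  $text = preg_replace('/&amp;#([0-9]+;)/', '&#\\1', $text);
  $text = preg_replace('/&amp;#[Xx]0*((?:[0-9A-Fa-f]{2})+;)/', '&#x\\1', $text);
  $text = preg_replace('/&amp;([A-Za-z][A-Za-z0-9]*;)/', '&\\1', $text);
  return $text;
}

function split_tokens($text) {
  // Same pattern as the final call; the callback only records each chunk.
  $tokens = array();
  preg_replace_callback('%
    (
    <(?=[^a-zA-Z!/])  # a lone <
    |                 # or
    <!--.*?-->        # a comment
    |                 # or
    <[^>]*(>|$)       # a tag, closed or running to the end of the string
    |                 # or
    >                 # just a >
    )%x', function ($m) use (&$tokens) {
      $tokens[] = $m[1];
      return $m[1];
    }, $text);
  return $tokens;
}

$samples = array(
  'Fish &amp; chips &copy; 2010',  // already well-formed
  'AT&T',                          // bare ampersand
  '&#106 and &#106;',              // numeric entity without / with semicolon
  '&#x06A; and &#x6;',             // hex entity: leading zero, odd digit count
  "a&{expr};b\0c",                 // Netscape 4 JS entity and a NUL byte
);
foreach ($samples as $s) {
  printf("%s => %s\n", addcslashes($s, "\0"), normalize_entities($s));
}
$html = 'a < b <!-- c --> <em class="x">hi</em> > <img src="y"';
print_r(split_tokens($html));
```

Entities that lack a terminating semicolon, and hexadecimal entities with an odd number of digits, stay in their defused `&amp;` form, while the unterminated `<img` chunk still reaches the callback as a tag so the whitelist is applied to it.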