You are here

protected static function XssEscape::split in Extensible BBCode 8.3

Same name and namespace in other branches
  1. 4.0.x src/XssEscape.php \Drupal\xbbcode\XssEscape::split()

Processes an HTML tag.

Parameters

string $string: The HTML tag to process.

array $html_tags: An array where the keys are the allowed tags and the values are not used.

string $class: The called class. This method is called from an anonymous function which breaks late static binding. See https://bugs.php.net/bug.php?id=66622 for more information.

Return value

string If the element isn't allowed, an empty string. Otherwise, the cleaned up version of the HTML element.

Overrides Xss::split

File

src/XssEscape.php, line 16

Class

XssEscape
Augmented version of Xss that defuses markup instead of removing it.

Namespace

Drupal\xbbcode

Code

protected static function split($string, $html_tags, $class) : string {

  // Sanity check.
  if (!is_subclass_of($class, Xss::class)) {
    $class = static::class;
  }
  $output = parent::split($string, $html_tags, $class);
  if ($output !== '') {
    return $output;
  }
  if (!preg_match('%^<\\s*(/\\s*)?([a-zA-Z0-9\\-]+)\\s*([^>]*)>?|(<!--.*?-->)$%', $string, $matches)) {

    // Seriously malformed.
    return Html::escape($string);
  }
  $elem = $matches[2];

  // When in whitelist mode, an element is disallowed when not listed.
  if ($class::needsRemoval($html_tags, $elem)) {
    return Html::escape($string);
  }

  // This should be unreachable.
  return '';
}