You are here

protected function Renderer::ensureMarkupIsSafe in Zircon Profile 8

Same name and namespace in other branches
  1. 8.0 core/lib/Drupal/Core/Render/Renderer.php \Drupal\Core\Render\Renderer::ensureMarkupIsSafe()

Escapes #plain_text or filters #markup as required.

Drupal uses Twig's auto-escape feature to improve security. This feature automatically escapes any HTML that is not known to be safe. Due to this the render system needs to ensure that all markup it generates is marked safe so that Twig does not do any additional escaping.

By default all #markup is filtered to protect against XSS using the admin tag list. Render arrays can alter the list of tags allowed by the filter using the #allowed_tags property. This value should be an array of tags that Xss::filter() would accept. Render arrays can escape text instead of XSS filtering by setting the #plain_text property instead of #markup. If #plain_text is used #allowed_tags is ignored.

Parameters

array $elements: A render array with #markup set.

Return value

\Drupal\Component\Render\MarkupInterface|string The escaped markup wrapped in a Markup object. If SafeMarkup::isSafe($elements['#markup']) returns TRUE, it won't be escaped or filtered again.

See also

\Drupal\Component\Utility\Html::escape()

\Drupal\Component\Utility\Xss::filter()

\Drupal\Component\Utility\Xss::adminFilter()

1 call to Renderer::ensureMarkupIsSafe()
Renderer::doRender in core/lib/Drupal/Core/Render/Renderer.php
See the docs for ::render().

File

core/lib/Drupal/Core/Render/Renderer.php, line 715
Contains \Drupal\Core\Render\Renderer.

Class

Renderer
Turns a render array into a HTML string.

Namespace

Drupal\Core\Render

Code

protected function ensureMarkupIsSafe(array $elements) {
  if (empty($elements['#markup']) && empty($elements['#plain_text'])) {
    return $elements;
  }
  if (!empty($elements['#plain_text'])) {
    $elements['#markup'] = Markup::create(Html::escape($elements['#plain_text']));
  }
  elseif (!SafeMarkup::isSafe($elements['#markup'])) {

    // The default behaviour is to XSS filter using the admin tag list.
    $tags = isset($elements['#allowed_tags']) ? $elements['#allowed_tags'] : Xss::getAdminTagList();
    $elements['#markup'] = Markup::create(Xss::filter($elements['#markup'], $tags));
  }
  return $elements;
}