FieldFilteredMarkup.php

Same filename in other branches
  1. 9 core/lib/Drupal/Core/Field/FieldFilteredMarkup.php
  2. 8.9.x core/lib/Drupal/Core/Field/FieldFilteredMarkup.php
  3. 10 core/lib/Drupal/Core/Field/FieldFilteredMarkup.php

Namespace

Drupal\Core\Field

File

core/lib/Drupal/Core/Field/FieldFilteredMarkup.php

View source
<?php

namespace Drupal\Core\Field;

use Drupal\Component\Utility\Html;
use Drupal\Component\Render\MarkupInterface;
use Drupal\Component\Render\MarkupTrait;
use Drupal\Component\Utility\Xss;

/**
 * Defines an object that passes safe strings through the Field system.
 *
 * This object filters the string using a very restrictive tag list when it is
 * created.
 *
 * @internal
 *   This object is marked as internal because it should only be used by the
 *   Field module and field-related plugins.
 *
 * @see \Drupal\Core\Render\Markup
 */
final class FieldFilteredMarkup implements MarkupInterface, \Countable {
    use MarkupTrait;
    
    /**
     * Overrides \Drupal\Component\Render\MarkupTrait::create().
     *
     * @return string|\Drupal\Component\Render\MarkupInterface
     *   A safe string filtered with the allowed tag list and normalized.
     *
     * @see \Drupal\Core\Field\FieldFilteredMarkup::allowedTags()
     * @see \Drupal\Component\Utility\Xss::filter()
     * @see \Drupal\Component\Utility\Html::normalize()
     */
    public static function create($string) {
        $string = (string) $string;
        if ($string === '') {
            return '';
        }
        $safe_string = new static();
        // All known XSS vectors are filtered out by
        // \Drupal\Component\Utility\Xss::filter(), all tags in the markup are
        // allowed intentionally by the trait, and no danger is added in by
        // \Drupal\Component\Utility\Html::normalize(). Since the normalized value
        // is essentially the same markup, designate this string as safe as well.
        // This method is an internal part of field sanitization, so the resultant,
        // sanitized string should be printable as is.
        $safe_string->string = Html::normalize(Xss::filter($string, static::allowedTags()));
        return $safe_string;
    }
    
    /**
     * Returns the allowed tag list.
     *
     * @return string[]
     *   A list of allowed tags.
     */
    public static function allowedTags() {
        return [
            'a',
            'b',
            'big',
            'code',
            'del',
            'em',
            'i',
            'ins',
            'pre',
            'q',
            'small',
            'span',
            'strong',
            'sub',
            'sup',
            'tt',
            'ol',
            'ul',
            'li',
            'p',
            'br',
            'img',
        ];
    }
    
    /**
     * Returns a human-readable list of allowed tags for display in help texts.
     *
     * @return string
     *   A human-readable list of allowed tags for display in help texts.
     */
    public static function displayAllowedTags() {
        return '<' . implode('> <', static::allowedTags()) . '>';
    }

}

Classes

Title Deprecated Summary
FieldFilteredMarkup Defines an object that passes safe strings through the Field system.

Buggy or inaccurate documentation? Please file an issue. Need support? Need help programming? Connect with the Drupal community.