function editor_filter_xss

Same name in other branches
  1. 9 core/modules/editor/editor.module \editor_filter_xss()
  2. 8.9.x core/modules/editor/editor.module \editor_filter_xss()
  3. 11.x core/modules/editor/editor.module \editor_filter_xss()

Applies text editor XSS filtering.

Parameters

string $html: The HTML string that will be passed to the text editor.

\Drupal\filter\FilterFormatInterface|null $format: The text format whose text editor will be used or NULL if the previously defined text format is now disabled.

\Drupal\filter\FilterFormatInterface|null $original_format: (optional) The original text format. When switching text formats, $format is the text format that is about to be used and $original_format is the one that was in use initially (the one stored in the database when editing).

Return value

string|false The XSS filtered string, or FALSE when no XSS filtering needs to be applied because one of the following conditions holds:

  • No text editor is associated with the text format,
  • The previously defined text format is now disabled,
  • The text editor plugin declares itself safe from XSS (is_xss_safe),
  • Neither the text format nor, when given, the original text format uses an HTML-restricting filter (FilterInterface::TYPE_HTML_RESTRICTOR), so the editing user could already be attacked just by viewing the content.

See also

https://www.drupal.org/node/2099741

2 calls to editor_filter_xss()
EditorController::filterXss in core/modules/editor/src/EditorController.php
Apply the necessary XSS filtering for using a certain text format's editor.
Element::preRenderTextFormat in core/modules/editor/src/Element.php
Additional #pre_render callback for 'text_format' elements.

File

core/modules/editor/editor.module, line 306

Code

// Imports declared at the top of core/modules/editor/editor.module, needed for
// the type hints and the FilterInterface constant used below.
use Drupal\filter\FilterFormatInterface;
use Drupal\filter\Plugin\FilterInterface;

function editor_filter_xss($html, ?FilterFormatInterface $format = NULL, ?FilterFormatInterface $original_format = NULL) {
    $editor = $format ? editor_load($format->id()) : NULL;
    // If no text editor is associated with this text format or the previously
    // defined text format is now disabled, then we don't need text editor XSS
    // filtering either.
    if (!isset($editor)) {
        return FALSE;
    }
    // If the text editor associated with this text format guarantees security,
    // then we also don't need text editor XSS filtering.
    $definition = \Drupal::service('plugin.manager.editor')->getDefinition($editor->getEditor());
    if ($definition['is_xss_safe'] === TRUE) {
        return FALSE;
    }
    // If there is no filter preventing XSS attacks in the text format being used,
    // then no text editor XSS filtering is needed either. (Because then the
    // editing user can already be attacked by merely viewing the content.)
    // e.g.: an admin user creates content in Full HTML and then edits it, no text
    // format switching happens; in this case, no text editor XSS filtering is
    // desirable, because it would strip style attributes, amongst others.
    // The exception is a format switch: if the content was stored under a format
    // that does restrict HTML, it must still be filtered before the unrestricted
    // format's editor renders it.
    $current_filter_types = $format->getFilterTypes();
    if (!in_array(FilterInterface::TYPE_HTML_RESTRICTOR, $current_filter_types, TRUE)) {
        if ($original_format === NULL) {
            return FALSE;
        }
        else {
            $original_filter_types = $original_format->getFilterTypes();
            if (!in_array(FilterInterface::TYPE_HTML_RESTRICTOR, $original_filter_types, TRUE)) {
                return FALSE;
            }
        }
    }
    // Otherwise, apply the text editor XSS filter. We use the default one unless
    // a module tells us to use a different one (hook_editor_xss_filter_alter()).
    $editor_xss_filter_class = '\\Drupal\\editor\\EditorXssFilter\\Standard';
    \Drupal::moduleHandler()->alter('editor_xss_filter', $editor_xss_filter_class, $format, $original_format);
    return call_user_func($editor_xss_filter_class . '::filterXss', $html, $format, $original_format);
}
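The branch order above decides whether the editor XSS filter runs at all, and the interesting case is a text format switch. The following is an added example, not Drupal code: a stand-alone Python model of that decision logic in which TextFormat, Editor and the EDITORS registry are constructed stand-ins for FilterFormatInterface, the Editor config entity loaded by editor_load() and the editor plugin definition's is_xss_safe flag. The format and editor names are sample data chosen to resemble a default site, not values read from any installation.

```python
"""Decision model for Drupal's editor_filter_xss() (added example, not Drupal code)."""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# Mirrors FilterInterface::TYPE_HTML_RESTRICTOR; only membership in a format's
# filter-type list matters to the decision, not the constant's value.
TYPE_HTML_RESTRICTOR = "html_restrictor"


@dataclass(frozen=True)
class TextFormat:
    """Stand-in for FilterFormatInterface: id() and getFilterTypes()."""
    id: str
    filter_types: FrozenSet[str]


@dataclass(frozen=True)
class Editor:
    """Stand-in for the Editor entity plus its plugin definition's is_xss_safe flag."""
    plugin_id: str
    is_xss_safe: bool


# Constructed sample formats. FULL_HTML carries no HTML-restricting filter.
BASIC_HTML = TextFormat("basic_html", frozenset({TYPE_HTML_RESTRICTOR}))
FULL_HTML = TextFormat("full_html", frozenset())
PLAIN_TEXT = TextFormat("plain_text", frozenset({TYPE_HTML_RESTRICTOR}))
SAFE_FORMAT = TextFormat("safe_format", frozenset({TYPE_HTML_RESTRICTOR}))

# Constructed stand-in for editor_load($format->id()): format id -> Editor.
# plain_text has no editor attached; "hypothetical_safe_editor" is invented.
EDITORS = {
    "basic_html": Editor("ckeditor5", is_xss_safe=False),
    "full_html": Editor("ckeditor5", is_xss_safe=False),
    "safe_format": Editor("hypothetical_safe_editor", is_xss_safe=True),
}


def editor_xss_filter_applies(fmt: Optional[TextFormat],
                              original: Optional[TextFormat] = None) -> Tuple[bool, str]:
    """Return (applies, reason), taking the same branches in the same order as
    editor_filter_xss(). False corresponds to the function returning FALSE."""
    editor = EDITORS.get(fmt.id) if fmt is not None else None
    if editor is None:
        return False, "no text editor for this format, or the format is disabled"
    if editor.is_xss_safe:
        return False, "the editor plugin declares is_xss_safe"
    if TYPE_HTML_RESTRICTOR not in fmt.filter_types:
        # Unrestricted format: viewing the content is already as dangerous as
        # editing it, unless the content was stored under a restricting format
        # and is only now being opened in the unrestricted one.
        if original is None or TYPE_HTML_RESTRICTOR not in original.filter_types:
            return False, "neither the current nor the original format restricts HTML"
    return True, "apply the editor XSS filter (Standard unless altered)"


if __name__ == "__main__":
    scenarios = [
        ("edit Basic HTML in place", BASIC_HTML, None),
        ("edit Full HTML in place", FULL_HTML, None),
        ("switch Basic HTML -> Full HTML", FULL_HTML, BASIC_HTML),
        ("switch Full HTML -> Full HTML", FULL_HTML, FULL_HTML),
        ("Plain text, no editor", PLAIN_TEXT, None),
        ("format disabled (NULL)", None, None),
        ("XSS-safe editor", SAFE_FORMAT, None),
    ]
    for label, fmt, original in scenarios:
        applies, reason = editor_xss_filter_applies(fmt, original)
        print(f"{label:32} filter={applies!s:5} {reason}")
```

The "switch Basic HTML -> Full HTML" row is the one to remember: the current format has no HTML restrictor, but because the original one does, the stored HTML is still filtered before the editor renders it. Editing Full HTML content in place, by contrast, returns FALSE and keeps attributes such as style intact.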
