function EditorXssFilterInterface::filterXss

Same name in other branches
  1. 9 core/modules/editor/src/EditorXssFilterInterface.php \Drupal\editor\EditorXssFilterInterface::filterXss()
  2. 8.9.x core/modules/editor/src/EditorXssFilterInterface.php \Drupal\editor\EditorXssFilterInterface::filterXss()
  3. 10 core/modules/editor/src/EditorXssFilterInterface.php \Drupal\editor\EditorXssFilterInterface::filterXss()

Filters HTML to prevent XSS attacks when a user edits it in a text editor.

Should filter as minimally as possible, only to remove XSS attack vectors.

Is only called when:

  • loading a non-XSS-safe text editor for a $format that contains a filter preventing XSS attacks (a FilterInterface::TYPE_HTML_RESTRICTOR filter): if the output is safe, it should also be safe to edit.
  • loading a non-XSS-safe text editor for a $format that doesn't contain a filter preventing XSS attacks, but we're switching from a previous text format ($original_format is not NULL) that did prevent XSS attacks: if the output was previously safe, it should be safe to switch to another text format and edit.

Parameters

string $html: The HTML to be filtered.

\Drupal\filter\FilterFormatInterface $format: The text format configuration entity. Provides context based upon which one may want to adjust the filtering.

\Drupal\filter\FilterFormatInterface|null $original_format: (optional) The original text format configuration entity (when switching text formats/editors). Also provides context based upon which one may want to adjust the filtering.

Return value

string The filtered HTML that cannot cause any XSS anymore.

2 methods override EditorXssFilterInterface::filterXss()
Insecure::filterXss in core/modules/editor/tests/modules/editor_test/src/EditorXssFilter/Insecure.php
Filters HTML to prevent XSS attacks when a user edits it in a text editor.
Standard::filterXss in core/modules/editor/src/EditorXssFilter/Standard.php
Filters HTML to prevent XSS attacks when a user edits it in a text editor.

File

core/modules/editor/src/EditorXssFilterInterface.php, line 40

Class

EditorXssFilterInterface
Defines an interface for text editor XSS (Cross-site scripting) filters.

Namespace

Drupal\editor

Code

public static function filterXss($html, FilterFormatInterface $format, ?FilterFormatInterface $original_format = NULL);

Buggy or inaccurate documentation? Please file an issue. Need support? Need help programming? Connect with the Drupal community.