function AttributeXss::sanitizeAttributes

Same name in other branches
  1. 10 core/modules/link/src/AttributeXss.php \Drupal\link\AttributeXss::sanitizeAttributes()

Sanitizes attributes.

Parameters

array $attributes: Attributes in key => value format. A value may be a string or, in the case of the 'class' attribute, an array.

Return value

array Sanitized attributes.

2 calls to AttributeXss::sanitizeAttributes()
LinkFormatter::buildUrl in core/modules/link/src/Plugin/Field/FieldFormatter/LinkFormatter.php
Builds the \Drupal\Core\Url object for a link field item.
MenuLinkContent::getUrlObject in core/modules/menu_link_content/src/Entity/MenuLinkContent.php
Gets the URL object pointing to the URL of the menu link content entity.

File

core/modules/link/src/AttributeXss.php, line 162

Class

AttributeXss
Defines a class for attribute XSS filtering.

Namespace

Drupal\link

Code

public static function sanitizeAttributes(array $attributes) : array {
    $new_attributes = [];
    foreach ($attributes as $name => $value) {
        // The attribute name should be a single attribute, but there is the
        // possibility that the name is corrupt. Core's XSS::attributes can
        // cleanly handle sanitizing 'selected href="http://example.com"' so we
        // provide an allowance for cases where the attribute array is malformed.
        // For example given a name of 'selected href' and a value of
        // http://example.com we split this into two separate attributes, with the
        // value assigned to the last attribute name.
        // Explode the attribute name if a space exists.
        $names = \array_filter(\explode(' ', $name));
        if (\count($names) === 0) {
            // Empty attribute names.
            continue;
        }
        // Valueless attributes set the name to the value when processed by the
        // Attributes object.
        $with_values = \array_combine($names, $names);
        // Create a new Attribute object with the value applied to the last
        // attribute name. If there is only one attribute this simply creates a
        // new attribute with a single key-value pair.
        $last_name = \end($names);
        $with_values[$last_name] = $value;
        $attribute_object = new Attribute($with_values);
        // Filter the attributes.
        $safe = AttributeXss::attributes((string) $attribute_object);
        $safe = \array_map([
            Html::class,
            'decodeEntities',
        ], $safe);
        if (\array_key_exists('class', $safe)) {
            // The class attribute is expected to be an array.
            $safe['class'] = \explode(' ', $safe['class']);
        }
        // Special case for boolean values which are unique to valueless
        // attributes.
        if (\array_key_exists($last_name, $safe) && \is_bool($value)) {
            $safe[$last_name] = $value;
        }
        // Add the safe attributes to the new list.
        $new_attributes += \array_intersect_key($safe, $with_values);
    }
    return $new_attributes;
}
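
The name handling in the function above can be traced outside Drupal. This is an added example, not Drupal's code: `expandNames()` and `mergeExpanded()` are hypothetical helpers that reproduce only the splitting and merge steps (no `Attribute` rendering, no `AttributeXss::attributes()` filtering), run over a constructed input array.

```php
<?php
// Added illustration, not Drupal code. expandNames() mirrors only the
// name-handling lines of sanitizeAttributes(); the Attribute rendering and
// the AttributeXss::attributes() filtering are deliberately left out.

/**
 * Returns the name => value pairs one incoming entry expands to, or NULL
 * when the entry would be skipped.
 */
function expandNames(string $name, mixed $value): ?array {
    // array_filter() drops every falsy piece: '' (from leading, trailing or
    // repeated spaces) and also the literal string '0'.
    $names = array_filter(explode(' ', $name));
    if (count($names) === 0) {
        return NULL;
    }
    // Each piece starts as a valueless attribute (name used as value)...
    $with_values = array_combine($names, $names);
    // ...and only the last piece receives the submitted value.
    $with_values[end($names)] = $value;
    return $with_values;
}

/**
 * Merges expanded entries the way the foreach loop does, minus filtering.
 */
function mergeExpanded(array $attributes): array {
    $merged = [];
    foreach ($attributes as $name => $value) {
        // Array union: a key already present is never overwritten, so the
        // first entry that produces a given name wins.
        $merged += expandNames((string) $name, $value) ?? [];
    }
    return $merged;
}

// Constructed sample input: a clean entry, a malformed two-name entry, a
// name padded with spaces, an empty name, and a later duplicate of 'href'.
$input = [
    'target' => '_blank',
    'selected href' => 'http://example.com',
    ' rel  ' => 'nofollow',
    '' => 'dropped',
    'href' => 'http://example.org',
];
var_export(mergeExpanded($input));
```

The `mixed` type declaration requires PHP 8.0 or later.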
