Documentation & API reference
function filter_xss
Filters HTML to prevent cross-site-scripting (XSS) vulnerabilities.
Based on kses by Ulf Harnhammar, see http://sourceforge.net/projects/kses. For examples of various XSS attacks, see: http://ha.ckers.org/xss.html.
This code does four things:
- Removes characters and constructs that can trick browsers.
- Makes sure all HTML entities are well-formed.
- Makes sure all HTML tags and attributes are well-formed.
- Makes sure no HTML tags contain URLs with a disallowed protocol (e.g. javascript:).
Parameters
$string: The string with raw HTML in it. It will be stripped of everything that can cause an XSS attack.
$allowed_tags: An array of allowed tags.
Return value
An XSS safe version of $string, or an empty string if $string is not valid UTF-8.
See also
\Drupal\Component\Utility\Xss::filter()
Related topics
23 calls to filter_xss()
- aggregator_filter_xss in drupal/
core/ modules/ aggregator/ aggregator.module - Renders the HTML content safely, as allowed.
- AlterTest::testExecutionOrder in drupal/
core/ modules/ system/ lib/ Drupal/ system/ Tests/ Form/ AlterTest.php - Tests execution order of hook_form_alter() and hook_form_FORM_ID_alter().
- CommentTokenReplaceTest::testCommentTokenReplacement in drupal/
core/ modules/ comment/ lib/ Drupal/ comment/ Tests/ CommentTokenReplaceTest.php - Creates a comment, then tests the tokens generated from it.
- comment_tokens in drupal/
core/ modules/ comment/ comment.tokens.inc - Implements hook_tokens().
- DbLogController::overview in drupal/
core/ modules/ dblog/ lib/ Drupal/ dblog/ Controller/ DbLogController.php - Displays a listing of database log messages.
File
- drupal/
core/ includes/ common.inc, line 957 - Common functions that many Drupal modules will need to reference.
Code
function filter_xss($string, $allowed_tags = array(
'a',
'em',
'strong',
'cite',
'blockquote',
'code',
'ul',
'ol',
'li',
'dl',
'dt',
'dd',
)) {
return Xss::filter($string, $allowed_tags);
}