public static function Xss::filter

Filters HTML to prevent cross-site-scripting (XSS) vulnerabilities.

Based on kses by Ulf Harnhammar, see http://sourceforge.net/projects/kses. For examples of various XSS attacks, see: http://ha.ckers.org/xss.html.

This code does four things:

  • Removes characters and constructs that can trick browsers.
  • Makes sure all HTML entities are well-formed.
  • Makes sure all HTML tags and attributes are well-formed.
  • Makes sure no HTML tags contain URLs with a disallowed protocol (e.g. javascript:).

Parameters

$string: The string with raw HTML in it. It will be stripped of everything that can cause an XSS attack.

array $allowed_tags: An array of allowed tags.

Return value

string An XSS safe version of $string, or an empty string if $string is not valid UTF-8.

See also

\Drupal\Component\Utility\Unicode::validateUtf8()

Related topics

Sanitization functions
Functions to sanitize values.
7 calls to Xss::filter()
Date::format in drupal/core/lib/Drupal/Core/Datetime/Date.php
Formats a date, using a date type or a custom date format string.
filter_xss in drupal/core/includes/common.inc
Filters HTML to prevent cross-site-scripting (XSS) vulnerabilities.
Xss::filterAdmin in drupal/core/lib/Drupal/Component/Utility/Xss.php
Applies a very permissive XSS/HTML filter for admin-only use.
XssTest::testFilterXssNormalized in drupal/core/tests/Drupal/Tests/Component/Utility/XssTest.php
Tests limiting allowed tags and XSS prevention.
XssTest::testFilterXssNotNormalized in drupal/core/tests/Drupal/Tests/Component/Utility/XssTest.php
Tests limiting allowed tags and XSS prevention.

... See full list

File

drupal/core/lib/Drupal/Component/Utility/Xss.php, line 51
Contains \Drupal\Component\Utility\Xss.

Class

Xss
Provides helper to filter for cross-site scripting.

Namespace

Drupal\Component\Utility

Code

public static function filter($string, $allowed_tags = array(
  'a',
  'em',
  'strong',
  'cite',
  'blockquote',
  'code',
  'ul',
  'ol',
  'li',
  'dl',
  'dt',
  'dd',
)) {

  // Only operate on valid UTF-8 strings. This is necessary to prevent cross
  // site scripting issues on Internet Explorer 6.
  if (!Unicode::validateUtf8($string)) {
    return '';
  }

  // Store the text format.
  static::split($allowed_tags, TRUE);

  // Remove NULL characters (ignored by some browsers).
  $string = str_replace(chr(0), '', $string);

  // Remove Netscape 4 JS entities.
  $string = preg_replace('%&\\s*\\{[^}]*(\\}\\s*;?|$)%', '', $string);

  // Defuse all HTML entities.
  $string = str_replace('&', '&', $string);

  // Change back only well-formed entities in our whitelist:
  // Decimal numeric entities.
  $string = preg_replace('/&#([0-9]+;)/', '&#\\1', $string);

  // Hexadecimal numeric entities.
  $string = preg_replace('/&#[Xx]0*((?:[0-9A-Fa-f]{2})+;)/', '&#x\\1', $string);

  // Named entities.
  $string = preg_replace('/&([A-Za-z][A-Za-z0-9]*;)/', '&\\1', $string);
  return preg_replace_callback('%
      (
      <(?=[^a-zA-Z!/])  # a lone <
      |                 # or
      <!--.*?-->        # a comment
      |                 # or
      <[^>]*(>|$)       # a string that starts with a <, up until the > or the end of the string
      |                 # or
      >                 # just a >
      )%x', '\\Drupal\\Component\\Utility\\Xss::split', $string);
}