Commit 08344875 authored by xjm

Issue #2501403 by Cottser, xjm, pwolanin, joelpittet: Document SafeMarkup::set in Xss::filter

parent 2b20dd20
......@@ -79,6 +79,10 @@ public static function filter($string, $html_tags = array('a', 'em', 'strong', '
$splitter = function ($matches) use ($html_tags, $class) {
return $class::split($matches[1], $html_tags, $class);
// Strip any tags that are not in the whitelist, then mark the text as safe
// for output. All other known XSS vectors have been filtered out by this
// point and any HTML tags remaining will have been deliberately allowed, so
// it is acceptable to call SafeMarkup::set() on the resultant string.
return SafeMarkup::set(preg_replace_callback('%
<(?=[^a-zA-Z!/]) # a lone <
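Review bot: The new comment above `return SafeMarkup::set(preg_replace_callback(` states that "any HTML tags remaining will have been deliberately allowed", but that guarantee rests entirely on the `$html_tags` whitelist the caller passes in (the default shown in the hunk header being `array('a', 'em', 'strong', ...`); the comment should say so explicitly, e.g. "provided the caller supplied a restrictive $html_tags whitelist", so that a reader does not take SafeMarkup::set() here as an unconditional safety claim independent of the whitelist. Minor wording: "resultant string" reads better as "resulting string".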