diff --git a/core/includes/common.inc b/core/includes/common.inc index 1ac5b649247ae845b60cbb552987d7724a01ed46..422c79fd7178db6aead13eab8a37987ba1b5eb18 100644 --- a/core/includes/common.inc +++ b/core/includes/common.inc @@ -2934,9 +2934,10 @@ function _drupal_bootstrap_code() { // Set the allowed protocols once we have the config available. $allowed_protocols = \Drupal::config('system.filter')->get('protocols'); if (!isset($allowed_protocols)) { - // filter_xss_admin() is called by the installer and update.php, in which - // case the configuration may not exist (yet). Provide a minimal default set - // of allowed protocols for these cases. + // \Drupal\Component\Utility\UrlHelper::filterBadProtocol() is called by the + // installer and update.php, in which case the configuration may not exist + // (yet). Provide a minimal default set of allowed protocols for these + // cases. $allowed_protocols = array('http', 'https'); } UrlHelper::setAllowedProtocols($allowed_protocols); diff --git a/core/includes/errors.inc b/core/includes/errors.inc index 56c276fdfaa247717b98912fc4b3fd5f714aa9c0..1abcdaaca616301dc609fa47f89e770203aa4e87 100644 --- a/core/includes/errors.inc +++ b/core/includes/errors.inc @@ -5,6 +5,7 @@ * Functions for error handling. */ +use Drupal\Component\Utility\Xss; use Drupal\Core\Utility\Error; use Drupal\Component\Utility\String; use Symfony\Component\HttpFoundation\Response; @@ -70,7 +71,7 @@ function _drupal_error_handler_real($error_level, $message, $filename, $line, $c '%type' => isset($types[$error_level]) ? $severity_msg : 'Unknown error', // The standard PHP error handler considers that the error messages // are HTML. We mimick this behavior here. - '!message' => filter_xss_admin($message), + '!message' => Xss::filterAdmin($message), '%function' => $caller['function'], '%file' => $caller['file'], '%line' => $caller['line'], 
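Review bot: The new `use Drupal\Component\Utility\Xss;` line in errors.inc is inserted ahead of `use Drupal\Core\Utility\Error;` while `use Drupal\Component\Utility\String;` sits two lines below it, so the import block is no longer sorted. Placing it directly after the String import keeps the group alphabetical, as the theme.inc and filter.module hunks in this same commit do. The code change on the `'!message'` line itself is a straight swap of the removed wrapper for `Xss::filterAdmin()`, which is fine; the `!` placeholder still relies on that call being the only sanitisation of the PHP error text, which the surrounding comment already states.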
diff --git a/core/includes/form.inc b/core/includes/form.inc index 5b292f53bf88d9c6fd02d689efa1a22b198fe40a..54feee0952db4e274ec727a8e743589f6ed9c3ac 100644 --- a/core/includes/form.inc +++ b/core/includes/form.inc @@ -2964,7 +2964,7 @@ function theme_form_element_label($variables) { $required = drupal_render($marker); } - $title = filter_xss_admin($element['#title']); + $title = Xss::filterAdmin($element['#title']); $attributes = array(); // Style the label as class option to display inline with the element. @@ -3062,9 +3062,10 @@ function _form_set_attributes(&$element, $class = array()) { * Note: if the batch 'title', 'init_message', 'progress_message', or * 'error_message' could contain any user input, it is the responsibility of * the code calling batch_set() to sanitize them first with a function like - * \Drupal\Component\Utility\String::checkPlain() or filter_xss(). Furthermore, - * if the batch operation returns any user input in the 'results' or 'message' - * keys of $context, it must also sanitize them first. + * \Drupal\Component\Utility\String::checkPlain() or + * \Drupal\Component\Utility\Xss::filter(). Furthermore, if the batch operation + * returns any user input in the 'results' or 'message' keys of $context, it + * must also sanitize them first. * * Sample callback_batch_operation(): * @code diff --git a/core/includes/theme.inc b/core/includes/theme.inc index ed5bd5846b5d0738e3a776c03367a3c23ccba89c..dec14f48ab1d9c2c2120e8945a2fb65155fdad63 100644 --- a/core/includes/theme.inc +++ b/core/includes/theme.inc @@ -10,6 +10,7 @@ use Drupal\Component\Utility\String; use Drupal\Component\Utility\UrlHelper; +use Drupal\Component\Utility\Xss; use Drupal\Core\Config\Config; use Drupal\Core\Language\Language; use Drupal\Core\Extension\Extension; 
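Review bot: The form.inc hunk switches `theme_form_element_label()` to `Xss::filterAdmin($element['#title'])` but, unlike theme.inc, errors.inc and the other files in this commit, no hunk adds `use Drupal\Component\Utility\Xss;` to form.inc; since .inc files live in the global namespace, an unqualified `Xss` resolves to `\Xss` and the call fails at runtime unless the import already exists above the visible hunks. The same gap appears in the DbLogController.php hunk (`Unicode::truncate(Xss::filter($message, array()), 56, TRUE, TRUE)`), where `Xss` would resolve inside `Drupal\dblog\Controller` instead. If neither file already imports the class, add `use Drupal\Component\Utility\Xss;` to each import block. `theme_form_element_label()` begins before this hunk and its body continues after it.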
@@ -2001,7 +2002,7 @@ function template_preprocess_html(&$variables) { else { $head_title = array('name' => String::checkPlain($site_config->get('name'))); if ($site_config->get('slogan')) { - $head_title['slogan'] = strip_tags(filter_xss_admin($site_config->get('slogan'))); + $head_title['slogan'] = strip_tags(Xss::filterAdmin($site_config->get('slogan'))); } } @@ -2097,7 +2098,7 @@ function template_preprocess_page(&$variables) { $variables['secondary_menu'] = theme_get_setting('features.secondary_menu') ? menu_secondary_menu() : array(); $variables['action_links'] = menu_get_local_actions(); $variables['site_name'] = (theme_get_setting('features.name') ? String::checkPlain($site_config->get('name')) : ''); - $variables['site_slogan'] = (theme_get_setting('features.slogan') ? filter_xss_admin($site_config->get('slogan')) : ''); + $variables['site_slogan'] = (theme_get_setting('features.slogan') ? Xss::filterAdmin($site_config->get('slogan')) : ''); $variables['tabs'] = menu_local_tabs(); // Pass the main menu and secondary menu to the template as render arrays. @@ -2287,7 +2288,7 @@ function template_preprocess_maintenance_page(&$variables) { else { $head_title = array('name' => String::checkPlain($site_name)); if ($site_slogan) { - $head_title['slogan'] = strip_tags(filter_xss_admin($site_slogan)); + $head_title['slogan'] = strip_tags(Xss::filterAdmin($site_slogan)); } } 
@@ -2309,7 +2310,7 @@ function template_preprocess_maintenance_page(&$variables) { $variables['language'] = $language_interface; $variables['logo'] = theme_get_setting('logo.url'); $variables['site_name'] = (theme_get_setting('features.name') ? String::checkPlain($site_name) : ''); - $variables['site_slogan'] = (theme_get_setting('features.slogan') ? filter_xss_admin($site_slogan) : ''); + $variables['site_slogan'] = (theme_get_setting('features.slogan') ? Xss::filterAdmin($site_slogan) : ''); // Compile a list of classes that are going to be applied to the body element. $variables['attributes']['class'][] = 'maintenance-page'; diff --git a/core/lib/Drupal/Component/Utility/String.php b/core/lib/Drupal/Component/Utility/String.php index cd546ce0a1a401f75a89e0005b1623754b2579dd..9796a5fc018344e5ac7531e81e05fae34f97a2fc 100644 --- a/core/lib/Drupal/Component/Utility/String.php +++ b/core/lib/Drupal/Component/Utility/String.php @@ -79,7 +79,8 @@ public static function decodeEntities($text) { * this for text that has already been prepared for HTML display (for * example, user-supplied text that has already been run through * String::checkPlain() previously, or is expected to contain some limited - * HTML tags and has already been run through filter_xss() previously). + * HTML tags and has already been run through + * \Drupal\Component\Utility\Xss::filter() previously). * * @return mixed * The formatted string, or FALSE if no args specified. diff --git a/core/lib/Drupal/Core/EventSubscriber/MaintenanceModeSubscriber.php b/core/lib/Drupal/Core/EventSubscriber/MaintenanceModeSubscriber.php index 93bfb42f5eb0a23ca6755951ad1837dea8fc5206..7c5db6e771d30549f4f00659f096ee51032dcabb 100644 --- a/core/lib/Drupal/Core/EventSubscriber/MaintenanceModeSubscriber.php +++ b/core/lib/Drupal/Core/EventSubscriber/MaintenanceModeSubscriber.php 
@@ -7,6 +7,7 @@ namespace Drupal\Core\EventSubscriber; +use Drupal\Component\Utility\Xss; use Symfony\Component\HttpFoundation\RedirectResponse; use Symfony\Component\HttpFoundation\Response; use Symfony\Component\HttpKernel\KernelEvents; @@ -47,7 +48,7 @@ public function onKernelRequestMaintenance(GetResponseEvent $event) { $maintenance_page = array( '#theme' => 'maintenance_page', '#title' => t('Site under maintenance'), - '#content' => filter_xss_admin( + '#content' => Xss::filterAdmin( t(\Drupal::config('system.maintenance')->get('message'), array('@site' => \Drupal::config('system.site')->get('name'))) ), ); diff --git a/core/lib/Drupal/Core/Utility/Token.php b/core/lib/Drupal/Core/Utility/Token.php index e612de858256b448fc2232f38e3468aacf975641..27a451919f7610766d50bafb09af46d6aa81d23d 100644 --- a/core/lib/Drupal/Core/Utility/Token.php +++ b/core/lib/Drupal/Core/Utility/Token.php @@ -107,9 +107,10 @@ public function __construct(ModuleHandlerInterface $module_handler) { * final text if no replacement value can be generated. * - sanitize: A boolean flag indicating that tokens should be sanitized for * display to a web browser. Defaults to TRUE. Developers who set this - * option to FALSE assume responsibility for running filter_xss(), - * String::checkPlain() or other appropriate scrubbing functions before - * displaying data to users. + * option to FALSE assume responsibility for running + * \Drupal\Component\Utility\Xss::filter(), + * \Drupal\Component\Utility\String::checkPlain() or other appropriate + * scrubbing functions before displaying data to users. * * @return string * Text with tokens replaced. 
@@ -200,8 +201,9 @@ public function scan($text) { * encoding or truncation to a specific length. * - sanitize: A boolean flag indicating that tokens should be sanitized for * display to a web browser. Developers who set this option to FALSE assume - * responsibility for running filter_xss(), String::checkPlain() or other - * appropriate scrubbing functions before displaying data to users. + * responsibility for running \Drupal\Component\Utility\Xss::filter(), + * \Drupal\Component\Utility\String::checkPlain() or other appropriate + * scrubbing functions before displaying data to users. * * @return array * An associative array of replacement values, keyed by the original 'raw' diff --git a/core/modules/aggregator/aggregator.module b/core/modules/aggregator/aggregator.module index 46957aa9f21da7947455d51ddf8abb9468baf905..47f217384329705c48ae9dc7fed0685e8c9708df 100644 --- a/core/modules/aggregator/aggregator.module +++ b/core/modules/aggregator/aggregator.module @@ -6,6 +6,7 @@ */ use Drupal\aggregator\FeedInterface; +use Drupal\Component\Utility\Xss; /** * Denotes that a feed's items should never expire. @@ -171,7 +172,7 @@ function aggregator_feed_load($fid) { * The filtered content. */ function aggregator_filter_xss($value) { - return filter_xss($value, preg_split('/\s+|<|>/', \Drupal::config('aggregator.settings')->get('items.allowed_html'), -1, PREG_SPLIT_NO_EMPTY)); + return Xss::filter($value, preg_split('/\s+|<|>/', \Drupal::config('aggregator.settings')->get('items.allowed_html'), -1, PREG_SPLIT_NO_EMPTY)); } /** diff --git a/core/modules/block/custom_block/custom_block.pages.inc b/core/modules/block/custom_block/custom_block.pages.inc index 4cca4cc71601314e16e2d4dfe7e9a93924a73252..f24e16b057909526e3da72b23195f8f0b877a6f3 100644 --- a/core/modules/block/custom_block/custom_block.pages.inc +++ b/core/modules/block/custom_block/custom_block.pages.inc 
@@ -5,6 +5,7 @@ * Provides page callbacks for custom blocks. */ +use Drupal\Component\Utility\Xss; use Drupal\custom_block\Entity\CustomBlockType; use Drupal\custom_block\Entity\CustomBlock; use Symfony\Component\HttpFoundation\RedirectResponse; @@ -26,7 +27,7 @@ function template_preprocess_custom_block_add_list(&$variables) { foreach ($variables['content'] as $type) { $variables['types'][$type->id()] = array( 'link' => \Drupal::l($type->label(), 'custom_block.add_form', array('custom_block_type' => $type->id()), array('query' => $query)), - 'description' => filter_xss_admin($type->description), + 'description' => Xss::filterAdmin($type->description), 'title' => $type->label(), 'localized_options' => array( 'query' => $query, diff --git a/core/modules/block/custom_block/lib/Drupal/custom_block/CustomBlockTypeListBuilder.php b/core/modules/block/custom_block/lib/Drupal/custom_block/CustomBlockTypeListBuilder.php index 1c09e9f72c30579c31e8f2aa9596077e489cd981..8c84de45bf31da31279b9d67ecd6e373071b5e5c 100644 --- a/core/modules/block/custom_block/lib/Drupal/custom_block/CustomBlockTypeListBuilder.php +++ b/core/modules/block/custom_block/lib/Drupal/custom_block/CustomBlockTypeListBuilder.php @@ -7,6 +7,7 @@ namespace Drupal\custom_block; +use Drupal\Component\Utility\Xss; use Drupal\Core\Config\Entity\ConfigEntityListBuilder; use Drupal\Core\Entity\EntityInterface; @@ -44,7 +45,7 @@ public function buildHeader() { */ public function buildRow(EntityInterface $entity) { $row['type'] = \Drupal::linkGenerator()->generateFromUrl($entity->label(), $entity->urlInfo()); - $row['description'] = filter_xss_admin($entity->description); + $row['description'] = Xss::filterAdmin($entity->description); return $row + parent::buildRow($entity); } diff --git a/core/modules/comment/comment.tokens.inc b/core/modules/comment/comment.tokens.inc index b58230a12e4518588908c83988c774cbc03d61c2..f38f98b7a340c5cab8853b84ca28a1def6f4161a 100644 --- a/core/modules/comment/comment.tokens.inc 
+++ b/core/modules/comment/comment.tokens.inc @@ -5,6 +5,8 @@ * Builds placeholder replacement tokens for comment-related data. */ +use Drupal\Component\Utility\Xss; + /** * Implements hook_token_info(). */ @@ -152,7 +154,7 @@ function comment_tokens($type, $tokens, array $data = array(), array $options = break; case 'title': - $replacements[$original] = $sanitize ? filter_xss($comment->getSubject()) : $comment->getSubject(); + $replacements[$original] = $sanitize ? Xss::filter($comment->getSubject()) : $comment->getSubject(); break; case 'body': @@ -175,13 +177,13 @@ function comment_tokens($type, $tokens, array $data = array(), array $options = case 'name': case 'author': $name = $comment->getAuthorName(); - $replacements[$original] = $sanitize ? filter_xss($name) : $name; + $replacements[$original] = $sanitize ? Xss::filter($name) : $name; break; case 'parent': if ($comment->hasParentComment()) { $parent = $comment->getParentComment(); - $replacements[$original] = $sanitize ? filter_xss($parent->getSubject()) : $parent->getSubject(); + $replacements[$original] = $sanitize ? Xss::filter($parent->getSubject()) : $parent->getSubject(); } break; @@ -196,7 +198,7 @@ function comment_tokens($type, $tokens, array $data = array(), array $options = case 'entity': $entity = $comment->getCommentedEntity(); $title = $entity->label(); - $replacements[$original] = $sanitize ? filter_xss($title) : $title; + $replacements[$original] = $sanitize ? Xss::filter($title) : $title; break; case 'node': @@ -206,7 +208,7 @@ function comment_tokens($type, $tokens, array $data = array(), array $options = if ($comment->getCommentedEntityTypeId() == 'node') { $entity = $comment->getCommentedEntity(); $title = $entity->label(); - $replacements[$original] = $sanitize ? filter_xss($title) : $title; + $replacements[$original] = $sanitize ? Xss::filter($title) : $title; } else { $replacements[$original] = NULL; 
diff --git a/core/modules/comment/lib/Drupal/comment/Tests/CommentTokenReplaceTest.php b/core/modules/comment/lib/Drupal/comment/Tests/CommentTokenReplaceTest.php index bd300fc83877ef04f01964251273f69b8760a160..0d2a4b2ee86a1debf772ce64af505148c9999978 100644 --- a/core/modules/comment/lib/Drupal/comment/Tests/CommentTokenReplaceTest.php +++ b/core/modules/comment/lib/Drupal/comment/Tests/CommentTokenReplaceTest.php @@ -7,6 +7,7 @@ namespace Drupal\comment\Tests; +use Drupal\Component\Utility\Xss; use Drupal\Core\Language\Language; /** @@ -54,11 +55,11 @@ function testCommentTokenReplacement() { $tests = array(); $tests['[comment:cid]'] = $comment->id(); $tests['[comment:hostname]'] = check_plain($comment->getHostname()); - $tests['[comment:name]'] = filter_xss($comment->getAuthorName()); - $tests['[comment:author]'] = filter_xss($comment->getAuthorName()); + $tests['[comment:name]'] = Xss::filter($comment->getAuthorName()); + $tests['[comment:author]'] = Xss::filter($comment->getAuthorName()); $tests['[comment:mail]'] = check_plain($this->admin_user->getEmail()); $tests['[comment:homepage]'] = check_url($comment->getHomepage()); - $tests['[comment:title]'] = filter_xss($comment->getSubject()); + $tests['[comment:title]'] = Xss::filter($comment->getSubject()); $tests['[comment:body]'] = $comment->comment_body->processed; $tests['[comment:url]'] = url('comment/' . $comment->id(), $url_options + array('fragment' => 'comment-' . $comment->id())); $tests['[comment:edit-url]'] = url('comment/' . $comment->id() . '/edit', $url_options); diff --git a/core/modules/dblog/lib/Drupal/dblog/Controller/DbLogController.php b/core/modules/dblog/lib/Drupal/dblog/Controller/DbLogController.php index d891bfe406ef8231611bae12e7cac17fb4969877..72ddf22b13423b65691c7630f701e2bda04c696b 100644 --- a/core/modules/dblog/lib/Drupal/dblog/Controller/DbLogController.php +++ b/core/modules/dblog/lib/Drupal/dblog/Controller/DbLogController.php 
@@ -181,7 +181,7 @@ public function overview() { } if (isset($dblog->wid)) { // Truncate link_text to 56 chars of message. - $log_text = Unicode::truncate(filter_xss($message, array()), 56, TRUE, TRUE); + $log_text = Unicode::truncate(Xss::filter($message, array()), 56, TRUE, TRUE); $message = $this->l($log_text, 'dblog.event', array('event_id' => $dblog->wid), array('html' => TRUE)); } } diff --git a/core/modules/dblog/lib/Drupal/dblog/Tests/DbLogTest.php b/core/modules/dblog/lib/Drupal/dblog/Tests/DbLogTest.php index 24add00d4259f8d8c3791f856a8c3c73bd1f9729..850b6e14eb827208382950b22a59bd63bb9095b2 100644 --- a/core/modules/dblog/lib/Drupal/dblog/Tests/DbLogTest.php +++ b/core/modules/dblog/lib/Drupal/dblog/Tests/DbLogTest.php @@ -7,6 +7,7 @@ namespace Drupal\dblog\Tests; +use Drupal\Component\Utility\Xss; use Drupal\Core\Language\Language; use Drupal\dblog\Controller\DbLogController; use Drupal\simpletest\WebTestBase; @@ -264,7 +265,7 @@ private function doUser() { $this->assertLogMessage(t('Session closed for %name.', array('%name' => $name)), 'DBLog event was recorded: [logout user]'); // Delete user. $message = t('Deleted user: %name %email.', array('%name' => $name, '%email' => '<' . $user->getEmail() . '>')); - $message_text = truncate_utf8(filter_xss($message, array()), 56, TRUE, TRUE); + $message_text = truncate_utf8(Xss::filter($message, array()), 56, TRUE, TRUE); // Verify that the full message displays on the details page. $link = FALSE; if ($links = $this->xpath('//a[text()="' . html_entity_decode($message_text) . '"]')) { 
@@ -613,10 +614,10 @@ protected function asText(\SimpleXMLElement $element) { * The message to pass to simpletest. */ protected function assertLogMessage($log_message, $message) { - $message_text = truncate_utf8(filter_xss($log_message, array()), 56, TRUE, TRUE); - // After filter_xss(), HTML entities should be converted to their character - // equivalents because assertLink() uses this string in xpath() to query the - // Document Object Model (DOM). + $message_text = truncate_utf8(Xss::filter($log_message, array()), 56, TRUE, TRUE); + // After \Drupal\Component\Utility\Xss::filter(), HTML entities should be + // converted to their character equivalents because assertLink() uses this + // string in xpath() to query the Document Object Model (DOM). $this->assertLink(html_entity_decode($message_text), 0, $message); } } diff --git a/core/modules/dblog/lib/Drupal/dblog/Tests/Views/ViewsIntegrationTest.php b/core/modules/dblog/lib/Drupal/dblog/Tests/Views/ViewsIntegrationTest.php index 8b2987c289a34d04e6e56f0633244cb7ab017b9a..818cfd3afcf32e6eeaf7e923ab4e43c49baa62fe 100644 --- a/core/modules/dblog/lib/Drupal/dblog/Tests/Views/ViewsIntegrationTest.php +++ b/core/modules/dblog/lib/Drupal/dblog/Tests/Views/ViewsIntegrationTest.php @@ -77,7 +77,8 @@ public function testIntegration() { $entries[] = array( 'message' => '@token1 !token2', 'variables' => array('@token1' => $this->randomName(), '!token2' => $this->randomName()), - // Setup a link with a tag which is filtered by filter_xss_admin. + // Setup a link with a tag which is filtered by + // \Drupal\Component\Utility\Xss::filterAdmin(). 'link' => l('<object>Link</object>', 'node/2', array('html' => TRUE)), ); foreach ($entries as $entry) { diff --git a/core/modules/editor/lib/Drupal/editor/EditorXssFilter/Standard.php b/core/modules/editor/lib/Drupal/editor/EditorXssFilter/Standard.php index 3f9386342c9c042d3e3328e7f7f7dd8e42a40c5e..84197805b99c1be50e7fc4d14c376c31e8ffded6 100644 
--- a/core/modules/editor/lib/Drupal/editor/EditorXssFilter/Standard.php +++ b/core/modules/editor/lib/Drupal/editor/EditorXssFilter/Standard.php @@ -25,8 +25,8 @@ public static function filterXss($html, FilterFormatInterface $format, FilterFor // The <script> and <style> tags are blacklisted because their contents // can be malicious (and therefor they are inherently unsafe), whereas for // all other tags, only their attributes can make them malicious. Since - // Xss::filter() protects against malicious attributes, we take no - // blacklisting action. + // \Drupal\Component\Utility\Xss::filter() protects against malicious + // attributes, we take no blacklisting action. // The exceptions to the above rule are <link>, <embed> and <object>: // - <link> because the href attribute allows the attacker to import CSS // using the HTTP(S) protocols which Xss::filter() considers safe by diff --git a/core/modules/entity_reference/lib/Drupal/entity_reference/Plugin/views/style/EntityReference.php b/core/modules/entity_reference/lib/Drupal/entity_reference/Plugin/views/style/EntityReference.php index 03fdf24f163442dd23dd4edcfa193f32b32cbcb0..37a446b91c0cdb0516bb74bface10f88e1409193 100644 --- a/core/modules/entity_reference/lib/Drupal/entity_reference/Plugin/views/style/EntityReference.php +++ b/core/modules/entity_reference/lib/Drupal/entity_reference/Plugin/views/style/EntityReference.php @@ -7,6 +7,7 @@ namespace Drupal\entity_reference\Plugin\views\style; +use Drupal\Component\Utility\Xss; use Drupal\views\Plugin\views\style\StylePluginBase; /** 
@@ -92,7 +93,7 @@ public function render() { // Sanitize HTML, remove line breaks and extra whitespace. $output = $this->view->rowPlugin->render($values); $output = drupal_render($output); - $results[$values->{$id_field_alias}] = filter_xss_admin(preg_replace('/\s\s+/', ' ', str_replace("\n", '', $output))); + $results[$values->{$id_field_alias}] = Xss::filterAdmin(preg_replace('/\s\s+/', ' ', str_replace("\n", '', $output))); $this->view->row_index++; } } diff --git a/core/modules/field/field.module b/core/modules/field/field.module index db35e40e044bdca6c1d49bf75e77cd3d8a4d7563..4c73352f6290c04a2f5b6c8f392a5c23bf955653 100644 --- a/core/modules/field/field.module +++ b/core/modules/field/field.module @@ -266,7 +266,8 @@ function field_cache_clear() { /** * Filters an HTML string to prevent cross-site-scripting (XSS) vulnerabilities. * - * Like filter_xss_admin(), but with a shorter list of allowed tags. + * Like \Drupal\Component\Utility\Xss::filterAdmin(), but with a shorter list + * of allowed tags. * * Used for items entered by administrators, like field descriptions, allowed * values, where some (mainly inline) mark-up may be desired (so diff --git a/core/modules/field/lib/Drupal/field/Plugin/views/field/Field.php b/core/modules/field/lib/Drupal/field/Plugin/views/field/Field.php index 1b10358d860d9f2ed6099c0e106bd6fff0426428..8efdbbd8ec24d9c89d931faf094d5545189a81e1 100644 --- a/core/modules/field/lib/Drupal/field/Plugin/views/field/Field.php +++ b/core/modules/field/lib/Drupal/field/Plugin/views/field/Field.php @@ -7,6 +7,7 @@ namespace Drupal\field\Plugin\views\field; +use Drupal\Component\Utility\Xss; use Drupal\Core\Entity\EntityInterface; use Drupal\Core\Entity\EntityManagerInterface; use Drupal\Core\Entity\EntityStorageInterface; 
@@ -650,7 +651,7 @@ protected function renderItems($items) { } if ($this->options['multi_type'] == 'separator') { - return implode(filter_xss_admin($this->options['separator']), $items); + return implode(Xss::filterAdmin($this->options['separator']), $items); } else { $item_list = array( @@ -834,8 +835,9 @@ protected function documentSelfTokens(&$tokens) { protected function addSelfTokens(&$tokens, $item) { $field = $this->field_info; foreach ($field->getColumns() as $id => $column) { - // Use filter_xss_admin because it's user data and we can't be sure it is safe. - // We know nothing about the data, though, so we can't really do much else. + // Use \Drupal\Component\Utility\Xss::filterAdmin() because it's user data + // and we can't be sure it is safe. We know nothing about the data, + // though, so we can't really do much else. if (isset($item['raw'])) { // If $item['raw'] is an array then we can use as is, if it's an object @@ -844,7 +846,7 @@ protected function addSelfTokens(&$tokens, $item) { (is_object($item['raw']) ? (array)$item['raw'] : NULL); } if (isset($raw) && isset($raw[$id]) && is_scalar($raw[$id])) { - $tokens['[' . $this->options['id'] . '-' . $id . ']'] = filter_xss_admin($raw[$id]); + $tokens['[' . $this->options['id'] . '-' . $id . ']'] = Xss::filterAdmin($raw[$id]); } else { // Make sure that empty values are replaced as well. diff --git a/core/modules/field/lib/Drupal/field/Tests/FieldUnitTestBase.php b/core/modules/field/lib/Drupal/field/Tests/FieldUnitTestBase.php index cf439660ce444cb8920859bdea1bc4ccae1bc3c4..5f77d92afc5014c9a3571513baaaaecaf206958e 100644 --- a/core/modules/field/lib/Drupal/field/Tests/FieldUnitTestBase.php +++ b/core/modules/field/lib/Drupal/field/Tests/FieldUnitTestBase.php @@ -7,6 +7,7 @@ namespace Drupal\field\Tests; +use Drupal\Component\Utility\Xss; use Drupal\Core\Entity\EntityInterface; use Drupal\Core\Language\Language; use Drupal\simpletest\DrupalUnitTestBase; 
@@ -235,7 +236,7 @@ protected function assertText($text, $message = '', $group = 'Other') { if (!$message) { $message = t('Raw "@raw" found', array('@raw' => $text)); } - return $this->assert(strpos(filter_xss($this->content, array()), $text) !== FALSE, $message, $group); + return $this->assert(strpos(Xss::filter($this->content, array()), $text) !== FALSE, $message, $group); } /** @@ -260,6 +261,6 @@ protected function assertNoText($text, $message = '', $group = 'Other') { if (!$message) { $message = t('Raw "@raw" not found', array('@raw' => $text)); } - return $this->assert(strpos(filter_xss($this->content, array()), $text) === FALSE, $message, $group); + return $this->assert(strpos(Xss::filter($this->content, array()), $text) === FALSE, $message, $group); } } diff --git a/core/modules/filter/filter.module b/core/modules/filter/filter.module index 73aec622752da6c8d87755206318fdd226ac1ffa..2e71d68b775238b4fe89a246956acc64f91a1896 100644 --- a/core/modules/filter/filter.module +++ b/core/modules/filter/filter.module @@ -7,6 +7,7 @@ use Drupal\Component\Utility\Html; use Drupal\Component\Utility\String; +use Drupal\Component\Utility\Xss; use Drupal\Core\Cache\Cache; use Drupal\Core\Language\Language; use Drupal\Core\Render\Element; @@ -728,7 +729,7 @@ function template_preprocess_filter_tips(&$variables) { */ function _filter_html($text, $filter) { $allowed_tags = preg_split('/\s+|<|>/', $filter->settings['allowed_html'], -1, PREG_SPLIT_NO_EMPTY); - $text = filter_xss($text, $allowed_tags); + $text = Xss::filter($text, $allowed_tags); if ($filter->settings['filter_html_nofollow']) { $html_dom = Html::load($text); 
@@ -772,7 +773,7 @@ function _filter_url($text, $filter) { // the identical list. While '//' is technically optional for MAILTO only, // we cannot cleanly differ between protocols here without hard-coding MAILTO, // so '//' is optional for all protocols. - // @see filter_xss_bad_protocol() + // @see \Drupal\Component\Utility\UrlHelper::filterBadProtocol() $protocols = \Drupal::config('system.filter')->get('protocols'); $protocols = implode(':(?://)?|', $protocols) . ':(?://)?'; diff --git a/core/modules/forum/forum.module b/core/modules/forum/forum.module index f01509b9244be9e930959539c1c516c815465eb1..5facc3c855316e4f01aa8731c52c19dfeb051145 100644 --- a/core/modules/forum/forum.module +++ b/core/modules/forum/forum.module @@ -6,6 +6,7 @@ */ use Drupal\comment\Plugin\Field\FieldType\CommentItemInterface; +use Drupal\Component\Utility\Xss; use Drupal\Core\Entity\EntityInterface; use Drupal\Component\Utility\String; use Drupal\field\Field; @@ -709,7 +710,7 @@ function template_preprocess_forum_list(&$variables) { $row = 0; // Sanitize each forum so that the template can safely print the data. foreach ($variables['forums'] as $id => $forum) { - $variables['forums'][$id]->description = filter_xss_admin($forum->description->value); + $variables['forums'][$id]->description = Xss::filterAdmin($forum->description->value); $variables['forums'][$id]->link = url("forum/" . $forum->id()); $variables['forums'][$id]->name = String::checkPlain($forum->label()); $variables['forums'][$id]->is_container = !empty($forum->forum_container->value); diff --git a/core/modules/locale/locale.module b/core/modules/locale/locale.module index 59b3be0a2d995340ae1bdd3703c80cd2ca87abb0..881ca9a65f7c1af985f9b776ac5e1f083fe0f96a 100644 --- a/core/modules/locale/locale.module +++ b/core/modules/locale/locale.module 
@@ -11,6 +11,7 @@ */ use Drupal\Component\Utility\Json; +use Drupal\Component\Utility\Xss; use Drupal\Core\Cache\Cache; use Drupal\Core\Language\Language; use Drupal\language\Entity\Language as LanguageEntity; 
@@ -1035,15 +1036,16 @@ function locale_translation_use_remote_source() { * not have any false positives. But it is only a test, not a transformation, * as it destroys valid HTML. We cannot reliably filter translation strings * on import because some strings are irreversibly corrupted. For example, - * a & in the translation would get encoded to &amp; by filter_xss() - * before being put in the database, and thus would be displayed incorrectly. + * a & in the translation would get encoded to &amp; by + * \Drupal\Component\Utility\Xss::filter() before being put in the database, + * and thus would be displayed incorrectly. * - * The allowed tag list is like filter_xss_admin(), but omitting div and img as - * not needed for translation and likely to cause layout issues (div) or a - * possible attack vector (img). + * The allowed tag list is like \Drupal\Component\Utility\Xss::filterAdmin(), + * but omitting div and img as not needed for translation and likely to cause + * layout issues (div) or a possible attack vector (img). */ function locale_string_is_safe($string) { - return decode_entities($string) == decode_entities(filter_xss($string, array('a', 'abbr', 'acronym', 'address', 'b', 'bdo', 'big', 'blockquote', 'br', 'caption', 'cite', 'code', 'col', 'colgroup', 'dd', 'del', 'dfn', 'dl', 'dt', 'em', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'hr', 'i', 'ins', 'kbd', 'li', 'ol', 'p', 'pre', 'q', 'samp', 'small', 'span', 'strong', 'sub', 'sup', 'table', 'tbody', 'td', 'tfoot', 'th', 'thead', 'tr', 'tt', 'ul', 'var'))); + return decode_entities($string) == decode_entities(Xss::filter($string, array('a', 'abbr', 'acronym', 'address', 'b', 'bdo', 'big', 'blockquote', 'br', 'caption', 'cite', 'code', 'col', 'colgroup', 'dd', 'del', 'dfn', 'dl', 'dt', 'em', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'hr', 'i', 'ins', 'kbd', 'li', 'ol', 'p', 'pre', 'q', 'samp', 'small', 'span', 'strong', 'sub', 'sup', 'table', 'tbody', 'td', 'tfoot', 'th', 'thead', 'tr', 'tt', 'ul', 'var'))); } /** 
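Review bot: The rewritten return line in `locale_string_is_safe()` still compares the two decoded strings with loose `==`; PHP compares two numeric-looking strings numerically under `==` (`'1e3' == '1000'` is true), so an identity check on the filtered result should use `===`: `return decode_entities($string) === decode_entities(Xss::filter($string, array(...)));`. This is a safety predicate gating whether an imported translation is accepted, so the strict form is the one that matches the "must not have any false positives" intent stated in the docblock. The allowed-tag list itself is unchanged by this commit and the docblock now correctly names `Xss::filterAdmin()` as its reference point.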
diff --git a/core/modules/menu/lib/Drupal/menu/MenuListBuilder.php b/core/modules/menu/lib/Drupal/menu/MenuListBuilder.php index 31f5db447be9b19bf660f7e17facc9ca12f13840..b1ff07ea82a3689d9364de44e646bd9cadf3e629 100644 --- a/core/modules/menu/lib/Drupal/menu/MenuListBuilder.php +++ b/core/modules/menu/lib/Drupal/menu/MenuListBuilder.php @@ -7,6 +7,7 @@ namespace Drupal\menu; +use Drupal\Component\Utility\Xss; use Drupal\Core\Config\Entity\ConfigEntityListBuilder; use Drupal\Core\Entity\EntityInterface; @@ -38,7 +39,7 @@ public function buildRow(EntityInterface $entity) { 'data' => $this->getLabel($entity), 'class' => array('menu-label'), ); - $row['description'] = filter_xss_admin($entity->description); + $row['description'] = Xss::filterAdmin($entity->description); return $row + parent::buildRow($entity); } diff --git a/core/modules/node/node.module b/core/modules/node/node.module index b05fc2c2586cb2d6a178ebe2b213ee5b73df3b4a..d7939757489d69e99225fa25913ec6ba913e8083 100644 --- a/core/modules/node/node.module +++ b/core/modules/node/node.module @@ -8,6 +8,7 @@ * API pattern. */ +use Drupal\Component\Utility\Xss; use Drupal\Core\Language\Language; use Drupal\Core\Render\Element; use Drupal\Core\Url; @@ -137,12 +138,12 @@ function node_help($path, $arg) { case 'node/%/edit': $node = node_load($arg[1]); $type = node_type_load($node->bundle()); - return (!empty($type->help) ? filter_xss_admin($type->help) : ''); + return (!empty($type->help) ? Xss::filterAdmin($type->help) : ''); } if ($arg[0] == 'node' && $arg[1] == 'add' && $arg[2]) { $type = node_type_load($arg[2]); - return (!empty($type->help) ? filter_xss_admin($type->help) : ''); + return (!empty($type->help) ? Xss::filterAdmin($type->help) : ''); } } diff --git a/core/modules/node/node.pages.inc b/core/modules/node/node.pages.inc index fe5b0c15bdf601f154cfe338df3e1239a73bcc20..94f29bcdb68eeb7a7511f0500336c83e923f04ea 100644 --- a/core/modules/node/node.pages.inc +++ b/core/modules/node/node.pages.inc 
@@ -9,6 +9,7 @@
 * @see node_menu()
 */
+use Drupal\Component\Utility\Xss;
 use Symfony\Component\HttpFoundation\RedirectResponse;
 use Drupal\node\NodeInterface;
@@ -30,7 +31,7 @@ function template_preprocess_node_add_list(&$variables) {
 $variables['types'][$type->type] = array(
 'type' => $type->type,
 'add_link' => l($type->name, 'node/add/' . $type->type),
- 'description' => filter_xss_admin($type->description),
+ 'description' => Xss::filterAdmin($type->description),
 );
 }
 }
@@ -141,7 +142,7 @@ function node_revision_overview($node) {
 '#account' => user_load($revision->uid),
 );
 $row[] = array('data' => t('!date by !username', array('!date' => l(format_date($revision->revision_timestamp, 'short'), 'node/' . $node->id()), '!username' => drupal_render($username)))
- . (($revision->log != '') ? '<p class="revision-log">' . filter_xss($revision->log) . '</p>' : ''),
+ . (($revision->log != '') ? '<p class="revision-log">' . Xss::filter($revision->log) . '</p>' : ''),
 'class' => array('revision-current'));
 $row[] = array('data' => drupal_placeholder(t('current revision')), 'class' => array('revision-current'));
 }
@@ -151,7 +152,7 @@ function node_revision_overview($node) {
 '#account' => user_load($revision->uid),
 );
 $row[] = t('!date by !username', array('!date' => l(format_date($revision->revision_timestamp, 'short'), "node/" . $node->id() . "/revisions/" . $revision->vid . "/view"), '!username' => drupal_render($username)))
- . (($revision->log != '') ? '<p class="revision-log">' . filter_xss($revision->log) . '</p>' : '');
+ . (($revision->log != '') ? '<p class="revision-log">' . Xss::filter($revision->log) . '</p>' : '');
 if ($revert_permission) {
 $links['revert'] = array(
 'title' => t('Revert'),
diff --git a/core/modules/simpletest/lib/Drupal/simpletest/WebTestBase.php b/core/modules/simpletest/lib/Drupal/simpletest/WebTestBase.php
index 61c54d1348fe9423ef39dbfcfbeaa857cacfc918..33833911cdaffea5ef3b02677eda7ad8fef8d56f 100644
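Review bot: The revision-log snippet `(($revision->log != '') ? '<p class="revision-log">' . Xss::filter($revision->log) . '</p>' : '')` is now duplicated verbatim on the new side of both node_revision_overview() hunks, once for the current revision and once for older ones, and the function's body starts and ends outside the hunks. A small private helper taking the log string and returning that markup would keep the choice of Xss::filter() (rather than filterAdmin, since log messages are authored by any editor) in one place, so the two branches cannot drift apart when sanitisation changes again. As this commit is a mechanical rename, the extraction could reasonably be a follow-up.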
--- a/core/modules/simpletest/lib/Drupal/simpletest/WebTestBase.php
+++ b/core/modules/simpletest/lib/Drupal/simpletest/WebTestBase.php
@@ -11,6 +11,7 @@
 use Drupal\Component\Utility\Json;
 use Drupal\Component\Utility\NestedArray;
 use Drupal\Component\Utility\String;
+use Drupal\Component\Utility\Xss;
 use Drupal\Core\DrupalKernel;
 use Drupal\Core\Database\Database;
 use Drupal\Core\Database\ConnectionNotDefinedException;
@@ -2766,7 +2767,7 @@ protected function assertNoText($text, $message = '', $group = 'Other') {
 */
 protected function assertTextHelper($text, $message = '', $group, $not_exists) {
 if ($this->plainTextContent === FALSE) {
- $this->plainTextContent = filter_xss($this->drupalGetContent(), array());
+ $this->plainTextContent = Xss::filter($this->drupalGetContent(), array());
 }
 if (!$message) {
 $message = !$not_exists ? String::format('"@text" found', array('@text' => $text)) : String::format('"@text" not found', array('@text' => $text));
@@ -2851,7 +2852,7 @@ protected function assertNoUniqueText($text, $message = '', $group = 'Other') {
 */
 protected function assertUniqueTextHelper($text, $message = '', $group, $be_unique) {
 if ($this->plainTextContent === FALSE) {
- $this->plainTextContent = filter_xss($this->drupalGetContent(), array());
+ $this->plainTextContent = Xss::filter($this->drupalGetContent(), array());
 }
 if (!$message) {
 $message = '"' . $text . '"' . ($be_unique ? ' found only once' : ' found more than once');
diff --git a/core/modules/system/lib/Drupal/system/Tests/Common/XssUnitTest.php b/core/modules/system/lib/Drupal/system/Tests/Common/XssUnitTest.php
index 2b1d696880919ab5df3259c466f65d485439dcef..d54cc74ffb727cff3b217b6c640abc5ea5c02a22 100644
--- a/core/modules/system/lib/Drupal/system/Tests/Common/XssUnitTest.php
+++ b/core/modules/system/lib/Drupal/system/Tests/Common/XssUnitTest.php
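Review bot: The rewritten `$this->plainTextContent = Xss::filter($this->drupalGetContent(), array());` in assertTextHelper() gives no hint why an empty allowed-tags list is passed, and the same line recurs in assertUniqueTextHelper() below. A short comment would save readers a trip to the Xss class, e.g. `// An empty allowed list strips every tag, leaving the page text.` — and, if the locale.module docblock earlier in this diff is right that the filter re-encodes stray ampersands, it is worth adding that the "plain" text still carries HTML entities, so assertions on text containing `&` presumably need the encoded form. Both helper methods continue outside their hunks.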
@@ -11,7 +11,7 @@
 use Drupal\simpletest\DrupalUnitTestBase;
 /**
- * Tests for filter_xss() and check_url().
+ * Tests for \Drupal\Component\Utility\Xss::filter() and check_url().
 */
 class XssUnitTest extends DrupalUnitTestBase {
@@ -25,7 +25,7 @@ class XssUnitTest extends DrupalUnitTestBase {
 public static function getInfo() {
 return array(
 'name' => 'String filtering tests',
- 'description' => 'Confirm that filter_xss() and check_url() work correctly, including invalid multi-byte sequences.',
+ 'description' => 'Confirm that \Drupal\Component\Utility\Xss::filter() and check_url() work correctly, including invalid multi-byte sequences.',
 'group' => 'Common',
 );
 }
diff --git a/core/modules/system/lib/Drupal/system/Tests/Form/AlterTest.php b/core/modules/system/lib/Drupal/system/Tests/Form/AlterTest.php
index 70d9b5e6339d03080374c0e5721cb68ffe56a004..4c7f520356711593685594d6e73b1040fcacc432 100644
--- a/core/modules/system/lib/Drupal/system/Tests/Form/AlterTest.php
+++ b/core/modules/system/lib/Drupal/system/Tests/Form/AlterTest.php
@@ -7,6 +7,7 @@
 namespace Drupal\system\Tests\Form;
+use Drupal\Component\Utility\Xss;
 use Drupal\simpletest\WebTestBase;
 /**
@@ -42,7 +43,7 @@ function testExecutionOrder() {
 'form_test_form_form_test_alter_form_alter() executed.',
 'system_form_form_test_alter_form_alter() executed.',
 );
- $content = preg_replace('/\s+/', ' ', filter_xss($this->content, array()));
+ $content = preg_replace('/\s+/', ' ', Xss::filter($this->content, array()));
 $this->assert(strpos($content, implode(' ', $expected)) !== FALSE, 'Form alter hooks executed in the expected order.');
 }
 }
diff --git a/core/modules/system/lib/Drupal/system/Tests/System/PageTitleTest.php b/core/modules/system/lib/Drupal/system/Tests/System/PageTitleTest.php
index fdc511a5abb5aa651c0e28af4785e97ed26fdf48..a944f2f0d76ee729dc79587b0c0c70614ec4ac75 100644
--- a/core/modules/system/lib/Drupal/system/Tests/System/PageTitleTest.php
+++ b/core/modules/system/lib/Drupal/system/Tests/System/PageTitleTest.php
@@ -7,6 +7,7 @@
 namespace Drupal\system\Tests\System;
+use Drupal\Component\Utility\Xss;
 use Drupal\Core\Utility\Title;
 use Drupal\simpletest\WebTestBase;
@@ -73,7 +74,7 @@ function testTitleXSS() {
 $title_filtered = check_plain($title);
 $slogan = '<script type="text/javascript">alert("Slogan XSS!");</script>';
- $slogan_filtered = filter_xss_admin($slogan);
+ $slogan_filtered = Xss::filterAdmin($slogan);
 // Activate needed appearance settings.
 $edit = array(
diff --git a/core/modules/system/lib/Drupal/system/Tests/Theme/ThemeSuggestionsAlterTest.php b/core/modules/system/lib/Drupal/system/Tests/Theme/ThemeSuggestionsAlterTest.php
index a987e1f61e62f43ff44f7b8875b1e71cbe5ec7fb..202ddd2a44bf45d42b6ffda14f58728d7166fea7 100644
--- a/core/modules/system/lib/Drupal/system/Tests/Theme/ThemeSuggestionsAlterTest.php
+++ b/core/modules/system/lib/Drupal/system/Tests/Theme/ThemeSuggestionsAlterTest.php
@@ -7,6 +7,7 @@
 namespace Drupal\system\Tests\Theme;
+use Drupal\Component\Utility\Xss;
 use Drupal\simpletest\WebTestBase;
 /**
@@ -182,7 +183,7 @@ function testExecutionOrder() {
 'test_theme_theme_suggestions_alter() executed.',
 'test_theme_theme_suggestions_theme_test_suggestions_alter() executed.',
 );
- $content = preg_replace('/\s+/', ' ', filter_xss($this->content, array()));
+ $content = preg_replace('/\s+/', ' ', Xss::filter($this->content, array()));
 $this->assert(strpos($content, implode(' ', $expected)) !== FALSE, 'Suggestion alter hooks executed in the expected order.');
 }
diff --git a/core/modules/system/system.admin.inc b/core/modules/system/system.admin.inc
index 84e74c092a91dbbe2dee247d7f2a453f54b75764..52998dee4364e6f2ce2aae8085f585c93f444c3f 100644
--- a/core/modules/system/system.admin.inc
+++ b/core/modules/system/system.admin.inc
@@ -5,6 +5,7 @@
 * Admin page callbacks for the system module.
 */
+use Drupal\Component\Utility\Xss;
 use Drupal\Core\Cache\Cache;
 use Drupal\Core\Extension\Extension;
 use Drupal\Core\Render\Element;
@@ -105,7 +106,7 @@ function template_preprocess_admin_block_content(&$variables) {
 foreach ($variables['content'] as $key => $item) {
 $variables['content'][$key]['link'] = l($item['title'], $item['link_path'], $item['localized_options']);
 if (!$compact && isset($item['description'])) {
- $variables['content'][$key]['description'] = filter_xss_admin($item['description']);
+ $variables['content'][$key]['description'] = Xss::filterAdmin($item['description']);
 }
 else {
 $variables['content'][$key]['description'] = FALSE;
diff --git a/core/modules/system/system.tokens.inc b/core/modules/system/system.tokens.inc
index 4c27e2cc806a12c4ed540f16b951f13468c89afd..3750ff217ef92033e1859bd487f9a9334e73001d 100644
--- a/core/modules/system/system.tokens.inc
+++ b/core/modules/system/system.tokens.inc
@@ -7,6 +7,8 @@
 * This file handles tokens for the global 'site' and 'date' tokens.
 */
+use Drupal\Component\Utility\Xss;
+
 /**
 * Implements hook_token_info().
 */
@@ -109,7 +111,7 @@ function system_tokens($type, $tokens, array $data = array(), array $options = a
 case 'slogan':
 $slogan = \Drupal::config('system.site')->get('slogan');
- $replacements[$original] = $sanitize ? filter_xss_admin($slogan) : $slogan;
+ $replacements[$original] = $sanitize ? Xss::filterAdmin($slogan) : $slogan;
 break;
 case 'mail':
diff --git a/core/modules/taxonomy/lib/Drupal/taxonomy/Tests/TokenReplaceTest.php b/core/modules/taxonomy/lib/Drupal/taxonomy/Tests/TokenReplaceTest.php
index 18cbdd8af15e24e39ed883c35c16c7264448ee21..a09cbc24e107d5e1db1ed7fe67d099e995ff4946 100644
--- a/core/modules/taxonomy/lib/Drupal/taxonomy/Tests/TokenReplaceTest.php
+++ b/core/modules/taxonomy/lib/Drupal/taxonomy/Tests/TokenReplaceTest.php
@@ -7,6 +7,7 @@
 namespace Drupal\taxonomy\Tests;
+use Drupal\Component\Utility\Xss;
 use Drupal\Core\Field\FieldDefinitionInterface;
 use Drupal\Core\Language\Language;
 use Drupal\Component\Utility\String;
@@ -135,7 +136,7 @@ function testTaxonomyTokenReplacement() {
 $tests = array();
 $tests['[vocabulary:vid]'] = $this->vocabulary->id();
 $tests['[vocabulary:name]'] = String::checkPlain($this->vocabulary->name);
- $tests['[vocabulary:description]'] = filter_xss($this->vocabulary->description);
+ $tests['[vocabulary:description]'] = Xss::filter($this->vocabulary->description);
 $tests['[vocabulary:node-count]'] = 1;
 $tests['[vocabulary:term-count]'] = 2;
diff --git a/core/modules/taxonomy/taxonomy.tokens.inc b/core/modules/taxonomy/taxonomy.tokens.inc
index ce331da159b2835996edc801172409daa82c8ca1..aa1505c59b2d5ddd8768d3a63fdb0ad561b40904 100644
--- a/core/modules/taxonomy/taxonomy.tokens.inc
+++ b/core/modules/taxonomy/taxonomy.tokens.inc
@@ -6,6 +6,7 @@
 */
 use Drupal\Component\Utility\String;
+use Drupal\Component\Utility\Xss;
 /**
 * Implements hook_token_info().
@@ -164,7 +165,7 @@ function taxonomy_tokens($type, $tokens, array $data = array(), array $options =
 break;
 case 'description':
- $replacements[$original] = $sanitize ? filter_xss($vocabulary->description) : $vocabulary->description;
+ $replacements[$original] = $sanitize ? Xss::filter($vocabulary->description) : $vocabulary->description;
 break;
 case 'term-count':
diff --git a/core/modules/tour/lib/Drupal/tour/Plugin/tour/tip/TipPluginText.php b/core/modules/tour/lib/Drupal/tour/Plugin/tour/tip/TipPluginText.php
index d8834906aa479cb9a1915373804fc2b6b0e375ef..1858370a25375bb9142238fa8fbb0b7a5e4eb567 100644
--- a/core/modules/tour/lib/Drupal/tour/Plugin/tour/tip/TipPluginText.php
+++ b/core/modules/tour/lib/Drupal/tour/Plugin/tour/tip/TipPluginText.php
@@ -7,6 +7,7 @@
 namespace Drupal\tour\Plugin\tour\tip;
+use Drupal\Component\Utility\Xss;
 use Drupal\Core\Plugin\ContainerFactoryPluginInterface;
 use Drupal\Core\Utility\Token;
 use Drupal\tour\TipPluginBase;
@@ -119,7 +120,7 @@ public function getAttributes() {
 */
 public function getOutput() {
 $output = '<h2 class="tour-tip-label" id="tour-tip-' . $this->getAriaId() . '-label">' . check_plain($this->getLabel()) . '</h2>';
- $output .= '<p class="tour-tip-body" id="tour-tip-' . $this->getAriaId() . '-contents">' . filter_xss_admin($this->token->replace($this->getBody())) . '</p>';
+ $output .= '<p class="tour-tip-body" id="tour-tip-' . $this->getAriaId() . '-contents">' . Xss::filterAdmin($this->token->replace($this->getBody())) . '</p>';
 return array('#markup' => $output);
 }
diff --git a/core/modules/user/user.module b/core/modules/user/user.module
index 91a6f25ab7755b58d8ea195af5cfe9ac3b957a1b..a97f6fcf3bf50bd2885a1205a72c6618b76a36ba 100644
--- a/core/modules/user/user.module
+++ b/core/modules/user/user.module
@@ -607,7 +607,7 @@ function user_template_preprocess_default_variables_alter(&$variables) {
 *
 * Modules that make any changes to variables like 'name' or 'extra' must ensure
 * that the final string is safe to include directly in the output by using
- * check_plain() or filter_xss().
+ * check_plain() or \Drupal\Component\Utility\Xss::filter().
 */
 function template_preprocess_username(&$variables) {
 $account = $variables['account'] ?: new AnonymousUserSession();
diff --git a/core/modules/views/lib/Drupal/views/Plugin/views/area/TextCustom.php b/core/modules/views/lib/Drupal/views/Plugin/views/area/TextCustom.php
index 6856ccdc9977ad9c33211ff0a1e5ad9744740f27..fcd798cb6b94754a847f1848322bbd85f72ac0de 100644
--- a/core/modules/views/lib/Drupal/views/Plugin/views/area/TextCustom.php
+++ b/core/modules/views/lib/Drupal/views/Plugin/views/area/TextCustom.php
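Review bot: In getOutput() the rewritten line applies `Xss::filterAdmin()` to the result of `$this->token->replace($this->getBody())`, so whatever markup a token expands to is judged against the permissive admin tag list instead of being escaped; that is only sound if the token service escapes its replacement values (it presumably does by default, but nothing on this line records the dependency). A comment would keep the next maintainer from reordering it, e.g. `// Token values are already sanitized by the token service; filterAdmin() only guards the admin-authored body text.` — or, if the assumption does not hold, the body should be filtered before replacement and the token output escaped separately. The method is complete within the hunk.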
@@ -53,7 +53,7 @@ public function render($empty = FALSE) {
 }
 /**
- * Render a text area with filter_xss_admin.
+ * Render a text area with \Drupal\Component\Utility\Xss::filterAdmin().
 */
 public function renderTextarea($value) {
 if ($value) {
diff --git a/core/modules/views/lib/Drupal/views/Plugin/views/field/Boolean.php b/core/modules/views/lib/Drupal/views/Plugin/views/field/Boolean.php
index 47b1b4ead641772173a69b216259324022b907d6..cf4ef7798597a4f78f4ea9e66e85f58e97cf06fa 100644
--- a/core/modules/views/lib/Drupal/views/Plugin/views/field/Boolean.php
+++ b/core/modules/views/lib/Drupal/views/Plugin/views/field/Boolean.php
@@ -7,6 +7,7 @@
 namespace Drupal\views\Plugin\views\field;
+use Drupal\Component\Utility\Xss as UtilityXss;
 use Drupal\views\ResultRow;
 use Drupal\views\ViewExecutable;
 use Drupal\views\Plugin\views\display\DisplayPluginBase;
@@ -110,7 +111,7 @@ public function render(ResultRow $values) {
 }
 if ($this->options['type'] == 'custom') {
- return $value ? filter_xss_admin($this->options['type_custom_true']) : filter_xss_admin($this->options['type_custom_false']);
+ return $value ? UtilityXss::filterAdmin($this->options['type_custom_true']) : UtilityXss::filterAdmin($this->options['type_custom_false']);
 }
 elseif (isset($this->formats[$this->options['type']])) {
 return $value ? $this->formats[$this->options['type']][0] : $this->formats[$this->options['type']][1];
diff --git a/core/modules/views/lib/Drupal/views/Plugin/views/field/FieldPluginBase.php b/core/modules/views/lib/Drupal/views/Plugin/views/field/FieldPluginBase.php
index 08c12cc64f5e30a0308fca1b664bf82d208cbd79..b3c85c1bdea35b4cc800264f292fb372f8762a47 100644
--- a/core/modules/views/lib/Drupal/views/Plugin/views/field/FieldPluginBase.php
+++ b/core/modules/views/lib/Drupal/views/Plugin/views/field/FieldPluginBase.php
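Review bot: The new `use Drupal\Component\Utility\Xss as UtilityXss;` in Boolean.php is the only aliased import in this diff and nothing explains the alias; presumably it avoids a clash with a sibling `Xss` class in the `Drupal\views\Plugin\views\field` namespace, but a reader of render() will wonder why this file alone calls `UtilityXss::filterAdmin()`. A one-line comment on the import, e.g. `// Aliased: this namespace has its own Xss field plugin.`, would settle it — assuming that is indeed the reason. render()'s body continues outside the hunk.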
@@ -9,6 +9,7 @@
 use Drupal\Component\Utility\Html;
 use Drupal\Component\Utility\String;
+use Drupal\Component\Utility\Xss;
 use Drupal\views\Plugin\views\HandlerBase;
 use Drupal\views\Plugin\views\display\DisplayPluginBase;
 use Drupal\views\ResultRow;
@@ -1248,7 +1249,7 @@ public function renderText($alter) {
 if ($this->options['alter']['more_link'] && strlen($value) < $length) {
 $tokens = $this->getRenderTokens($alter);
 $more_link_text = $this->options['alter']['more_link_text'] ? $this->options['alter']['more_link_text'] : t('more');
- $more_link_text = strtr(filter_xss_admin($more_link_text), $tokens);
+ $more_link_text = strtr(Xss::filterAdmin($more_link_text), $tokens);
 $more_link_path = $this->options['alter']['more_link_path'];
 $more_link_path = strip_tags(decode_entities(strtr($more_link_path, $tokens)));
@@ -1285,7 +1286,7 @@ public function renderText($alter) {
 */
 protected function renderAltered($alter, $tokens) {
 // Filter this right away as our substitutions are already sanitized.
- $value = filter_xss_admin($alter['text']);
+ $value = Xss::filterAdmin($alter['text']);
 $value = strtr($value, $tokens);
 return $value;
@@ -1311,7 +1312,7 @@ protected function renderAsLink($alter, $text, $tokens) {
 $value = '';
 if (!empty($alter['prefix'])) {
- $value .= filter_xss_admin(strtr($alter['prefix'], $tokens));
+ $value .= Xss::filterAdmin(strtr($alter['prefix'], $tokens));
 }
 $options = array(
@@ -1451,7 +1452,7 @@ protected function renderAsLink($alter, $text, $tokens) {
 $value .= l($text, $path, $options);
 if (!empty($alter['suffix'])) {
- $value .= filter_xss_admin(strtr($alter['suffix'], $tokens));
+ $value .= Xss::filterAdmin(strtr($alter['suffix'], $tokens));
 }
 return $value;
diff --git a/core/modules/views/lib/Drupal/views/Tests/Plugin/RowEntityTest.php b/core/modules/views/lib/Drupal/views/Tests/Plugin/RowEntityTest.php
index 5fa35b88cda13bf43f8f8db5f68307aa272e5df5..0b406f5d7c7c9de51ad7a6ad7695002a0553ca3d 100644
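Review bot: The four rewritten FieldPluginBase lines sanitise in two different orders: the more-link text in renderText() and renderAltered() call `Xss::filterAdmin()` first and then `strtr()` the tokens in (renderAltered() even comments that the substitutions are already sanitized), whereas the prefix and suffix in renderAsLink() do `Xss::filterAdmin(strtr($alter['suffix'], $tokens))`, filtering after substitution. If the token values really are safe, the prefix/suffix order merely re-filters them, which is harmless at admin strength but inconsistent; if any token value is not safe, the first order lets it through unfiltered. Settling on one order for all four call sites, or a comment on the prefix/suffix lines saying why they differ, would remove the ambiguity. renderText() and renderAsLink() both extend beyond their hunks.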
--- a/core/modules/views/lib/Drupal/views/Tests/Plugin/RowEntityTest.php
+++ b/core/modules/views/lib/Drupal/views/Tests/Plugin/RowEntityTest.php
@@ -7,6 +7,7 @@
 namespace Drupal\views\Tests\Plugin;
+use Drupal\Component\Utility\Xss;
 use Drupal\views\Views;
 use Drupal\views\Tests\ViewUnitTestBase;
@@ -102,7 +103,7 @@ protected function assertText($text, $message = '', $group = 'Other') {
 if (!$message) {
 $message = t('Raw "@raw" found', array('@raw' => $text));
 }
- return $this->assert(strpos(filter_xss($this->content, array()), $text) !== FALSE, $message, $group);
+ return $this->assert(strpos(Xss::filter($this->content, array()), $text) !== FALSE, $message, $group);
 }
 }
diff --git a/core/modules/views/tests/modules/views_test_data/lib/Drupal/views_test_data/Plugin/views/display/DisplayTest.php b/core/modules/views/tests/modules/views_test_data/lib/Drupal/views_test_data/Plugin/views/display/DisplayTest.php
index a297fc332363b16b4571f4167e1ad0814b2d207b..1447c67ccbfa4f540d9630bfebe825734f0db13c 100644
--- a/core/modules/views/tests/modules/views_test_data/lib/Drupal/views_test_data/Plugin/views/display/DisplayTest.php
+++ b/core/modules/views/tests/modules/views_test_data/lib/Drupal/views_test_data/Plugin/views/display/DisplayTest.php
@@ -7,6 +7,7 @@
 namespace Drupal\views_test_data\Plugin\views\display;
+use Drupal\Component\Utility\Xss;
 use Drupal\views\Plugin\views\display\DisplayPluginBase;
 /**
@@ -124,7 +125,7 @@ public function execute() {
 $render = $this->view->render();
 // Render the test option as the title before the view output.
- $render['#prefix'] = '<h1>' . filter_xss_admin($this->options['test_option']) . '</h1>';
+ $render['#prefix'] = '<h1>' . Xss::filterAdmin($this->options['test_option']) . '</h1>';
 return $render;
 }
diff --git a/core/modules/views/views.theme.inc b/core/modules/views/views.theme.inc
index eaf3d860788738a5606a325bc3c8f1e7ed716c41..d01235d2492768000ca8becd1b93f0390d21bc34 100644
--- a/core/modules/views/views.theme.inc
+++ b/core/modules/views/views.theme.inc
@@ -62,7 +62,7 @@ function template_preprocess_views_view(&$variables) {
 // @todo: Figure out whether this belongs into views_ui_preprocess_views_view.
 // Render title for the admin preview.
- $variables['title'] = !empty($view->views_ui_context) ? filter_xss_admin($view->getTitle()) : '';
+ $variables['title'] = !empty($view->views_ui_context) ? Xss::filterAdmin($view->getTitle()) : '';
 if ($view->display_handler->renderPager()) {
 $exposed_input = isset($view->exposed_raw_input) ? $view->exposed_raw_input : NULL;
@@ -203,7 +203,7 @@ function template_preprocess_views_view_fields(&$variables) {
 }
 if (!empty($variables['options']['separator']) && $previous_inline && $object->inline && $object->content) {
- $object->separator = filter_xss_admin($variables['options']['separator']);
+ $object->separator = Xss::filterAdmin($variables['options']['separator']);
 }
 $object->class = drupal_clean_css_identifier($id);
@@ -453,7 +453,7 @@ function template_preprocess_views_view_summary_unformatted(&$variables) {
 foreach ($variables['rows'] as $id => $row) {
 // Only false on first time.
 if ($count++) {
- $variables['rows'][$id]->separator = filter_xss_admin($variables['options']['separator']);
+ $variables['rows'][$id]->separator = Xss::filterAdmin($variables['options']['separator']);
 }
 $variables['rows'][$id]->attributes = array();
 $variables['rows'][$id]->link = $argument->summaryName($row);
@@ -643,7 +643,7 @@ function template_preprocess_views_view_table(&$variables) {
 // Place the field into the column, along with an optional separator.
 if (!empty($column_reference['content'])) {
 if (!empty($options['info'][$column]['separator'])) {
- $column_reference['content'] .= filter_xss_admin($options['info'][$column]['separator']);
+ $column_reference['content'] .= Xss::filterAdmin($options['info'][$column]['separator']);
 }
 }
 else {
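Review bot: `Xss::filterAdmin()` is introduced in four hunks of this non-namespaced .inc file, yet unlike every other file in the diff no `use Drupal\Component\Utility\Xss;` hunk is shown for it, and the unchanged offsets of the first hunk (`@@ -62,7 +62,7 @@`) indicate that no line was added above line 62. Unless the file already imports that class somewhere earlier, the bare `Xss` resolves to the global `\Xss` and each of these preprocess functions would fatal with an undefined class at render time. Worth confirming the import exists before merging, and adding `use Drupal\Component\Utility\Xss;` next to the file's other use statements if it does not. All four enclosing functions start and end outside the hunks.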
diff --git a/core/modules/views_ui/lib/Drupal/views_ui/ViewEditFormController.php b/core/modules/views_ui/lib/Drupal/views_ui/ViewEditFormController.php
index dfd8f6d24b906d7b4bb4596c7fbab5f735022ec1..c6a8aed5f85a99416dc93ea62dc97427323897bb 100644
--- a/core/modules/views_ui/lib/Drupal/views_ui/ViewEditFormController.php
+++ b/core/modules/views_ui/lib/Drupal/views_ui/ViewEditFormController.php
@@ -7,6 +7,7 @@
 namespace Drupal\views_ui;
+use Drupal\Component\Utility\Xss;
 use Drupal\Core\Ajax\AjaxResponse;
 use Drupal\Core\Ajax\HtmlCommand;
 use Drupal\Core\Ajax\ReplaceCommand;
@@ -1049,7 +1050,7 @@ public function getFormBucket(ViewUI $view, $type, $display) {
 $field_name = '(' . $relationships[$field['relationship']] . ') ' . $field_name;
 }
- $description = filter_xss_admin($handler->adminSummary());
+ $description = Xss::filterAdmin($handler->adminSummary());
 $link_text = $field_name . (empty($description) ? '' : " ($description)");
 $link_attributes = array('class' => array('views-ajax-link'));
 if (!empty($field['exclude'])) {
diff --git a/core/modules/views_ui/lib/Drupal/views_ui/ViewUI.php b/core/modules/views_ui/lib/Drupal/views_ui/ViewUI.php
index 3d4983746b271c99d655ea3ee099d6e4c92cfe51..ca3d5ecb19a7f9e02ddac2c94e78a47c4c3735a2 100644
--- a/core/modules/views_ui/lib/Drupal/views_ui/ViewUI.php
+++ b/core/modules/views_ui/lib/Drupal/views_ui/ViewUI.php
@@ -9,6 +9,7 @@
 use Drupal\Component\Utility\String;
 use Drupal\Component\Utility\Timer;
+use Drupal\Component\Utility\Xss;
 use Drupal\views\Views;
 use Drupal\Core\Entity\EntityStorageInterface;
 use Drupal\views\ViewExecutable;
@@ -691,7 +692,7 @@ public function renderPreview($display_id, $args = array()) {
 }
 }
 if ($show_info) {
- $rows['query'][] = array('<strong>' . t('Title') . '</strong>', filter_xss_admin($this->executable->getTitle()));
+ $rows['query'][] = array('<strong>' . t('Title') . '</strong>', Xss::filterAdmin($this->executable->getTitle()));
 if (isset($path)) {
 $path = l($path, $path);
 }
diff --git a/core/tests/Drupal/Tests/Component/Utility/XssTest.php b/core/tests/Drupal/Tests/Component/Utility/XssTest.php
index 1bdb67c78dd0fba7e55111396fab1a9b130bb4b9..72aade428fa86597f09d9c5e9ce5b5fbd6d0fc50 100644
--- a/core/tests/Drupal/Tests/Component/Utility/XssTest.php
+++ b/core/tests/Drupal/Tests/Component/Utility/XssTest.php
@@ -119,7 +119,7 @@ public function providerTestFilterXssNormalized() {
 * @param string $message
 * The assertion message to display upon failure.
 * @param array $allowed_tags
- * (optional) The allowed HTML tags to be passed to Xss::filter().
+ * (optional) The allowed HTML tags to be passed to \Drupal\Component\Utility\Xss::filter().
 *
 * @dataProvider providerTestFilterXssNotNormalized
 */
@@ -144,7 +144,7 @@ public function testFilterXssNotNormalized($value, $expected, $message, array $a
 * - The value to expect that's missing after filtering.
 * - The assertion message.
 * - (optional) The allowed HTML HTML tags array that should be passed to
- * Xss::filter().
+ * \Drupal\Component\Utility\Xss::filter().
 */
 public function providerTestFilterXssNotNormalized() {
 $cases = array(
@@ -437,9 +437,10 @@ public function providerTestFilterXssNotNormalized() {
 /**
 * Tests removing disallowed tags and XSS prevention.
 *
- * Xss::filter() has the ability to run in blacklist mode, in which it still
- * applies the exact same filtering, with one exception: it no longer works
- * with a list of allowed tags, but with a list of disallowed tags.
+ * \Drupal\Component\Utility\Xss::filter() has the ability to run in blacklist
+ * mode, in which it still applies the exact same filtering, with one
+ * exception: it no longer works with a list of allowed tags, but with a list
+ * of disallowed tags.
 *
 * @param string $value
 * The value to filter.
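Review bot: In the `@@ -144` hunk the context line directly above the rewritten one still reads `* - (optional) The allowed HTML HTML tags array that should be passed to`; since this docblock is being edited anyway, the duplicated word could be dropped in the same hunk: `* - (optional) The allowed HTML tags array that should be passed to`. A documentation-only nit, but it is cheaper to fix while the lines are open than in a separate commit.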
@@ -448,7 +449,7 @@ public function providerTestFilterXssNotNormalized() {
 * @param string $message
 * The assertion message to display upon failure.
 * @param array $disallowed_tags
- * (optional) The disallowed HTML tags to be passed to Xss::filter().
+ * (optional) The disallowed HT
ML tags to be passed to \Drupal\Component\Utility\Xss::filter().
 *
 * @dataProvider providerTestBlackListMode
 */
@@ -467,7 +468,7 @@ public function testBlacklistMode($value, $expected, $message, array $disallowed
 * - The value to filter.
 * - The value to expect after filtering.
 * - The assertion message.
- * - (optional) The disallowed HTML tags to be passed to Xss::filter().
+ * - (optional) The disallowed HTML tags to be passed to \Drupal\Component\Utility\Xss::filter().
 */
 public function providerTestBlackListMode() {
 return array(
@@ -537,7 +538,7 @@ public function testQuestionSign() {
 }
 /**
- * Checks that Xss::filterAdmin() correctly strips unallowed tags.
+ * Checks that \Drupal\Component\Utility\Xss::filterAdmin() correctly strips unallowed tags.
 */
 public function testFilterXSSAdmin() {
 $value = Xss::filterAdmin('<style /><iframe /><frame /><frameset /><meta /><link /><embed /><applet /><param /><layer />');
diff --git a/core/themes/bartik/bartik.theme b/core/themes/bartik/bartik.theme
index 6b99f45d12bfc78e47f758eaa151cf1473d2947c..f687de3b8f7b1e5db262029581e1eefc865aad02 100644
--- a/core/themes/bartik/bartik.theme
+++ b/core/themes/bartik/bartik.theme
@@ -5,6 +5,7 @@
 * Functions to support theming in the Bartik theme.
 */
+use Drupal\Component\Utility\Xss;
 use Drupal\Core\Template\RenderWrapper;
 use Drupal\Core\Template\Attribute;
@@ -179,6 +180,6 @@ function _bartik_process_page(&$variables) {
 }
 if ($variables['hide_site_slogan']) {
 // If toggle_site_slogan is FALSE, the site_slogan will be empty, so we rebuild it.
- $variables['site_slogan'] = filter_xss_admin($site_config->get('slogan'));
+ $variables['site_slogan'] = Xss::filterAdmin($site_config->get('slogan'));
 }
 }
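Review bot: The new docblock line `* (optional) The disallowed HTML tags to be passed to \Drupal\Component\Utility\Xss::filter().` runs well past the 80-column limit that the rest of this diff carefully respects (compare the reflowed paragraphs in the `@@ -437` hunk just above), and the same overlong line recurs in the `@@ -467` and `@@ -537` hunks below. Wrapping it as `* (optional) The disallowed HTML tags to be passed to` followed by `* \Drupal\Component\Utility\Xss::filter().` keeps the fully-qualified reference without the overlong line; the other two hunks can be wrapped the same way.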
diff --git a/core/themes/seven/seven.theme b/core/themes/seven/seven.theme
index c0a5a086817eded0996e2b55dabe98793fb0c475..dbd55133267244644cf64def66653cddccbef379 100644
--- a/core/themes/seven/seven.theme
+++ b/core/themes/seven/seven.theme
@@ -5,6 +5,7 @@
 * Functions to support theming in the Seven theme.
 */
+use Drupal\Component\Utility\Xss;
 use Drupal\Core\Template\RenderWrapper;
 use Drupal\Component\Utility\String;
@@ -121,7 +122,7 @@ function seven_node_add_list($variables) {
 foreach ($content as $type) {
 $output .= '<li class="clearfix">';
 $content = '<span class="label">' . check_plain($type->name) . '</span>';
- $content .= '<div class="description">' . filter_xss_admin($type->description) . '</div>';
+ $content .= '<div class="description">' . Xss::filterAdmin($type->description) . '</div>';
 $options['html'] = TRUE;
 $output .= l($content, 'node/add/' . $type->type, $options);
 $output .= '</li>';
@@ -146,7 +147,7 @@ function seven_custom_block_add_list($variables) {
 foreach ($variables['types'] as $id => $type) {
 $output .= '<li class="clearfix">';
 $content = '<span class="label">' . check_plain($type['title']) . '</span>';
- $content .= '<div class="description">' . filter_xss_admin($type['description']) . '</div>';
+ $content .= '<div class="description">' . Xss::filterAdmin($type['description']) . '</div>';
 $options = $type['localized_options'];
 $options['html'] = TRUE;
 $output .= \Drupal::l($content, 'custom_block.add_form', array('custom_block_type' => $id), $options);
@@ -169,11 +170,11 @@ function seven_admin_block_content($variables) {
 $output = system_admin_compact_mode() ? '<ul class="admin-list compact">' : '<ul class="admin-list">';
 foreach ($content as $item) {
 $output .= '<li>';
- $content = '<span class="label">' . filter_xss_admin($item['title']) . '</span>';
+ $content = '<span class="label">' . Xss::filterAdmin($item['title']) . '</span>';
 $options = $item['localized_options'];
 $options['html'] = TRUE;
 if (isset($item['description']) && !system_admin_compact_mode()) {
- $content .= '<div class="description">' . filter_xss_admin($item['description']) . '</div>';
+ $content .= '<div class="description">' . Xss::filterAdmin($item['description']) . '</div>';
 }
 $output .= l($content, $item['link_path'], $options);
 $output .= '</li>';
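Review bot: The rewritten title line `$content = '<span class="label">' . Xss::filterAdmin($item['title']) . '</span>';` lets admin-level HTML through in a menu item title, whereas the neighbouring seven_node_add_list() and seven_custom_block_add_list() hunks wrap their titles in `check_plain()` and reserve filterAdmin() for the description, and the system.admin.inc hunk earlier in this diff hands the same `$item['title']` to `l()`, which presumably escapes it as plain text unless localized_options says otherwise. Because the link is then built with `html = TRUE`, `check_plain($item['title'])` would bring this function in line with those callers and shrink the markup surface on an admin page; if titles are intentionally allowed to carry markup here, a one-line comment saying so would stop the next reader from "fixing" it.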