core/lib/Drupal/Component/Utility/Xss.php +5 −3 @@ -70,7 +70,7 @@ public static function filter($string, array $html_tags = NULL) { // Defuse all HTML entities. $string = str_replace('&', '&', $string); // Change back only well-formed entities in our whitelist: // Change back only well-formed entities in our list of allowed html tags: // Decimal numeric entities. $string = preg_replace('/&#([0-9]+;)/', '&#\1', $string); // Hexadecimal numeric entities. @@ -83,7 +83,7 @@ public static function filter($string, array $html_tags = NULL) { $splitter = function ($matches) use ($html_tags, $class) { return $class::split($matches[1], $html_tags, $class); }; // Strip any tags that are not in the whitelist. // Strip any tags that are not in the list of allowed html tags. return preg_replace_callback('% ( <(?=[^a-zA-Z!/]) # a lone < @@ -161,7 +161,9 @@ protected static function split($string, $html_tags, $class) { $elem = '!--'; } // When in whitelist mode, an element is disallowed when not listed. // Defer to the ::needsRemoval() method to decide if the element is to be // removed. This allows the list of tags to be treated as either a list of // allowed tags or a list of denied tags. if ($class::needsRemoval($html_tags, $elem)) { return ''; } core/lib/Drupal/Core/Render/theme.api.php +3 −3
@@ -274,9 +274,9 @@ * vectors while allowing a permissive list of HTML tags that are not XSS * vectors. (For example, <script> and <style> are not allowed.) See * \Drupal\Component\Utility\Xss::$adminTags for the list of allowed tags. If * your markup needs any of the tags not in this whitelist, then you can * implement a theme hook and/or an asset library. Alternatively, you can use * the key #allowed_tags to alter which tags are filtered. * your markup needs any of the tags not in this list, then you can implement * a theme hook and/or an asset library. Alternatively, you can use the key * #allowed_tags to alter which tags are filtered. * - #plain_text: Specifies that the array provides text that needs to be * escaped. This value takes precedence over #markup. * - #allowed_tags: If #markup is supplied, this can be used to change which
core/lib/Drupal/Component/Utility/Xss.php +5 −3 @@ -70,7 +70,7 @@ public static function filter($string, array $html_tags = NULL) { // Defuse all HTML entities. $string = str_replace('&', '&', $string); // Change back only well-formed entities in our whitelist: // Change back only well-formed entities in our list of allowed html tags: // Decimal numeric entities. $string = preg_replace('/&#([0-9]+;)/', '&#\1', $string); // Hexadecimal numeric entities. @@ -83,7 +83,7 @@ public static function filter($string, array $html_tags = NULL) { $splitter = function ($matches) use ($html_tags, $class) { return $class::split($matches[1], $html_tags, $class); }; // Strip any tags that are not in the whitelist. // Strip any tags that are not in the list of allowed html tags. return preg_replace_callback('% ( <(?=[^a-zA-Z!/]) # a lone < @@ -161,7 +161,9 @@ protected static function split($string, $html_tags, $class) { $elem = '!--'; } // When in whitelist mode, an element is disallowed when not listed. // Defer to the ::needsRemoval() method to decide if the element is to be // removed. This allows the list of tags to be treated as either a list of // allowed tags or a list of denied tags. if ($class::needsRemoval($html_tags, $elem)) { return ''; }
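Review bot: In the first hunk of filter(), the reworded comment `// Change back only well-formed entities in our list of allowed html tags:` now names the wrong list: the statements under it restore decimal and hexadecimal numeric entities, and in the visible lines $html_tags is not consulted until the tag-stripping callback in the second hunk. In an XSS filter that wording can lead a maintainer to believe entity restoration is governed by the caller's tag list, so I would write `// Change back only well-formed entities of the forms we allow:` instead. The second hunk's `list of allowed html tags` would also read better as `list of allowed HTML tags`, matching `// Defuse all HTML entities.` above. filter() starts and ends outside these hunks, so any further entity forms it restores are not visible here.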
core/lib/Drupal/Core/Render/theme.api.php +3 −3 @@ -274,9 +274,9 @@ * vectors while allowing a permissive list of HTML tags that are not XSS * vectors. (For example, <script> and <style> are not allowed.) See * \Drupal\Component\Utility\Xss::$adminTags for the list of allowed tags. If * your markup needs any of the tags not in this whitelist, then you can * implement a theme hook and/or an asset library. Alternatively, you can use * the key #allowed_tags to alter which tags are filtered. * your markup needs any of the tags not in this list, then you can implement * a theme hook and/or an asset library. Alternatively, you can use the key * #allowed_tags to alter which tags are filtered. * - #plain_text: Specifies that the array provides text that needs to be * escaped. This value takes precedence over #markup. * - #allowed_tags: If #markup is supplied, this can be used to change which