Commit fb9fcbfc authored by Steven Jones's avatar Steven Jones

Properly sanitize the body classes added.

parent 528feea9
......@@ -45,7 +45,7 @@ function eldir_preprocess_page(&$vars) {
// Add path-based class for a last line of defense
if (!empty($_GET['q'])) {
$vars['body_classes'] .= ' path-'. str_replace('/', '-', $_GET['q']);
$vars['body_classes'] .= ' path-'. drupal_html_class($_GET['q']);
}
// Add special body class for error pages
......@@ -120,3 +120,36 @@ function eldir_form_element($element, $value) {
return $output;
}
if (!function_exists('drupal_html_class')) {
/**
* Prepare a string for use as a valid class name.
*
* Do not pass one string containing multiple classes as they will be
* incorrectly concatenated with dashes, i.e. "one two" will become "one-two".
*
* @param $class
* The class name to clean.
* @return
* The cleaned class name.
*/
function drupal_html_class($class) {
// By default, we filter using Drupal's coding standards.
$class = strtr(drupal_strtolower($class), array(' ' => '-', '_' => '-', '/' => '-', '[' => '-', ']' => ''));
// http://www.w3.org/TR/CSS21/syndata.html#characters shows the syntax for valid
// CSS identifiers (including element names, classes, and IDs in selectors.)
//
// Valid characters in a CSS identifier are:
// - the hyphen (U+002D)
// - a-z (U+0030 - U+0039)
// - A-Z (U+0041 - U+005A)
// - the underscore (U+005F)
// - 0-9 (U+0061 - U+007A)
// - ISO 10646 characters U+00A1 and higher
// We strip out any character not in the above list.
$class = preg_replace('/[^\x{002D}\x{0030}-\x{0039}\x{0041}-\x{005A}\x{005F}\x{0061}-\x{007A}\x{00A1}-\x{FFFF}]/u', '', $class);
return $class;
}
} /* End of drupal_html_class conditional definition. */
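Review bot: The character list in the comment block inside drupal_html_class has its labels swapped: `U+0030 - U+0039` is the digit range and `U+0061 - U+007A` is lowercase a-z, so the two bullets should read `// - 0-9 (U+0030 - U+0039)` and `// - a-z (U+0061 - U+007A)`; the regex on the following line is correct, only the documentation misleads. Separately, with the `u` modifier preg_replace() returns NULL rather than a string when the subject is not valid UTF-8, so a malformed `q` would make the function return NULL and the caller in eldir_preprocess_page would append a bare `path-` class; that appears to fail closed, but if callers are expected to always receive a string, a `return (string) $class;` would make that explicit. The whitelist excludes quotes, angle brackets and whitespace, so the concatenation into `$vars['body_classes']` in the first hunk looks safe for attribute context, assuming body_classes is later emitted inside a quoted class attribute as elsewhere in the theme.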