function AttributeXss::sanitizeAttributes

Same name and namespace in other branches
  1. 11.x core/modules/link/src/AttributeXss.php \Drupal\link\AttributeXss::sanitizeAttributes()

Sanitizes attributes.

Parameters

array $attributes: Attributes in key => value format. A value may be a string or, in the case of the 'class' attribute, an array.

Return value

array Sanitized attributes.

2 calls to AttributeXss::sanitizeAttributes()
LinkFormatter::buildUrl in core/modules/link/src/Plugin/Field/FieldFormatter/LinkFormatter.php
Builds the \Drupal\Core\Url object for a link field item.
MenuLinkContent::getUrlObject in core/modules/menu_link_content/src/Entity/MenuLinkContent.php
Gets the URL object pointing to the URL of the menu link content entity.

File

core/modules/link/src/AttributeXss.php, line 162

Class

AttributeXss
Defines a class for attribute XSS filtering.

Namespace

Drupal\link

Code

public static function sanitizeAttributes(array $attributes) : array {
  $new_attributes = [];
  foreach ($attributes as $name => $value) {
    // The attribute name should be a single attribute, but there is the
    // possibility that the name is corrupt. Core's XSS::attributes can
    // cleanly handle sanitizing 'selected href="http://example.com" so we
    // provide an allowance for cases where the attribute array is malformed.
    // For example given a name of 'selected href' and a value of
    // http://example.com we split this into two separate attributes, with the
    // value assigned to the last attribute name.
    // Explode the attribute name if a space exists.
    $names = \array_filter(\explode(' ', $name));
    if (\count($names) === 0) {
      // Empty attribute names.
      continue;
    }
    // Valueless attributes set the name to the value when processed by the
    // Attributes object.
    $with_values = \array_combine($names, $names);
    // Create a new Attribute object with the value applied to the last
    // attribute name. If there is only one attribute this simply creates a
    // new attribute with a single key-value pair.
    $last_name = \end($names);
    $with_values[$last_name] = $value;
    $attribute_object = new Attribute($with_values);
    // Filter the attributes.
    $safe = AttributeXss::attributes((string) $attribute_object);
    $safe = \array_map([
      Html::class,
      'decodeEntities',
    ], $safe);
    if (\array_key_exists('class', $safe)) {
      // The class attribute is expected to be an array.
      $safe['class'] = \explode(' ', $safe['class']);
    }
    // Special case for boolean values which are unique to valueless
    // attributes.
    if (\array_key_exists($last_name, $safe) && \is_bool($value)) {
      $safe[$last_name] = $value;
    }
    // Add the safe attributes to the new list.
    $new_attributes += \array_intersect_key($safe, $with_values);
  }
  return $new_attributes;
}
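
To observe how the method treats malformed or unexpected attribute names on a test site, the script below feeds it constructed input and checks two properties that follow from the code above: every returned name is a space-separated token of an input name, and 'class' comes back as an array. It is an added example, not part of Drupal core. It assumes a bootstrapped Drupal 11 site with the Link module enabled and Drush's `php:script` command; the file name and all sample values are made up.

```php
<?php
// Added example. Run inside a bootstrapped Drupal site, for instance:
//   drush php:script sanitize_demo.php   (file name is an assumption)
use Drupal\link\AttributeXss;

// Constructed sample input, not taken from a real site.
$input = [
  // Malformed name from the method's own code comment.
  'selected href' => 'http://example.com',
  // A name made only of spaces yields no tokens and is skipped.
  '   ' => 'ignored',
  'class' => ['button', 'button--primary'],
  // Valueless (boolean) attribute.
  'download' => TRUE,
  // Event-handler name, included to observe what the filter does with it.
  'onclick' => 'example()',
  'rel' => 'nofollow',
];

$output = AttributeXss::sanitizeAttributes($input);

// Collect every token a caller-supplied name can be split into. The method
// intersects the filtered result with these tokens, so nothing else may
// appear in the output.
$allowed = [];
foreach (array_keys($input) as $name) {
  foreach (array_filter(explode(' ', (string) $name)) as $token) {
    $allowed[$token] = TRUE;
  }
}

$problems = [];
foreach ($output as $name => $value) {
  if (!isset($allowed[$name])) {
    $problems[] = "unexpected attribute name: $name";
  }
  if ($name === 'class' && !is_array($value)) {
    $problems[] = "'class' was not returned as an array";
  }
}

// Tokens that went in but did not come out were removed by the filter.
$dropped = array_keys(array_diff_key($allowed, $output));

print "Sanitized attributes:\n" . var_export($output, TRUE) . "\n";
print 'Dropped names: ' . ($dropped ? implode(', ', $dropped) : '(none)') . "\n";
print 'Invariant check: ' . ($problems ? implode('; ', $problems) : 'ok') . "\n";
```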
