protected function Renderer::ensureMarkupIsSafe

protected Renderer::ensureMarkupIsSafe(array $elements)

Escapes #plain_text or filters #markup as required.

Drupal uses Twig's auto-escape feature to improve security. This feature automatically escapes any HTML that is not known to be safe. Due to this the render system needs to ensure that all markup it generates is marked safe so that Twig does not do any additional escaping.

By default all #markup is filtered to protect against XSS using the admin tag list. Render arrays can alter the list of tags allowed by the filter using the #allowed_tags property. This value should be an array of tags that Xss::filter() would accept. Render arrays can escape text instead of XSS filtering by setting the #plain_text property instead of #markup. If #plain_text is used #allowed_tags is ignored.

Parameters

array $elements: A render array with #markup set.

Return value

\Drupal\Component\Render\MarkupInterface|string The escaped markup wrapped in a Markup object. If $elements['#markup'] is an instance of \Drupal\Component\Render\MarkupInterface, it won't be escaped or filtered again.

See also

\Drupal\Component\Utility\Html::escape()

\Drupal\Component\Utility\Xss::filter()

\Drupal\Component\Utility\Xss::adminFilter()

File

core/lib/Drupal/Core/Render/Renderer.php, line 713

Class

Renderer
Turns a render array into a HTML string.

Namespace

Drupal\Core\Render

Code

protected function ensureMarkupIsSafe(array $elements) {
  if (empty($elements['#markup']) && empty($elements['#plain_text'])) {
    return $elements;
  }

  if (!empty($elements['#plain_text'])) {
    $elements['#markup'] = Markup::create(Html::escape($elements['#plain_text']));
  }
  elseif (!($elements['#markup'] instanceof MarkupInterface)) {
    // The default behaviour is to XSS filter using the admin tag list.
    $tags = isset($elements['#allowed_tags']) ? $elements['#allowed_tags'] : Xss::getAdminTagList();
    $elements['#markup'] = Markup::create(Xss::filter($elements['#markup'], $tags));
  }

  return $elements;
}

© 2001–2016 by the original authors
Licensed under the GNU General Public License, version 2 and later.
Drupal is a registered trademark of Dries Buytaert.
https://api.drupal.org/api/drupal/core!lib!Drupal!Core!Render!Renderer.php/function/Renderer::ensureMarkupIsSafe/8.1.x