function Renderer::ensureMarkupIsSafe
Escapes #plain_text or filters #markup as required.
Drupal uses Twig's auto-escape feature to improve security. This feature automatically escapes any HTML that is not known to be safe. Due to this the render system needs to ensure that all markup it generates is marked safe so that Twig does not do any additional escaping.
By default all #markup is filtered to protect against XSS using the admin tag list. Render arrays can alter the list of tags allowed by the filter using the #allowed_tags property. This value should be an array of tags that Xss::filter() would accept. Render arrays can escape text instead of XSS filtering by setting the #plain_text property instead of #markup. If #plain_text is used #allowed_tags is ignored.
Parameters
array $elements: A render array with #markup set.
Return value
array The given array with the escaped markup wrapped in a Markup object. If $elements['#markup'] is an instance of \Drupal\Component\Render\MarkupInterface, it won't be escaped or filtered again.
See also
\Drupal\Component\Utility\Html::escape()
\Drupal\Component\Utility\Xss::filter()
\Drupal\Component\Utility\Xss::filterAdmin()
1 call to Renderer::ensureMarkupIsSafe()
- Renderer::doRender in core/
lib/ Drupal/ Core/ Render/ Renderer.php - See the docs for ::render().
File
-
core/
lib/ Drupal/ Core/ Render/ Renderer.php, line 789
Class
- Renderer
- Turns a render array into an HTML string.
Namespace
Drupal\Core\RenderCode
protected function ensureMarkupIsSafe(array $elements) {
if (isset($elements['#plain_text'])) {
$elements['#markup'] = Markup::create(Html::escape($elements['#plain_text']));
}
elseif (!$elements['#markup'] instanceof MarkupInterface) {
// The default behavior is to XSS filter using the admin tag list.
$tags = $elements['#allowed_tags'] ?? Xss::getAdminTagList();
$elements['#markup'] = Markup::create(Xss::filter($elements['#markup'], $tags));
}
return $elements;
}