<?php

namespace Drupal\editor;

use Drupal\filter\FilterFormatInterface;

/**
 * Defines an interface for text editor XSS (Cross-site scripting) filters.
 */
interface EditorXssFilterInterface {

  /**
   * Filters HTML to prevent XSS attacks when a user edits it in a text editor.
   *
   * Should filter as minimally as possible, only to remove XSS attack vectors.
   *
   * Is only called when:
   * - loading a non-XSS-safe text editor for a $format that contains a filter
   *   preventing XSS attacks (a FilterInterface::TYPE_HTML_RESTRICTOR filter):
   *   if the output is safe, it should also be safe to edit.
   * - loading a non-XSS-safe text editor for a $format that doesn't contain a
   *   filter preventing XSS attacks, but we're switching from a previous text
   *   format ($original_format is not NULL) that did prevent XSS attacks: if
   *   the output was previously safe, it should be safe to switch to another
   *   text format and edit.
   *
   * @param string $html
   *   The HTML to be filtered.
   * @param \Drupal\filter\FilterFormatInterface $format
   *   The text format configuration entity. Provides context based upon which
   *   one may want to adjust the filtering.
   * @param \Drupal\filter\FilterFormatInterface|null $original_format
   *   (optional) The original text format configuration entity (when switching
   *   text formats/editors). Also provides context based upon which one may
   *   want to adjust the filtering.
   *
   * @return string
   *   The filtered HTML that cannot cause any XSSes anymore.
   */
  public static function filterXss($html, FilterFormatInterface $format, FilterFormatInterface $original_format = NULL);

}
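As an added illustration of the "filter as minimally as possible" contract (not Drupal's code and not the implementation that ships with this interface): a standalone PHP 8 function, using only the bundled DOM extension, that removes script-capable elements, inline event handlers and script-scheme URLs and leaves every other tag and attribute untouched. It takes no $format argument; a real implementation would additionally consult the format's HTML restrictions, which is why the docblock only relies on this filter when such a restricting filter exists on output.

```php
<?php
// Added example, not Drupal's own code: a minimal XSS filter in the spirit
// of EditorXssFilterInterface::filterXss(). Blocklist-based, so it strips
// only known vectors and keeps the rest of the author's markup intact.

function minimalXssFilter(string $html): string {
  $dangerousTags = ['script', 'iframe', 'object', 'embed'];
  $urlAttributes = ['href', 'src', 'action', 'formaction'];

  $dom = new DOMDocument();
  libxml_use_internal_errors(TRUE);
  // Wrap in a <div> so fragments without a single root still parse; the XML
  // PI forces UTF-8 interpretation of the fragment.
  $dom->loadHTML('<?xml encoding="utf-8" ?><div>' . $html . '</div>',
    LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
  libxml_clear_errors();

  $xpath = new DOMXPath($dom);
  // Collect elements first: removing from a live NodeList while iterating
  // over it skips siblings.
  $toRemove = [];
  foreach ($xpath->query('//*') as $element) {
    if (in_array(strtolower($element->tagName), $dangerousTags, TRUE)) {
      $toRemove[] = $element;
      continue;
    }
    // Copy the attribute map for the same reason.
    foreach (iterator_to_array($element->attributes) as $attr) {
      $name = strtolower($attr->name);
      // Browsers ignore control characters and whitespace inside a URL
      // scheme ("java\tscript:"), so strip them before matching.
      $scheme = preg_replace('/[\x00-\x20]+/', '', strtolower($attr->value));
      if (str_starts_with($name, 'on')
        || (in_array($name, $urlAttributes, TRUE)
          && preg_match('/^(javascript|vbscript):/', $scheme))) {
        $element->removeAttribute($attr->name);
      }
    }
  }
  foreach ($toRemove as $node) {
    $node->parentNode->removeChild($node);
  }

  // Serialize the wrapper's children only, so no <div> leaks into the output.
  $out = '';
  foreach ($dom->getElementsByTagName('div')->item(0)->childNodes as $child) {
    $out .= $dom->saveHTML($child);
  }
  return $out;
}

// Constructed sample input: <p> and <b> survive, handler, script and URL do not.
echo minimalXssFilter('<p onclick="x()">Hi <b>there</b></p><script>alert(1)</script><a href="java&#9;script:y()">l</a>'), "\n";
```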