1.20.x common.inc | backdrop_attributes(array $attributes = array()) |
Converts an associative array to an XML/HTML tag attribute string.
Each array key and its value will be formatted into an attribute string. If a value is itself an array, then its elements are concatenated to a single space-delimited string (for example, a class attribute with multiple values).
Attribute values are sanitized by running them through check_plain(). Attribute names are not automatically sanitized. When using user-supplied attribute names, it is strongly recommended to allow only white-listed names, since certain attributes carry security risks and can be abused.
Examples of security aspects when using backdrop_attributes:
// By running the value in the following statement through check_plain,
// the malicious script is neutralized.
backdrop_attributes(array('title' => t('<script>steal_cookie();</script>')));
// The statement below demonstrates dangerous use of backdrop_attributes, and
// will return an onmouseout attribute with JavaScript code that, when used
// as attribute in a tag, will cause users to be redirected to another site.
//
// In this case, the 'onmouseout' attribute should not be whitelisted --
// you don't want users to have the ability to add this attribute or others
// that take JavaScript commands.
backdrop_attributes(array('onmouseout' => 'window.location="http://malicious.com/";')));
Parameters
$attributes: An associative array of key-value pairs to be converted to attributes.
Return value
A string ready for insertion in a tag (starts with a space).:
Related topics
File
- includes/
common.inc, line 2831 - Common functions that many Backdrop modules will need to reference.
Code
function backdrop_attributes(array $attributes = array()) {
foreach ($attributes as $attribute => &$data) {
$data = implode(' ', (array) $data);
$data = $attribute . '="' . check_plain($data) . '"';
}
return $attributes ? ' ' . implode(' ', $attributes) : '';
}