1.20.x common.inc backdrop_attributes(array $attributes = array())

Converts an associative array to an XML/HTML tag attribute string.

Each array key and its value will be formatted into an attribute string. If a value is itself an array, then its elements are concatenated to a single space-delimited string (for example, a class attribute with multiple values).

Attribute values are sanitized by running them through check_plain(). Attribute names are not automatically sanitized. When using user-supplied attribute names, it is strongly recommended to allow only white-listed names, since certain attributes carry security risks and can be abused.

Examples of security aspects when using backdrop_attributes:

  // By running the value in the following statement through check_plain,
  // the malicious script is neutralized.
  backdrop_attributes(array('title' => t('<script>steal_cookie();</script>')));

  // The statement below demonstrates dangerous use of backdrop_attributes, and
  // will return an onmouseout attribute with JavaScript code that, when used
  // as attribute in a tag, will cause users to be redirected to another site.
  //
  // In this case, the 'onmouseout' attribute should not be whitelisted --
  // you don't want users to have the ability to add this attribute or others
  // that take JavaScript commands.
  backdrop_attributes(array('onmouseout' => 'window.location="http://malicious.com/";')));

Parameters

$attributes: An associative array of key-value pairs to be converted to attributes.

Return value

A string ready for insertion in a tag (starts with a space).:

Related topics

File

includes/common.inc, line 2831
Common functions that many Backdrop modules will need to reference.

Code

function backdrop_attributes(array $attributes = array()) {
  foreach ($attributes as $attribute => &$data) {
    $data = implode(' ', (array) $data);
    $data = $attribute . '="' . check_plain($data) . '"';
  }
  return $attributes ? ' ' . implode(' ', $attributes) : '';
}