function drupal_attributes
7.x common.inc | drupal_attributes(array $attributes = array())
6.x common.inc | drupal_attributes($attributes = array())
Converts an associative array to an XML/HTML tag attribute string.
Each array key and its value will be formatted into an attribute string. If a value is itself an array, then its elements are concatenated to a single space-delimited string (for example, a class attribute with multiple values).
Attribute values are sanitized by running them through check_plain(). Attribute names are not automatically sanitized. When using user-supplied attribute names, it is strongly recommended to allow only white-listed names, since certain attributes carry security risks and can be abused.
Examples of security aspects when using drupal_attributes:
// By running the value in the following statement through check_plain,
// the malicious script is neutralized.
drupal_attributes(array('title' => t('<script>steal_cookie();</script>')));
// The statement below demonstrates dangerous use of drupal_attributes, and
// will return an onmouseout attribute with JavaScript code that, when used
// as attribute in a tag, will cause users to be redirected to another site.
//
// In this case, the 'onmouseout' attribute should not be whitelisted --
// you don't want users to have the ability to add this attribute or others
// that take JavaScript commands.
drupal_attributes(array('onmouseout' => 'window.location="http://malicious.com/";'));
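One way to apply the white-listing advice above, as an added example that is not part of the Drupal documentation or core code. example_allowed_attributes() is a hypothetical helper, the input array is constructed, and the check_plain() and drupal_attributes() stand-ins are assumptions that mirror Drupal 7 so the file also runs outside a Drupal bootstrap.

```php
<?php
// Stand-ins (assumption): only defined when Drupal itself is not loaded.
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}
if (!function_exists('drupal_attributes')) {
  function drupal_attributes(array $attributes = array()) {
    foreach ($attributes as $attribute => &$data) {
      $data = implode(' ', (array) $data);
      $data = $attribute . '="' . check_plain($data) . '"';
    }
    return $attributes ? ' ' . implode(' ', $attributes) : '';
  }
}

/**
 * Hypothetical helper: keeps only attributes whose names are on an allow-list.
 *
 * Names are matched exactly after lowercasing, so event handlers and any
 * name containing quotes, spaces or other markup can never pass.
 */
function example_allowed_attributes(array $attributes, array $allowed) {
  $allowed = array_map('strtolower', $allowed);
  $safe = array();
  foreach ($attributes as $name => $value) {
    // HTML attribute names are case-insensitive, so normalize before comparing.
    $key = strtolower((string) $name);
    if (in_array($key, $allowed, TRUE)) {
      $safe[$key] = $value;
    }
  }
  return $safe;
}

// Constructed sample of user-supplied attributes, reusing the values above.
$input = array(
  'title' => '<script>steal_cookie();</script>',
  'class' => array('teaser', 'promoted'),
  'OnMouseOut' => 'window.location="http://malicious.com/";',
);

// Filter the names first, then let drupal_attributes() escape the values.
$safe = example_allowed_attributes($input, array('title', 'class'));
print '<div' . drupal_attributes($safe) . '>' . "\n";
```

The printed tag carries only the title and class attributes: the title value is escaped by check_plain(), and the onmouseout entry is dropped before drupal_attributes() ever sees it.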
Parameters
$attributes: An associative array of key-value pairs to be converted to attributes.
Return value
A string ready for insertion in a tag (starts with a space).
Related topics
- DrupalAttributesUnitTest::testDrupalAttributes in drupal-7.x/modules/simpletest/tests/common.test - Tests that drupal_html_class() cleans the class name properly.
- format_xml_elements in drupal-7.x/includes/common.inc - Formats XML elements.
- l in drupal-7.x/includes/common.inc - Formats an internal or external URL link as an HTML anchor tag.
- node_feed in drupal-7.x/modules/node/node.module - Generates and prints an RSS feed.
- template_preprocess_user_profile_category in drupal-7.x/modules/user/user.pages.inc - Process variables for user-profile-category.tpl.php.
File
- drupal-7.x/includes/common.inc, line 2377 - Common functions that many Drupal modules will need to reference.
Code
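function drupal_attributes(array $attributes = array()) {
  foreach ($attributes as $attribute => &$data) {
    // Join multi-value attributes (such as class) with single spaces.
    $data = implode(' ', (array) $data);
    // Only the value is escaped; the attribute name is emitted as given.
    $data = $attribute . '="' . check_plain($data) . '"';
  }
  return $attributes ? ' ' . implode(' ', $attributes) : '';
}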