Just as tags are the foundation of HTML, the function `tag($tag, $inner='', ...$attr)` is the foundation of `ob_html`. "Tags" is used here as a synonym for HTML/XML elements, which can be divided as follows:
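
Element: `<p id="paragraph">Lorem ipsum</p>`

| Part | Example |
|---|---|
| Opening tag | `<p id="paragraph">` |
| Element name (inside the opening tag) | `p` |
| Attributes (inside the opening tag) | `id="paragraph"` |
| Element content | `Lorem ipsum` |
| Closing tag | `</p>` |
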
The implementation of `ob_html` puts all attribute values in double quotes, and void elements use self-closing tags. The element name (`$tag`) and attribute names are not validated, so invalid names, HTML injection and JavaScript injection are possible.

Named attributes for the tag are passed via a variable-length argument list into `$attr`. Unnamed attributes are not prevented, but are invalid, because they are interpreted as values of attributes whose names start with a number, which is not a valid HTML attribute name.

The content is passed in `$inner`. It may be a scalar, a function or an array. Functions are called with no parameters and their output buffer is surrounded by the tags. In PHP some strings and arrays are considered callable; `ob_html` does not treat them as such. A scalar is equivalent to a function that `echo`s the scalar. These steps are applied to every entry of an array that is not named. Named entries are added to `$attr`.
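
One way to reject invalid element and attribute names before they reach `tag()`, as an added example that is not part of `ob_html`: the two regular expressions are a conservative allowlist chosen for this example, `tag_name_problems` and `checked_tag` are hypothetical helpers, the sample calls are constructed, and PHP 8 named arguments are assumed. Attribute values are passed through unchanged, since this page does not say how `ob_html` treats them beyond quoting.

```php
<?php
declare(strict_types=1);

// Conservative allowlists (assumptions of this example, stricter than the HTML spec).
const ELEMENT_NAME   = '/\A[A-Za-z][A-Za-z0-9-]*\z/';
const ATTRIBUTE_NAME = '/\A[A-Za-z_:][A-Za-z0-9_.:-]*\z/';

/** Returns a list of problems; an empty list means the names are safe to pass on. */
function tag_name_problems(string $tag, array $attr): array
{
    $problems = [];
    if (preg_match(ELEMENT_NAME, $tag) !== 1) {
        $problems[] = 'invalid element name: ' . var_export($tag, true);
    }
    foreach (array_keys($attr) as $name) {
        if (is_int($name)) {
            // Unnamed argument: would become an attribute whose name starts with a digit.
            $problems[] = "unnamed attribute at position $name";
        } elseif (preg_match(ATTRIBUTE_NAME, $name) !== 1) {
            $problems[] = 'invalid attribute name: ' . var_export($name, true);
        }
    }
    return $problems;
}

/** Hypothetical wrapper: validates the names, then delegates to ob_html's tag(). */
function checked_tag(string $tag, $inner = '', ...$attr)
{
    $problems = tag_name_problems($tag, $attr);
    if ($problems !== []) {
        throw new InvalidArgumentException(implode('; ', $problems));
    }
    // Only names are checked here; values and content go to tag() untouched.
    return tag($tag, $inner, ...$attr);
}

// Constructed sample calls, checked without ob_html being loaded.
$samples = [
    ['p', ['id' => 'paragraph']],                      // valid
    ['p onmouseover="x"', ['id' => 'paragraph']],      // markup smuggled into the element name
    ['p', ['class' => 'a', 'x" onclick="y' => '1']],   // markup smuggled into an attribute name
    ['p', ['paragraph']],                              // unnamed attribute (integer key 0)
];
foreach ($samples as [$tag, $attr]) {
    $problems = tag_name_problems($tag, $attr);
    echo var_export($tag, true), ' => ', $problems === [] ? 'ok' : implode('; ', $problems), PHP_EOL;
}
```

Names that come from anything other than a literal in the calling code are the ones worth routing through such a check; the same validation applies to named entries of an `$inner` array, because those also end up in `$attr`.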