Merge pull request #7 from martinwittmann/xss-fix

Escaping the css classes added here to prevent xss and other security issues

Author: callinmullaney

src/BemTwigExtension.php

@@ -5,6 +5,7 @@
 use Drupal\Core\Template\Attribute;
 use Twig\Extension\AbstractExtension;
 use Twig\TwigFunction;
+use Drupal\Component\Utility\Html;
 
 /**
  * Class DefaultService.
@@ -129,6 +130,10 @@ public function bem($context, $base_class, $modifiers = [], $blockname = '', $ex
         }
         // Add class attribute.
         if (!empty($classes)) {
+          // Escape the css classes added to prevent security issues.
+          $classes = array_map(function($css_class) {
+            return Html::cleanCssIdentifier($css_class);
+          }, $classes);
           $attributes->setAttribute('class', $classes);
         }
         return $attributes;