function drupal_strip_dangerous_protocols
Strips dangerous protocols (e.g. 'javascript:') from a URI.
This function must be called for all URIs within user-entered input prior to being output to an HTML attribute value. It is often called as part of check_url() or filter_xss(), but those functions return an HTML-encoded string, so this function can be called independently when the output needs to be a plain-text string for passing to t(), l(), drupal_attributes(), or another function that will call check_plain() separately.
Parameters
$uri: A plain-text URI that might contain dangerous protocols.
Return value
A plain-text URI stripped of dangerous protocols. As with all plain-text strings, this return value must not be output to an HTML page without check_plain() being called on it. However, it can be passed to functions expecting plain-text strings.
See also
Related topics
8 calls to drupal_strip_dangerous_protocols()
- check_url in includes/
common.inc - Strips dangerous protocols from a URI and encodes it for output to HTML.
- CommonXssUnitTest::testBadProtocolStripping in modules/
simpletest/ tests/ common.test - Check that harmful protocols are stripped.
- filter_xss_bad_protocol in includes/
common.inc - Processes an HTML attribute value and strips dangerous protocols from URLs.
- l in includes/
common.inc - Formats an internal or external URL link as an HTML anchor tag.
- template_preprocess_html in includes/
theme.inc - Preprocess variables for html.tpl.php
File
-
includes/
common.inc, line 1448
Code
function drupal_strip_dangerous_protocols($uri) {
static $allowed_protocols;
if (!isset($allowed_protocols)) {
$allowed_protocols = array_flip(variable_get('filter_allowed_protocols', array(
'ftp',
'http',
'https',
'irc',
'mailto',
'news',
'nntp',
'rtsp',
'sftp',
'ssh',
'tel',
'telnet',
'webcal',
)));
}
// Iteratively remove any invalid protocol found.
do {
$before = $uri;
$colonpos = strpos($uri, ':');
if ($colonpos > 0) {
// We found a colon, possibly a protocol. Verify.
$protocol = substr($uri, 0, $colonpos);
// If a colon is preceded by a slash, question mark or hash, it cannot
// possibly be part of the URL scheme. This must be a relative URL, which
// inherits the (safe) protocol of the base document.
if (preg_match('![/?#]!', $protocol)) {
break;
}
// Check if this is a disallowed protocol. Per RFC2616, section 3.2.3
// (URI Comparison) scheme comparison must be case-insensitive.
if (!isset($allowed_protocols[strtolower($protocol)])) {
$uri = substr($uri, $colonpos + 1);
}
}
} while ($before != $uri);
return $uri;
}
Buggy or inaccurate documentation? Please file an issue. Need support? Need help programming? Connect with the Drupal community.