function drupal_strip_dangerous_protocols

Strips dangerous protocols (e.g. 'javascript:') from a URI.

This function must be called for all URIs within user-entered input prior to being output to an HTML attribute value. It is often called as part of check_url() or filter_xss(), but those functions return an HTML-encoded string, so this function can be called independently when the output needs to be a plain-text string for passing to t(), l(), drupal_attributes(), or another function that will call check_plain() separately.

Parameters

$uri: A plain-text URI that might contain dangerous protocols.

Return value

A plain-text URI stripped of dangerous protocols. As with all plain-text strings, this return value must not be output to an HTML page without check_plain() being called on it. However, it can be passed to functions expecting plain-text strings.

See also

check_url()

8 calls to drupal_strip_dangerous_protocols()
check_url in includes/common.inc
Strips dangerous protocols from a URI and encodes it for output to HTML.
CommonXssUnitTest::testBadProtocolStripping in modules/simpletest/tests/common.test
Check that harmful protocols are stripped.
filter_xss_bad_protocol in includes/common.inc
Processes an HTML attribute value and strips dangerous protocols from URLs.
l in includes/common.inc
Formats an internal or external URL link as an HTML anchor tag.
template_preprocess_html in includes/theme.inc
Preprocess variables for html.tpl.php.

... See full list

File

includes/common.inc, line 1448

Code

function drupal_strip_dangerous_protocols($uri) {
    static $allowed_protocols;
    if (!isset($allowed_protocols)) {
        $allowed_protocols = array_flip(variable_get('filter_allowed_protocols', array(
            'ftp',
            'http',
            'https',
            'irc',
            'mailto',
            'news',
            'nntp',
            'rtsp',
            'sftp',
            'ssh',
            'tel',
            'telnet',
            'webcal',
        )));
    }
    // Iteratively remove any invalid protocol found.
    do {
        $before = $uri;
        $colonpos = strpos($uri, ':');
        if ($colonpos > 0) {
            // We found a colon, possibly a protocol. Verify.
            $protocol = substr($uri, 0, $colonpos);
            // If a colon is preceded by a slash, question mark or hash, it cannot
            // possibly be part of the URL scheme. This must be a relative URL, which
            // inherits the (safe) protocol of the base document.
            if (preg_match('![/?#]!', $protocol)) {
                break;
            }
            // Check if this is a disallowed protocol. Per RFC2616, section 3.2.3
            // (URI Comparison) scheme comparison must be case-insensitive.
            if (!isset($allowed_protocols[strtolower($protocol)])) {
                $uri = substr($uri, $colonpos + 1);
            }
        }
    } while ($before != $uri);
    return $uri;
}
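To show why the loop runs until the string stops changing and why the `/?#` check matters, here is an added Python re-implementation of the stripping algorithm above, written for this page and not part of Drupal; `DEFAULT_ALLOWED` is the page's default list, standing in for `variable_get('filter_allowed_protocols', ...)`, and the inputs in `CASES` are constructed for illustration.

```python
from typing import Dict, Iterable, List

# Default list from the page (hypothetical substitute for variable_get()).
DEFAULT_ALLOWED = {"ftp", "http", "https", "irc", "mailto", "news", "nntp",
                   "rtsp", "sftp", "ssh", "tel", "telnet", "webcal"}


def strip_dangerous_protocols(uri: str,
                              allowed: Iterable[str] = DEFAULT_ALLOWED) -> str:
    """Port of the PHP loop: remove leading schemes until one is allowed."""
    allowed = {p.lower() for p in allowed}
    while True:
        before = uri
        colonpos = uri.find(":")
        # Mirrors PHP's `$colonpos > 0`: -1 (no colon) and 0 (leading colon)
        # are both skipped, so ":foo" is left untouched as a relative URL.
        if colonpos > 0:
            protocol = uri[:colonpos]
            # A '/', '?' or '#' before the colon means the colon is not a
            # scheme delimiter; this is a relative URL inheriting the base
            # document's protocol, so stop without stripping anything.
            if any(c in protocol for c in "/?#"):
                break
            # Scheme comparison is case-insensitive (RFC 2616, 3.2.3).
            if protocol.lower() not in allowed:
                uri = uri[colonpos + 1:]
        if before == uri:
            break
    return uri


# Constructed inputs and the output each should produce.
CASES: Dict[str, str] = {
    "javascript:alert(1)": "alert(1)",
    "JaVaScRiPt:alert(1)": "alert(1)",            # case-insensitive match
    "javascript:javascript:alert(1)": "alert(1)",  # needs the second pass
    "data:text/html,x": "text/html,x",
    "https://example.com/?q=javascript:x": "https://example.com/?q=javascript:x",
    "/path?x=javascript:alert(1)": "/path?x=javascript:alert(1)",
    "mailto:user@example.com": "mailto:user@example.com",
    ":nolabel": ":nolabel",
    "plain text": "plain text",
}


def failing_cases() -> List[str]:
    """Return the inputs whose result differs from the expected output."""
    return [u for u, want in CASES.items()
            if strip_dangerous_protocols(u) != want]
```

Note that the output is still plain text: `alert(1)` is harmless as a relative path, but the caller must still run it through check_plain() before placing it in an attribute.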
