function drupal_strip_dangerous_protocols
drupal_strip_dangerous_protocols($uri)
Strips dangerous protocols (e.g. 'javascript:') from a URI.
This function must be called for all URIs within user-entered input prior to being output to an HTML attribute value. It is often called as part of check_url() or filter_xss(), but those functions return an HTML-encoded string, so this function can be called independently when the output needs to be a plain-text string for passing to t(), l(), drupal_attributes(), or another function that will call check_plain() separately.
Parameters
$uri: A plain-text URI that might contain dangerous protocols.
Return value
A plain-text URI stripped of dangerous protocols. As with all plain-text strings, this return value must not be output to an HTML page without check_plain() being called on it. However, it can be passed to functions expecting plain-text strings.
See also
Related topics
File
- includes/common.inc, line 1383
- Common functions that many Drupal modules will need to reference.
Code
function drupal_strip_dangerous_protocols($uri) { static $allowed_protocols; if (!isset($allowed_protocols)) { $allowed_protocols = array_flip(variable_get('filter_allowed_protocols', array('ftp', 'http', 'https', 'irc', 'mailto', 'news', 'nntp', 'rtsp', 'sftp', 'ssh', 'tel', 'telnet', 'webcal'))); } // Iteratively remove any invalid protocol found. do { $before = $uri; $colonpos = strpos($uri, ':'); if ($colonpos > 0) { // We found a colon, possibly a protocol. Verify. $protocol = substr($uri, 0, $colonpos); // If a colon is preceded by a slash, question mark or hash, it cannot // possibly be part of the URL scheme. This must be a relative URL, which // inherits the (safe) protocol of the base document. if (preg_match('![/?#]!', $protocol)) { break; } // Check if this is a disallowed protocol. Per RFC2616, section 3.2.3 // (URI Comparison) scheme comparison must be case-insensitive. if (!isset($allowed_protocols[strtolower($protocol)])) { $uri = substr($uri, $colonpos + 1); } } } while ($before != $uri); return $uri; }
© 2001–2016 by the original authors
Licensed under the GNU General Public License, version 2 and later.
Drupal is a registered trademark of Dries Buytaert.
https://api.drupal.org/api/drupal/includes!common.inc/function/drupal_strip_dangerous_protocols/7.x