| 5 bootstrap.inc | check_plain($text) |
| 6 bootstrap.inc | check_plain($text) |
| 7 bootstrap.inc | check_plain($text) |
| 8 bootstrap.inc | check_plain($text) |
Encode special characters in a plain-text string for display as HTML.
Also validates strings as UTF-8 to prevent cross site scripting attacks on Internet Explorer 6.
Parameters
$text: The text to be checked or processed.
Return value
An HTML safe version of $text, or an empty string if $text is not valid UTF-8.
See also
137 functions call check_plain()
File
- includes/
bootstrap.inc, line 845 - Functions that need to be loaded on every Drupal request.
Code
<?php
function check_plain($text) {
static $php525;
if (!isset($php525)) {
$php525 = version_compare(PHP_VERSION, '5.2.5', '>=');
}
// We duplicate the preg_match() to validate strings as UTF-8 from
// drupal_validate_utf8() here. This avoids the overhead of an additional
// function call, since check_plain() may be called hundreds of times during
// a request. For PHP 5.2.5+, this check for valid UTF-8 should be handled
// internally by PHP in htmlspecialchars().
// @see http://www.php.net/releases/5_2_5.php
// @todo remove this when support for either IE6 or PHP < 5.2.5 is dropped.
if ($php525) {
return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}
return (preg_match('/^./us', $text) == 1) ? htmlspecialchars($text, ENT_QUOTES, 'UTF-8') : '';
}
?>
Comments
Accelerate check_plain
Drupal now has a php extension to accelerate check_plain (and also drupal_static.)
It's tested in php 5.3 (but not officially production ready) and should also work under php 5.2.
http://drupal.org/project/drupal_php_ext
Drupal 7
Which is for Drupal 7 only.
Ampersands and some other characters
Be careful if your strings have ampersands. This wants to replace them with literally '&&' which is certainly invalid. If you notice any characters going wrong with this, str_replace() is a perfectly valid option if you only need to replace 1 or 2 characters with their htmlspecialchars() variant. Otherwise, use htmlspecialchars() on your string.
Your comment is
Your comment is misguided.
You must use check_plain on plaintext strings before pasting them into HTML. If you see
&amp;appearing on strings containing an ampersand, it means you did some double escaping / called check_plain on a string that's already HTML.htmlspecialchar's double_encode arg
as of 5.2.3 (according to php.net doc), htmlspecialchars() has a fourth argument: $double_encode = TRUE;
Setting it to FALSE will make check_plain() idempotent. I tested it on PHP 5.3.3 and it appears to work
php -r "echo htmlspecialchars('\'\"&<>&foo&"'<>', ENT_QUOTES, 'UTF-8', FALSE) . \"\n\";"
'"&<>&foo&"'<>
Beware of htmlspecialchars or preg_match argument type errors
If you're developing a module and on
hook_userat op=load you load an object or array in an existing object property (like i had mistakenly loaded an object into$account->status), you'll get an error from one of the 2 functions in this post's title, which are called from check_plain. I don't know why, but after the load hook there's no data integrity check, and type mismatch errors propagate through to here.So if you're loading additional data in
hook_userat op=load (orhook_user_loadin D7) be sure to load it in a custom variable or something, just never in an existing object member (unless you mean it).The problem is that it's unintuitive to look in hook_user (_load) when those errors occur, and this type of issue can be very tricky to detect. A stack trace doesn't make much sense either and can send you in wrong directions (as it did to me), but who knows, it might also save you. So I hope this helps anyone having the same trouble I did.
Have fun :)