check_plain

5 bootstrap.inc check_plain($text)
6 bootstrap.inc check_plain($text)
7 bootstrap.inc check_plain($text)
8 bootstrap.inc check_plain($text)

Encode special characters in a plain-text string for display as HTML.

Also validates strings as UTF-8 to prevent cross-site scripting attacks on Internet Explorer 6.

Parameters

$text: The text to be checked or processed.

Return value

An HTML safe version of $text, or an empty string if $text is not valid UTF-8.

See also

drupal_validate_utf8().

137 functions call check_plain()

aggregator_block in modules/aggregator/aggregator.module
Implementation of hook_block().
aggregator_categorize_items in modules/aggregator/aggregator.pages.inc
Form builder; build the page list form.
aggregator_form_feed in modules/aggregator/aggregator.admin.inc
Form builder; Generate a form to add/edit feed sources.
aggregator_page_source in modules/aggregator/aggregator.pages.inc
Menu callback; displays all the items captured from a particular feed.
aggregator_refresh in modules/aggregator/aggregator.module
Checks a news feed for new items.
block_admin_display_form in modules/block/block.admin.inc
Generate main blocks administration form.
block_list in modules/block/block.module
Return all blocks in the specified region for the current user.
block_menu in modules/block/block.module
Implementation of hook_menu().
block_user in modules/block/block.module
Implementation of hook_user().
blog_form in modules/blog/blog.module
Implementation of hook_form().
book_admin_edit in modules/book/book.admin.inc
Build the form to administrate the hierarchy of a single book.
book_outline in modules/book/book.pages.inc
Menu callback; show the outline form for a single node.
chameleon_node in themes/chameleon/chameleon.theme
comment_form_add_preview in modules/comment/comment.module
Form builder; Generate and validate a comment preview form.
comment_multiple_delete_confirm in modules/comment/comment.admin.inc
List the selected comments and verify that the admin really wants to delete them.
comment_nodeapi in modules/comment/comment.module
Implementation of hook_nodeapi().
conf_init in includes/bootstrap.inc
Loads the configuration and sets the base URL, cookie domain, and session name correctly.
contact_admin_categories in modules/contact/contact.admin.inc
Categories/list tab.
contact_mail_user in modules/contact/contact.pages.inc
contact_user_page in modules/contact/contact.pages.inc
Personal contact page.
dblog_event in modules/dblog/dblog.admin.inc
Menu callback; displays details about a log message.
db_add_field in includes/database.mysql-common.inc
Add a new field to a table.
db_add_field in includes/database.pgsql.inc
Add a new field to a table.
drupal_access_denied in includes/common.inc
Generates a 403 error if the request is not allowed.
drupal_attributes in includes/common.inc
Format an attribute string to insert in a tag.
drupal_error_handler in includes/common.inc
Log errors as defined by administrator.
drupal_get_title in includes/path.inc
Get the title of the current page, for display on the page and in the title bar.
drupal_not_found in includes/common.inc
Generates a 404 error if the request can not be handled.
expand_radios in includes/form.inc
Roll out a single radios element to a list of radios, using the options array as index.
file_check_directory in includes/file.inc
Checks whether a directory exists and is writable.
filter_filter_tips in modules/filter/filter.module
Implementation of hook_filter_tips().
filter_xss_bad_protocol in modules/filter/filter.module
Processes an HTML attribute value and ensures it does not contain an URL with a disallowed protocol (e.g. javascript:)
format_rss_channel in includes/common.inc
Formats an RSS channel.
format_rss_item in includes/common.inc
Format a single RSS item.
format_xml_elements in includes/common.inc
Format XML elements.
form_select_options in includes/form.inc
forum_form in modules/forum/forum.module
Implementation of hook_form().
hook_form in developer/hooks/node.php
Display a node editing form.
hook_search in developer/hooks/core.php
Define a custom search routine.
l in includes/common.inc
Formats an internal or external URL link as an HTML anchor tag.
locale_languages_overview_form in includes/locale.inc
User interface for the language overview screen.
locale_translate_edit_form in includes/locale.inc
User interface for string editing.
locale_translate_seek_form in includes/locale.inc
User interface for the string search screen.
locale_user in modules/locale/locale.module
Implementation of hook_user().
menu_block in modules/menu/menu.module
Implementation of hook_block().
menu_path_is_external in includes/menu.inc
Returns TRUE if a path is external (e.g. http://example.com).
node_admin_nodes in modules/node/node.admin.inc
Form builder: Builds the node administration overview.
node_body_field in modules/node/node.pages.inc
Return a node body field, with format and teaser.
node_content_form in modules/node/node.module
Implementation of hook_form().
node_multiple_delete_confirm in modules/node/node.admin.inc
node_overview_types in modules/node/content_types.inc
Displays the content type admin overview page.
node_page_edit in modules/node/node.pages.inc
Menu callback; presents the node editing form, or redirects to delete confirmation.
node_page_view in modules/node/node.module
Menu callback; view a single node.
node_perm in modules/node/node.module
Implementation of hook_perm().
node_search in modules/node/node.module
Implementation of hook_search().
openid_form_alter in modules/openid/openid.module
Implementation of hook_form_alter : adds OpenID login to the login forms.
openid_user_identities in modules/openid/openid.pages.inc
Menu callback; Manage OpenID identities for the specified user.
path_admin_edit in modules/path/path.admin.inc
Menu callback; handles pages for creating and editing URL aliases.
path_admin_overview in modules/path/path.admin.inc
Return a listing of all defined URL aliases. When filter key passed, perform a standard search on the given key, and return the list of matching URL aliases.
poll_form in modules/poll/poll.module
Implementation of hook_form().
poll_results in modules/poll/poll.pages.inc
Callback for the 'results' tab for polls you can vote on
poll_teaser in modules/poll/poll.module
Creates a simple teaser that lists all the choices.
poll_view_voting in modules/poll/poll.module
Generates the voting form for a poll.
poll_votes in modules/poll/poll.pages.inc
Callback for the 'votes' tab for polls you can see other votes on
profile_admin_overview in modules/profile/profile.admin.inc
Form builder to display a listing of all editable profile fields.
profile_admin_settings_autocomplete in modules/profile/profile.admin.inc
Retrieve a pipe delimited string of autocomplete suggestions for profile categories
profile_autocomplete in modules/profile/profile.pages.inc
Callback to allow autocomplete of profile text fields.
profile_block in modules/profile/profile.module
Implementation of hook_block().
profile_browse in modules/profile/profile.pages.inc
Menu callback; display a list of user information.
profile_form_profile in modules/profile/profile.module
profile_view_field in modules/profile/profile.module
profile_view_profile in modules/profile/profile.module
st in includes/install.inc
Hardcoded function for doing the equivalent of t() during the install process, when database, theme, and localization system is possibly not yet available.
statistics_access_log in modules/statistics/statistics.admin.inc
Menu callback; Displays recent page accesses.
statistics_node_tracker in modules/statistics/statistics.pages.inc
statistics_user_tracker in modules/statistics/statistics.pages.inc
system_message_action in modules/system/system.module
A configurable Drupal action. Sends a message to the current user's screen.
system_theme_settings in modules/system/system.admin.inc
Form builder; display theme configuration for entire site and individual themes.
t in includes/common.inc
Translate strings to the page language or a given language.
taxonomy_autocomplete in modules/taxonomy/taxonomy.pages.inc
Helper function for autocompletion
taxonomy_form in modules/taxonomy/taxonomy.module
Generate a form element for selecting terms from a vocabulary.
taxonomy_overview_vocabularies in modules/taxonomy/taxonomy.admin.inc
Form builder to list and manage vocabularies.
taxonomy_term_page in modules/taxonomy/taxonomy.pages.inc
Menu callback; displays all nodes associated with a term.
template_preprocess_aggregator_item in modules/aggregator/aggregator.pages.inc
Process variables for aggregator-item.tpl.php.
template_preprocess_aggregator_summary_item in modules/aggregator/aggregator.pages.inc
Process variables for aggregator-summary-item.tpl.php.
template_preprocess_aggregator_summary_items in modules/aggregator/aggregator.pages.inc
Process variables for aggregator-summary-items.tpl.php.
template_preprocess_book_export_html in modules/book/book.module
Process variables for book-export-html.tpl.php.
template_preprocess_book_navigation in modules/book/book.module
Process variables for book-navigation.tpl.php.
template_preprocess_book_node_export_html in modules/book/book.module
Process variables for book-node-export-html.tpl.php.
template_preprocess_forums in modules/forum/forum.module
Process variables for forums.tpl.php
template_preprocess_forum_list in modules/forum/forum.module
Process variables to format a forum listing.
template_preprocess_forum_topic_list in modules/forum/forum.module
Preprocess variables to format the topic listing.
template_preprocess_forum_topic_navigation in modules/forum/forum.module
Preprocess variables to format the next/previous forum topic navigation links.
template_preprocess_node in includes/theme.inc
Process variables for node.tpl.php
template_preprocess_poll_bar in modules/poll/poll.module
Preprocess the poll_bar theme hook.
template_preprocess_poll_results in modules/poll/poll.module
Preprocess the poll_results theme hook.
template_preprocess_poll_vote in modules/poll/poll.module
Themes the voting form for a poll.
template_preprocess_profile_block in modules/profile/profile.module
Process variables for profile-block.tpl.php.
template_preprocess_search_result in modules/search/search.pages.inc
Process variables for search-result.tpl.php.
template_preprocess_user_profile_category in modules/user/user.pages.inc
Process variables for user-profile-category.tpl.php.
theme_aggregator_block_item in modules/aggregator/aggregator.module
Format an individual feed item for display in the block.
theme_aggregator_page_opml in modules/aggregator/aggregator.pages.inc
Theme the OPML feed output.
theme_button in includes/form.inc
Theme a form button.
theme_filter_admin_overview in modules/filter/filter.admin.inc
Theme the admin overview form.
theme_hidden in includes/form.inc
Format a hidden form field.
theme_image in includes/theme.inc
Return a themed image.
theme_image_button in includes/form.inc
Theme a form image button.
theme_links in includes/theme.inc
Return a themed set of links.
theme_locale_languages_overview_form in includes/locale.inc
Theme the language overview form.
theme_placeholder in includes/theme.inc
Formats text for emphasized display in a placeholder inside a sentence. Used automatically by t().
theme_radio in includes/form.inc
Format a radio button.
theme_textarea in includes/form.inc
Format a textarea.
theme_textfield in includes/form.inc
Format a textfield.
theme_update_report in modules/update/update.report.inc
Theme project status report.
theme_username in includes/theme.inc
Format a username.
tracker_page in modules/tracker/tracker.pages.inc
Menu callback. Prints a listing of active nodes on the site.
update_do_one in ./update.php
Perform one update and store the results which will later be displayed on the finished page.
update_sql in includes/database.inc
Perform an SQL query and return success or failure.
url in includes/common.inc
Generates an internal or external URL.
user_autocomplete in modules/user/user.pages.inc
Menu callback; Retrieve a JSON object containing autocomplete suggestions for existing users.
user_block in modules/user/user.module
Implementation of hook_block().
user_block_user_action in modules/user/user.module
Implementation of a Drupal action. Blocks the current user.
user_edit in modules/user/user.pages.inc
Form builder; Present the form to edit a given user or profile category.
user_multiple_delete_confirm in modules/user/user.module
user_view in modules/user/user.pages.inc
Menu callback; Displays a user or user profile page.
xmlrpc_value_get_xml in includes/xmlrpc.inc
Generate XML representing the given value.
_db_query in includes/database.mysqli.inc
Helper function for db_query().
_db_query in includes/database.pgsql.inc
Helper function for db_query().
_db_query in includes/database.mysql.inc
Helper function for db_query().
_drupal_bootstrap in includes/bootstrap.inc
_filter_html in modules/filter/filter.module
HTML filter. Provides filtering of input into accepted HTML.
_filter_url_parse_full_links in modules/filter/filter.module
Make links out of absolute URLs.
_filter_url_parse_partial_links in modules/filter/filter.module
Make links out of domain names starting with "www."
_locale_translate_seek in includes/locale.inc
Perform a string search and display results in a table
_node_index_node in modules/node/node.module
Index a single node.
_system_sql in modules/system/system.admin.inc
Theme a SQL result table.
_upload_form in modules/upload/upload.module

File

includes/bootstrap.inc, line 845
Functions that need to be loaded on every Drupal request.

Code

<?php
function check_plain($text) {
  static $php525;

  if (!isset($php525)) {
    $php525 = version_compare(PHP_VERSION, '5.2.5', '>=');
  }
  // We duplicate the preg_match() to validate strings as UTF-8 from
  // drupal_validate_utf8() here. This avoids the overhead of an additional
  // function call, since check_plain() may be called hundreds of times during
  // a request. For PHP 5.2.5+, this check for valid UTF-8 should be handled
  // internally by PHP in htmlspecialchars().
  // @see http://www.php.net/releases/5_2_5.php
  // @todo remove this when support for either IE6 or PHP < 5.2.5 is dropped.

  if ($php525) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
  return (preg_match('/^./us', $text) == 1) ? htmlspecialchars($text, ENT_QUOTES, 'UTF-8') : '';
}
?>
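
The following is an added example, not part of Drupal core or the original page: it runs the same htmlspecialchars() call on constructed inputs to show what comes back for element content, attribute values, invalid UTF-8, and text that is escaped twice. example_check_plain() and the sample strings are assumptions made for illustration.

```php
<?php
// Added example, not Drupal core code. example_check_plain() is a hypothetical
// stand-in for the PHP >= 5.2.5 branch of check_plain(), so this runs without
// a Drupal bootstrap.
function example_check_plain($text) {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Constructed sample inputs, as they might arrive from a form or a feed.
$title  = 'Tom & Jerry <b>uncut</b>';
$attr   = 'say "hi" or \'bye\'';
$latin1 = "caf\xE9"; // ISO-8859-1 bytes; a lone 0xE9 is not valid UTF-8.

$results = array(
  // Element content: markup characters become entities.
  'element content' => '<h2>' . example_check_plain($title) . '</h2>',
  // Attribute value: ENT_QUOTES encodes both quote styles, so the value
  // cannot end the attribute whichever quote character the template uses.
  'attribute value' => '<input value="' . example_check_plain($attr) . '" />',
  // Invalid UTF-8: the whole string is rejected rather than partly escaped.
  'invalid UTF-8' => example_check_plain($latin1),
  // Text that is already HTML: the entity itself gets escaped again.
  'escaped twice' => example_check_plain(example_check_plain('AT&T')),
  // double_encode = FALSE: plain text that really contains "&amp;" is passed
  // through, so the browser shows "&" where the author typed "&amp;".
  'double_encode off' => htmlspecialchars('Type &amp; for an ampersand', ENT_QUOTES, 'UTF-8', FALSE),
);

foreach ($results as $case => $html) {
  echo str_pad($case, 18), var_export($html, TRUE), "\n";
}
```

Run it with the PHP command-line interpreter; escaping belongs at the point where plain text is placed into HTML, and only once per string.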

Comments

Accelerate check_plain

Drupal now has a php extension to accelerate check_plain (and also drupal_static.)

It's tested in php 5.3 (but not officially production ready) and should also work under php 5.2.

http://drupal.org/project/drupal_php_ext

Drupal 7

Which is for Drupal 7 only.

Ampersands and some other characters

Be careful if your strings have ampersands. This wants to replace them with literally '&&' which is certainly invalid. If you notice any characters going wrong with this, str_replace() is a perfectly valid option if you only need to replace 1 or 2 characters with their htmlspecialchars() variant. Otherwise, use htmlspecialchars() on your string.

Your comment is

Your comment is misguided.

You must use check_plain on plaintext strings before pasting them into HTML. If you see &amp;amp; appearing on strings containing an ampersand, it means you did some double escaping / called check_plain on a string that's already HTML.

htmlspecialchar's double_encode arg

As of 5.2.3 (according to php.net doc), htmlspecialchars() has a fourth argument: $double_encode = TRUE;
Setting it to FALSE will make check_plain() idempotent. I tested it on PHP 5.3.3 and it appears to work.

php -r "echo htmlspecialchars('\'\"&<>&foo&"'<>', ENT_QUOTES, 'UTF-8', FALSE) . \"\n\";"
'"&<>&foo&"'<>

Beware of htmlspecialchars or preg_match argument type errors

If you're developing a module and on hook_user at op=load you load an object or array in an existing object property (like I had mistakenly loaded an object into $account->status), you'll get an error from one of the 2 functions in this post's title, which are called from check_plain. I don't know why, but after the load hook there's no data integrity check, and type mismatch errors propagate through to here.

So if you're loading additional data in hook_user at op=load (or hook_user_load in D7) be sure to load it in a custom variable or something, just never in an existing object member (unless you mean it).

The problem is that it's unintuitive to look in hook_user (_load) when those errors occur, and this type of issue can be very tricky to detect. A stack trace doesn't make much sense either and can send you in wrong directions (as it did to me), but who knows, it might also save you. So I hope this helps anyone having the same trouble I did.

Have fun :)
