filter_xss

Drupal 5 (filter.module): filter_xss($string, $allowed_tags = array('a', 'em', 'strong', 'cite', 'code', 'ul', 'ol', 'li', 'dl', 'dt', 'dd'))
Drupal 6 (filter.module): filter_xss($string, $allowed_tags = array('a', 'em', 'strong', 'cite', 'code', 'ul', 'ol', 'li', 'dl', 'dt', 'dd'))
Drupal 7 (common.inc): filter_xss($string, $allowed_tags = array('a', 'em', 'strong', 'cite', 'blockquote', 'code', 'ul', 'ol', 'li', 'dl', 'dt', 'dd'))
Drupal 8 (common.inc): filter_xss($string, $allowed_tags = array('a', 'em', 'strong', 'cite', 'blockquote', 'code', 'ul', 'ol', 'li', 'dl', 'dt', 'dd'))

Filters HTML to prevent cross-site-scripting (XSS) vulnerabilities.

Based on kses by Ulf Harnhammar, see http://sourceforge.net/projects/kses. For examples of various XSS attacks, see: http://ha.ckers.org/xss.html.

This code does four things:

  • Removes characters and constructs that can trick browsers.
  • Makes sure all HTML entities are well-formed.
  • Makes sure all HTML tags and attributes are well-formed.
  • Makes sure no HTML tags contain URLs with a disallowed protocol (e.g. javascript:).

Parameters

$string: The string with raw HTML in it. It will be stripped of everything that can cause an XSS attack.

$allowed_tags: An array of allowed tags.

Return value

An XSS safe version of $string, or an empty string if $string is not valid UTF-8.

See also

drupal_validate_utf8()

24 functions call filter_xss()

aggregator_filter_xss in modules/aggregator/aggregator.module
Safely renders HTML content, as allowed.
CommentTokenReplaceTestCase::testCommentTokenReplacement in modules/comment/comment.test
Creates a comment, then tests the tokens generated from it.
comment_tokens in modules/comment/comment.tokens.inc
Implements hook_tokens().
CommonXssUnitTest::testInvalidMultiByte in modules/simpletest/tests/common.test
Check that invalid multi-byte sequences are rejected.
DBLogTestCase::assertLogMessage in modules/dblog/dblog.test
Assert messages appear on the log overview screen.
DBLogTestCase::doUser in modules/dblog/dblog.test
Generate and verify user events.
dblog_overview in modules/dblog/dblog.admin.inc
Menu callback; displays a listing of log messages.
DrupalWebTestCase::assertTextHelper in modules/simpletest/drupal_web_test_case.php
Helper for assertText and assertNoText.
DrupalWebTestCase::assertUniqueTextHelper in modules/simpletest/drupal_web_test_case.php
Helper for assertUniqueText and assertNoUniqueText.
drupal_html_to_text in includes/mail.inc
Transform an HTML string into plain text, preserving the structure of the markup. Useful for preparing the body of a node to be sent by e-mail.
field_filter_xss in modules/field/field.module
Like filter_xss_admin(), but with a shorter list of allowed tags.
FilterUnitTestCase::testFilterXSS in modules/filter/filter.test
Tests limiting allowed tags and XSS prevention.
filter_xss_admin in includes/common.inc
Applies a very permissive XSS/HTML filter for admin-only use.
FormAlterTestCase::testExecutionOrder in modules/simpletest/tests/form.test
Tests execution order of hook_form_alter() and hook_form_FORM_ID_alter().
hook_tokens in modules/system/system.api.php
Provide replacement values for placeholder tokens.
locale_string_is_safe in includes/locale.inc
Check that a string is safe to be added or imported as a translation.
node_revision_overview in modules/node/node.pages.inc
Generate an overview table of older revisions of a node.
PollTokenReplaceTestCase::testPollTokenReplacement in modules/poll/poll.test
Creates a poll, then tests the tokens generated from it.
poll_tokens in modules/poll/poll.tokens.inc
Implements hook_tokens().
TaxonomyTokenReplaceTestCase::testTaxonomyTokenReplacement in modules/taxonomy/taxonomy.test
Creates some terms and a node, then tests the tokens generated from them.
taxonomy_tokens in modules/taxonomy/taxonomy.tokens.inc
Implements hook_tokens().
theme_dblog_message in modules/dblog/dblog.admin.inc
Returns HTML for a log message.
TokenReplaceTestCase::testSystemDateTokenReplacement in modules/system/system.test
Tests the generation of all system date tokens.
_filter_html in modules/filter/filter.module
HTML filter. Provides filtering of input into accepted HTML.

File

includes/common.inc, line 1355
Common functions that many Drupal modules will need to reference.

Code

<?php
function filter_xss($string, $allowed_tags = array('a', 'em', 'strong', 'cite', 'blockquote', 'code', 'ul', 'ol', 'li', 'dl', 'dt', 'dd')) {
  // Only operate on valid UTF-8 strings. This is necessary to prevent cross
  // site scripting issues on Internet Explorer 6.
  if (!drupal_validate_utf8($string)) {
    return '';
  }
  // Store the text format.
  _filter_xss_split($allowed_tags, TRUE);
  // Remove NULL characters (ignored by some browsers).
  $string = str_replace(chr(0), '', $string);
  // Remove Netscape 4 JS entities.
  $string = preg_replace('%&\s*\{[^}]*(\}\s*;?|$)%', '', $string);

  // Defuse all HTML entities.
  $string = str_replace('&', '&amp;', $string);
  // Change back only well-formed entities in our whitelist:
  // Decimal numeric entities.
  $string = preg_replace('/&amp;#([0-9]+;)/', '&#\1', $string);
  // Hexadecimal numeric entities.
  $string = preg_replace('/&amp;#[Xx]0*((?:[0-9A-Fa-f]{2})+;)/', '&#x\1', $string);
  // Named entities.
  $string = preg_replace('/&amp;([A-Za-z][A-Za-z0-9]*;)/', '&\1', $string);

  return preg_replace_callback('%
    (
    <(?=[^a-zA-Z!/])  # a lone <
    |                 # or
    <!--.*?-->        # a comment
    |                 # or
    <[^>]*(>|$)       # a string that starts with a <, up until the > or the end of the string
    |                 # or
    >                 # just a >
    )%x', '_filter_xss_split', $string);
}
?>
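The pipeline above, ported to Python as an added example. This is not Drupal's code: the entity-normalization and tag-tokenizing regexes are transcribed from the function shown, but `_filter_xss_split()` and `_filter_xss_attributes()` are not on this page, so the per-tag handling is an approximation (disallowed elements and all comments are removed while their text content stays, `on*` and `xmlns` attributes are dropped, and `href`/`src` values have disallowed schemes stripped iteratively after entity decoding). `ALLOWED_PROTOCOLS` is an assumed short list; Drupal reads its own list from site configuration. The sample payloads are constructed.

```python
"""Illustrative Python port of the filter_xss() pipeline (not Drupal's code)."""
import html
import re

# Default whitelist, copied from the Drupal 7 signature above.
DEFAULT_ALLOWED_TAGS = ('a', 'em', 'strong', 'cite', 'blockquote', 'code',
                        'ul', 'ol', 'li', 'dl', 'dt', 'dd')
# Assumption: a short allowed-scheme list (Drupal's is site-configurable).
ALLOWED_PROTOCOLS = frozenset(('http', 'https', 'ftp', 'mailto'))
URI_ATTRIBUTES = frozenset(('href', 'src'))

# Tokenizer transcribed from the preg_replace_callback() pattern above.
TAG_SPLIT_RE = re.compile(r'''(
    <(?=[^a-zA-Z!/])   # a lone <
  | <!--.*?-->         # a comment
  | <[^>]*(?:>|$)      # a string that starts with <, up to the > or end of string
  | >                  # just a >
)''', re.X)
# Assumed shapes of one tag and one attribute: the page does not show
# _filter_xss_split() / _filter_xss_attributes(), so these approximate them.
TAG_RE = re.compile(r'^<\s*(/?)\s*([a-zA-Z][a-zA-Z0-9]*)([^>]*?)\s*(/?)\s*>?$')
ATTR_RE = re.compile(r'''([a-zA-Z_:][-a-zA-Z0-9_:.]*)                     # name
                         (?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?  # = value
                      ''', re.X)


def normalize_entities(s):
    """Defuse every '&', then restore only well-formed entities
    (the three preg_replace() calls in filter_xss())."""
    s = s.replace('&', '&amp;')
    s = re.sub(r'&amp;#([0-9]+;)', r'&#\1', s)                       # decimal
    s = re.sub(r'&amp;#[Xx]0*((?:[0-9A-Fa-f]{2})+;)', r'&#x\1', s)  # hexadecimal
    s = re.sub(r'&amp;([A-Za-z][A-Za-z0-9]*;)', r'&\1', s)           # named
    return s


def strip_dangerous_protocols(uri):
    """Iteratively remove any disallowed scheme. Entities are decoded first so
    'java&#x73;cript:' cannot hide a scheme; looping catches stacked schemes."""
    uri = html.unescape(uri)
    while True:
        before = uri
        colon = uri.find(':')
        if colon > 0:
            scheme = uri[:colon]
            if re.search(r'[/?#]', scheme):   # colon is not a scheme separator
                break
            if scheme.lower() not in ALLOWED_PROTOCOLS:
                uri = uri[colon + 1:]
        if uri == before:
            break
    return uri


def clean_attributes(attrlist):
    """Drop event handlers and xmlns, sanitize URI values, re-quote the rest."""
    out = []
    for m in ATTR_RE.finditer(attrlist):
        name = m.group(1).lower()
        if name.startswith('on') or name.startswith('xmlns'):
            continue
        value = next((v for v in m.group(2, 3, 4) if v is not None), None)
        if value is None:
            out.append(name)
            continue
        if name in URI_ATTRIBUTES:
            value = html.escape(strip_dangerous_protocols(value), quote=True)
        else:
            value = value.replace('"', '&quot;')
        out.append(f'{name}="{value}"')
    # No raw angle brackets may survive inside the attribute list.
    return ' '.join(out).replace('<', '').replace('>', '')


def split_tag(m, allowed):
    """Per-token callback: escape lone '<' / '>', drop comments and disallowed
    elements (their text content stays), rebuild allowed elements."""
    token = m.group(0)
    if token == '<':
        return '&lt;'
    if token == '>':
        return '&gt;'
    if token.startswith('<!--'):
        return ''
    t = TAG_RE.match(token)
    if t is None:
        return ''                      # seriously malformed
    slash, name, attrlist, xhtml_slash = t.groups()
    name = name.lower()
    if name not in allowed:
        return ''
    if slash:
        return f'</{name}>'
    attrs = clean_attributes(attrlist)
    return '<' + name + (' ' + attrs if attrs else '') + (' /' if xhtml_slash else '') + '>'


def filter_xss(data, allowed_tags=DEFAULT_ALLOWED_TAGS):
    """XSS-safe version of data (str or bytes), or '' if it is not valid UTF-8."""
    if isinstance(data, bytes):
        try:
            s = data.decode('utf-8')
        except UnicodeDecodeError:
            return ''
    else:
        try:
            data.encode('utf-8')       # rejects lone surrogates
        except UnicodeEncodeError:
            return ''
        s = data
    allowed = frozenset(t.lower() for t in allowed_tags)
    s = s.replace('\x00', '')                         # NULs ignored by some browsers
    s = re.sub(r'&\s*\{[^}]*(\}\s*;?|$)', '', s)      # Netscape 4 JS entities
    s = normalize_entities(s)
    return TAG_SPLIT_RE.sub(lambda m: split_tag(m, allowed), s)


if __name__ == '__main__':
    # Constructed sample payloads, not taken from the page.
    for payload in ('<script>alert(1)</script>hi',
                    '<a href="jAvAsCrIpT&#x3A;alert(1)">x</a>',
                    '<IMG SRC=x onerror=alert(1)>',
                    '<b>bold</b> 1 < 2'):
        print(repr(payload), '->', repr(filter_xss(payload)))
```

Two behaviours worth noticing when running this against your own inputs: a disallowed element such as `<script>` or `<b>` is removed but its text content is kept, so `<b>bold</b>` becomes plain `bold` under the default whitelist, and a `javascript:` URL is not rejected as a whole but has its scheme cut off, leaving `href="alert(1)"`. The result is safe as HTML element content; it is still a whitelist filter, not a general sanitizer for attribute, script or CSS contexts.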