Same name and namespace in other branches
- 4.6.x modules/filter.module \filter_xss_bad_protocol()
- 4.7.x modules/filter.module \filter_xss_bad_protocol()
- 5.x modules/filter/filter.module \filter_xss_bad_protocol()
- 6.x includes/bootstrap.inc \filter_xss_bad_protocol()
Processes an HTML attribute value and strips dangerous protocols from URLs.
Parameters
$string: The string with the attribute value.
$decode: (deprecated) Whether to decode entities in the $string. Set to FALSE if the $string is in plain text, TRUE otherwise. Defaults to TRUE. This parameter is deprecated and will be removed in Drupal 8. To process a plain-text URI, call drupal_strip_dangerous_protocols() or check_url() instead.
Return value
Cleaned up and HTML-escaped version of $string.
1 call to filter_xss_bad_protocol()
- _filter_xss_attributes in includes/common.inc - Processes a string of HTML attributes.
File
- includes/common.inc, line 1769 - Common functions that many Drupal modules will need to reference.
Code
function filter_xss_bad_protocol($string, $decode = TRUE) {
  // Get the plain text representation of the attribute value (i.e. its meaning).
  // @todo Remove the $decode parameter in Drupal 8, and always assume an HTML
  //   string that needs decoding.
  if ($decode) {
    if (!function_exists('decode_entities')) {
      require_once DRUPAL_ROOT . '/includes/unicode.inc';
    }
    $string = decode_entities($string);
  }
  return check_plain(drupal_strip_dangerous_protocols($string));
}
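
The decode, strip, escape order used by the function above, shown stage by stage in an added example that is not Drupal's own code. `strip_dangerous_schemes()` and `clean_attribute_value()` are hypothetical stand-ins built on PHP built-ins, the four-scheme allowlist is an assumption, and the sample attribute values are constructed.

```php
<?php
// Added illustration: simplified stand-ins, not Drupal's implementations.

// Assumed allowlist for this example only.
const ALLOWED_SCHEMES = ['http', 'https', 'ftp', 'mailto'];

// Stand-in for drupal_strip_dangerous_protocols(): repeatedly drop a leading
// "scheme:" that is not on the allowlist, so nested prefixes are removed too.
function strip_dangerous_schemes(string $uri): string {
  do {
    $before = $uri;
    $colon = strpos($uri, ':');
    if ($colon !== false && $colon > 0) {
      $scheme = substr($uri, 0, $colon);
      // A colon that follows "/", "?" or "#" is part of a relative URL.
      if (preg_match('![/?#]!', $scheme)) {
        break;
      }
      if (!in_array(strtolower($scheme), ALLOWED_SCHEMES, true)) {
        $uri = substr($uri, $colon + 1);
      }
    }
  } while ($before !== $uri);
  return $uri;
}

// Same three stages as filter_xss_bad_protocol(): decode entities to get the
// value the browser would act on, strip the scheme, then re-escape for HTML.
function clean_attribute_value(string $value, bool $decode = true): string {
  if ($decode) {
    $value = html_entity_decode($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
  }
  return htmlspecialchars(strip_dangerous_schemes($value), ENT_QUOTES, 'UTF-8');
}

// Constructed attribute values, written as they would appear inside HTML.
$samples = [
  'https://example.com/?a=1&amp;b=2',  // allowed scheme, entity survives round trip
  'jav&#x61;script:void(0)',           // scheme only visible after decoding
  'javascript:javascript:void(0)',     // nested prefix needs the loop
  '/node/1?destination=foo:bar',       // colon in a relative URL is left alone
];
foreach ($samples as $html) {
  printf("%-34s => %s\n", $html, clean_attribute_value($html));
}
```

Calling `clean_attribute_value()` with `$decode = false` on the second sample leaves the entity-encoded scheme in place and double-escapes the ampersand, which is why the parameter documentation reserves FALSE for plain-text input.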