8.5.x common.inc check_url($uri)
8.0.x common.inc check_url($uri)
8.1.x common.inc check_url($uri)
8.2.x common.inc check_url($uri)
8.3.x common.inc check_url($uri)
8.4.x common.inc check_url($uri)
8.6.x common.inc check_url($uri)
4.6.x common.inc check_url($uri)
4.7.x common.inc check_url($uri)
5.x common.inc check_url($uri)
6.x common.inc check_url($uri)
7.x common.inc check_url($uri)

Strips dangerous protocols from a URI and encodes it for output to HTML.


$uri: A plain-text URI that might contain dangerous protocols.

Return value

string A URI stripped of dangerous protocols and encoded for output to an HTML attribute value. Because it is already encoded, it should not be set as a value within a $attributes array passed to Drupal\Core\Template\Attribute, because Drupal\Core\Template\Attribute expects those values to be plain-text strings. To pass a filtered URI to Drupal\Core\Template\Attribute, call \Drupal\Component\Utility\UrlHelper::stripDangerousProtocols() instead.


in Drupal 8.0.x-dev, will be removed before Drupal 9.0.0. Use UrlHelper::stripDangerousProtocols() or UrlHelper::filterBadProtocol() instead. UrlHelper::stripDangerousProtocols() can be used in conjunction with \Drupal\Component\Utility\SafeMarkup::format() and an @variable placeholder which will perform the necessary escaping. UrlHelper::filterBadProtocol() is functionality equivalent to check_url() apart from the fact it is protected from double escaping bugs. Note that this method no longer marks its output as safe.

See also




Related topics

1 call to check_url()
XssUnitTest::testBadProtocolStripping in core/tests/Drupal/KernelTests/Core/Common/XssUnitTest.php
Checks that harmful protocols are stripped.
1 string reference to 'check_url'
DrupalPractice_Sniffs_FunctionCalls_DefaultValueSanitizeSniff::registerFunctionNames in vendor/drupal/coder/coder_sniffer/DrupalPractice/Sniffs/FunctionCalls/DefaultValueSanitizeSniff.php
Returns an array of function names this test wants to listen for.


core/includes/common.inc, line 228
Common functions that many Drupal modules will need to reference.


function check_url($uri) {
  return Html::escape(UrlHelper::stripDangerousProtocols($uri));