function check_plain

You are here

7 bootstrap.inc check_plain($text)
4.6 bootstrap.inc check_plain($text)
4.7 bootstrap.inc check_plain($text)
5 bootstrap.inc check_plain($text)
6 bootstrap.inc check_plain($text)
8 bootstrap.inc check_plain($text)

Encode special characters in a plain-text string for display as HTML.

Also validates strings as UTF-8 to prevent cross site scripting attacks on Internet Explorer 6.

Parameters

$text: The text to be checked or processed.

Return value

An HTML safe version of $text, or an empty string if $text is not valid UTF-8.

See also

drupal_validate_utf8().

139 calls to check_plain()
aggregator_block in modules/aggregator/aggregator.module
Implementation of hook_block().
aggregator_categorize_items in modules/aggregator/aggregator.pages.inc
Form builder; build the page list form.
aggregator_form_feed in modules/aggregator/aggregator.admin.inc
Form builder; Generate a form to add/edit feed sources.
aggregator_page_source in modules/aggregator/aggregator.pages.inc
Menu callback; displays all the items captured from a particular feed.
aggregator_refresh in modules/aggregator/aggregator.module
Checks a news feed for new items.

... See full list

6 string references to 'check_plain'
blogapi_admin_settings in modules/blogapi/blogapi.module
node_form_alter in modules/node/node.module
Implementation of hook_form_alter().
node_menu in modules/node/node.module
Implementation of hook_menu().
taxonomy_form_vocabulary in modules/taxonomy/taxonomy.admin.inc
Display form for adding and editing vocabularies.
user_menu in modules/user/user.module
Implementation of hook_menu().

... See full list

File

includes/bootstrap.inc, line 845
Functions that need to be loaded on every Drupal request.

Code

function check_plain($text) {
  static $php525;

  if (!isset($php525)) {
    $php525 = version_compare(PHP_VERSION, '5.2.5', '>=');
  }
  // We duplicate the preg_match() to validate strings as UTF-8 from
  // drupal_validate_utf8() here. This avoids the overhead of an additional
  // function call, since check_plain() may be called hundreds of times during
  // a request. For PHP 5.2.5+, this check for valid UTF-8 should be handled
  // internally by PHP in htmlspecialchars().
  // @see http://www.php.net/releases/5_2_5.php
  // @todo remove this when support for either IE6 or PHP < 5.2.5 is dropped.

  if ($php525) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
  return (preg_match('/^./us', $text) == 1) ? htmlspecialchars($text, ENT_QUOTES, 'UTF-8') : '';
}

Comments

Drupal now has a php extension to accelerate check_plain (and also drupal_static.)

It's tested in php 5.3 (but not officially production ready) and should also work under php 5.2.

http://drupal.org/project/drupal_php_ext

Which is for Drupal 7 only.

Be careful if your strings have ampersands. This wants to replace them with literally '&&' which is certainly invalid. If you notice any characters going wrong with this, str_replace() is a perfectly valid option if you only need to replace 1 or 2 characters with their htmlspecialchars() variant. Otherwise, use htmlspecialchars() on your string.

Your comment is misguided.

You must use check_plain on plaintext strings before pasting them into HTML. If you see &amp;amp; appearing on strings containing an ampersand, it means you did some double escaping / called check_plain on a string that's already HTML.

as of 5.2.3 (according to php.net doc), htmlspecialchars() has a fourth argument: $double_encode = TRUE;
Setting it to FALSE will make check_plain() idempotent. I tested it on PHP 5.3.3 and it appears to work

php -r "echo htmlspecialchars('\'\"&<>&foo&"'<>', ENT_QUOTES, 'UTF-8', FALSE) . \"\n\";"
'"&<>&foo&"'<>

If you're developing a module and on hook_user at op=load you load an object or array in an existing object property (like i had mistakenly loaded an object into $account->status), you'll get an error from one of the 2 functions in this post's title, which are called from check_plain. I don't know why, but after the load hook there's no data integrity check, and type mismatch errors propagate through to here.

So if you're loading additional data in hook_user at op=load (or hook_user_load in D7) be sure to load it in a custom variable or something, just never in an existing object member (unless you mean it).

The problem is that it's unintuitive to look in hook_user (_load) when those errors occur, and this type of issue can be very tricky to detect. A stack trace doesn't make much sense either and can send you in wrong directions (as it did to me), but who knows, it might also save you. So I hope this helps anyone having the same trouble I did.

Have fun :)

Why isn't the double encode flag set to false?

I feel that mikehoward raises a good point that check_plain should be idempotent.

Because Drupal 6.x supports PHP versions as far back as 4.4.0