4.6.x filter.module filter_xss_bad_protocol($string, $decode = TRUE)
4.7.x filter.module filter_xss_bad_protocol($string, $decode = TRUE)
5.x filter.module filter_xss_bad_protocol($string, $decode = TRUE)
6.x bootstrap.inc filter_xss_bad_protocol($string, $decode = TRUE)
7.x common.inc filter_xss_bad_protocol($string, $decode = TRUE)

Processes an HTML attribute value and strips dangerous protocols from URLs.


Parameters

$string: The string with the attribute value.

$decode: (deprecated) Whether to decode entities in the $string. Set to FALSE if the $string is in plain text, TRUE otherwise. Defaults to TRUE. This parameter is deprecated and will be removed in Drupal 8. To process a plain-text URI, call drupal_strip_dangerous_protocols() or check_url() instead.

Return value

Cleaned up and HTML-escaped version of $string.


1 call to filter_xss_bad_protocol()
_filter_xss_attributes in includes/common.inc
Processes a string of HTML attributes.


File

includes/common.inc, line 1698
Common functions that many Drupal modules will need to reference.


Code

function filter_xss_bad_protocol($string, $decode = TRUE) {
  // Get the plain text representation of the attribute value (i.e. its meaning).
  // @todo Remove the $decode parameter in Drupal 8, and always assume an HTML
  //   string that needs decoding.
  if ($decode) {
    if (!function_exists('decode_entities')) {
      require_once DRUPAL_ROOT . '/includes/unicode.inc';
    }

    $string = decode_entities($string);
  }
  // Strip disallowed protocols from the plain text, then HTML-escape the result.
  return check_plain(drupal_strip_dangerous_protocols($string));
}
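
The order of operations in the function body (decode entities, strip disallowed protocols, then HTML-escape) and the effect of $decode are shown in the following added example, which is not Drupal's code. strip_protocols_sketch() and clean_attribute_sketch() are hypothetical, simplified stand-ins; PHP's html_entity_decode() and htmlspecialchars() are assumed here in place of decode_entities() and check_plain(), and the allow-list and sample values are constructed.

```php
<?php
// Added example, not Drupal core: a stand-alone sketch of decode -> strip -> escape.
// strip_protocols_sketch() is a hypothetical stand-in for
// drupal_strip_dangerous_protocols(); the allow-list below is an assumption.
function strip_protocols_sketch($uri, array $allowed = array('http', 'https', 'ftp', 'mailto')) {
  do {
    $before = $uri;
    $colon = strpos($uri, ':');
    if ($colon > 0) {
      $scheme = substr($uri, 0, $colon);
      // A colon that follows /, ? or # is part of a relative URL, not a scheme.
      if (preg_match('![/?#]!', $scheme)) {
        break;
      }
      // Scheme comparison is case-insensitive; drop anything not allow-listed.
      if (!in_array(strtolower($scheme), $allowed, TRUE)) {
        $uri = substr($uri, $colon + 1);
      }
    }
  } while ($before !== $uri);  // Repeat so stacked schemes are all removed.
  return $uri;
}

// Hypothetical stand-in for filter_xss_bad_protocol().
function clean_attribute_sketch($value, $decode = TRUE) {
  if ($decode) {
    // Recover the plain-text meaning a browser derives from the attribute value.
    $value = html_entity_decode($value, ENT_QUOTES, 'UTF-8');
  }
  // Check the scheme on plain text, then escape once for output as HTML.
  return htmlspecialchars(strip_protocols_sketch($value), ENT_QUOTES, 'UTF-8');
}

// Constructed sample attribute values (HTML strings, as found inside markup).
$samples = array(
  'http://example.com/?a=1&amp;b=2',  // allowed scheme, entity-encoded ampersand
  'jav&#x61;script:void(0)',          // scheme hidden behind a character reference
  'JaVaScRiPt:void(0)',               // mixed-case scheme
  '/node/1?destination=a:b',          // relative URL with a colon in the query
);
foreach ($samples as $s) {
  printf("%-33s TRUE: %-33s FALSE: %s\n", $s,
    clean_attribute_sketch($s, TRUE), clean_attribute_sketch($s, FALSE));
}
```

Passing an HTML string with $decode = FALSE leaves its entities undecoded, so the ampersand in the first two samples is escaped a second time and the character reference in the second sample is never interpreted as part of a scheme.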