filter_xss_bad_protocol

Search API

Navigation

Help e-Commerce Development

If you Use e-Commerce please consider helping by donating to or sponsoring development. You can make a donation of a one off amount as big or as small as you want, Or alternatively you can sponsor development by paying $US5.00/mth.

User login

Definition

filter_xss_bad_protocol($string, $decode = TRUE)
drupal-4-7/modules/filter.module, line 1345

Description

Processes an HTML attribute value and ensures it does not contain an URL with a disallowed protocol (e.g. javascript:)

Parameters

$string The string with the attribute value.

$decode Whether to decode entities in the $string. Set to FALSE if the $string is in plain text, TRUE otherwise. Defaults to TRUE.

Return value

Cleaned up and HTML-escaped version of $string.

Code

<?php
function filter_xss_bad_protocol($string, $decode = TRUE) {
  static $allowed_protocols;
  if (!isset($allowed_protocols)) {
    $allowed_protocols = array_flip(variable_get('filter_allowed_protocols', array('http', 'https', 'ftp', 'news', 'nntp', 'telnet', 'mailto', 'irc', 'ssh', 'sftp', 'webcal')));
  }

  // Get the plain text representation of the attribute value (i.e. its meaning)
  if ($decode) {
    $string = decode_entities($string);
  }
  // Iteratively remove any invalid protocol found.
  do {
    $before = $string;
    $colonpos = strpos($string, ':');
    if ($colonpos > 0) {
      // We found a colon, possibly a protocol. Verify.
      $protocol = substr($string, 0, $colonpos);
      // If a colon is preceded by a slash, question mark or hash, it cannot
      // possibly be part of the URL scheme. This must be a relative URL,
      // which inherits the (safe) protocol of the base document.
      if (preg_match('![/?#]!', $protocol)) {
        break;
      }
      // Check if this is a disallowed protocol
      if (!isset($allowed_protocols[$protocol])) {
        $string = substr($string, $colonpos + 1);
      }
    }
  } while ($before != $string);
  return check_plain($string);
}
?>