function url_is_external

Returns TRUE if a path is external to Drupal (e.g. http://example.com).

If a path cannot be assessed by Drupal's menu handler, then we must treat it as potentially insecure.

Parameters

$path: The internal path or external URL being linked to, such as "node/34" or "http://example.com/foo".

Return value

Boolean TRUE or FALSE, where TRUE indicates an external path.

7 calls to url_is_external()
drupal_goto in drupal/core/includes/common.inc
Sends the user to a different Drupal page.
drupal_valid_path in drupal/core/includes/path.inc
Checks a path exists and the current user has access to it.
form_builder in drupal/core/includes/form.inc
Builds and processes all elements in the structured form array.
MenuLinkFormController::validate in drupal/core/modules/menu_link/lib/Drupal/menu_link/MenuLinkFormController.php
Overrides EntityFormController::validate().
MenuLinkStorageController::preSave in drupal/core/modules/menu_link/lib/Drupal/menu_link/MenuLinkStorageController.php
Overrides DatabaseStorageController::preSave().

... See full list

File

drupal/core/includes/common.inc, line 1402
Common functions that many Drupal modules will need to reference.

Code

function url_is_external($path) {
  $colonpos = strpos($path, ':');

  // Avoid calling drupal_strip_dangerous_protocols() if there is any
  // slash (/), hash (#) or question_mark (?) before the colon (:)
  // occurrence - if any - as this would clearly mean it is not a URL.
  return $colonpos !== FALSE && !preg_match('![/?#]!', substr($path, 0, $colonpos)) && drupal_strip_dangerous_protocols($path) == $path;
}