function drupal_strip_dangerous_protocols

Strips dangerous protocols (e.g. 'javascript:') from a URI.

This function must be called on every URI in user-entered input before that URI is output to an HTML attribute value. It is often called as part of check_url() or filter_xss(), but those functions return an HTML-encoded string. Call this function directly when the output needs to be a plain-text string for passing to t(), l(), Drupal\Core\Template\Attribute, or another function that will call check_plain() separately.

Parameters

$uri: A plain-text URI that might contain dangerous protocols.

Return value

A plain-text URI stripped of dangerous protocols. As with all plain-text strings, this return value must not be output to an HTML page without check_plain() being called on it. However, it can be passed to functions expecting plain-text strings.

See also

\Drupal\Component\Utility\Url::stripDangerousProtocols()

5 calls to drupal_strip_dangerous_protocols()
template_preprocess_html in drupal/core/includes/theme.inc
Prepares variables for HTML document templates.
template_preprocess_maintenance_page in drupal/core/includes/theme.inc
Prepare variables for maintenance page templates.
theme_form in drupal/core/includes/form.inc
Returns HTML for a form.
url_is_external in drupal/core/includes/common.inc
Returns TRUE if a path is external to Drupal (e.g. http://example.com).
XssUnitTest::testBadProtocolStripping in drupal/core/modules/system/lib/Drupal/system/Tests/Common/XssUnitTest.php
Checks that harmful protocols are stripped.

File

drupal/core/includes/common.inc, line 882
Common functions that many Drupal modules will need to reference.

Code

function drupal_strip_dangerous_protocols($uri) {
  return UrlValidator::stripDangerousProtocols($uri);
}
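
The following stand-alone sketch is an added example, not Drupal's own code. It shows allowlist-based protocol stripping and why the plain-text result is HTML-encoded exactly once, at output. The function name example_strip_dangerous_protocols(), the allowlist, and the sample inputs are assumptions made for the illustration, and htmlspecialchars() stands in for check_plain().

```php
<?php
// Added illustration; not Drupal's implementation. The function name and the
// allowlist below are assumptions made for this example.
const EXAMPLE_ALLOWED_PROTOCOLS = ['http', 'https', 'ftp', 'mailto'];

/**
 * Removes every leading scheme that is not on the allowlist.
 */
function example_strip_dangerous_protocols(string $uri): string {
  do {
    $before = $uri;
    $colon = strpos($uri, ':');
    if ($colon > 0) {
      $scheme = substr($uri, 0, $colon);
      // A colon after '/', '?' or '#' belongs to a path, query or fragment,
      // so the URI is relative and inherits the page's own scheme.
      if (preg_match('![/?#]!', $scheme)) {
        break;
      }
      // Scheme comparison is case-insensitive.
      if (!in_array(strtolower($scheme), EXAMPLE_ALLOWED_PROTOCOLS, TRUE)) {
        $uri = substr($uri, $colon + 1);
      }
    }
    // Loop again: stripping one scheme can expose another one behind it.
  } while ($before !== $uri);
  return $uri;
}

// Constructed sample inputs.
$samples = [
  'https://example.com/?a=1&b=2',
  'JavaScript:alert(1)',
  'javascript:javascript:alert(1)',
  'node/1?time=12:30',
];
foreach ($samples as $raw) {
  $plain = example_strip_dangerous_protocols($raw);
  // $plain is still plain text. Encode it once, at the point of output;
  // htmlspecialchars() stands in for check_plain() here.
  $attr = htmlspecialchars($plain, ENT_QUOTES, 'UTF-8');
  echo $raw, ' => <a href="', $attr, '">', "\n";
}
```

Encoding the value before handing it to a function that encodes again would turn the `&` in the first sample into `&amp;amp;`, which is the double-encoding case the description above warns about.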