public static function UrlValidator::stripDangerousProtocols

Strips dangerous protocols (e.g. 'javascript:') from a URI.

This function must be called for all URIs within user-entered input prior to being output to an HTML attribute value. It is often called as part of check_url() or filter_xss(), but those functions return an HTML-encoded string, so this function can be called independently when the output needs to be a plain-text string for passing to t(), l(), Drupal\Core\Template\Attribute, or another function that will call check_plain() separately.

Parameters

string $uri: A plain-text URI that might contain dangerous protocols.

Return value

string A plain-text URI stripped of dangerous protocols. As with all plain-text strings, this return value must not be output to an HTML page without check_plain() being called on it. However, it can be passed to functions expecting plain-text strings.

See also

check_url()

4 calls to UrlValidator::stripDangerousProtocols()
check_url in drupal/core/includes/common.inc
Strips dangerous protocols from a URI and encodes it for output to HTML.
drupal_strip_dangerous_protocols in drupal/core/includes/common.inc
Strips dangerous protocols (e.g. 'javascript:') from a URI.
UrlGenerator::generateFromPath in drupal/core/lib/Drupal/Core/Routing/UrlGenerator.php
Implements \Drupal\Core\Routing\PathBasedGeneratorInterface::generateFromPath().
UrlValidator::filterBadProtocol in drupal/core/lib/Drupal/Component/Utility/UrlValidator.php
Processes an HTML attribute value and strips dangerous protocols from URLs.

File

drupal/core/lib/Drupal/Component/Utility/UrlValidator.php, line 70
Contains \Drupal\Component\Utility\UrlValidator.

Class

UrlValidator
Helper class to support filtering bad protocols from a URL.

Namespace

Drupal\Component\Utility

Code

public static function stripDangerousProtocols($uri) {
  $allowed_protocols = array_flip(static::$allowedProtocols);

  // Iteratively remove any invalid protocol found.
  do {
    $before = $uri;
    $colonpos = strpos($uri, ':');
    if ($colonpos > 0) {

      // We found a colon, possibly a protocol. Verify.
      $protocol = substr($uri, 0, $colonpos);

      // If a colon is preceded by a slash, question mark or hash, it cannot
      // possibly be part of the URL scheme. This must be a relative URL, which
      // inherits the (safe) protocol of the base document.
      if (preg_match('![/?#]!', $protocol)) {
        break;
      }

      // Check if this is a disallowed protocol. Per RFC2616, section 3.2.3
      // (URI Comparison) scheme comparison must be case-insensitive.
      if (!isset($allowed_protocols[strtolower($protocol)])) {
        $uri = substr($uri, $colonpos + 1);
      }
    }
  } while ($before != $uri);
  return $uri;
}
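
As an added example, not code from this page or from Drupal itself: a stand-alone PHP script that copies the algorithm above into a local function (so it runs without Drupal's autoloader), feeds it constructed inputs that hit each branch of the loop (allowed scheme, disallowed scheme, mixed-case scheme, nested schemes, relative URLs with a colon after '/', '?' or '#', a colon at position 0, and an HTML-encoded colon), and then performs the separate encoding step the "Return value" section requires, using htmlspecialchars() in place of check_plain(). The allow-list constant, the function names strip_dangerous_protocols() and safe_href(), and all inputs are assumptions of the example; the real allow-list is UrlValidator::$allowedProtocols in your Drupal version.

```php
<?php
// Added example, not part of the Drupal page or code base. Exercises the
// stripDangerousProtocols() algorithm on hand-written inputs and shows the
// separate HTML-encoding step its plain-text return value still needs.

declare(strict_types=1);

// Assumed allow-list. Drupal keeps the real one in UrlValidator::$allowedProtocols;
// check it for your version rather than relying on this copy.
const ALLOWED_PROTOCOLS = ['ftp', 'http', 'https', 'irc', 'mailto', 'news',
  'nntp', 'rtsp', 'sftp', 'ssh', 'tel', 'telnet', 'webcal'];

/**
 * Standalone copy of the stripDangerousProtocols() algorithm shown above, so
 * this script runs without Drupal. Only the source of the allow-list differs.
 */
function strip_dangerous_protocols(string $uri, array $allowed = ALLOWED_PROTOCOLS): string {
  $allowed_protocols = array_flip($allowed);
  do {
    $before = $uri;
    $colonpos = strpos($uri, ':');
    if ($colonpos > 0) {
      $protocol = substr($uri, 0, $colonpos);
      // A '/', '?' or '#' before the first colon means it cannot be a scheme:
      // this is a relative URL that inherits the base document's protocol.
      if (preg_match('![/?#]!', $protocol)) {
        break;
      }
      // Scheme comparison is case-insensitive (RFC 2616 section 3.2.3).
      if (!isset($allowed_protocols[strtolower($protocol)])) {
        $uri = substr($uri, $colonpos + 1);
      }
    }
  } while ($before != $uri);
  return $uri;
}

/**
 * Builds a complete href attribute from untrusted input: strip first, then
 * HTML-encode. htmlspecialchars() stands in for check_plain() here.
 */
function safe_href(string $untrusted_uri): string {
  $plain = strip_dangerous_protocols($untrusted_uri);
  return 'href="' . htmlspecialchars($plain, ENT_QUOTES, 'UTF-8') . '"';
}

// Constructed inputs, one per branch of the algorithm (assumed, not from Drupal).
$cases = [
  'http://example.com/'                   => 'allowed scheme is kept',
  'javascript:alert(1)'                   => 'disallowed scheme is removed',
  'JaVaScRiPt:alert(1)'                   => 'comparison is case-insensitive',
  'javascript:javascript:alert(1)'        => 'the loop strips nested schemes',
  'java script:alert(1)'                  => 'whitespace inside the scheme still fails the allow-list',
  '/search?q=javascript:alert(1)'         => 'relative URL: colon after ? is not a scheme',
  '#javascript:x'                         => 'fragment: colon after # is not a scheme',
  ':alert(1)'                             => 'colon at position 0 is not treated as a scheme',
  'javascript&#58;alert(1)'               => 'no literal colon: HTML-decode input BEFORE calling',
  'mailto:"><img src=x onerror=alert(1)>' => 'allowed scheme, but the value must still be encoded',
];

foreach ($cases as $input => $note) {
  printf("%-41s -> %-30s | %s\n    %s\n",
    $input, strip_dangerous_protocols($input), $note, safe_href($input));
}
```

Two of the rows are the ones worth remembering. 'javascript&#58;alert(1)' passes through untouched because the function only looks for a literal ':'; that is safe only if the value is then encoded (so the '&' becomes '&amp;'), and it means you must entity-decode anything that arrived HTML-encoded before calling the function, as the "plain-text URI" parameter description requires. The mailto row shows why the return value is not an attribute value yet: the scheme is allowed, and only the encoding step neutralises the quote.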