function drupal_strip_dangerous_protocols

Strips dangerous protocols (e.g. 'javascript:') from a URI.

This function must be called for all URIs within user-entered input prior to being output to an HTML attribute value. It is often called as part of check_url() or filter_xss(), but those functions return an HTML-encoded string, so this function can be called independently when the output needs to be a plain-text string for passing to t(), l(), Drupal\Core\Template\Attribute, or another function that will call check_plain() separately.

Parameters

$uri: A plain-text URI that might contain dangerous protocols.

Return value

A plain-text URI stripped of dangerous protocols. As with all plain-text strings, this return value must not be output to an HTML page without check_plain() being called on it. However, it can be passed to functions expecting plain-text strings.

See also

check_url()

Related topics

Sanitization functions
Functions to sanitize values.
8 calls to drupal_strip_dangerous_protocols()
check_url in drupal/core/includes/common.inc
Strips dangerous protocols from a URI and encodes it for output to HTML.
filter_xss_bad_protocol in drupal/core/includes/common.inc
Processes an HTML attribute value and strips dangerous protocols from URLs.
template_preprocess_html in drupal/core/includes/theme.inc
Preprocess variables for html.tpl.php
template_preprocess_maintenance_page in drupal/core/includes/theme.inc
The variables array generated here is a mirror of template_preprocess_page(). This preprocessor will run its course when theme_maintenance_page() is invoked.
theme_form in drupal/core/includes/form.inc
Returns HTML for a form.

... See full list

File

drupal/core/includes/common.inc, line 1219
Common functions that many Drupal modules will need to reference.

Code

function drupal_strip_dangerous_protocols($uri) {
  static $allowed_protocols;
  if (!isset($allowed_protocols)) {

    // filter_xss_admin() is called by the installer and update.php, in which
    // case the configuration may not exist (yet). Provide a minimal default set
    // of allowed protocols for these cases.
    $allowed_protocols = array_flip(config('system.filter')
      ->get('protocols') ?: array(
      'http',
      'https',
    ));
  }

  // Iteratively remove any invalid protocol found.
  do {
    $before = $uri;
    $colonpos = strpos($uri, ':');
    if ($colonpos > 0) {

      // We found a colon, possibly a protocol. Verify.
      $protocol = substr($uri, 0, $colonpos);

      // If a colon is preceded by a slash, question mark or hash, it cannot
      // possibly be part of the URL scheme. This must be a relative URL, which
      // inherits the (safe) protocol of the base document.
      if (preg_match('![/?#]!', $protocol)) {
        break;
      }

      // Check if this is a disallowed protocol. Per RFC2616, section 3.2.3
      // (URI Comparison) scheme comparison must be case-insensitive.
      if (!isset($allowed_protocols[strtolower($protocol)])) {
        $uri = substr($uri, $colonpos + 1);
      }
    }
  } while ($before != $uri);
  return $uri;
}