function locale_string_is_safe in Drupal 6
Same name and namespace in other branches
- 8 core/modules/locale/locale.module \locale_string_is_safe()
- 7 includes/locale.inc \locale_string_is_safe()
- 9 core/modules/locale/locale.module \locale_string_is_safe()
Check that a string is safe to be added or imported as a translation.
This test can be used to detect possibly bad translation strings. It should not have any false positives. But it is only a test, not a transformation, as it destroys valid HTML. We cannot reliably filter translation strings on inport becuase some strings are irreversibly corrupted. For example, a & in the translation would get encoded to & by filter_xss() before being put in the database, and thus would be displayed incorrectly.
The allowed tag list is like filter_xss_admin(), but omitting div and img as not needed for translation and likely to cause layout issues (div) or a possible attack vector (img).
Related topics
2 calls to locale_string_is_safe()
- locale_translate_edit_form_validate in includes/
locale.inc - Validate string editing form submissions.
- _locale_import_one_string_db in includes/
locale.inc - Import one string into the database.
File
- includes/
locale.inc, line 860 - Administration functions for locale.module.
Code
function locale_string_is_safe($string) {
return decode_entities($string) == decode_entities(filter_xss($string, array(
'a',
'abbr',
'acronym',
'address',
'b',
'bdo',
'big',
'blockquote',
'br',
'caption',
'cite',
'code',
'col',
'colgroup',
'dd',
'del',
'dfn',
'dl',
'dt',
'em',
'h1',
'h2',
'h3',
'h4',
'h5',
'h6',
'hr',
'i',
'ins',
'kbd',
'li',
'ol',
'p',
'pre',
'q',
'samp',
'small',
'span',
'strong',
'sub',
'sup',
'table',
'tbody',
'td',
'tfoot',
'th',
'thead',
'tr',
'tt',
'ul',
'var',
)));
}