public static function UrlHelper::stripDangerousProtocols in Service Container 7
Same name and namespace in other branches
- 7.2 lib/Drupal/Component/Utility/UrlHelper.php \Drupal\Component\Utility\UrlHelper::stripDangerousProtocols()
Strips dangerous protocols (e.g. 'javascript:') from a URI.
This function must be called for all URIs within user-entered input prior to being output to an HTML attribute value. It is often called as part of \Drupal\Component\Utility\UrlHelper::filterBadProtocol() or \Drupal\Component\Utility\Xss::filter(), but those functions return an HTML-encoded string, so this function can be called independently when the output needs to be a plain-text string for passing to functions that will call Html::escape() separately. The exact behavior depends on the value:
- If the value is a well-formed (per RFC 3986) relative URL or absolute URL that does not use a dangerous protocol (like "javascript:"), then the URL remains unchanged. This includes all URLs generated via Url::toString() and UrlGeneratorTrait::url().
- If the value is a well-formed absolute URL with a dangerous protocol, the protocol is stripped. This process is repeated on the remaining URL until it is stripped down to a safe protocol.
- If the value is not a well-formed URL, the same sanitization behavior as for well-formed URLs will be invoked, which strips most substrings that precede a ":". The result can be used in URL attributes such as "href" or "src" (only after calling Html::escape() separately), but this may not produce valid HTML (e.g., malformed URLs within "href" attributes fail HTML validation). This can be avoided by using Url::fromUri($possibly_not_a_url)->toString(), which either throws an exception or returns a well-formed URL.
Parameters
string $uri: A plain-text URI that might contain dangerous protocols.
Return value
string A plain-text URI stripped of dangerous protocols. As with all plain-text strings, this return value must not be output to an HTML page without being sanitized first. However, it can be passed to functions expecting plain-text strings.
See also
\Drupal\Component\Utility\Html::escape()
\Drupal\Core\Url::toString()
\Drupal\Core\Routing\UrlGeneratorTrait::url()
\Drupal\Core\Url::fromUri()
2 calls to UrlHelper::stripDangerousProtocols()
- UrlHelper::filterBadProtocol in lib/
Drupal/ Component/ Utility/ UrlHelper.php - Processes an HTML attribute value and strips dangerous protocols from URLs.
- UrlHelper::isExternal in lib/
Drupal/ Component/ Utility/ UrlHelper.php - Determines whether a path is external to Drupal (e.g. http://example.com).
File
- lib/
Drupal/ Component/ Utility/ UrlHelper.php, line 338 - Contains \Drupal\Component\Utility\UrlHelper.
Class
- UrlHelper
- Helper class URL based methods.
Namespace
Drupal\Component\UtilityCode
public static function stripDangerousProtocols($uri) {
$allowed_protocols = array_flip(static::$allowedProtocols);
// Iteratively remove any invalid protocol found.
do {
$before = $uri;
$colonpos = strpos($uri, ':');
if ($colonpos > 0) {
// We found a colon, possibly a protocol. Verify.
$protocol = substr($uri, 0, $colonpos);
// If a colon is preceded by a slash, question mark or hash, it cannot
// possibly be part of the URL scheme. This must be a relative URL, which
// inherits the (safe) protocol of the base document.
if (preg_match('![/?#]!', $protocol)) {
break;
}
// Check if this is a disallowed protocol. Per RFC2616, section 3.2.3
// (URI Comparison) scheme comparison must be case-insensitive.
if (!isset($allowed_protocols[strtolower($protocol)])) {
$uri = substr($uri, $colonpos + 1);
}
}
} while ($before != $uri);
return $uri;
}