function drupal_strip_dangerous_protocols


cis7 drupal_strip_dangerous_protocols($uri)
cle7 drupal_strip_dangerous_protocols($uri)
elmsmedia7 drupal_strip_dangerous_protocols($uri)
icor7 drupal_strip_dangerous_protocols($uri)
meedjum_blog7 drupal_strip_dangerous_protocols($uri)
mooc7 drupal_strip_dangerous_protocols($uri)

Strips dangerous protocols (e.g. 'javascript:') from a URI.

This function must be called for all URIs within user-entered input prior to being output to an HTML attribute value. It is often called as part of check_url() or filter_xss(), but those functions return an HTML-encoded string, so this function can be called independently when the output needs to be a plain-text string for passing to t(), l(), drupal_attributes(), or another function that will call check_plain() separately.


$uri: A plain-text URI that might contain dangerous protocols.

Return value

A plain-text URI stripped of dangerous protocols. As with all plain-text strings, this return value must not be output to an HTML page without check_plain() being called on it. However, it can be passed to functions expecting plain-text strings.
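The plain-text contract described above can be seen by feeding both return types into drupal_attributes(), which calls check_plain() itself. This is an added example, not Drupal core code. It assumes a bootstrapped Drupal 7 site (for instance a script run with `drush php-script`); example_link_attributes() is a hypothetical helper and the sample URIs are constructed.

```php
<?php
// Added example, not Drupal core code. Assumes a bootstrapped Drupal 7 site
// so that drupal_strip_dangerous_protocols(), check_url() and
// drupal_attributes() are loaded. example_link_attributes() is hypothetical.

/**
 * Builds the attribute string for a link to a user-entered URI.
 */
function example_link_attributes($user_uri, $mode) {
  if ($mode == 'plain') {
    // Correct: keep the URI as plain text. drupal_attributes() calls
    // check_plain() on each value, so it is HTML-encoded exactly once.
    $href = drupal_strip_dangerous_protocols($user_uri);
  }
  else {
    // Mistake: check_url() already returns an HTML-encoded string, so
    // drupal_attributes() encodes it a second time.
    $href = check_url($user_uri);
  }
  return drupal_attributes(array('href' => $href));
}

// Constructed sample inputs.
$samples = array(
  // Allowed scheme; the "&" shows the single versus double encoding.
  'https://example.com/?a=1&b=2',
  // Disallowed scheme, removed up to and including the colon.
  'javascript:alert(1)',
  // Mixed case and nested: comparison is case-insensitive and the loop
  // repeats until the string stops changing.
  'JaVaScRiPt:javascript:alert(1)',
  // Colon after "?" cannot be a scheme, so the relative URL is left alone.
  'node/1?destination=foo:bar',
);

foreach ($samples as $uri) {
  print 'input:     ' . $uri . "\n";
  print 'stripped:  ' . drupal_strip_dangerous_protocols($uri) . "\n";
  print 'plain:     ' . example_link_attributes($uri, 'plain') . "\n";
  print 'check_url: ' . example_link_attributes($uri, 'encoded') . "\n\n";
}
```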


9 calls to drupal_strip_dangerous_protocols()
at_core_fonts_form in sites/all/themes/ulmus/adaptivetheme/at_core/inc/forms/
@file Generate form elements for the font settings.
at_core_submit_fonts in sites/all/themes/ulmus/adaptivetheme/at_core/inc/forms/
@file Extract font data from form values, send for processing and print returned data in a CSS file.
check_url in includes/
Strips dangerous protocols from a URI and encodes it for output to HTML.
filter_xss_bad_protocol in includes/
Processes an HTML attribute value and strips dangerous protocols from URLs.
template_preprocess_html in includes/
Preprocess variables for html.tpl.php



includes/, line 1340
Common functions that many Drupal modules will need to reference.


function drupal_strip_dangerous_protocols($uri) {
  static $allowed_protocols;

  if (!isset($allowed_protocols)) {
    $allowed_protocols = array_flip(variable_get('filter_allowed_protocols', array('ftp', 'http', 'https', 'irc', 'mailto', 'news', 'nntp', 'rtsp', 'sftp', 'ssh', 'tel', 'telnet', 'webcal')));
  }

  // Iteratively remove any invalid protocol found.
  do {
    $before = $uri;
    $colonpos = strpos($uri, ':');
    if ($colonpos > 0) {
      // We found a colon, possibly a protocol. Verify.
      $protocol = substr($uri, 0, $colonpos);
      // If a colon is preceded by a slash, question mark or hash, it cannot
      // possibly be part of the URL scheme. This must be a relative URL, which
      // inherits the (safe) protocol of the base document.
      if (preg_match('![/?#]!', $protocol)) {
        break;
      }
      // Check if this is a disallowed protocol. Per RFC2616, section 3.2.3
      // (URI Comparison) scheme comparison must be case-insensitive.
      if (!isset($allowed_protocols[strtolower($protocol)])) {
        $uri = substr($uri, $colonpos + 1);
      }
    }
  } while ($before != $uri);

  return $uri;
}


