function filter_xss

cis7 common.inc filter_xss($string, $allowed_tags = array('a', 'em', 'strong', 'cite', 'blockquote', 'code', 'ul', 'ol', 'li', 'dl', 'dt', 'dd'))
cle7 common.inc filter_xss($string, $allowed_tags = array('a', 'em', 'strong', 'cite', 'blockquote', 'code', 'ul', 'ol', 'li', 'dl', 'dt', 'dd'))
elmsmedia7 common.inc filter_xss($string, $allowed_tags = array('a', 'em', 'strong', 'cite', 'blockquote', 'code', 'ul', 'ol', 'li', 'dl', 'dt', 'dd'))
icor7 common.inc filter_xss($string, $allowed_tags = array('a', 'em', 'strong', 'cite', 'blockquote', 'code', 'ul', 'ol', 'li', 'dl', 'dt', 'dd'))
meedjum_blog7 common.inc filter_xss($string, $allowed_tags = array('a', 'em', 'strong', 'cite', 'blockquote', 'code', 'ul', 'ol', 'li', 'dl', 'dt', 'dd'))
mooc7 common.inc filter_xss($string, $allowed_tags = array('a', 'em', 'strong', 'cite', 'blockquote', 'code', 'ul', 'ol', 'li', 'dl', 'dt', 'dd'))

Filters HTML to prevent cross-site-scripting (XSS) vulnerabilities.

Based on kses by Ulf Harnhammar, see http://sourceforge.net/projects/kses. For examples of various XSS attacks, see: http://ha.ckers.org/xss.html.

This code does four things:

  • Removes characters and constructs that can trick browsers.
  • Makes sure all HTML entities are well-formed.
  • Makes sure all HTML tags and attributes are well-formed.
  • Makes sure no HTML tags contain URLs with a disallowed protocol (e.g. javascript:).

Parameters

$string: The string with raw HTML in it. It will be stripped of everything that can cause an XSS attack.

$allowed_tags: An array of allowed tags.

Return value

An XSS-safe version of $string, or an empty string if $string is not valid UTF-8.

See also

drupal_validate_utf8()

56 calls to filter_xss()
advagg_admin_info_form in sites/all/modules/ulmus/advagg/advagg.admin.inc
Form builder; Show info about advagg and advagg settings.
advagg_css_compress_admin_settings_form in sites/all/modules/ulmus/advagg/advagg_css_compress/advagg_css_compress.admin.inc
Form builder; Configure advagg settings.
advagg_js_compress_admin_settings_form in sites/all/modules/ulmus/advagg/advagg_js_compress/advagg_js_compress.admin.inc
Form builder; Configure advagg settings.
aggregator_filter_xss in modules/aggregator/aggregator.module
Renders the HTML content safely, as allowed.
analytics_dashboard_form in sites/all/modules/local_contrib/google_chart_tools/analytics_dashboard/analytics_dashboard.forms.inc
Provide a simple form to change time periods


8 string references to 'filter_xss'
diff_global_settings_form in sites/all/modules/ulmus/diff/diff.diff.inc
Helper function to initiate any global form elements.
entity_metadata_comment_entity_property_info in sites/all/modules/ulmus/entity/modules/comment.info.inc
Implements hook_entity_property_info() on top of comment module.
entity_metadata_poll_entity_property_info_alter in sites/all/modules/ulmus/entity/modules/poll.info.inc
Implements hook_entity_property_info_alter() on top of poll module.
entity_metadata_system_entity_property_info in sites/all/modules/ulmus/entity/modules/system.info.inc
Implements hook_entity_property_info() on top of system module.
entity_metadata_taxonomy_entity_property_info in sites/all/modules/ulmus/entity/modules/taxonomy.info.inc
Implements hook_entity_property_info() on top of taxonomy module.


File

includes/common.inc, line 1431
Common functions that many Drupal modules will need to reference.

Code

function filter_xss($string, $allowed_tags = array('a', 'em', 'strong', 'cite', 'blockquote', 'code', 'ul', 'ol', 'li', 'dl', 'dt', 'dd')) {
  // Only operate on valid UTF-8 strings. This is necessary to prevent cross
  // site scripting issues on Internet Explorer 6.
  if (!drupal_validate_utf8($string)) {
    return '';
  }
  // Store the text format.
  _filter_xss_split($allowed_tags, TRUE);
  // Remove NULL characters (ignored by some browsers).
  $string = str_replace(chr(0), '', $string);
  // Remove Netscape 4 JS entities.
  $string = preg_replace('%&\s*\{[^}]*(\}\s*;?|$)%', '', $string);

  // Defuse all HTML entities by escaping every ampersand. (The literal
  // '&amp;' strings below were decoded to bare '&' by the page extraction,
  // which made the replacements no-ops; restored here to the actual code.)
  $string = str_replace('&', '&amp;', $string);
  // Change back only well-formed entities in our whitelist:
  // Decimal numeric entities.
  $string = preg_replace('/&amp;#([0-9]+;)/', '&#\1', $string);
  // Hexadecimal numeric entities (leading zeros dropped, whole byte pairs only).
  $string = preg_replace('/&amp;#[Xx]0*((?:[0-9A-Fa-f]{2})+;)/', '&#x\1', $string);
  // Named entities.
  $string = preg_replace('/&amp;([A-Za-z][A-Za-z0-9]*;)/', '&\1', $string);

  return preg_replace_callback('%
    (
    <(?=[^a-zA-Z!/])  # a lone <
    |                 # or
    <!--.*?-->        # a comment
    |                 # or
    <[^>]*(>|$)       # a string that starts with a <, up until the > or the end of the string
    |                 # or
    >                 # just a >
    )%x', '_filter_xss_split', $string);
}
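To see the entity-defusing step and the tokenizer regex in action, here is an added Python port (example code, not Drupal's). The entity handling and the tokenizer follow the regexes above exactly; `_split` is an assumed, deliberately simplified stand-in for `_filter_xss_split`, whose body this page does not show: it keeps allowed tags by bare name and drops every attribute, whereas the real callback validates attributes and URL protocols.

```python
import re

# Added example, not Drupal's code: a Python port of the entity-defusing step and
# the tokenizer regex shown on the page, plus a deliberately simplified stand-in
# for _filter_xss_split (whose body the page does not show).

DEFAULT_ALLOWED = ('a', 'em', 'strong', 'cite', 'blockquote', 'code',
                   'ul', 'ol', 'li', 'dl', 'dt', 'dd')

def defuse_entities(s: str) -> str:
    """Escape every '&', then restore only the well-formed entities."""
    s = s.replace('\0', '')                                   # NULL characters
    s = re.sub(r'&\s*\{[^}]*(\}\s*;?|$)', '', s)              # Netscape 4 &{...}; entities
    s = s.replace('&', '&amp;')                               # defuse everything
    s = re.sub(r'&amp;#([0-9]+;)', r'&#\1', s)                # decimal numeric
    s = re.sub(r'&amp;#[Xx]0*((?:[0-9A-Fa-f]{2})+;)', r'&#x\1', s)  # hex numeric
    s = re.sub(r'&amp;([A-Za-z][A-Za-z0-9]*;)', r'&\1', s)    # named
    return s

TOKEN_RE = re.compile(r'''
    <(?=[^a-zA-Z!/])   # a lone <
  | <!--.*?-->         # a comment
  | <[^>]*(?:>|$)      # a tag, up to the > or the end of the string
  | >                  # just a >
''', re.X)

def _split(tok: str, allowed) -> str:
    """Simplified stand-in (assumption): keep allowed tags by bare name only."""
    if tok == '<':
        return '&lt;'
    if tok == '>':
        return '&gt;'
    if tok.startswith('<!--'):
        return ''
    m = re.match(r'<\s*(/?)\s*([a-zA-Z][a-zA-Z0-9]*)', tok)
    if not m or m.group(2).lower() not in allowed:
        return ''                      # unknown or disallowed tag: drop it
    return '<' + m.group(1) + m.group(2).lower() + '>'   # attributes dropped

def filter_xss(data, allowed=DEFAULT_ALLOWED) -> str:
    """Mirror of the page's filter_xss(): invalid UTF-8 bytes yield ''."""
    if isinstance(data, bytes):
        try:
            data = data.decode('utf-8')
        except UnicodeDecodeError:
            return ''
    return TOKEN_RE.sub(lambda m: _split(m.group(0), allowed),
                        defuse_entities(data))
```

Feed it a constructed string mixing malformed entities, a comment, a disallowed tag and stray angle brackets to watch each branch of the tokenizer fire; the entity step shows why `&#x041;` and `&#X41;` both normalise to `&#x41;` while `&lt` without its semicolon stays escaped.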