function UrlHelper::stripDangerousProtocols

Same name in other branches
  1. 9 core/lib/Drupal/Component/Utility/UrlHelper.php \Drupal\Component\Utility\UrlHelper::stripDangerousProtocols()
  2. 8.9.x core/lib/Drupal/Component/Utility/UrlHelper.php \Drupal\Component\Utility\UrlHelper::stripDangerousProtocols()
  3. 10 core/lib/Drupal/Component/Utility/UrlHelper.php \Drupal\Component\Utility\UrlHelper::stripDangerousProtocols()

Strips dangerous protocols (for example, 'javascript:') from a URI.

This function must be called for all URIs within user-entered input prior to being output to an HTML attribute value. It is often called as part of \Drupal\Component\Utility\UrlHelper::filterBadProtocol() or \Drupal\Component\Utility\Xss::filter(), but those functions return an HTML-encoded string, so this function can be called independently when the output needs to be a plain-text string for passing to functions that will call Html::escape() separately. The exact behavior depends on the value:

  • If the value is a well-formed (per RFC 3986) relative URL or absolute URL that does not use a dangerous protocol (like "javascript:"), then the URL remains unchanged. This includes all URLs generated via Url::toString().
  • If the value is a well-formed absolute URL with a dangerous protocol, the protocol is stripped. This process is repeated on the remaining URL until it is stripped down to a safe protocol.
  • If the value is not a well-formed URL, the same sanitization behavior as for well-formed URLs will be invoked, which strips most substrings that precede a ":". The result can be used in URL attributes such as "href" or "src" (only after calling Html::escape() separately), but this may not produce valid HTML (for example, malformed URLs within "href" attributes fail HTML validation). This can be avoided by using Url::fromUri($possibly_not_a_url)->toString(), which either throws an exception or returns a well-formed URL.

Parameters

string $uri: A plain-text URI that might contain dangerous protocols.

Return value

string A plain-text URI stripped of dangerous protocols. As with all plain-text strings, this return value must not be output to an HTML page without being sanitized first. However, it can be passed to functions expecting plain-text strings.

See also

\Drupal\Component\Utility\Html::escape()

\Drupal\Core\Url::toString()

\Drupal\Core\Url::fromUri()

10 calls to UrlHelper::stripDangerousProtocols()
comment_tokens in core/modules/comment/comment.tokens.inc
Implements hook_tokens().
FormattableMarkup::placeholderFormat in core/lib/Drupal/Component/Render/FormattableMarkup.php
Replaces placeholders in a string with values.
HandlerBase::sanitizeValue in core/modules/views/src/Plugin/views/HandlerBase.php
Sanitize the value for output.
system_page_attachments in core/modules/system/system.module
Implements hook_page_attachments().
template_preprocess_form in core/includes/form.inc
Prepares variables for form templates.

... See full list

File

core/lib/Drupal/Component/Utility/UrlHelper.php, line 402

Class

UrlHelper
Helper class URL based methods.

Namespace

Drupal\Component\Utility

Code

public static function stripDangerousProtocols($uri) {
    $allowed_protocols = array_flip(static::$allowedProtocols);
    // Iteratively remove any invalid protocol found.
    do {
        $before = $uri;
        $colon_position = strpos($uri, ':');
        if ($colon_position > 0) {
            // We found a colon, possibly a protocol. Verify.
            $protocol = substr($uri, 0, $colon_position);
            // If a colon is preceded by a slash, question mark or hash, it cannot
            // possibly be part of the URL scheme. This must be a relative URL, which
            // inherits the (safe) protocol of the base document.
            if (preg_match('![/?#]!', $protocol)) {
                break;
            }
            // Check if this is a disallowed protocol. Per RFC2616, section 3.2.3
            // (URI Comparison) scheme comparison must be case-insensitive.
            if (!isset($allowed_protocols[strtolower($protocol)])) {
                $uri = substr($uri, $colon_position + 1);
            }
        }
    } while ($before != $uri);
    return $uri;
}

Buggy or inaccurate documentation? Please file an issue. Need support? Need help programming? Connect with the Drupal community.