function filter_xss

8.x common.inc filter_xss($string, $allowed_tags = array('a', 'em', 'strong', 'cite', 'blockquote', 'code', 'ul', 'ol', 'li', 'dl', 'dt', 'dd'))

Filters HTML to prevent cross-site-scripting (XSS) vulnerabilities.

Based on kses by Ulf Harnhammar, see http://sourceforge.net/projects/kses. For examples of various XSS attacks, see: http://ha.ckers.org/xss.html.

This code does four things:

  • Removes characters and constructs that can trick browsers.
  • Makes sure all HTML entities are well-formed.
  • Makes sure all HTML tags and attributes are well-formed.
  • Makes sure no HTML tags contain URLs with a disallowed protocol (e.g. javascript:).

Parameters

$string: The string with raw HTML in it. It will be stripped of everything that can cause an XSS attack.

$allowed_tags: An array of allowed tags.

Return value

An XSS safe version of $string, or an empty string if $string is not valid UTF-8.

See also

\Drupal\Component\Utility\Xss::filter()

Related topics

8 calls to filter_xss()
aggregator_filter_xss in drupal/core/modules/aggregator/aggregator.module
Renders the HTML content safely, as allowed.
comment_tokens in drupal/core/modules/comment/comment.tokens.inc
Implements hook_tokens().
field_filter_xss in drupal/core/modules/field/field.module
Filters an HTML string to prevent cross-site-scripting (XSS) vulnerabilities.
format_backtrace in drupal/core/includes/errors.inc
Formats a backtrace into a plain-text string.
hook_tokens in drupal/core/modules/system/system.api.php
Provide replacement values for placeholder tokens.

... See full list

File

drupal/core/includes/common.inc, line 957
Common functions that many Drupal modules will need to reference.

Code

function filter_xss($string, $allowed_tags = array('a', 'em', 'strong', 'cite', 'blockquote', 'code', 'ul', 'ol', 'li', 'dl', 'dt', 'dd')) {
  return Xss::filter($string, $allowed_tags);
}