A.2. Link and URL Building Functions
These five functions sanitize user-provided text and make sure that user-provided URLs are safe for inclusion in links or as src attributes in tags. The l function was covered in Chapter 5.
l($tainted_title, $tainted_path)
Description Creates the full HTML for a link after filtering the title through check_plain and filtering the URL through check_url.
Use Anytime you create a link.
Example Linking node types to the edit page in content_types.inc.
$row = array(
  l($name, 'admin/content/node-type/'. $type_url_str),
  check_plain($type->type),
  filter_xss_admin($type->description),
);
url($tainted_path)
Description Similar to l, url tests URLs by passing them through filtering functions so that they are formatted for use in HTTP headers such as Location:. Note that it does not strip newlines, so that must be done separately.
Use Functionally, to build links that will work regardless of a new domain name or Drupal being installed in a subdirectory. From a security perspective, very little, actually.
Example Redirecting users in common.inc.
$url = url($path, array('query' => $query, 'fragment' => $fragment, 'absolute' => TRUE));
// Remove newlines from the URL to avoid header injection attacks.
$url = str_replace(array("\n", "\r"), '', $url);
...
// Even though session_write_close() is registered as a shutdown function, we
// need all session data written to the database before redirecting.
session_write_close();
header('Location: '. $url, TRUE, $http_response_code);
...
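The point of the common.inc excerpt is that url() builds the redirect target but leaves newline stripping to the caller. The following wrapper is an added example (not code from the book or from Drupal core); it assumes a Drupal 6 bootstrap so that url() is available, and the function names example_safe_redirect_url and example_location_is_clean are hypothetical.

```php
<?php
// Added example, not from the book or from Drupal core.
// Assumes the Drupal 6 bootstrap is loaded so url() is defined.

/**
 * Build an absolute redirect URL from a user-supplied path and strip every
 * CR and LF from the result, the same step drupal_goto() performs before
 * calling header(). Stripping must be the LAST operation on the string:
 * anything appended after it would reopen the header injection window.
 */
function example_safe_redirect_url($tainted_path, $query = NULL) {
  $url = url($tainted_path, array('query' => $query, 'absolute' => TRUE));
  return str_replace(array("\n", "\r"), '', $url);
}

/**
 * Defensive check for code paths that call header() directly: TRUE only if
 * the value contains no header separator characters.
 */
function example_location_is_clean($url) {
  return strpbrk($url, "\r\n") === FALSE;
}

// Constructed sample input: a path carrying an embedded line break.
$tainted = "node/1\r\nX-Injected: yes";
$clean = example_safe_redirect_url($tainted);

// The cleaned value is safe to place in a Location: header.
if (!example_location_is_clean($clean)) {
  trigger_error('Redirect target still contains CR/LF', E_USER_ERROR);
}
header('Location: ' . $clean, TRUE, 302);
```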