[support] Using check_markup and check_plain

Jamie Holly hovercrafter at earthlink.net
Wed Sep 26 16:05:45 UTC 2012


You don't want check_plain and check_markup together. Just use 
check_markup and the appropriate filter (or create one that does the 
filtering you want).

One other thing:

  $text = check_markup($text,1);

That's fine for D7, but D6 should be:

$text = check_markup($text, 1, FALSE);

That prevents any permission problems.

In D7 if you want to cache the filtered output, then use:

$text = check_markup($text, 1, '', TRUE);

Jamie Holly
http://www.intoxination.net
http://www.hollyit.net

On 9/26/2012 6:55 AM, Vaibhav Jain wrote:
> Nancy,
>
> I am trying to escape XSS attacks, like alerts....
> and on the same end, want to convert text URL into links.
>
> I am doing this
> $text = check_plain($text);
> $text = check_markup($text,1);
> print $text;
>
> Is this a correct way, or can there be a better way to achieve this?
>
> On Wed, Sep 26, 2012 at 4:19 PM, Ms. Nancy Wichmann 
> <nan_wich at bellsouth.net> wrote:
>
>     The standard Drupal mantra is "Filter on output." So do not filter
>     before saving to the DB. You should filter when rendering the
>     data. You should not use both functions together - that's asking
>     for double encoding issues. Check_markup() will run the data
>     through your input filters and make it safe - assuming that your
>     filters are properly set up.
>     /*Nancy*/
>     Injustice anywhere is a threat to justice everywhere. -- Dr.
>     Martin L. King, Jr.
>
>         ------------------------------------------------------------------------
>         *From:* Vaibhav Jain
>
>         I am using D6, want to use check_plain and check_markup functions.
>         What is the best time to use these functions and why?
>         Should they be used before data is saved to DB
>         OR
>         Just before the data is rendered.
>
>         I am trying to use both the functions on the same piece of
>         text, firstly escape with check_plain and then apply
>         check_markup to implement a few filters.
>
>
>     --
>     [ Drupal support list | http://lists.drupal.org/ ]
>
> -- 
> Regards,
> Vaibhav Jain
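
An added stand-alone illustration (not Drupal's code and not part of the thread) of the double-encoding problem Nancy describes: plain() and render() are constructed stand-ins for check_plain() and for check_markup() with a format whose filters escape HTML and link URLs, so it runs with plain PHP 7.1+ and no Drupal bootstrap.

```php
<?php
// Constructed stand-ins (not Drupal code) for check_plain() and for a text
// format whose filters escape HTML and turn URLs into links, to show why
// stacking check_plain() before check_markup() double-encodes.

function plain(string $text): string {
    // Equivalent of check_plain(): escape for literal HTML display.
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

function render(string $text): string {
    // Stand-in for check_markup() with an escaping + URL-linking format.
    // Every byte is escaped exactly once; URLs are wrapped in <a> tags.
    $out = '';
    $pos = 0;
    preg_match_all('#https?://[^\s<"]+#i', $text, $m, PREG_OFFSET_CAPTURE);
    foreach ($m[0] as [$url, $off]) {
        $out .= htmlspecialchars(substr($text, $pos, $off - $pos), ENT_QUOTES, 'UTF-8');
        $safe = htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
        $out .= '<a href="' . $safe . '">' . $safe . '</a>';
        $pos = $off + strlen($url);
    }
    return $out . htmlspecialchars(substr($text, $pos), ENT_QUOTES, 'UTF-8');
}

// Constructed sample input: a URL with a query string plus a script tag.
$input = 'See http://example.com/?a=1&b=2 <script>alert(1)</script>';

// Filter on output, once: the tag is neutralised and the link's href
// carries a=1&amp;b=2, which the browser decodes back to a=1&b=2.
echo render($input), "\n";

// Escape first, then filter: the ampersand becomes &amp;amp; inside the
// href (a broken query string) and the escaped tag is shown as the
// literal text "&lt;script&gt;" instead of "<script>".
echo render(plain($input)), "\n";
```

Run it with `php double_encoding.php` and compare the two lines; the second is what a page sees when check_plain() output is fed into an input format that already escapes.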
