[support] Using check_markup and check_plain
Jamie Holly
hovercrafter at earthlink.net
Wed Sep 26 16:05:45 UTC 2012
You don't want check_plain and check_markup together. Just use
check_markup and the appropriate filter (or create one that does the
filtering you want).

One other thing:

    $text = check_markup($text,1);

That's fine for D7, but D6 should be:

    $text = check_markup($text, 1, FALSE);

That prevents any permission problems.

In D7 if you want to cache the filtered output, then use:

    $text = check_markup($text, 1, '', TRUE);

Jamie Holly
http://www.intoxination.net
http://www.hollyit.net
On 9/26/2012 6:55 AM, Vaibhav Jain wrote:
> Nancy,
>
> I am trying to escape XSS attacks, like alerts....
> and on the same end, want to convert text URL into links.
>
> I am doing this
> $text = check_plain($text);
> $text = check_markup($text,1);
> print $text;
>
> Is this a correct way, or can there be a better way to achieve this?
>
> On Wed, Sep 26, 2012 at 4:19 PM, Ms. Nancy Wichmann
> <nan_wich at bellsouth.net> wrote:
>
> The standard Drupal mantra is "Filter on output." So do not filter
> before saving to the DB. You should filter when rendering the
> data. You should not use both functions together - that's asking
> for double encoding issues. Check_markup() will run the data
> through your input filters and make it safe - assuming that your
> filters are properly set up.
> /*Nancy*/
> Injustice anywhere is a threat to justice everywhere. -- Dr.
> Martin L. King, Jr.
>
> ------------------------------------------------------------------------
> *From:* Vaibhav Jain
>
> I am using D6, want to use check_plain and check_markup functions.
> What is the best time to use these functions and why?
> Should they be used before data is saved to DB
> OR
> Just before the data is rendered.
>
> I am trying to use both the functions on the same piece of
> text, firstly escape with check_plain and then implement
> check_markup to implement few set of filters.
>
> --
> Regards,
> Vaibhav Jain
>
>
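
The double-encoding problem discussed in this thread, as an added stand-alone example that is not part of the original messages and is not Drupal core code. The `demo_*` functions are hypothetical stand-ins, and the text format is assumed to escape all HTML and then convert URLs into links; the sample input is constructed.

```php
<?php
// Added illustration, not Drupal core code; runs stand-alone with the PHP CLI.

// Drupal's check_plain() wraps this same htmlspecialchars() call.
function demo_check_plain($text) {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Hypothetical stand-in for check_markup() with a format (assumed) that
// escapes all HTML and then converts URLs into links.
function demo_check_markup($text) {
  $text = htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  // Simplified URL filter: link http(s) URLs up to the next whitespace.
  return preg_replace('~\bhttps?://\S+~', '<a href="$0">$0</a>', $text);
}

// Approximates what a reader sees: drop the tags, decode entities once.
function demo_visible_text($html) {
  return html_entity_decode(strip_tags($html), ENT_QUOTES, 'UTF-8');
}

// Constructed sample input.
$input = 'Tom & Jerry <script>alert(1)</script> http://example.com/?a=1&b=2';

$cases = array(
  'check_markup only'          => demo_check_markup($input),
  'check_plain + check_markup' => demo_check_markup(demo_check_plain($input)),
);

foreach ($cases as $label => $html) {
  $visible = demo_visible_text($html);
  echo $label, "\n";
  echo '  markup : ', $html, "\n";
  echo '  visible: ', $visible, "\n";
  echo '  matches what was typed: ', ($visible === $input ? 'yes' : 'no'), "\n\n";
}
```

Both outputs are inert as HTML, but the second one shows literal entities such as `&amp;` to the reader and puts a doubly escaped query string in the link's `href`.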