Nancy,<br><br>I am trying to escape XSS attacks, like alerts....<br>and on the same end, want to convert text URL into links.<br><br>I am doing this<br>$text = check_plain($text);<br>$text = check_markup($text,1);<br>print $text;<br>
<br>is this a correct way, or can there be a better way to achieve this.<br><br><div class="gmail_quote">On Wed, Sep 26, 2012 at 4:19 PM, Ms. Nancy Wichmann <span dir="ltr"><<a href="mailto:nan_wich@bellsouth.net" target="_blank">nan_wich@bellsouth.net</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div style="font-size:12pt;font-family:arial,helvetica,sans-serif"><div><span>The standard Drupal mantra is "Filter on output." So do not filter before saving to the DB. You should filter when rendering the data. You should not use both functions together - that's asking for double encoding issues. Check_markup() will run the data through your input filters and make it safe - assuming that your filters are properly set up.<br>
</span></div><div> </div><div><font color="#ff007f" face="bookman old style, new york, times, serif" size="4"><i><b>Nancy</b></i></font> <br></div><div><font face="arial, helvetica, sans-serif">Injustice anywhere is a threat to justice everywhere. -- Dr. Martin L. King, Jr.</font></div>
<div style="font-style:normal;font-size:16px;background-color:transparent;font-family:arial,helvetica,sans-serif"><br><blockquote style="border-left:2px solid rgb(16,16,255);margin-left:5px;margin-top:5px;padding-left:5px">
<div style="font-family:arial,helvetica,sans-serif;font-size:12pt"> <div style="font-family:times new roman,new york,times,serif;font-size:12pt"> <div dir="ltr"> <font face="Arial"> <hr size="1"> <b><span style="font-weight:bold">From:</span></b> Vaibhav Jain</font><br>
</div><div class="im"><br><div>I am using D6, want to use check_plain and check_markup functions.<br>What is the best time to use these functions and why ?<br>Should they be used before data is saved to DB<br>OR<br>Just before the data is rendered.<br>
<br>I am trying to use both the functions on the same piece of text, firstly escape with check_plain and then implement check_markup to implement few set of filters.<br> </div></div></div> </div> </blockquote></div> </div>
</div><br>--<br>
[ Drupal support list | <a href="http://lists.drupal.org/" target="_blank">http://lists.drupal.org/</a> ]<br></blockquote></div><br><br clear="all"><br>-- <br>Regards,<br>Vaibhav Jain<br>