Hello All,
I am using D6 and want to use the check_plain and check_markup functions. What is the best time to use these functions, and why? Should they be used before data is saved to the DB or just before the data is rendered?
I am trying to use both functions on the same piece of text: first escape with check_plain, then use check_markup to apply a set of filters.
Please advise.
The standard Drupal mantra is "Filter on output." So do not filter before saving to the DB. You should filter when rendering the data. You should not use both functions together - that's asking for double encoding issues. Check_markup() will run the data through your input filters and make it safe - assuming that your filters are properly set up.
Nancy
Injustice anywhere is a threat to justice everywhere. -- Dr. Martin L. King, Jr.
Nancy,
I am trying to escape XSS attacks, like alerts, and at the same time want to convert text URLs into links.
I am doing this:
$text = check_plain($text);
$text = check_markup($text,1);
print $text;
Is this a correct way, or is there a better way to achieve this?
On Wed, Sep 26, 2012 at 4:19 PM, Ms. Nancy Wichmann <nan_wich@bellsouth.net> wrote:
The standard Drupal mantra is "Filter on output." So do not filter before saving to the DB. You should filter when rendering the data. You should not use both functions together - that's asking for double encoding issues. Check_markup() will run the data through your input filters and make it safe - assuming that your filters are properly set up.
*Nancy* Injustice anywhere is a threat to justice everywhere. -- Dr. Martin L. King, Jr.
-- [ Drupal support list | http://lists.drupal.org/ ]
You don't want check_plain and check_markup together. Just use check_markup and the appropriate filter (or create one that does the filtering you want).
One other thing:
$text = check_markup($text,1);
That's fine for D7, but D6 should be:
$text = check_markup($text, 1, FALSE);
That prevents any permission problems.
In D7 if you want to cache the filtered output, then use:
$text = check_markup($text, 1, '', TRUE);
Jamie Holly http://www.intoxination.net http://www.hollyit.net
On 9/26/2012 6:55 AM, Vaibhav Jain wrote:
Nancy,
I am trying to escape XSS attacks, like alerts, and at the same time want to convert text URLs into links.
I am doing this:
$text = check_plain($text);
$text = check_markup($text,1);
print $text;
Is this a correct way, or is there a better way to achieve this?
Regards, Vaibhav Jain
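
The double-encoding problem discussed in this thread, as an added PHP example that is not from any of the posters and is not Drupal's code. `demo_plain()` and `demo_markup()` are hypothetical stand-ins for `check_plain()` and for a text format that escapes and links URLs, and the sample string is constructed.

```php
<?php
// Stand-in for check_plain(): HTML-escape a plain-text string.
// Assumption: modelled on htmlspecialchars(); not Drupal's own implementation.
function demo_plain(string $text): string {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Hypothetical stand-in for a text format applied at output time:
// escape the text, then turn bare http(s) URLs into links.
function demo_markup(string $text): string {
  $parts = preg_split('~(https?://[^\s<>"\']+)~', $text, -1, PREG_SPLIT_DELIM_CAPTURE);
  $out = '';
  foreach ($parts as $i => $part) {
    // Odd indexes hold the captured URLs, even indexes the text between them.
    $safe = demo_plain($part);
    $out .= ($i % 2) ? '<a href="' . $safe . '">' . $safe . '</a>' : $safe;
  }
  return $out;
}

// Constructed sample input, stored unmodified in the database.
$stored = 'Tom & Jerry <script>alert(1)</script> http://example.com/?a=1&b=2';

// Filter once, on output: markup is neutralised and the link stays intact.
$once = demo_markup($stored);

// Escape first, then filter: every entity from the first pass is escaped again.
$twice = demo_markup(demo_plain($stored));

echo $once, "\n", $twice, "\n";
```

In the second output line each `&` has become `&amp;amp;`, so the browser displays entity text instead of the original characters and the link's query string no longer matches the stored URL.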