Commit 65d3b5dd authored by Dries

- Patch #834710 by solotandem, jhodgdon: filter_xss() documentation does not indicate a return value.
parent 136cb18a
...@@ -1224,25 +1224,30 @@ function filter_xss_admin($string) { ...@@ -1224,25 +1224,30 @@ function filter_xss_admin($string) {
} }
/** /**
* Filter XSS. * Filters an HTML string to prevent cross-site-scripting (XSS) vulnerabilities.
* *
* Based on kses by Ulf Harnhammar, see * Based on kses by Ulf Harnhammar, see http://sourceforge.net/projects/kses.
* http://sourceforge.net/projects/kses * For examples of various XSS attacks, see: http://ha.ckers.org/xss.html.
*
* For examples of various XSS attacks, see:
* http://ha.ckers.org/xss.html
* *
* This code does four things: * This code does four things:
* - Removes characters and constructs that can trick browsers * - Removes characters and constructs that can trick browsers.
* - Makes sure all HTML entities are well-formed * - Makes sure all HTML entities are well-formed.
* - Makes sure all HTML tags and attributes are well-formed * - Makes sure all HTML tags and attributes are well-formed.
* - Makes sure no HTML tags contain URLs with a disallowed protocol (e.g. javascript:) * - Makes sure no HTML tags contain URLs with a disallowed protocol (e.g.
* javascript:).
* *
* @param $string * @param $string
* The string with raw HTML in it. It will be stripped of everything that can cause * The string with raw HTML in it. It will be stripped of everything that can
* an XSS attack. * cause an XSS attack.
* @param $allowed_tags * @param $allowed_tags
* An array of allowed tags. * An array of allowed tags.
*
* @return
* An XSS safe version of $string, or an empty string if $string is not
* valid UTF-8.
*
* @see drupal_validate_utf8()
* @ingroup sanitization
*/ */
function filter_xss($string, $allowed_tags = array('a', 'em', 'strong', 'cite', 'blockquote', 'code', 'ul', 'ol', 'li', 'dl', 'dt', 'dd')) { function filter_xss($string, $allowed_tags = array('a', 'em', 'strong', 'cite', 'blockquote', 'code', 'ul', 'ol', 'li', 'dl', 'dt', 'dd')) {
// Only operate on valid UTF-8 strings. This is necessary to prevent cross // Only operate on valid UTF-8 strings. This is necessary to prevent cross
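Review bot: the new @return block covers the invalid-UTF-8 case, but the @param $allowed_tags description is still the one-liner "An array of allowed tags.", which leaves the caller guessing what the list controls. Spell out that the entries are bare tag names (the default `array('a', 'em', 'strong', 'cite', ...)` in the signature shows the form), that any tag not in the list is stripped, and that the list does not switch off the other checks the header lists (well-formed attributes, and the disallowed-protocol check for "javascript:"), which apply to allowed tags as well. Since the function returns an empty string rather than raising an error on invalid UTF-8, it is also worth a sentence telling callers who need to distinguish "unsafe input" from "not UTF-8" to run drupal_validate_utf8() themselves first, alongside the new @see.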
......