Link and URL Building Functions

These five functions sanitize user-provided text and make sure that user-provided URLs are safe for inclusion in links or as src elements in tags. The l function was covered in Chapter 5.

n Description: Creates full HTML for links after filtering the title through check_plain and filtering the URL through check_url.

n Example: Linking node types to the edit page in content_ types.inc.

l($name, 'admin/content/node-type/1. $type_url_str), check_plain($type->type), filter_xss_admin($type->description),

a Description: Similar to l, tests URLs by passing them through filtering functions so that they are formatted to use in HTTP headers like Location:. Note that it does not do newline stripping, so that needs to be done separately.

a Use: Functionally, to build links that will work regardless of a new domain name or Drupal being installed in a subdirectory. From a security perspective, very little, actually.

□ Example: Redirecting users in common.inc.

$url = url($path, array('query' => $query, 'fragment' => $fragment,

'absolute' => TRUE)); // Remove newlines from the URL to avoid header injection attacks. $url = str_replace(array(''\n'', ''\r''), '', $url);

// Even though session_write_close() is registered as a shutdown function, we // need all session data written to the database before redirecting. session_write_close();

header('Location: '. $url, TRUE, $http_response_code);

Description: Similar to l, tests URLs by passing them through filtering functions so that they are safe to use in HTML tags like

□ Use: Inserting user-supplied data in a URL that will be embedded in HTML.

□ Example: From profile_view_field in profile.module.

if (isset($user->{$field->name}) && $value = $user->{$field->name}) { switch ($field->type) { case 'textarea1:

return check_markup($value); case 'textfield': case 'selection':

return $browse ? l($value, 'profile/'. $field->name .'/'. $value) : check_plain($value);

case 'checkbox':

return $browse ? l($field->title, 'profile/'. $field->name) : check_plain($field->title); case 'url':

return '<a href="'. check_url($value) .'">'. check_plain($value) .'</a>';

a Description: More a utility than specifically a security function; creates the URL to a file in the files directory.

n Use: Getting the URL of an image.

n Example: User avatars.

if (!empty($account->picture) && file_exists($account->picture)) { $picture = file_create_url($account->picture);

else if (variable_get('user_picture_default', '')) { $picture = variable_get('user_picture_default', '');

$alt = t("@user's picture", array('@user' => $account->name ? $account->name : variable_get('anonymous', t('Anonymous'))));

$variables['picture'] = theme('image', $picture, $alt, $alt, '', FALSE); if (!empty($account->uid) && user_access('access user profiles')) { $attributes = array('attributes' =>

array('title' => t('View user profile.')), 'html' => TRUE); $variables['picture'] = l($variables['picture'], ''user/$account->uid'', $attributes);

■ l($sanitized_html, $tainted_path, array('html' => TRUE))

□ Description: When you need to include HTML such as an image into a link, use the XYZ parameter so that your text will not be filtered. Be sure that you perform your own appropriate filtering so that the link stays safe.

Use: Creating links with images as the linked elements.

Example: Linking an image to a website.

function theme_system_powered_by($image_path) { $image = theme('image', $image_path, t('Powered by Drupal, an open source content management system'), t('Powered by Drupal, an open source content management system')); return l($image, 'http://drupal.org', array('html' => TRUE, 'absolute' => TRUE, 'external' => TRUE));

NOTE

li!»m In this example the call to theme_image includes the call to check_url, which makes it safe to directly insert the $image.

□ Description: Takes in a string that, when combined with the current user's session, will be unique and returns a unique hash value based on the string, the session, and a site-specific secret value. Used in the Form API to reduce CSRF. Can be used to secure links against CSRF when those links are used for AJAX. Check the validity of a link with drupal_valid_token.

n Use: Outside the Form API where it is leveraged by default, useful for creating links that alter data and are protected from CSRF.

□ Example: Protecting nodequeue manipulation links from CSRF.

function nodequeue_get_query_string($seed, $destination = FALSE,

if ($dest = drupal_get_destination()) { $query[] = $dest;

function nodequeue_get_token($nid) {

return token='. drupal_get_token($nid);

function nodequeue_check_token($seed) {

Was this article helpful?

0 0

Post a comment