Drupal provides a variety of sanitizing functions to make the developer's job easier. Many of these filtering functions are integrated by default into the APIs developers use routinely when building a module, such as querying the database, translating strings into other languages, and creating links to different parts of the site. When necessary, however, developers can call specific text-sanitizing functions to filter user-supplied data themselves.
To filter data, use a combination of check_plain(), check_markup(), and filter_xss_admin(), depending on the type of data you are filtering: check_plain() HTML-encodes text that should be rendered literally, check_markup() runs text through a configured text format (input format) and its filters, and filter_xss_admin() strips dangerous markup from text entered by site administrators while leaving most HTML intact. Most of the time, data that passes through the Drupal API is filtered automatically. There are, however, a few situations where you must filter data yourself: the option labels of check boxes and radio buttons in the Form API, the message passed to drupal_set_message(), and the title passed to drupal_set_title() in 6.x. These apparent inconsistencies in the API are being addressed, although some of them are deliberate: in those particular situations it makes sense to accept unfiltered data, for example so that the caller can supply its own markup.
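The following is an added example, not code from the original page or from Drupal core, showing a page callback and a form builder that handle each of the cases above. It assumes the Drupal 7 core API signatures of check_plain(), check_markup(), filter_xss_admin(), t(), l(), drupal_set_message(), drupal_set_title() and the Form API; the module name "example", the variable name "example_notice", the menu paths and the untrusted strings are constructed for illustration.

```php
<?php
// Added example (not from the original page or from Drupal core).
// Assumes the Drupal 7 core API. The module name "example", the
// "example_notice" variable and the sample strings are constructed.

/**
 * Page callback: renders a user-submitted review. Every value in $review
 * is treated as untrusted; the array stands in for a row loaded from the DB.
 */
function example_review_page() {
  $review = array(
    'author' => 'mallory <script>alert(1)</script>',
    'body'   => 'Great <b>product</b> <img src=x onerror="alert(1)">',
    'format' => 'filtered_html',
  );

  // The @ placeholder runs the value through check_plain(); a ! placeholder
  // would insert it raw. In 7.x drupal_set_title() escapes its argument by
  // default, so pass PASS_THROUGH to avoid double-encoding text that t()
  // already escaped. In 6.x drupal_set_title() did not filter at all, so
  // the same escaped string is exactly what you must hand it.
  $title = t('Review by @name', array('@name' => $review['author']));
  drupal_set_title($title, PASS_THROUGH);

  // drupal_set_message() never filters its argument: the caller is
  // responsible, again via t() with an @ placeholder.
  drupal_set_message(t('Showing the review by @name', array('@name' => $review['author'])));

  // VULNERABLE: the body is printed verbatim, so the onerror handler fires.
  // $html = '<div class="review-body">' . $review['body'] . '</div>';

  // HARDENED: check_markup() applies the filters of the review's text
  // format, so the <img onerror> is removed when the format does not
  // permit it, while allowed tags such as <b> survive.
  $html = '<div class="review-body">'
    . check_markup($review['body'], $review['format'])
    . '</div>';

  // l() runs the link text through check_plain() unless 'html' => TRUE is
  // set, in which case the text must already be sanitized by the caller.
  $html .= l($review['author'], 'reviews/by-author');

  return $html;
}

/**
 * Form builder: the Form API does not escape the labels in #options of
 * checkboxes and radios, so user-controlled labels need check_plain().
 */
function example_review_filter_form($form, &$form_state) {
  // Constructed sample: tag names that untrusted users can edit.
  $tags = array(
    1 => 'electronics',
    2 => 'deals <img src=x onerror="alert(1)">',
  );

  $form['tags'] = array(
    '#type' => 'checkboxes',
    '#title' => t('Tags'),
    // VULNERABLE: '#options' => $tags,
    // HARDENED: escape every label before the Form API renders it.
    '#options' => array_map('check_plain', $tags),
  );

  // Site-wide notice entered by an administrator. #markup is rendered as-is
  // in 7.x, so filter it: filter_xss_admin() keeps most HTML but removes
  // <script>, <style>, event-handler attributes and javascript: URLs.
  $form['notice'] = array(
    '#markup' => filter_xss_admin(variable_get('example_notice', '')),
  );

  $form['submit'] = array('#type' => 'submit', '#value' => t('Filter'));
  return $form;
}
```

The rule of thumb the example follows: escape at the last moment, exactly once. Text that has already been escaped by t() with an @ placeholder or by check_plain() must not be passed to another function that escapes again (hence PASS_THROUGH for drupal_set_title() in 7.x), and text that will be escaped downstream, such as the link text given to l(), must be handed over raw.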