5.6. Filtering Content: check_plain, check_markup, filter_xss_admin

One major area where security meets the Drupal API is filtering user-supplied content. As you've seen so far, this filtering is often done automatically as part of another API, and that API has its own reasons for doing it. However, there are cases where the filtering must be done for its own sake, and there developers must call the appropriate filter functions directly. The three major functions are check_plain, check_markup, and filter_xss_admin. Table 5.2 gives an overview of each of the functions.

Table 5.2. Overview of Filter Functions

Function            Use when
check_plain         You want to present all HTML as encoded entities.
check_markup        You want to allow at least some HTML, and the user has selected a specific format. When you are unsure of the format and need HTML, but must limit the HTML that is allowed, use the "default" format as a fallback.
filter_xss_admin    The text was entered by administrators and HTML may be appropriate.

5.6.1. Escaping Everything: check_plain

There are situations where there simply should not be any HTML characters. The username is a perfect example of such a situation. While the form validation for creating usernames prevents the creation of invalid usernames, modules cannot rely on that to protect site visitors from potentially harmful usernames. The philosophy in Drupal is to validate the data on input but filter the data on output to make it appropriate for the context. So for display in the browser, usernames are sent ...
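The following PHP is an added example, not code from the book or from Drupal itself. It shows the three functions from Table 5.2 applied side by side in the way the check_plain discussion above recommends: each field is filtered on output according to the context it is displayed in, whatever validation happened on input. It assumes a bootstrapped Drupal 6 site so that check_plain(), check_markup(), filter_xss_admin(), t() and FILTER_FORMAT_DEFAULT are available; the function name example_render_comment, the admin-notice parameter and the comment object are constructed for illustration.

```php
<?php
// Added example (not from the book): choosing the output filter by context
// in a Drupal 6 module. Assumes a bootstrapped Drupal 6 site; the function
// name, the $admin_notice parameter and the comment object are constructed.

/**
 * Render one comment for the browser. Every field is filtered on output,
 * matching the context it will be displayed in, regardless of what input
 * validation did when the data was saved.
 *
 * @param object $comment
 *   Constructed stand-in for a loaded comment: ->name, ->comment, ->format.
 * @param string $admin_notice
 *   Text entered by a site administrator on a settings form.
 */
function example_render_comment($comment, $admin_notice) {
  // Username: no HTML is ever legitimate here, so encode everything.
  // check_plain() turns <, >, &, " and ' into entities, so a name such as
  // <script>alert(1)</script> is displayed literally instead of executed.
  $name = check_plain($comment->name);

  // Comment body: the author chose an input format when posting, so run the
  // text through that format's filters (HTML filter, line breaks, ...).
  // The third argument keeps the access check on, so a format the current
  // user may not use falls back to the default format rather than rendering
  // with a more permissive one.
  $body = check_markup($comment->comment, $comment->format, TRUE);

  // Admin-entered text: some HTML (links, emphasis) is appropriate, but
  // script, style and event-handler attributes are still stripped.
  $notice = filter_xss_admin($admin_notice);

  // t() with an @placeholder applies check_plain() itself; a !placeholder
  // inserts the value unchanged, so only pass it text that is already
  // filtered, as $name is here.
  $heading = t('Comment by !name', array('!name' => $name));

  return '<div class="example-comment">'
    . '<h3>' . $heading . '</h3>'
    . '<div class="body">' . $body . '</div>'
    . '<p class="admin-notice">' . $notice . '</p>'
    . '</div>';
}

// Constructed sample input with hostile content in each field.
$comment = new stdClass();
$comment->name = '<img src=x onerror=alert(1)>';
$comment->comment = "Hello <b>world</b>\n<script>alert(2)</script>";
$comment->format = FILTER_FORMAT_DEFAULT;

print example_render_comment($comment, 'Site <em>notice</em> <script>alert(3)</script>');
```

With the stock Filtered HTML format as the default, the username is rendered as an escaped string, the comment body keeps the bold tag but loses the script element, and the admin notice keeps the emphasis while the script element is removed. Changing which function handles which field (for example, running the username through filter_xss_admin) is exactly the kind of mismatch between context and filter that this section is warning about.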
