summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorDries Buytaert2010-06-24 18:51:33 (GMT)
committerDries Buytaert2010-06-24 18:51:33 (GMT)
commit65d3b5dd43a0690600dbb023b841e01efb8a5d38 (patch)
treed1b59bc7ba71a7ad10923f3c80dc6b9e607303f1
parent136cb18aac11e5cd0a67290ece949dbffc1018aa (diff)
- Patch #834710 by solotandem, jhodgdon: filter_xss() documentation does not indicate a return value.
-rw-r--r--includes/common.inc29
1 files changed, 17 insertions, 12 deletions
diff --git a/includes/common.inc b/includes/common.inc
index 1722d20..d2b9c24 100644
--- a/includes/common.inc
+++ b/includes/common.inc
@@ -1224,25 +1224,30 @@ function filter_xss_admin($string) {
}
/**
- * Filter XSS.
+ * Filters an HTML string to prevent cross-site-scripting (XSS) vulnerabilities.
*
- * Based on kses by Ulf Harnhammar, see
- * http://sourceforge.net/projects/kses
- *
- * For examples of various XSS attacks, see:
- * http://ha.ckers.org/xss.html
+ * Based on kses by Ulf Harnhammar, see http://sourceforge.net/projects/kses.
+ * For examples of various XSS attacks, see: http://ha.ckers.org/xss.html.
*
* This code does four things:
- * - Removes characters and constructs that can trick browsers
- * - Makes sure all HTML entities are well-formed
- * - Makes sure all HTML tags and attributes are well-formed
- * - Makes sure no HTML tags contain URLs with a disallowed protocol (e.g. javascript:)
+ * - Removes characters and constructs that can trick browsers.
+ * - Makes sure all HTML entities are well-formed.
+ * - Makes sure all HTML tags and attributes are well-formed.
+ * - Makes sure no HTML tags contain URLs with a disallowed protocol (e.g.
+ * javascript:).
*
* @param $string
- * The string with raw HTML in it. It will be stripped of everything that can cause
- * an XSS attack.
+ * The string with raw HTML in it. It will be stripped of everything that can
+ * cause an XSS attack.
* @param $allowed_tags
* An array of allowed tags.
+ *
+ * @return
+ * An XSS safe version of $string, or an empty string if $string is not
+ * valid UTF-8.
+ *
+ * @see drupal_validate_utf8()
+ * @ingroup sanitization
*/
function filter_xss($string, $allowed_tags = array('a', 'em', 'strong', 'cite', 'blockquote', 'code', 'ul', 'ol', 'li', 'dl', 'dt', 'dd')) {
// Only operate on valid UTF-8 strings. This is necessary to prevent cross