function locale_string_is_safe
| 7.x locale.inc | locale_string_is_safe($string) |
| 6.x locale.inc | locale_string_is_safe($string) |
Check that a string is safe to be added or imported as a translation.
This test can be used to detect possibly bad translation strings. It should not have any false positives. But it is only a test, not a transformation, as it destroys valid HTML. We cannot reliably filter translation strings on import because some strings are irreversibly corrupted. For example, a & in the translation would get encoded to & by filter_xss() before being put in the database, and thus would be displayed incorrectly.
The allowed tag list is like filter_xss_admin(), but omitting div and img as not needed for translation and likely to cause layout issues (div) or a possible attack vector (img).
2 calls to locale_string_is_safe()
- locale_translate_edit_form_validate in drupal-7.x/
modules/ locale/ locale.admin.inc - Validate string editing form submissions.
- _locale_import_one_string_db in drupal-7.x/
includes/ locale.inc - Import one string into the database.
File
- drupal-7.x/
includes/ locale.inc, line 525 - Administration functions for locale.module.
Code
function locale_string_is_safe($string) {
return decode_entities($string) == decode_entities(filter_xss($string, array('a', 'abbr', 'acronym', 'address', 'b', 'bdo', 'big', 'blockquote', 'br', 'caption', 'cite', 'code', 'col', 'colgroup', 'dd', 'del', 'dfn', 'dl', 'dt', 'em', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'hr', 'i', 'ins', 'kbd', 'li', 'ol', 'p', 'pre', 'q', 'samp', 'small', 'span', 'strong', 'sub', 'sup', 'table', 'tbody', 'td', 'tfoot', 'th', 'thead', 'tr', 'tt', 'ul', 'var')));
}