/** * Checks and cleans a URL. * * A number of characters are removed from the URL. If the URL is for displaying * (the default behaviour) ampersands are also replaced. The 'clean_url' filter * is applied to the returned cleaned URL. * * @since 0.0.1 * * @param string $url The URL to be cleaned. * @param array $protocols Optional. An array of acceptable protocols. * Defaults to return value of hq_allowed_protocols() * @param string $_context Private. Use esc_url_raw() for database usage. * @return string The cleaned $url after the 'clean_url' filter is applied. */ function esc_url($url, $protocols = null, $_context = 'display') { $original_url = $url; if ('' == $url) { return $url; } $url = preg_replace('|[^a-z0-9-~+_.?#=!&;,/:%@$\\|*\'()\\x80-\\xff]|i', '', $url); if (0 !== stripos($url, 'mailto:')) { $strip = array('%0d', '%0a', '%0D', '%0A'); $url = _deep_replace($strip, $url); } $url = str_replace(';//', '://', $url); /* If the URL doesn't appear to contain a scheme, we * presume it needs http:// appended (unless a relative * link starting with /, # or ? or a php file). */ if (strpos($url, ':') === false && !in_array($url[0], array('/', '#', '?')) && !preg_match('/^[a-z0-9-]+?\\.php/i', $url)) { $url = 'http://' . $url; } // Replace ampersands and single quotes only when displaying. if ('display' == $_context) { $url = hq_kses_normalize_entities($url); $url = str_replace('&', '&', $url); $url = str_replace("'", ''', $url); } if ('/' === $url[0]) { $good_protocol_url = $url; } else { if (!is_array($protocols)) { $protocols = hq_allowed_protocols(); } $good_protocol_url = hq_kses_bad_protocol($url, $protocols); if (strtolower($good_protocol_url) != strtolower($url)) { return ''; } } /** * Filter a string cleaned and escaped for output as a URL. * * @since 0.0.1 * * @param string $good_protocol_url The cleaned URL to be returned. * @param string $original_url The URL prior to cleaning. * @param string $_context If 'display', replace ampersands and single quotes only. */ return apply_filters('clean_url', $good_protocol_url, $original_url, $_context); }
/** * Filters content and keeps only allowable HTML elements. * * This function makes sure that only the allowed HTML element names, attribute * names and attribute values plus only sane HTML entities will occur in * $string. You have to remove any slashes from PHP's magic quotes before you * call this function. * * The default allowed protocols are 'http', 'https', 'ftp', 'mailto', 'news', * 'irc', 'gopher', 'nntp', 'feed', 'telnet, 'mms', 'rtsp' and 'svn'. This * covers all common link protocols, except for 'javascript' which should not * be allowed for untrusted users. * * @since 0.0.1 * * @param string $string Content to filter through kses * @param array $allowed_html List of allowed HTML elements * @param array $allowed_protocols Optional. Allowed protocol in links. * @return string Filtered content with only allowed HTML elements */ function hq_kses($string, $allowed_html, $allowed_protocols = array()) { if (empty($allowed_protocols)) { $allowed_protocols = hq_allowed_protocols(); } $string = hq_kses_no_null($string, array('slash_zero' => 'keep')); $string = hq_kses_js_entities($string); $string = hq_kses_normalize_entities($string); $string = hq_kses_hook($string, $allowed_html, $allowed_protocols); // HQ changed the order of these funcs and added args to hq_kses_hook return hq_kses_split($string, $allowed_html, $allowed_protocols); }