1

+269: [critical] Potential problem: drupal_set_message() (http://api.drupal.org/api/function/drupal_set_message/) only accepts filtered text, be sure all !placeholders for $variables in t() (http://api.drupal.org/api/function/t/) are sanitized using check_plain() (http://api.drupal.org/api/function/check_plain/), filter_xss() (http://api.drupal.org/api/function/filter_xss/) or similar.

It relates to this code:

      drupal_set_message(t('Batch complete!  View/Download !results', array(
        '!results' => filter_xss(l(t('simple results'), file_create_url($filename))),
      )), 'info');

What's wrong?

4

1 Answer

3

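The method you are using is under the "do not do these things" section of Dynamic or static links in translatable strings. You need to change it to one of the approved methods. For reference: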

<?php
  // DO NOT DO THESE THINGS
  $BAD_EXTERNAL_LINK = t('Look at Drupal documentation at !handbook.', array('!handbook' => '<a href="http://drupal.org/handbooks">'. t('the Drupal Handbooks') .'</a>'));
  $ANOTHER_BAD_EXTERNAL_LINK = t('Look at Drupal documentation at <a href="http://drupal.org/handbooks">the Drupal Handbooks</a>.');
  $BAD_INTERNAL_LINK = t('To get an overview of your administration options, go to !administer in the main menu.', array('!administer' => l(t('the Administer screen'), 'admin')));

  // Do this instead.
  $external_link = t('Look at Drupal documentation at <a href="@drupal-handbook">the Drupal Handbooks</a>.', array('@drupal-handbook' => 'http://drupal.org/handbooks'));
  $internal_link = t('To get an overview of your administration options, go to <a href="@administer-page">the Administer screen</a> in the main menu.', array('@administer-page' => url('admin')));
?>
answered 2013-05-13T14:37:36.137
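
The difference between the `!` and `@` placeholders discussed above, as an added example that is not part of the original question or answer. `demo_t()` and `demo_check_plain()` are hypothetical, simplified stand-ins for Drupal's `t()` and `check_plain()` so the snippet runs without Drupal, and the URL is a constructed value.

```php
<?php
// Simplified stand-ins for Drupal's check_plain() and t() placeholder handling
// (assumption: no translation lookup, only the @, % and ! substitution rules).
function demo_check_plain($text) {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

function demo_t($string, array $args = array()) {
  foreach ($args as $key => $value) {
    switch ($key[0]) {
      case '@':  // Escaped with check_plain().
        $args[$key] = demo_check_plain($value);
        break;
      case '%':  // Escaped and wrapped in <em class="placeholder">.
        $args[$key] = '<em class="placeholder">' . demo_check_plain($value) . '</em>';
        break;
      case '!':  // Inserted as-is: the caller must already have sanitized it.
        break;
    }
  }
  return strtr($string, $args);
}

// Constructed value standing in for a URL containing untrusted characters.
$url = 'http://example.com/files/results.csv" onmouseover="alert(1)';

// What "!" permits when the value was not sanitized first: the markup is
// built outside t() and reaches the page unchanged. This is the hazard the
// Coder warning is about, not the exact code from the question.
$unsanitized = demo_t('Batch complete!  View/Download !results', array(
  '!results' => '<a href="' . $url . '">simple results</a>',
));

// Approved pattern from the answer: the markup stays in the translatable
// string, only the URL is substituted, and "@" escapes it.
$approved = demo_t('Batch complete!  View/Download <a href="@results-url">simple results</a>', array(
  '@results-url' => $url,
));

echo $unsanitized, "\n";
echo $approved, "\n";
```

In the question's code, the value passed for `@results-url` would be `file_create_url($filename)`.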