Secure URL Handling with Drupal

In most cases dynamic data in forms is handled by the forms API which does a pretty good job of keeping it clean. Since the variables in hook_menu() for example are picked up as a % sign and then translated into a callback array, they are “cleansed” as they are passed through the Drupal Core code.

    'page arguments' => array(1),

more code ...

return $items;

On the other hand, there may be times when you you really need to pass dynamic data as a $_GET variable that is tacked onto an URL. In this case you need to pass the code through the urlencode() function.

When you are passing a user submitted URL in a hyperlink, rather than using check_plain(), the Drupal documentation says to use urlencode() instead.

Leave a Reply

Your email address will not be published. Required fields are marked *