Change record status: 
Project: 
Introduced in branch: 
8.0.x
Description: 

check_url() is deprecated, and its return value is no longer treated as known to be safe.

Use UrlHelper::stripDangerousProtocols() or UrlHelper::filterBadProtocol() instead.

UrlHelper::stripDangerousProtocols() can be used in conjunction with SafeMarkup::format() (or t()) along with a placeholder, which performs the necessary escaping.

Two examples from core include:

  1. In core/includes/install.core.inc:
            'description' => t('The %language translation file could not be downloaded. <a href=":url">Choose a different language</a> or select English and translate your website later.', array('%language' => $language, ':url' => $_SERVER['SCRIPT_NAME'])),
    

    In this case the :url placeholder uses UrlHelper::stripDangerousProtocols() to remove any dangerous protocol and then escapes the URL.

  2. In core/modules/aggregator/aggregator.theme.inc we do:
       $variables['url'] = UrlHelper::stripDangerousProtocols($item->getLink());
    

    Here the url variable is fed into a Twig template, and Twig autoescapes it.

UrlHelper::filterBadProtocol() is an equivalent method, except that it can be called multiple times on the same URL without double escaping.
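
The difference between the two replacements when migrating a check_url() call, as an added example that is not code from Drupal core. It assumes the standalone drupal/core-utility Composer package is installed and autoloaded from vendor/autoload.php; the example_* function names and the sample URLs are constructed for illustration.

```php
<?php
// Added example, not Drupal core code. Assumes `composer require drupal/core-utility`
// so that UrlHelper and Html can be autoloaded outside a full Drupal site.
require __DIR__ . '/vendor/autoload.php';

use Drupal\Component\Utility\Html;
use Drupal\Component\Utility\UrlHelper;

/**
 * Hypothetical helper: URL destined for a Twig variable or a :url placeholder.
 * Only the protocol is filtered here; escaping is left to Twig or t().
 */
function example_url_for_template($url) {
  return UrlHelper::stripDangerousProtocols($url);
}

/**
 * Hypothetical helper: URL destined for an href built by string concatenation.
 * filterBadProtocol() filters the protocol and HTML-escapes the result.
 */
function example_url_for_raw_html($url) {
  return UrlHelper::filterBadProtocol($url);
}

// Constructed sample inputs: an allowed scheme with a query string, a
// disallowed scheme, and a relative URL.
$samples = [
  'http://example.com/feed?a=1&b=2',
  'javascript:alert(1)',
  '/relative/path?x=1&y=2',
];

foreach ($samples as $url) {
  $for_template = example_url_for_template($url);
  $for_html = example_url_for_raw_html($url);
  // Passing filterBadProtocol() output through filterBadProtocol() again
  // leaves it unchanged, whereas escaping the stripped URL twice encodes
  // the ampersand a second time.
  $filtered_twice = UrlHelper::filterBadProtocol($for_html);
  $escaped_twice = Html::escape(Html::escape($for_template));

  printf("input:                 %s\n", $url);
  printf("  for Twig / :url:     %s\n", $for_template);
  printf("  for raw HTML:        %s\n", $for_html);
  printf("  filtered twice:      %s\n", $filtered_twice);
  printf("  stripped, escaped x2: %s\n\n", $escaped_twice);
}
```

The value from example_url_for_template() must still be escaped by its consumer (Twig autoescape or a t() placeholder); printing it into HTML directly skips that step.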

Related change records

See also "New :variable placeholder for URLs in HTML attributes added to SafeMarkup::format() and t()".
See also "Twig autoescape enabled and text sanitization APIs updated" for a full list of related change records.

Impacts: 
Module developers