By poker10
Change record status: Published
Project: Drupal core
Introduced in branch: 7.x
Introduced in version: 7.92
Issue links:
Description:
The l() function now strips dangerous protocols from the $path argument using drupal_strip_dangerous_protocols().
If you use l() to output links whose scheme is not in the allowed list (see variable_get('filter_allowed_protocols')), the resulting link will no longer work as expected: the scheme is removed and the remainder is emitted as a relative URL. In that case you can either add the stripped scheme to the filter_allowed_protocols variable (not recommended for schemes such as javascript:, since the variable applies site-wide), or replace the l() call with different logic that outputs the desired link.
Before:
// Prints a link which will trigger alert once clicked: <a href="javascript:alert('XSS')">link</a>
print l('link', "javascript:alert('XSS')", array('external' => TRUE));
After:
// Prints a non-functional link: <a href="alert('XSS')">link</a>
print l('link', "javascript:alert('XSS')", array('external' => TRUE));
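The following is an added example and not Drupal core code. It re-creates the iterative scheme-stripping logic of drupal_strip_dangerous_protocols() as a standalone function so the post-7.92 behaviour of l() can be tried without a Drupal install; the allowed list is passed as a parameter instead of being read with variable_get('filter_allowed_protocols'), the "myapp:" scheme is a hypothetical deep-link scheme used to illustrate the "different logic" alternative, and PHP 7 or later is assumed.

```php
<?php
// Added example, not Drupal core code: a standalone re-creation of the
// iterative scheme-stripping logic of drupal_strip_dangerous_protocols().
// The allowed list is a parameter instead of
// variable_get('filter_allowed_protocols'). Assumes PHP 7 or later.

// Default value of the filter_allowed_protocols variable in Drupal 7.
function default_allowed_protocols() {
  return array('ftp', 'http', 'https', 'irc', 'mailto', 'news', 'nntp', 'rtsp',
    'sftp', 'ssh', 'tel', 'telnet', 'webcal');
}

function strip_dangerous_protocols($uri, array $allowed = NULL) {
  if ($allowed === NULL) {
    $allowed = default_allowed_protocols();
  }
  $allowed = array_flip(array_map('strtolower', $allowed));
  // Loop until nothing changes: "javascript:javascript:alert(1)" must not
  // survive a single pass.
  do {
    $before = $uri;
    $colonpos = strpos($uri, ':');
    if ($colonpos !== FALSE && $colonpos > 0) {
      $protocol = substr($uri, 0, $colonpos);
      // A '/', '?' or '#' before the colon means the colon belongs to a
      // relative URL's path, query or fragment, not to a scheme. Leave it
      // alone: the link inherits the (safe) scheme of the page it is on.
      if (preg_match('![/?#]!', $protocol)) {
        break;
      }
      // Scheme names are case-insensitive, so compare lower-cased.
      if (!isset($allowed[strtolower($protocol)])) {
        $uri = substr($uri, $colonpos + 1);
      }
    }
  } while ($before !== $uri);
  return $uri;
}

// What l() does for an 'external' => TRUE link after 7.92: strip, then
// HTML-escape href and text (check_plain() is htmlspecialchars() with
// ENT_QUOTES and UTF-8).
function l_external($text, $path, array $allowed = NULL) {
  $href = strip_dangerous_protocols($path, $allowed);
  return '<a href="' . htmlspecialchars($href, ENT_QUOTES, 'UTF-8') . '">'
    . htmlspecialchars($text, ENT_QUOTES, 'UTF-8') . '</a>';
}

// "Different logic" for a scheme you have decided to allow in one place
// (hypothetical "myapp:" deep link): validate the whole URL against a
// strict pattern, then escape it. This avoids widening
// filter_allowed_protocols for the whole site.
function myapp_link($text, $url) {
  if (!preg_match('#^myapp:[A-Za-z0-9._/-]+$#', $url)) {
    throw new InvalidArgumentException('Not a well-formed myapp: URL: ' . $url);
  }
  return '<a href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">'
    . htmlspecialchars($text, ENT_QUOTES, 'UTF-8') . '</a>';
}

// Constructed inputs paired with the stripped form we expect.
$cases = array(
  "javascript:alert('XSS')"          => "alert('XSS')",
  "JaVaScRiPt:alert(1)"              => "alert(1)",
  "javascript:javascript:alert(1)"   => "alert(1)",
  "data:text/html,<script>"          => "text/html,<script>",
  "vbscript:msgbox(1)"               => "msgbox(1)",
  "https://example.com/"             => "https://example.com/",
  "HTTPS://example.com/"             => "HTTPS://example.com/",
  "mailto:a@example.com"             => "mailto:a@example.com",
  "/node/1?dest=javascript:alert(1)" => "/node/1?dest=javascript:alert(1)",
  "#javascript:anchor"               => "#javascript:anchor",
);
$failures = 0;
foreach ($cases as $in => $expected) {
  $out = strip_dangerous_protocols($in);
  $ok = ($out === $expected);
  $failures += $ok ? 0 : 1;
  printf("%s %-34s => %s\n", $ok ? 'ok  ' : 'FAIL', $in, $out);
}

// Whitelisting the scheme keeps it intact; leaving it out strips it.
$extended = array_merge(default_allowed_protocols(), array('myapp'));
printf("%s\n", strip_dangerous_protocols('myapp:open/42', $extended));
printf("%s\n", strip_dangerous_protocols('myapp:open/42'));
printf("%s\n", l_external('link', "javascript:alert('XSS')"));
printf("%s\n", myapp_link('Open', 'myapp:open/42'));
exit($failures === 0 ? 0 : 1);
```

Run it with php on the command line. Note that the real l() passes the href through check_plain(), so the single quotes in the "After" link above are actually emitted as &#039; entities; the change record's comment shows the decoded form for readability. Relative paths that merely contain a colon (the query-string and fragment cases) are not touched, which is why the stripping cannot break ordinary internal links.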
Impacts:
Module developers
Themers