From #471184: Reconcile Drupal's input security functions with PHP filter_*:

- filter_xss*()
- check_plain()
- check_url()
- valid_email_address()
- valid_url()

- drupal_validate_utf8()
- drupal_valid_http_host()

Similar, so potentially also:

- drupal_query_string_encode()
- _fix_gpc_magic()
- _fix_gpc_magic_files()
- drupal_urlencode()
- drupal_valid_token()

Note that

- check_file()

shares the same prefix, but does not really belong in that list.

Comments

agentrickard:

Based on Damien's comments in #471184: Reconcile Drupal's input security functions with PHP filter_*, I think it is important to label these as Drupal-specific functions, since they either improve existing PHP filter_ functions or create ones that do not exist.

So that suggests to me:

drupal_filter_xss*() -or- drupal_output_xss*()
drupal_output_plain() -or- drupal_output_text() -or- drupal_output_escaped()
drupal_output_url()
drupal_validate_url()
drupal_validate_email() -or- drupal_validate_email_address()
drupal_validate_utf8()
drupal_validate_http_host()
drupal_output_query_string()
drupal_fix_gpc_magic()  -or- drupal_secure_gpc_magic()
drupal_fix_gpc_magic_files() -or- drupal_secure_gpc_magic_files()
drupal_output_urlencode()
drupal_validate_token()
-- and -maybe- --
drupal_validate_file()

So my quick take is that we have three families of functions:

-- output functions which sanitize data before rendering. (May also be named drupal_print or drupal_sanitize).
-- validate functions which verify data during processing.
-- fix / secure functions which correct potential security holes in PHP server settings.

I can also see an argument for removing the drupal_ prefix from these functions if we can agree on the family naming conventions.
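The three families described in the comment above, sketched in PHP as an added example. This is not Drupal's code and not the code of any proposed patch: the drupal_output_* / drupal_validate_* / drupal_fix_* names are the ones floated in the comment, their bodies are assumptions made here for illustration, and the inputs at the bottom are constructed. The point it shows is the one the family split is meant to enforce: a validate function answers yes or no and changes nothing, an output function escapes for one rendering context, and passing the first does not excuse skipping the second.

```php
<?php
// Added example, not Drupal code: one function from each of the three
// families (output / validate / fix) under the names floated in this
// comment. Bodies are assumptions for illustration, not any release's code.

// ---- Output family: escape for ONE rendering context. ---------------------

/** Escape text for HTML element content or a quoted attribute value. */
function drupal_output_plain(string $text): string {
    // ENT_QUOTES escapes ' as well as ", so the result is also safe inside
    // single-quoted attributes; ENT_SUBSTITUTE replaces malformed UTF-8 with
    // U+FFFD instead of returning '' as htmlspecialchars() otherwise would.
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Reject dangerous schemes, then escape the URL for an href attribute. */
function drupal_output_url(string $url, array $allowed = ['http', 'https', 'mailto']): string {
    // Decode entities and drop control characters first, so that
    // "java&#115;cript:" or "java\tscript:" cannot hide the scheme.
    $candidate = preg_replace('/[\x00-\x1F\x7F]/', '', html_entity_decode($url, ENT_QUOTES, 'UTF-8'));
    if (preg_match('/^\s*([a-z][a-z0-9+.\-]*):/i', $candidate, $m)
        && !in_array(strtolower($m[1]), $allowed, true)) {
        return '';  // disallowed scheme: refuse rather than attempt a repair
    }
    // A well-formed http URL can still carry quotes and angle brackets, so
    // passing the scheme check does not remove the need to escape.
    return drupal_output_plain($candidate);
}

// ---- Validate family: answer yes/no, never modify the value. --------------

/** TRUE if $text is well-formed UTF-8 (the empty string counts as valid). */
function drupal_validate_utf8(string $text): bool {
    // With /u, PCRE refuses to run on malformed UTF-8 and preg_match()
    // returns FALSE, which the === 1 check turns into a rejection; /s lets
    // "." match a newline so a single-character match suffices.
    return $text === '' || preg_match('/^./us', $text) === 1;
}

/** TRUE if $mail is an address as judged by PHP's own filter. */
function drupal_validate_email(string $mail): bool {
    return filter_var($mail, FILTER_VALIDATE_EMAIL) !== false;
}

/** TRUE if $url is an absolute URL as judged by PHP's own filter. */
function drupal_validate_url(string $url): bool {
    // Note what this does NOT say: nothing about the scheme being safe,
    // and nothing about the string being safe to print into HTML.
    return filter_var($url, FILTER_VALIDATE_URL) !== false;
}

// ---- Fix family: correct a PHP-level setting once, at bootstrap. ----------

function _drupal_strip_slashes_deep($value) {
    return is_array($value) ? array_map('_drupal_strip_slashes_deep', $value) : stripslashes($value);
}

/** Undo magic_quotes_gpc so input is escaped exactly once, by the output layer. */
function drupal_fix_gpc_magic(): void {
    // magic_quotes_gpc was removed in PHP 5.4; the version guard keeps this
    // from calling a function that no longer exists on current releases.
    if (PHP_VERSION_ID < 50400 && get_magic_quotes_gpc()) {
        $_GET    = _drupal_strip_slashes_deep($_GET);
        $_POST   = _drupal_strip_slashes_deep($_POST);
        $_COOKIE = _drupal_strip_slashes_deep($_COOKIE);
    }
}

// ---- Constructed inputs showing that "valid" and "safe to output" differ. --
drupal_fix_gpc_magic();
$urls = [
    'javascript:alert(1)',
    "java\tscript:alert(1)",
    'java&#115;cript:alert(1)',
    'http://example.com/?q="><script>alert(1)</script>',
];
foreach ($urls as $u) {
    printf("valid=%-5s href=\"%s\"  <- %s\n",
        drupal_validate_url($u) ? 'true' : 'false', drupal_output_url($u), addcslashes($u, "\t"));
}
foreach (["caf\xC3\xA9", "\xC3\x28"] as $s) {
    printf("utf8=%-5s plain=%s\n", drupal_validate_utf8($s) ? 'true' : 'false', drupal_output_plain($s));
}
```

Run it with the PHP CLI. The first three URLs come back with an empty href whatever filter_var() decides about them, because the scheme check runs on the entity-decoded, control-stripped form; the fourth keeps its http scheme but has its quotes and angle brackets entity-encoded, which is the step a "validate" function alone would never perform. The fix function is a no-op on any PHP from 5.4 on, which is why that family is the one most likely to disappear over time.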

mfer:

Version: 7.x-dev » 8.x-dev
ianthomas_uk:

Issue summary: updated
Status: Active » Closed (duplicate)

This was done as the functionality was moved to classes.