diff options
author | webchick <webchick@24967.no-reply.drupal.org> | 2012-12-26 18:53:56 -0800 |
---|---|---|
committer | webchick <webchick@24967.no-reply.drupal.org> | 2012-12-26 18:53:56 -0800 |
commit | 6993acd9a4cadb901c4a2ed532ffcccc700f8fde (patch) | |
tree | a2df5bca45d9efc87a1595a024d99f3cfa24414c /includes/bootstrap.inc | |
parent | 761550f9817c5845c44f53b8069efc611bb5a676 (diff) | |
download | brdo-6993acd9a4cadb901c4a2ed532ffcccc700f8fde.tar.gz brdo-6993acd9a4cadb901c4a2ed532ffcccc700f8fde.tar.bz2 |
Issue #1873608 by David_Rothstein: Improve documentation of format_string() to emphasize that it is used to prepare variables for HTML display.
Diffstat (limited to 'includes/bootstrap.inc')
-rw-r--r-- | includes/bootstrap.inc | 32 |
1 files changed, 22 insertions, 10 deletions
diff --git a/includes/bootstrap.inc b/includes/bootstrap.inc index dcab7df07..036bfc9ce 100644 --- a/includes/bootstrap.inc +++ b/includes/bootstrap.inc @@ -1484,21 +1484,33 @@ function t($string, array $args = array(), array $options = array()) { } /** - * Replaces placeholders with sanitized values in a string. + * Formats a string for HTML display by replacing variable placeholders. + * + * This function replaces variable placeholders in a string with the requested + * values and escapes the values so they can be safely displayed as HTML. It + * should be used on any unknown text that is intended to be printed to an HTML + * page (especially text that may have come from untrusted users, since in that + * case it prevents cross-site scripting and other security problems). + * + * In most cases, you should use t() rather than this function, since it will + * translate the text (on non-English-only sites) in addition to formatting it. * * @param $string * A string containing placeholders. * @param $args * An associative array of replacements to make. Occurrences in $string of - * any key in $args are replaced with the corresponding value, after - * sanitization. The sanitization function depends on the first character of - * the key: - * - !variable: Inserted as is. Use this for text that has already been - * sanitized. - * - @variable: Escaped to HTML using check_plain(). Use this for anything - * displayed on a page on the site. - * - %variable: Escaped as a placeholder for user-submitted content using - * drupal_placeholder(), which shows up as <em>emphasized</em> text. + * any key in $args are replaced with the corresponding value, after optional + * sanitization and formatting. The type of sanitization and formatting + * depends on the first character of the key: + * - @variable: Escaped to HTML using check_plain(). Use this as the default + * choice for anything displayed on a page on the site. + * - %variable: Escaped to HTML and formatted using drupal_placeholder(), + * which makes it display as <em>emphasized</em> text. + * - !variable: Inserted as is, with no sanitization or formatting. Only use + * this for text that has already been prepared for HTML display (for + * example, user-supplied text that has already been run through + * check_plain() previously, or is expected to contain some limited HTML + * tags and has already been run through filter_xss() previously). * * @see t() * @ingroup sanitization |