In Drupal there are two common functions that are sometimes misused but are quite important to everyday Drupal development. Each performs its primary job, but both also sanitize data and make sure it is safe to show to the user.

The two functions covered in this article are t() and l() (together with url()).

The t() function:

The t() function is a bit of a multi-use function: it exists for translation, but it also sanitizes data that will be displayed to users. Before I go any further:

Sanitized data is data that has been "cleaned" before being presented to the user. Sanitizing makes XSS (cross-site scripting) and injection attacks more difficult and can prevent future vulnerabilities.

Drupal uses the t() function for localization: it marks strings that have translations, or may be translated in the future, so the same code can serve multiple languages without multiple versions. In other words, use the t() function whenever you output a string to a user, a form or a module, even if it will not be used for localization. It is easy to do and does not take much more time.

Proper Use of t:

$output = t('Welcome @username to Orangespike.ca',
    array('@username' => $user->name));

Notice that we do not inject the $user->name value directly into the translated string. It is passed through the placeholder array, and the @ prefix tells t() to escape it before insertion.

Improper Use of t:

$output = t('Welcome '.$user->name .' to Orangespike.ca');

Notice that this is what a beginner would probably write. With a simple example to follow, or some knowledge of the Drupal API, this mistake is easy to avoid.
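To show what the placeholder array actually buys you, here is an added example (not code from the original article or from Drupal itself). Since Drupal is not loaded, it uses a minimal stand-in for the placeholder handling of t(), assumed to follow Drupal 6 semantics (@ escapes via check_plain(), % escapes and wraps in <em>, ! inserts raw), and a constructed hostile user name.

```php
<?php
// Stand-in for Drupal's check_plain(): escape HTML special characters.
function demo_check_plain($text) {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Stand-in for t(): translation lookup is omitted, only the placeholder
// substitution is modelled (assumption: Drupal 6 prefix semantics).
function demo_t($string, array $args = array()) {
  foreach ($args as $key => $value) {
    switch ($key[0]) {
      case '@':
        // Escaped plain text: safe for any user-supplied value.
        $args[$key] = demo_check_plain($value);
        break;
      case '%':
        // Escaped and emphasised.
        $args[$key] = '<em>' . demo_check_plain($value) . '</em>';
        break;
      case '!':
        // Inserted as-is: only for values that are already safe HTML.
        break;
    }
  }
  return strtr($string, $args);
}

// Returns TRUE when the rendered string still carries live HTML tags.
function demo_has_live_markup($html) {
  return strip_tags($html) !== $html;
}

// Constructed user name chosen to contain markup.
$user = new stdClass();
$user->name = '<script>alert(1)</script>';

// Improper use from the article: the name is concatenated into the string.
$unsafe = demo_t('Welcome ' . $user->name . ' to Orangespike.ca');

// Proper use: the name goes through a '@' placeholder and is escaped.
$safe = demo_t('Welcome @username to Orangespike.ca',
    array('@username' => $user->name));

printf("improper: %s (live markup: %s)\n",
    $unsafe, demo_has_live_markup($unsafe) ? 'yes' : 'no');
printf("proper:   %s (live markup: %s)\n",
    $safe, demo_has_live_markup($safe) ? 'yes' : 'no');
```

The improper call leaves the script tag intact in the output, while the proper call renders it as escaped text.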

The l() function and url():

The l() and url() functions are two ways of linking to content. Internally they add the site domain and directories so the reference is correct, which makes them especially useful for dynamic links and for moving a site from one server or domain to another.

The l() function's purpose is to build a link and sanitize the data that is formatted into it. It is an alternative to calling url() directly. The Drupal API suggests using l(), not url(), when creating links.

Proper use of l()

$output = l($name, 'user/' . $object->uid, array(
    'attributes' => array('title' => t('View user profile')),
));

Which would produce a link similar to:

<a href="/user/1234" title="View user profile">Username</a>

Improper use of l()

$form['busted'] = array(
    '#value' => '<a href="' . $userLink . '">' . $userLink . '</a>',
);

Notice that the HTML for the link is built directly from a variable. This can be exploited in an XSS attack and is a common mistake.

Analysis:

It is easy to write more secure code when Drupal provides easy-to-use functions like the ones highlighted in this article. A lot of XSS vulnerabilities could have been avoided if developers and community users knew about functions like these. The problem is that users do not know about them or their proper use.

A solution lies in awareness, proper examples in the API documentation, and handbook examples that use these functions. However, if there is an easier way, and there usually is, coders will do it the vulnerable way if it saves five seconds.
