Do not use /e in preg_replace() - use preg_replace_callback() instead
Security advisories such as SA-CONTRIB-2010-027 and SA-CONTRIB-2010-030 have pointed out the risk of passing user input through regular expressions that use the /e (PREG_REPLACE_EVAL) modifier. With /e, preg_replace() substitutes the backreferences into the replacement string and then evaluates the result as PHP code, so the matched text becomes part of the source that is executed.
Any mistake in escaping that string (PHP only backslash-escapes quotes, backslashes and NUL bytes in the substituted backreferences) can lead to arbitrary code execution, which in practice means total compromise of the Drupal site.
For this reason the /e modifier should be treated as insecure and avoided. It was deprecated in PHP 5.5 and removed in PHP 7.0, where preg_replace() raises a warning and returns NULL when it is used. Use preg_replace_callback() instead: the callback receives the matches as an array of plain strings and returns the replacement text, so user input is only ever handled as data and is never executed as PHP.
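The following is an added example, not code from this handbook page or from any Drupal module. It shows a hypothetical token expander (the pattern, the function names and the sample input are all constructed here) written first with the /e modifier and then with preg_replace_callback(), so that the difference between "the match is code" and "the match is data" is visible side by side.

```php
<?php
// Added example (not Drupal core or contrib code). Hypothetical token
// expander: replaces [name] with the upper-cased token name.

// BEFORE: insecure. The replacement argument is PHP source. preg_replace()
// substitutes \1 with the matched text and then eval()s the whole string.
// PHP escapes quotes, backslashes and NULs in the substituted match, but
// not `$` or `{}`, so a match such as {${phpinfo()}} is interpolated and
// executed inside the double-quoted string. On PHP >= 7.0 the /e modifier
// no longer exists: this call emits "Unknown modifier 'e'" and returns NULL.
function expand_tokens_insecure($text) {
  return preg_replace('/\[([^\]]+)\]/e', 'strtoupper("\\1")', $text);
}

// AFTER: the same transformation with preg_replace_callback(). The callback
// receives the matches as plain strings; whatever the user typed is only
// ever a value passed to strtoupper(), never PHP code.
function expand_tokens($text) {
  return preg_replace_callback(
    '/\[([^\]]+)\]/',
    function (array $m) {
      // $m[0] is the whole match, $m[1] the token name. Both are data.
      return strtoupper($m[1]);
    },
    $text
  );
}

// Constructed sample input: one ordinary token and one that reads like a
// PHP variable expression. With the /e version on PHP 5 the second token is
// evaluated; with the callback version it is simply upper-cased and echoed.
$input = 'Hello [world], and a hostile token [{${phpinfo()}}] follows.';

echo expand_tokens($input), PHP_EOL;
// Output: Hello WORLD, and a hostile token {${PHPINFO()}} follows.
```

When the replacement logic needs to dispatch on several patterns, keep the same shape: one callback per pattern, each returning a string, rather than assembling PHP source at run time. Any callable works as the second argument, so an existing module function such as `'mymodule_expand_token'` (hypothetical name) can be passed by name without a closure.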