Joomla! API

Constructor for InputFilter class.

__construct(array $tagsArray = array(), array $attrArray = array(), integer $tagsMethod = self::TAGS_WHITELIST, integer $attrMethod = self::ATTR_WHITELIST, integer $xssAuto = 1)

since	1.0

Arguments

$tagsArray: arrayList of user-defined tags
$attrArray: arrayList of user-defined attributes
$tagsMethod: integerWhiteList method = 0, BlackList method = 1
$attrMethod: integerWhiteList method = 0, BlackList method = 1
$xssAuto: integerOnly auto clean essentials = 0, Allow clean blacklisted tags/attr = 1

Internal method to strip a tag of certain attributes

_cleanAttributes(array $attrSet) : array

deprecated

since	1.7.0
deprecated	4.0 Use InputFilter::cleanAttributes() instead

Arguments

$attrSet: arrayArray of attribute pairs to filter

Response

arrayFiltered array of attribute pairs

Internal method to strip a string of certain tags

_cleanTags(string $source) : string

deprecated

since	1.7.0
deprecated	4.0 Use InputFilter::cleanTags() instead

Arguments

$source: stringInput string to be 'cleaned'

Response

string'Cleaned' version of input parameter

Try to convert to plaintext

_decode(string $source) : string

deprecated

since	1.7.0
deprecated	4.0 Use InputFilter::decode() instead

Arguments

$source: stringThe source string.

Response

stringPlaintext string

Escape < > and " inside attribute values

_escapeAttributeValues(string $source) : string

deprecated

since	1.7.0
deprecated	4.0 Use InputFilter::escapeAttributeValues() instead

Arguments

$source: stringThe source string.

Response

stringFiltered string

Internal method to iteratively remove all unwanted tags and attributes

_remove(string $source) : string

deprecated

since	1.7.0
deprecated	4.0 Use InputFilter::remove() instead

Arguments

$source: stringInput string to be 'cleaned'

Response

string'Cleaned' version of input parameter

Remove CSS Expressions in the form of `:expression(.

_stripCSSExpressions(string $source) : string

deprecated

..)`

since	1.7.0
deprecated	4.0 Use InputFilter::stripCSSExpressions() instead

Arguments

$source: stringThe source string.

Response

stringFiltered string

Function to determine if contents of an attribute are safe

checkAttribute(array $attrSubSet) : boolean

static

since	1.0

Arguments

$attrSubSet: arrayA 2 element array for attribute's name, value

Response

booleanTrue if bad code is detected

Method to be called by another php script. Processes for XSS and specified bad code.

clean(mixed $source, string $type = 'string') : mixed

since	1.0

Arguments

$source: mixedInput string/array-of-string to be 'cleaned'
$type: stringThe return type for the variable: INT: An integer, or an array of integers, UINT: An unsigned integer, or an array of unsigned integers, FLOAT: A floating point number, or an array of floating point numbers, BOOLEAN: A boolean value, WORD: A string containing A-Z or underscores only (not case sensitive), ALNUM: A string containing A-Z or 0-9 only (not case sensitive), CMD: A string containing A-Z, 0-9, underscores, periods or hyphens (not case sensitive), BASE64: A string containing A-Z, 0-9, forward slashes, plus or equals (not case sensitive), STRING: A fully decoded and sanitised string (default), HTML: A sanitised string, ARRAY: An array, PATH: A sanitised file path, or an array of sanitised file paths, TRIM: A string trimmed from normal, non-breaking and multibyte spaces USERNAME: Do not use (use an application specific filter), RAW: The raw string is returned with no filtering, unknown: An unknown filter will act like STRING. If the input is an array it will return an array of fully decoded and sanitised strings.

Response

mixed'Cleaned' version of input parameter

Internal method to strip a tag of certain attributes

cleanAttributes(array $attrSet) : array

since	1.0

Arguments

$attrSet: arrayArray of attribute pairs to filter

Response

arrayFiltered array of attribute pairs

Internal method to strip a string of certain tags

cleanTags(string $source) : string

since	1.0

Arguments

$source: stringInput string to be 'cleaned'

Response

string'Cleaned' version of input parameter

Try to convert to plaintext

decode(string $source) : string

deprecated

since	1.0
deprecated	This method will be removed once support for PHP 5.3 is discontinued.

Arguments

$source: stringThe source string.

Response

stringPlaintext string

Method to decode a file data array.

decodeFileData(array $data) : array

static

since	3.4

Arguments

$data: arrayThe data array to decode.

Response

array

Function to punyencode utf8 mail when saving content

emailToPunycode(string $text) : string

since	3.5

Arguments

$text: stringThe strings to encode

Response

stringThe punyencoded mail

Escape < > and " inside attribute values

escapeAttributeValues(string $source) : string

since	1.0

Arguments

$source: stringThe source string.

Response

stringFiltered string

Returns an input filter object, only creating it if it doesn't already exist.

getInstance(array $tagsArray = array(), array $attrArray = array(), integer $tagsMethod, integer $attrMethod, integer $xssAuto = 1, integer $stripUSC = -1) : \Joomla\CMS\Filter\InputFilter

static

since	1.7.0

Arguments

$tagsArray: arrayList of user-defined tags
$attrArray: arrayList of user-defined attributes
$tagsMethod: integerWhiteList method = 0, BlackList method = 1
$attrMethod: integerWhiteList method = 0, BlackList method = 1
$xssAuto: integerOnly auto clean essentials = 0, Allow clean blacklisted tags/attr = 1
$stripUSC: integerStrip 4-byte unicode characters = 1, no strip = 0, ask the database driver = -1

Response

\Joomla\CMS\Filter\InputFilterThe InputFilter object.

Checks an uploaded for suspicious naming and potential PHP contents which could indicate a hacking attempt.

isSafeFile(array $file, array $options = array()) : boolean

static

The options you can define are: null_byte Prevent files with a null byte in their name (buffer overflow attack) forbidden_extensions Do not allow these strings anywhere in the file's extension php_tag_in_content Do not allow <?php tag in content phar_stub_in_content Do not allow the __HALT_COMPILER() phar stub in content shorttag_in_content Do not allow short tag <? in content shorttag_extensions Which file extensions to scan for short tags in content fobidden_ext_in_content Do not allow forbidden_extensions anywhere in content php_ext_content_extensions Which file extensions to scan for .php in content

This code is an adaptation and improvement of Admin Tools' UploadShield feature, relicensed and contributed by its author.

since	3.4

Arguments

$file: arrayAn uploaded file descriptor
$options: arrayThe scanner options (see the code for details)

Response

booleanTrue of the file is safe

Internal method to iteratively remove all unwanted tags and attributes

remove(string $source) : string

since	1.0

Arguments

$source: stringInput string to be 'cleaned'

Response

string'Cleaned' version of input parameter

Remove CSS Expressions in the form of :expression(.

stripCssExpressions(string $source) : string

..)

since	1.0

Arguments

$source: stringThe source string.

Response

stringFiltered string

Recursively strip Unicode Supplementary Characters from the source. Not: objects cannot be filtered.

stripUSC(mixed $source) : mixed

since	3.5

Arguments

$source: mixedThe data to filter

Response

mixedThe filtered result

Defines the InputFilter instance should use a whitelist method for sanitising tags.

since	1.3.0

Defines the InputFilter instance should use a blacklist method for sanitising tags.

since	1.3.0

Defines the InputFilter instance should use a whitelist method for sanitising attributes.

since	1.3.0

Defines the InputFilter instance should use a blacklist method for sanitising attributes.

since	1.3.0

A flag for Unicode Supplementary Characters (4-byte Unicode character) stripping.

since	3.5

Type(s)

integer

A container for InputFilter instances.

static deprecated

since	1.0
deprecated	1.2.0

Type(s)

array<mixed,\Joomla\Filter\InputFilter>

The array of permitted tags (whitelist).

since	1.0

Type(s)

array

The array of permitted tag attributes (whitelist).

since	1.0

Type(s)

array

The method for sanitising tags

since	1.0

Type(s)

integer

The method for sanitising attributes

since	1.0

Type(s)

integer

A flag for XSS checks. Only auto clean essentials = 0, Allow clean blacklisted tags/attr = 1

since	1.0

Type(s)

integer

The list of the default blacklisted tags.

since	1.0

Type(s)

array

The list of the default blacklisted tag attributes. All event handlers implicit.

since	1.0

Type(s)

array

A special list of blacklisted chars

since	1.3.3

Type(s)

array

InputFilter

Methods

__construct

Arguments

_cleanAttributes

Arguments

Response

_cleanTags

Arguments

Response

_decode

Arguments

Response

_escapeAttributeValues

Arguments

Response

_remove

Arguments

Response

_stripCSSExpressions

Arguments

Response

checkAttribute

Arguments

Response

clean

Arguments

Response

cleanAttributes

Arguments

Response

cleanTags

Arguments

Response

decode

Arguments

Response

decodeFileData

Arguments

Response

emailToPunycode

Arguments

Response

escapeAttributeValues

Arguments

Response

getInstance

Arguments

Response

isSafeFile

Arguments

Response

remove

Arguments

Response

stripCssExpressions

Arguments

Response

stripUSC

Arguments

Response

Constants

TAGS_WHITELIST

TAGS_BLACKLIST

ATTR_WHITELIST

ATTR_BLACKLIST

Properties

stripUSC

Type(s)

instances

Type(s)

tagsArray

Type(s)

attrArray

Type(s)

tagsMethod

Type(s)

attrMethod

Type(s)

xssAuto