InputFilter
Extends \Joomla\Filter\InputFilterInputFilter is a class for filtering input from any data source
Forked from the php input filter library by: Daniel Morris dan@rootcube.com Original Contributors: Gianpaolo Racca, Ghislain Picard, Marco Wandschneider, Chris Tobin and Andrew Eddie.
| since |
1.7.0 |
|---|
Methods
__construct
Constructor for InputFilter class.
__construct(array $tagsArray = array(), array $attrArray = array(), integer $tagsMethod = self::TAGS_WHITELIST, integer $attrMethod = self::ATTR_WHITELIST, integer $xssAuto = 1)
| since |
1.0 |
|---|
Arguments
- $tagsArray
arrayList of user-defined tags- $attrArray
arrayList of user-defined attributes- $tagsMethod
integerWhiteList method = 0, BlackList method = 1- $attrMethod
integerWhiteList method = 0, BlackList method = 1- $xssAuto
integerOnly auto clean essentials = 0, Allow clean blacklisted tags/attr = 1
_cleanAttributes
Internal method to strip a tag of certain attributes
_cleanAttributes(array $attrSet) : array
| since |
1.7.0 |
|---|---|
| deprecated |
4.0 Use InputFilter::cleanAttributes() instead |
Arguments
- $attrSet
arrayArray of attribute pairs to filter
Response
arrayFiltered array of attribute pairs
_cleanTags
Internal method to strip a string of certain tags
_cleanTags(string $source) : string
| since |
1.7.0 |
|---|---|
| deprecated |
4.0 Use InputFilter::cleanTags() instead |
Arguments
- $source
stringInput string to be 'cleaned'
Response
string'Cleaned' version of input parameter
_decode
Try to convert to plaintext
_decode(string $source) : string
| since |
1.7.0 |
|---|---|
| deprecated |
4.0 Use InputFilter::decode() instead |
Arguments
- $source
stringThe source string.
Response
stringPlaintext string
_escapeAttributeValues
Escape < > and " inside attribute values
_escapeAttributeValues(string $source) : string
| since |
1.7.0 |
|---|---|
| deprecated |
4.0 Use InputFilter::escapeAttributeValues() instead |
Arguments
- $source
stringThe source string.
Response
stringFiltered string
_remove
Internal method to iteratively remove all unwanted tags and attributes
_remove(string $source) : string
| since |
1.7.0 |
|---|---|
| deprecated |
4.0 Use InputFilter::remove() instead |
Arguments
- $source
stringInput string to be 'cleaned'
Response
string'Cleaned' version of input parameter
_stripCSSExpressions
Remove CSS Expressions in the form of `
_stripCSSExpressions(string $source) : string
..)`
| since |
1.7.0 |
|---|---|
| deprecated |
4.0 Use InputFilter::stripCSSExpressions() instead |
Arguments
- $source
stringThe source string.
Response
stringFiltered string
checkAttribute
Function to determine if contents of an attribute are safe
checkAttribute(array $attrSubSet) : boolean
| since |
1.0 |
|---|
Arguments
- $attrSubSet
arrayA 2 element array for attribute's name, value
Response
booleanTrue if bad code is detected
clean
Method to be called by another php script. Processes for XSS and specified bad code.
clean(mixed $source, string $type = 'string') : mixed
| since |
1.0 |
|---|
Arguments
- $source
mixedInput string/array-of-string to be 'cleaned'- $type
stringThe return type for the variable: INT: An integer, or an array of integers, UINT: An unsigned integer, or an array of unsigned integers, FLOAT: A floating point number, or an array of floating point numbers, BOOLEAN: A boolean value, WORD: A string containing A-Z or underscores only (not case sensitive), ALNUM: A string containing A-Z or 0-9 only (not case sensitive), CMD: A string containing A-Z, 0-9, underscores, periods or hyphens (not case sensitive), BASE64: A string containing A-Z, 0-9, forward slashes, plus or equals (not case sensitive), STRING: A fully decoded and sanitised string (default), HTML: A sanitised string, ARRAY: An array, PATH: A sanitised file path, or an array of sanitised file paths, TRIM: A string trimmed from normal, non-breaking and multibyte spaces USERNAME: Do not use (use an application specific filter), RAW: The raw string is returned with no filtering, unknown: An unknown filter will act like STRING. If the input is an array it will return an array of fully decoded and sanitised strings.
Response
mixed'Cleaned' version of input parameter
cleanAttributes
Internal method to strip a tag of certain attributes
cleanAttributes(array $attrSet) : array
| since |
1.0 |
|---|
Arguments
- $attrSet
arrayArray of attribute pairs to filter
Response
arrayFiltered array of attribute pairs
cleanTags
Internal method to strip a string of certain tags
cleanTags(string $source) : string
| since |
1.0 |
|---|
Arguments
- $source
stringInput string to be 'cleaned'
Response
string'Cleaned' version of input parameter
decode
Try to convert to plaintext
decode(string $source) : string
| since |
1.0 |
|---|---|
| deprecated |
This method will be removed once support for PHP 5.3 is discontinued. |
Arguments
- $source
stringThe source string.
Response
stringPlaintext string
decodeFileData
Method to decode a file data array.
decodeFileData(array $data) : array
| since |
3.4 |
|---|
Arguments
- $data
arrayThe data array to decode.
Response
array
emailToPunycode
Function to punyencode utf8 mail when saving content
emailToPunycode(string $text) : string
| since |
3.5 |
|---|
Arguments
- $text
stringThe strings to encode
Response
stringThe punyencoded mail
escapeAttributeValues
Escape < > and " inside attribute values
escapeAttributeValues(string $source) : string
| since |
1.0 |
|---|
Arguments
- $source
stringThe source string.
Response
stringFiltered string
getInstance
Returns an input filter object, only creating it if it doesn't already exist.
getInstance(array $tagsArray = array(), array $attrArray = array(), integer $tagsMethod, integer $attrMethod, integer $xssAuto = 1, integer $stripUSC = -1) : \Joomla\CMS\Filter\InputFilter
| since |
1.7.0 |
|---|
Arguments
- $tagsArray
arrayList of user-defined tags- $attrArray
arrayList of user-defined attributes- $tagsMethod
integerWhiteList method = 0, BlackList method = 1- $attrMethod
integerWhiteList method = 0, BlackList method = 1- $xssAuto
integerOnly auto clean essentials = 0, Allow clean blacklisted tags/attr = 1- $stripUSC
integerStrip 4-byte unicode characters = 1, no strip = 0, ask the database driver = -1
Response
\Joomla\CMS\Filter\InputFilterThe InputFilter object.
isSafeFile
Checks an uploaded for suspicious naming and potential PHP contents which could indicate a hacking attempt.
isSafeFile(array $file, array $options = array()) : boolean
The options you can define are:
null_byte Prevent files with a null byte in their name (buffer overflow attack)
forbidden_extensions Do not allow these strings anywhere in the file's extension
php_tag_in_content Do not allow <?php tag in content
phar_stub_in_content Do not allow the __HALT_COMPILER() phar stub in content
shorttag_in_content Do not allow short tag <? in content
shorttag_extensions Which file extensions to scan for short tags in content
fobidden_ext_in_content Do not allow forbidden_extensions anywhere in content
php_ext_content_extensions Which file extensions to scan for .php in content
This code is an adaptation and improvement of Admin Tools' UploadShield feature, relicensed and contributed by its author.
| since |
3.4 |
|---|
Arguments
- $file
arrayAn uploaded file descriptor- $options
arrayThe scanner options (see the code for details)
Response
booleanTrue of the file is safe
remove
Internal method to iteratively remove all unwanted tags and attributes
remove(string $source) : string
| since |
1.0 |
|---|
Arguments
- $source
stringInput string to be 'cleaned'
Response
string'Cleaned' version of input parameter
stripCssExpressions
Remove CSS Expressions in the form of
stripCssExpressions(string $source) : string
..)
| since |
1.0 |
|---|
Arguments
- $source
stringThe source string.
Response
stringFiltered string
stripUSC
Recursively strip Unicode Supplementary Characters from the source. Not: objects cannot be filtered.
stripUSC(mixed $source) : mixed
| since |
3.5 |
|---|
Arguments
- $source
mixedThe data to filter
Response
mixedThe filtered result
Constants
TAGS_WHITELIST
Defines the InputFilter instance should use a whitelist method for sanitising tags.
| Value | 0 |
|---|---|
| since |
1.3.0 |
Type(s)
integer
TAGS_BLACKLIST
Defines the InputFilter instance should use a blacklist method for sanitising tags.
| Value | 1 |
|---|---|
| since |
1.3.0 |
Type(s)
integer
ATTR_WHITELIST
Defines the InputFilter instance should use a whitelist method for sanitising attributes.
| Value | 0 |
|---|---|
| since |
1.3.0 |
Type(s)
integer
ATTR_BLACKLIST
Defines the InputFilter instance should use a blacklist method for sanitising attributes.
| Value | 1 |
|---|---|
| since |
1.3.0 |
Type(s)
integer
Properties
stripUSC
A flag for Unicode Supplementary Characters (4-byte Unicode character) stripping.
| since |
3.5 |
|---|
Type(s)
integer
instances
A container for InputFilter instances.
tagsArray
The array of permitted tags (whitelist).
| since |
1.0 |
|---|
Type(s)
array
attrArray
The array of permitted tag attributes (whitelist).
| since |
1.0 |
|---|
Type(s)
array
tagsMethod
The method for sanitising tags
| since |
1.0 |
|---|
Type(s)
integer
attrMethod
The method for sanitising attributes
| since |
1.0 |
|---|
Type(s)
integer
xssAuto
A flag for XSS checks. Only auto clean essentials = 0, Allow clean blacklisted tags/attr = 1
| since |
1.0 |
|---|
Type(s)
integer
tagBlacklist
The list of the default blacklisted tags.
| since |
1.0 |
|---|
Type(s)
array
attrBlacklist
The list of the default blacklisted tag attributes. All event handlers implicit.
| since |
1.0 |
|---|
Type(s)
array
blacklistedChars
A special list of blacklisted chars
| since |
1.3.3 |
|---|
Type(s)
array