InputFilter
Extends \Joomla\Filter\InputFilter

InputFilter is a class for filtering input from any data source.

Forked from the PHP input filter library by Daniel Morris (dan@rootcube.com). Original contributors: Gianpaolo Racca, Ghislain Picard, Marco Wandschneider, Chris Tobin and Andrew Eddie.

since | 1.7.0
---|---
Methods
__construct
Constructor for InputFilter class.
__construct(array $tagsArray = array(), array $attrArray = array(), integer $tagsMethod = self::ONLY_ALLOW_DEFINED_TAGS, integer $attrMethod = self::ONLY_ALLOW_DEFINED_ATTRIBUTES, integer $xssAuto = 1)
since | 1.0
---|---
Arguments
- $tagsArray
array
List of permitted HTML tags
- $attrArray
array
List of permitted HTML tag attributes
- $tagsMethod
integer
Method for filtering tags, should be one of the ONLY_*_DEFINED_TAGS constants
- $attrMethod
integer
Method for filtering attributes, should be one of the ONLY_*_DEFINED_ATTRIBUTES constants
- $xssAuto
integer
Only auto clean essentials = 0, Allow clean blocked tags/attributes = 1
_cleanAttributes
Internal method to strip a tag of certain attributes
_cleanAttributes(array $attrSet) : array
since | 1.7.0
---|---
deprecated | 4.0 Use InputFilter::cleanAttributes() instead
Arguments
- $attrSet
array
Array of attribute pairs to filter
Response
array
Filtered array of attribute pairs
_cleanTags
Internal method to strip a string of certain tags
_cleanTags(string $source) : string
since | 1.7.0
---|---
deprecated | 4.0 Use InputFilter::cleanTags() instead
Arguments
- $source
string
Input string to be 'cleaned'
Response
string
'Cleaned' version of input parameter
_decode
Try to convert to plaintext
_decode(string $source) : string
since | 1.7.0
---|---
deprecated | 4.0 Use InputFilter::decode() instead
Arguments
- $source
string
The source string.
Response
string
Plaintext string
_escapeAttributeValues
Escape < > and " inside attribute values
_escapeAttributeValues(string $source) : string
since | 1.7.0
---|---
deprecated | 4.0 Use InputFilter::escapeAttributeValues() instead
Arguments
- $source
string
The source string.
Response
string
Filtered string
_remove
Internal method to iteratively remove all unwanted tags and attributes
_remove(string $source) : string
since | 1.7.0
---|---
deprecated | 4.0 Use InputFilter::remove() instead
Arguments
- $source
string
Input string to be 'cleaned'
Response
string
'Cleaned' version of input parameter
_stripCSSExpressions
Remove CSS Expressions in the form of `..)`
_stripCSSExpressions(string $source) : string
since | 1.7.0
---|---
deprecated | 4.0 Use InputFilter::stripCSSExpressions() instead
Arguments
- $source
string
The source string.
Response
string
Filtered string
checkAttribute
Function to determine if contents of an attribute are safe
checkAttribute(array $attrSubSet) : boolean
since | 1.0
---|---
Arguments
- $attrSubSet
array
A 2 element array for attribute's name, value
Response
boolean
True if bad code is detected
clean
Cleans the given input source based on the instance configuration and specified data type
clean(string|array<mixed,string>|object $source, string $type = 'string') : mixed
since | 1.0
---|---
Arguments
- $source
string|array<mixed,string>|object
Input string/array-of-string/object to be 'cleaned'
- $type
string
The return type for the variable:
  - INT: An integer
  - UINT: An unsigned integer
  - FLOAT: A floating point number
  - BOOLEAN: A boolean value
  - WORD: A string containing A-Z or underscores only (not case sensitive)
  - ALNUM: A string containing A-Z or 0-9 only (not case sensitive)
  - CMD: A string containing A-Z, 0-9, underscores, periods or hyphens (not case sensitive)
  - BASE64: A string containing A-Z, 0-9, forward slashes, plus or equals (not case sensitive)
  - STRING: A fully decoded and sanitised string (default)
  - HTML: A sanitised string
  - ARRAY: An array
  - PATH: A sanitised file path
  - TRIM: A string trimmed from normal, non-breaking and multibyte spaces
  - USERNAME: Do not use (use an application specific filter)
  - RAW: The raw string is returned with no filtering
  - unknown: An unknown filter will act like STRING. If the input is an array it will return an array of fully decoded and sanitised strings.
Response
mixed
'Cleaned' version of the $source parameter
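As an added example (not code from the Joomla reference itself), the constructor described above and clean() used together: one shared default instance, one allowlist instance and one blocklist instance, each applied to constructed request values with several of the $type names listed here. It assumes a bootstrapped Joomla application so that the class autoloads.

```php
<?php
// Added example, not part of the Joomla API reference. Assumes a bootstrapped
// Joomla application (or its Composer autoloader) so the class autoloads.
use Joomla\CMS\Filter\InputFilter;

// Constructed request values standing in for untrusted user input.
$input = [
    'id'      => '42abc',
    'layout'  => '../../etc/passwd',
    'tags'    => ['alpha-1', 'beta_2'],
    'comment' => '<p class="c" onclick="alert(1)">Hi <script>alert(1)</script><b>there</b></p>',
];

// 1) Shared default instance: empty tag/attribute lists plus the default
//    ONLY_ALLOW_DEFINED_* methods, so 'HTML' mode strips every tag.
$default = InputFilter::getInstance();
$id      = $default->clean($input['id'], 'INT');       // 'INT': an integer
$layout  = $default->clean($input['layout'], 'CMD');   // 'CMD': A-Z, 0-9, _ . - only
$tags    = $default->clean($input['tags'], 'WORD');    // arrays are cleaned element by element
$text    = $default->clean($input['comment'], 'HTML'); // no tag survives an empty allowlist

// 2) Explicit allowlist: only <p> and <b>, and only the class attribute, are
//    kept; the onclick handler and the <script> element are removed.
$allow = new InputFilter(
    ['p', 'b'],
    ['class'],
    InputFilter::ONLY_ALLOW_DEFINED_TAGS,
    InputFilter::ONLY_ALLOW_DEFINED_ATTRIBUTES
);
$richText = $allow->clean($input['comment'], 'HTML');

// 3) Blocklist: the named tags/attributes are removed; other tags pass unless
//    they are on the instance's internal blocked list (xssAuto = 1, the default).
//    This is the looser policy; prefer the allowlist for content you render.
$block = new InputFilter(
    ['iframe', 'object'],
    ['style'],
    InputFilter::ONLY_BLOCK_DEFINED_TAGS,
    InputFilter::ONLY_BLOCK_DEFINED_ATTRIBUTES
);
$looseText = $block->clean($input['comment'], 'HTML');

// 'RAW' performs no filtering at all; reserve it for values that are never
// rendered or interpreted.
$raw = $default->clean($input['comment'], 'RAW');
```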
cleanAlnum
Alphanumerical filter
cleanAlnum(string $source) : string
Arguments
- $source
string
The string to be filtered
Response
string
The filtered string
cleanAttributes
Internal method to strip a tag of disallowed attributes
cleanAttributes(array $attrSet) : array
since | 1.0
---|---
Arguments
- $attrSet
array
Array of attribute pairs to filter
Response
array
Filtered array of attribute pairs
cleanBase64
Base64 filter
cleanBase64(string $source) : string
Arguments
- $source
string
The string to be filtered
Response
string
The filtered string
cleanBool
Boolean filter
cleanBool(string $source) : boolean
Arguments
- $source
string
The string to be filtered
Response
boolean
The filtered value
cleanBoolean
Alias for cleanBool()
cleanBoolean(string $source) : boolean
Arguments
- $source
string
The string to be filtered
Response
boolean
The filtered value
cleanCmd
Command filter
cleanCmd(string $source) : string
Arguments
- $source
string
The string to be filtered
Response
string
The filtered string
cleanDouble
Alias for cleanFloat()
cleanDouble(string $source) : float
Arguments
- $source
string
The string to be filtered
Response
float
The filtered value
cleanFloat
Float filter
cleanFloat(string $source) : float
Arguments
- $source
string
The string to be filtered
Response
float
The filtered value
cleanHtml
HTML filter
cleanHtml(string $source) : string
Arguments
- $source
string
The string to be filtered
Response
string
The filtered string
cleanInt
Integer filter
cleanInt(string $source) : integer
Arguments
- $source
string
The string to be filtered
Response
integer
The filtered value
cleanInteger
Alias for cleanInt()
cleanInteger(string $source) : integer
Arguments
- $source
string
The string to be filtered
Response
integer
The filtered value
cleanPath
Path filter
cleanPath(string $source) : string
Arguments
- $source
string
The string to be filtered
Response
string
The filtered string
cleanString
String filter
cleanString(string $source) : string
Arguments
- $source
string
The string to be filtered
Response
string
The filtered string
cleanTags
Internal method to strip a string of disallowed tags
cleanTags(string $source) : string
since | 1.0
---|---
Arguments
- $source
string
Input string to be 'cleaned'
Response
string
'Cleaned' version of input parameter
cleanTrim
Trim filter
cleanTrim(string $source) : string
Arguments
- $source
string
The string to be filtered
Response
string
The filtered string
cleanUint
Unsigned integer filter
cleanUint(string $source) : integer
Arguments
- $source
string
The string to be filtered
Response
integer
The filtered value
cleanUsername
Username filter
cleanUsername(string $source) : string
Arguments
- $source
string
The string to be filtered
Response
string
The filtered string
cleanWord
Word filter
cleanWord(string $source) : string
Arguments
- $source
string
The string to be filtered
Response
string
The filtered string
decode
Try to convert to plaintext
decode(string $source) : string
since | 1.0
---|---
deprecated | This method will be removed once support for PHP 5.3 is discontinued.
Arguments
- $source
string
The source string.
Response
string
Plaintext string
decodeFileData
Method to decode a file data array.
decodeFileData(array $data) : array
since | 3.4
---|---
Arguments
- $data
array
The data array to decode.
Response
array
emailToPunycode
Function to Punycode-encode a UTF-8 email address when saving content
emailToPunycode(string $text) : string
since | 3.5
---|---
Arguments
- $text
string
The string to encode
Response
string
The Punycode-encoded email address
escapeAttributeValues
Escape < > and " inside attribute values
escapeAttributeValues(string $source) : string
since | 1.0
---|---
Arguments
- $source
string
The source string.
Response
string
Filtered string
getInstance
Returns an input filter object, only creating it if it doesn't already exist.
getInstance(array $tagsArray = array(), array $attrArray = array(), integer $tagsMethod, integer $attrMethod, integer $xssAuto = 1, integer $stripUSC = -1) : \Joomla\CMS\Filter\InputFilter
since | 1.7.0
---|---
Arguments
- $tagsArray
array
List of user-defined tags
- $attrArray
array
List of user-defined attributes
- $tagsMethod
integer
WhiteList method = 0, BlackList method = 1
- $attrMethod
integer
WhiteList method = 0, BlackList method = 1
- $xssAuto
integer
Only auto clean essentials = 0, Allow clean blacklisted tags/attr = 1
- $stripUSC
integer
Strip 4-byte unicode characters = 1, no strip = 0, ask the database driver = -1
Response
\Joomla\CMS\Filter\InputFilter
The InputFilter object.
isSafeFile
Checks an uploaded file for suspicious naming and potential PHP contents which could indicate a hacking attempt.
isSafeFile(array $file, array $options = array()) : boolean
The options you can define are:
- null_byte: Prevent files with a null byte in their name (buffer overflow attack)
- forbidden_extensions: Do not allow these strings anywhere in the file's extension
- php_tag_in_content: Do not allow the <?php tag in content
- phar_stub_in_content: Do not allow the __HALT_COMPILER() phar stub in content
- shorttag_in_content: Do not allow the short tag <? in content
- shorttag_extensions: Which file extensions to scan for short tags in content
- fobidden_ext_in_content: Do not allow forbidden_extensions anywhere in content
- php_ext_content_extensions: Which file extensions to scan for .php in content
This code is an adaptation and improvement of Admin Tools' UploadShield feature, relicensed and contributed by its author.
since | 3.4
---|---
Arguments
- $file
array
An uploaded file descriptor
- $options
array
The scanner options (see the code for details)
Response
boolean
True if the file is safe
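An added example (not code from the Joomla reference) of gating an upload on isSafeFile() with the option keys listed above. The file descriptor and the option values are constructed for illustration; they are an example policy, not the class defaults. It assumes a bootstrapped Joomla application so that the class autoloads.

```php
<?php
// Added example, not part of the Joomla API reference. Assumes a bootstrapped
// Joomla application so the class autoloads.
use Joomla\CMS\Filter\InputFilter;

// Constructed descriptor in the shape PHP places in $_FILES for one upload.
// In a real component it comes from the request's files input instead.
$file = [
    'name'     => 'avatar.php.jpg',  // doubled extension that forbidden_extensions is meant to catch
    'type'     => 'image/jpeg',
    'tmp_name' => '/tmp/phpXXXXXX',  // constructed placeholder path
    'error'    => UPLOAD_ERR_OK,
    'size'     => 2048,
];

// Scanner options using the keys documented above. The values are an example
// policy, not the class defaults; omitted keys keep the defaults.
$options = [
    'null_byte'                  => true,
    'forbidden_extensions'       => ['php', 'phtml', 'phar'],
    'php_tag_in_content'         => true,
    'phar_stub_in_content'       => true,
    'shorttag_in_content'        => true,
    'shorttag_extensions'        => ['inc', 'phps', 'txt'],
    'fobidden_ext_in_content'    => true,   // the key is spelled this way in the class
    'php_ext_content_extensions' => ['zip', 'tar', 'gz'],
];

function acceptUpload(array $file, array $options): bool
{
    // Reject on any PHP-level upload error before inspecting the file.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return false;
    }

    // isSafeFile() inspects the name (null bytes, forbidden extension strings)
    // and the content at tmp_name (PHP open tags, phar stub, embedded extensions).
    if (!InputFilter::isSafeFile($file, $options)) {
        return false;
    }

    // Further policy (MIME sniffing, size limits, renaming to a server-chosen
    // name) belongs here, before move_uploaded_file().
    return true;
}

$accepted = acceptUpload($file, $options);
```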
remove
Internal method to iteratively remove all unwanted tags and attributes
remove(string $source) : string
since | 1.0
---|---
Arguments
- $source
string
Input string to be 'cleaned'
Response
string
'Cleaned' version of input parameter
stripCssExpressions
Remove CSS Expressions in the form of `..)`
stripCssExpressions(string $source) : string
since | 1.0
---|---
Arguments
- $source
string
The source string.
Response
string
Filtered string
stripUSC
Recursively strip Unicode Supplementary Characters from the source. Note: objects cannot be filtered.
stripUSC(mixed $source) : mixed
since | 3.5
---|---
Arguments
- $source
mixed
The data to filter
Response
mixed
The filtered result
Constants
TAGS_WHITELIST
Defines that the InputFilter instance should use a whitelist method for sanitising tags.
Value | 0
---|---
since | 1.3.0
deprecated | 2.0 Use the
Type(s)
integer
TAGS_BLACKLIST
Defines that the InputFilter instance should use a blacklist method for sanitising tags.
Value | 1
---|---
since | 1.3.0
deprecated | 2.0 Use the
Type(s)
integer
ATTR_WHITELIST
Defines that the InputFilter instance should use a whitelist method for sanitising attributes.
Value | 0
---|---
since | 1.3.0
deprecated | 2.0 Use the
Type(s)
integer
ATTR_BLACKLIST
Defines that the InputFilter instance should use a blacklist method for sanitising attributes.
Value | 1
---|---
since | 1.3.0
deprecated | 2.0 Use the
Type(s)
integer
ONLY_ALLOW_DEFINED_TAGS
Defines that the InputFilter instance should only allow the supplied list of HTML tags.
Value | 0
---|---
since | 1.4.0
Type(s)
integer
ONLY_BLOCK_DEFINED_TAGS
Defines that the InputFilter instance should block the defined list of HTML tags and allow all others.
Value | 1
---|---
since | 1.4.0
Type(s)
integer
ONLY_ALLOW_DEFINED_ATTRIBUTES
Defines that the InputFilter instance should only allow the supplied list of attributes.
Value | 0
---|---
since | 1.4.0
Type(s)
integer
ONLY_BLOCK_DEFINED_ATTRIBUTES
Defines that the InputFilter instance should block the defined list of attributes and allow all others.
Value | 1
---|---
since | 1.4.0
Type(s)
integer
Properties
stripUSC
A flag for Unicode Supplementary Characters (4-byte Unicode character) stripping.
since | 3.5
---|---
Type(s)
integer
instances
A container for InputFilter instances.
tagsArray
The array of permitted tags.
since | 1.0
---|---
Type(s)
array
attrArray
The array of permitted tag attributes.
since | 1.0
---|---
Type(s)
array
tagsMethod
The method for sanitising tags
since | 1.0
---|---
Type(s)
integer
attrMethod
The method for sanitising attributes
since | 1.0
---|---
Type(s)
integer
xssAuto
A flag for XSS checks. Only auto clean essentials = 0, Allow clean blocked tags/attr = 1
since | 1.0
---|---
Type(s)
integer
tagBlacklist
The list of blocked tags for the instance.
since | 1.0
---|---
note | This property will be renamed to $blockedTags in version 2.0
Type(s)
array<mixed,string>
attrBlacklist
The list of blocked tag attributes for the instance.
since | 1.0
---|---
note | This property will be renamed to $blockedAttributes in version 2.0
Type(s)
array<mixed,string>
blockedChars
A special list of blocked characters.
since | 1.3.3
---|---
Type(s)
array<mixed,string>