InputFilter

InputFilter is a class for filtering input from any data source

Forked from the php input filter library by: Daniel Morris dan@rootcube.com Original Contributors: Gianpaolo Racca, Ghislain Picard, Marco Wandschneider, Chris Tobin and Andrew Eddie.

since

1.0

Methods

__construct

Constructor for InputFilter class.

__construct(array $tagsArray = array(), array $attrArray = array(), integer $tagsMethod = self::TAGS_WHITELIST, integer $attrMethod = self::ATTR_WHITELIST, integer $xssAuto = 1) 
since

1.0

Arguments

$tagsArray

array: List of user-defined tags

$attrArray

array: List of user-defined attributes

$tagsMethod

integer: WhiteList method = 0 (TAGS_WHITELIST), BlackList method = 1 (TAGS_BLACKLIST)

$attrMethod

integer: WhiteList method = 0 (ATTR_WHITELIST), BlackList method = 1 (ATTR_BLACKLIST)

$xssAuto

integer: Only auto clean essentials = 0, Allow clean blacklisted tags/attr = 1

checkAttribute

Function to determine if contents of an attribute are safe

checkAttribute(array $attrSubSet) : boolean
static
since

1.0

Arguments

$attrSubSet

array: A 2 element array for attribute's name, value

Response

boolean: True if bad code is detected

clean

Method to be called by another php script. Processes for XSS and specified bad code.

clean(mixed $source, string $type = 'string') : mixed
since

1.0

Arguments

$source

mixed: Input string/array-of-string to be 'cleaned'

$type

string: The return type for the variable:
  INT: An integer, or an array of integers
  UINT: An unsigned integer, or an array of unsigned integers
  FLOAT: A floating point number, or an array of floating point numbers
  BOOLEAN: A boolean value
  WORD: A string containing A-Z or underscores only (not case sensitive)
  ALNUM: A string containing A-Z or 0-9 only (not case sensitive)
  CMD: A string containing A-Z, 0-9, underscores, periods or hyphens (not case sensitive)
  BASE64: A string containing A-Z, 0-9, forward slashes, plus or equals (not case sensitive)
  STRING: A fully decoded and sanitised string (default)
  HTML: A sanitised string
  ARRAY: An array
  PATH: A sanitised file path, or an array of sanitised file paths
  TRIM: A string trimmed from normal, non-breaking and multibyte spaces
  USERNAME: Do not use (use an application specific filter)
  RAW: The raw string is returned with no filtering
  unknown: An unknown filter will act like STRING
If the input is an array it will return an array of fully decoded and sanitised strings.

Response

mixed: 'Cleaned' version of input parameter
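As an added usage example (not code from the InputFilter documentation itself), assuming the class autoloads as \Joomla\Filter\InputFilter (the namespace shown under the instances property) and that all sample input values are constructed for illustration:

```php
<?php
// Added example; assumes a Composer autoloader and the class \Joomla\Filter\InputFilter.
require_once __DIR__ . '/vendor/autoload.php';

use Joomla\Filter\InputFilter;

// 1. Typed scalar filtering: the default instance is enough, the $type argument
//    decides what survives. All input values below are constructed samples.
$default = new InputFilter();
$id    = $default->clean('42; DROP TABLE users', 'INT');     // integer only
$page  = $default->clean('-3', 'UINT');                       // unsigned integer
$sort  = $default->clean('created_at; rm -rf /', 'CMD');      // A-Z, 0-9, _ . - only
$name  = $default->clean("  jane\xC2\xA0doe  ", 'TRIM');      // normal + non-breaking spaces trimmed
$plain = $default->clean('<b>hi</b><script>x()</script>', 'STRING'); // decoded, tags removed

// 2. HTML with an explicit whitelist: only <p> and <a> tags and the href attribute
//    are permitted. With $xssAuto = 1 the default blacklisted tags and attributes
//    (event handlers are covered implicitly) are cleaned as well.
$html = new InputFilter(
    array('p', 'a'),             // $tagsArray
    array('href'),               // $attrArray
    InputFilter::TAGS_WHITELIST, // value 0
    InputFilter::ATTR_WHITELIST, // value 0
    1                            // $xssAuto
);
$dirty = '<p onclick="steal()">Hello <a href="/docs" style="x:expression(evil())">docs</a>'
       . '<script>alert(1)</script></p>';
$safe  = $html->clean($dirty, 'HTML');
// onclick (event handler) and the CSS expression are not whitelisted and are removed,
// the <script> element is not a permitted tag, <p> and <a href> are kept.

// 3. Arrays are cleaned element-wise with the same type rule.
$ids = $default->clean(array('1', '2abc', 'x'), 'INT');

// 4. RAW performs no filtering: use it only when the value never reaches HTML,
//    SQL or a shell without its own escaping layer.
$raw = $default->clean($dirty, 'RAW');

var_dump($id, $page, $sort, $name, $plain, $safe, $ids, $raw);
```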

cleanAttributes

Internal method to strip a tag of certain attributes

cleanAttributes(array $attrSet) : array
since

1.0

Arguments

$attrSet

array: Array of attribute pairs to filter

Response

array: Filtered array of attribute pairs

cleanTags

Internal method to strip a string of certain tags

cleanTags(string $source) : string
since

1.0

Arguments

$source

string: Input string to be 'cleaned'

Response

string: 'Cleaned' version of input parameter

decode

Try to convert to plaintext

decode(string $source) : string
deprecated
since

1.0

deprecated

This method will be removed once support for PHP 5.3 is discontinued.

Arguments

$source

string: The source string.

Response

string: Plaintext string

escapeAttributeValues

Escape < > and " inside attribute values

escapeAttributeValues(string $source) : string
since

1.0

Arguments

$source

string: The source string.

Response

string: Filtered string

remove

Internal method to iteratively remove all unwanted tags and attributes

remove(string $source) : string
since

1.0

Arguments

$source

string: Input string to be 'cleaned'

Response

string: 'Cleaned' version of input parameter

stripCssExpressions

Remove CSS Expressions in the form of :expression(...)

stripCssExpressions(string $source) : string
since

1.0

Arguments

$source

string: The source string.

Response

string: Filtered string

Constants

TAGS_WHITELIST

Defines that the InputFilter instance should use a whitelist method for sanitising tags.

Value 0
since

1.3.0

Type(s)

integer

TAGS_BLACKLIST

Defines that the InputFilter instance should use a blacklist method for sanitising tags.

Value 1
since

1.3.0

Type(s)

integer

ATTR_WHITELIST

Defines that the InputFilter instance should use a whitelist method for sanitising attributes.

Value 0
since

1.3.0

Type(s)

integer

ATTR_BLACKLIST

Defines that the InputFilter instance should use a blacklist method for sanitising attributes.

Value 1
since

1.3.0

Type(s)

integer

Properties

instances

A container for InputFilter instances.

static deprecated
since

1.0

deprecated

1.2.0

Type(s)

array<mixed,\Joomla\Filter\InputFilter>

tagsArray

The array of permitted tags (whitelist).

since

1.0

Type(s)

array

attrArray

The array of permitted tag attributes (whitelist).

since

1.0

Type(s)

array

tagsMethod

The method for sanitising tags

since

1.0

Type(s)

integer

attrMethod

The method for sanitising attributes

since

1.0

Type(s)

integer

xssAuto

A flag for XSS checks. Only auto clean essentials = 0, Allow clean blacklisted tags/attr = 1

since

1.0

Type(s)

integer

tagBlacklist

The list of the default blacklisted tags.

since

1.0

Type(s)

array

attrBlacklist

The list of the default blacklisted tag attributes. All event handlers (on* attributes) are implicitly included.

since

1.0

Type(s)

array

blacklistedChars

A special list of blacklisted chars

since

1.3.3

Type(s)

array