InputFilter
Extends InputFilterInputFilter is a class for filtering input from any data source
Forked from the php input filter library by: Daniel Morris [email protected] Original Contributors: Gianpaolo Racca, Ghislain Picard, Marco Wandschneider, Chris Tobin and Andrew Eddie.
since |
1.7.0 |
---|---|
package |
Joomla CMS |
Methods
__construct
Constructor for inputFilter class. Only first parameter is required.
__construct(mixed||string|int tagsArray = [], mixed||string|int attrArray = [], tagsMethod, attrMethod, xssAuto = 1, stripUSC) :
since |
1.7.0 |
---|
Arguments
- tagsArray
array<string|int, mixed>
List of user-defined tags- attrArray
array<string|int, mixed>
List of user-defined attributes- tagsMethod
int
The constant static::ONLY_ALLOW_DEFINED_TAGS or static::BLOCK_DEFINED_TAGS- attrMethod
int
The constant static::ONLY_ALLOW_DEFINED_ATTRIBUTES or static::BLOCK_DEFINED_ATTRIBUTES- xssAuto
int
Only auto clean essentials = 0, Allow clean blocked tags/attributes = 1- stripUSC
int
Strip 4-byte unicode characters = 1, no strip = 0
Response
mixed
clean
Method to be called by another php script. Processes for XSS and specified bad code.
clean( source, type = 'string') :
since |
1.7.0 |
---|
Arguments
- source
mixed
Input string/array-of-string to be 'cleaned'- type
string
The return type for the variable: INT: An integer, or an array of integers, UINT: An unsigned integer, or an array of unsigned integers, FLOAT: A floating point number, or an array of floating point numbers, BOOLEAN: A boolean value, WORD: A string containing A-Z or underscores only (not case sensitive), ALNUM: A string containing A-Z or 0-9 only (not case sensitive), CMD: A string containing A-Z, 0-9, underscores, periods or hyphens (not case sensitive), BASE64: A string containing A-Z, 0-9, forward slashes, plus or equals (not case sensitive), STRING: A fully decoded and sanitised string (default), HTML: A sanitised string, ARRAY: An array, PATH: A sanitised file path, or an array of sanitised file paths, TRIM: A string trimmed from normal, non-breaking and multibyte spaces USERNAME: Do not use (use an application specific filter), RAW: The raw string is returned with no filtering, unknown: An unknown filter will act like STRING. If the input is an array it will return an array of fully decoded and sanitised strings.
Response
mixed
'Cleaned' version of input parameter
decode
Try to convert to plaintext
decode( source) :
since |
3.5 |
---|
Arguments
- source
string
The source string.
Response
string
Plaintext string
decodeFileData
Method to decode a file data array.
decodeFileData(mixed||string|int data) : mixed||string|int
since |
3.4 |
---|
Arguments
- data
array<string|int, mixed>
The data array to decode.
Response
array<string|int, mixed>
emailToPunycode
Function to punyencode utf8 mail when saving content
emailToPunycode( text) :
since |
3.5 |
---|
Arguments
- text
string
The strings to encode
Response
string
The punyencoded mail
getInstance
Returns an input filter object, only creating it if it doesn't already exist.
getInstance(mixed||string|int tagsArray = [], mixed||string|int attrArray = [], tagsMethod, attrMethod, xssAuto = 1, stripUSC) : \Joomla\CMS\Filter\InputFilter
since |
1.7.0 |
---|
Arguments
- tagsArray
array<string|int, mixed>
List of user-defined tags- attrArray
array<string|int, mixed>
List of user-defined attributes- tagsMethod
int
The constant static::ONLY_ALLOW_DEFINED_TAGS or static::BLOCK_DEFINED_TAGS- attrMethod
int
The constant static::ONLY_ALLOW_DEFINED_ATTRIBUTES or static::BLOCK_DEFINED_ATTRIBUTES- xssAuto
int
Only auto clean essentials = 0, Allow clean blocked tags/attributes = 1- stripUSC
int
Strip 4-byte unicode characters = 1, no strip = 0
Response
InputFilter
The InputFilter object.
isSafeFile
Checks an uploaded for suspicious naming and potential PHP contents which could indicate a hacking attempt.
isSafeFile(mixed||string|int file, mixed||string|int options = []) :
The options you can define are:
null_byte Prevent files with a null byte in their name (buffer overflow attack)
forbidden_extensions Do not allow these strings anywhere in the file's extension
php_tag_in_content Do not allow <?php
tag in content
phar_stub_in_content Do not allow the __HALT_COMPILER()
phar stub in content
shorttag_in_content Do not allow short tag <?
in content
shorttag_extensions Which file extensions to scan for short tags in content
fobidden_ext_in_content Do not allow forbidden_extensions anywhere in content
php_ext_content_extensions Which file extensions to scan for .php in content
This code is an adaptation and improvement of Admin Tools' UploadShield feature, relicensed and contributed by its author.
since |
3.4 |
---|
Arguments
- file
array<string|int, mixed>
An uploaded file descriptor- options
array<string|int, mixed>
The scanner options (see the code for details)
Response
bool
True of the file is safe
stripUSC
Recursively strip Unicode Supplementary Characters from the source. Not: objects cannot be filtered.
stripUSC( source) :
since |
3.5 |
---|
Arguments
- source
mixed
The data to filter
Response
mixed
The filtered result
Constants
FORBIDDEN_FILE_EXTENSIONS
An array containing a list of extensions for files that are typically executable directly in the webserver context, potentially resulting in code executions
Value | ['php', 'phps', 'pht', 'phtml', 'php3', 'php4', 'php5', 'php6', 'php7', 'asp', 'php8', 'phar', 'inc', 'pl', 'cgi', 'fcgi', 'java', 'jar', 'py', 'aspx'] |
---|---|
since |
4.0.0 |
Properties
stripUSC
A flag for Unicode Supplementary Characters (4-byte Unicode character) stripping.
since |
3.5 |
---|
Type(s)
int
instances
A container for InputFilter instances.