InputFilter
Extends InputFilterInputFilter is a class for filtering input from any data source
Forked from the php input filter library by: Daniel Morris [email protected] Original Contributors: Gianpaolo Racca, Ghislain Picard, Marco Wandschneider, Chris Tobin and Andrew Eddie.
| since |
1.7.0 |
|---|---|
| package |
Joomla CMS |
Methods
__construct
Constructor for inputFilter class. Only first parameter is required.
__construct(mixed||string|int tagsArray = [], mixed||string|int attrArray = [], tagsMethod, attrMethod, xssAuto = 1, stripUSC) :
| since |
1.7.0 |
|---|
Arguments
- tagsArray
array<string|int, mixed>List of user-defined tags- attrArray
array<string|int, mixed>List of user-defined attributes- tagsMethod
intThe constant static::ONLY_ALLOW_DEFINED_TAGS or static::BLOCK_DEFINED_TAGS- attrMethod
intThe constant static::ONLY_ALLOW_DEFINED_ATTRIBUTES or static::BLOCK_DEFINED_ATTRIBUTES- xssAuto
intOnly auto clean essentials = 0, Allow clean blocked tags/attributes = 1- stripUSC
intStrip 4-byte unicode characters = 1, no strip = 0
Response
mixed
clean
Method to be called by another php script. Processes for XSS and specified bad code.
clean( source, type = 'string') :
| since |
1.7.0 |
|---|
Arguments
- source
mixedInput string/array-of-string to be 'cleaned'- type
stringThe return type for the variable: INT: An integer, or an array of integers, UINT: An unsigned integer, or an array of unsigned integers, FLOAT: A floating point number, or an array of floating point numbers, BOOLEAN: A boolean value, WORD: A string containing A-Z or underscores only (not case sensitive), ALNUM: A string containing A-Z or 0-9 only (not case sensitive), CMD: A string containing A-Z, 0-9, underscores, periods or hyphens (not case sensitive), BASE64: A string containing A-Z, 0-9, forward slashes, plus or equals (not case sensitive), STRING: A fully decoded and sanitised string (default), HTML: A sanitised string, ARRAY: An array, PATH: A sanitised file path, or an array of sanitised file paths, TRIM: A string trimmed from normal, non-breaking and multibyte spaces USERNAME: Do not use (use an application specific filter), RAW: The raw string is returned with no filtering, unknown: An unknown filter will act like STRING. If the input is an array it will return an array of fully decoded and sanitised strings.
Response
mixed'Cleaned' version of input parameter
decode
Try to convert to plaintext
decode( source) :
| since |
3.5 |
|---|
Arguments
- source
stringThe source string.
Response
stringPlaintext string
decodeFileData
Method to decode a file data array.
decodeFileData(mixed||string|int data) : mixed||string|int
| since |
3.4 |
|---|
Arguments
- data
array<string|int, mixed>The data array to decode.
Response
array<string|int, mixed>
emailToPunycode
Function to punyencode utf8 mail when saving content
emailToPunycode( text) :
| since |
3.5 |
|---|
Arguments
- text
stringThe strings to encode
Response
stringThe punyencoded mail
getInstance
Returns an input filter object, only creating it if it doesn't already exist.
getInstance(mixed||string|int tagsArray = [], mixed||string|int attrArray = [], tagsMethod, attrMethod, xssAuto = 1, stripUSC) : \Joomla\CMS\Filter\InputFilter
| since |
1.7.0 |
|---|
Arguments
- tagsArray
array<string|int, mixed>List of user-defined tags- attrArray
array<string|int, mixed>List of user-defined attributes- tagsMethod
intThe constant static::ONLY_ALLOW_DEFINED_TAGS or static::BLOCK_DEFINED_TAGS- attrMethod
intThe constant static::ONLY_ALLOW_DEFINED_ATTRIBUTES or static::BLOCK_DEFINED_ATTRIBUTES- xssAuto
intOnly auto clean essentials = 0, Allow clean blocked tags/attributes = 1- stripUSC
intStrip 4-byte unicode characters = 1, no strip = 0
Response
InputFilterThe InputFilter object.
isSafeFile
Checks an uploaded for suspicious naming and potential PHP contents which could indicate a hacking attempt.
isSafeFile(mixed||string|int file, mixed||string|int options = []) :
The options you can define are:
null_byte Prevent files with a null byte in their name (buffer overflow attack)
forbidden_extensions Do not allow these strings anywhere in the file's extension
php_tag_in_content Do not allow <?php tag in content
phar_stub_in_content Do not allow the __HALT_COMPILER() phar stub in content
shorttag_in_content Do not allow short tag <? in content
shorttag_extensions Which file extensions to scan for short tags in content
fobidden_ext_in_content Do not allow forbidden_extensions anywhere in content
php_ext_content_extensions Which file extensions to scan for .php in content
This code is an adaptation and improvement of Admin Tools' UploadShield feature, relicensed and contributed by its author.
| since |
3.4 |
|---|
Arguments
- file
array<string|int, mixed>An uploaded file descriptor- options
array<string|int, mixed>The scanner options (see the code for details)
Response
boolTrue of the file is safe
stripUSC
Recursively strip Unicode Supplementary Characters from the source. Not: objects cannot be filtered.
stripUSC( source) :
| since |
3.5 |
|---|
Arguments
- source
mixedThe data to filter
Response
mixedThe filtered result
Constants
FORBIDDEN_FILE_EXTENSIONS
An array containing a list of extensions for files that are typically executable directly in the webserver context, potentially resulting in code executions
| Value | ['php', 'phps', 'pht', 'phtml', 'php3', 'php4', 'php5', 'php6', 'php7', 'asp', 'php8', 'phar', 'inc', 'pl', 'cgi', 'fcgi', 'java', 'jar', 'py', 'aspx'] |
|---|---|
| since |
4.0.0 |
Properties
stripUSC
A flag for Unicode Supplementary Characters (4-byte Unicode character) stripping.
| since |
3.5 |
|---|
Type(s)
int
instances
A container for InputFilter instances.