InputFilter

Extends \Joomla\Filter\InputFilter

InputFilter is a class for filtering input from any data source

Forked from the php input filter library by: Daniel Morris [email protected]. Original Contributors: Gianpaolo Racca, Ghislain Picard, Marco Wandschneider, Chris Tobin and Andrew Eddie.

since

1.7.0

package

Application

Methods

__construct

Constructor for inputFilter class. Only first parameter is required.

__construct(array tagsArray = array(), array attrArray = array(), int tagsMethod, int attrMethod, int xssAuto = 1, int stripUSC) : mixed
since

1.7.0

Arguments

tagsArray

array: List of user-defined tags

attrArray

array: List of user-defined attributes

tagsMethod

int: The constant static::ONLY_ALLOW_DEFINED_TAGS or static::BLOCK_DEFINED_TAGS

attrMethod

int: The constant static::ONLY_ALLOW_DEFINED_ATTRIBUTES or static::BLOCK_DEFINED_ATTRIBUTES

xssAuto

int: Only auto clean essentials = 0, Allow clean blocked tags/attributes = 1

stripUSC

int: Strip 4-byte unicode characters = 1, no strip = 0

Response

mixed

clean

Method to be called by another php script. Processes for XSS and specified bad code.

clean(mixed source, string type = 'string') : mixed
since

1.7.0

Arguments

source

mixed: Input string/array-of-string to be 'cleaned'

type

string: The return type for the variable:
INT: An integer, or an array of integers
UINT: An unsigned integer, or an array of unsigned integers
FLOAT: A floating point number, or an array of floating point numbers
BOOLEAN: A boolean value
WORD: A string containing A-Z or underscores only (not case sensitive)
ALNUM: A string containing A-Z or 0-9 only (not case sensitive)
CMD: A string containing A-Z, 0-9, underscores, periods or hyphens (not case sensitive)
BASE64: A string containing A-Z, 0-9, forward slashes, plus or equals (not case sensitive)
STRING: A fully decoded and sanitised string (default)
HTML: A sanitised string
ARRAY: An array
PATH: A sanitised file path, or an array of sanitised file paths
TRIM: A string trimmed from normal, non-breaking and multibyte spaces
USERNAME: Do not use (use an application specific filter)
RAW: The raw string is returned with no filtering
unknown: An unknown filter will act like STRING. If the input is an array it will return an array of fully decoded and sanitised strings.

Response

mixed: 'Cleaned' version of input parameter

decode

Try to convert to plaintext

decode(string source) : string
since

3.5

Arguments

source

string: The source string.

Response

string: Plaintext string

decodeFileData

Method to decode a file data array.

decodeFileData(array data) : array
static
since

3.4

Arguments

data

array: The data array to decode.

Response

array

emailToPunycode

Function to punyencode utf8 mail when saving content

emailToPunycode(string text) : string
since

3.5

Arguments

text

string: The strings to encode

Response

string: The punyencoded mail

getInstance

Returns an input filter object, only creating it if it doesn't already exist.

getInstance(array tagsArray = array(), array attrArray = array(), int tagsMethod, int attrMethod, int xssAuto = 1, int stripUSC) : \Joomla\CMS\Filter\InputFilter
static
since

1.7.0

Arguments

tagsArray

array: List of user-defined tags

attrArray

array: List of user-defined attributes

tagsMethod

int: The constant static::ONLY_ALLOW_DEFINED_TAGS or static::BLOCK_DEFINED_TAGS

attrMethod

int: The constant static::ONLY_ALLOW_DEFINED_ATTRIBUTES or static::BLOCK_DEFINED_ATTRIBUTES

xssAuto

int: Only auto clean essentials = 0, Allow clean blocked tags/attributes = 1

stripUSC

int: Strip 4-byte unicode characters = 1, no strip = 0

Response

\Joomla\CMS\Filter\InputFilter: The InputFilter object.

isSafeFile

Checks an uploaded file for suspicious naming and potential PHP contents which could indicate a hacking attempt.

isSafeFile(array file, array options = array()) : bool
static

The options you can define are:
null_byte: Prevent files with a null byte in their name (buffer overflow attack)
forbidden_extensions: Do not allow these strings anywhere in the file's extension
php_tag_in_content: Do not allow <?php tag in content
phar_stub_in_content: Do not allow the __HALT_COMPILER() phar stub in content
shorttag_in_content: Do not allow short tag <? in content
shorttag_extensions: Which file extensions to scan for short tags in content
fobidden_ext_in_content: Do not allow forbidden_extensions anywhere in content
php_ext_content_extensions: Which file extensions to scan for .php in content

This code is an adaptation and improvement of Admin Tools' UploadShield feature, relicensed and contributed by its author.

since

3.4

Arguments

file

array: An uploaded file descriptor

options

array: The scanner options (see the code for details)

Response

bool: True if the file is safe
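One way to implement the name and content checks that the isSafeFile options describe, added here as an example; it is not Joomla's isSafeFile() code. The helper scanUpload(), the shorttag_extensions values, and the reading of "anywhere in the file's extension" as every dot-separated part after the base name are assumptions of this example; the extension list is the FORBIDDEN_FILE_EXTENSIONS value given on this page.

```php
<?php
const FORBIDDEN_FILE_EXTENSIONS = ['php', 'phps', 'pht', 'phtml', 'php3', 'php4', 'php5', 'php6',
    'php7', 'asp', 'php8', 'phar', 'inc', 'pl', 'cgi', 'fcgi', 'java', 'jar', 'py', 'aspx'];
// Hypothetical helper (added illustration, not Joomla's code): returns the violated option names.
function scanUpload(array $file, array $options = []): array
{
    $options += [
        'null_byte'            => true,
        'forbidden_extensions' => FORBIDDEN_FILE_EXTENSIONS,
        'php_tag_in_content'   => true,
        'phar_stub_in_content' => true,
        'shorttag_in_content'  => true,
        'shorttag_extensions'  => ['inc', 'txt', 'tpl'], // constructed default
    ];
    $reasons = [];
    if ($options['null_byte'] && strpos($file['name'], "\0") !== false) {
        $reasons[] = 'null_byte';
    }
    // Every dot-separated part after the base name counts as an extension (assumption).
    $parts = array_map('strtolower', array_slice(explode('.', $file['name']), 1));
    if (array_intersect($parts, $options['forbidden_extensions'])) {
        $reasons[] = 'forbidden_extensions';
    }
    $data = (string) file_get_contents($file['tmp_name']);
    if ($options['php_tag_in_content'] && stripos($data, '<?php') !== false) {
        $reasons[] = 'php_tag_in_content';
    }
    if ($options['phar_stub_in_content'] && stripos($data, '__HALT_COMPILER()') !== false) {
        $reasons[] = 'phar_stub_in_content';
    }
    $shortExt = in_array(end($parts), $options['shorttag_extensions'], true);
    if ($options['shorttag_in_content'] && $shortExt && strpos($data, '<?') !== false) {
        $reasons[] = 'shorttag_in_content';
    }
    return $reasons;
}

// Constructed sample uploads, written to temp files so the scan runs offline.
$samples = [
    'photo.jpg'      => "\xFF\xD8\xFF\xE0 constructed image bytes",
    'avatar.php.jpg' => "\xFF\xD8\xFF\xE0 constructed image bytes",
    'notes.txt'      => 'hello <?= 1 ?>',
    'logo.png'       => "\x89PNG constructed <?php echo 1; ?>",
];
foreach ($samples as $name => $content) {
    file_put_contents($tmp = tempnam(sys_get_temp_dir(), 'upl'), $content);
    $reasons = scanUpload(['name' => $name, 'tmp_name' => $tmp]);
    unlink($tmp);
    echo str_pad($name, 16), $reasons ? 'rejected: ' . implode(', ', $reasons) : 'accepted', "\n";
}
```

Checks of this kind complement, and do not replace, storing uploads outside the web root or in a location where the server will not execute them.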

stripUSC

Recursively strip Unicode Supplementary Characters from the source. Note: objects cannot be filtered.

stripUSC(mixed source) : mixed
since

3.5

Arguments

source

mixed: The data to filter

Response

mixed: The filtered result

Constants

FORBIDDEN_FILE_EXTENSIONS

An array containing a list of extensions for files that are typically executable directly in the webserver context, potentially resulting in code execution

Value ['php', 'phps', 'pht', 'phtml', 'php3', 'php4', 'php5', 'php6', 'php7', 'asp', 'php8', 'phar', 'inc', 'pl', 'cgi', 'fcgi', 'java', 'jar', 'py', 'aspx']
since

4.0.0

Properties

stripUSC

A flag for Unicode Supplementary Characters (4-byte Unicode character) stripping.

since

3.5

Type(s)

int

instances

A container for InputFilter instances.

static
since

4.0.0

Type(s)

InputFilter[]