JFilterInput is a class for filtering input from any data source.
Forked from the php input filter library by: Daniel Morris <dan@rootcube.com>
Original Contributors: Gianpaolo Racca, Ghislain Picard, Marco Wandschneider, Chris Tobin and Andrew Eddie.

public __construct( array $tagsArray = array(), array $attrArray = array(), integer $tagsMethod = 0, integer $attrMethod = 0, integer $xssAuto = 1, integer $stripUSC = -1 )
Constructor for inputFilter class. Only first parameter is required.
Parameters
- $tagsArray
array - $tagsArray List of user-defined tags
- $attrArray
array - $attrArray List of user-defined attributes
- $tagsMethod
integer - $tagsMethod WhiteList method = 0, BlackList method = 1
- $attrMethod
integer - $attrMethod WhiteList method = 0, BlackList method = 1
- $xssAuto
integer - $xssAuto Only auto clean essentials = 0, Allow clean blacklisted tags/attr = 1
- $stripUSC
integer - $stripUSC Strip 4-byte unicode characters = 1, no strip = 0, ask the database
driver = -1
Since
11.1
Overrides

public static JFilterInput &getInstance( array $tagsArray = array(), array $attrArray = array(), integer $tagsMethod = 0, integer $attrMethod = 0, integer $xssAuto = 1, integer $stripUSC = -1 )
Returns an input filter object, only creating it if it doesn't already exist.
Parameters
- $tagsArray
array - $tagsArray List of user-defined tags
- $attrArray
array - $attrArray List of user-defined attributes
- $tagsMethod
integer - $tagsMethod WhiteList method = 0, BlackList method = 1
- $attrMethod
integer - $attrMethod WhiteList method = 0, BlackList method = 1
- $xssAuto
integer - $xssAuto Only auto clean essentials = 0, Allow clean blacklisted tags/attr = 1
- $stripUSC
integer - $stripUSC Strip 4-byte unicode characters = 1, no strip = 0, ask the database
driver = -1
Returns
Since
11.1

public mixed clean( mixed $source, string $type = 'string' )
Method to be called by another php script. Processes for XSS and specified bad code.
Parameters
- $source
mixed - $source Input string/array-of-string to be 'cleaned'
- $type
string - $type The return type for the variable:
  - INT: An integer, or an array of integers
  - UINT: An unsigned integer, or an array of unsigned integers
  - FLOAT: A floating point number, or an array of floating point numbers
  - BOOLEAN: A boolean value
  - WORD: A string containing A-Z or underscores only (not case sensitive)
  - ALNUM: A string containing A-Z or 0-9 only (not case sensitive)
  - CMD: A string containing A-Z, 0-9, underscores, periods or hyphens (not case sensitive)
  - BASE64: A string containing A-Z, 0-9, forward slashes, plus or equals (not case sensitive)
  - STRING: A fully decoded and sanitised string (default)
  - HTML: A sanitised string
  - ARRAY: An array
  - PATH: A sanitised file path, or an array of sanitised file paths
  - TRIM: A string trimmed from normal, non-breaking and multibyte spaces
  - USERNAME: Do not use (use an application specific filter)
  - RAW: The raw string is returned with no filtering
  - unknown: An unknown filter will act like STRING. If the input is an array it will return an array of fully decoded and sanitised strings.
Returns
mixed - 'Cleaned' version of input parameter
Since
11.1
Overrides

public string emailToPunycode( string $text )
Function to punyencode utf8 mail when saving content
Parameters
- $text
string - $text The strings to encode
Returns
string - The punyencoded mail
Since
3.5

public static boolean isSafeFile( array $file, array $options = array() )
Checks an uploaded file for suspicious naming and potential PHP contents which could indicate a hacking attempt.
The options you can define are:
- null_byte: Prevent files with a null byte in their name (buffer overflow attack)
- forbidden_extensions: Do not allow these strings anywhere in the file's extension
- php_tag_in_content: Do not allow <?php tag in content
- shorttag_in_content: Do not allow short tag <? in content
- shorttag_extensions: Which file extensions to scan for short tags in content
- fobidden_ext_in_content: Do not allow forbidden_extensions anywhere in content
- php_ext_content_extensions: Which file extensions to scan for .php in content
This code is an adaptation and improvement of Admin Tools' UploadShield
feature, relicensed and contributed by its author.
Parameters
- $file
array - $file An uploaded file descriptor
- $options
array - $options The scanner options (see the code for details)
Returns
boolean - True if the file is safe
Since
3.4
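
A stand-alone example of the checks named in the isSafeFile() options list, added here as an illustration; it is not Joomla's implementation. The function name `uploadLooksSafe()` and the default extension lists are assumptions, and it models the null_byte, forbidden_extensions, php_tag_in_content, shorttag_in_content and shorttag_extensions options.

```php
<?php
// Added illustration, not Joomla's code; uploadLooksSafe() and the default lists are hypothetical.
function uploadLooksSafe(array $file, array $options = array())
{
    $options += array(
        'null_byte'            => true,
        'forbidden_extensions' => array('php', 'phtml', 'phar'), // assumed list
        'php_tag_in_content'   => true,
        'shorttag_in_content'  => true,
        'shorttag_extensions'  => array('inc', 'phps'),          // assumed list
    );
    // null_byte: reject names containing a NUL byte.
    if ($options['null_byte'] && strpos($file['name'], "\0") !== false) { return false; }
    // forbidden_extensions: test every dot-separated part after the base name,
    // so "photo.php.jpg" is rejected as well as "photo.php".
    $parts = array_map('strtolower', array_slice(explode('.', $file['name']), 1));
    if (array_intersect($parts, $options['forbidden_extensions'])) { return false; }
    $data = file_get_contents($file['tmp_name']);
    if ($data === false) { return false; } // unreadable upload: fail closed
    // php_tag_in_content: long open tag anywhere in the body, any extension.
    if ($options['php_tag_in_content'] && stripos($data, '<?php') !== false) { return false; }
    // shorttag_in_content: scanned only for the extensions in shorttag_extensions.
    $ext  = $parts ? end($parts) : '';
    $scan = $options['shorttag_in_content'] && in_array($ext, $options['shorttag_extensions'], true);
    if ($scan && strpos($data, '<?') !== false) { return false; }
    return true;
}

// Constructed sample uploads, written to temp files so the script runs offline.
$samples = array(
    'photo.jpg'     => "\xFF\xD8\xFF\xE0 constructed image bytes",
    'photo.php.jpg' => "\xFF\xD8\xFF\xE0 constructed image bytes",
    'avatar.png'    => "\x89PNG constructed <?php echo 1; ?>",
    'helper.inc'    => "constructed <? echo 1; ?>",
);
foreach ($samples as $name => $body) {
    $tmp = tempnam(sys_get_temp_dir(), 'upl');
    file_put_contents($tmp, $body);
    $ok = uploadLooksSafe(array('name' => $name, 'tmp_name' => $tmp));
    echo $name, ' => ', $ok ? 'accepted' : 'rejected', "\n";
    unlink($tmp);
}
```

Content scanning of this kind complements, and does not replace, storing uploads outside the web root or in a location where scripts are not executed.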

protected static array decodeFileData( array $data )
Method to decode a file data array.
Parameters
- $data
array - $data The data array to decode.
Returns
array
Since
3.4

protected string _remove( string $source )
Internal method to iteratively remove all unwanted tags and attributes
Deprecated
4.0 Use JFilterInput::remove() instead
Parameters
- $source
string - $source Input string to be 'cleaned'
Returns
string - 'Cleaned' version of input parameter
Since
11.1

protected string remove( string $source )
Internal method to iteratively remove all unwanted tags and attributes
Parameters
- $source
string - $source Input string to be 'cleaned'
Returns
string - 'Cleaned' version of input parameter
Since
3.5
Overrides

protected string _cleanTags( string $source )
Internal method to strip a string of certain tags
Deprecated
4.0 Use JFilterInput::cleanTags() instead
Parameters
- $source
string - $source Input string to be 'cleaned'
Returns
string - 'Cleaned' version of input parameter
Since
11.1

protected string cleanTags( string $source )
Internal method to strip a string of certain tags
Parameters
- $source
string - $source Input string to be 'cleaned'
Returns
string - 'Cleaned' version of input parameter
Since
3.5
Overrides

protected array _cleanAttributes( array $attrSet )
Internal method to strip a tag of certain attributes
Deprecated
4.0 Use JFilterInput::cleanAttributes() instead
Parameters
- $attrSet
array - $attrSet Array of attribute pairs to filter
Returns
array - Filtered array of attribute pairs
Since
11.1

protected string escapeAttributeValues( string $source )
Escape < > and " inside attribute values
Parameters
- $source
string - $source The source string.
Returns
string - Filtered string
Since
3.5
Overrides

protected string _decode( string $source )
Try to convert to plaintext
Deprecated
4.0 Use JFilterInput::decode() instead
Parameters
- $source
string - $source The source string.
Returns
string - Plaintext string
Since
11.1

protected string decode( string $source )
Try to convert to plaintext
Parameters
- $source
string - $source The source string.
Returns
string - Plaintext string
Since
3.5
Overrides

protected string _escapeAttributeValues( string $source )
Escape < > and " inside attribute values
Deprecated
4.0 Use JFilterInput::escapeAttributeValues() instead
Parameters
- $source
string - $source The source string.
Returns
string - Filtered string
Since
11.1

protected string _stripCSSExpressions( string $source )
Remove CSS Expressions in the form of <property>:expression(...)
Deprecated
4.0 Use JFilterInput::stripCSSExpressions() instead
Parameters
- $source
string - $source The source string.
Returns
string - Filtered string
Since
11.1

protected mixed stripUSC( mixed $source )
Recursively strip Unicode Supplementary Characters from the source. Note: objects cannot be filtered.
Parameters
- $source
mixed - $source The data to filter
Returns
mixed - The filtered result
Since
3.5