Class JFilterInput

Description

JFilterInput is a class for filtering input from any data source

Forked from the PHP Input Filter library by Daniel Morris <dan@rootcube.com>. Original contributors: Gianpaolo Racca, Ghislain Picard, Marco Wandschneider, Chris Tobin and Andrew Eddie.

  • since: 11.1

Located in /libraries/joomla/filter/input.php (line 22)

Variable Summary
 static array $instances
 array $attrArray
 integer $attrMethod
 array $tagsArray
 integer $tagsMethod
 integer $xssAuto
Method Summary
 static boolean checkAttribute (array $attrSubSet)
 static JFilterInput &getInstance ([array $tagsArray = array()], [array $attrArray = array()], [integer $tagsMethod = 0], [integer $attrMethod = 0], [integer $xssAuto = 1])
 JFilterInput __construct ([array $tagsArray = array()], [array $attrArray = array()], [integer $tagsMethod = 0], [integer $attrMethod = 0], [integer $xssAuto = 1])
 mixed clean (mixed $source, [string $type = 'string'])
 array _cleanAttributes (array $attrSet)
 string _cleanTags (string $source)
 string _decode (string $source)
 string _escapeAttributeValues (string $source)
 string _remove (string $source)
 string _stripCSSExpressions (string $source)
Variables
static array $instances = array() (line 30)

A container for JFilterInput instances.

  • since: 11.3
  • access: protected
array $attrArray (line 46)

The array of permitted tag attributes (white list).

  • since: 11.1
  • access: public
array $attrBlacklist = array(
'action',
'background',
'codebase',
'dynsrc',
'lowsrc'
)
(line 109)

The list of the default blacklisted tag attributes. All event handlers implicit.

  • since: 11.1
  • access: public
integer $attrMethod (line 62)

The method for sanitising attributes: WhiteList method = 0 (default), BlackList method = 1

  • since: 11.1
  • access: public
array $tagBlacklist = array(
'applet',
'body',
'bgsound',
'base',
'basefont',
'embed',
'frame',
'frameset',
'head',
'html',
'id',
'iframe',
'ilayer',
'layer',
'link',
'meta',
'name',
'object',
'script',
'style',
'title',
'xml'
)
(line 78)

The list of the default blacklisted tags.

  • since: 11.1
  • access: public
array $tagsArray (line 38)

The array of permitted tags (white list).

  • since: 11.1
  • access: public
integer $tagsMethod (line 54)

The method for sanitising tags: WhiteList method = 0 (default), BlackList method = 1

  • since: 11.1
  • access: public
integer $xssAuto (line 70)

A flag for XSS checks. Only auto clean essentials = 0, Allow clean blacklisted tags/attr = 1

  • since: 11.1
  • access: public
Methods
static checkAttribute (line 310)

Function to determine if contents of an attribute are safe

  • return: True if bad code is detected
  • since: 11.1
  • access: public
static boolean checkAttribute (array $attrSubSet)
  • array $attrSubSet: A 2 element array for attribute's name, value
static getInstance (line 155)

Returns an input filter object, only creating it if it doesn't already exist.

  • return: The JFilterInput object.
  • since: 11.1
  • access: public
static JFilterInput &getInstance ([array $tagsArray = array()], [array $attrArray = array()], [integer $tagsMethod = 0], [integer $attrMethod = 0], [integer $xssAuto = 1])
  • array $tagsArray: List of user-defined tags
  • array $attrArray: List of user-defined attributes
  • integer $tagsMethod: WhiteList method = 0, BlackList method = 1
  • integer $attrMethod: WhiteList method = 0, BlackList method = 1
  • integer $xssAuto: Only auto clean essentials = 0, Allow clean blacklisted tags/attr = 1
Constructor __construct (line 128)

Constructor for inputFilter class. Only first parameter is required.

  • since: 11.1
  • access: public
JFilterInput __construct ([array $tagsArray = array()], [array $attrArray = array()], [integer $tagsMethod = 0], [integer $attrMethod = 0], [integer $xssAuto = 1])
  • array $tagsArray: List of user-defined tags
  • array $attrArray: List of user-defined attributes
  • integer $tagsMethod: WhiteList method = 0, BlackList method = 1
  • integer $attrMethod: WhiteList method = 0, BlackList method = 1
  • integer $xssAuto: Only auto clean essentials = 0, Allow clean blacklisted tags/attr = 1
clean (line 194)

Method to be called by another php script. Processes for XSS and specified bad code.

  • return: 'Cleaned' version of input parameter
  • since: 11.1
  • access: public
mixed clean (mixed $source, [string $type = 'string'])
  • mixed $source: Input string/array-of-string to be 'cleaned'
  • string $type: The return type for the variable:
      • INT: An integer
      • UINT: An unsigned integer
      • FLOAT: A floating point number
      • BOOLEAN: A boolean value
      • WORD: A string containing A-Z or underscores only (not case sensitive)
      • ALNUM: A string containing A-Z or 0-9 only (not case sensitive)
      • CMD: A string containing A-Z, 0-9, underscores, periods or hyphens (not case sensitive)
      • BASE64: A string containing A-Z, 0-9, forward slashes, plus or equals (not case sensitive)
      • STRING: A fully decoded and sanitised string (default)
      • HTML: A sanitised string
      • ARRAY: An array
      • PATH: A sanitised file path
      • USERNAME: Do not use (use an application specific filter)
      • RAW: The raw string is returned with no filtering
      • unknown: An unknown filter will act like STRING. If the input is an array it will return an array of fully decoded and sanitised strings.
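
A usage example for getInstance() and clean(), added here and not taken from the Joomla source: the hypothetical helper cleanFields() accepts only type names from the clean() list, because an unknown type acts like STRING and RAW applies no filtering. It assumes the Joomla Platform is already loaded so that JFilterInput is available; the request array is constructed sample data.

```php
<?php
// Added example, not Joomla's own code. Assumes the Joomla Platform is already
// bootstrapped so that JFilterInput (/libraries/joomla/filter/input.php) loads.
if (!class_exists('JFilterInput')) {
    exit("JFilterInput is not available; run this inside a Joomla application.\n");
}

/**
 * Hypothetical helper: clean each field of $input with the type named in $schema.
 * Only types documented for clean() are accepted: a misspelled type would act
 * like STRING, RAW applies no filtering, and USERNAME is marked "Do not use".
 */
function cleanFields(array $input, array $schema, JFilterInput $filter)
{
    $allowed = array('INT', 'UINT', 'FLOAT', 'BOOLEAN', 'WORD', 'ALNUM',
                     'CMD', 'BASE64', 'STRING', 'HTML', 'ARRAY', 'PATH');
    $clean = array();
    foreach ($schema as $field => $type) {
        if (!in_array(strtoupper($type), $allowed, true)) {
            throw new InvalidArgumentException("Refusing filter type '$type' for '$field'");
        }
        if (array_key_exists($field, $input)) {
            $clean[$field] = $filter->clean($input[$field], $type);
        }
    }
    return $clean; // fields that are not named in $schema are dropped
}

// Constructed sample input, shaped like request data.
$request = array(
    'id'      => '42abc',
    'task'    => 'article.save',
    'comment' => '<p onclick="x()">Hi <b>there</b></p><script>x()</script>',
    'extra'   => 'not in the schema',
);

// Default instance: empty white lists, white-list methods (0), xssAuto = 1.
$strict = JFilterInput::getInstance();
$fields = cleanFields($request, array('id' => 'INT', 'task' => 'CMD'), $strict);

// Rich-text instance: only these tags and attributes are on the white lists.
$rich = JFilterInput::getInstance(array('p', 'b', 'a'), array('href', 'title'), 0, 0, 1);
$fields['comment'] = $rich->clean($request['comment'], 'HTML');

var_dump($fields);
```
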
_cleanAttributes (line 581)

Internal method to strip a tag of certain attributes

  • return: Filtered array of attribute pairs
  • since: 11.1
  • access: protected
array _cleanAttributes (array $attrSet)
  • array $attrSet: Array of attribute pairs to filter
_cleanTags (line 352)

Internal method to strip a string of certain tags

  • return: 'Cleaned' version of input parameter
  • since: 11.1
  • access: protected
string _cleanTags (string $source)
  • string $source: Input string to be 'cleaned'
_decode (line 683)

Try to convert to plaintext

  • return: Plaintext string
  • since: 11.1
  • access: protected
string _decode (string $source)
  • string $source: The source string.
_escapeAttributeValues (line 733)

Escape < > and " inside attribute values

  • return: Filtered string
  • since: 11.1
  • access: protected
string _escapeAttributeValues (string $source)
  • string $source: The source string.
_remove (line 329)

Internal method to iteratively remove all unwanted tags and attributes

  • return: 'Cleaned' version of input parameter
  • since: 11.1
  • access: protected
string _remove (string $source)
  • string $source: Input string to be 'cleaned'
_stripCSSExpressions (line 788)

Remove CSS Expressions in the form of <property>:expression(...)

  • return: Filtered string
  • since: 11.1
  • access: protected
string _stripCSSExpressions (string $source)
  • string $source: The source string.

Documentation generated on Tue, 19 Nov 2013 15:05:35 +0100 by phpDocumentor 1.4.3