class InputFilter extends InputFilter

InputFilter is a class for filtering input from any data source

Forked from the php input filter library by: Daniel Morris dan@rootcube.com Original Contributors: Gianpaolo Racca, Ghislain Picard, Marco Wandschneider, Chris Tobin and Andrew Eddie.

Properties

integer $stripUSC A flag for Unicode Supplementary Characters (4-byte Unicode character) stripping.

Methods

__construct( array $tagsArray = array(), array $attrArray = array(), integer $tagsMethod, integer $attrMethod, integer $xssAuto = 1, integer $stripUSC = -1)

Constructor for the InputFilter class. Only the first parameter is required.

static InputFilter
getInstance( array $tagsArray = array(), array $attrArray = array(), integer $tagsMethod, integer $attrMethod, integer $xssAuto = 1, integer $stripUSC = -1)

Returns an input filter object, only creating it if it doesn't already exist.

mixed
clean( mixed $source, string $type = 'string')

Method to be called by another PHP script. Processes the input for XSS and the specified bad code.

string
emailToPunycode( string $text)

Function to punycode-encode UTF-8 email addresses when saving content.

static boolean
isSafeFile( array $file, array $options = array())

Checks an uploaded file for suspicious naming and potential PHP contents which could indicate a hacking attempt.

Details

__construct( array $tagsArray = array(), array $attrArray = array(), integer $tagsMethod, integer $attrMethod, integer $xssAuto = 1, integer $stripUSC = -1)

Constructor for the InputFilter class. Only the first parameter is required.

Parameters

array $tagsArray List of user-defined tags
array $attrArray List of user-defined attributes
integer $tagsMethod WhiteList method = 0, BlackList method = 1
integer $attrMethod WhiteList method = 0, BlackList method = 1
integer $xssAuto Only auto clean essentials = 0, Allow clean blacklisted tags/attr = 1
integer $stripUSC Strip 4-byte unicode characters = 1, no strip = 0, ask the database driver = -1

static InputFilter getInstance( array $tagsArray = array(), array $attrArray = array(), integer $tagsMethod, integer $attrMethod, integer $xssAuto = 1, integer $stripUSC = -1)

Returns an input filter object, only creating it if it doesn't already exist.

Parameters

array $tagsArray List of user-defined tags
array $attrArray List of user-defined attributes
integer $tagsMethod WhiteList method = 0, BlackList method = 1
integer $attrMethod WhiteList method = 0, BlackList method = 1
integer $xssAuto Only auto clean essentials = 0, Allow clean blacklisted tags/attr = 1
integer $stripUSC Strip 4-byte unicode characters = 1, no strip = 0, ask the database driver = -1

Return Value

InputFilter The InputFilter object.
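A worked example of the whitelist/blacklist modes described for the constructor (getInstance() takes the same arguments). This is added illustration, not code from the page or from Joomla; it assumes the class autoloads as Joomla\CMS\Filter\InputFilter (namespace not shown above) and uses a constructed HTML sample.

```php
<?php
// Added example, not part of the Joomla API page. Assumes the class
// autoloads as Joomla\CMS\Filter\InputFilter (namespace not shown above).
use Joomla\CMS\Filter\InputFilter;

// Constructed sample: untrusted HTML as it might arrive from a comment form.
$untrusted = '<p onclick="alert(1)">Hello <strong>world</strong> '
    . '<a href="https://example.com" onmouseover="alert(2)">link</a></p>'
    . '<script>alert(3)</script>';

// Whitelist mode ($tagsMethod = 0, $attrMethod = 0): only the listed tags and
// attributes survive, everything else is removed. With $xssAuto = 1 the
// class's built-in blacklist (script tags, event-handler attributes and the
// like) is applied on top, whatever the lists say.
$allowedTags  = array('p', 'strong', 'a');
$allowedAttrs = array('href');
$whitelist = new InputFilter($allowedTags, $allowedAttrs, 0, 0, 1);
$safeHtml  = $whitelist->clean($untrusted, 'HTML');

// Blacklist mode ($tagsMethod = 1, $attrMethod = 1): the lists name what to
// remove; with empty lists only the built-in blacklist is stripped and all
// other markup passes through. Far more permissive, so reserve it for
// content from trusted editors.
$blacklist = new InputFilter(array(), array(), 1, 1, 1);
$richHtml  = $blacklist->clean($untrusted, 'HTML');

// The default constructor (empty whitelist, $tagsMethod = 0) removes every
// tag, which is the right choice for plain-text fields.
$plain = (new InputFilter())->clean($untrusted, 'STRING');

var_dump($safeHtml, $richHtml, $plain);
```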

mixed clean( mixed $source, string $type = 'string')

Method to be called by another PHP script. Processes the input for XSS and the specified bad code.

Parameters

mixed $source Input string/array-of-string to be 'cleaned'
string $type The return type for the variable:
    INT:      An integer, or an array of integers
    UINT:     An unsigned integer, or an array of unsigned integers
    FLOAT:    A floating point number, or an array of floating point numbers
    BOOLEAN:  A boolean value
    WORD:     A string containing A-Z or underscores only (not case sensitive)
    ALNUM:    A string containing A-Z or 0-9 only (not case sensitive)
    CMD:      A string containing A-Z, 0-9, underscores, periods or hyphens (not case sensitive)
    BASE64:   A string containing A-Z, 0-9, forward slashes, plus or equals (not case sensitive)
    STRING:   A fully decoded and sanitised string (default)
    HTML:     A sanitised string
    ARRAY:    An array
    PATH:     A sanitised file path, or an array of sanitised file paths
    TRIM:     A string trimmed from normal, non-breaking and multibyte spaces
    USERNAME: Do not use (use an application specific filter)
    RAW:      The raw string is returned with no filtering
    unknown:  An unknown filter will act like STRING. If the input is an array it will return an array of fully decoded and sanitised strings.

Return Value

mixed 'Cleaned' version of input parameter
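The type filters listed above, applied field by field to one constructed form submission. This is an added example, not code from the page or from Joomla; it assumes the class autoloads as Joomla\CMS\Filter\InputFilter and that the sample values are constructed.

```php
<?php
// Added example, not part of the Joomla API page. Assumes the class
// autoloads as Joomla\CMS\Filter\InputFilter (namespace not shown above).
use Joomla\CMS\Filter\InputFilter;
/**
 * Normalise one form submission with a type-specific filter per field, so
 * each value has the shape the consuming code expects before it reaches
 * SQL, the file system or the rendered page.
 */
function cleanSubmission(array $post)
{
    $filter = InputFilter::getInstance();
    return array(
        // INT: the first signed integer in the value; the rest is dropped.
        'id'       => $filter->clean($post['id'], 'INT'),
        // UINT: as INT, with the sign removed.
        'page'     => $filter->clean($post['page'], 'UINT'),
        // CMD: letters, digits, underscore, period and hyphen only, which is
        // the right shape for a task/view name used to select a code path.
        'task'     => $filter->clean($post['task'], 'CMD'),
        // WORD: letters and underscores only, e.g. a sort column name.
        'sort'     => $filter->clean($post['sort'], 'WORD'),
        // PATH: a restricted per-segment character set; input that does not
        // fit the pattern (such as a ".." segment) is not partially repaired.
        'path'     => $filter->clean($post['path'], 'PATH'),
        // BASE64: only the Base64 alphabet, "/", "+" and "=" survive.
        'token'    => $filter->clean($post['token'], 'BASE64'),
        // BOOLEAN: PHP truthiness of the raw value.
        'remember' => $filter->clean($post['remember'], 'BOOLEAN'),
        // STRING (the default): entities decoded, then all tags removed.
        'comment'  => $filter->clean($post['comment'], 'STRING'),
        // INT over an array: each element is cleaned, e.g. checkbox ids.
        'cid'      => $filter->clean((array) $post['cid'], 'INT'),
    );
}

// Constructed sample submission carrying the kind of noise a client can send.
$post = array(
    'id'       => '42abc',
    'page'     => '-3',
    'task'     => 'article.save?x=1',
    'sort'     => 'title; extra',
    'path'     => '../private/config.php',
    'token'    => 'YWJj<b>',
    'remember' => 'yes',
    'comment'  => 'Nice <script>alert(1)</script> post',
    'cid'      => array('7', '8x', 'nine'),
);
var_dump(cleanSubmission($post));
```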

string emailToPunycode( string $text)

Function to punycode-encode UTF-8 email addresses when saving content.

Parameters

string $text The string to encode

Return Value

string The punycode-encoded mail

static boolean isSafeFile( array $file, array $options = array())

Checks an uploaded file for suspicious naming and potential PHP contents which could indicate a hacking attempt.

The options you can define are:
    null_byte                   Prevent files with a null byte in their name (buffer overflow attack)
    forbidden_extensions        Do not allow these strings anywhere in the file's extension
    php_tag_in_content          Do not allow <?php tag in content
    phar_stub_in_content        Do not allow the __HALT_COMPILER() phar stub in content
    shorttag_in_content         Do not allow short tag <? in content
    shorttag_extensions         Which file extensions to scan for short tags in content
    fobidden_ext_in_content     Do not allow forbidden_extensions anywhere in content
    php_ext_content_extensions  Which file extensions to scan for .php in content

This code is an adaptation and improvement of Admin Tools' UploadShield feature, relicensed and contributed by its author.

Parameters

array $file An uploaded file descriptor
array $options The scanner options (see the code for details)

Return Value

boolean True if the file is safe
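Gating an upload with isSafeFile() and the options listed above, as an added example that is not code from the page or from Joomla. It assumes the class autoloads as Joomla\CMS\Filter\InputFilter, that $file is a $_FILES-style descriptor with 'name' and 'tmp_name', and that the option keys are spelled as in the class's own defaults array (with underscores); the sample files and option lists are constructed.

```php
<?php
// Added example, not part of the Joomla API page. Assumes the class
// autoloads as Joomla\CMS\Filter\InputFilter (namespace not shown above)
// and that $file is a $_FILES-style descriptor with 'name' and 'tmp_name'.
use Joomla\CMS\Filter\InputFilter;
/**
 * Gate an upload before it is moved under the web root. Returns a reason
 * string when the file must be rejected, or null when it may be stored.
 */
function vetUpload(array $file)
{
    // Ordinary PHP upload hygiene first; isSafeFile() does not replace it
    // (the caller still uses move_uploaded_file() to store the file).
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        return 'upload failed or missing';
    }
    // Option keys as in the class's own defaults array (underscored);
    // keys left out keep their default values. The lists are constructed.
    $options = array(
        'null_byte'                  => true,   // "\0" in the name
        'forbidden_extensions'       => array('php', 'phtml', 'phar', 'pl', 'cgi'),
        'php_tag_in_content'         => true,   // "<?php" anywhere in the file
        'phar_stub_in_content'       => true,   // __HALT_COMPILER() phar stub
        'shorttag_in_content'        => true,   // "<?" in the extensions below
        'shorttag_extensions'        => array('txt', 'dat', 'tpl', 'tmpl'),
        'fobidden_ext_in_content'    => true,   // spelled as in the class
        'php_ext_content_extensions' => array('zip', 'tar', 'gz'),
    );
    return InputFilter::isSafeFile($file, $options) ? null : 'rejected by isSafeFile';
}

// Constructed sample files so the example runs stand-alone (real uploads
// arrive in $_FILES with tmp_name set by PHP).
$okTmp  = tempnam(sys_get_temp_dir(), 'up');
$badTmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($okTmp, "just some notes");
file_put_contents($badTmp, "<?php echo 'not a text file';");
$cases = array(
    array('name' => 'notes.txt',     'tmp_name' => $okTmp,  'error' => UPLOAD_ERR_OK),
    array('name' => 'notes.txt',     'tmp_name' => $badTmp, 'error' => UPLOAD_ERR_OK), // PHP tag in content
    array('name' => "img.php\0.jpg", 'tmp_name' => $okTmp,  'error' => UPLOAD_ERR_OK), // null byte in name
);
foreach ($cases as $file) {
    $reason = vetUpload($file);
    echo str_replace("\0", '\0', $file['name']), ': ', $reason === null ? 'stored' : $reason, PHP_EOL;
}
unlink($okTmp);
unlink($badTmp);
```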