PHPonTrax

Class: InputFilter

Source Location: /vendor/trax/input_filter.php

Class Overview


Filter user input to remove potential security threats




Class Details

[line 32]
Filter user input to remove potential security threats

InputFilter has three public methods that are useful in protecting a web site from potential security threats from user input.

  • safeSQL() protects SQL from the user.
  • process() protects HTML tags and attributes from the user.
  • process_all() applies process() to all possible sources of user input
For usage instructions see the class tutorial.




Tags:

todo:  Check FIXMEs




Class Variables

static $attrArray = array()

[line 50]

User-provided list of attributes to either accept or reject

Whether the attributes in this list are accepted or rejected is determined by the value of $attrMethod.




Tags:

access:  protected
usedby:  InputFilter::filterAttr()
usedby:  InputFilter::init()

Type:   string[]



static $attrBlacklist = array('action', 'background', 'codebase', 'dynsrc', 'lowsrc')

[line 132]

List of attributes to be removed

If $xssAuto is true, remove the attributes in this list.




Tags:

access:  protected
usedby:  InputFilter::filterAttr()

Type:   string[]



static $attrMethod =  true

[line 86]

How to apply user-provided attribute list

Which method to use when applying the list of attributes provided by the user and stored in $attrArray.




Tags:

var:  Tested by filterAttr() to see whether the user-provided list of attributes in $attrArray describes those attributes which are forbidden, or those which are permitted. Default false.
  • true => Remove those attributes which are in $attrArray.
  • false => Allow only those attributes which are listed in $attrArray.
access:  protected
usedby:  InputFilter::filterAttr()
usedby:  InputFilter::init()

Type:   boolean



static $exception_fields = array()

[line 112]

Fields to exclude from filtering, i.e. fields in which HTML and other otherwise banned content is allowed.



Tags:

access:  protected

Type:   array



static $tagBlacklist = array('applet', 'body', 'bgsound', 'base', 'basefont', 'embed',
              'frame', 'frameset', 'head', 'html', 'id', 'iframe',
              'ilayer', 'layer', 'link', 'meta', 'name', 'object',
              'script', 'style', 'title', 'xml')

[line 120]

List of tags to be removed

If $xssAuto is true, remove the tags in this list.




Tags:

access:  protected
usedby:  InputFilter::filterTags()

Type:   string[]



static $tagsArray = array()

[line 41]

User-provided list of tags to either accept or reject

Whether the tags in this list are accepted or rejected is determined by the value of $tagsMethod.




Tags:

access:  protected
usedby:  InputFilter::filterTags()
usedby:  InputFilter::init()

Type:   string[]



static $tagsMethod =  true

[line 68]

How to apply user-provided tags list

Which method to use when applying the list of tags provided by the user and stored in $tagsArray.




Tags:

var:  Tested by filterTags() to see whether the user-provided list of tags in $tagsArray describes those tags which are forbidden, or those tags which are permitted. Default false.
  • true => Remove those tags which are in $tagsArray.
  • false => Allow only those tags which are listed in $tagsArray.
access:  protected
usedby:  InputFilter::filterTags()
usedby:  InputFilter::init()

Type:   boolean



static $xssAuto =  true

[line 105]

Whether to remove blacklisted tags and attributes



Tags:

var:  Tested by filterAttr() and filterTags() to see whether to remove blacklisted tags and attributes. Default true.
access:  protected
usedby:  InputFilter::filterAttr()
usedby:  InputFilter::filterTags()

Type:   boolean





Class Methods


method add_field_exception [line 193]

void add_field_exception( $field)

Adds a field to exclude from filtering



Tags:

access:  public


Parameters:

   $field  


method clear_field_exceptions [line 203]

void clear_field_exceptions( )

Clears all previous field exceptions



Tags:

access:  public



method decode [line 535]

string decode( string $source)

Convert HTML entities to characters

Convert an input string containing HTML entities to the corresponding characters (&amp; => &). The ISO 8859-1 character set is assumed.




Tags:

return:  Input string, with entities converted to characters
access:  protected
usedby:  InputFilter::process()
uses:  preg_replace()
uses:  html_entity_decode()
uses:  chr()


Parameters:

string   $source   Character string containing HTML entities


method filterAttr [line 466]

string[] filterAttr( string[] $attrSet)

Internal method to strip a tag of certain attributes

Remove potentially dangerous attributes from a set of "attr=value" strings. Attributes considered dangerous are:

  • Any attribute name containing any non-alphabetic character
  • Any attribute name beginning "on..."
  • If $xssAuto is true, any attribute name in $attrBlacklist
  • Any attribute with a value containing the strings 'javascript:', 'behaviour:', 'vbscript:', 'mocha:', 'livescript:'
  • Any attribute whose name contains 'style' and whose value contains 'expression'.
  • If there is a user-provided list of attributes in $attrArray, process according to the value of $attrMethod.




Tags:

return:  Input with potentially dangerous attributes removed
access:  protected
usedby:  InputFilter::filterTags()
uses:  InputFilter::$xssAuto
uses:  InputFilter::$attrMethod
uses:  InputFilter::$attrBlacklist
uses:  InputFilter::$attrArray


Parameters:

string[]   $attrSet   Array of strings "attr=value" parsed from a tag.


method filterTags [line 338]

string filterTags( string $source)

Remove forbidden tags and attributes from a string

Inspect the input for tags "<tagname ...>" and check the tag name against a list of forbidden tag names. Delete all tags with forbidden names. If $xssAuto is true, delete all tags in $tagBlacklist. If there is a user-defined tag list in $tagsArray, process according to the value of $tagsMethod.

If the tag name is OK, then call filterAttr() to check all attributes of the tag and delete forbidden attributes.




Tags:

return:  Cleaned version of input parameter
access:  protected
usedby:  InputFilter::remove()
uses:  InputFilter::filterAttr()
uses:  InputFilter::$xssAuto
uses:  InputFilter::$tagsArray
uses:  InputFilter::$tagsMethod
uses:  InputFilter::$tagBlacklist


Parameters:

string   $source   Input string to be 'cleaned'


method init [line 174]

void init( [string[] $tagsArray = array()], [string[] $attrArray = array()], [boolean $tagsMethod = true], [boolean $attrMethod = true], [boolean $xssAuto = true])

Initializer for InputFilter class.



Tags:



Parameters:

string[]   $tagsArray   User-provided list of tags to either accept or reject. Default: none
string[]   $attrArray   User-provided list of attributes to either accept or reject. Default: none
boolean   $tagsMethod   How to apply the list of tags in $tagsArray:
  • true => Remove those tags which are listed in $tagsArray.
  • false => Allow only those tags which are listed in $tagsArray.
Default: false
boolean   $attrMethod   How to apply the list of attributes in $attrArray:
  • true => Remove those attributes which are listed in $attrArray.
  • false => Allow only those attributes which are listed in $attrArray.
Default: false
boolean   $xssAuto   Whether filterTags() and filterAttr() remove the blacklisted tags and attributes. Default: true


method process [line 279]

mixed process( mixed $source, [ $extra_key = null])

Remove forbidden tags and attributes from array of strings

Accept a string or array of strings. For each string in the source, remove the forbidden tags and attributes from the string.




Tags:

return:  'cleaned' version of input parameter
access:  public
usedby:  InputFilter::process_all()
uses:  InputFilter::remove()
uses:  InputFilter::decode()


Parameters:

mixed   $source   Input string or array of strings to be 'cleaned'
   $extra_key  


method process_all [line 253]

void process_all( [string[] $tagsArray = array()], [string[] $attrArray = array()], [boolean $tagsMethod = true], [boolean $attrMethod = true], [boolean $xssAuto = true])

Remove forbidden tags and attributes from user input

Construct an InputFilter object. Then apply the process() method to each of the user input arrays $_POST, $_GET and $_REQUEST. FIXME: isn't it partly redundant to do this to $_REQUEST? Shouldn't we do it to $_COOKIE instead?




Tags:

author:  John Peterson
todo:  Check out FIXMEs
access:  public
usedby:  Dispatcher::dispatch()
uses:  __construct()
uses:  InputFilter::process()


Parameters:

string[]   $tagsArray   User-provided list of tags to either accept or reject. Default: none
string[]   $attrArray   User-provided list of attributes to either accept or reject. Default: none
boolean   $tagsMethod   How to apply the list of tags in $tagsArray:
  • true => Remove those tags which are listed in $tagsArray.
  • false => Allow only those tags which are listed in $tagsArray.
Default: false
boolean   $attrMethod   How to apply the list of attributes in $attrArray:
  • true => Remove those attributes which are listed in $attrArray.
  • false => Allow only those attributes which are listed in $attrArray.
Default: false
boolean   $xssAuto   Whether filterTags() and filterAttr() remove the blacklisted tags and attributes. Default: true


method remove [line 310]

string remove( string $source)

Remove forbidden tags and attributes from a string iteratively

Call filterTags() repeatedly until no change in the input is produced.




Tags:

return:  'cleaned' version of $source
access:  protected
usedby:  InputFilter::process()
uses:  InputFilter::filterTags()


Parameters:

string   $source   Input string to be 'cleaned'
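As an added illustration (not the PHPonTrax source), the attribute checks documented for filterAttr() and the fixed-point loop documented for remove(), with a minimal stand-in for filterTags(); the function names and sample inputs are constructed here, while the blacklist values are the ones listed on this page:

```php
<?php
// Added illustration of the rules documented for filterAttr() and the
// fixed-point loop documented for remove(); not the PHPonTrax source.
// Blacklist values are the ones listed on this page for $attrBlacklist.
$attrBlacklist = array('action', 'background', 'codebase', 'dynsrc', 'lowsrc');

// Keep only the "attr=value" strings that pass the documented checks.
function filter_attr_set(array $attrSet, array $attrBlacklist, $xssAuto = true) {
    $schemes = array('javascript:', 'behaviour:', 'vbscript:', 'mocha:', 'livescript:');
    $safe = array();
    foreach ($attrSet as $pair) {
        $parts = explode('=', $pair, 2);
        $name  = strtolower(trim($parts[0]));
        $value = isset($parts[1]) ? strtolower(trim($parts[1], " \t\"'")) : '';
        if (!preg_match('/^[a-z]+$/', $name)) continue;      // non-alphabetic name
        if (strpos($name, 'on') === 0) continue;             // on* event handlers
        if ($xssAuto && in_array($name, $attrBlacklist)) continue;
        foreach ($schemes as $bad) {                         // script-capable URLs
            if (strpos($value, $bad) !== false) continue 2;
        }
        if (strpos($name, 'style') !== false && strpos($value, 'expression') !== false) continue;
        $safe[] = $pair;
    }
    return $safe;
}

// Minimal stand-in for filterTags(): drop every <tag ...> or </tag> whose name
// is in the blacklist. The real method also checks attributes of surviving tags.
function strip_blacklisted_tags($source, array $tagBlacklist) {
    $names = implode('|', array_map('preg_quote', $tagBlacklist));
    return preg_replace('/<\/?(' . $names . ')\b[^>]*>/i', '', $source);
}

// remove() as documented: reapply the tag filter until nothing changes.
function remove_until_stable($source, array $tagBlacklist) {
    do {
        $before = $source;
        $source = strip_blacklisted_tags($source, $tagBlacklist);
    } while ($source !== $before);
    return $source;
}

// Constructed inputs (not from the page).
print_r(filter_attr_set(array('href=javascript:alert(1)', 'onclick=x()', 'class=note',
                              'dynsrc=a', 'style=width:expression(1)'), $attrBlacklist));
$input = '<scr<script>ipt>alert(1)</scr<script>ipt>';
echo strip_blacklisted_tags($input, array('script')), "\n";  // one pass only
echo remove_until_stable($input, array('script')), "\n";     // loop until stable
```

Of the five constructed attributes only class=note passes; a single tag pass reassembles the split input into a complete script element, which is why remove() keeps calling filterTags() until the output stops changing.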



Documentation generated on Mon, 21 May 2007 22:28:41 -0600 by phpDocumentor 1.3.2