PHPonTrax

Class: InputFilter

Source Location: /vendor/trax/input_filter.php

Class Overview


Filter user input to remove potential security threats


Class Details

[line 32]
Filter user input to remove potential security threats

InputFilter has three public methods that are useful in protecting a web site from potential security threats from user input.

For usage instructions see the class tutorial.




Tags:

todo:  Check FIXMEs




Class Variables

$attrArray = array()

[line 52]

User-provided list of attributes to either accept or reject

Whether the attributes in this list are accepted or rejected is determined by the value of $attrMethod. FIXME: static declaration must be after visibility declaration




Tags:

usedby:  InputFilter::filterAttr()
usedby:  InputFilter::__construct()
access:  protected
static:  

Type:   string[]



$attrBlacklist = array('action', 'background', 'codebase', 'dynsrc', 'lowsrc')

[line 132]

List of attributes to be removed

If $xssAuto is true, remove the attributes in this list.




Tags:

var:  FIXME: static declaration must be after visibility declaration
usedby:  InputFilter::filterAttr()
access:  protected
static:  

Type:   string[]



$attrMethod =  0

[line 90]

How to apply user-provided attribute list

Which method to use when applying the list of attributes provided by the user and stored in $attrArray.




Tags:

var:  Tested by filterAttr() to see whether the user-provided list of attributes in $attrArray describes those attributes which are forbidden, or those which are permitted. Default false.
  • true => Remove those attributes which are in $attrArray.
  • false => Allow only those attributes which are listed in $attrArray.
FIXME: static declaration must be after visibility declaration
usedby:  InputFilter::filterAttr()
usedby:  InputFilter::__construct()
access:  protected
static:  

Type:   boolean



$tagBlacklist = array('applet', 'body', 'bgsound', 'base', 'basefont', 'embed',
              'frame', 'frameset', 'head', 'html', 'id', 'iframe',
              'ilayer', 'layer', 'link', 'meta', 'name', 'object',
              'script', 'style', 'title', 'xml')

[line 119]

List of tags to be removed

If $xssAuto is true, remove the tags in this list.




Tags:

var:  FIXME: static declaration must be after visibility declaration
usedby:  InputFilter::filterTags()
access:  protected
static:  

Type:   string[]



$tagsArray = array()

[line 42]

User-provided list of tags to either accept or reject

Whether the tags in this list are accepted or rejected is determined by the value of $tagsMethod. FIXME: static declaration must be after visibility declaration




Tags:

usedby:  InputFilter::filterTags()
usedby:  InputFilter::__construct()
access:  protected
static:  

Type:   string[]



$tagsMethod =  0

[line 71]

How to apply user-provided tags list

Which method to use when applying the list of tags provided by the user and stored in $tagsArray.




Tags:

var:  Tested by filterTags() to see whether the user-provided list of tags in $tagsArray describes those tags which are forbidden, or those tags which are permitted. Default false.
  • true => Remove those tags which are in $tagsArray.
  • false => Allow only those tags which are listed in $tagsArray.
FIXME: static declaration must be after visibility declaration
usedby:  InputFilter::filterTags()
usedby:  InputFilter::__construct()
access:  protected
static:  

Type:   boolean



$xssAuto =  1

[line 110]

Whether to remove blacklisted tags and attributes



Tags:

var:  Tested by filterAttr() and filterTags() to see whether to remove blacklisted tags and attributes. Default true. FIXME: static declaration must be after visibility declaration
usedby:  InputFilter::filterAttr()
usedby:  InputFilter::filterTags()
access:  protected
static:  

Type:   boolean





Class Methods


constructor __construct [line 174]

InputFilter __construct( [string[] $tagsArray = array()], [string[] $attrArray = array()], [boolean $tagsMethod = 0], [boolean $attrMethod = 0], [boolean $xssAuto = 1])

Constructor for InputFilter class.




Parameters:

string[]   $tagsArray   User-provided list of tags to either accept or reject. Default: none
string[]   $attrArray   User-provided list of attributes to either accept or reject. Default: none
boolean   $tagsMethod   How to apply the list of tags in $tagsArray:
  • true => Remove those tags which are listed in $tagsArray.
  • false => Allow only those tags which are listed in $tagsArray.
Default: false
boolean   $attrMethod   How to apply the list of attributes in $attrArray:
  • true => Remove those attributes which are listed in $attrArray.
  • false => Allow only those attributes which are listed in $attrArray.
Default: false
boolean   $xssAuto   Whether filterTags() and filterAttr() also remove the built-in $tagBlacklist and $attrBlacklist entries. Default: true


method decode [line 508]

string decode( string $source)

Convert HTML entities to characters

Convert input string containing HTML entities to the corresponding character (e.g. &amp; => &). ISO 8859-1 character set is assumed.




Tags:

return:  Input string, with entities converted to characters
usedby:  InputFilter::process()
usedby:  InputFilter::safeSQL()
access:  protected
uses:  preg_replace()
uses:  html_entity_decode()
uses:  chr()


Parameters:

string   $source   Character string containing HTML entities


method escapeString [line 601]

string escapeString( string $string, resource &$connection)

Escape SQL special characters in string

Escape SQL special characters in the input string, taking into account the character set of the connection.

FIXME: since we require PHP 5, can't we remove the use of mysql_escape_string()?

FIXME: Shouldn't we pass the connection to mysql_real_escape_string()?

FIXME: Is this really RDBMS independent?




Tags:

return:  Value of $string with characters special in SQL escaped by '\'s
uses:  version_compare()
access:  protected
usedby:  InputFilter::quoteSmart()
uses:  phpversion()
uses:  mysql_real_escape_string()
author:  Chris Tobin, Daniel Morris
uses:  mysql_escape_string()
todo:  Check FIXMEs


Parameters:

string   $string   String to be protected
resource   $connection   An open MySQL connection


method filterAttr [line 446]

string[] filterAttr( string[] $attrSet)

Internal method to strip a tag of certain attributes

Remove potentially dangerous attributes from a set of "attr=value" strings. Attributes considered dangerous are:

  • Any attribute name containing any non-alphabetic character
  • Any attribute name beginning "on..."
  • If $xssAuto is true, any attribute name in $attrBlacklist
  • Any attribute with a value containing the strings 'javascript:', 'behaviour:', 'vbscript:', 'mocha:', 'livescript:'
  • Any attribute whose name contains 'style' and whose value contains 'expression'.
  • If there is a user-provided list of attributes in $attrArray, process according to the value of $attrMethod.




Tags:

return:  Input with potentially dangerous attributes removed
access:  protected
usedby:  InputFilter::filterTags()
uses:  InputFilter::$xssAuto
uses:  InputFilter::$attrMethod
uses:  InputFilter::$attrBlacklist
uses:  InputFilter::$attrArray


Parameters:

string[]   $attrSet   Array of strings "attr=value" parsed from a tag.
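The six rules above, re-implemented as a stand-alone function so the policy can be read and exercised without the library. This is an added example, not InputFilter::filterAttr() itself; the function names, the whitespace normalisation of attribute values, the regexes, and the constructed attribute set are my own assumptions.

```php
<?php
// Added example, not InputFilter::filterAttr(): the attribute rules listed
// above written out in isolation. ATTR_BLACKLIST and SCRIPT_SCHEMES copy the
// values documented on this page; everything else is an assumption.

const ATTR_BLACKLIST = array('action', 'background', 'codebase', 'dynsrc', 'lowsrc');
const SCRIPT_SCHEMES = array('javascript:', 'behaviour:', 'vbscript:', 'mocha:', 'livescript:');

// Rules 1-5: decided from the attribute name and value alone.
function attrIsDangerous($name, $value, $xssAuto = true)
{
    $name  = strtolower($name);
    $value = strtolower(preg_replace('/\s+/', '', $value)); // assumption: ignore embedded whitespace
    if (!preg_match('/^[a-z]+$/', $name)) {                  // rule 1: any non-alphabetic character
        return true;
    }
    if (strncmp($name, 'on', 2) === 0) {                     // rule 2: event-handler names
        return true;
    }
    if ($xssAuto && in_array($name, ATTR_BLACKLIST, true)) { // rule 3: built-in blacklist
        return true;
    }
    foreach (SCRIPT_SCHEMES as $scheme) {                    // rule 4: script schemes in the value
        if (strpos($value, $scheme) !== false) {
            return true;
        }
    }
    if (strpos($name, 'style') !== false && strpos($value, 'expression') !== false) {
        return true;                                         // rule 5: CSS expression()
    }
    return false;
}

// Rule 6 plus the loop over the "attr=value" set. $attrMethod = true means
// $attrArray is a deny list, false means it is an allow list; an empty
// $attrArray skips the rule, as the description above implies.
function filterAttrSet(array $attrSet, array $attrArray = array(), $attrMethod = false, $xssAuto = true)
{
    $userList = array_map('strtolower', $attrArray);
    $kept = array();
    foreach ($attrSet as $pair) {
        $parts = explode('=', $pair, 2);
        $name  = trim($parts[0]);
        $value = isset($parts[1]) ? trim($parts[1], " \t\"'") : '';
        if (attrIsDangerous($name, $value, $xssAuto)) {
            continue;
        }
        if ($userList) {
            $listed = in_array(strtolower($name), $userList, true);
            if ($attrMethod ? $listed : !$listed) {
                continue;
            }
        }
        $kept[] = $pair;
    }
    return $kept;
}

// Constructed sample: the attribute set parsed from one tag.
$attrSet = array(
    'href="http://example.com/"',
    'title="ok"',
    'onclick="x()"',
    'style="width: expression(1)"',
    'src="javascript:void(0)"',
    'data-id="7"',
);
print_r(filterAttrSet($attrSet, array('href', 'title', 'data-id'), false, true));
```

With the allow list `href, title, data-id`, only `href` and `title` survive: `onclick` falls to rule 2, `style` to rule 5, `src` to rule 4, and `data-id` to rule 1, because a hyphen is a non-alphabetic character. That last case is worth knowing when configuring $attrArray: under these rules no `data-*` attribute can be allow-listed, whatever the user list says.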


method filterTags [line 318]

string filterTags( string $source)

Remove forbidden tags and attributes from a string

Inspect the input for tags "<tagname ...>" and check the tag name against a list of forbidden tag names. Delete all tags with forbidden names. If $xssAuto is true, delete all tags in $tagBlacklist. If there is a user-defined tag list in $tagsArray, process according to the value of $tagsMethod.

If the tag name is OK, then call filterAttr() to check all attributes of the tag and delete forbidden attributes.




Tags:

return:  Cleaned version of input parameter
access:  protected
usedby:  InputFilter::remove()
uses:  InputFilter::$xssAuto
uses:  InputFilter::$tagsMethod
uses:  InputFilter::$tagBlacklist
uses:  InputFilter::$tagsArray
uses:  InputFilter::filterAttr()


Parameters:

string   $source   Input string to be 'cleaned'


method process [line 260]

mixed process( mixed $source)

Remove forbidden tags and attributes from array of strings

Accept a string or array of strings. For each string in the source, remove the forbidden tags and attributes from the string.




Tags:

return:  'cleaned' version of input parameter
usedby:  InputFilter::process_all()
access:  public
uses:  InputFilter::remove()
uses:  InputFilter::decode()


Parameters:

mixed   $source   Input string or array of strings to be 'cleaned'


method process_all [line 234]

void process_all( [string[] $tagsArray = array()], [string[] $attrArray = array()], [boolean $tagsMethod = 0], [boolean $attrMethod = 0], [boolean $xssAuto = 1])

Remove forbidden tags and attributes from user input

Construct an InputFilter object. Then apply the process() method to each of the user input arrays $_POST, $_GET and $_REQUEST. FIXME: isn't it partly redundant to do this to $_REQUEST? Shouldn't we do it to $_COOKIE instead?




Tags:

access:  public
usedby:  Dispatcher::dispatch()
todo:  Check out FIXMEs
uses:  InputFilter::process()
uses:  InputFilter::__construct()
author:  John Peterson


Parameters:

string[]   $tagsArray   User-provided list of tags to either accept or reject. Default: none
string[]   $attrArray   User-provided list of attributes to either accept or reject. Default: none
boolean   $tagsMethod   How to apply the list of tags in $tagsArray:
  • true => Remove those tags which are listed in $tagsArray.
  • false => Allow only those tags which are listed in $tagsArray.
Default: false
boolean   $attrMethod   How to apply the list of attributes in $attrArray:
  • true => Remove those attributes which are listed in $attrArray.
  • false => Allow only those attributes which are listed in $attrArray.
Default: false
boolean   $xssAuto   Whether filterTags() and filterAttr() also remove the built-in $tagBlacklist and $attrBlacklist entries. Default: true
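How the constructor, process() and process_all() fit together, as an added usage example that is not part of the project's own code. It assumes that /vendor/trax/input_filter.php (the source location given above) defines class InputFilter with the constructor and process() signatures documented on this page; the path prefix and the sample form data are constructed.

```php
<?php
// Added usage example for PHPonTrax's InputFilter; not code from the project.
// Adjust the path to wherever the Trax vendor directory lives (assumption).
require_once dirname(__FILE__) . '/vendor/trax/input_filter.php';

// Allow-list configuration: with $tagsMethod = false only the tags named in
// $tagsArray survive, and with $attrMethod = false only the attributes named
// in $attrArray survive. $xssAuto = true additionally removes everything on
// the built-in $tagBlacklist and $attrBlacklist.
$allowedTags  = array('p', 'b', 'i', 'a');
$allowedAttrs = array('href', 'title');
$filter = new InputFilter($allowedTags, $allowedAttrs, false, false, true);

// Constructed sample of a form submission (not real user data). process()
// accepts a string or an array of strings and cleans each element, returning
// the cleaned copy rather than editing in place.
$submitted = array(
    'author'  => 'alice',
    'comment' => '<p onclick="x()">Hello <b>world</b> <script>x()</script></p>',
);
$clean = $filter->process($submitted);
// Per the rules documented above: the <script> tag and the onclick attribute
// are removed, <p> and <b> are kept because they are allow-listed.
var_dump($clean['comment']);

// Deny-list configuration instead: $tagsMethod = true removes the listed tags
// and keeps the rest (the $xssAuto blacklist still applies on top).
$denyFilter = new InputFilter(array('img', 'form'), array(), true, false, true);
$clean2 = $denyFilter->process('<img src="x"><b>ok</b>');
var_dump($clean2);

// What process_all() does for Dispatcher::dispatch(), written out explicitly:
// run process() over each superglobal before any controller reads it.
foreach (array('_GET', '_POST', '_REQUEST') as $global) {
    if (isset($GLOBALS[$global])) {
        $GLOBALS[$global] = $filter->process($GLOBALS[$global]);
    }
}
```

Two things to keep in mind when wiring this in: process() also calls decode(), so entities in the submission are converted to characters before filtering, and the value to store is the one process() returns, never the raw superglobal; and process_all() filters $_GET, $_POST and $_REQUEST only, so $_COOKIE is untouched unless you pass it to process() yourself, which is exactly what the FIXME above is asking about.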


method quoteSmart [line 569]

string quoteSmart( string $source, resource &$connection)

Remove GPC magic quotes from input string & escape SQL special characters

The input is a string that came from a GET or POST HTTP operation, or a cookie. If GPC magic quotes are currently in effect, the resulting slashes are stripped. Then any SQL special characters in the string are escaped, taking into account the character set in use on $connection.




Tags:

return:  Input string with any GPC magic quotes stripped and SQL special characters escaped
access:  protected
usedby:  InputFilter::safeSQL()
uses:  stripslashes()
uses:  get_magic_quotes_gpc()
uses:  InputFilter::escapeString()
author:  Chris Tobin, Daniel Morris


Parameters:

string   $source   Input string to be converted
resource   $connection   An open MySQL connection


method remove [line 287]

string remove( string $source)

Remove forbidden tags and attributes from a string iteratively

Call filterTags() repeatedly until no change in the input is produced.




Tags:

return:  'cleaned' version of $source
usedby:  InputFilter::process()
access:  protected
uses:  InputFilter::filterTags()


Parameters:

string   $source   Input string to be 'cleaned'
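Why remove() loops rather than calling filterTags() once, shown with an added example that is not the library's code: a bounded fixpoint loop of the kind remove() describes, driven by a deliberately minimal single-pass tag stripper so that it runs without InputFilter. The stripper, the pass limit, the return shape and the constructed input are my own assumptions.

```php
<?php
// Added example, not InputFilter::remove(): repeat a single-pass filter until
// a pass changes nothing. The toy stripper only handles the "<tagname ...>"
// shape and stands in for filterTags() (assumption).

// One pass: delete any tag whose name is on the deny list.
function stripForbiddenTagsOnce($source, array $forbidden)
{
    $names = implode('|', array_map('preg_quote', $forbidden));
    return preg_replace('#</?(?:' . $names . ')\b[^>]*>#i', '', $source);
}

// Repeat until stable or until the pass budget runs out.
// Returns array($cleaned, $passes, $converged).
function removeUntilStable(callable $pass, $source, $maxPasses = 10)
{
    for ($i = 1; $i <= $maxPasses; $i++) {
        $next = $pass($source);
        if ($next === $source) {      // exact string equality: nothing changed
            return array($source, $i, true);
        }
        $source = $next;
    }
    return array($source, $maxPasses, false);
}

$forbidden = array('script', 'iframe');
$pass = function ($s) use ($forbidden) {
    return stripForbiddenTagsOnce($s, $forbidden);
};

// Constructed input where one pass is not enough: deleting the inner tag
// splices the surrounding characters into a new tag of the same name.
$nested = '<scr<script>ipt>x()</scr<script>ipt>';
$once = stripForbiddenTagsOnce($nested, $forbidden);
list($stable, $passes, $converged) = removeUntilStable($pass, $nested);

var_dump($once);                              // still contains a forbidden tag
var_dump($stable, $passes, $converged);       // plain text, three passes, converged
```

The single pass leaves `<script>x()</script>` behind; the second pass removes that and the third confirms nothing changes, so the loop reports convergence after three passes with only the inert text `x()` left. The page does not say whether remove() bounds its iterations; a production loop should, because an input that never stabilises would otherwise tie up the request, and it should compare with `===` so that a change of case or whitespace still counts as a change.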


method safeSQL [line 536]

mixed safeSQL( mixed $source, resource &$connection)

Remove HTML entities and magic quotes, insert SQL special character escapes

If the input is a string or an array of strings, then each string is edited to convert any HTML entities to the corresponding character and remove slashes inserted by magic quotes, then the result has SQL special characters escaped.




Tags:

return:  Input with HTML entities and GPC magic quotes removed and SQL special character escapes inserted, as a string or array of strings matching $source
access:  public
uses:  InputFilter::quoteSmart()
uses:  InputFilter::decode()


Parameters:

mixed   $source   Input to be 'cleaned'
resource   $connection   An open MySQL connection
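The three-stage pipeline that safeSQL(), quoteSmart(), decode() and escapeString() describe above, written as an added example that is not the library's code. The escaping step is injected as a callable so the example runs offline with a stand-in; the function names, the numeric-entity handling, the existence check around get_magic_quotes_gpc() and the sample values are my own assumptions.

```php
<?php
// Added example, not InputFilter::safeSQL(): decode entities, undo GPC magic
// quotes, then escape SQL special characters, with the escaper injected.

// Stage 1, as decode() describes: numeric entities (decimal and hex) via
// preg_replace and chr(), then named entities via html_entity_decode(),
// assuming ISO-8859-1 as the page states.
function decodeEntities($source)
{
    $source = preg_replace_callback('/&#(\d+);/', function ($m) {
        return chr((int) $m[1]);
    }, $source);
    $source = preg_replace_callback('/&#x([0-9a-f]+);/i', function ($m) {
        return chr(hexdec($m[1]));
    }, $source);
    return html_entity_decode($source, ENT_QUOTES, 'ISO-8859-1');
}

// Stage 2, as quoteSmart() describes: strip slashes only if PHP added them.
// get_magic_quotes_gpc() no longer exists in PHP 8, hence the existence check.
function stripGpcQuotes($source)
{
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return stripslashes($source);
    }
    return $source;
}

// Stage 3 plus the string-or-array handling of safeSQL(): arrays are processed
// element-wise, keys preserved.
function safeSqlValue($source, callable $escape)
{
    if (is_array($source)) {
        $out = array();
        foreach ($source as $k => $v) {
            $out[$k] = safeSqlValue($v, $escape);
        }
        return $out;
    }
    return $escape(stripGpcQuotes(decodeEntities((string) $source)));
}

// Offline stand-in escaper so the example runs without a database. Against a
// real connection pass the connection explicitly, which is what the
// escapeString() FIXME above asks for:
//   $escape = function ($s) use ($mysqli) { return mysqli_real_escape_string($mysqli, $s); };
$escape = 'addslashes';

// Constructed sample: entity-encoded quotes of the kind a form might submit.
$sample = array('name' => 'O&#39;Brien', 'note' => 'said &quot;hi&quot;');
var_dump(safeSqlValue($sample, $escape));
```

The point of the injected escaper is the one the FIXMEs raise: which characters are special, and how multi-byte sequences are handled, depends on the connection's character set, so the escaper must know the connection. Note also that escaping at input time binds the stored value to one use; a value that is escaped once and later embedded in a different context (another connection charset, or not SQL at all) is either double-escaped or under-escaped, which is why parameterised queries are the more robust choice wherever the database layer supports them.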



Documentation generated on Thu, 04 May 2006 19:47:49 -0600 by phpDocumentor 1.3.0RC4