User-provided list of attributes to either accept or reject
Whether the attributes in this list are accepted or rejected is determined by the value of $attrMethod. FIXME: static declaration must be after visibility declaration
Which method to use when applying the list of attributes provided by the user and stored in $attrArray.
Tags:
var:
Tested by filterAttr() to see whether the user-provided list of attributes in $attrArray describes those attributes which are forbidden, or those attributes which are permitted. Default false.
true => Remove those attributes which are in $attrArray.
false => Allow only those attributes which are listed in $attrArray.
FIXME: static declaration must be after visibility declaration
User-provided list of tags to either accept or reject
Whether the tags in this list are accepted or rejected is determined by the value of $tagsMethod. FIXME: static declaration must be after visibility declaration
Which method to use when applying the list of tags provided by the user and stored in $tagsArray.
Tags:
var:
Tested by filterTags() to see whether the user-provided list of tags in $tagsArray describes those tags which are forbidden, or those tags which are permitted. Default false.
true => Remove those tags which are in $tagsArray.
false => Allow only those tags which are listed in $tagsArray.
FIXME: static declaration must be after visibility declaration
Remove forbidden tags and attributes from a string
Inspect the input for tags "<tagname ...>" and check the tag name against a list of forbidden tag names. Delete all tags with forbidden names. If $xssAuto is true, delete all tags in $tagBlacklist. If there is a user-defined tag list in $tagsArray, process according to the value of $tagsMethod.
If the tag name is OK, then call filterAttr() to check all attributes of the tag and delete forbidden attributes.
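The following added example, which is not the InputFilter source, shows how the $tagsMethod and $attrMethod flags described above change the result for the same input. The helper names isPermitted() and filterMarkup() are hypothetical, the tag matching is simplified, and $xssAuto / $tagBlacklist handling is not reproduced.

```php
<?php
// Added illustration, not the InputFilter source. It follows only the documented
// meaning of $tagsMethod / $attrMethod: false => keep only listed names,
// true => remove listed names. isPermitted() and filterMarkup() are hypothetical.
function isPermitted(string $name, array $list, bool $method): bool
{
    $listed = in_array(strtolower($name), array_map('strtolower', $list), true);
    return $method ? !$listed : $listed;
}

function filterMarkup(string $html, array $tagsArray, bool $tagsMethod,
                      array $attrArray, bool $attrMethod): string
{
    // Simplified matching (assumption): no ">" inside attribute values.
    $tagPattern  = '~<(/?)([a-z][a-z0-9]*)\b([^<>]*)>~i';
    $attrPattern = '~([a-z_:][-a-z0-9_:.]*)\s*=\s*("[^"]*"|\'[^\']*\'|[^\s"\'<>]+)~i';

    $filtered = preg_replace_callback($tagPattern, function (array $m) use (
        $tagsArray, $tagsMethod, $attrArray, $attrMethod, $attrPattern
    ): string {
        [, $slash, $name, $rest] = $m;
        if (!isPermitted($name, $tagsArray, $tagsMethod)) {
            return '';  // forbidden tag name: delete the tag
        }
        if ($slash === '/') {
            return '</' . strtolower($name) . '>';
        }
        $kept = [];  // attributes that pass the attribute list check
        preg_match_all($attrPattern, $rest, $attrs, PREG_SET_ORDER);
        foreach ($attrs as [, $attrName, $attrValue]) {
            if (isPermitted($attrName, $attrArray, $attrMethod)) {
                $kept[] = strtolower($attrName) . '=' . $attrValue;
            }
        }
        return '<' . strtolower($name) . ($kept ? ' ' . implode(' ', $kept) : '') . '>';
    }, $html);
    return $filtered ?? '';  // a regex engine error yields an empty string
}

// Constructed sample input.
$input = '<p class="x" onclick="go()">Hi <b>there</b><script>alert(1)</script></p>';

// Both lists as allowlists ($tagsMethod = false, $attrMethod = false).
echo filterMarkup($input, ['p', 'b'], false, ['class'], false), "\n";

// Both lists as denylists ($tagsMethod = true, $attrMethod = true).
echo filterMarkup($input, ['b'], true, ['class'], true), "\n";
```

With this constructed input, the denylist call leaves the unlisted script tag and onclick attribute in place, while the allowlist call (the documented default, false) removes both.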
Remove forbidden tags and attributes from user input
Construct an InputFilter object. Then apply the process() method to each of the user input arrays $_POST, $_GET and $_REQUEST. FIXME: isn't it partly redundant to do this to $_REQUEST? Shouldn't we do it to $_COOKIE instead?
Remove GPC magic quotes from input string & escape SQL special characters
The input is a string that came from a GET or POST HTTP operation, or a cookie. If GPC magic quotes are currently in effect, the resulting slashes are stripped. Then any SQL special characters in the string are escaped, taking into account the character set in use on $connection.
Tags:
return:
Input string with any GPC magic quotes stripped and SQL special characters escaped
Remove HTML entities and magic quotes, insert SQL special character escapes
If the input is a string or an array of strings, then each string is edited to convert any HTML entities to the corresponding character and remove slashes inserted by magic quotes, then the result has SQL special characters escaped.
Tags:
return:
with HTML entities and GPC magic quotes removed from, and SQL special character escapes inserted in, the string or array of strings.