Filtering data is an important aspect of creating a secure website. Data coming from untrusted sources, such as the URL or a form, should always be filtered using the most restrictive filter possible for the situation.
The JFilterInput class (libraries/joomla/filter/filterinput.php) is used to provide the built-in filtering functionality in Joomla!. Table B.1 shows the filtering types that are available.
The HTML and STRING filter types both include HTML filtering. Two different types of filtering are available: white list and black list.
White list filtering allows you to define a list of allowable HTML elements and attributes and removes any elements or attributes that are not on the list. Black list filtering allows you to define a list of elements and attributes that are not allowed and removes these elements (leaving elements and attributes that are not on the black list).
The default filtering method in Joomla is black list. The default elements that are not allowed are applet, body, bgsound, base, basefont, embed, frame, frameset, head, html, id, iframe, ilayer, layer, link, meta, name, object, script, style, title, and xml.
The default black list attributes are action, background, codebase, dynsrc, and lowsrc.
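To make the white list versus black list distinction concrete, the following Python model is added here (it is not Joomla's code and is deliberately simplified: tag markup is stripped and inner text kept). It applies the default black lists quoted above to a constructed snippet, then runs the same snippet through a white list that allows only p and b tags with a class attribute.

```python
import re

# Default Joomla black lists as given in the appendix text.
DEFAULT_TAG_BLACKLIST = {
    "applet", "body", "bgsound", "base", "basefont", "embed", "frame",
    "frameset", "head", "html", "id", "iframe", "ilayer", "layer", "link",
    "meta", "name", "object", "script", "style", "title", "xml",
}
DEFAULT_ATTR_BLACKLIST = {"action", "background", "codebase", "dynsrc", "lowsrc"}

TAG_RE = re.compile(r"<(/?)([a-zA-Z][a-zA-Z0-9]*)([^<>]*)>")
ATTR_RE = re.compile(r"""\s+([a-zA-Z_:][\w:.-]*)(\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?""")


def filter_html(source, tag_list=None, attr_list=None,
                tags_method="blacklist", attrs_method="blacklist"):
    """Strip tag markup and attributes according to a white or black list.
    "blacklist": listed names are removed, everything else passes.
    "whitelist": only listed names pass, everything else is removed.
    Text between removed tags is kept (a simplification of Joomla's behaviour).
    """
    tags = {t.lower() for t in (DEFAULT_TAG_BLACKLIST if tag_list is None else tag_list)}
    attrs = {a.lower() for a in (DEFAULT_ATTR_BLACKLIST if attr_list is None else attr_list)}

    def allowed(name, listed, method):
        return (name not in listed) if method == "blacklist" else (name in listed)

    def rebuild(match):
        closing, name, rest = match.group(1), match.group(2).lower(), match.group(3)
        if not allowed(name, tags, tags_method):
            return ""  # drop the tag markup entirely
        if closing:
            return "</%s>" % name
        kept = [m.group(0).strip() for m in ATTR_RE.finditer(rest)
                if allowed(m.group(1).lower(), attrs, attrs_method)]
        self_closing = " /" if rest.rstrip().endswith("/") else ""
        return "<%s%s%s>" % (name, "".join(" " + a for a in kept), self_closing)

    return TAG_RE.sub(rebuild, source)


# Constructed sample: one listed tag (script), one listed attribute (action),
# and several names (form, style=, class=) that are on neither default list.
SAMPLE = ('<p class="intro" style="color:red">Hello</p><script>run()</script>'
          '<form action="/submit"><b>bold</b></form><embed src="movie.swf">')

# Black list: only script, embed and action= go; form and style= survive.
BLACK_LISTED = filter_html(SAMPLE)
# White list of p and b with class=: everything not named is gone.
WHITE_LISTED = filter_html(SAMPLE, ["p", "b"], ["class"], "whitelist", "whitelist")
```

The black list leaves the unlisted form element and style attribute in place, which is why the appendix calls the white list the more restrictive choice.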
There are several ways to access the filtering methods in Joomla. The classes JForm, JRequest, and JInput incorporate filtering into their operation. Also, you can use JFilterInput directly.
When we create a JForm XML file, we can add filtering to an element using the filter attribute. For example, the attribute filter="integer" will cause the value entered in a field to be filtered using the INTEGER method.
In addition to the filter types listed in Table B.1, JForm provides the additional filter types listed in Table B.2.
In addition to these built-in types, you can also add custom filtering for JForm fields.
JRequest and JInput can filter values using any of the JFilterInput types listed in Table B.1. For JRequest, you can use one of two forms. The general form uses JRequest::getVar(). The fourth argument for the getVar() method specifies the filter type and can be any of the types listed in Table A.1. For example, the following uses the ARRAY filter type:
$data = JRequest::getVar('jform', array(), 'post', 'array');
Note that the default filter type for getVar() is “none,” so you always want to specify a filter type when calling it. Otherwise, no filtering is done.
JRequest includes the following convenience methods that include filtering: getInt(), getUInt(), getFloat(), getBool(), getWord(), getCmd(), and getString().
JInput is a new class that was added to the platform in version 11.1 to eventually replace JRequest. JInput uses a get() method that is similar to the JRequest::getVar() method. In the JInput get() method, the third argument specifies the filter type. For example, the following three commands are equivalent:
$x = JRequest::getVar('option', 'default', 'post', 'cmd');
$x = JRequest::getCmd('option', 'default');
$x = JFactory::getApplication()->input->get('option', 'default', 'cmd');
The JRequest class is deprecated in the Joomla platform as of version 12.1. As of version 2.5, JRequest is used in the Joomla content management system (CMS) code base in over 700 places. Eventually these will be replaced with calls to JInput.
It is easy to use JFilterInput directly anywhere inside a Joomla application. For example, the following code filters the body of an e-mail message using the STRING filter:
$message_body = JFilterInput::getInstance()->clean($message_body, 'string');
Here we use the getInstance() method to get a JFilterInput object and then run the clean() method to filter the desired value.