Appendix B. Joomla! Filter Types

Filtering data is an important aspect of creating a secure website. Data coming from untrusted sources, such as the URL or a form, should always be filtered using the most restrictive filter possible for the situation.

The JFilterInput class (libraries/joomla/filter/filterinput.php) is used to provide the built-in filtering functionality in Joomla!. Table B.1 shows the filtering types that are available.

Table B.1. Joomla Filter Types

[Image of Table B.1 not reproduced]

HTML Filtering

The HTML and STRING filter types both include HTML filtering. Two different types of filtering are available: white list and black list.

White list filtering allows you to define a list of allowable HTML elements and attributes and removes any elements or attributes that are not on the list. Black list filtering allows you to define a list of elements and attributes that are not allowed and removes these elements (leaving elements and attributes that are not on the black list).

The default filtering method in Joomla is black list. The default elements that are not allowed are

applet, body, bgsound, base, basefont, embed, frame, frameset, head, html,
id, iframe, ilayer, layer, link, meta, name, object, script, style, title,
xml.

The default black list attributes are

action, background, codebase, dynsrc, lowsrc.

Using Filtering in Joomla Applications

There are several ways to access the filtering methods in Joomla. The classes JForm, JRequest, and JInput incorporate filtering into their operation. Also, you can use JFilterInput directly.

Filtering in JForm

When we create a JForm XML file, we can add filtering to an element using the filter attribute. For example, the attribute

filter="integer"

will cause the value entered in a field to be filtered using the INTEGER method.

In addition to the filter types listed in Table B.1, JForm provides the additional filter types listed in Table B.2.

Table B.2. JForm Additional Filter Types

[Image of Table B.2 not reproduced]

In addition to these built-in types, you can also add custom filtering for JForm fields.

Filtering in JRequest and JInput

JRequest and JInput can filter values using any of the JFilterInput types listed in Table B.1. For JRequest, you can use one of two forms. The general form uses JRequest::getVar(). The fourth argument for the getVar() method specifies the filter type and can be any of the types listed in Table B.1. For example, the following uses the ARRAY filter type:

$data = JRequest::getVar('jform', array(), 'post', 'array');

Note that the default filter type for getVar() is “none,” so you always want to specify a filter type when calling it. Otherwise, no filtering is done.

JRequest includes the following convenience methods that include filtering: getInt(), getUInt(), getFloat(), getBool(), getWord(), getCmd(), and getString().

JInput is a new class that was added to the platform in version 11.1 to eventually replace JRequest. JInput uses a get() method that is similar to the JRequest::getVar() method. In the JInput get() method, the second argument is the default value and the third argument specifies the filter type. In JRequest::getVar(), the second argument is the default value, the third is the request hash (get, post, or default for the merged request), and the fourth is the filter type. For example, the following three statements are equivalent:

$x = JRequest::getVar('option', 'default', 'default', 'cmd');
$x = JRequest::getCmd('option', 'default');
$x = JFactory::getApplication()->input->get('option', 'default', 'cmd');

The JRequest class is deprecated in the Joomla platform as of version 12.1. As of version 2.5, JRequest is used in the Joomla content management system (CMS) code base in over 700 places. Eventually these will be replaced with calls to JInput.
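The following is an added example, not code from the book or from the Joomla code base, that ties together the JForm filter attribute described under "Filtering in JForm" and the JInput ARRAY read described in this section. It assumes a Joomla 2.5 (Platform 11.x) component context in which JForm and JInput are available through the class loader; the form XML, the field names and the POST data are constructed for illustration.

```php
<?php
// Added example, not code from the book or from the Joomla code base.
// Assumes it runs inside a Joomla 2.5 (Platform 11.x) component, where
// JFactory, JForm and JInput are available through the class loader.
// The form XML and the request data below are constructed for illustration.
defined('_JEXEC') or die;

jimport('joomla.form.form');

// A JForm definition supplied as an XML string instead of a file. Each
// field's filter attribute names either a JFilterInput type from Table B.1
// (integer, string, cmd) or one of JForm's own types (safehtml, raw).
$formXml = <<<'XML'
<form>
    <fieldset>
        <field name="id"      type="hidden"   filter="integer" />
        <field name="title"   type="text"     filter="string" />
        <field name="alias"   type="text"     filter="cmd" />
        <field name="summary" type="textarea" filter="safehtml" />
        <field name="body"    type="editor"   filter="raw" />
    </fieldset>
</form>
XML;

// Constructed POST data, shaped the way a form rendered with the "jform"
// control prefix submits it: everything sits under $_POST['jform'].
$constructedPost = array(
    'jform' => array(
        'id'      => '17abc',
        'title'   => 'Hello <script>alert(1)</script> world',
        'alias'   => 'hello world; rm -rf /',
        'summary' => '<p onclick="steal()">Keep <b>this</b></p>'
                   . '<iframe src="http://evil.example/"></iframe>',
        'body'    => '<p>Editor output the site owner is trusted to supply</p>',
    ),
);

// Read the whole jform array through JInput with the ARRAY filter: the JInput
// form of JRequest::getVar('jform', array(), 'post', 'array'). Passing an
// array to the JInput constructor makes it read from that array instead of
// $_REQUEST, which is what lets this run on the constructed data above.
$input = new JInput($constructedPost);
$data  = $input->get('jform', array(), 'array');

// JForm::filter() walks the form's fields and applies each field's filter
// attribute to the matching key of $data, returning the cleaned copy.
// Keys that have no field in the form are not copied, so unexpected POST
// keys never reach the model.
$form     = JForm::getInstance('example', $formXml);
$filtered = $form->filter($data);

// Single values can also be pulled straight from JInput with the
// convenience methods, which map onto the same JFilterInput types.
$id   = $input->getInt('id', 0);
$task = $input->getCmd('task', 'display');
```

After filter() runs, id is an integer, the script tag is gone from title, alias contains only letters, digits, underscore, dot and hyphen, summary has lost the iframe element and the onclick attribute, and body is passed through untouched because raw means exactly that. Use raw only for fields whose authors you already trust, such as an editor field restricted to administrators, and never for anything a public visitor can submit.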

Using JFilterInput Directly

It is easy to use JFilterInput directly anywhere inside a Joomla application. For example, the following code filters the body of an e-mail message using the STRING filter:

$message_body = JFilterInput::getInstance()->clean($message_body, 'string');

Here we use the getInstance() method to get a JFilterInput object and then run the clean() method to filter the desired value.
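The following is an added example, not code from the book or from the Joomla code base, showing the white list and black list modes described under "HTML Filtering" side by side with the direct STRING call above. It assumes a Joomla 2.5 (Platform 11.x) environment in which JFilterInput can be loaded; the sample markup is constructed.

```php
<?php
// Added example, not code from the book or from the Joomla code base.
// Assumes a Joomla 2.5 (Platform 11.x) environment in which JFilterInput is
// loadable; the HTML sample is constructed.
defined('_JEXEC') or die;

jimport('joomla.filter.filterinput');

// Constructed untrusted markup, e.g. the body of a user-submitted comment.
$untrusted = '<p style="color:red" onmouseover="steal()">Hi '
    . '<a href="http://example.com/" target="_blank">link</a> '
    . '<script>alert(1)</script>'
    . '<iframe src="http://evil.example/"></iframe>'
    . '<em>bye</em></p>';

// getInstance(tags, attributes, tagsMethod, attrMethod, xssAuto):
// tagsMethod/attrMethod 0 = white list, 1 = black list; xssAuto (default 1)
// additionally applies the built-in black lists quoted above and drops any
// attribute whose name starts with "on".

// 1. Black list with no extra entries: only the built-in lists apply, so
//    <script> and <iframe> are removed and onmouseover is dropped, while
//    <p style="..."> and <a target="..."> pass through. This is the same
//    instance JForm's safehtml filter uses.
$blackList    = JFilterInput::getInstance(array(), array(), 1, 1);
$viaBlackList = $blackList->clean($untrusted, 'html');

// 2. White list: keep only <p>, <a> and <em>, and on those only href.
//    Any other tag or attribute, including ones that do not exist yet,
//    is removed by construction.
$whiteList    = JFilterInput::getInstance(array('p', 'a', 'em'), array('href'), 0, 0);
$viaWhiteList = $whiteList->clean($untrusted, 'html');

// 3. A plain getInstance() is white-list mode with an empty list, so the
//    STRING type strips every tag and leaves only text. This is the right
//    choice for fields that should never carry markup, such as the e-mail
//    body in the call above.
$textOnly = JFilterInput::getInstance()->clean($untrusted, 'string');
```

Two points worth checking before relying on either mode. First, JFilterInput removes tags, not their content: in all three results the text alert(1) survives as plain text, which is harmless here but means the body of a stripped style or script element is not discarded. Second, the black list only knows about the elements and attributes on its list, so for markup that will be shown to other users the white list is the more restrictive filter the introduction recommends.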
