Tuskfish API

Class TfishFilter

Provides methods to validate different data types and to conduct range checks.

WARNING: The methods in this class validate TYPE COMPLIANCE ONLY. They DO NOT PROVIDE DATABASE SAFETY in their own right. Use them in conjunction with prepared statements and bound values to mitigate SQL injection.

  1. Pass ALL STRING type data through the trimString() function first; it checks for UTF-8 encoding and strips basic whitespace and control characters. Note that this function always returns a string, so DO NOT USE IT ON NON-STRINGS.

  2. Use the relevant type and pattern-specific methods to validate that other data types meet your expectations.
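
The two steps above, followed by the prepared statement the WARNING calls for, as an added example. This is not Tuskfish's own code: the three helpers are standalone stand-ins for trimString(), isInt() and isEmail() written from their documented behaviour (assumed details: invalid UTF-8 yields an empty string, and isInt() is built on FILTER_VALIDATE_INT with min_range/max_range). The request array is constructed. Requires ext/mbstring and ext/pdo_sqlite.

```php
<?php
// Added example, not Tuskfish's own code: the two-step intake described above,
// followed by a prepared statement. Helpers are stand-ins for
// TfishFilter::trimString(), isInt() and isEmail(), written from their
// documented behaviour (assumed: invalid UTF-8 yields ''; isInt() uses
// FILTER_VALIDATE_INT with min_range/max_range).
declare(strict_types=1);

// Step 1 stand-in: cast to string, check UTF-8, strip ASCII <= 32 from the ends.
// Characters in the middle of the string are left alone.
function trimString($dirty): string
{
    $dirty = (string) $dirty;
    if (!mb_check_encoding($dirty, 'UTF-8')) {
        return '';
    }
    return trim($dirty, "\x00..\x20");
}

// Step 2 stand-in: integer with optional range check.
function isInt($value, ?int $min = null, ?int $max = null): bool
{
    $options = [];
    if ($min !== null) {
        $options['min_range'] = $min;
    }
    if ($max !== null) {
        $options['max_range'] = $max;
    }
    return filter_var($value, FILTER_VALIDATE_INT, ['options' => $options]) !== false;
}

function isEmail(string $email): bool
{
    return filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

// Constructed request: a padded id, and an address whose local part contains a
// single quote (legal in an email address, so an email filter must pass it).
$request = ['id' => " 42\r\n", 'email' => "o'brien@example.com"];

$id    = trimString($request['id']);      // "42"
$email = trimString($request['email']);

if (!isInt($id, 1, 999999)) {
    exit("Rejected id\n");
}
if (!isEmail($email)) {
    exit("Rejected email\n");
}

// The filters established TYPE only. Database safety comes from binding:
// concatenating $email into the SQL would let the quote terminate the literal.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (id INTEGER PRIMARY KEY, email TEXT NOT NULL)');

$stmt = $db->prepare('INSERT INTO user (id, email) VALUES (:id, :email)');
$stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
$stmt->bindValue(':email', $email, PDO::PARAM_STR);
$stmt->execute();

$stmt = $db->prepare('SELECT email FROM user WHERE id = :id');
$stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
$stmt->execute();
echo $stmt->fetchColumn(), "\n"; // o'brien@example.com
```

The point of the quoted local part is that a value can pass every filter in this class and still break or subvert a query when interpolated; the bound parameter, not the filter, is what keeps the quote inert.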

Package: security
Copyright: Simon Wilkinson 2013-2017 (https://tuskfish.biz)
License: GNU General Public License (GPL) V2
Author: Simon Wilkinson simon@isengard.biz
Version: Release: 1.0
Since: 1.0
Located at trust_path/libraries/tuskfish/class/TfishFilter.php

Methods summary

public static string
# escape( mixed $output )

Escape data for display to mitigate XSS attacks.

Casts to string and applies htmlentities() to text fields destined for output / display, to limit XSS attacks. Encoding of quotes and use of the UTF-8 character set are hard-coded. This is escaping for HTML body and attribute contexts; it does not make a value safe to place inside a JavaScript block, a URL or a CSS context, each of which needs its own encoding.

Parameters

$output
Unescaped string intended for display.

Returns

string
Escaped output string safe for display.
public static string
# encodeEscapeUrl( string $url )

URL-encode and escape a query string for use in a URL.

Trims, checks for UTF-8 compliance, applies rawurlencode() and then escapes with htmlspecialchars(). Because rawurlencode() leaves only unreserved characters and percent escapes, the htmlspecialchars() pass is a defence-in-depth layer rather than a change to the value. If you wish to use the data on a landing page you must decode it with htmlspecialchars_decode() followed by rawurldecode(), in that order. But really, if the value contains characters that need encoding in the first place, reconsider whether it belongs in a URL at all.

Parameters

$url
Unescaped input URL.

Returns

string
Encoded and escaped URL.
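
Both escape() and encodeEscapeUrl(), and the decode order the latter's description specifies, as an added example. This is not Tuskfish's own code: the two functions are standalone stand-ins written from the documented behaviour (assumed detail: ENT_QUOTES is the quote flag), and the payload and search term are constructed. Requires ext/mbstring.

```php
<?php
// Added example, not Tuskfish's own code: stand-ins for escape() and
// encodeEscapeUrl() built from the documented behaviour (htmlentities with
// quote encoding and UTF-8 hard-coded; trim, UTF-8 check, rawurlencode, then
// htmlspecialchars). Assumed detail: ENT_QUOTES is the quote flag.
declare(strict_types=1);

function escape($output): string
{
    return htmlentities((string) $output, ENT_QUOTES, 'UTF-8');
}

function encodeEscapeUrl(string $url): string
{
    if (!mb_check_encoding($url, 'UTF-8')) {
        return '';
    }
    $url = trim($url, "\x00..\x20");
    return htmlspecialchars(rawurlencode($url), ENT_QUOTES, 'UTF-8');
}

// Constructed XSS probe aimed at breaking out of a quoted attribute.
$payload = '" onmouseover="alert(1)';
$html = '<input value="' . escape($payload) . '">';
if (strpos($html, '"alert') !== false) {
    throw new RuntimeException('attribute was broken out of');
}
echo $html, "\n"; // <input value="&quot; onmouseover=&quot;alert(1)">

// Constructed search term that already contains an HTML entity. This is the
// case where decode order on the landing page matters.
$term    = 'tom &amp; jerry';
$encoded = encodeEscapeUrl($term);
echo '<a href="search.php?q=' . $encoded . '">', "\n"; // q=tom%20%26amp%3B%20jerry

// Landing page, documented order: entity-decode first, then URL-decode.
$right = rawurldecode(htmlspecialchars_decode($encoded, ENT_QUOTES));

// Reversed order: URL-decoding first exposes "&amp;" to the entity decoder,
// which collapses it to "&" and silently changes the submitted value.
$wrong = htmlspecialchars_decode(rawurldecode($encoded), ENT_QUOTES);

var_dump($right === $term); // bool(true)
var_dump($wrong === $term); // bool(false): "tom & jerry"
```

The reversed decode is not an injection in itself, but it changes user data between submission and use, which is exactly the class of mismatch that lets a value pass validation in one form and be interpreted in another.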
public static string
# filterHtml( string $dirty_html, array $config_options = array() )

Validate (and to some extent, "sanitise") HTML input to conform with whitelisted tags.

Applies HTMLPurifier to validate and sanitise HTML input. The precise operation can be modified by altering the configuration of HTMLPurifier. Default options mandate UTF-8 encoding and enable HTML5-style IDs (anchor targets). Any configuration passed in $config_options that widens the allowed tags or attributes widens the attack surface correspondingly, so keep overrides to the minimum the feature needs.

Parameters

$dirty_html
Unvalidated HTML input.
$config_options
HTMLPurifier configuration options (see HTMLPurifier documentation).

Returns

string
Validated HTML content.
public static boolean
# hasTraversalorNullByte( string $path )

Check if a file path contains traversals (including encoded traversals) or null bytes.

Directory traversals are not permitted in Tuskfish method parameters. If a path is found to contain a traversal it is presumed to be an attack; encoded traversals are a clear sign of attempted abuse.

In general, untrusted data should never be used to construct a file path. This method exists as a second-line safety measure, not as a substitute for resolving paths against a fixed base directory.

Parameters

$path
Path to be tested.

Returns

boolean
True if a traversal or null byte is found, otherwise false.

See

https://www.owasp.org/index.php/Path_Traversal.
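
A standalone check in the spirit of hasTraversalorNullByte(), as an added example that is not the project's implementation: it shows which inputs such a check should flag (plain, URL-encoded, double-encoded, backslash and null-byte variants, while leaving "my..file.txt" alone) and the realpath() containment that is the primary control it backs up. The fixture directory and the case list are constructed.

```php
<?php
// Added example, not Tuskfish's own code: an assumed implementation of a
// traversal / null-byte check, plus the base-directory containment it backs up.
declare(strict_types=1);

function hasTraversalOrNullByte(string $path): bool
{
    // Peel URL encoding until stable so %2e%2e, %252e%252e and %00 are seen
    // in their decoded form. Bounded so hostile input cannot loop.
    $decoded = $path;
    for ($i = 0; $i < 3; $i++) {
        $next = rawurldecode($decoded);
        if ($next === $decoded) {
            break;
        }
        $decoded = $next;
    }
    if (strpos($decoded, "\0") !== false) {
        return true;
    }
    // ".." only counts as a whole path segment; "my..file.txt" is legitimate.
    return (bool) preg_match('#(^|[\\\\/])\.\.([\\\\/]|$)#', $decoded);
}

// Primary control: resolve against a fixed base directory and refuse anything
// that resolves outside it. The traversal check runs first as the second line.
function resolveMediaPath(string $baseDir, string $requested): ?string
{
    if (hasTraversalOrNullByte($requested)) {
        return null;
    }
    $base = realpath($baseDir);
    $real = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $real === false) {
        return null;
    }
    return strpos($real, $base . DIRECTORY_SEPARATOR) === 0 ? $real : null;
}

// Constructed fixture: a temporary media directory holding one file.
$baseDir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'media_' . bin2hex(random_bytes(4));
mkdir($baseDir);
file_put_contents($baseDir . DIRECTORY_SEPARATOR . 'photo.jpg', 'jpeg-bytes');

// Constructed cases: input => whether the check should flag it.
$cases = [
    'photo.jpg'                => false,
    'my..file.txt'             => false,
    '../../etc/passwd'         => true,
    '..\\..\\windows\\win.ini' => true,
    '%2e%2e/%2e%2e/etc/passwd' => true,   // URL-encoded dots
    'sub/..%2f..%2fetc/passwd' => true,   // encoded slash only
    '%252e%252e/secret'        => true,   // double-encoded
    "photo.jpg\0.png"          => true,   // raw null byte
    'photo.jpg%00.png'         => true,   // encoded null byte
];
foreach ($cases as $input => $expected) {
    $got = hasTraversalOrNullByte($input);
    printf("%-28s flagged=%-5s %s\n", addcslashes($input, "\0"),
        var_export($got, true), $got === $expected ? 'ok' : 'MISMATCH');
}

var_dump(resolveMediaPath($baseDir, 'photo.jpg') !== null); // bool(true)
var_dump(resolveMediaPath($baseDir, '../../etc/passwd'));   // NULL

unlink($baseDir . DIRECTORY_SEPARATOR . 'photo.jpg');
rmdir($baseDir);
```

The containment check is what actually bounds file access; the pattern check in front of it turns an attempted traversal into a loggable, early rejection rather than a silent failed lookup.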
public static boolean
# isAlpha( string $alpha )

Check that a string is comprised solely of alphabetical characters.

Accepts plain ASCII letters only; accented regional characters are rejected. This method is designed to be used to check database identifiers or object property names.

Parameters

$alpha
Input to be tested.

Returns

boolean
True if valid alphabetical string, false otherwise.
public static boolean
# isAlnum( string $alnum )

Check that a string is comprised solely of alphanumeric characters.

Accented regional characters are rejected. This method is designed to be used to check database identifiers or object property names.

Parameters

$alnum
Input to be tested.

Returns

boolean
True if valid alphanumerical string, false otherwise.
public static boolean
# isAlnumUnderscore( string $alnumUnderscore )

Check that a string is comprised solely of alphanumeric characters and underscores.

Accented regional characters are rejected. This method is designed to be used to check database identifiers or object property names.

Parameters

$alnumUnderscore
Input to be tested.

Returns

boolean
True if valid alphanumerical or underscore string, false otherwise.
public static boolean
# isBool( mixed $bool )

Validate boolean input.

Be careful with the return value; this method simply determines if a value is boolean or not; it does not return the actual value of the parameter.

Parameters

$bool
Input to be tested.

Returns

boolean
True if a valid boolean value, false otherwise.
public static boolean
# isDigit( string $digit )

Check that a string is comprised solely of digits.

This is a character-class check only: it does not range-check the value, and a sign or decimal point fails it. Use isInt() with $min and $max where a range matters.

Parameters

$digit
Input to be tested.

Returns

boolean
True if valid digit string, false otherwise.
public static boolean
# isEmail( string $email )

Check if an email address is valid.

Note that single quotes ' are a valid character in email addresses, so a true result from this filter does NOT indicate that the value is database safe; bind it as a parameter like any other string.

Parameters

$email
Input to be tested.

Returns

boolean
True if valid email address, otherwise false.
public static boolean
# isFloat( mixed $float )

Validate float (decimal point allowed).

Note that is_float() allows exponent notation (for example 1.5e3).

Parameters

$float
Input to be tested.

Returns

boolean
True if valid float, otherwise false.
public static boolean
# isInt( mixed $int, integer $min = null, integer $max = null )

Validate integer, optionally include range check.

Parameters

$int
Input to be tested.
$min
Minimum acceptable value.
$max
Maximum acceptable value.

Returns

boolean
True if valid int and within optional range check, false otherwise.
public static boolean
# isIp( string $ip, integer $version = null )

Validates IP addresses. Accepts private (but not reserved) ranges. Optionally restricted to IPv4 or IPv6 via $version.

Parameters

$ip
Input to be tested.
$version
IP address version ('4' or '6').

Returns

boolean
True if valid IP address, false otherwise.
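
The "private but not reserved" boundary exercised against concrete addresses, as an added example. This is not Tuskfish's own code: the isIp() stand-in is built on filter_var() with FILTER_FLAG_NO_RES_RANGE, which is assumed, not confirmed, to be how the project obtains the documented behaviour; the address list is constructed. The practical caveat it surfaces is that loopback and link-local addresses count as reserved, so a configured 127.0.0.1 will not pass.

```php
<?php
// Added example, not Tuskfish's own code: an assumed isIp() stand-in on
// filter_var() with FILTER_FLAG_NO_RES_RANGE, run against each class of range.
declare(strict_types=1);

function isIp(string $ip, $version = null): bool
{
    $flags = FILTER_FLAG_NO_RES_RANGE;       // private OK, reserved rejected
    if ((string) $version === '4') {
        $flags |= FILTER_FLAG_IPV4;
    } elseif ((string) $version === '6') {
        $flags |= FILTER_FLAG_IPV6;
    }
    return filter_var($ip, FILTER_VALIDATE_IP, $flags) !== false;
}

// Constructed cases: [address, version pin or null, expected result].
$cases = [
    ['10.0.0.1',     null, true],   // RFC 1918 private: accepted
    ['192.168.1.20', null, true],
    ['8.8.8.8',      null, true],   // public
    ['127.0.0.1',    null, false],  // reserved (loopback)
    ['169.254.1.1',  null, false],  // reserved (link-local)
    ['256.1.1.1',    null, false],  // not an address at all
    ['fd12:3456::1', null, true],   // IPv6 unique local: accepted
    ['fe80::1',      null, false],  // IPv6 link-local, reserved
    ['::1',          null, false],  // IPv6 loopback, reserved
    ['10.0.0.1',     '6',  false],  // version pin rejects an IPv4 address
    ['fd12:3456::1', '4',  false],  // and vice versa
];
foreach ($cases as [$ip, $version, $expected]) {
    $got = isIp($ip, $version);
    printf("%-14s v%-4s %-5s %s\n", $ip, $version ?? 'any',
        var_export($got, true), $got === $expected ? 'ok' : 'MISMATCH');
}
```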
public static boolean
# isUtf8( string $dirty_string )

Check if the character encoding of text is UTF-8.

All strings received from external sources must be passed through this function, particularly prior to storage in the database.

Parameters

$dirty_string
Input string to check.

Returns

boolean
True if string is UTF-8 encoded otherwise false.
public static boolean
# isUrl( string $url )

Validate URL.

Only accepts the http:// and https:// protocols and ASCII characters. Other protocols and internationalised domain names fail validation due to limitations of the underlying filter.

Parameters

$url
Input to be tested.

Returns

boolean
True if valid URL otherwise false.
public static boolean
# isArray( mixed $array )

Test if input is an array.

Parameters

$array
Input to be tested.

Returns

boolean
True if valid array otherwise false.
public static boolean
# isObject( mixed $object )

Test if input is an object.

Parameters

$object
Input to be tested.

Returns

boolean
True if valid object otherwise false.
public static boolean
# isNull( mixed $null )

Tests whether the input is null (i.e. set but without an assigned value).

Parameters

$null
Input to be tested.

Returns

boolean
True if input is null otherwise false.
public static boolean
# isResource( mixed $resource )

Tests if input is a resource.

Parameters

$resource
Input to be tested.

Returns

boolean
True if valid resource otherwise false.
public static string
# trimString( mixed $dirty_string )

Cast to string, check UTF-8 encoding and strip trailing whitespace and control characters.

Removes trailing whitespace and control characters (ASCII <= 32), checks for the UTF-8 character set and casts the input to a string. Control characters elsewhere in the string are not removed. Note that the data returned by this function still requires escaping at the point of use; it is not database or XSS safe.

As the input is cast to a string, do NOT apply this function to non-string types (int, float, bool, object, resource, null, array, etc.).

Parameters

$dirty_string
Input to be trimmed.

Returns

string
Trimmed and UTF-8 validated string.
API documentation generated by ApiGen.