public static string escape( mixed $output )

Escape data for display to mitigate XSS attacks.

Casts to string and applies htmlentities to text fields destined for output / display to
limit XSS attacks. Encoding of quotes and use of UTF-8 character set is hardcoded in.

Parameters
- $output: Unescaped string intended for display.

Returns
string Escaped output string safe for display.

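As an added illustration of the escaping rule the description lays out (cast to string, encode quotes, force UTF-8), applied in both a text and an attribute context. This is example code written here, not the project's own method; escapeForDisplay() is a stand-in name chosen for the example:

```php
<?php
declare(strict_types=1);

// Stand-in for the documented behaviour: cast to string, encode quotes,
// force UTF-8. Not the project's method; written for this example.
function escapeForDisplay($output): string
{
    return htmlentities((string) $output, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample value with characters that are significant in HTML
// text and attribute contexts, plus a non-ASCII letter.
$title = 'Résumé "draft" <b>v2</b> & O\'Brien';

// Text context: angle brackets and the ampersand are neutralised.
echo '<h1>' . escapeForDisplay($title) . "</h1>\n";

// Attribute context: ENT_QUOTES matters here, because an unencoded quote
// would otherwise terminate the attribute value. Escape once, at the point
// of output, not before storage, or stored data ends up double-encoded.
echo '<input type="text" value="' . escapeForDisplay($title) . "\">\n";

// Non-string input is cast first, so an integer passes through unchanged.
echo '<p>' . escapeForDisplay(42) . "</p>\n";
```

Two caveats worth knowing when using htmlentities() this way: it returns an empty string for input that is not valid UTF-8 (unless ENT_SUBSTITUTE or ENT_IGNORE is passed), so malformed input silently disappears from the page rather than being rendered, which is one reason the encoding check in isUtf8() belongs on every external string; and HTML entity encoding only covers HTML text and attribute contexts, so a value placed inside a JavaScript block or a URL needs a context-specific encoder instead.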
public static string encodeEscapeUrl( string $url )

URL-encode and escape a query string for use in a URL.

Trims, checks for UTF-8 compliance, rawurlencodes and then escapes with htmlspecialchars().
If you wish to use the data on a landing page you must decode it with
htmlspecialchars_decode() followed by rawurldecode() in that order. But really, if you are
using any characters that need to be encoded in the first place you should probably just
stop.

Parameters
- $url: Unescaped input URL.

Returns
string Encoded and escaped URL.

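The encode-then-escape sequence described above, and the reverse order required on the landing page, as an added example (not the project's own code; encodeEscapeUrl() and decodeEscapedUrl() are stand-ins written for this illustration). The sample value is constructed to show why the decode order matters:

```php
<?php
declare(strict_types=1);

// Stand-in for the documented sequence: trim, check UTF-8, percent-encode,
// then HTML-escape so the result can sit inside an href attribute.
function encodeEscapeUrl(string $url): string
{
    $url = trim($url);
    if (!mb_check_encoding($url, 'UTF-8')) {
        return '';   // assumption for this example: reject invalid encoding
    }
    return htmlspecialchars(rawurlencode($url), ENT_QUOTES, 'UTF-8');
}

// Undo the layers in the opposite order: entities first, then percent
// encoding. rawurlencode() never emits characters that htmlspecialchars()
// touches, so the HTML step is a no-op on a correctly encoded value.
function decodeEscapedUrl(string $encoded): string
{
    return rawurldecode(htmlspecialchars_decode($encoded, ENT_QUOTES));
}

// Constructed sample: user text that happens to contain a literal entity.
$value = 'fish &amp; chips';
$safe  = encodeEscapeUrl($value);

echo '<a href="/search?q=' . $safe . "\">search</a>\n";

// Correct order: the original text comes back byte for byte.
var_dump(decodeEscapedUrl($safe) === $value);

// Wrong order: percent-decoding first exposes "&amp;" to the entity decoder,
// which turns the user's literal text into a bare ampersand.
var_dump(htmlspecialchars_decode(rawurldecode($safe), ENT_QUOTES) === $value);
```

The first comparison holds and the second does not: decoding in the wrong order silently alters input that merely looks like an entity, which is the data-integrity point behind the "in that order" rule above.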
public static string filterHtml( string $dirty_html, array $config_options = array() )

Validate (and to some extent, "sanitise") HTML input to conform with whitelisted tags.

Applies HTMLPurifier to validate and sanitise HTML input. The precise operation can be
modified by altering the configuration of HTMLPurifier. Default options are to mandate
UTF-8 encoding and to enable HTML5-style IDs (anchor targets).

Parameters
- $dirty_html: Unvalidated HTML input.
- $config_options: HTMLPurifier configuration options (see HTMLPurifier documentation).

Returns
string Validated HTML content.

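An added example of driving HTMLPurifier in the way the description outlines: defaults that force UTF-8 and enable IDs, which a caller can extend or override per call. This is illustration code, not the project's method; the use of the Attr.EnableID directive for "HTML5-style IDs" and the Composer autoload path are assumptions made for the example:

```php
<?php
declare(strict_types=1);

// Requires the ezyang/htmlpurifier package; the autoload path is an
// assumption for this example.
require_once __DIR__ . '/vendor/autoload.php';

// Stand-in for the documented behaviour (not the project's code).
function filterHtml(string $dirty_html, array $config_options = []): string
{
    $defaults = [
        'Core.Encoding' => 'UTF-8',   // mandate UTF-8
        'Attr.EnableID' => true,      // assumed mapping of "enable IDs"
    ];
    $config = HTMLPurifier_Config::createDefault();
    // Caller-supplied options win over the defaults.
    foreach (array_merge($defaults, $config_options) as $key => $value) {
        $config->set($key, $value);
    }
    $purifier = new HTMLPurifier($config);
    return $purifier->purify($dirty_html);
}

// Constructed sample: permitted markup mixed with an inline event handler
// and an element that is not in the whitelist. Both are dropped.
$dirty = '<p id="intro" onclick="x()">Hello <b>world</b><foo>bar</foo></p>';
echo filterHtml($dirty), "\n";

// Tightening the whitelist for one call: only <p> and <b> survive, and
// because no attributes are listed the id is removed as well.
echo filterHtml($dirty, ['HTML.Allowed' => 'p,b']), "\n";
```

The important design point is that the whitelist is the policy: anything not explicitly allowed is removed rather than escaped, which is why the method is described as validation rather than plain escaping.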
public static boolean hasTraversalorNullByte( string $path )

Check if a file path contains traversals (including encoded traversals) or null bytes.

Directory traversals are not permitted in Tuskfish method parameters. If a path is found to
contain a traversal it is presumed to be an attack. Encoded traversals are a clear sign of
attempted abuse.
In general untrusted data should never be used to construct a file path. This method exists
as a second line safety measure.

Parameters
- $path

Returns
boolean True if a traversal or null byte is found, otherwise false.

See
https://www.owasp.org/index.php/Path_Traversal

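An added example of the second-line check described above, flagging ".." or a null byte whether it appears literally or behind one or two layers of percent-encoding. This is illustration code, not the project's method; hasTraversalOrNullByte() and openUpload() are stand-in names, and the uploads directory is an assumption:

```php
<?php
declare(strict_types=1);

// Stand-in for the documented check (not the project's code).
function hasTraversalOrNullByte(string $path): bool
{
    // Inspect the raw value and two successive decodings, so that %2e%2e,
    // %252e%252e and %00 are caught along with the literal forms.
    $candidates = [$path];
    $decoded = $path;
    for ($round = 0; $round < 2; $round++) {
        $decoded = rawurldecode($decoded);
        $candidates[] = $decoded;
    }
    foreach ($candidates as $candidate) {
        // A null byte truncates the path in C-level filesystem calls.
        if (strpos($candidate, "\0") !== false) {
            return true;
        }
        // Any ".." counts as traversal. This deliberately also rejects
        // unusual but legal names such as "a..b": untrusted data should not
        // be building paths at all, so strictness costs nothing here.
        if (strpos($candidate, '..') !== false) {
            return true;
        }
    }
    return false;
}

// Usage pattern: refuse early, record the attempt, never hand the value on.
function openUpload(string $name): ?string
{
    if (hasTraversalOrNullByte($name)) {
        error_log('Rejected path parameter: ' . addcslashes($name, "\0..\37"));
        http_response_code(400);
        return null;
    }
    // basename() as a further layer; the directory is an assumption.
    return __DIR__ . '/uploads/' . basename($name);
}

// Constructed samples: clean, literal, single- and double-encoded, null byte.
$samples = ['logo.png', '../../secret.txt', '%2e%2e%2fsecret.txt', '%252e%252e/x', "a.txt\0.jpg"];
foreach ($samples as $s) {
    printf("%-24s %s\n", addcslashes($s, "\0..\37"), var_export(hasTraversalOrNullByte($s), true));
}
```

Logging the rejected value with control characters escaped (addcslashes) keeps the log line itself readable and avoids writing a raw null byte into the log file.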
public static boolean isAlpha( string $alpha )

Check that a string is comprised solely of alphabetical characters.

Tolerates vanilla ASCII only. Accented regional characters are rejected. This method is
designed to be used to check database identifiers or object property names.

Parameters
- $alpha: Input to be tested.

Returns
boolean True if valid alphabetical string, false otherwise.

public static boolean isAlnum( string $alnum )

Check that a string is comprised solely of alphanumeric characters.

Accented regional characters are rejected. This method is designed to be used to check
database identifiers or object property names.

Parameters
- $alnum: Input to be tested.

Returns
boolean True if valid alphanumerical string, false otherwise.

public static boolean isAlnumUnderscore( string $alnumUnderscore )

Check that a string is comprised solely of alphanumeric characters and underscores.

Accented regional characters are rejected. This method is designed to be used to check
database identifiers or object property names.

Parameters
- $alnumUnderscore: Input to be tested.

Returns
boolean True if valid alphanumerical or underscore string, false otherwise.

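One added example covering the three identifier checks above (isAlpha, isAlnum and isAlnumUnderscore), written with explicit ASCII character classes so that accented letters are rejected regardless of locale, and showing the intended use of gating a column name that cannot be bound as a prepared-statement parameter. This is illustration code, not the project's implementation; orderByClause() is a stand-in written for the example:

```php
<?php
declare(strict_types=1);

// Stand-ins for the documented checks (not the project's code). The
// anchors use \z rather than $, because $ also matches before a trailing
// newline and would let "abc\n" through.
function isAlpha(string $alpha): bool
{
    return preg_match('/^[A-Za-z]+\z/', $alpha) === 1;
}

function isAlnum(string $alnum): bool
{
    return preg_match('/^[A-Za-z0-9]+\z/', $alnum) === 1;
}

function isAlnumUnderscore(string $alnumUnderscore): bool
{
    return preg_match('/^[A-Za-z0-9_]+\z/', $alnumUnderscore) === 1;
}

// Typical use: a sort column arrives from the request and has to be
// interpolated into SQL, where a placeholder cannot stand in for an
// identifier. Validate it as an identifier, not as free text.
function orderByClause(string $column): string
{
    if (!isAlnumUnderscore($column)) {
        throw new InvalidArgumentException('Invalid column identifier');
    }
    return 'ORDER BY ' . $column;
}

// Constructed samples, including a trailing newline and an accented letter.
foreach (['title', 'date_added', 'Ã©tat', "title\n", 'title; DROP', ''] as $id) {
    printf("%-14s alpha:%-5s alnum:%-5s alnum_:%s\n",
        var_export($id, true),
        var_export(isAlpha($id), true),
        var_export(isAlnum($id), true),
        var_export(isAlnumUnderscore($id), true));
}
```

The empty string is rejected by all three because the quantifier is `+`; if an empty identifier is ever acceptable in a caller that is a decision to make explicitly at the call site, not in the validator.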
public static boolean isBool( mixed $bool )

Validate boolean input.

Be careful with the return value; this method simply determines if a value is boolean or
not; it does not return the actual value of the parameter.

Parameters
- $bool: Input to be tested.

Returns
boolean True if a valid boolean value, false otherwise.

public static boolean isDigit( string $digit )

Check that a string is comprised solely of digits.

Parameters
- $digit: Input to be tested.

Returns
boolean True if valid digit string, false otherwise.

public static boolean isEmail( string $email )

Check if an email address is valid.

Note that single quotes ' are a valid character in email addresses, so the output of this
filter does NOT indicate that the value is database safe.

Parameters
- $email: Input to be tested.

Returns
boolean True if valid email address, otherwise false.

public static boolean isFloat( mixed $float )

Validate float (decimal point allowed).

Note that is_float() allows exponents.

Parameters
- $float: Input to be tested.

Returns
boolean True if valid float, otherwise false.

public static boolean isInt( mixed $int, integer $min = null, integer $max = null )

Validate integer, optionally include range check.

Parameters
- $int: Input to be tested.
- $min: Minimum acceptable value.
- $max: Maximum acceptable value.

Returns
boolean True if valid int and within optional range check, false otherwise.

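An added example of integer validation with the optional range, built on filter_var(), including the comparison pitfall that makes a valid zero look like a failure. This is illustration code, not the project's method; the request-parameter usage at the end is a constructed scenario:

```php
<?php
declare(strict_types=1);

// Stand-in for the documented check (not the project's code).
function isInt($int, ?int $min = null, ?int $max = null): bool
{
    // Booleans are coerced to "1"/"" by filter_var; refuse them up front
    // so that true does not masquerade as the integer 1.
    if (is_bool($int)) {
        return false;
    }
    $options = [];
    if ($min !== null) {
        $options['min_range'] = $min;
    }
    if ($max !== null) {
        $options['max_range'] = $max;
    }
    // filter_var() returns the validated integer itself on success, so a
    // valid "0" comes back as int(0). Compare with false, never truthiness.
    return filter_var($int, FILTER_VALIDATE_INT, ['options' => $options]) !== false;
}

// Constructed samples: strings as they would arrive from a request, plus
// numeric and non-numeric PHP values.
$samples = ['0', '42', '-7', '4.5', '1e3', ' 9', 'abc', 42, 5.0, true, null, []];
foreach ($samples as $value) {
    printf("%-10s any:%-5s 1..100:%s\n",
        var_export($value, true),
        var_export(isInt($value), true),
        var_export(isInt($value, 1, 100), true));
}

// Usage in a handler: validate, then cast once, and work with the int.
$id = $_GET['id'] ?? '';
if (!isInt($id, 1)) {
    http_response_code(400);
    exit('invalid id');
}
$id = (int) $id;
```

Note that the range is inclusive and that FILTER_VALIDATE_INT rejects leading whitespace and decimal notation but accepts a leading sign; if the page parameter should only ever be a positive record ID, passing a minimum of 1 expresses that directly instead of a separate sign check.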
public static boolean isIp( string $ip, integer $version = null )

Validates IP addresses. Accepts private (but not reserved) ranges. Optionally IPV6.

Parameters
- $ip: Input to be tested.
- $version: IP address version ('4' or '6').

Returns
boolean True if valid IP address, false otherwise.

public static boolean isUtf8( string $dirty_string )

Check if the character encoding of text is UTF-8.

All strings received from external sources must be passed through this function, particularly
prior to storage in the database.

Parameters
- $dirty_string: Input string to check.

Returns
boolean True if string is UTF-8 encoded otherwise false.

public static boolean isUrl( string $url )

Validate URL.

Only accepts http:// and https:// protocol and ASCII characters. Other protocols
and internationalised domain names will fail validation due to limitation of filter.

Parameters
- $url

Returns
boolean True if valid URL otherwise false.

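One added example serving both the isIp() entry above (private ranges accepted, reserved ranges rejected, optional version pinning) and the isUrl() entry (http/https only, ASCII only). Both are built on filter_var(); this is illustration code, not the project's implementation, and the sample addresses and URLs are constructed:

```php
<?php
declare(strict_types=1);

// Stand-in for the documented IP check (not the project's code).
// FILTER_FLAG_NO_RES_RANGE rejects reserved blocks such as loopback and
// link-local while leaving RFC 1918 private ranges acceptable.
function isIp(string $ip, ?int $version = null): bool
{
    $flags = FILTER_FLAG_NO_RES_RANGE;
    if ($version === 4) {
        $flags |= FILTER_FLAG_IPV4;
    } elseif ($version === 6) {
        $flags |= FILTER_FLAG_IPV6;
    } elseif ($version !== null) {
        return false;   // unsupported version argument
    }
    return filter_var($ip, FILTER_VALIDATE_IP, $flags) !== false;
}

// Stand-in for the documented URL check (not the project's code).
// FILTER_VALIDATE_URL accepts many schemes, so the http/https restriction
// is enforced separately. The filter rejects non-ASCII input, which is the
// limitation with internationalised domain names noted above.
function isUrl(string $url): bool
{
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return false;
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return $scheme === 'http' || $scheme === 'https';
}

// Constructed samples: private, public, loopback, IPv6, malformed.
foreach (['192.168.1.10', '8.8.8.8', '127.0.0.1', '2001:db8::1', '999.1.1.1'] as $ip) {
    printf("%-15s v4:%-5s v6:%-5s any:%s\n", $ip,
        var_export(isIp($ip, 4), true),
        var_export(isIp($ip, 6), true),
        var_export(isIp($ip), true));
}

// Constructed samples: accepted scheme, other scheme, non-ASCII host.
foreach (['https://example.com/path?q=1', 'ftp://example.com/', 'http://exämple.com/'] as $url) {
    printf("%-32s %s\n", $url, var_export(isUrl($url), true));
}
```

Because loopback is in the rejected reserved range, an isIp() check of this kind is not suitable for validating addresses that may legitimately be 127.0.0.1 (a local service endpoint, for instance); use the flag deliberately rather than by habit.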
public static boolean isArray( mixed $array )

Test if input is an array.

Parameters
- $array: Input to be tested.

Returns
boolean True if valid array otherwise false.

public static boolean isObject( mixed $object )

Test if input is an object.

Parameters
- $object: Input to be tested.

Returns
boolean True if valid object otherwise false.

public static boolean isNull( mixed $null )

Tests if the input is null (i.e. set but without an assigned value) or not.

Parameters
- $null: Input to be tested.

Returns
boolean True if input is null otherwise false.

public static boolean isResource( mixed $resource )

Tests if input is a resource.

Parameters
- $resource: Input to be tested.

Returns
boolean True if valid resource otherwise false.

public static string trimString( mixed $dirty_string )

Cast to string, check UTF-8 encoding and strip trailing whitespace and control characters.

Removes trailing whitespace and control characters (ASCII <= 32), checks for UTF-8 character
set and casts input to a string. Note that the data returned by this function still
requires escaping at the point of use; it is not database or XSS safe.
As the input is cast to a string do NOT apply this function to non-string types (int, float,
bool, object, resource, null, array, etc).

Parameters
- $dirty_string: Input to be trimmed.

Returns
string Trimmed and UTF-8 validated string.

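One added example serving both the isUtf8() entry and the trimString() entry above: an encoding check with mb_check_encoding(), the trailing-control-character strip, and a demonstration of why the cast makes the function unsuitable for non-string input. This is illustration code, not the project's implementation; returning an empty string for invalid encoding is an assumption made for the example:

```php
<?php
declare(strict_types=1);

// Stand-in for the documented encoding check (not the project's code).
function isUtf8(string $dirty_string): bool
{
    return mb_check_encoding($dirty_string, 'UTF-8');
}

// Stand-in for the documented trim (not the project's code).
function trimString($dirty_string): string
{
    $string = (string) $dirty_string;
    if (!isUtf8($string)) {
        // Assumption for this example: malformed bytes are dropped rather
        // than passed downstream.
        return '';
    }
    // Strip trailing whitespace and control characters (ASCII 0..32).
    // The result is still raw text and must be escaped at the point of use.
    return rtrim($string, "\x00..\x20");
}

// Constructed samples: trailing controls, valid UTF-8, an invalid byte.
$samples = [
    "hello world \r\n\x00\t",   // trailing whitespace and control characters
    "caf\xC3\xA9",               // "café" as valid UTF-8
    "caf\xE9",                   // Latin-1 e-acute, not valid UTF-8
];
foreach ($samples as $s) {
    printf("%-22s utf8:%-5s trimmed:%s\n",
        addcslashes($s, "\0..\37\200..\377"),
        var_export(isUtf8($s), true),
        var_export(trimString($s), true));
}

// Why the "strings only" rule matters: the cast changes the meaning of
// non-string values. (string) false is the empty string, so a legitimate
// boolean false becomes indistinguishable from missing input, and a float
// is rendered in PHP's own textual form rather than the caller's.
var_dump(trimString(false));
var_dump(trimString(0.10));
```

The control-character range passed to rtrim() uses the `..` range syntax that PHP's trim family understands, so it covers every byte from NUL up to and including the space, which matches the "ASCII <= 32" rule stated above; leading whitespace is intentionally left alone, as the description only mentions trailing characters.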