Source for file XSSFilter.class.php
* Simple configurable data filter.
* Note that it is not perfect but should provide a good starting point for
* // The params for XSSFilter are: remove_html, remove_javascript,
* // escape_html, urlencode_html, extended_return
* // For more information on what each does see the code docs in the class
* $f = new XSSFilter(True, True, False, True, True);
* $safer = $f->filter($_GET);
* $f = new XSSFilter(True, True, False, True, True);
* $result = $f->filter($input);
* if ($result->changes) {
* print('Your input has been modified');
* @author Steve 'Ashcrow' Milner
* @link http://bitbucket.org/ashcrow/php-xssfilter
* Array wrapper for safe arrays.
* Class variable noting if the data had been changed.
* Extended response of filtered array data.
* @param data array input array which is already safe.
* @param changes bool if changes had to be made.
$this->changes = $changes;
foreach($data as $key => $value) {
$this->offsetSet($key, $value);
* Converts the instance to a String.
* Used to return data requested.
* @param property string requested attribute.
function __get($property)
if ($property == 'changes') {
} elseif ($property == 'data') {
return $this->getArrayCopy();
* String wrapper for safer strings.
* Class variable noting if the data had been changed.
* Class variable holding the data directly.
* Extended response of filtered string data.
* @param string data input array which is already safe.
* @param bool change if changes had to be made.
$this->changes = $changes;
* Converts instance to a String.
return (string) $this->data;
* Used to return data requested.
* @param string property requested attribute.
function __get($property)
if ($property == 'changes') {
} elseif ($property == 'data') {
* Configurable XSSFilter for use by developers.
* Class variable noting if html should be removed.
* Class variable noting if javascript should be removed.
* Class variable noting if html should be escaped.
* Class variable noting if html should be urlencoded.
* Class variable noting if the return value should be a structure
* which includes the scrubbed data and a boolean noting if the data
* A return of False means no changes, True means changes.
* A filter object that attempts to strip out evil data.
* @param bool remove_html if html should be removed.
* @param bool remove_javascript if javascript should be removed.
* @param bool escape_html if html should be escaped.
* @param bool urlencode_html if html should be urlencoded.
* @param bool extended_return if an extended object should be used.
function __construct($remove_html=False, $remove_javascript=False,
$escape_html=True, $urlencode_html=False, $extended_return=False) {
* Forward method for filtering input.
* @param string data the data to filter.
* Filters a single input item
* @param string data the data to filter.
* @return string a safer string.
"@<script[^>]*?>.*?</script[^>]*?>@si", "", $data);
// The regex should catch it all, but can't hurt to double check it
"@<.*[^>]*?>.*?</.*>@si", "", $data));
$data, $original_data != $data ? True : False);
* Filters a single level array.
* @param array data the data filled array to filter.
* @return array a safer array.
foreach ($data as $key => $value) {
$result = $this->filter($value);
$safe[$key] = $result->data;
$result->changes and $changes = True;
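The listing above only survives in fragments, so the following is an added, self-contained example (not the project's code) that walks the same pipeline the XSSFilter options describe: strip script blocks, strip remaining tags, escape, optionally urlencode, and return the scrubbed value with a changes flag as the extended_return mode does. It reuses the page's script-tag pattern but swaps the hand-written catch-all tag regex for PHP's strip_tags, and it goes beyond the page's single-level array filter by walking nested arrays. Function names, option keys and the sample input are this example's own.

```php
<?php
// Added example (not the project's code): a small filter that follows the
// remove_javascript / remove_html / escape_html / urlencode_html pipeline and
// returns ['data' => ..., 'changes' => bool] like the extended_return mode.
// Function and option names are assumptions made for this example.

declare(strict_types=1);

/**
 * Filter one string. Returns ['data' => string, 'changes' => bool].
 */
function xss_filter_string(string $data, array $opts): array
{
    $original = $data;

    if (!empty($opts['remove_javascript'])) {
        // Same pattern the page's filter uses for <script> blocks.
        $data = preg_replace('@<script[^>]*?>.*?</script[^>]*?>@si', '', $data);
    }

    if (!empty($opts['remove_html'])) {
        // PHP's own tag stripper instead of a catch-all regex: it removes
        // whole tags without swallowing the text that sits between them.
        $data = strip_tags($data);
    }

    if (!empty($opts['escape_html'])) {
        // Output encoding is the step that reliably neutralises markup:
        // <, >, &, " and ' become entities, so anything the removal passes
        // above missed is rendered as text rather than parsed as HTML.
        $data = htmlspecialchars($data, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }

    if (!empty($opts['urlencode_html'])) {
        // Only meaningful when the value is about to be placed in a URL.
        $data = rawurlencode($data);
    }

    return ['data' => $data, 'changes' => $data !== $original];
}

/**
 * Filter a value of any shape: strings are filtered, arrays are walked
 * recursively (the page's array filter handles a single level only), and
 * non-string scalars pass through unchanged.
 */
function xss_filter(mixed $value, array $opts): array
{
    if (is_array($value)) {
        $safe = [];
        $changes = false;
        foreach ($value as $key => $item) {
            $result = xss_filter($item, $opts);
            $safe[$key] = $result['data'];
            $changes = $changes || $result['changes'];
        }
        return ['data' => $safe, 'changes' => $changes];
    }
    if (is_string($value)) {
        return xss_filter_string($value, $opts);
    }
    return ['data' => $value, 'changes' => false];
}

// Constructed sample input standing in for $_GET.
$input = [
    'name'    => 'Ada <b>Lovelace</b>',
    'comment' => 'hi <script>alert(1)</script> there',
    'tags'    => ['ok', 'x > y & z'],
    'page'    => 3,
];

$opts = [
    'remove_html'       => true,
    'remove_javascript' => true,
    'escape_html'       => true,
    'urlencode_html'    => false,
];

$result = xss_filter($input, $opts);
if ($result['changes']) {
    echo "Your input has been modified\n";
}
print_r($result['data']);
```

The removal steps are best effort, which is what the file's own header means by "not perfect": a tag stripper changes the text but cannot prove the remainder is inert. The escape_html step is the dependable control, because htmlspecialchars with ENT_QUOTES encodes every character that can open a tag or attribute in an HTML text or attribute context. Treat the changes flag as a signal for logging or for telling the user their input was altered, not as a security decision.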
Documentation generated on Mon, 01 Nov 2010 10:59:03 -0400 by phpDocumentor 1.4.3