Joomla Framework Filter Package

Overview

The Filter Package

Installation via Composer

Add "joomla/filter": "~2.0" to the require block in your composer.json and then run composer install.

{
	"require": {
		"joomla/filter": "~2.0"
	}
}

Alternatively, you can simply run the following from the command line:

composer require joomla/filter "~2.0"

If you want to include the test sources, use

composer require --prefer-source joomla/filter "~2.0"

Note that the Joomla\Language package is an optional dependency and is only required if the application requires the use of OutputFilter::stringURLSafe.

Upgrades from 1 to 2

Note the InputFilter static class constants have been renamed:

| Before | After |
| --- | --- |
| InputFilter::TAGS_WHITELIST | InputFilter::ONLY_ALLOW_DEFINED_TAGS |
| InputFilter::TAGS_BLACKLIST | InputFilter::ONLY_BLOCK_DEFINED_TAGS |
| InputFilter::ATTR_WHITELIST | InputFilter::ONLY_ALLOW_DEFINED_ATTRIBUTES |
| InputFilter::ATTR_BLACKLIST | InputFilter::ONLY_BLOCK_DEFINED_ATTRIBUTES |

The public property InputFilter::tagBlacklist has been renamed to InputFilter::blockedTags. Similarly, InputFilter::attrBlacklist has been renamed to InputFilter::blockedAttributes.

All code usage of these properties remains unchanged.

Comments
  • Handle objects in input filter clean function

    Pull Request for Issue https://github.com/joomla/joomla-cms/pull/32207#issuecomment-770230746 .

    Summary of Changes

    Let the input filter also clean objects.

    Due to the recursion, the clean function will also work for nested objects.

    Testing Instructions

    Test https://github.com/joomla/joomla-cms/pull/32207 and see that it fails.

    Then still on the same testing environment, apply the same change as made in this PR here for the 1.x version of the input filter to the local 2.0.0-beta4 version of the input filter, and then test again, and check that it works now and that changed filters are properly saved in database.

    Documentation Changes Required

    None.

    opened by richard67 22
  • Fix Array to String conversion notices in clean()

    • Adds basic first level processing of arrays of numbers
      • Fixes Array to String conversion notices in clean() for number cases
    • Replaces decode() with html_entity_decode()
    • Updates pcre patterns for numbers
      • Fixes floats case to properly handle exponent type floats rather than just decimal floats
    • Adds new general cases to test and verify the array of numbers functionality
    • Code style: fixes missing comma at end of array lists.
    opened by photodude 18
  • Saving Global Configuration broken in the 4.0-dev branch of the CMS when updating joomla/filter from 2.0.0-beta2 to 2.0.0-beta3 or 2.0.0-beta4

    Steps to reproduce the issue

    It seems that beginning with version 2.0.0-beta3, the filter package breaks saving Global Configuration in the 4.0-dev branch of the CMS, see https://github.com/joomla/joomla-cms/pull/32207#issuecomment-770240778 .

    I.e. update the filter package on J4 to version 2.0.0-beta3 or 2.0.0-beta4. Then go to Global Configuration and try to save.

    Expected result

    Works.

    Actual result

    PHP Recoverable fatal error:  Object of class stdClass could not be converted to string
    in /home/richard/lamp/public_html/joomla-cms-4.0-dev/libraries/vendor/joomla/filter/src/InputFilter.php on line 239,
    referer: https://www.joomla-40-dev.vmkubu02.vmnet2.local/administrator/index.php?option=com_config
    

    System information (as much as possible)

    Additional comments

    opened by richard67 17
  • CleanPath: Allow slashes in path pattern for Windows to be able to handle partly normalized paths

    Pull Request for Issue #

    Summary of Changes

    Fix the regex for Windows so it can handle partly normalized paths like e.g. C:\\xampp\\htdocs\\joomla-cms/tmp, which is the $tmp_path in configuration.php after a new installation of a current staging branch of the CMS on an XAMPP on Windows.

    Partly normalized paths like e.g. C:\\xampp\\htdocs\\joomla-cms/tmp are absolutely ok in environments like PHP or like I have it in my job with Java, where paths on any OS are later normalized using "/" as separator (what our Path::clean does).

    So we have to stick here to the rules of PHP how it handles Windows paths, and not to the rules of Windows, where a slash in a file or folder name is not allowed.

    @zero-24 @nibra If having partly normalized paths like described above is not desired, we can replace the slashes / by backslashes \ at the end of the routine here https://github.com/joomla-framework/filter/blob/872338c69e1539959d05059d533a483edcc76978/src/InputFilter.php#L1018 by changing it to return preg_replace('~(\\\\|/)+~', '\\', $source); Then we would not have 'C:\Documents\Newsletters/tmp' or 'C:\Documents/Newsletters/tmp' but 'C:\Documents\Newsletters\tmp' as result of the 2 new unit tests.

    I think we don't need that, i.e. the PR is good as it is, because when appending the update package's file name to the path, the Joomla Update component will anyway use a slash /.

    What do you think?

    Testing Instructions

    Test https://github.com/joomla/joomla-cms/pull/32076 with XAMPP on Windows.

    Documentation Changes Required

    None.

    opened by richard67 16
  • Only perform filter if $type is not empty

    Pull Request for Issue #

    Summary of Changes

    This PR fixes the issue on Joomla CMS PR https://github.com/joomla/joomla-cms/pull/32207. Basically, we should only call the type specific filter method if $type is actually passed (not an empty string).

    I don't know what the testing instructions are. Maybe code review should be enough?

    opened by joomdonation 6
  • Port CMS fix 15966

    Pull Request for Issue Port CMS fix 15966

    Summary of Changes

    Port CMS fix 15966 - Fixing InputFilter adding byte offsets to character offset

    Testing Instructions

    Should pass filtering this included content content.txt

    unit tests based on this and other content provided by Joomla users and tests created by @PhilETaylor are included

    Documentation Changes Required

    none

    opened by photodude 5
  • Declare compatibility with PHP 8.0

    Pull Request for Issue #N/A

    Summary of Changes

    Currently, joomla/filter cannot be installed on PHP 8.0 due to the following error:

    Problem 2
        - joomla/filter is locked to version 1.3.5 and an update of this package was not requested.
        - joomla/filter 1.3.5 requires php ^5.3.10|~7.0 -> your php version (8.0.3) does not satisfy that requirement.
    

    However, your automated test suite already seems to be testing it against PHP 8.0 and it works just fine! This PR explicitly describes support for PHP 8.0.

    Testing Instructions

    N/A

    Documentation Changes Required

    opened by dennisameling 1
  • Use unknown filter for kill script test with object

    Pull Request for Issue #

    Summary of Changes

    Fix the new test for object.

    The same test for non-objects uses the unknown filter type ''.

    It should be the same when testing the object.

    Testing Instructions

    CI tests pass.

    Documentation Changes Required

    None.

    opened by richard67 1
  • Add a Windows test with slash

    Pull Request for Issue https://github.com/joomla/joomla-cms/pull/32076 cc @richard67 @nibra

    Summary of Changes

    Add a Windows test with slash

    Todo

    • [ ] extend the regex to allow the slash at the right place or
    • [ ] require the path to be passed via path::clean

    Testing Instructions

    Try to test the PR #32076; the test fails as there is a slash in the regex

    Documentation Changes Required

    none.

    opened by zero-24 1
  • "Raw" filter returns string

    Steps to reproduce the issue

    var_dump((new Joomla\Filter\InputFilter)->clean(1, 'raw'));
    

    Expected result

    int 1
    

    Actual result

    string '1'
    

    System information (as much as possible)

    Additional comments

    Since https://github.com/joomla-framework/filter/commit/e4d3d158eabae41edfdbfea482a2b5feae71a187.

    opened by SharkyKZ 1
  • more test cases covering ampReplace

    Back port unit tests from joomla-cms https://github.com/joomla/joomla-cms/commit/61b9fcc4702467fdb0500057c49577037561fcc1

    @mbabker https://github.com/joomla/joomla-cms/issues/16088#issuecomment-302196249

    opened by PhilETaylor 1
  • OutputFilter.php uses broken classes from CMS

    Steps to reproduce the issue

    This is an issue that was found out in https://github.com/joomla/joomla-cms/pull/38993 and is still valid in the current codebase of the filter package. In https://github.com/joomla-framework/filter/commit/0556634b23b8f3041576301c5aefb60baff40e93 the language class from the CMS is used in the OutputFilter class and besides that, the use-statement is wrong. So right now this stringUrlSafe() does not work.

    opened by Hackwar 0
  •  PHP 8.1 deprecation Passing null to parameter string

    ( ! ) Deprecated: preg_replace(): Passing null to parameter #3 ($subject) of type array|string is deprecated in \libraries\vendor\joomla\filter\src\OutputFilter.php on line 157

    Pull Request for Issue #

    Summary of Changes

    Testing Instructions

    Documentation Changes Required

    opened by 810 0
  • Valid hidden Joomla files/folders sometimes fail the filter

    Steps to reproduce the issue

    1. Apply the path filter to the path

    /var/www/vhosts/website-net/subdomain-website-net/._hiddenTemp

    2. Apply the path filter to the path

    /var/www/vhosts/website.net/subdomain.website.net/._hiddenTemp

    Expected result

    1. Should return the cleaned path

    /var/www/vhosts/website-net/subdomain-website-net/._hiddenTemp

    2. Should return the cleaned path

    /var/www/vhosts/website.net/subdomain.website.net/._hiddenTemp

    Actual result

    1. Returns the path

    /var/www/vhosts/website-net/subdomain-website-net/._hiddenTemp

    2. Returns an empty path

    ``

    Additional comments

    Plesk servers use the domain/subdomain pattern 2 so this is a live issue.

    Additionally the use of hidden files/folders is a valid and security enhancing use case - setting the Joomla tmp or log directory to a hidden *nix folder is a good thing. Also can be used to install a hidden Joomla installation in an obscure and hidden sub-folder of a live site.

    opened by GeraintEdwards 1
  • Fixes wrong replacements when having multibyte characters in tag attribute values

    I had a closer look at the problem with the "infinite loop" (which means that at the end you are running into the maximum execution time error) mentioned in joomla/joomla-cms#34967.

    The problem is that escapeAttributeValues() does not handle multibyte characters correctly. It makes wrong replacements in the tag attribute values, which leads to the "infinite loop" in the further processing after the function has been applied.

    One can reproduce the wrong replacement by making the following changes to a fresh installation of Joomla 4.0.0:

    1. Change the access of the function protected function escapeAttributeValues($source) in /libraries/vendor/joomla/filter/src/InputFilter.php from protected to public.
    2. Add the following code to line 179 of administrator/components/com_cpanel/src/View/Cpanel/HtmlView.php
    		$inputFilter = \Joomla\CMS\Filter\InputFilter::getInstance(array(), array(), 1, 1);
    		$testhtml = '<input alt="PayPal – The safer, easier way to pay online!" name="submit" src="https://www.paypalobjects.com/de_DE/CH/i/btn/btn_donateCC_LG.gif" type="image" />';
    
    		echo "<p>Before applying escapeAttributeValues():<br/>";
    		echo(htmlentities($testhtml));
    		echo "</p>";
    		echo "<p>After applying escapeAttributeValues():<br/>";
    		echo(htmlentities($inputFilter->escapeAttributeValues($testhtml)));
    		echo "</p>";
    
    3. Open the Joomla 4 dashboard in the backend. Notice the hyphen in the "alt" attribute of the input tag, which is a multibyte character (3 bytes). See the wrong replacements ... online!&quot; "ame=.

    The problem is that $matches[0][1] counts in bytes and $attributeValue = StringHelper::substr($remainder, $nextBefore, $nextAfter - $nextBefore); counts in multibyte characters.

    After applying the patch there is no wrong replacement any more.

    opened by Erftralle 4
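
The byte/character offset mix-up described in the report above, reduced to a stand-alone case. This is an added example, not code from joomla/filter or from the pull request; attrValue() and its parameters are hypothetical names, and the sample tag is constructed. It assumes the mbstring extension and a UTF-8 source file.

```php
<?php
declare(strict_types=1);

// Added illustration; attrValue() and its parameters are hypothetical names,
// not part of joomla/filter. Requires the mbstring extension.

/**
 * Return the value of attribute $name inside $html.
 * $convertOffset = false reproduces the mix-up: a byte offset from
 * preg_match() is passed unchanged to character-counting mb_* functions.
 */
function attrValue(string $html, string $name, bool $convertOffset): ?string
{
    $pattern = '/\s' . preg_quote($name, '/') . '="/u';

    if (!preg_match($pattern, $html, $m, PREG_OFFSET_CAPTURE)) {
        return null;
    }

    // $m[0][1] is a BYTE offset, even when the pattern uses the /u modifier.
    $start = $m[0][1] + strlen($m[0][0]);

    if ($convertOffset) {
        // Count the characters in front of the value to get a character offset.
        $start = mb_strlen(substr($html, 0, $start), 'UTF-8');
    }

    $end = mb_strpos($html, '"', $start, 'UTF-8');

    return $end === false ? null : mb_substr($html, $start, $end - $start, 'UTF-8');
}

// Constructed sample: the en dash in "alt" is one character but three bytes in UTF-8.
$html = '<input alt="PayPal – The safer way" name="submit" type="image" />';

// Attributes located after the multibyte character are the ones that get cut wrongly.
foreach (['alt', 'name', 'type'] as $attr) {
    printf(
        "%-4s  mixed offsets: %-24s converted: %s\n",
        $attr,
        var_export(attrValue($html, $attr, false), true),
        var_export(attrValue($html, $attr, true), true)
    );
}
```

Working in bytes throughout (strlen, strpos, substr) avoids the conversion as well, because the ASCII quote delimiters never occur inside a UTF-8 multibyte sequence.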
  • Path filter does not allow dots at the beginning of folders / files names

    Paths with dots at the beginning of a folder or file name don't pass the current path filter regular expressions. For example, /var/www/.secret doesn't pass, even though it is a valid path. This influences the Joomla CMS update system when such a path is used for the global temp dir.

    Steps to reproduce the issue

    Set in Joomla global configuration Temp path with hidden folder (starting with dot), for example /var/www/.tmp. Go to Joomla update component and try to download and install update.

    Expected result

    No error, update is installed.

    Actual result

    Error is displayed, update is not installed.

    System information (as much as possible)

    Joomla CMS with Joomla Filter 1.4.3

    Additional comments

    This is a B/C break in Joomla CMS, as it influences the Joomla update system. The path doesn't pass the filter, so it returns an empty string, which causes the updater to fail to download the update file, with an incorrect error message.

    Tried to solve it in https://github.com/joomla/joomla-cms/pull/33151, which was incorrect, as I was notified of double-dot folders (and also PR to wrong project :))

    opened by n3t 1
  • Custom test to demonstrate everything breaks

    So if you run a string containing a symbol < through the filter class then you find that it gets stripped.

    It's something inside the tag cleaning - but obviously we don't want all < tags to be stripped

    opened by wilsonge 8
Releases(2.0.2)
  • 2.0.2(Aug 15, 2022)

  • 1.4.4(Mar 29, 2022)

    Security Release

    [20220308] Low Severity - Moderate Impact - CVE-2022-23800 - Inadequate content filtering within the filter code (affecting joomla/filter 1.0.0 through 1.4.3 and 2.0.0)

    What's Changed

    • Declare compatibility with PHP 8.0 by @dennisameling in https://github.com/joomla-framework/filter/pull/46
    • Fix/clean path by @nibra in https://github.com/joomla-framework/filter/pull/45

    New Contributors

    • @dennisameling made their first contribution in https://github.com/joomla-framework/filter/pull/46

    Full Changelog: https://github.com/joomla-framework/filter/compare/1.4.3...1.4.4

  • 2.0.1(Mar 29, 2022)

    Security Release

    [20220308] Low Severity - Moderate Impact - CVE-2022-23800 - Inadequate content filtering within the filter code (affecting joomla/filter 1.0.0 through 1.4.3 and 2.0.0)

    What's Changed

    • make sure we get rid of the additional < when it's nested by @zero-24 in https://github.com/joomla-framework/filter/pull/53

    Full Changelog: https://github.com/joomla-framework/filter/compare/2.0.0...2.0.1

Owner
Joomla! Framework
A PHP application framework