SAFEHTML filter is missing in InputFilter #7304
Comments
Reset priority according to docs. This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/7304.
The I'm not sure exactly what you want. If you need the tags, then RAW is the option you need. But then you need to take care of security yourself.
If HTML does the job of SAFEHTML, I wouldn't have escalated this issue. But the HTML filter does the same as the STRING filter and therefore it strips all the HTML code from the input. Test the following code and you will know the result.
$string = " sample description ";
$filter = JFilterInput::getInstance();
echo $filter->clean($string, 'html');
echo $filter->clean($string, 'string');
echo $filter->clean($string, 'raw');
If you see the actual filter in /libraries/vendor/joomla/filter/src/InputFilter.php for string and HTML, both are similar.
case 'STRING':
case 'HTML':
I would like to confirm that both filters are the same and HTML strips the HTML tags.
@akfaisel use:
$desc = JComponentHelper::filterText($app->input->get('description', '', 'raw'));
Joomla use
Yes, that was in my first post. SAFEHTML is available in form.php but missing in InputFilter.php. Joomla is using JForm for rendering its pages, but we, as custom component developers (from JoomBri), cannot use JForm and we resort to using basic HTML fields and validating/filtering the input from our users. Therefore, I cannot use the filter method from form.php but use inputfilter.php to sanitise the inputs. Yes, later I discovered this code to sanitise the HTML input.
$rawDesc = $app->input->get('description', '', 'RAW');
I would be glad if a SAFEHTML filter can be added to InputFilter.php, or at least a change made to the existing HTML filter to allow HTML tags. At the moment, the HTML filter is buggy in that it copies the job of the STRING filter. Thank you very much for your time.
It will be nice to filter in just one line instead of using 'raw' and again filtering it. Thanks anyway 😄
Closing this because there are enough different ways to achieve the filtering as requested.
Steps to reproduce the issue
I am displaying an editor to get input from my users. In my controller, I'm using
$app = JFactory::getApplication();
$desc = $app->input->get('description', '', 'RAW');
In the above code, I'm using 'RAW' in order not to strip the html code in the editor. I cannot use 'HTML' because it strips away all the html code.
Expected result
Sample description
Actual result
Sample description
System information (as much as possible)
I would like to use "SAFEHTML" filter which is available in /libraries/joomla/form/form.php but it is missing in libraries/vendor/joomla/filter/src/InputFilter.php
Additional comments
Please add 'SAFEHTML' filter to input filter. I'm using RAW but it looks like this is dangerous. I just want to allow basic HTML tags only.
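As an added illustration (not part of this issue thread and not Joomla's code), the "basic HTML tags only" behaviour requested above amounts to an allowlist filter applied to the RAW value: keep a fixed set of tags, drop every attribute except a link target with a safe scheme, and remove active content together with its body. The example uses plain PHP with the DOM extension; the names `safeHtml`, `cleanNode`, `ALLOWED_TAGS` and `DROP_WITH_CONTENT`, the tag lists and the sample input are assumptions made for this example.

```php
<?php
// Added illustration, not Joomla code; all names and the sample input are constructed.
const ALLOWED_TAGS = ['p', 'br', 'b', 'i', 'strong', 'em', 'ul', 'ol', 'li', 'a'];
const DROP_WITH_CONTENT = ['script', 'style', 'iframe', 'object', 'embed'];

function cleanNode(DOMNode $node): void
{
    // Snapshot the children: the live list changes while nodes are removed.
    foreach (iterator_to_array($node->childNodes) as $child) {
        if ($child instanceof DOMText) {
            continue; // text is kept and escaped again on output
        }
        $tag = strtolower($child->nodeName);
        if (!$child instanceof DOMElement || in_array($tag, DROP_WITH_CONTENT, true)) {
            $node->removeChild($child); // comments, PIs, script/style including content
            continue;
        }
        cleanNode($child);
        if (!in_array($tag, ALLOWED_TAGS, true)) { // unknown tag: keep cleaned children only
            while ($child->firstChild) {
                $node->insertBefore($child->firstChild, $child);
            }
            $node->removeChild($child);
            continue;
        }
        foreach (iterator_to_array($child->attributes, false) as $attr) {
            $ok = $tag === 'a' && $attr->nodeName === 'href' && preg_match('#^(https?://|mailto:)#i', trim($attr->value));
            if (!$ok) {
                $child->removeAttributeNode($attr); // on* handlers, style, javascript: URLs
            }
        }
    }
}

function safeHtml(string $html): string
{
    $doc = new DOMDocument();
    // The XML prolog makes libxml read the fragment as UTF-8; @ hides parser warnings.
    @$doc->loadHTML('<?xml encoding="UTF-8"><body>' . $html . '</body>', LIBXML_NONET);
    $body = $doc->getElementsByTagName('body')->item(0);
    cleanNode($body);
    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}
$raw = '<p onclick="x()">Sample <b>description</b> <a href="javascript:x()">link</a></p><script>x()</script>';
echo safeHtml($raw), "\n";
```

Because the decision is made on the parsed tree and everything not listed is dropped, malformed or unknown markup loses its tags rather than passing through as it would with RAW.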