
SAFEHTML filter is missing in InputFilter #7304

Closed
akfaisel opened this issue Jul 1, 2015 · 7 comments

Comments

@akfaisel
Contributor

akfaisel commented Jul 1, 2015

Steps to reproduce the issue

I am displaying an editor to get input from my users. In my controller, I'm using

$app = JFactory::getApplication();
$desc = $app->input->get('description', '', 'RAW');

In the above code, I'm using 'RAW' in order not to strip the html code in the editor. I cannot use 'HTML' because it strips away all the html code.

Expected result

Sample description

Actual result

Sample description

System information (as much as possible)

I would like to use "SAFEHTML" filter which is available in /libraries/joomla/form/form.php but it is missing in libraries/vendor/joomla/filter/src/InputFilter.php

Additional comments

Please add 'SAFEHTML' filter to input filter. I'm using RAW but it looks like this is dangerous. I just want to allow basic HTML tags only.

@brianteeman
Contributor

Reset priority according to docs


This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/7304.

@Bakual
Contributor

Bakual commented Jul 1, 2015

The SAFEHTML filter in JForm uses JFilterInput->clean($value, 'html'), which does exactly the same as JInputFilter->clean($value, 'html'). It removes blacklisted HTML tags from the input.

I'm not sure exactly what you want. If you need the tags, then RAW is the option you need. But then you need to take care of security yourself.

@akfaisel
Contributor Author

akfaisel commented Jul 1, 2015

If HTML did the job of SAFEHTML, I wouldn't have escalated this issue. But the HTML filter does the same as the STRING filter and therefore strips all the HTML code from the input.

Test the following code and you will know the result.

$string = "

sample description

";
$filter = JFilterInput::getInstance();
echo $filter->clean($string, 'html');
echo $filter->clean($string, 'string');
echo $filter->clean($string, 'raw');

If you see the actual filter in /libraries/vendor/joomla/filter/src/InputFilter.php for string and HTML, both are similar.

case 'STRING':
$result = (string) $this->remove($this->decode((string) $source));
break;

case 'HTML':
$result = (string) $this->remove((string) $source);
break;

I would like to confirm that both filters are the same and HTML strips the HTML tags.

@Fedik
Member

Fedik commented Jul 1, 2015

@akfaisel check https://github.com/joomla/joomla-cms/blob/staging/libraries/joomla/form/form.php#L1294
there `JFilterInput::getInstance(null, null, 1, 1)->clean($value, 'html');`
well, I missed that in your description, sorry!

use:

$desc = JComponentHelper::filterText($app->input->get('description', '', 'raw'));

Joomla uses JComponentHelper::filterText for the editor input

@akfaisel
Contributor Author

akfaisel commented Jul 1, 2015

Yes, that was in my first post. SAFEHTML is available in form.php but missing in InputFilter.php

Joomla is using JForm for rendering its pages, but we, as custom component developers (from JoomBri), cannot use JForm and resort to using basic HTML fields and validating/filtering the input from our users. Therefore, I cannot use the filter method from form.php but use inputfilter.php to sanitise the inputs.

Yes, later I discovered this code to sanitise the html input.

$rawDesc = $app->input->get('description', '', 'RAW');
$description = JFilterInput::getInstance(null, null, 1, 1)->clean($rawDesc, 'html');

I would be glad if a SAFEHTML filter could be added to InputFilter.php, or at least if the existing HTML filter were changed to allow HTML tags. At the moment, the HTML filter is buggy in that it copies the job of the STRING filter.

Thank you very much for your time.
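The three ways of handling editor input that come up in this thread (the default instance's `html` filter, the blacklist instance `getInstance(null, null, 1, 1)` that Fedik points to, and an explicit tag whitelist for "basic HTML tags only", as the reporter asked for) side by side. This is an added example, not code from the issue or from Joomla itself; it assumes it runs inside a Joomla 3.x request where `JFilterInput` and `JFactory` are already loaded (for example in a component controller), and the helper `filterBasicHtml()` and the sample string are constructed for the demonstration.

```php
<?php
// Added example (not from the issue or from the Joomla code base).
// Assumes a Joomla 3.x environment where JFilterInput / JFactory are loaded.

/**
 * Keep only a small set of formatting tags and attributes; everything else is dropped.
 *
 * JFilterInput::getInstance($tagsArray, $attrArray, $tagsMethod, $attrMethod):
 *   tagsMethod = 0 -> allow ONLY the listed tags (whitelist), 1 -> remove the listed tags (blacklist)
 *   attrMethod = 0 -> allow ONLY the listed attributes,     1 -> remove the listed attributes
 */
function filterBasicHtml($raw)
{
    $allowedTags  = array('p', 'br', 'strong', 'em', 'ul', 'ol', 'li', 'a');
    $allowedAttrs = array('href', 'title');

    $filter = JFilterInput::getInstance($allowedTags, $allowedAttrs, 0, 0);

    return $filter->clean($raw, 'html');
}

// Constructed sample input: harmless formatting plus markup a filter must not let through.
$sample = '<p>Sample <strong>description</strong> with a '
        . '<a href="http://example.com" onclick="alert(1)">link</a></p>'
        . '<script>alert(1)</script>';

// 1. Default instance: empty tag whitelist, so 'html' removes every tag.
//    This is the behaviour the reporter observed ("HTML does the same as STRING").
echo JFilterInput::getInstance()->clean($sample, 'html'), "\n";

// 2. Blacklist instance (what form.php's SAFEHTML does): keeps all tags and attributes
//    except the ones on the filter's built-in blacklist (script, iframe, on* handlers, ...).
//    More permissive than a whitelist, so unknown tags survive.
echo JFilterInput::getInstance(null, null, 1, 1)->clean($sample, 'html'), "\n";

// 3. Explicit whitelist: only p/strong/a with href/title remain; script and onclick are gone.
//    This is the "basic HTML tags only" policy the reporter wanted.
echo filterBasicHtml($sample), "\n";

// In a controller, read the field RAW (so the filter sees the markup) and filter it yourself:
// $app  = JFactory::getApplication();
// $desc = filterBasicHtml($app->input->get('description', '', 'raw'));
```

Reading the field as `raw` and immediately passing it through a filter is the pattern both Fedik's `JComponentHelper::filterText()` suggestion and the reporter's own `getInstance(null, null, 1, 1)` line follow; the difference is only which policy is applied. `filterText()` uses the Text Filters configured per user group in Global Configuration, so it is the right choice when the site administrator should control the policy; a fixed whitelist as above is the right choice when the component must guarantee a minimal tag set regardless of site settings.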

@akfaisel
Contributor Author

akfaisel commented Jul 2, 2015

It will be nice to filter in just one line instead of using 'raw' and again filtering it.

Thanks anyway 😄


@rdeutz
Contributor

rdeutz commented Aug 17, 2016

closing this because there are enough different ways to achieve the filtering as requested

rdeutz closed this as completed Aug 17, 2016