class Sanitize

This class includes various sanitization methods that can be called statically.

Methods

static boolean
checkLink(string $url, boolean $http = false, boolean $other = false)

Checks whether the given link is valid

static string
replaceBBLink(array $found)

Callback function for replacing [a@link@target] links in bb code.

static string
replaceDocLink(array $found)

Callback function for replacing [doc@anchor] links in bb code.

static string
sanitizeMessage(string $message, boolean $escape = false, boolean $safe = false)

Sanitizes $message, taking into account our special codes for formatting.

static string
sanitizeFilename(string $filename, boolean $replaceDots = false)

Sanitize a filename by removing anything besides legit characters

static string
jsFormat(string $a_string = '', boolean $add_backquotes = true)

Format a string so it can be used as a string inside JavaScript code in an event handler attribute (onclick, onchange, on...).

static string
escapeJsString(string $string)

Escapes a string to be inserted as a string literal in a JavaScript block enclosed by <![CDATA[ ... ]]>.

static string
formatJsVal(string $value)

Formats a value for JavaScript code.

static string
getJsValue(string $key, mixed $value, bool $escape = true)

Formats a JavaScript assignment with proper escaping of the value, with support for assigning an array of strings.

static void
printJsValue(string $key, mixed $value)

Prints a JavaScript assignment with proper escaping of the value, with support for assigning an array of strings.

static string
getJsValueForFormValidation(string $key, string $value, boolean $addOn, boolean $comma)

Formats a JavaScript assignment for the form validation API with proper escaping of the value.

static void
printJsValueForFormValidation(string $key, string $value, boolean $addOn = false, boolean $comma = true)

Prints a JavaScript assignment for the form validation API with proper escaping of the value.

static void
removeRequestVars(string[] $whitelist)

Removes all variables from the request except the whitelisted ones.

Details

static boolean checkLink(string $url, boolean $http = false, boolean $other = false)

Checks whether the given link is valid

Parameters

string $url URL to check
boolean $http Whether to allow http links
boolean $other Whether to allow ftp and mailto links

Return Value

boolean True if string can be used as link

static string replaceBBLink(array $found)

Callback function for replacing [a@link@target] links in bb code.

Parameters

array $found Array of preg matches

Return Value

string Replaced string

static string replaceDocLink(array $found)

Callback function for replacing [doc@anchor] links in bb code.

Parameters

array $found Array of preg matches

Return Value

string Replaced string

at line 149
static string sanitizeMessage(string $message, boolean $escape = false, boolean $safe = false)

Sanitizes $message, taking into account our special codes for formatting.

If you want to include the result in an element attribute (for example a title), escape it by passing $escape = true; the unescaped result is intended for element content, where the generated formatting tags are meant to be rendered.

Parameters

string $message the message
boolean $escape whether to escape html in result
boolean $safe whether string is safe (can keep < and > chars)

Return Value

string the sanitized message
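The following is an added example for this page, not phpMyAdmin's own code: an illustrative re-implementation of the pattern described for checkLink, replaceBBLink and sanitizeMessage above (escape raw HTML first, re-enable only a fixed set of codes, and emit a link only when its target passes a scheme allowlist). The accepted URL prefixes, the set of bb codes and the function names are assumptions chosen for the demonstration.

```php
<?php
// Added example for this page: an illustrative re-implementation of the
// pattern behind Sanitize::checkLink, replaceBBLink and sanitizeMessage.
// It is NOT phpMyAdmin's own code; the accepted URL prefixes and the set
// of bb codes below are assumptions chosen for the demonstration.

function example_check_link(string $url, bool $http = false, bool $other = false): bool
{
    // Allowlist of scheme prefixes. Anything not listed (javascript:,
    // data:, vbscript:, a scheme hidden behind leading whitespace, ...)
    // fails simply because it does not start with an allowed prefix.
    $allowed = ['https://'];
    if ($http) {
        $allowed[] = 'http://';
    }
    if ($other) {
        $allowed[] = 'ftp://';
        $allowed[] = 'mailto:';
    }
    $url = strtolower($url);
    foreach ($allowed as $prefix) {
        if (substr($url, 0, strlen($prefix)) === $prefix) {
            return true;
        }
    }
    return false;
}

// Callback for [a@link@target]text[/a]; $found is the preg match array.
function example_replace_bb_link(array $found): string
{
    $url = $found[1];
    $target = $found[2];
    $text = $found[3];
    if (! example_check_link($url, true, true)) {
        // Unsafe scheme: keep the visible text, drop the link entirely.
        return $text;
    }
    $attrs = ' href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '"';
    if ($target === '_blank') {
        $attrs .= ' target="_blank" rel="noopener noreferrer"';
    }
    return '<a' . $attrs . '>' . $text . '</a>';
}

function example_sanitize_message(string $message, bool $escape = false, bool $safe = false): string
{
    // 1. Unless the caller vouches for the string, neutralise raw tags
    //    before any markup is re-introduced.
    if (! $safe) {
        $message = strtr($message, ['<' => '&lt;', '>' => '&gt;']);
    }
    // 2. Re-enable a fixed set of formatting codes (assumed set).
    $message = strtr($message, [
        '[em]' => '<em>', '[/em]' => '</em>',
        '[strong]' => '<strong>', '[/strong]' => '</strong>',
        '[code]' => '<code>', '[/code]' => '</code>',
        '[br]' => '<br>',
    ]);
    // 3. Links are only emitted when the target passes the scheme check.
    $message = preg_replace_callback(
        '/\[a@([^"@\]]*)@([^"\]]*)\](.*?)\[\/a\]/s',
        'example_replace_bb_link',
        $message
    );
    // 4. For attribute context, escape the whole result (tags included).
    if ($escape) {
        $message = htmlspecialchars($message, ENT_QUOTES, 'UTF-8', false);
    }
    return $message;
}

// Constructed input mixing a benign link, a javascript: link and raw HTML.
$untrusted = 'See [a@https://example.com/@_blank]the docs[/a], not '
    . '[a@javascript:alert(1)@_blank]this[/a] <script>steal()</script> [strong]!![/strong]';

// Element content: markup from the codes survives, raw HTML does not.
echo '<p>' . example_sanitize_message($untrusted) . "</p>\n";
// Attribute value: $escape = true so quotes and tags cannot end the attribute.
echo '<span title="' . example_sanitize_message($untrusted, true) . '">bar</span>' . "\n";
```

The order of the steps is the point: raw `<` and `>` are neutralised before any code is expanded, so user text can never reach the output as a tag, and the link callback never emits an `href` it has not checked against the allowlist. Passing $safe = true skips step 1 and must only be done for strings the application itself produced.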

at line 219
static string sanitizeFilename(string $filename, boolean $replaceDots = false)

Sanitize a filename by removing anything besides legit characters

Intended use cases: when the filename is placed in a Content-Disposition header, the value must not contain ; or " (either would end the quoted parameter and let the rest of the name be parsed as further header parameters); and when exporting, to avoid generating a file with an unexpected double extension (pass $replaceDots = true).

Parameters

string $filename The filename
boolean $replaceDots Whether to also replace dots

Return Value

string the sanitized filename
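An added example illustrating the Content-Disposition use case described above. It is not phpMyAdmin's implementation; the permitted character set, the replacement character and the helper names are assumptions.

```php
<?php
// Added example for this page: an illustrative filename sanitizer for the
// Content-Disposition use case. Not phpMyAdmin's own code; the permitted
// character set ([A-Za-z0-9_.-]) is an assumption.

function example_sanitize_filename(string $filename, bool $replaceDots = false): string
{
    // Keep only ASCII letters, digits, '-', '_' and '.'; everything else
    // (';', '"', '/', '\\', NUL, spaces, non-ASCII, ...) becomes '_'.
    $filename = preg_replace('/[^A-Za-z0-9_.-]/', '_', $filename);
    if ($replaceDots) {
        // Collapse dots so "dump.php.sql" cannot end up with two extensions.
        $filename = str_replace('.', '_', $filename);
    }
    return $filename;
}

// The caller decides the extension; the user-supplied stem loses its dots.
function example_attachment_header(string $userSupplied, string $extension): string
{
    $stem = example_sanitize_filename($userSupplied, true);
    if ($stem === '') {
        $stem = 'export';
    }
    return 'Content-Disposition: attachment; filename="' . $stem . '.' . $extension . '"';
}

// Constructed samples: header injection, double extension, traversal + NUL.
$samples = [
    'report"; filename="evil.php',
    'backup.php.sql',
    "../../etc/passwd\0.sql",
];
foreach ($samples as $s) {
    echo example_attachment_header($s, 'sql'), "\n";
}
```

Non-ASCII names collapse to underscores under this rule. If they must be preserved, keep the strict `filename="..."` value as a fallback and add an RFC 5987 `filename*=UTF-8''...` parameter with a percent-encoded value, rather than widening the character set that is allowed inside the quoted string.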

at line 245
static string jsFormat(string $a_string = '', boolean $add_backquotes = true)

Format a string so it can be used as a string inside JavaScript code in an event handler attribute (onclick, onchange, on...). This function is used to display a JavaScript confirmation box for "DROP/DELETE/ALTER" queries.

Parameters

string $a_string the string to format
boolean $add_backquotes whether to add backquotes to the string or not

Return Value

string the formatted string

at line 270
static string escapeJsString(string $string)

Escapes a string to be inserted as a string literal in a JavaScript block enclosed by <![CDATA[ ... ]]>. In that context only ' (escaped as \') and the end of the script block need to be escaped.

The NUL byte is also removed, because some browsers (namely MSIE) ignore it, so a NUL inserted anywhere inside </script would otherwise bypass the check for the closing tag.

Parameters

string $string the string to be escaped

Return Value

string the escaped string

at line 296
static string formatJsVal(string $value)

Formats a value for JavaScript code.

Parameters

string $value String to be formatted.

Return Value

string formatted value.

at line 324
static string getJsValue(string $key, mixed $value, bool $escape = true)

Formats a JavaScript assignment with proper escaping of the value, with support for assigning an array of strings.

Parameters

string $key Name of value to set
mixed $value Value to set, can be either string or array of strings
bool $escape Whether to escape the value or insert it as-is (for inclusion of JavaScript code; never pass untrusted data with $escape = false, since it is then inserted as code, not as a string)

Return Value

string Javascript code.
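An added example covering the escaping described for escapeJsString (the ' and </script handling, and why the NUL byte is stripped first) and for getJsValue (string or array-of-strings assignment, and the $escape = false hazard). This is illustrative code written for this page, not phpMyAdmin's own implementation; the exact replacement sequences and function names are assumptions.

```php
<?php
// Added example for this page: illustrative versions of the escaping that
// escapeJsString and getJsValue are documented to perform. Not phpMyAdmin's
// own code; the exact replacement sequences are assumptions.

// For a single-quoted string literal inside an inline script block.
function example_escape_js_string(string $string): string
{
    // Strip NUL first. A browser that ignores NUL (historically MSIE)
    // reads "</scr\0ipt" as "</script", so the NUL must go before the
    // closing-tag replacement or that replacement can be bypassed.
    $string = str_replace("\0", '', $string);
    $string = strtr($string, [
        '\\'  => '\\\\',   // backslash first, so later escapes are not doubled
        "'"   => "\\'",    // the string delimiter
        "\n"  => '\\n',    // line terminators would end the literal
        "\r"  => '\\r',
        ']]>' => ']]\\>',  // would close the <![CDATA[ section in XHTML
    ]);
    // The HTML parser ends the script element at "</script" no matter what
    // JavaScript context it is in; "<\/script" is identical text to JS but
    // is not a closing tag to the HTML parser.
    return str_ireplace('</script', '<\/script', $string);
}

// For an assignment "key = <literal>;" where $value is a string or an
// array of strings (json_encode emits a valid JavaScript literal for both).
function example_get_js_value(string $key, $value, bool $escape = true): string
{
    if (! $escape) {
        // $value is inserted as JavaScript source. Only server-controlled
        // code belongs here; request data would be script injection.
        return $key . ' = ' . $value . ";\n";
    }
    // JSON_HEX_* turn < > & ' " into \uXXXX escapes, so "</script" can
    // never appear literally. U+2028/U+2029 are escaped by default.
    // JSON_THROW_ON_ERROR (PHP >= 7.3) avoids silently emitting "false".
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
        | JSON_UNESCAPED_SLASHES | JSON_THROW_ON_ERROR;
    return $key . ' = ' . json_encode($value, $flags) . ";\n";
}

// Constructed payloads that each try to leave the string context.
$payloads = [
    "it's </script><script>alert(1)</script>",
    "</scr\0ipt><script>alert(2)</script>",
    "two\nlines ]]>",
];
foreach ($payloads as $p) {
    echo "var msg = '" . example_escape_js_string($p) . "';\n";
}
echo example_get_js_value('items', ['ok', '</script><script>alert(3)</script>']);
echo example_get_js_value('onDone', 'function () { return true; }', false);
```

Try the second payload with the NUL removal commented out: str_ireplace no longer matches `</scr\0ipt`, so the closing tag survives for any parser that drops NUL bytes. The last call shows the $escape = false path doing exactly what the documentation says, inserting the value as code, which is why that flag must never be combined with request data.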

at line 350
static void printJsValue(string $key, mixed $value)

Prints a JavaScript assignment with proper escaping of the value, with support for assigning an array of strings.

Parameters

string $key Name of value to set
mixed $value Value to set, can be either string or array of strings

Return Value

void

at line 366
static string getJsValueForFormValidation(string $key, string $value, boolean $addOn, boolean $comma)

Formats a JavaScript assignment for the form validation API with proper escaping of the value.

Parameters

string $key Name of value to set
string $value Value to set
boolean $addOn Whether wrapping in $.validator.format is required
boolean $comma Whether a comma is required

Return Value

string Javascript code.

at line 393
static void printJsValueForFormValidation(string $key, string $value, boolean $addOn = false, boolean $comma = true)

Prints a JavaScript assignment for the form validation API with proper escaping of the value.

Parameters

string $key Name of value to set
string $value Value to set
boolean $addOn Whether wrapping in $.validator.format is required
boolean $comma Whether a comma is required

Return Value

void

at line 406
static void removeRequestVars(string[] $whitelist)

Removes all variables from the request except the whitelisted ones.

Parameters

string[] $whitelist list of variables to allow

Return Value

void