PHP Classes

PHP Input Filter: Filter out unwanted PHP / Javascript / HTML tags.

Recommend this page to a friend!

  Author Author  
Name: Daniel Morris <contact>
Classes: 1 package by
Country: United Kingdom United Kingdom
Age: 33
All time rank: 796 in United Kingdom United Kingdom
Week rank: 344 Down10 in United Kingdom United Kingdom Down
Innovation award
Innovation award
Nominee: 1x

  Detailed description   Download Download .zip .tar.gz   Install with Composer Install with Composer  
This class can filter input of stray or malicious PHP, Javascript or HTML tags and to prevent cross-site scripting (XSS) attacks. It should be used to filter input supplied by the user, such as an HTML code entered in form fields.

I have tried to make this class as easy as possible to use. You have control over the filter process unlike other alternatives, and can input a string or an entire array to be cleaned (such as $_POST).

** SQL Injection feature has been added.


In Brief
Any website that has html forms should really use some sort of `cleaning` process
to filter out malicious code, or simply unwanted html tags for style reasons.

This class can filter input of stray or malicious PHP, Javascript or HTML tags.
It can be used to prevent cross-site scripting (XSS) attacks.
It should be used to filter input supplied by the user, such as an HTML code 
entered in form fields. You would create the filter object, configure it with your 
own settings, then call its process method to clean the form input values.

Initially this class was developed to allow developers such as myself to strip certain tags from user input, 
for stylistic reasons. I'm not a big fan of BBTags such as [url]. The scope of this tool was expanded however 
to allow automated and extensive filtering of input with anti-XSS capabilities.

XSS related reading
Unfortunately, php's inbuilt strip_tags($) doesn't filter out unwanted attributes. 
This can allow XSS (Cross Site Scripting) attacks to launch malicious javascript or code.

Introduction to XSS:

XSS Cheat Sheet (Required reference reading!):

This class's XSS blacklist page:

Using the inputFilter class is simple, and described below;

0) Include Class-File
Goes somewhat without saying to move the version of the classfile 
you would like to use into your website's classfiles directory and include it.

1) User-Defined Arrays
Setup either just a tags array, or additionally an attributes array.

Eg.. $tags = array("em", "strong");

2) New Object
(If you do not enter any parameters, problem-tag stripping will still take place)

Instantiate the class with your settings.
1st (tags array):    Optional (since 1.2.0)
2nd (attr array):    Optional
3rd (tags method):   0 = remove ALL BUT these tags (default)
                     1 = remove ONLY these tags
4th (attr method):   0 = remove ALL BUT these attributes (default)
                     1 = remove ONLY these attributes
5th (xss autostrip): 1 = remove all identified problem tags (default)
                     0 = turn this feature off

Eg.. $myFilter = new InputFilter($tags, $attributes, 0, 0);

3) Process inputs
Process as many input variables as you like. 
The example.php file shows you working examples.
You can pass a string variable or an array-of-strings.

Another real-world example could be to `clean` a submitted HTML form
reading for processing. You would simply setup the filter and call...

$_POST = $myFilter->process($_POST);
$_GET["name"] = $myFilter->process($_GET["name"]);


(If you don't implement a secure cookie method, running the filter could prove wise!)

SQL Injection (Experimental)
This feature is new, for more info, go here:

Methods of use...
- $connection is valid MySQL-Resource variable.
- $source is some string containing SQL injection attack(s).

0) Similar to standard usage
$myFilter = new InputFilter();
$source = $myFilter->safeSQL($source, $connection);

1) Alongside standard usage
$myFilter = new InputFilter();
$source = $myFilter->safeSQL($myFilter->process($source), $connection);

2) As class method
$source = InputFilter::safeSQL($source, $connection);

3) Perform on array-of-strings
$_POST = InputFilter::safeSQL($_POST, $connection);

Advanced Features In Brief

1) XHTML ----------------------

single tags:                    - Before:  <br> 
                                - After:   <br />
single attributes:              - Before:  <tag attr>
                                - After:   <tag attr="attr">
2) XSS ------------------------

customisation:                  - You have control over which tags and attributes to allow.

Automation:                     - Auto-strip tags whose tagnames contain non-alpha characters (<?php for instance)
                                - Auto-strip attributes containing javascript.
                                - Auto-strip blacklisted tags and attributes, as well as ALL action listener attributes.
				( Available at )

Blacklist:                      - Choose to strip blacklisted problem tags and attributes.

Anti-sneak:                     - Embedded newlines and other whitespace or encoded characters do not fool the parser

Nested-tag protection:          - Before:  test <stron<strong>g>message</stron</strong>g>
                                - After:   test message

It has come to my attention that there is indeed a PEAR package to format bad html and XSS.

I do feel they take a different approach to me, and do not offer customisible tag-stripping.
They do however offer more substantial XHTML reconstructing, and a stable alternative to this tool.
I have included the link so you can judge for yourself. :-)

Request For Comments
I'd love to know if you're using the InputFilter class, and what you think of it.
Please feel free to email me:

Patch Contributors
Gianpaolo Racca, Ghislain Picard, Marco Wandschneider, Chris Tobin and Andrew Eddie.

Many Thanks to everyone else who has emailed!

(Line numbers reference the commented php4/php5 version of classfile)

1.2.2    - Improved nested tag detection.
	 - Patch accepted: Ghislain Picard. Changed eregi() to preg_match(), 
	   and well as allowing for numeric characters in tags on line 133.
	 - Patch accepted: Marco Wandschneider - Wrote PHP5 version that does not cause any E_STRICT warnings.
	 - Patch accepted: Chris Tobin - SQL Injection attack code (Lines 259-312 added.)
	 - Patch accepted: Andrew Eddie - Added explicit cast to array for user-specified
	   array parameters in constructor (Lines 37-38 changed.)
	 - Requested feature: Lukas Slansky - <tag attr='blah'> converted to <tag attr="blah"> 
	   allowing for incorrect input to conform to XHTML standards. (Lines 213-215 added.)
	 - Bugfix: Fixed a really dumb bug that was causing arrays to not be parsed.
	   (Changed for() loop to a foreach() on line 52.)
	 - Bugfix: Parser was mistaking attribute values "0" for a null value. (Lines 234-235 added.)

1.2.1    - Patch accepted: Gianpaolo Racca - Added trim() to line 195.

1.2.0    - Updated example-factory page - looks nicer, added "inject sample data" feature.
         - Many more XSS blocking features.
         - Rewrote some of the parser code over to be more efficient.
         - Have stopped producing seperate classfiles for php4 and php5. The current classfile will work with either!
           (If anyone would like be to continue making seperate files for each, drop me an email.)

1.1.2    - All tag and attribute names with non-alpha characters in are automatically stripped from now on
           (This applies to all programming tags, html comments and doctype tags too.)
         - User-defined arrays are converted to lowercase at object creation. A somewhat obvious problem I initially missed!
           (Had caused tag and attr matching to fail if Capitals used in arrays)

1.1.1    - Bugfix: to do with spaces in between attr name and value.
         - Bugfix: to do with single attributes.

1.1.0    - Support for array as input.
         - PHP5 version of class available.

1.0.1    - Bugfix: involved ignored tag attribute values with spaces in.

1.0.0    - Release version.

  Classes of Daniel Morris  >  PHP Input Filter  >  Download Download .zip .tar.gz  >  Support forum Support forum (25)  >  Blog Blog  >  RSS 1.0 feed RSS 2.0 feed Latest changes  
Name: PHP Input Filter
Base name: inputfilter
Description: Filter out unwanted PHP / Javascript / HTML tags.
Version: 1.0.0
PHP version: -
License: GNU General Public License (GPL)
All time users: 20389 users
All time rank: 30
Week users: 2 users
Week rank: 381 Down
  Groups   Screenshots Screenshots   Rate classes User ratings  
  Trackback   Applications   Related pages   Files Files  

Group folder image Text processing Manipulating and validating text data View top rated classes
Group folder image Security Security protection and attack detection View top rated classes

  Files folder image Screenshots  
File Role Description
Accessible without login Image file testsuite.png Screen Shows testsuite script in action.


Input Filter
strip unwanted tags , words in post method

  Innovation Award  
PHP Programming Innovation award nominee
March 2005
Number 4

Prize: One subscription to the PDF edition of the magazine by PHP Architect
One of the most common security problems of Web sites is the vulnerability to cross-site scripting (XSS) attacks.

It allows to steal values of cookies that can be sent to different sites from those that originated the cookie values. This may allow an attacker to access a site impersonating an authenticated user by taking advantage of a stollen session cookie.

This kind of vulnerability exists on sites that display information provided by the users without properly escaping it before presenting in HTML pages. If the user supplied information to be displayed is unformatted text, it can be easily escaped by using the PHP function HTMLEntities().

However, if an user can submit HTML code to a site that displays it without previous validation and eventual cleaning of malicious Javascript or PHP code, the site is vulnerable to eventual cross-site scripting attacks.

This class provides a solution to perform the necessary cleaning of HTML code from dangerous cross-site scripting attack code.

Manuel Lemos

  User ratings  
RatingsUtility Consistency Documentation Examples Tests Videos Overall Rank
All time: Good (90%) Good (83%) Good (83%) Good (87%) - - Sufficient (70%) 309
Month: Not yet rated by the users

  Pages that reference this package  
Classe php per filtrare gli input degli
Classe php per filtrare gli input degli utenti...
Cleaning up your inputs
Cleaning up your inputs from $_POST, $GET and $_REQUEST is an important task if you re looking at security of your PHP applications. You can prevent most kinds on Cross Site Scripting (XSS) attacks if you know how to clean up the user inputs. Her...
Cleaning up Your Inputs in PHP
Cleaning up your inputs from $_POST, $GET and $_REQUEST is an important task if you’re looking at security of your PHP applications...
Cleaning Up Your Inputs In PHP
Cleaning up your inputs from $_POST, $GET and $_REQUEST is an important task if you’re looking at security of your PHP applications...
Filtering Out Unwanted XHTML/HTML Tags
For a project I am working on right now, I wanted to allow users to add a little bit of HTML in a description field, but not too much. I only wanted to allow a few tags and a few attributes. I, never one to reinvent the wheel, headed to Google (a programmer’s best friend) on a code hunt. I tried several php filter functions and classes and I was left wanting. I was just about to give up and write something myself when I stumbled across the PHP Input Filter class on PHP (you have to be a member to download code, but membership is free)...
Filtering output with a white list
Filtra tus input con "inputfilter"
Esta clase puede filtrar la entrada de las etiquetas perdidas o malévolas de PHP, del Javascript o del HTML y prevenir ataques scripting del XSS (XSS)...
Funktion/Klasse wie htmlentities(), aber gewisse Tags erlauben
Ich benutzte die folgende Klasse dafür:...
How to Avoid Cross Site Scripting Attack In PHP?
...the problem is that, many people are using it and most of the time don’t consider vulnerabilities or attacks going to their sites...
InputFilter, Protege tus variables en PHP de XSS
Uno de los problemas más comunes del internet es la vulnerabilidad cross-site scripting XSS, este tipo de vulverabilidad está en que normalmente no se validan correctamente los datos de entrada que son usados en cierta aplicación...
Libraries to avoid problems in PHP (Spanish)
We talked to two major errors in web applications and tips to avoid the API was preparing the people of OWASP , ESAPI order to simplify the security issues for Java developers...
PHP Input Cleaning Class
If you need a nice class that will clean pretty much anything for your PHP app, grab this class...
PHP Security (French)
The current level is charged hack, it's time to leave a small item with different methods of securing PHP applications. I will briefly introduce you to different libraries or classes oriented PHP security...
Prevent XSS attacks in PHP (Spanish)
An XSS (Cross Site Scripting) attack is one on which the attacker entered JavaScript in HTML in forms and if these are not filtered properly you will display this code in your site by altering the original content...
Sanitizing PHP input values
Server Side Validation - Importance
Time and again, there are countless number of articles written on not to trust user input and do a server side validation of all input... ve XSS açigi
Bugün Türkiye'nin popüler alisveris sitesi'da ürünlere gözatarken, XSS'i (Cross-Site Scripting) test amaciyla arama kutusuna JavaScript kodu yazdim ve çal&#305;sti
The text editor (ckeditor, TinyMCE, FCKeditor safety data from ....)
I'm using this...

Latest pages that reference packages Latest pages that reference packages

  Applications that use this package  
Team of dutch IT specialists.
PHP simple news ticker
Mambo Server
A very popular open source CMS

Add link image If you know an application of this package, send a message to the author to add a link here.

  Related pages  
Project Homepage
Project Details and Interactive demonstration
Tag and Attribute Blacklist.
Lists what tags etc are blocked if "xssauto" feature is on.
XSS Cheat Sheet
Interesting page for reference purposes.

  Files folder image Files  
File Role Description
Accessible without login Plain text file class.inputfilter.php Class PHP4/PHP5 with comments
Plain text file class.inputfilter.php5 Class PHP5-Strict with comments
Accessible without login Plain text file class.inputfilter_clean.php Class PHP4/PHP5 without comments
Plain text file class.inputfilter_clean.php5 Class PHP5-Strict without comments
Accessible without login Plain text file index.php Example Play around with your own examples on the fly.
Accessible without login Plain text file readme.txt Doc. Blurb / Instructions / Features

Install with Composer Install with Composer - Download Download all files: inputfilter.tar.gz
NOTICE: if you are using a download manager program like 'GetRight', please Login before trying to download this archive.