1
votes

I'm trying to save HTML text to database safely in Joomla 2.5, so I'm using JInput to get the form data.

According to developer.joomla.org, there is HTML filter:

HTML - Returns a string with HTML entities and tags intact, subject to the white or black lists in the filter.

According to docs.joomla.org, there are these filters which should (logically; they are not explained there) pass HTML tags:

RAW, HTML, SAFE_HTML

In the code of JFilterInput::clean, which JInput uses for filtering, there is no SAFE_HTML filter. I don't know what it is doing in one documentation and why the RAW filter is missing in the other. Apart from that, all these filters strip HTML tags anyway.

With just $_POST:

$_POST['shortDescription'];

returns

<b>Hello <i>world</i></b>

When I use JInput:

$input->get('shortDescription', '', 'RAW');
$input->get('shortDescription', '', 'HTML');
$input->get('shortDescription', '', 'SAFE_HTML');

all return just

Hello world

without HTML tags. What is it for then? How to use it when I need to store HTML safely?

4 Answers

2
votes

I bypassed it with this method:

public function getHtmlInput($htmlText)
{
    // Whitelisted tags (getInstance defaults to whitelist mode for both lists).
    $input_options = JFilterInput::getInstance(
        array(
            'img', 'p', 'a', 'u', 'i', 'b', 'strong', 'span', 'div', 'ul', 'li', 'ol',
            'h1', 'h2', 'h3', 'h4', 'h5',
            'table', 'tr', 'td', 'th', 'tbody', 'thead', 'tfoot', 'br'
        ),
        // Whitelisted attributes.
        array(
            'src', 'width', 'height', 'alt', 'style', 'href', 'rel', 'target', 'align',
            'valign', 'border', 'cellpadding', 'cellspacing', 'title', 'id', 'class'
        )
    );

    // A JInput bound to $_POST that runs every value through the filter above.
    $postData = new JInput($_POST, array('filter' => $input_options));

    // $htmlText is the name of the POST field to read.
    return $postData->get($htmlText, '', 'HTML');
}

Usage:

$this->getHtmlInput('documentation');

I hope this is solved in Joomla 3...

1
votes

You should do this:

$jinput = JFactory::getApplication()->input;
$html = JComponentHelper::filterText($jinput->post->get('shortDescription', '', 'raw'));

0
votes

This is an old post, but I figured I would throw my 2 cents in as it might help people finding this post while searching for a solution.

Using an HTML editor, it still strips the HTML when using the HTML filter. To get around it I use ARRAY as the filter instead and then just implode the result.

Easy breezy.

0
votes

(In the context of Joomla 3.x) The default configuration of a JFilterInput instance is to operate in whitelisting mode, with empty arrays of whitelisted tags and attributes, i.e. the most restrictive possible mode of HTML filtering, which effectively gets rid of everything.

This clearly isn't that useful out of the box, but it is opting for security over convenience, and leaving it up to developers to make a conscious decision to relax the security and accept tags and attributes in the received content by using an alternate JFilterInput instance, either:

A) with a specified whitelist of tags (what @Jon ultimately did in his own answer)

$filter = JFilterInput::getInstance(array('img', ...), array('src', ...));

or

B) configured to operate in blacklist mode

$filter = JFilterInput::getInstance(array(), array(), 1, 1);

As an aside, unless you disable the $xssAuto option (see usage below), Joomla will enforce the following blacklists irrespective of which mode the JFilterInput instance is configured with:

Tags: 'applet', 'body', 'bgsound', 'base', 'basefont', 'embed', 'frame', 'frameset', 'head', 'html', 'id', 'iframe', 'ilayer', 'layer', 'link', 'meta', 'name', 'object', 'script', 'style', 'title', 'xml'

Attributes: 'action', 'background', 'codebase', 'dynsrc', 'lowsrc'

For reference, here is the usage information for the JFilterInput::getInstance method:

/**
 * Returns an input filter object, only creating it if it doesn't already exist.
 *
 * @param   array    $tagsArray   List of user-defined tags
 * @param   array    $attrArray   List of user-defined attributes
 * @param   integer  $tagsMethod  WhiteList method = 0, BlackList method = 1
 * @param   integer  $attrMethod  WhiteList method = 0, BlackList method = 1
 * @param   integer  $xssAuto     Only auto clean essentials = 0, Allow clean blacklisted tags/attr = 1
 * @param   integer  $stripUSC    Strip 4-byte unicode characters = 1, no strip = 0, ask the database driver = -1
 *
 * @return  JFilterInput  The JFilterInput object.
 *
 * @since   11.1
 */
public static function &getInstance($tagsArray = array(), $attrArray = array(), $tagsMethod = 0, $attrMethod = 0, $xssAuto = 1, $stripUSC = -1)

Joomla also provides configurable filtering rules on the Text Filters tab of the Global Configuration page in the administration interface. Here, you can configure the mode of operation, as well as the tags and attributes to be filtered on a per user group basis. To take advantage of this in your own code, use the JComponentHelper::filterText() method, per @xavip's answer.
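A standalone model of the whitelist/blacklist mode logic this answer describes, added here as an illustration; it is not Joomla's code and does not reproduce JFilterInput's own parsing. It keeps the $tagsMethod/$attrMethod encoding (0 = whitelist, 1 = blacklist), applies the two $xssAuto blacklists listed above regardless of mode, and strips only the markup of a rejected tag, keeping its text content. The class and function names (`ModeFilter`, `filter_html`) and the inputs other than the question's `<b>Hello <i>world</i></b>` are constructed for this example.

```python
"""Model of whitelist/blacklist tag and attribute filtering (example code, not Joomla's)."""
from html import escape
from html.parser import HTMLParser

# Blacklists this answer says Joomla enforces whenever $xssAuto is enabled.
XSS_TAG_BLACKLIST = frozenset(
    "applet body bgsound base basefont embed frame frameset head html id iframe "
    "ilayer layer link meta name object script style title xml".split()
)
XSS_ATTR_BLACKLIST = frozenset(["action", "background", "codebase", "dynsrc", "lowsrc"])

WHITELIST, BLACKLIST = 0, 1  # same encoding as $tagsMethod / $attrMethod


class ModeFilter(HTMLParser):
    """Rebuilds the markup, dropping tags/attributes the configured mode rejects.

    Text content is always kept, so a rejected <b> leaves its text behind,
    which is how the question's input ends up as plain "Hello world".
    Comments are dropped because no handler emits them.
    """

    def __init__(self, tags=(), attrs=(), tags_method=WHITELIST,
                 attr_method=WHITELIST, xss_auto=1):
        super().__init__(convert_charrefs=False)  # keep entities as written
        self.tags = {t.lower() for t in tags}
        self.attrs = {a.lower() for a in attrs}
        self.tags_method = tags_method
        self.attr_method = attr_method
        self.xss_auto = xss_auto
        self.out = []

    def _tag_allowed(self, tag):
        if self.xss_auto and tag in XSS_TAG_BLACKLIST:
            return False  # enforced in either mode
        if self.tags_method == WHITELIST:
            return tag in self.tags
        return tag not in self.tags

    def _attr_allowed(self, name):
        if self.xss_auto and name in XSS_ATTR_BLACKLIST:
            return False
        if self.attr_method == WHITELIST:
            return name in self.attrs
        return name not in self.attrs

    def _render_start(self, tag, attrs, self_closing):
        parts = [tag]
        for name, value in attrs:
            if not self._attr_allowed(name):
                continue
            parts.append(name if value is None
                         else f'{name}="{escape(value, quote=True)}"')
        return "<" + " ".join(parts) + (" />" if self_closing else ">")

    def handle_starttag(self, tag, attrs):
        if self._tag_allowed(tag):
            self.out.append(self._render_start(tag, attrs, False))

    def handle_startendtag(self, tag, attrs):
        if self._tag_allowed(tag):
            self.out.append(self._render_start(tag, attrs, True))

    def handle_endtag(self, tag):
        if self._tag_allowed(tag):
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")


def filter_html(source, **config):
    """Run `source` through a ModeFilter built from the getInstance-style options."""
    parser = ModeFilter(**config)
    parser.feed(source)
    parser.close()
    return "".join(parser.out)


SAMPLE = "<b>Hello <i>world</i></b>"  # the question's input

if __name__ == "__main__":
    # Default: whitelist mode with empty lists strips every tag -> "Hello world"
    print(filter_html(SAMPLE))
    # Option A: a tag whitelist keeps exactly those tags
    print(filter_html(SAMPLE, tags=["b", "i"]))
    # Option B: blacklist mode with empty lists keeps everything except the
    # $xssAuto blacklist; <script> markup goes, its text stays as inert data
    print(filter_html("<b>x</b><script>alert(1)</script>",
                      tags_method=BLACKLIST, attr_method=BLACKLIST))
```

In the model, option B with empty lists lets any non-blacklisted attribute through on a kept tag, so the attribute whitelist in option A does as much work as the tag whitelist; check both lists before relaxing the default.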