Re: [jbs] JFilterInput::_cleanTags

Re: [jbs] JFilterInput::_cleanTags Mark Dexter 11/2/12 4:55 PM
I believe filter='HTML' means you should filter based on the default setting for the group (set in Global Configuration). By default, I believe this is supposed to be black list.

Can you make a simple test case and post it to the issue tracker? It sounds like a bug if it is not allowing any HTML. 

Thanks. Mark

On Fri, Nov 2, 2012 at 4:44 PM, oasisfleeting <> wrote:
I'm working on a plugin with a param that is set to allow HTML into one of the params.
When I add this tag into the textarea it's always filtered out.
<a class="addthis_button" href=";pubid=ra-5074648507240536"><img src="" width="125" height="16" alt="Bookmark and Share" style="border:0"/></a>

I stepped through JFilterInput::_cleanTags to see where the data was being stripped out and it happens after this line of code

$this->tagsArray is an empty array so all html elements are filtered.
I am logged in as super user and filtering is set to "No Filtering" for all users. 
The jformfield tag has a filter type of "HTML" and looks like this.


Is this a bug or am I missing something?

joomla 2.5.7


Re: [jbs] JFilterInput::_cleanTags oasisfleeting 11/2/12 5:18 PM
I submitted a test case here

The default filtering for super user is no filtering and I've also set all users to No Filtering in my testing.

I accidentally submitted the test case twice and I'm unable to delete the first one. It is missing the vote.xml file required for testing.
Re: [jbs] JFilterInput::_cleanTags oasisfleeting 11/3/12 7:16 AM
In my "Test Instructions" submitted on the tracker, I added the html I was testing with and it actually renders the html output in that area. 
Is that a bug in the tracker's filtering also?
Re: [jbs] JFilterInput::_cleanTags Elin 11/3/12 10:34 AM
It's not a bug, it is the expected behavior on the web for html to be rendered as html. 

Re: [jbs] JFilterInput::_cleanTags Elin 11/3/12 10:48 AM
Sorry posted without being finished.

I think the html filter is not going to be overridden by raw, it is going to just use the html filter plus the black list as Mark mentioned.

Re: [jbs] JFilterInput::_cleanTags oasisfleeting 11/3/12 1:50 PM
No, I successfully performed an xss injection in the text instructions portion of the tracker.
I just edited it again now and the html does not render so either a fix was made between when I submitted the instructions and now or the bug still exists and I just can't duplicate it. 
But thanks anyway.
Re: [jbs] JFilterInput::_cleanTags oasisfleeting 11/3/12 2:31 PM
What does that mean? When using the html filter the $this->tagsArray variable is empty in JFilterInput::_cleanTags.
The default filtering for super users is No Filtering.

I don't know what you are talking about when you say "html filter being overridden by raw".
Re: JFilterInput::_cleanTags oasisfleeting 11/3/12 3:53 PM
I've confirmed this behavior in joomla 3.0 as well.
Re: JFilterInput::_cleanTags oasisfleeting 11/4/12 6:03 AM
HTML is apparently not a valid filter type.
I stepped through the code when saving a plugin. The HTML param in jfilterinput is NOT the filters to be used. The correct filters to use are in JForm::filterField:
RAW (this filter will allow html)
SAFEHTML (this filter will allow html)

Then there is a default case in the switch which will pass on the filter to the JFilterInput::getInstance()->clean($value, $filter); and all html will be filtered by default regardless of passing in $filter='HTML' in this function. 
Re: JFilterInput::_cleanTags oasisfleeting 11/4/12 6:26 AM
I believe I have identified the bug.
In libraries/joomla/form/form.php JForm::filterField

In the default switch case the instance of JFilterInput is being called like so
$return = JFilterInput::getInstance()->clean($value, $filter);
When in fact it should be called like so
$return = JFilterInput::getInstance(null, null, 1, 1)->clean($value, $filter);
By not passing the 1,1 into the function you're setting JFilterInput to filter by whitelist instead of the default blacklist. So if the user has not entered in a whitelist of safe html then everything is filtered.

Here is the param list for the JFilterInput constructor.
* Constructor for inputFilter class. Only first parameter is required.
* @param   array    $tagsArray   List of user-defined tags
* @param   array    $attrArray   List of user-defined attributes
* @param   integer  $tagsMethod  WhiteList method = 0, BlackList method = 1
* @param   integer  $attrMethod  WhiteList method = 0, BlackList method = 1
* @param   integer  $xssAuto     Only auto clean essentials = 0, Allow clean blacklisted tags/attr = 1
* @since   11.1

And here is the signature

public function __construct($tagsArray = array(), $attrArray = array(), $tagsMethod = 0, $attrMethod = 0, $xssAuto = 1)
Re: [jbs] JFilterInput::_cleanTags Elin 11/4/12 5:08 PM
You have specified the html filter in your field. Having a less restrictive filter as the default for the group is not going to override that, that filter in the field is going to override the less restrictive one. 

Re: JFilterInput::_cleanTags Elin 11/4/12 5:25 PM
So the filtering is acting as expected but the question is ... would you want to by default check a black list that most people have not set and is blank by default.  It would certainly be an interesting filter that uses a blank black list :). On the whole Joomla is going to by default be extremely strong in the assumption that all user input is malevolent.  Therefore it is up to the developer to make a conscious decision to increase risk, it is not something that the core is going to be responsible for. Not knowing what your plugin does, I think you might want to require users to add to the white list.
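
The whitelist/blacklist distinction argued over in the two messages above (the `$tagsMethod` 0/1 parameter in the JFilterInput constructor quoted earlier, and Elin's point about a blank black list) can be shown with a small model. This is an added example, not Joomla's own code: a simplified tag filter that keeps only the tag-list semantics of `tagsMethod` and ignores attribute filtering and the `xssAuto` cleaning that the real class also performs; the sample markup is constructed.

```python
import re

# Matches an opening, closing or self-closing tag and captures its name.
# Simplified model: real JFilterInput also parses and filters attributes.
TAG_RE = re.compile(r"<\s*/?\s*([a-zA-Z][a-zA-Z0-9]*)[^>]*>")


def clean_tags(html, tags_array=(), tags_method=0):
    """Model of the $tagsArray / $tagsMethod semantics described in the thread.

    tags_method=0 (whitelist): keep only tags listed in tags_array, strip the rest.
    tags_method=1 (blacklist): strip tags listed in tags_array, keep the rest.
    Text between tags is always kept.
    """
    listed = {t.lower() for t in tags_array}

    def keep_or_drop(match):
        name = match.group(1).lower()
        if tags_method == 0:
            # Whitelist: an empty tags_array means every tag is removed.
            return match.group(0) if name in listed else ""
        # Blacklist: an empty tags_array means every tag passes through.
        return "" if name in listed else match.group(0)

    return TAG_RE.sub(keep_or_drop, html)


# Constructed sample input in the spirit of the share button from the first post.
SAMPLE = '<a href="#">Bookmark <img alt="share"/></a>'
SCRIPT = '<script>x()</script>'


def whitelist_empty():
    # getInstance() with defaults: whitelist mode, empty list -> all tags stripped.
    return clean_tags(SAMPLE, (), 0)


def blacklist_empty():
    # getInstance(null, null, 1, 1) with no list set: blacklist mode fails open.
    return clean_tags(SAMPLE + SCRIPT, (), 1)


def blacklist_basic():
    # Blacklist with a basic entry: listed tag is removed, the rest is kept.
    return clean_tags(SAMPLE + SCRIPT, ("script",), 1)


def whitelist_configured():
    # Whitelist with the tags the plugin actually needs: the markup survives.
    return clean_tags(SAMPLE + SCRIPT, ("a", "img"), 0)
```

Comparing `whitelist_empty()` with `blacklist_empty()` shows the trade-off in the thread: the default fails closed and strips the share button entirely, while the proposed `1, 1` change fails open unless a blacklist is actually populated.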

Re: [jbs] Re: JFilterInput::_cleanTags Admin 11/4/12 7:11 PM
The filtering is working as expected if you consider filter="HTML" to be an invalid value for the filter attribute.

Re: JFilterInput::_cleanTags Elin 11/5/12 12:04 PM
Actually the blacklist is not blank by default, it does include a basic list of tags.