Properties

$xss_disalowed_attibutes

$xss_disalowed_attibutes : array

Remove bad attributes such as style, onclick and xmlns

Type

array

$xss_naughty_html

$xss_naughty_html : string

If a tag containing any of the words in the list below is found, the tag gets converted to entities.

Type

string

$xss_naughty_scripts

$xss_naughty_scripts : \TriTan\Common\type

Similar to $this->xss_naughty_html, but instead of looking for tags it looks for PHP and JavaScript commands that are disallowed. Rather than removing the code, it simply converts the parentheses to entities, rendering the code unexecutable.

Type

\TriTan\Common\type
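The parentheses-to-entities approach described for $xss_naughty_scripts, as an added example that is not TriTan's own code. The function-name list and the sample input are constructed for the example; the page does not give TriTan's actual list.

```php
<?php
// Added example, not TriTan's own code: neutralise disallowed PHP/JavaScript
// calls by converting their parentheses to entities. The call text is kept
// (so the reader still sees it) but it no longer parses as a function call.

// Constructed list of function names; TriTan's real list is not on this page.
const NAUGHTY_SCRIPTS = [
    'alert', 'prompt', 'confirm', 'eval', 'exec',
    'system', 'passthru', 'fopen', 'file_get_contents', 'unlink',
];

function neutraliseNaughtyScripts(string $string): string
{
    $names = implode('|', array_map('preg_quote', NAUGHTY_SCRIPTS));

    // \b stops "myalert(" from matching; (\s*) keeps any whitespace between
    // the name and "("; (.*?) is the argument list up to the first ")".
    $pattern = '#\b(' . $names . ')(\s*)\((.*?)\)#is';

    return preg_replace($pattern, '$1$2&#40;$3&#41;', $string);
}

// Constructed sample input
$samples = [
    '<a href="#" onclick="alert(1)">click</a>',
    'echo system ($cmd);',
    'The alert() helper is documented here.',
    'No calls in this sentence at all.',
];

foreach ($samples as $sample) {
    echo $sample, PHP_EOL, '  -> ', neutraliseNaughtyScripts($sample), PHP_EOL;
}
```

Note that the third sample shows the cost of this technique: it rewrites every mention of `alert()` in ordinary prose as well, which is acceptable for a purifier that runs on output but is why the page says it should never be applied to stored input.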

$mbencoding

$mbencoding : string

Your mb_string encoding; the default is 'utf-8'. Do not change it unless you are sure.

Type

string

$never_allowed_str

$never_allowed_str : 

Type

$never_allowed_regex

$never_allowed_regex : array

List of never-allowed regex replacements.

Type

array

Methods

__construct()

__construct() 

purify()

purify(string $string, boolean $is_image = false) : string

Escaping for rich text.

This method should only be used on output. With the exception of uploading images, never use this method on input. All inputted data should be accepted and then purified on output for optimal results. For output of images, make sure to escape with esc_url().

Parameters

string $string
boolean $is_image

Returns

string: Escaped rich text.

entityDecode()

entityDecode($string, $charset = 'UTF-8') : string

HTML Entities Decode

This function is a replacement for html_entity_decode().

The reason we are not using html_entity_decode() by itself is that, while it is not technically correct to leave out the semicolon at the end of an entity, most browsers will still interpret the entity correctly. html_entity_decode() does not convert entities without semicolons, so we are left with our own little solution here. Bummer.

Parameters

$string
$charset

Returns

string
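A lenient decoder of the kind entityDecode() describes, as an added example rather than TriTan's implementation. It adds the missing semicolon before handing the string to html_entity_decode(), and repeats the decode a bounded number of times so double-encoded input is fully canonicalised. The legacy-entity list and the sample strings are constructed for the example.

```php
<?php
// Added example, not the TriTan implementation: decode HTML entities the
// way a browser would, including entities whose trailing ";" is missing,
// which html_entity_decode() leaves untouched.

// Named entities that browsers accept without a semicolon. Constructed
// short list for the example; HTML's legacy table is much longer.
const LEGACY_ENTITIES = ['lt', 'gt', 'amp', 'quot', 'nbsp'];

function addMissingSemicolons(string $string): string
{
    // Numeric: &#60 / &#x3c followed by something that is not more digits or ";"
    $string = preg_replace(
        '/&#(x[0-9a-fA-F]{1,6}(?![0-9a-fA-F;])|[0-9]{1,7}(?![0-9;]))/',
        '&#$1;',
        $string
    );

    // Legacy names: "&ltscript" -> "&lt;script", unless the run of letters
    // after the name already ends in ";" (e.g. "&ltimes;" is a real entity)
    $legacy = implode('|', LEGACY_ENTITIES);
    $string = preg_replace(
        '/&(' . $legacy . ')(?![a-zA-Z0-9]*;)/i',
        '&$1;',
        $string
    );

    // Other names: only when the name is followed by a non-alphanumeric
    $string = preg_replace(
        '/&([a-zA-Z][a-zA-Z0-9]{1,31})(?![a-zA-Z0-9;])/',
        '&$1;',
        $string
    );

    return $string;
}

function decodeEntitiesLenient(string $string, string $charset = 'UTF-8'): string
{
    // Up to three passes so double-encoded input (&amp;lt;) is fully
    // canonicalised before any tag or attribute filtering looks at it.
    for ($pass = 0; $pass < 3; $pass++) {
        if (strpos($string, '&') === false) {
            break;
        }
        $decoded = html_entity_decode(
            addMissingSemicolons($string),
            ENT_QUOTES | ENT_HTML5,
            $charset
        );
        if ($decoded === $string) {
            break;
        }
        $string = $decoded;
    }
    return $string;
}

// Constructed sample input
$samples = [
    '&lt;b&gt;bold&lt;/b&gt;',      // well-formed entities
    '&ltscript&gt;x&lt/script&gt',   // semicolons missing
    '&#60img src=x&#62',             // numeric entities without ";"
    '&amp;lt;script&amp;gt;',        // double-encoded
    'Fish &amp; Chips',              // a legitimate ampersand
];

foreach ($samples as $sample) {
    printf("%-36s -> %s\n", $sample, decodeEntitiesLenient($sample));
}
```

The bounded loop is the important design choice: a purifier that decodes only once will compare its tag patterns against `&lt;script&gt;` and find nothing, while the browser that renders the same string after one more decode sees a real tag.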

urlDecodeSpaces()

urlDecodeSpaces(array  $matches) : string

URL-decode taking spaces into account

Parameters

array $matches

Returns

string

compactExplodedWords()

compactExplodedWords($matches) : \TriTan\Common\type

Compact Exploded Words

Callback function for $this->purify() to remove whitespace from exploded keywords such as j a v a s c r i p t.

Parameters

$matches

Returns

\TriTan\Common\type
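The whitespace-compaction step that compactExplodedWords() performs, written out as an added example (not TriTan's callback). The keyword list and sample input are constructed; the page does not give TriTan's actual list.

```php
<?php
// Added example, not TriTan's own callback: collapse keywords whose letters
// have been separated by whitespace ("j a v a s c r i p t") so that later
// keyword checks can still recognise them.

// Constructed keyword list; the page does not give TriTan's actual list.
const EXPLODED_WORDS = [
    'javascript', 'vbscript', 'expression', 'eval', 'alert', 'document', 'cookie',
];

// preg_replace_callback handler: $matches[1] is the spaced-out keyword (with
// any trailing whitespace), $matches[2] the non-word character after it.
function compactExplodedWord(array $matches): string
{
    return preg_replace('/\s+/', '', $matches[1]) . $matches[2];
}

function compactExplodedWords(string $string): string
{
    foreach (EXPLODED_WORDS as $word) {
        // "eval" becomes the pattern e\s*v\s*a\s*l\s*
        $spaced = implode('\s*', str_split($word)) . '\s*';
        $string = preg_replace_callback(
            '#(' . $spaced . ')(\W)#i',
            'compactExplodedWord',
            $string
        );
    }
    return $string;
}

// Constructed sample input
$samples = [
    'j a v a s c r i p t:void(0)',
    'e v a l (x)',
    'Read the java script tutorial',   // plain prose can be a false positive
    'Nothing spaced out here.',
];

foreach ($samples as $sample) {
    printf("%-32s -> %s\n", $sample, compactExplodedWords($sample));
}
```

Two caveats a practitioner should keep in mind: `\s` only covers ASCII whitespace here, so the invisible-character pass has to run before this one, and, as the third sample shows, the heuristic also rewrites innocent prose that happens to spell a keyword across a space.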

removeEvilAttributes()

removeEvilAttributes($string, $is_image)

Parameters

$string
$is_image

sanitizeNaughtyHtml()

sanitizeNaughtyHtml($matches) : string

Sanitize Naughty HTML

Callback function for $this->purify() to remove naughty HTML elements

Parameters

$matches

Returns

string

jsLinkRemoval()

jsLinkRemoval($match) : string

JS Link Removal

Callback function for $this->purify() to sanitize links. This limits the PCRE backtracks, making it more performance friendly, and prevents PREG_BACKTRACK_LIMIT_ERROR from being triggered in PHP 5.2+ on link-heavy strings.

Parameters

$match

Returns

string

jsImgRemoval()

jsImgRemoval($match) : string

JS Image Removal

Callback function for $this->purify() to sanitize image tags. This limits the PCRE backtracks, making it more performance friendly, and prevents PREG_BACKTRACK_LIMIT_ERROR from being triggered in PHP 5.2+ on image-tag-heavy strings.

Parameters

$match

Returns

string

convertAttribute()

convertAttribute($match) : string

Attribute Conversion

Used as a callback for $this->purify().

Parameters

$match

Returns

string

filterAttributes()

filterAttributes($string) : string

Filter Attributes

Filters tag attributes for consistency and safety.

Parameters

$string

Returns

string

decodeEntity()

decodeEntity($match) : string

HTML Entity Decode Callback

Used as a callback for $this->purify().

Parameters

$match

Returns

string

validateEntities()

validateEntities($string) : string

Validate URL entities

Called by $this->purify().

Parameters

$string

Returns

string

neverAllowed()

neverAllowed($string) : string

Never Allowed

A utility function for $this->purify().

Parameters

$string

Returns

string

removeInvisibleCharacters()

removeInvisibleCharacters($string, $url_encoded = true)

Parameters

$string
$url_encoded
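An implementation of the behaviour removeInvisibleCharacters() is named for, as an added example rather than TriTan's own code: it strips non-printable control characters, and, when $url_encoded is true, their %XX-encoded forms as well, looping until a pass removes nothing. The sample input is constructed.

```php
<?php
// Added example, not TriTan's own implementation: strip non-printable control
// characters, both raw and (optionally) in their %XX URL-encoded form.

function removeInvisibleCharacters(string $string, bool $urlEncoded = true): string
{
    $patterns = [];
    if ($urlEncoded) {
        // %00-%08, %0B, %0C, %0E, %0F, %10-%1F and %7F. TAB (%09), LF (%0A)
        // and CR (%0D) are left alone, matching the raw case below.
        $patterns[] = '/%0[0-8bcef]/i';
        $patterns[] = '/%1[0-9a-f]/i';
        $patterns[] = '/%7f/i';
    }
    // Raw C0 controls except TAB, LF and CR, plus DEL
    $patterns[] = '/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]+/';

    // Removing one sequence can expose another ("%%0000" -> "%00" -> ""),
    // so loop until a pass makes no replacement at all.
    do {
        $string = preg_replace($patterns, '', $string, -1, $count);
    } while ($count > 0);

    return $string;
}

// Constructed sample input
$samples = [
    "java\x00script:void(0)",   // NUL byte splitting the keyword
    "java%00script:void(0)",    // the same, URL-encoded
    "%%0000",                   // removing one %00 exposes another
    "tab\tand\nnewline kept",   // TAB and LF are ordinary whitespace
];

foreach ($samples as $sample) {
    // addcslashes makes the raw control bytes visible in the printed input
    printf("%-28s -> %s\n", addcslashes($sample, "\0..\37"), removeInvisibleCharacters($sample));
}
```

The loop matters because a single pass leaves "%%0000" as "%00", which a later URL decode would turn back into a NUL byte; checking $count after each pass closes that gap.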