Filter Laravel Package
joomla/filter
Joomla Filter provides input sanitization and filtering utilities for PHP apps. Use InputFilter to allow/block specific HTML tags and attributes, and OutputFilter for safe output helpers like URL-safe strings. Composer installable, lightweight, framework-ready.
Getting Started
Install the package via Composer: composer require joomla/filter "~3.0" (or ~4.0 for PHP 8.3+). Start with the Joomla\Filter\InputFilter class for sanitizing user input—especially HTML content—before storage or output. The primary use case is preventing XSS attacks by filtering HTML strings, e.g., InputFilter::clean($html, 'html'). For simple scalar values (strings, integers), use InputFilter::clean($value, 'cmd') or 'int'. Check the InputFilter::TAGS_WHITELIST → ONLY_ALLOW_DEFINED_TAGS and ATTR_BLACKLIST → ONLY_BLOCK_DEFINED_ATTRIBUTES constant renamings if upgrading from v1.
Implementation Patterns
- HTML sanitization: Use
InputFilter::clean($input, 'html')with default tag/attribute filtering; customize viablockedTags,blockedAttributes,allowedTags,allowedAttributesarrays in the constructor or via static setters. - Custom filtering: Extend
Joomla\Filter\InputFilterto create domain-specific filters (e.g.,PostFilter extends InputFilter) and overridefilter()or implementpreFilter()/postFilter()hooks. - Security-first defaults: When filtering user-submitted content (e.g., comments), use strict modes:
$filter = new InputFilter([], [], InputFilter::ONLY_ALLOW_DEFINED_TAGS, InputFilter::ONLY_BLOCK_DEFINED_ATTRIBUTES, true); // $xssAuto = true - Integration with Laravel: Wrap
InputFilterin a service provider or helper (e.g.,filter_html($html)) and register it for injection. For request validation, callInputFilter::clean()in custom validation rules. - String safety: Use
OutputFilter::stringURLSafe($string)for generating SEO-friendly slugs (requiresjoomla/languageoptionally, for multibyte support).
Gotchas and Tips
- XSS evasion characters: Versions ≥2.0.6, ≥3.0.5, and ≥4.0.1 now strip common XSS tricks (e.g.,
javascript:,',j). Always upgrade to patch releases—critical vulnerabilities were found in earlier versions (CVE-2022-23800). - Case insensitivity & recursion: Bug fixes in
stripImages/stripIframes(v3.0.2+) handle<img style="..."/>and nested tags correctly. Usegrepto verify your version if filtering HTML5 media. - Multibyte gotchas: In earlier versions, mbstring functions were used inconsistently; newer versions default to non-multibyte methods. For multibyte input (e.g., non-Latin slugs), ensure
OutputFilter::stringURLSafe()is used withjoomla/languageinstalled. - Configuration quirk: The static
InputFilterclass maintains global state; avoid it in long-running processes (e.g., Swoole). Instantiate per-request instead:(new InputFilter($blockedTags, $blockedAttrs, ...)). - Extension point: Override
getClean()to add custom filter types (e.g.,'markdown','bbcode') by registering them in your child class’sfilter()method. - Testing tip: Validate your filter rules with known XSS payloads (e.g.,
<img src=x onerror=alert(1)>) using PHPUnit—preferably in integration tests to catch regressions after version bumps.
How can I help you explore Laravel packages today?