To do this, YANA offers a function named untaintInput().
The function has the following parameters:

Parameter | Type | Default | Description
---|---|---|---
value | mixed | n/a | data to be cleaned
type | string | "" | Data type. In addition to the native types supported by PHP, the following values are allowed:
length | integer | 0 | Maximum length of data
escape | integer | 0 | see the table of escape constants below

List of parameters for untaintInput
The parameter $escape accepts exactly one of the following constants.

Identifier | Description
---|---
YANA_ESCAPE_NONE | No changes (default)
YANA_ESCAPE_SLASHED | Converts single and double quotation marks to their escape sequences in C notation (\' and \")
YANA_ESCAPE_TOKEN | Replaces tokens by their HTML entities
YANA_ESCAPE_CODED | Replaces HTML markup characters, such as those forming tags, by entities
YANA_ESCAPE_LINEBREAK | Converts all whitespace characters (in particular line breaks) into spaces
YANA_ESCAPE_USERTEXT | For treatment of input from text area fields

Valid values for parameter $escape, function untaintInput
For INPUT fields you should always call untaintInput() with the parameter YANA_ESCAPE_LINEBREAK. A single-line field must never carry a line break into the output: a value that later ends up in a single-line context, such as an HTTP header or a log line, would otherwise let an attacker append lines of their own. Note that YANA_ESCAPE_LINEBREAK changes nothing but whitespace; a value that is echoed into HTML still needs entity encoding (YANA_ESCAPE_CODED or equivalent output encoding). For TEXTAREA fields you should use YANA_ESCAPE_USERTEXT. This prevents many forms of flooding by constantly repeated text (copy-and-paste flooding), wraps oversized text strings and trims white space, and thus ensures that the layout of your page is not broken.
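The following Python is an added example, not YANA's own code: it re-implements the escape modes from the table so their effect on hostile form input can be seen and checked. The numeric constant values, the wrap width, the truncate-on-length and reject-on-type choices, and the flooding heuristic are assumptions of this example; YANA_ESCAPE_TOKEN is left out because the page does not say which tokens it rewrites. The two sample submissions are constructed, not captured from a real site.

```python
"""Illustrative re-implementation of the escape modes documented for
untaintInput().  Added example, not YANA's source: constant values, the
wrap width, the truncate/reject choices and the flooding heuristic are
assumptions; YANA_ESCAPE_TOKEN is omitted because the token set is not
defined on this page."""
import html
import re
import textwrap

# Named after the YANA constants; the numeric values are assumed.
ESCAPE_NONE = 0
ESCAPE_SLASHED = 1
ESCAPE_CODED = 2
ESCAPE_LINEBREAK = 3
ESCAPE_USERTEXT = 4

WRAP_WIDTH = 80  # assumed column at which USERTEXT wraps oversized lines

# Constructed sample submissions (not captured from a real site): a one-line
# INPUT carrying CRLF, and a TEXTAREA flooded with repeated lines, a run of
# one character and a 100-character token that no column can hold.
SAMPLE_INPUT = "Bob\r\nX-Injected: yes"
LONG_TOKEN = "".join(chr(65 + i % 26) for i in range(100))
SAMPLE_TEXTAREA = ("   hello\nhello\nhello\n!!!!!!!!!!\n"
                   + LONG_TOKEN + "\n\n\n\nbye   ")


def _slashed(text: str) -> str:
    """Escape backslashes and both quote characters in C notation."""
    return text.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')


def _linebreak(text: str) -> str:
    """Map every whitespace character (CR, LF, TAB, ...) to a plain space, so a
    single-line field can never push a line break into a header or log line."""
    return re.sub(r"\s", " ", text)


def _usertext(text: str, width: int = WRAP_WIDTH) -> str:
    """Tidy text-area input: trim, collapse character and line repetition
    (copy-and-paste flooding) and wrap oversized lines."""
    text = text.replace("\r\n", "\n").replace("\r", "\n").strip()
    # Any character repeated more than three times in a row is cut to three.
    text = re.sub(r"(.)\1{3,}", r"\1\1\1", text, flags=re.S)
    out = []
    prev = None
    for line in text.split("\n"):
        line = line.rstrip()
        if line == prev:        # consecutive duplicate line: drop it
            continue
        prev = line
        # break_long_words splits a token longer than `width` across lines
        out.extend(textwrap.wrap(line, width=width, break_long_words=True) or [""])
    return "\n".join(out)


def untaint_input(value, type_="", length=0, escape=ESCAPE_NONE):
    """Coerce `value` to `type_`, cap it at `length` characters, then apply
    one escape mode.  A value that does not parse as the requested native type
    raises ValueError (reject semantics are an assumption of this example)."""
    if type_ in ("int", "integer"):
        return int(str(value).strip())
    if type_ in ("float", "double"):
        return float(str(value).strip())
    if type_ in ("bool", "boolean"):
        return str(value).strip().lower() in ("1", "true", "yes", "on")
    text = str(value).replace("\0", "")      # NUL never belongs in a text field
    if length > 0:
        text = text[:length]                 # cap applies to the raw value
    if escape == ESCAPE_SLASHED:
        return _slashed(text)
    if escape == ESCAPE_CODED:
        return html.escape(text, quote=True)
    if escape == ESCAPE_LINEBREAK:
        return _linebreak(text)
    if escape == ESCAPE_USERTEXT:
        return _usertext(text)
    return text


if __name__ == "__main__":
    print(repr(untaint_input(SAMPLE_INPUT, "string", 64, ESCAPE_LINEBREAK)))
    print(untaint_input(SAMPLE_TEXTAREA, "string", 0, ESCAPE_USERTEXT))
```

Running the module prints the two cleaned samples: the CRLF pair in the name collapses to two spaces, and the text-area paste loses its duplicate lines and its run of exclamation marks while the 100-character token is broken at the wrap width. Two caveats carry over to any such function: the line-break mode touches only whitespace, so the value still needs entity encoding before it is echoed into HTML, and because the length cap is applied before escaping, entity-encoded output can end up longer than `length`.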
Thomas Meyer, www.yanaframework.net