Filter: Describe sanitization flags in constant page

Girgias · Girgias · commit 6305d207729e · 2024-11-26T00:33:45.000Z
diff --git a/reference/filter/book.xml b/reference/filter/book.xml
@@ -1,42 +1,53 @@
 <?xml version="1.0" encoding="utf-8"?>
 <!-- $Revision$ -->
-
 <book xml:id="book.filter" xmlns="http://docbook.org/ns/docbook">
  <?phpdoc extension-membership="bundled" ?>
  <title>Data Filtering</title>
  <titleabbrev>Filter</titleabbrev>
 
  <preface xml:id="intro.filter">
   &reftitle.intro;
-  <para>
-   This extension filters data by either validating or sanitizing it. This is 
-   especially useful when the data source contains unknown (or foreign) data,
-   like user supplied input. For example, this data may come from an HTML form.
-  </para>
-  <para>
+  <simpara>
+   This extension provides filters which can be used to validate or sanitize data.
+   This is especially useful when the data source contains unknown (or foreign) data,
+   like user supplied input.
+   For example, this data may come from an <acronym>HTML</acronym> form.
+  </simpara>
+  <simpara>
    There are two main types of filtering:
    <emphasis>validation</emphasis> and <emphasis>sanitization</emphasis>.
-  </para>
-  <para>
-   Validation is used to
-   validate or check if the data meets certain qualifications. For example,
-   passing in <constant>FILTER_VALIDATE_EMAIL</constant> will determine if
-   the data is a valid email address, but will not change the data itself.
-  </para>
-  <para>
-   <link linkend="filter.filters.sanitize">Sanitization</link> will
-   sanitize the data, so it may alter it by removing undesired characters.
-   For example, passing in <constant>FILTER_SANITIZE_EMAIL</constant> will
+  </simpara>
+  <simpara>
+   A validation filter is used to check if the data meets certain criteria.
+   These filters are identified by the
+   <constant>FILTER_VALIDATE_<replaceable>*</replaceable></constant>
+   constants.
+   For example, the <constant>FILTER_VALIDATE_EMAIL</constant> filter
+   can be used to determine if the data is a valid email address.
+   However, it will never alter the input data.
+  </simpara>
+  <simpara>
+   Sanitization on the other hand will "clean up" the data,
+   therefore it may alter the input data by adding or removing characters.
+   These filters are identified by the
+   <constant>FILTER_SANITIZE_<replaceable>*</replaceable></constant>
+   constants.
+   For example, the <constant>FILTER_SANITIZE_EMAIL</constant> filter will
    remove characters that are inappropriate for an email address to contain.
-   That said, it does not validate the data.
-  </para>
-  <para>
-   <emphasis>Flags</emphasis> are optionally used with both validation and
-   sanitization to tweak behaviour according to need. For example, passing
-   in <constant>FILTER_FLAG_PATH_REQUIRED</constant> while filtering an
-   <acronym>URL</acronym> will require a path (like <literal>/foo</literal> 
-   in <literal>http://example.org/foo</literal>) to be present.
-  </para>
+   However, the sanitized data is not validated to check if it is a valid
+   email address.
+  </simpara>
+  <simpara>
+   Most filters support optional <emphasis>flags</emphasis> that can tweak
+   the behavior of the filter.
+   These flags are identified by the
+   <constant>FILTER_FLAG_<replaceable>*</replaceable></constant>
+   constants.
+   For example, using the <constant>FILTER_FLAG_PATH_REQUIRED</constant> with
+   the <constant>FILTER_VALIDATE_URL</constant> validation filter
+   requires that the <acronym>URL</acronym> has a path
+   (e.g. <literal>/foo</literal> in <literal>https://example.org/foo</literal>).
+  </simpara>
  </preface>
 
  &reference.filter.setup;
@@ -46,7 +57,6 @@
  &reference.filter.reference;
 
 </book>
-
 <!-- Keep this comment at the end of the file
 Local variables:
 mode: sgml
diff --git a/reference/filter/constants.xml b/reference/filter/constants.xml
@@ -831,7 +831,13 @@
    </term>
    <listitem>
     <simpara>
-     ID of "unsafe_raw" filter.
+     This filter does nothing.
+    </simpara>
+    <simpara>
+     However, it can strip or encode special characters if used together with
+     the <constant>FILTER_FLAG_STRIP_<replaceable>*</replaceable></constant>
+     and <constant>FILTER_FLAG_ENCODE_<replaceable>*</replaceable></constant>
+     filter sanitization flags.
     </simpara>
    </listitem>
   </varlistentry>
@@ -853,10 +859,24 @@
    </term>
    <listitem>
     <simpara>
-     ID of "string" filter.
-     (<emphasis>Deprecated</emphasis> as of PHP 8.1.0,
-     use <function>htmlspecialchars</function> instead.)
+     This filter strips tags and HTML-encodes double and single quotes.
+    </simpara>
+    <simpara>
+     Optionally it can strip or encode specified characters if used together with
+     the <constant>FILTER_FLAG_STRIP_<replaceable>*</replaceable></constant>
+     and <constant>FILTER_FLAG_ENCODE_<replaceable>*</replaceable></constant>
+     filter sanitization flags.
     </simpara>
+    <simpara>
+     The behaviour of encoding quotes can be disabled by using the
+     <constant>FILTER_FLAG_NO_ENCODE_QUOTES</constant> filter flag.
+    </simpara>
+    <warning>
+     <simpara>
+      <emphasis>Deprecated</emphasis> as of PHP 8.1.0,
+      use <function>htmlspecialchars</function> instead.
+     </simpara>
+    </warning>
    </listitem>
   </varlistentry>
   <varlistentry xml:id="constant.filter-sanitize-stripped">
@@ -879,7 +899,13 @@
    </term>
    <listitem>
     <simpara>
-     ID of "encoded" filter.
+     This filter URL-encodes a string.
+    </simpara>
+    <simpara>
+     Optionally it can strip or encode specified characters if used together with
+     the <constant>FILTER_FLAG_STRIP_<replaceable>*</replaceable></constant>
+     and <constant>FILTER_FLAG_ENCODE_<replaceable>*</replaceable></constant>
+     filter sanitization flags.
     </simpara>
    </listitem>
   </varlistentry>
@@ -889,8 +915,22 @@
     (<type>int</type>)
    </term>
    <listitem>
+    <para>
+     This filter HTML-encodes
+     <simplelist type="inline">
+      <member><literal>'</literal></member>
+      <member><literal>"</literal></member>
+      <member><literal>&lt;</literal></member>
+      <member><literal>&gt;</literal></member>
+      <member><literal>&amp;</literal></member>
+     </simplelist>
+     and characters with an ASCII value less than 32.
+    </para>
     <simpara>
-     ID of "special_chars" filter.
+     Optionally it can strip specified characters if used together with
+     the <constant>FILTER_FLAG_STRIP_<replaceable>*</replaceable></constant>
+     filter sanitization flags, and it can encode characters with ASCII value
+     greater than 127 using <constant>FILTER_FLAG_ENCODE_HIGH</constant>.
     </simpara>
    </listitem>
   </varlistentry>
@@ -901,8 +941,22 @@
    </term>
    <listitem>
     <simpara>
-     ID of "full_special_chars" filter.
+     This filter is equivalent to calling <function>htmlspecialchars</function>
+     with <constant>ENT_QUOTES</constant> set.
     </simpara>
+    <simpara>
+     The behaviour of encoding quotes can be disabled by using the
+     <constant>FILTER_FLAG_NO_ENCODE_QUOTES</constant> filter flag.
+    </simpara>
+    <warning>
+     <simpara>
+      Like <function>htmlspecialchars</function>, this filter is aware of the
+      <link linkend="ini.default-charset">default_charset</link> INI setting.
+      If a sequence of bytes is detected that makes up an invalid character
+      in the current character set then the entire string is rejected
+      resulting in a empty string being returned.
+     </simpara>
+    </warning>
    </listitem>
   </varlistentry>
   <varlistentry xml:id="constant.filter-sanitize-email">
diff --git a/reference/filter/filters.xml b/reference/filter/filters.xml
@@ -3,132 +3,6 @@
 <chapter xml:id="filter.filters" xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink">
  <title>Types of filters</title>
 
- <!-- Sanitize filters: {{{-->
- <section xml:id="filter.filters.sanitize">
-  <title>Sanitize filters</title>
-   <para>
-    <table>
-     <title>List of filters for sanitization</title>
-     <tgroup cols="5">
-      <thead>
-       <row>
-        <entry>ID</entry>
-        <entry>Name</entry>
-        <entry>Flags</entry>
-        <entry>Description</entry>
-       </row>
-      </thead>
-      <tbody>
-       <row>
-        <entry><constant>FILTER_SANITIZE_ENCODED</constant></entry>
-        <entry>"encoded"</entry>
-        <entry>
-         <constant>FILTER_FLAG_STRIP_LOW</constant>,
-         <constant>FILTER_FLAG_STRIP_HIGH</constant>,
-         <constant>FILTER_FLAG_STRIP_BACKTICK</constant>,
-         <constant>FILTER_FLAG_ENCODE_LOW</constant>,
-         <constant>FILTER_FLAG_ENCODE_HIGH</constant>
-        </entry>
-        <entry>URL-encode string, optionally strip or encode special characters.</entry>
-       </row>
-       <row>
-        <entry><constant>FILTER_SANITIZE_SPECIAL_CHARS</constant></entry>
-        <entry>"special_chars"</entry>
-        <entry>
-         <constant>FILTER_FLAG_STRIP_LOW</constant>,
-         <constant>FILTER_FLAG_STRIP_HIGH</constant>,
-         <constant>FILTER_FLAG_STRIP_BACKTICK</constant>,
-         <constant>FILTER_FLAG_ENCODE_HIGH</constant>
-        </entry>
-        <entry>
-         HTML-encode <literal>'"&lt;&gt;&amp;</literal> and characters with
-         ASCII value less than 32, optionally strip or encode other special
-         characters.
-        </entry>
-       </row>
-       <row>
-        <entry><constant>FILTER_SANITIZE_FULL_SPECIAL_CHARS</constant></entry>
-        <entry>"full_special_chars"</entry>
-        <entry>
-         <constant>FILTER_FLAG_NO_ENCODE_QUOTES</constant>
-        </entry>
-        <entry>
-         Equivalent to calling <function>htmlspecialchars</function> with <constant>ENT_QUOTES</constant> set. Encoding quotes can
-         be disabled by setting <constant>FILTER_FLAG_NO_ENCODE_QUOTES</constant>. Like <function>htmlspecialchars</function>, this
-         filter is aware of the <link linkend="ini.default-charset">default_charset</link> and if a sequence of bytes is detected that
-         makes up an invalid character in the current character set then the entire string is rejected resulting in a 0-length string.
-         When using this filter as a default filter, see the warning below about setting the default flags to 0.
-        </entry>
-       </row>
-       <row>
-        <entry><constant>FILTER_SANITIZE_STRING</constant></entry>
-        <entry>"string"</entry>
-        <entry>
-         <constant>FILTER_FLAG_NO_ENCODE_QUOTES</constant>,
-         <constant>FILTER_FLAG_STRIP_LOW</constant>,
-         <constant>FILTER_FLAG_STRIP_HIGH</constant>,
-         <constant>FILTER_FLAG_STRIP_BACKTICK</constant>,
-         <constant>FILTER_FLAG_ENCODE_LOW</constant>,
-         <constant>FILTER_FLAG_ENCODE_HIGH</constant>,
-         <constant>FILTER_FLAG_ENCODE_AMP</constant>
-        </entry>
-        <entry>
-         Strip tags and HTML-encode double and single quotes, optionally strip
-         or encode special characters. Encoding quotes can be
-         disabled by setting <constant>FILTER_FLAG_NO_ENCODE_QUOTES</constant>.
-         (<emphasis>Deprecated</emphasis> as of PHP 8.1.0,
-         use <function>htmlspecialchars</function> instead.)
-        </entry>
-       </row>
-       <row>
-        <entry><constant>FILTER_UNSAFE_RAW</constant></entry>
-        <entry>"unsafe_raw"</entry>
-        <entry>
-         <constant>FILTER_FLAG_STRIP_LOW</constant>,
-         <constant>FILTER_FLAG_STRIP_HIGH</constant>,
-         <constant>FILTER_FLAG_STRIP_BACKTICK</constant>,
-         <constant>FILTER_FLAG_ENCODE_LOW</constant>,
-         <constant>FILTER_FLAG_ENCODE_HIGH</constant>,
-         <constant>FILTER_FLAG_ENCODE_AMP</constant>
-        </entry>
-        <entry>
-         Do nothing, optionally strip or encode special characters. This
-         filter is also aliased to <constant>FILTER_DEFAULT</constant>.
-        </entry>
-       </row>
-      </tbody>
-     </tgroup>
-    </table>
-   </para>
-
-  <simplesect role="changelog">
-   &reftitle.changelog;
-   <para>
-    <informaltable>
-     <tgroup cols="2">
-      <thead>
-       <row>
-        <entry>&Version;</entry>
-        <entry>&Description;</entry>
-       </row>
-      </thead>
-      <tbody>
-       <row>
-        <entry>8.1.0</entry>
-        <entry>
-         <constant>FILTER_SANITIZE_STRING</constant> and
-         <constant>FILTER_SANITIZE_STRIPPED</constant> have been deprecated.
-        </entry>
-       </row>
-      </tbody>
-     </tgroup>
-    </informaltable>
-   </para>
-  </simplesect>
-
- </section>
- <!--}}}-->
-
  <!-- Filter flags: {{{-->
  <section xml:id="filter.filters.flags">
   <title>Filter flags</title>
