
mncs (Level 2)

Validation: filter/sanitize input

I need to filter / sanitize user input during validation.

I have request data which needs to be filtered/sanitized (html input with only a few html tags allowed) during validation.

As far as I understand custom validation rules, you can only reject or pass a value for an attribute. But I want to filter / sanitize (for example with HtmlPurifier) a value and pass the filtered value to the next validation rule.

Is this possible or do I have to do that for my request data before passing it to the Validator?

0 likes
4 replies
mstnorris (Level 55)

Well, you either let it pass validation and then sanitise it (I'm not recommending this way), or, you sanitise it so that it can pass validation. It is up to you.

I would do it on the Form Request, and then pass it through the validation. That way you know that it should pass.

mncs (Level 2)

Yeah I definitely would want to sanitize before validation. Just was not sure if the Validator could also do filtering (CodeIgniter for example is doing that).

thanks.

mstnorris

I think it is best to separate them (think of the S in SOLID).

teooe

You could create a Middleware class with an implementation of HtmlPurifier, example:

<?php namespace App\Http\Middleware;

use Closure;
use Illuminate\Support\Facades\Log;

/**
 * User: theo
 * Date: 19-05-15
 * Time: 13:22
 */
class purifierMiddleware {

    /**
     * Handle an incoming request.
     *
     * @param  \Illuminate\Http\Request  $request
     * @param  \Closure  $next
     * @return mixed
     */
    public function handle($request, Closure $next)
    {
        $input = $request->all();

        // Purify input requests: any field that HTML Purifier would change gets the request rejected
        if (count($input) > 0) {
            $htmlPurifierConfig = \HTMLPurifier_Config::createDefault();
            $htmlPurifierConfig->set('Core.Encoding', 'UTF-8');
            $htmlPurifierConfig->set('HTML.Doctype', 'HTML 4.01 Transitional');

            if (defined('PURIFIER_CACHE')) {
                $htmlPurifierConfig->set('Cache.SerializerPath', PURIFIER_CACHE);
            } else {
                // Disable the definition cache entirely
                $htmlPurifierConfig->set('Cache.DefinitionImpl', null);
            }
            $filterHTMLPurifier = new \HTMLPurifier($htmlPurifierConfig);

            $this->PurifyList($input, $filterHTMLPurifier);
        }

        return $next($request);
    }

    /**
     * Walk the input recursively and abort if any string value does not survive purification unchanged.
     *
     * @param array         $input
     * @param \HTMLPurifier $filterHTMLPurifier
     */
    public function PurifyList(array $input, \HTMLPurifier $filterHTMLPurifier)
    {
        foreach ($input as $key => $value) {
            if (is_array($value)) {
                $this->PurifyList($value, $filterHTMLPurifier);
                continue;
            }

            // $request->all() also contains uploaded files and non-string scalars; only strings can carry HTML
            if (!is_string($value) || $value === '') {
                continue;
            }

            $init = $value;
            $value = $filterHTMLPurifier->purify($value);

            // Reject the request when the purifier had to strip or rewrite anything
            if ($init !== $value) {
                Log::warning('Htmlpurifier: ' . $init);

                abort(401, "Htmlpurifier request data is not correct: " . $init);
            }
        }
    }

}
2 likes
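A worked example of the Form Request approach mstnorris recommends, combined with the "only a few HTML tags allowed" requirement from the question: the field is rewritten by HTML Purifier in prepareForValidation() before the rules run, so the validator sees the sanitized value rather than rejecting the request as the middleware above does. This is added example code, not code from the thread or from Laravel or HTML Purifier; it assumes the ezyang/htmlpurifier Composer package is installed, a request field named body, and the allowlist in ALLOWED_HTML.

```php
<?php

namespace App\Http\Requests;

use HTMLPurifier;
use HTMLPurifier_Config;
use Illuminate\Foundation\Http\FormRequest;

class StorePostRequest extends FormRequest
{
    /** Tags and attributes the application allows in user HTML (assumed allowlist). */
    private const ALLOWED_HTML = 'p,br,strong,em,ul,ol,li,a[href]';

    public function authorize(): bool
    {
        return true;
    }

    /**
     * Runs before rules(): the body field is replaced with its purified form,
     * so every later validation rule works on the sanitized value.
     */
    protected function prepareForValidation(): void
    {
        if (is_string($this->input('body'))) {
            $this->merge(['body' => self::purify($this->input('body'))]);
        }
    }

    public function rules(): array
    {
        return [
            'title' => ['required', 'string', 'max:120'],
            'body'  => ['required', 'string', 'max:10000'],
        ];
    }

    /** Reduce arbitrary HTML to the allowlist; everything else is stripped, not rejected. */
    public static function purify(string $html): string
    {
        $config = HTMLPurifier_Config::createDefault();
        $config->set('HTML.Allowed', self::ALLOWED_HTML);
        // Only these link schemes survive in href; other schemes are removed by the purifier
        $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true, 'mailto' => true]);
        $config->set('Cache.DefinitionImpl', null); // no cache directory needed for the example

        return (new HTMLPurifier($config))->purify($html);
    }
}
```

Unlike the middleware, this sanitizes only the field that is meant to carry HTML; plain-text fields keep going through ordinary rules such as string and max.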
