public bool
test
(\SimpleXMLElement $element, mixed $value, mixed $group = null, \Joomla\Registry\Registry $input = null, \Joomla\CMS\Form\Form $form = null)
/**
* Method to test if the file path is valid
*
* @param \SimpleXMLElement $element The SimpleXMLElement object representing the `<field>` tag for the form field object.
* @param mixed $value The form field value to validate.
* @param string $group The field name group control value. This acts as an array container for the field.
* For example if the field has name="foo" and the group value is set to "bar" then the
* full field name would end up being "bar[foo]".
* @param Registry $input An optional Registry object with the entire data set to validate against the entire form.
* @param Form $form The form object for which the field is being tested.
*
* @return boolean True if the value is valid, false otherwise.
*
* @since 3.9.21
*/
public function test(\SimpleXMLElement $element, $value, $group = null, Registry $input = null, Form $form = null)
{
$value = trim($value);
// If the field is empty and not required, the field is valid.
$required = (string) $element['required'] == 'true' || (string) $element['required'] == 'required';
if (!$required && empty($value)) {
return true;
}
// Get the exclude setting from the xml
$exclude = (array) explode('|', (string) $element['exclude']);
// Exclude current folder '.' to be safe from full path disclosure
$exclude[] = '.';
// Check the exclude setting
$path = preg_split('/[\\/\\\\]/', $value);
if (in_array(strtolower($path[0]), $exclude) || empty($path[0])) {
return false;
}
// Prepend the root path
$value = JPATH_ROOT . '/' . $value;
// Check if $value is a valid path, which includes not allowing to break out of the current path
try {
Path::check($value);
} catch (\Exception $e) {
// When there is an exception in the check path this is not valid
return false;
}
// When there are no exception this rule should pass.
// See: https://github.com/joomla/joomla-cms/issues/30500#issuecomment-683290162
return true;
}