Recommend this page to a friend! |
Download |
Info | Documentation | Demos | Files | Install with Composer | Download | Reputation | Support forum | Blog | Links |
Ratings | Unique User Downloads | Download Rankings | ||||
65% | Total: 532 This week: 1 | All time: 5,643 This week: 41 |
Version | License | PHP version | Categories | |||
anti-xss 2.0.43 | MIT/X Consortium ... | 5.3 | HTML, PHP 5, Security |
Collaborate with this project | Authors EllisLab Dev Team Contributor | |
anti-xss - github.com Description This class can remove tags from HTML that may cause XSS attacks. |
[//]: # (AUTO-GENERATED BY "PHP README Helper": base file -> docs/base.md)
"Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications. XSS enables attackers to inject client-side script into Web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same origin policy. Cross-site scripting carried out on websites accounted for roughly 84% of all security vulnerabilities documented by Symantec as of 2007." - http://en.wikipedia.org/wiki/Cross-site_scripting
http://anti-xss-demo.suckup.de/
1) Use filter_input() - don't use GLOBAL-Array (e.g. $_SESSION, $_GET, $_POST, $_SERVER) directly
2) Use html-sanitizer or HTML Purifier if you need a more configurable solution
3) Add "Content Security Policy's" -> Introduction to Content Security Policy
4) DO NOT WRITE YOUR OWN REGEX TO PARSE HTML!
5) READ THIS TEXT -> XSS (Cross Site Scripting) Prevention Cheat Sheet
6) TEST THIS TOOL -> Zed Attack Proxy (ZAP)
composer require voku/anti-xss
use voku\helper\AntiXSS;
require_once __DIR__ . '/vendor/autoload.php'; // example path
$antiXss = new AntiXSS();
Example 1: (HTML Character)
$harm_string = "Hello, i try to <script>alert('Hack');</script> your site";
$harmless_string = $antiXss->xss_clean($harm_string);
// Hello, i try to alert('Hack'); your site
Example 2: (Hexadecimal HTML Character)
$harm_string = "<IMG SRC=javascript:alert('XSS')>";
$harmless_string = $antiXss->xss_clean($harm_string);
// <IMG >
Example 3: (Unicode Hex Character)
$harm_string = "<a href=' javascript:alert(1)'>CLICK</a>";
$harmless_string = $antiXss->xss_clean($harm_string);
// <a >CLICK</a>
Example 4: (Unicode Character)
$harm_string = "<a href=\"\u0001java\u0003script:alert(1)\">CLICK<a>";
$harmless_string = $antiXss->xss_clean($harm_string);
// <a >CLICK</a>
Example 5.1: (non Inline CSS)
$harm_string = '<li style="list-style-image: url(javascript:alert(0))">';
$harmless_string = $antiXss->xss_clean($harm_string);
// <li >
Example 5.2: (with Inline CSS)
$harm_string = '<li style="list-style-image: url(javascript:alert(0))">';
$antiXss->removeEvilAttributes(array('style')); // allow style-attributes
$harmless_string = $antiXss->xss_clean($harm_string);
// <li style="list-style-image: url(alert(0))">
Example 6: (check if an string contains a XSS attack)
$harm_string = "\x3cscript src=http://www.example.com/malicious-code.js\x3e\x3c/script\x3e";
$harmless_string = $antiXss->xss_clean($harm_string);
//
$antiXss->isXssFound();
// true
Example 7: (allow e.g. iframes)
$harm_string = "<iframe width="560" onclick="alert('xss')" height="315" src="https://www.youtube.com/embed/foobar?rel=0&controls=0&showinfo=0" frameborder="0" allowfullscreen></iframe>";
$antiXss->removeEvilHtmlTags(array('iframe'));
$harmless_string = $antiXss->xss_clean($harm_string);
// <iframe width="560" height="315" src="https://www.youtube.com/embed/foobar?rel=0&controls=0&showinfo=0" frameborder="0" allowfullscreen></iframe>
1) Composer is a prerequisite for running the tests.
composer install
2) The tests can be executed by running this command from the root directory:
./vendor/bin/phpunit
<p id="voku-php-readme-class-methods"></p><table><tr><td><a href="#adddonotclosehtmltagsstring-strings-this">addDoNotCloseHtmlTags</a> </td><td><a href="#addevilattributesstring-strings-this">addEvilAttributes</a> </td><td><a href="#addevilhtmltagsstring-strings-this">addEvilHtmlTags</a> </td><td><a href="#addneverallowedcallstringsstring-strings-this">addNeverAllowedCallStrings</a> </td></tr><tr><td><a href="#addneverallowedjscallbackregexstring-strings-this">addNeverAllowedJsCallbackRegex</a> </td><td><a href="#addneverallowedoneventsafterwardsstring-strings-this">addNeverAllowedOnEventsAfterwards</a> </td><td><a href="#addneverallowedregexstring-strings-this">addNeverAllowedRegex</a> </td><td><a href="#addneverallowedstrafterwardsstring-strings-this">addNeverAllowedStrAfterwards</a> </td></tr><tr><td><a href="#isxssfound-boolnull">isXssFound</a> </td><td><a href="#removedonotclosehtmltagsstring-strings-this">removeDoNotCloseHtmlTags</a> </td><td><a href="#removeevilattributesstring-strings-this">removeEvilAttributes</a> </td><td><a href="#removeevilhtmltagsstring-strings-this">removeEvilHtmlTags</a> </td></tr><tr><td><a href="#removeneverallowedcallstringsstring-strings-this">removeNeverAllowedCallStrings</a> </td><td><a href="#removeneverallowedjscallbackregexstring-strings-this">removeNeverAllowedJsCallbackRegex</a> </td><td><a href="#removeneverallowedoneventsafterwardsstring-strings-this">removeNeverAllowedOnEventsAfterwards</a> </td><td><a href="#removeneverallowedregexstring-strings-this">removeNeverAllowedRegex</a> </td></tr><tr><td><a href="#removeneverallowedstrafterwardsstring-strings-this">removeNeverAllowedStrAfterwards</a> </td><td><a href="#setreplacementstring-string-this">setReplacement</a> </td><td><a href="#setstripe4bytecharsbool-bool-this">setStripe4byteChars</a> </td><td><a href="#xss_cleanstringstring-str-stringstring">xss_clean</a> </td></tr></table>
<a href="#voku-php-readme-class-methods">?</a> Add some strings to the "_do_not_close_html_tags"-array.
Parameters:
- string[] $strings
Return:
- $this
<a href="#voku-php-readme-class-methods">?</a> Add some strings to the "_evil_attributes"-array.
Parameters:
- string[] $strings
Return:
- $this
<a href="#voku-php-readme-class-methods">?</a> Add some strings to the "_evil_html_tags"-array.
Parameters:
- string[] $strings
Return:
- $this
<a href="#voku-php-readme-class-methods">?</a> Add some strings to the "_never_allowed_call_strings"-array.
Parameters:
- string[] $strings
Return:
- $this
<a href="#voku-php-readme-class-methods">?</a> Add some strings to the "_never_allowed_js_callback_regex"-array.
Parameters:
- string[] $strings
Return:
- $this
<a href="#voku-php-readme-class-methods">?</a> Add some strings to the "_never_allowed_on_events_afterwards"-array.
Parameters:
- string[] $strings
Return:
- $this
<a href="#voku-php-readme-class-methods">?</a> Add some strings to the "_never_allowed_regex"-array.
Parameters:
- string[] $strings
Return:
- $this
<a href="#voku-php-readme-class-methods">?</a> Add some strings to the "_never_allowed_str_afterwards"-array.
Parameters:
- string[] $strings
Return:
- $this
<a href="#voku-php-readme-class-methods">?</a> Check if the "AntiXSS->xss_clean()"-method found an XSS attack in the last run.
Parameters: __nothing__
Return:
- bool|null <p>Will return null if the "xss_clean()" wasn't running at all.</p>
<a href="#voku-php-readme-class-methods">?</a> Remove some strings from the "_do_not_close_html_tags"-array.
<p> <br /> WARNING: Use this method only if you have a really good reason. </p>
Parameters:
- string[] $strings
Return:
- $this
<a href="#voku-php-readme-class-methods">?</a> Remove some strings from the "_evil_attributes"-array.
<p> <br /> WARNING: Use this method only if you have a really good reason. </p>
Parameters:
- string[] $strings
Return:
- $this
<a href="#voku-php-readme-class-methods">?</a> Remove some strings from the "_evil_html_tags"-array.
<p> <br /> WARNING: Use this method only if you have a really good reason. </p>
Parameters:
- string[] $strings
Return:
- $this
<a href="#voku-php-readme-class-methods">?</a> Remove some strings from the "_never_allowed_call_strings"-array.
<p> <br /> WARNING: Use this method only if you have a really good reason. </p>
Parameters:
- string[] $strings
Return:
- $this
<a href="#voku-php-readme-class-methods">?</a> Remove some strings from the "_never_allowed_js_callback_regex"-array.
<p> <br /> WARNING: Use this method only if you have a really good reason. </p>
Parameters:
- string[] $strings
Return:
- $this
<a href="#voku-php-readme-class-methods">?</a> Remove some strings from the "_never_allowed_on_events_afterwards"-array.
<p> <br /> WARNING: Use this method only if you have a really good reason. </p>
Parameters:
- string[] $strings
Return:
- $this
<a href="#voku-php-readme-class-methods">?</a> Remove some strings from the "_never_allowed_regex"-array.
<p> <br /> WARNING: Use this method only if you have a really good reason. </p>
Parameters:
- string[] $strings
Return:
- $this
<a href="#voku-php-readme-class-methods">?</a> Remove some strings from the "_never_allowed_str_afterwards"-array.
<p> <br /> WARNING: Use this method only if you have a really good reason. </p>
Parameters:
- string[] $strings
Return:
- $this
<a href="#voku-php-readme-class-methods">?</a> Set the replacement-string for not allowed strings.
Parameters:
- string $string
Return:
- $this
<a href="#voku-php-readme-class-methods">?</a> Set the option to stripe 4-Byte chars.
<p> <br /> INFO: use it if your DB (MySQL) can't use "utf8mb4" -> preventing stored XSS-attacks </p>
Parameters:
- bool $bool
Return:
- $this
<a href="#voku-php-readme-class-methods">?</a> XSS Clean
<p> <br /> Sanitizes data so that "Cross Site Scripting" hacks can be prevented. This method does a fair amount of work but it is extremely thorough, designed to prevent even the most obscure XSS attempts. But keep in mind that nothing is ever 100% foolproof... </p>
<p> <br /> <strong>Note:</strong> Should only be used to deal with data upon submission. It's not something that should be used for general runtime processing. </p>
Parameters:
- TXssCleanInput $str <p>input data e.g. string or array of strings</p>
Return:
- string|string[]
For support and donations please visit Github | Issues | PayPal | Patreon.
For status updates and release announcements please visit Releases | Twitter | Patreon.
For professional support please contact me.
Files (51) |
File | Role | Description | ||
---|---|---|---|---|
.github (3 files, 1 directory) | ||||
build (2 files, 1 directory) | ||||
src (1 directory) | ||||
tests (7 files, 1 directory) | ||||
.editorconfig | Data | Auxiliary data | ||
.scrutinizer.yml | Data | Auxiliary data | ||
.styleci.yml | Data | Auxiliary data | ||
.travis.yml | Data | Auxiliary data | ||
.whitesource | Data | Auxiliary data | ||
CHANGELOG.md | Data | Auxiliary data | ||
circle.yml | Data | Auxiliary data | ||
composer.json | Data | Auxiliary data | ||
LICENSE | Lic. | License text | ||
phpcs.php_cs | Example | Example script | ||
phpstan.neon | Data | Auxiliary data | ||
phpunit.xml | Data | Auxiliary data | ||
README.md | Doc. | Documentation | ||
renovate.json | Data | Auxiliary data |
Files (51) | / | .github |
File | Role | Description | ||
---|---|---|---|---|
workflows (1 file) | ||||
CONTRIBUTING.md | Data | Auxiliary data | ||
FUNDING.yml | Data | Auxiliary data | ||
ISSUE_TEMPLATE.md | Data | Auxiliary data |
Files (51) | / | build |
File | Role | Description | ||
---|---|---|---|---|
docs (1 file) | ||||
composer.json | Data | Auxiliary data | ||
generate_docs.php | Example | Example script |
Files (51) | / | src | / | voku | / | helper | / | data |
File | Role | Description |
---|---|---|
entities_fallback.php | Aux. | Auxiliary script |
Files (51) | / | tests |
File | Role | Description | ||
---|---|---|---|---|
fixtures (21 files) | ||||
bootstrap.php | Aux. | Auxiliary script | ||
DOMPurifyTest.php | Class | Class source | ||
JsXssTest.php | Class | Class source | ||
LaravelSecurityTest.php | Class | Class source | ||
LibFilterSecurityTest.php | Class | Class source | ||
XssArrayTest.php | Class | Class source | ||
XssTest.php | Class | Class source |
Files (51) | / | tests | / | fixtures |
File | Role | Description |
---|---|---|
base64_image.html | Doc. | Documentation |
base64_image_big.html | Doc. | Documentation |
expect.json | Data | Auxiliary data |
expect_result.php | Aux. | Auxiliary script |
image.html | Doc. | Documentation |
image_clean.html | Doc. | Documentation |
xss_issue_sample_post_small.html | Doc. | Documentation |
xss_no_v1.html | Doc. | Documentation |
xss_no_v1_clean.html | Doc. | Documentation |
xss_v1.svg | Data | Auxiliary data |
xss_v1_clean.html | Doc. | Documentation |
xss_v1_clean.svg | Data | Auxiliary data |
xss_v1_clean_php81.svg | Data | Auxiliary data |
xss_v2.svg | Data | Auxiliary data |
xss_v2_clean.svg | Data | Auxiliary data |
xss_v3.svg | Data | Auxiliary data |
xss_v3_clean.svg | Data | Auxiliary data |
xss_v4.html | Doc. | Documentation |
xss_v4_clean.html | Doc. | Documentation |
xss_v5.html | Doc. | Documentation |
xss_v5_clean.html | Doc. | Documentation |
The PHP Classes site has supported package installation using the Composer tool since 2013, as you may verify by reading this instructions page. |
Install with Composer |
anti-xss-2023-05-22.zip 931KB | |
anti-xss-2023-05-22.tar.gz 923KB | |
Install with Composer |
Needed packages | ||
Class | Download | Why it is needed | Dependency |
---|---|---|---|
Portable UTF-8 | .zip .tar.gz | String-Handling | Required |
Version Control | Unique User Downloads | Download Rankings | |||||||||||||||
100% |
|
|
User Ratings | User Comments (1) | ||||||||||||||||||||||||||||||||||
|
|
Applications that use this package |
If you know an application of this package, send a message to the author to add a link here.