PHP Classes

PHP Anti XSS Filter: Remove tags from HTML that may cause XSS attacks

Ratings: 65% (4 stars). Unique user downloads: 532 total, 1 this week. Download rankings: 5,643 all time, 41 this week (up).
Version: anti-xss 2.0.43. License: MIT/X Consortium. PHP version: 5.3. Categories: HTML, PHP 5, Security.

Authors

EllisLab Dev Team
Lars Moelleken


Contributor

anti-xss - github.com

Description

This class can remove tags from HTML that may cause XSS attacks.

It can parse HTML and remove sequences that may be used to execute JavaScript code that could perform XSS attacks.

The class returns a clean HTML string without dangerous XSS sequences.

Author profile: Lars Moelleken, Germany, age 36. Classes: 25 packages.
All time rank: 62140 in Germany. Week rank: 22 (up), 2 in Germany (up).
Innovation award: nominee 11x, winner 1x.

Documentation



AntiXSS

"Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications. XSS enables attackers to inject client-side script into Web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same origin policy. Cross-site scripting carried out on websites accounted for roughly 84% of all security vulnerabilities documented by Symantec as of 2007." - http://en.wikipedia.org/wiki/Cross-site_scripting

DEMO:

http://anti-xss-demo.suckup.de/

NOTES:

1) Read request data through filter_input(); do not use the superglobal arrays (e.g. $_SESSION, $_GET, $_POST, $_SERVER) directly.

2) Use html-sanitizer or HTML Purifier if you need a more configurable (allowlist-based) solution.

3) Add a Content Security Policy (see: Introduction to Content Security Policy).

4) DO NOT WRITE YOUR OWN REGEX TO PARSE HTML!

5) Read the OWASP XSS (Cross Site Scripting) Prevention Cheat Sheet.

6) Test your application with Zed Attack Proxy (ZAP).

Install via "composer require"

composer require voku/anti-xss

Usage:


use voku\helper\AntiXSS;

require_once __DIR__ . '/vendor/autoload.php'; // example path

$antiXss = new AntiXSS();

Example 1: (HTML Character)

$harm_string = "Hello, i try to <script>alert('Hack');</script> your site";
$harmless_string = $antiXss->xss_clean($harm_string);

// Hello, i try to alert&#40;'Hack'&#41;; your site

Example 2: (Hexadecimal HTML Character)

$harm_string = "<IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>";
$harmless_string = $antiXss->xss_clean($harm_string);
    
// <IMG >

Example 3: (Unicode Hex Character)

$harm_string = "<a href='&#x2000;javascript:alert(1)'>CLICK</a>";
$harmless_string = $antiXss->xss_clean($harm_string);
    
// <a >CLICK</a>

Example 4: (Unicode Character)

$harm_string = "<a href=\"\u{0001}java\u{0003}script:alert(1)\">CLICK<a>"; // \u{...} is PHP's (7.0+) escape for a code point; the control characters split the "javascript:" scheme
$harmless_string = $antiXss->xss_clean($harm_string);
    
// <a >CLICK</a>

Example 5.1: (non Inline CSS)

$harm_string = '<li style="list-style-image: url(javascript:alert(0))">';
$harmless_string = $antiXss->xss_clean($harm_string);

// <li >

Example 5.2: (with Inline CSS)

$harm_string = '<li style="list-style-image: url(javascript:alert(0))">';
$antiXss->removeEvilAttributes(array('style')); // allow style-attributes
$harmless_string = $antiXss->xss_clean($harm_string);

// <li style="list-style-image: url(alert&#40;0&#41;)">

Example 6: (check if a string contains an XSS attack)

$harm_string = "\x3cscript src=http://www.example.com/malicious-code.js\x3e\x3c/script\x3e";
$harmless_string = $antiXss->xss_clean($harm_string);

// "" (the whole string is removed)

$antiXss->isXssFound();

// true

Example 7: (allow e.g. iframes)

$harm_string = '<iframe width="560" onclick="alert(\'xss\')" height="315" src="https://www.youtube.com/embed/foobar?rel=0&controls=0&showinfo=0" frameborder="0" allowfullscreen></iframe>'; // single-quoted so the embedded double quotes are literal

$antiXss->removeEvilHtmlTags(array('iframe'));

$harmless_string = $antiXss->xss_clean($harm_string);

// <iframe width="560"  height="315" src="https://www.youtube.com/embed/foobar?rel=0&controls=0&showinfo=0" frameborder="0" allowfullscreen></iframe>
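The snippets above each show one call in isolation. The following is an added example (not code from the README or from the anti-xss package) that places the class in a request pipeline: input is read through filter_input() as NOTES item 1 asks, a scalar field and an array field go through xss_clean(), isXssFound() is used as a detection signal for logging, and the page still sends a Content-Security-Policy header (NOTES item 3). The rich-text field is emitted into an HTML body context only, because xss_clean() is documented as a submission-time filter, not an output encoder for attribute, URL or script contexts. The field names 'comment' and 'tags', the CSP policy string, the log destination and the vendor path are assumptions.

```php
<?php
declare(strict_types=1);

require_once __DIR__ . '/vendor/autoload.php'; // assumed path, as in the usage section

use voku\helper\AntiXSS;

/**
 * Sanitize submitted form data. NOTES item 1: go through filter_input(),
 * never read $_POST directly. Field names 'comment' and 'tags' are assumed.
 *
 * @return array{comment: string, tags: string[], xss_found: bool}
 */
function sanitizeSubmission(AntiXSS $antiXss): array
{
    // FILTER_UNSAFE_RAW hands the value back untouched; AntiXSS does the cleaning.
    // Missing or invalid fields (null / false) are normalised to '' / [].
    $comment = filter_input(INPUT_POST, 'comment', FILTER_UNSAFE_RAW);
    $tags    = filter_input(INPUT_POST, 'tags', FILTER_UNSAFE_RAW, FILTER_REQUIRE_ARRAY);

    $comment = is_string($comment) ? $comment : '';
    $tags    = is_array($tags) ? array_values(array_filter($tags, 'is_string')) : [];

    $cleanComment   = $antiXss->xss_clean($comment);
    $commentFlagged = $antiXss->isXssFound() === true;   // bool|null: null means "not run yet"

    // xss_clean() accepts string[] as well; isXssFound() reports on the last run only,
    // so the flag is captured after each call and the two results are OR-ed.
    $cleanTags   = $antiXss->xss_clean($tags);
    $tagsFlagged = $antiXss->isXssFound() === true;

    return [
        'comment'   => $cleanComment,
        'tags'      => $cleanTags,
        'xss_found' => $commentFlagged || $tagsFlagged,
    ];
}

/**
 * Render for HTML. Sanitizing on submission does not replace output encoding
 * for plain-text fields, and the sanitized rich-text field is only ever placed
 * in an HTML body context.
 */
function renderComment(array $data): string
{
    $esc = static fn (string $s): string =>
        htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');

    // The comment is a rich-text field: the sanitized HTML is emitted into an
    // HTML *body* context only. xss_clean() output must not be dropped into an
    // attribute value, a URL or a <script> block; those contexts need their own
    // encoding (see the XSS Prevention Cheat Sheet referenced in NOTES).
    $html = '<div class="comment">' . $data['comment'] . '</div>';

    // Tags are plain text, so they are HTML-encoded at output regardless of
    // what the sanitizer did on submission (defence in depth).
    $html .= '<ul class="tags">';
    foreach ($data['tags'] as $tag) {
        $html .= '<li>' . $esc($tag) . '</li>';
    }

    return $html . '</ul>';
}

/** NOTES item 3: the policy below is an assumption; tune it per application. */
function sendSecurityHeaders(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'");
    header('X-Content-Type-Options: nosniff');
}

$antiXss = new AntiXSS();
$data    = sanitizeSubmission($antiXss);

if ($data['xss_found']) {
    // Treat a stripped payload as a detection event: log the client (read via
    // filter_input(), not $_SERVER), and never log or echo the raw payload unescaped.
    $client = filter_input(INPUT_SERVER, 'REMOTE_ADDR', FILTER_VALIDATE_IP) ?: 'unknown';
    error_log('AntiXSS removed content from a submission by ' . $client);
}

sendSecurityHeaders();
echo renderComment($data);
```

Note that the sanitized comment is not passed through htmlspecialchars(): the reason to use this class instead of plain HTML encoding is to keep harmless markup (as in Example 7, where the `<iframe>` survives), so encoding the result again would undo that. If a field does not need markup at all, skip the sanitizer for it and encode at output, as the tags are handled here.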

Unit Test:

1) Composer is a prerequisite for running the tests.

composer install

2) The tests can be executed by running this command from the root directory:

./vendor/bin/phpunit

AntiXss methods

addDoNotCloseHtmlTags | addEvilAttributes | addEvilHtmlTags | addNeverAllowedCallStrings | addNeverAllowedJsCallbackRegex | addNeverAllowedOnEventsAfterwards | addNeverAllowedRegex | addNeverAllowedStrAfterwards | isXssFound | removeDoNotCloseHtmlTags | removeEvilAttributes | removeEvilHtmlTags | removeNeverAllowedCallStrings | removeNeverAllowedJsCallbackRegex | removeNeverAllowedOnEventsAfterwards | removeNeverAllowedRegex | removeNeverAllowedStrAfterwards | setReplacement | setStripe4byteChars | xss_clean

Every add*/remove*/set* method returns $this, so configuration calls can be chained.

addDoNotCloseHtmlTags(string[] $strings): $this

Add strings to the "_do_not_close_html_tags" array.

Parameters: - string[] $strings

Return: - $this

addEvilAttributes(string[] $strings): $this

Add strings to the "_evil_attributes" array.

Parameters: - string[] $strings

Return: - $this

addEvilHtmlTags(string[] $strings): $this

Add strings to the "_evil_html_tags" array.

Parameters: - string[] $strings

Return: - $this

addNeverAllowedCallStrings(string[] $strings): $this

Add strings to the "_never_allowed_call_strings" array.

Parameters: - string[] $strings

Return: - $this

addNeverAllowedJsCallbackRegex(string[] $strings): $this

Add strings to the "_never_allowed_js_callback_regex" array.

Parameters: - string[] $strings

Return: - $this

addNeverAllowedOnEventsAfterwards(string[] $strings): $this

Add strings to the "_never_allowed_on_events_afterwards" array.

Parameters: - string[] $strings

Return: - $this

addNeverAllowedRegex(string[] $strings): $this

Add strings to the "_never_allowed_regex" array.

Parameters: - string[] $strings

Return: - $this

addNeverAllowedStrAfterwards(string[] $strings): $this

Add strings to the "_never_allowed_str_afterwards" array.

Parameters: - string[] $strings

Return: - $this

isXssFound(): bool|null

Check whether the last "AntiXSS->xss_clean()" run found an XSS attack.

Parameters: nothing

Return: - bool|null. Returns null if "xss_clean()" has not been run at all.

removeDoNotCloseHtmlTags(string[] $strings): $this

Remove strings from the "_do_not_close_html_tags" array.

WARNING: Use this method only if you have a really good reason.

Parameters: - string[] $strings

Return: - $this

removeEvilAttributes(string[] $strings): $this

Remove strings from the "_evil_attributes" array.

WARNING: Use this method only if you have a really good reason.

Parameters: - string[] $strings

Return: - $this

removeEvilHtmlTags(string[] $strings): $this

Remove strings from the "_evil_html_tags" array.

WARNING: Use this method only if you have a really good reason.

Parameters: - string[] $strings

Return: - $this

removeNeverAllowedCallStrings(string[] $strings): $this

Remove strings from the "_never_allowed_call_strings" array.

WARNING: Use this method only if you have a really good reason.

Parameters: - string[] $strings

Return: - $this

removeNeverAllowedJsCallbackRegex(string[] $strings): $this

Remove strings from the "_never_allowed_js_callback_regex" array.

WARNING: Use this method only if you have a really good reason.

Parameters: - string[] $strings

Return: - $this

removeNeverAllowedOnEventsAfterwards(string[] $strings): $this

Remove strings from the "_never_allowed_on_events_afterwards" array.

WARNING: Use this method only if you have a really good reason.

Parameters: - string[] $strings

Return: - $this

removeNeverAllowedRegex(string[] $strings): $this

Remove strings from the "_never_allowed_regex" array.

WARNING: Use this method only if you have a really good reason.

Parameters: - string[] $strings

Return: - $this

removeNeverAllowedStrAfterwards(string[] $strings): $this

Remove strings from the "_never_allowed_str_afterwards" array.

WARNING: Use this method only if you have a really good reason.

Parameters: - string[] $strings

Return: - $this

setReplacement(string $string): $this

Set the replacement string for not-allowed strings.

Parameters: - string $string

Return: - $this

setStripe4byteChars(bool $bool): $this

Set the option to strip 4-byte (UTF-8) characters.

INFO: use it if your DB (MySQL) can't use "utf8mb4". MySQL's 3-byte "utf8" charset may truncate a string at the first 4-byte character, so a value that was sanitized as a whole can end up stored as a different, shorter string; stripping those characters before storage closes that route to a stored XSS attack.

Parameters: - bool $bool

Return: - $this

xss_clean(string|string[] $str): string|string[]

XSS Clean

Sanitizes data so that "Cross Site Scripting" hacks can be prevented. This method does a fair amount of work but it is extremely thorough, designed to prevent even the most obscure XSS attempts. But keep in mind that nothing is ever 100% foolproof...

Note: Should only be used to deal with data upon submission. It's not something that should be used for general runtime processing.

Parameters: - TXssCleanInput $str (input data, i.e. a string or an array of strings)

Return: - string|string[]
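Each remove*() method above carries the warning to use it only with good reason. When you do loosen the filter, pin the resulting behaviour with a test so that a later configuration change does not silently widen the hole. The PHPUnit test class below is an added example and is not part of the package's own test suite: it builds an instance that allows `<iframe>` and the `style` attribute (the configurations of Examples 5.2 and 7), then asserts that the payloads from the usage section still lose their executable parts and are reported by isXssFound(). The class name, the PHPUnit 9+ assertion names and the expectation that untouched benign markup is not flagged are assumptions.

```php
<?php
declare(strict_types=1);

use PHPUnit\Framework\TestCase;
use voku\helper\AntiXSS;

/**
 * Regression test for a deliberately loosened AntiXSS configuration.
 * Run with: ./vendor/bin/phpunit LoosenedAntiXssTest.php
 */
final class LoosenedAntiXssTest extends TestCase
{
    private AntiXSS $antiXss;

    protected function setUp(): void
    {
        // The add*/remove* methods return $this, so the configuration chains.
        $this->antiXss = (new AntiXSS())
            ->removeEvilHtmlTags(['iframe'])   // Example 7: allow video embeds
            ->removeEvilAttributes(['style']); // Example 5.2: allow inline CSS
    }

    /** Payloads taken from the usage section; each must lose its executable part. */
    public static function payloadProvider(): array
    {
        return [
            'script tag'     => ["Hello, i try to <script>alert('Hack');</script> your site"],
            'hex entities'   => ["<IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>"],
            'unicode space'  => ["<a href='&#x2000;javascript:alert(1)'>CLICK</a>"],
            'control chars'  => ["<a href=\"\u{0001}java\u{0003}script:alert(1)\">CLICK</a>"],
            'css url'        => ['<li style="list-style-image: url(javascript:alert(0))">'],
            'raw bytes'      => ["\x3cscript src=http://www.example.com/malicious-code.js\x3e\x3c/script\x3e"],
            'iframe onclick' => ['<iframe width="560" onclick="alert(\'xss\')" height="315" src="https://www.youtube.com/embed/foobar?rel=0&controls=0&showinfo=0" frameborder="0" allowfullscreen></iframe>'],
        ];
    }

    /** @dataProvider payloadProvider */
    public function testLoosenedFilterStillNeutralisesKnownPayloads(string $payload): void
    {
        $clean = $this->antiXss->xss_clean($payload);

        $this->assertTrue($this->antiXss->isXssFound(), 'payload should be flagged');
        $this->assertStringNotContainsStringIgnoringCase('<script', $clean);
        $this->assertStringNotContainsStringIgnoringCase('javascript:', $clean);
        // No on* event handler attribute may survive (e.g. onclick=, onerror=).
        $this->assertDoesNotMatchRegularExpression('/\bon\w+\s*=/i', $clean, 'event handler survived');
    }

    public function testIframeSurvivesWithoutHandler(): void
    {
        $clean = $this->antiXss->xss_clean(
            '<iframe onclick="alert(1)" src="https://www.youtube.com/embed/foobar"></iframe>'
        );

        $this->assertStringContainsString('<iframe', $clean);
        $this->assertStringContainsString('src="https://www.youtube.com/embed/foobar"', $clean);
        $this->assertStringNotContainsStringIgnoringCase('onclick', $clean);
    }

    public function testBenignMarkupIsNotFlagged(): void
    {
        // Assumption: input the filter leaves untouched is not reported as an attack.
        $this->antiXss->xss_clean('<p>Hello <b>world</b></p>');
        $this->assertFalse($this->antiXss->isXssFound());
    }
}
```

Note what the test does not claim: allowing `<iframe>` allows any iframe source, since the class has no host allowlist for `src`; if only certain embed hosts are acceptable, that check has to be written by you, and it belongs in this test file as well.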

Support

For support and donations please visit Github | Issues | PayPal | Patreon.

For status updates and release announcements please visit Releases | Twitter | Patreon.

For professional support please contact me.

Thanks

  • Thanks to GitHub (Microsoft) for hosting the code and a good infrastructure including issue management, etc.
  • Thanks to IntelliJ as they make the best IDEs for PHP and they gave me an open source license for PhpStorm!
  • Thanks to Travis CI for being the most awesome, easiest continuous integration tool out there!
  • Thanks to StyleCI for the simple but powerful code style check.
  • Thanks to PHPStan && Psalm for really great static analysis tools and for discovering bugs in the code!

License

MIT (see the LICENSE file in the package).


Anti-XSS (external page)

Files (51)

.github/ (3 files, 1 directory)
  workflows/ci.yml (auxiliary data)
  CONTRIBUTING.md, FUNDING.yml, ISSUE_TEMPLATE.md (auxiliary data)
build/ (2 files, 1 directory)
  docs/base.md (auxiliary data)
  composer.json (auxiliary data)
  generate_docs.php (example script)
src/voku/helper/
  AntiXSS.php (class source)
  data/entities_fallback.php (auxiliary script)
tests/ (7 files, 1 directory)
  bootstrap.php (auxiliary script)
  DOMPurifyTest.php, JsXssTest.php, LaravelSecurityTest.php, LibFilterSecurityTest.php, XssArrayTest.php, XssTest.php (class source)
  fixtures/ (21 files): base64_image.html, base64_image_big.html, expect.json, expect_result.php, image.html, image_clean.html, xss_issue_sample_post_small.html, xss_no_v1.html, xss_no_v1_clean.html, xss_v1.svg, xss_v1_clean.html, xss_v1_clean.svg, xss_v1_clean_php81.svg, xss_v2.svg, xss_v2_clean.svg, xss_v3.svg, xss_v3_clean.svg, xss_v4.html, xss_v4_clean.html, xss_v5.html, xss_v5_clean.html
Top-level files: .editorconfig, .scrutinizer.yml, .styleci.yml, .travis.yml, .whitesource, CHANGELOG.md, circle.yml, composer.json, phpstan.neon, phpunit.xml, renovate.json (auxiliary data); phpcs.php_cs (example script); README.md (documentation); LICENSE (license text)

The PHP Classes site has supported package installation using the Composer tool since 2013.

Download: anti-xss-2023-05-22.zip (931KB), anti-xss-2023-05-22.tar.gz (923KB)

Needed packages: Portable UTF-8 (string handling), required.
User Ratings (all time): Utility 95%, Consistency 95%, Documentation 85%, Examples: -, Tests: -, Videos: -, Overall 65% (4 stars). Rank: 625.

User Comments (1)

nice
7 years ago (muabshir), 52% (3 stars)