voku / anti-xss
anti xss-library
Fund package maintenance!
voku
Patreon
Open Collective
Tidelift
www.paypal.me/moelleken
Installs: 13 097 983
Dependents: 75
Suggesters: 1
Security: 0
Stars: 681
Watchers: 32
Forks: 106
Open Issues: 31
Requires
- php: >=7.0.0
- voku/portable-utf8: ~6.0.2
Requires (Dev)
- phpunit/phpunit: ~6.0 || ~7.0 || ~9.0
- dev-master / 4.1.x-dev
- 4.1.42
- 4.1.41
- 4.1.40
- 4.1.39
- 4.1.38
- 4.1.37
- 4.1.36
- 4.1.35
- 4.1.34
- 4.1.33
- 4.1.32
- 4.1.31
- 4.1.30
- 4.1.29
- 4.1.28
- 4.1.27
- 4.1.26
- 4.1.25
- 4.1.24
- 4.1.23
- 4.1.22
- 4.1.21
- 4.1.20
- 4.1.19
- 4.1.18
- 4.1.17
- 4.1.16
- 4.1.15
- 4.1.14
- 4.1.13
- 4.1.12
- 4.1.11
- 4.1.10
- 4.1.9
- 4.1.8
- 4.1.7
- 4.1.6
- 4.1.5
- 4.1.4
- 4.1.3
- 4.1.2
- 4.1.1
- 4.1.0
- 4.0.3
- 4.0.2
- 4.0.1
- 4.0.0
- 3.1.0
- 3.0.1
- 3.0.0
- 2.3.1
- 2.3.0
- 2.2.2
- 2.2.1
- 2.2.0
- 2.1.7
- 2.1.6
- 2.1.5
- 2.1.4
- 2.1.3
- 2.1.2
- 2.1.1
- 2.1.0
- 2.0.10
- 2.0.9
- 2.0.8
- 2.0.7
- 2.0.6
- 2.0.5
- 2.0.4
- 2.0.3
- 2.0.2
- 2.0.1
- 2.0.0
- 1.2.14
- 1.2.13
- 1.2.12
- 1.2.11
- 1.2.10
- 1.2.9
- 1.2.8
- 1.2.7
- 1.2.6
- 1.2.5
- 1.2.4
- 1.2.3
- 1.2.2
- 1.2.1
- 1.2.0
- 1.1.1
- 1.1.0
- 1.0.13
- 1.0.12
- 1.0.11
- 1.0.10
- 1.0.9
- 1.0.8
- 1.0.7
- 1.0.6
- 1.0.5
- 1.0.4
- 1.0.3
- 1.0.2
- 1.0.1
- 1.0
- dev-renovate/actions-cache-4.x
- dev-renovate/actions-cache-3.x
- dev-renovate/codecov-codecov-action-5.x
- dev-renovate/actions-checkout-digest
- dev-renovate/shivammathur-setup-php-2.x
- dev-renovate/major-github-artifact-actions
- dev-renovate/phpunit-phpunit-11.x
- dev-analysis-541yrr
- dev-analysis-a6oKYx
- dev-renovate/phpunit-phpunit-10.x
- dev-analysis-DyK9KB
- dev-analysis-wjYmvo
- dev-analysis-nNP5Ew
- dev-analysis-KZjy7A
- dev-dependabot/add-v2-config-file
- dev-analysis-bQ6O9M
- dev-php_old
This package is auto-updated.
Last update: 2024-12-05 20:28:22 UTC
README
㊙️ AntiXSS
"Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications. XSS enables attackers to inject client-side script into Web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same origin policy. Cross-site scripting carried out on websites accounted for roughly 84% of all security vulnerabilities documented by Symantec as of 2007." - http://en.wikipedia.org/wiki/Cross-site_scripting
DEMO:
http://anti-xss-demo.suckup.de/
NOTES:
-
Use filter_input() - don't use GLOBAL-Array (e.g. $_SESSION, $_GET, $_POST, $_SERVER) directly
-
Use html-sanitizer or HTML Purifier if you need a more configurable solution
-
Add "Content Security Policy's" -> Introduction to Content Security Policy
-
DO NOT WRITE YOUR OWN REGEX TO PARSE HTML!
-
READ THIS TEXT -> XSS (Cross Site Scripting) Prevention Cheat Sheet
-
TEST THIS TOOL -> Zed Attack Proxy (ZAP)
Install via "composer require"
composer require voku/anti-xss
Usage:
use voku\helper\AntiXSS; require_once __DIR__ . '/vendor/autoload.php'; // example path $antiXss = new AntiXSS();
Example 1: (HTML Character)
$harm_string = "Hello, i try to <script>alert('Hack');</script> your site"; $harmless_string = $antiXss->xss_clean($harm_string); // Hello, i try to alert('Hack'); your site
Example 2: (Hexadecimal HTML Character)
$harm_string = "<IMG SRC=javascript:alert('XSS')>"; $harmless_string = $antiXss->xss_clean($harm_string); // <IMG >
Example 3: (Unicode Hex Character)
$harm_string = "<a href=' javascript:alert(1)'>CLICK</a>"; $harmless_string = $antiXss->xss_clean($harm_string); // <a >CLICK</a>
Example 4: (Unicode Character)
$harm_string = "<a href=\"\u0001java\u0003script:alert(1)\">CLICK<a>"; $harmless_string = $antiXss->xss_clean($harm_string); // <a >CLICK</a>
Example 5.1: (non Inline CSS)
$harm_string = '<li style="list-style-image: url(javascript:alert(0))">'; $harmless_string = $antiXss->xss_clean($harm_string); // <li >
Example 5.2: (with Inline CSS)
$harm_string = '<li style="list-style-image: url(javascript:alert(0))">'; $antiXss->removeEvilAttributes(array('style')); // allow style-attributes $harmless_string = $antiXss->xss_clean($harm_string); // <li style="list-style-image: url(alert(0))">
Example 6: (check if an string contains a XSS attack)
$harm_string = "\x3cscript src=http://www.example.com/malicious-code.js\x3e\x3c/script\x3e"; $harmless_string = $antiXss->xss_clean($harm_string); // $antiXss->isXssFound(); // true
Example 7: (allow e.g. iframes)
$harm_string = "<iframe width="560" onclick="alert('xss')" height="315" src="https://www.youtube.com/embed/foobar?rel=0&controls=0&showinfo=0" frameborder="0" allowfullscreen></iframe>"; $antiXss->removeEvilHtmlTags(array('iframe')); $harmless_string = $antiXss->xss_clean($harm_string); // <iframe width="560" height="315" src="https://www.youtube.com/embed/foobar?rel=0&controls=0&showinfo=0" frameborder="0" allowfullscreen></iframe>
Unit Test:
- Composer is a prerequisite for running the tests.
composer install
- The tests can be executed by running this command from the root directory:
./vendor/bin/phpunit
AntiXss methods
addDoNotCloseHtmlTags(string[] $strings): $this
↑ Add some strings to the "_do_not_close_html_tags"-array.
Parameters:
string[] $strings
Return:
$this
addEvilAttributes(string[] $strings): $this
↑ Add some strings to the "_evil_attributes"-array.
Parameters:
string[] $strings
Return:
$this
addEvilHtmlTags(string[] $strings): $this
↑ Add some strings to the "_evil_html_tags"-array.
Parameters:
string[] $strings
Return:
$this
addNeverAllowedCallStrings(string[] $strings): $this
↑ Add some strings to the "_never_allowed_call_strings"-array.
Parameters:
string[] $strings
Return:
$this
addNeverAllowedJsCallbackRegex(string[] $strings): $this
↑ Add some strings to the "_never_allowed_js_callback_regex"-array.
Parameters:
string[] $strings
Return:
$this
addNeverAllowedOnEventsAfterwards(string[] $strings): $this
↑ Add some strings to the "_never_allowed_on_events_afterwards"-array.
Parameters:
string[] $strings
Return:
$this
addNeverAllowedRegex(string[] $strings): $this
↑ Add some strings to the "_never_allowed_regex"-array.
Parameters:
string[] $strings
Return:
$this
addNeverAllowedStrAfterwards(string[] $strings): $this
↑ Add some strings to the "_never_allowed_str_afterwards"-array.
Parameters:
string[] $strings
Return:
$this
isXssFound(): bool|null
↑ Check if the "AntiXSS->xss_clean()"-method found an XSS attack in the last run.
Parameters: nothing
Return:
bool|null <p>Will return null if the "xss_clean()" wasn't running at all.</p>
removeDoNotCloseHtmlTags(string[] $strings): $this
↑ Remove some strings from the "_do_not_close_html_tags"-array.
WARNING: Use this method only if you have a really good reason.
Parameters:
string[] $strings
Return:
$this
removeEvilAttributes(string[] $strings): $this
↑ Remove some strings from the "_evil_attributes"-array.
WARNING: Use this method only if you have a really good reason.
Parameters:
string[] $strings
Return:
$this
removeEvilHtmlTags(string[] $strings): $this
↑ Remove some strings from the "_evil_html_tags"-array.
WARNING: Use this method only if you have a really good reason.
Parameters:
string[] $strings
Return:
$this
removeNeverAllowedCallStrings(string[] $strings): $this
↑ Remove some strings from the "_never_allowed_call_strings"-array.
WARNING: Use this method only if you have a really good reason.
Parameters:
string[] $strings
Return:
$this
removeNeverAllowedJsCallbackRegex(string[] $strings): $this
↑ Remove some strings from the "_never_allowed_js_callback_regex"-array.
WARNING: Use this method only if you have a really good reason.
Parameters:
string[] $strings
Return:
$this
removeNeverAllowedOnEventsAfterwards(string[] $strings): $this
↑ Remove some strings from the "_never_allowed_on_events_afterwards"-array.
WARNING: Use this method only if you have a really good reason.
Parameters:
string[] $strings
Return:
$this
removeNeverAllowedRegex(string[] $strings): $this
↑ Remove some strings from the "_never_allowed_regex"-array.
WARNING: Use this method only if you have a really good reason.
Parameters:
string[] $strings
Return:
$this
removeNeverAllowedStrAfterwards(string[] $strings): $this
↑ Remove some strings from the "_never_allowed_str_afterwards"-array.
WARNING: Use this method only if you have a really good reason.
Parameters:
string[] $strings
Return:
$this
setReplacement(string $string): $this
↑ Set the replacement-string for not allowed strings.
Parameters:
string $string
Return:
$this
setStripe4byteChars(bool $bool): $this
↑ Set the option to stripe 4-Byte chars.
INFO: use it if your DB (MySQL) can't use "utf8mb4" -> preventing stored XSS-attacks
Parameters:
bool $bool
Return:
$this
xss_clean(string|string[] $str): string|string[]
↑ XSS Clean
Sanitizes data so that "Cross Site Scripting" hacks can be
prevented. This method does a fair amount of work but
it is extremely thorough, designed to prevent even the
most obscure XSS attempts. But keep in mind that nothing
is ever 100% foolproof...
Note: Should only be used to deal with data upon submission.
It's not something that should be used for general
runtime processing.
Parameters:
TXssCleanInput $str <p>input data e.g. string or array of strings</p>
Return:
string|string[]
Support
For support and donations please visit Github | Issues | PayPal | Patreon.
For status updates and release announcements please visit Releases | Twitter | Patreon.
For professional support please contact me.
Thanks
- Thanks to GitHub (Microsoft) for hosting the code and a good infrastructure including Issues-Managment, etc.
- Thanks to IntelliJ as they make the best IDEs for PHP and they gave me an open source license for PhpStorm!
- Thanks to Travis CI for being the most awesome, easiest continous integration tool out there!
- Thanks to StyleCI for the simple but powerfull code style check.
- Thanks to PHPStan && Psalm for relly great Static analysis tools and for discover bugs in the code!