xt9/Escaper, a shortcut for escaping strings in PHP.

v1.1 2015-02-27 15:35 UTC


Here is how you set up the object. The constructor takes the character encoding to use (for example 'UTF-8') as its argument.

    // Create a new escaper object to use as a shared service
    $escaper = new \xt9\Escaper\Escaper('UTF-8');

## Escaping maliciously intended XSS snippets

I stole some examples of malicious inline code from the Phalcon documentation.

    <?php
    require 'src/Escaper/RFC_Escaper.php';
    require 'src/Escaper/Escaper.php';

    // Shared escaper instance, constructed with the document's character encoding
    $escaper = new \xt9\Escaper\Escaper('UTF-8');

    // Document title with malicious extra HTML tags
    $maliciousTitle = '</title><script>alert(1)</script>';

    // Comment text that closes its paragraph and injects an iframe
    $maliciousHtml = 'Hello world this is a comment</p><iframe src="http://hackersite.com/attackfile.php" width=100% height=0></iframe>';

    // Malicious CSS class name
    $className = ';`(';

    // Malicious CSS font name
    $fontName = 'Verdana"</style>';

    // Malicious JavaScript text
    $javascriptText = "';</script>Hello";
    ?>
    <html>
    <head>
        <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>

        <title><?php echo $escaper->escape($maliciousTitle, FILTER_ESCAPE_HTML) ?></title>

        <style type="text/css">
        .<?php echo $escaper->escape($className, FILTER_ESCAPE_CSS) ?> {
            font-family  : "<?php echo $escaper->escape($fontName, FILTER_ESCAPE_CSS) ?>";
            color: red;
        }
        </style>
    </head>
    <body>
        <div class='<?php echo $escaper->escape($maliciousTitle, FILTER_ESCAPE_HTML) ?>'>hello</div>
        <div><?php echo $escaper->escape($maliciousHtml, FILTER_ESCAPE_HTML) ?></div>
        <script>var some = '<?php echo $escaper->escape($javascriptText, FILTER_ESCAPE_JS) ?>'</script>
    </body>
    </html>
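To make visible what the three filter contexts above have to do, here is an added, stand-alone illustration (not xt9/Escaper's own code) that reimplements minimal HTML, CSS and JavaScript escapers along OWASP's rules and runs them over the README's sample strings; the function names are hypothetical, and it assumes PHP 7.2+ with the mbstring extension.

```php
<?php
// Added illustration, not xt9/Escaper's own code: minimal per-context escapers
// following the OWASP XSS-prevention rules, applied to the README's sample strings.

// HTML body and quoted-attribute context: entity-encode & < > " and '.
function escapeHtmlCtx(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// JavaScript string context: \uHHHH for every non-alphanumeric code point, so a
// quote, ';' or '</script>' in the data can neither end the literal nor the block.
function escapeJsCtx(string $s): string
{
    return preg_replace_callback('/[^A-Za-z0-9]/u', function (array $m): string {
        $cp = mb_ord($m[0], 'UTF-8');
        if ($cp > 0xFFFF) {                      // astral plane: emit a surrogate pair
            $cp -= 0x10000;
            return sprintf('\\u%04X\\u%04X', 0xD800 + ($cp >> 10), 0xDC00 + ($cp & 0x3FF));
        }
        return sprintf('\\u%04X', $cp);
    }, $s);
}

// CSS identifier/string context: \HH (with a terminating space) for non-alphanumerics.
function escapeCssCtx(string $s): string
{
    return preg_replace_callback('/[^A-Za-z0-9]/u', function (array $m): string {
        return sprintf('\\%X ', mb_ord($m[0], 'UTF-8'));
    }, $s);
}

// Each README sample rendered in the context it targets, plus one deliberate
// mismatch: an HTML escaper used for a JS string leaves the single quote intact
// under ENT_COMPAT (PHP's default before 8.1), so the literal is still terminated.
function escapeReadmeSamples(): array
{
    $maliciousTitle = '</title><script>alert(1)</script>';   // from the README
    $className      = ';`(';                                  // from the README
    $javascriptText = "';</script>Hello";                     // from the README
    return [
        'title'        => '<title>' . escapeHtmlCtx($maliciousTitle) . '</title>',
        'class'        => '.' . escapeCssCtx($className) . ' { color: red; }',
        'script'       => "<script>var some = '" . escapeJsCtx($javascriptText) . "';</script>",
        'script_wrong' => "<script>var some = '" . htmlspecialchars($javascriptText, ENT_COMPAT) . "';</script>",
    ];
}

print_r(escapeReadmeSamples());
```

The `script_wrong` entry is the case the per-context filters exist to prevent: the HTML parser does not decode entities inside `<script>`, so only a JavaScript-aware escaper keeps the data inside the string literal.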