xt9/escaper

xt9 Escaper, shortcut to escaping strings using php.

v1.1 2015-02-27 15:35 UTC

README



Usage

Here is how you set up the object. The constructor takes a valid character encoding (for example `'UTF-8'`) as its only argument; create one instance and share it as a service.

```php
<?php

// Create a new escaper object to use as a shared service
$escaper = new \xt9\Escaper\Escaper('UTF-8');
```

## Escaping maliciously intended XSS snippets

I stole some examples of malicious inline code from the Phalcon documentation.

```php
<?php
    // template.tpl.php
    require 'src/Escaper/RFC_Escaper.php';
    require 'src/Escaper/Escaper.php';

    // The shared escaper from the "Usage" section; the template needs it in scope
    $escaper = new \xt9\Escaper\Escaper('UTF-8');

    // Document title with malicious extra HTML tags
    $maliciousTitle = '</title><script>alert(1)</script>';
    $maliciousHtml = 'Hello world this is a comment</p><iframe src="http://hackersite.com/attackfile.php" width=100% height=0></iframe>';

    // Malicious CSS class name
    $className = ';`(';

    // Malicious CSS font name
    $fontName = 'Verdana"</style>';

    // Malicious JavaScript text
    $javascriptText = "';</script>Hello";
?>

<html>
<head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>

    <!-- HTML text context -->
    <title><?php echo $escaper->escape($maliciousTitle, FILTER_ESCAPE_HTML) ?></title>

    <style type="text/css">
    /* CSS identifier and CSS string contexts */
    .<?php echo $escaper->escape($className, FILTER_ESCAPE_CSS) ?> {
        font-family  : "<?php echo $escaper->escape($fontName, FILTER_ESCAPE_CSS) ?>";
        color: red;
    }
    </style>

</head>

<body>

    <div class='<?php echo $escaper->escape($maliciousTitle, FILTER_ESCAPE_HTML) ?>'>hello</div>
    <div><?php echo $escaper->escape($maliciousHtml, FILTER_ESCAPE_HTML) ?></div>
    <!-- JavaScript string-literal context -->
    <script>var some = '<?php echo $escaper->escape($javascriptText, FILTER_ESCAPE_JS) ?>'</script>

</body>
</html>
```
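The template above picks a different filter for each output context. As an added illustration that is not part of xt9/Escaper or its README, the standalone script below builds three minimal context escapers from PHP built-ins (`escapeHtml`, `escapeJs`, `escapeCss` are names assumed for this example, not the library's API) and runs them over the README's own sample strings, so you can see what survives when a value is escaped for the wrong context.

```php
<?php
// Added example (not xt9/Escaper's code): minimal context-specific escapers
// built on PHP built-ins (requires ext/mbstring), run over the README's
// sample strings to show why one escaper per output context is required.

// HTML text/attribute context: encode & < > " and '.
function escapeHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// JavaScript string-literal context: every non-alphanumeric code point
// becomes \xHH or \uHHHH, so quotes, "</script>" and U+2028/U+2029 can
// never terminate the literal or the enclosing <script> block.
function escapeJs(string $s): string
{
    return preg_replace_callback('/[^a-zA-Z0-9]/u', function (array $m): string {
        $cp = mb_ord($m[0], 'UTF-8');
        if ($cp < 0x100)   return sprintf('\\x%02X', $cp);
        if ($cp < 0x10000) return sprintf('\\u%04X', $cp);
        return sprintf('\\u{%X}', $cp);            // ES2015 code point escape
    }, $s);
}

// CSS identifier/string context: \HH with a trailing space so the CSS
// tokenizer cannot merge the escape with a following hex digit.
function escapeCss(string $s): string
{
    return preg_replace_callback('/[^a-zA-Z0-9]/u', function (array $m): string {
        return sprintf('\\%X ', mb_ord($m[0], 'UTF-8'));
    }, $s);
}

// Constructed inputs: the README's malicious samples from above.
$className      = ';`(';
$fontName       = 'Verdana"</style>';
$javascriptText = "';</script>Hello";

// Wrong context: htmlspecialchars() leaves ; ` ( { } untouched, so an
// HTML-escaped class name still breaks out of the selector.
echo '.' . escapeHtml($className) . " {\n";          // .;`( {
// Right context: every character outside [A-Za-z0-9] is a CSS escape.
echo '.' . escapeCss($className) . " {\n";           // .\3B \60 \28  {
echo 'font-family: "' . escapeCss($fontName) . "\"\n";
// Inside <script> the HTML parser does not decode entities, so HTML escaping
// puts a literal "&#039;" into the data (corrupted, not merely escaped);
// the JS-context form keeps the value intact and cannot close the literal.
echo "var some = '" . escapeHtml($javascriptText) . "';\n";
echo "var some = '" . escapeJs($javascriptText) . "';\n";
```

The practical check is the same one the README's filters enforce: after escaping, the output must not contain any character that can close the construct it is inserted into, and that set differs for HTML, CSS and JavaScript.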