Download the PHP package thisispiers/xss-escape without Composer

On this page you can find all versions of the php package thisispiers/xss-escape. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.

FAQ

After the download, add a single include, require_once('vendor/autoload.php');, and then import the classes with use statements.

Example: if you use only one package, a project is not needed. But if you use more than one package, it is not possible to import the classes with use statements without a project.

In general, it is recommended to always use a project to download your libraries. An application normally needs more than one library.
Some PHP packages are not free to download and are therefore hosted in private repositories. In this case, credentials are needed to access such packages. Please use the auth.json textarea to insert credentials if a package comes from a private repository. You can look here for more information.

  • Some hosting environments are not accessible through a terminal or SSH. Then it is not possible to use Composer.
  • Using Composer is sometimes complicated, especially for beginners.
  • Composer needs a lot of resources. Sometimes they are not available on simple web hosting.
  • If you are using private repositories, you don't need to share your credentials. You can set up everything on our site and then provide a simple download link to your team members.
  • Simplify your Composer build process. Use our own command line tool to download the vendor folder as a binary. This makes your build process faster and you don't need to expose your credentials for private repositories.

Information about the package xss-escape

\thisispiers\Xss\Escape

A PHP implementation of OWASP's Cross Site Scripting Prevention Cheat Sheet

Released under LGPL v3.0. Requires PHP >= 7.1 and mbstring extension

Install with Composer:

composer require thisispiers/xss-escape

Usage

Untrusted data should be encoded differently depending on context. This library provides a static method for each context.

Text in HTML Body

i.e. <span>UNTRUSTED DATA</span>

$untrusted_data is cast to string

HTML in HTML body

i.e. <div>UNTRUSTED HTML</div>

Use a full HTML validator in this context, such as HTML Purifier or DOMPurify

Safe HTML attributes

i.e. <input type="text" name="field_name" value="UNTRUSTED DATA">

$attr must be one of

$untrusted_data is cast to string

If $wrap is true, the returned string is prefixed by a space, the attribute name, an equal sign and wrapped in double quote marks i.e. value="ENCODED DATA".
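The two contexts above (text in the HTML body and a safe, allowlisted HTML attribute with the optional $wrap behaviour) are illustrated here with an added example. It is not the library's own code: the function names encodeHtmlText and encodeHtmlAttr, the SAFE_ATTRIBUTES allowlist and the sample input are assumptions made for this illustration, following the OWASP rules the README refers to.

```php
<?php
declare(strict_types=1);

// Added illustration, not code from thisispiers/xss-escape. Names and the
// allowlist below are assumptions for this example.

// Attribute names this example is willing to emit untrusted data into.
// Event handlers (onclick, ...), src/href and style are deliberately absent:
// those need URL, JavaScript or CSS encoding, not plain attribute encoding.
const SAFE_ATTRIBUTES = ['value', 'name', 'title', 'alt', 'placeholder', 'data-id'];

/** Code point of a single UTF-8 character (mb_ord needs PHP 7.2; this runs on 7.1). */
function codePointOf(string $char): int
{
    return (int) hexdec(bin2hex(mb_convert_encoding($char, 'UTF-32BE', 'UTF-8')));
}

/** Encode untrusted data for insertion between tags, e.g. <span>DATA</span>. */
function encodeHtmlText($untrusted_data): string
{
    $data = (string) $untrusted_data;
    // ENT_QUOTES also covers the single quote; ENT_SUBSTITUTE replaces invalid
    // UTF-8 instead of returning '' and silently dropping the whole output.
    return htmlspecialchars($data, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Encode untrusted data for a quoted HTML attribute. With $wrap the result is
 * ready to drop into a tag: ' value="ENCODED"'.
 */
function encodeHtmlAttr(string $attr, $untrusted_data, bool $wrap = false): string
{
    $attr = strtolower($attr);
    if (!in_array($attr, SAFE_ATTRIBUTES, true)) {
        throw new InvalidArgumentException("Attribute '$attr' is not on the allowlist");
    }
    $data = (string) $untrusted_data;
    // Encode every non-alphanumeric character as &#xHH; so that a quote, '>' or
    // whitespace can never terminate the attribute value or the tag.
    $encoded = preg_replace_callback('/[^A-Za-z0-9]/u', static function (array $m): string {
        return sprintf('&#x%X;', codePointOf($m[0]));
    }, $data);
    if ($encoded === null) {
        // preg_* returns null on malformed UTF-8; fail closed rather than emit raw data.
        throw new InvalidArgumentException('Untrusted data is not valid UTF-8');
    }
    return $wrap ? ' ' . $attr . '="' . $encoded . '"' : $encoded;
}

// Constructed sample input: a value that tries to close the attribute and the tag.
$payload = '"><b>bold</b>';
echo '<span>' . encodeHtmlText($payload) . "</span>\n";
echo '<input type="text" name="field_name"' . encodeHtmlAttr('value', $payload, true) . ">\n";
```

The allowlist is the important design choice: attribute encoding only makes sense for attributes whose value the browser treats as inert text, so an encoder that accepts arbitrary attribute names would give a false sense of safety for src, href, style or on* handlers.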

URLs

URLs in src or href HTML attributes i.e. <iframe src="UNTRUSTED URL" /> or <a href="UNTRUSTED URL">link</a>

$untrusted_data is cast to string

Untrusted URLs are currently only checked to be HTTPS. This is a crude check to avoid becoming a full URL parsing library. It is highly recommended that you run more sophisticated validation on your untrusted URLs, such as rejecting URLs by hostname.
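As an added example of the "more sophisticated validation" the paragraph recommends, the following PHP checks an untrusted URL for an href or src attribute: scheme must be HTTPS, no embedded credentials, no control characters, and the hostname must be on an allowlist. The function name validateUntrustedUrl and the ALLOWED_HOSTS list are assumptions for this illustration, not part of the library.

```php
<?php
declare(strict_types=1);

// Added illustration, not code from thisispiers/xss-escape. The allowlist is
// constructed for this example.
const ALLOWED_HOSTS = ['example.com', 'cdn.example.com'];

/**
 * Returns the URL ready for an href/src attribute (attribute-encoded), or null
 * when it must be rejected. Rejecting is the safe default for every doubt.
 */
function validateUntrustedUrl($untrusted_data, array $allowed_hosts = ALLOWED_HOSTS): ?string
{
    $url = trim((string) $untrusted_data);
    // Control characters or whitespace inside a URL have no legitimate use and are
    // a common way to smuggle an unexpected scheme past naive prefix checks.
    if ($url === '' || preg_match('/[\x00-\x20\x7F]/', $url)) {
        return null;
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;   // relative or malformed: cannot be trusted as a remote resource
    }
    if (strtolower($parts['scheme']) !== 'https') {
        return null;   // the README's existing check, kept as the first gate
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return null;   // user:pass@host is mainly useful for misleading the reader
    }
    $host = strtolower(rtrim($parts['host'], '.'));
    if (!in_array($host, $allowed_hosts, true)) {
        return null;   // hostname not on the allowlist
    }
    // The value still goes into an HTML attribute, so a quote in the query
    // string must not be able to end the attribute.
    return htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed sample inputs.
$samples = [
    'https://cdn.example.com/lib.js?v=1&x="',   // accepted, quote encoded
    'http://example.com/',                       // rejected: not https
    'https://attacker.invalid/',                 // rejected: host not allowlisted
    'https://user:pw@example.com/',              // rejected: embedded credentials
];
foreach ($samples as $s) {
    $result = validateUntrustedUrl($s);
    echo $s, ' => ', $result === null ? 'REJECTED' : '<a href="' . $result . '">link</a>', "\n";
}
```

parse_url is not a strict RFC 3986 parser, which is exactly why the allowlist comparison is on the normalised host and everything not positively recognised is rejected rather than passed through.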

JavaScript variables

i.e. <script>var someValue='UNTRUSTED DATA';</script> or <script>someFunction('UNTRUSTED DATA');</script>

$untrusted_data is cast to string

CSS values

i.e. <div style="width: UNTRUSTED DATA;">

$untrusted_data is cast to string

URL parameters

i.e. <a href="/site/search?value=UNTRUSTED DATA">link</a>

$untrusted_data is cast to string

JSON in HTML

$untrusted_data is cast to string

Output JSON inside a hidden element before calling JSON.parse e.g.
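The remaining contexts (JavaScript string, CSS value, URL parameter, and JSON placed in a hidden element for JSON.parse) are illustrated together in this added example. It is not the library's code: encodeJsString, encodeCssValue, encodeUrlParam and jsonInHiddenElement are names assumed for this illustration, and the sample data is constructed.

```php
<?php
declare(strict_types=1);

// Added illustration, not code from thisispiers/xss-escape.

/** Code point of a single UTF-8 character (mb_ord needs PHP 7.2; this runs on 7.1). */
function codePointOf(string $char): int
{
    return (int) hexdec(bin2hex(mb_convert_encoding($char, 'UTF-32BE', 'UTF-8')));
}

/** For <script>var v='DATA';</script>: every non-alphanumeric becomes \uXXXX. */
function encodeJsString($untrusted_data): string
{
    $out = preg_replace_callback('/[^A-Za-z0-9]/u', static function (array $m): string {
        $cp = codePointOf($m[0]);
        if ($cp > 0xFFFF) {               // astral code point: emit a surrogate pair
            $cp -= 0x10000;
            return sprintf('\\u%04X\\u%04X', 0xD800 + ($cp >> 10), 0xDC00 + ($cp & 0x3FF));
        }
        return sprintf('\\u%04X', $cp);
    }, (string) $untrusted_data);
    if ($out === null) {
        throw new InvalidArgumentException('Untrusted data is not valid UTF-8');
    }
    return $out;
}

/** For style="width: DATA;": every non-alphanumeric becomes a 6-digit CSS escape \HHHHHH. */
function encodeCssValue($untrusted_data): string
{
    $out = preg_replace_callback('/[^A-Za-z0-9]/u', static function (array $m): string {
        return sprintf('\\%06X', codePointOf($m[0]));
    }, (string) $untrusted_data);
    if ($out === null) {
        throw new InvalidArgumentException('Untrusted data is not valid UTF-8');
    }
    return $out;
}

/** For href="/search?value=DATA": RFC 3986 percent-encoding of the parameter value. */
function encodeUrlParam($untrusted_data): string
{
    return rawurlencode((string) $untrusted_data);
}

/**
 * Emit JSON inside a hidden element and let the client JSON.parse() its text,
 * instead of writing the JSON straight into a <script> block.
 */
function jsonInHiddenElement(string $id, $data): string
{
    if (!preg_match('/^[A-Za-z][A-Za-z0-9_-]*$/', $id)) {
        throw new InvalidArgumentException('Element id must be a plain identifier');
    }
    $json = json_encode($data, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    if ($json === false) {
        throw new RuntimeException('json_encode failed: ' . json_last_error_msg());
    }
    // JSON_HEX_* already turns <, >, &, ' and " into \uXXXX, so the payload cannot
    // close the element; htmlspecialchars is a second, independent layer.
    $text = htmlspecialchars($json, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return "<div id=\"$id\" style=\"display:none\">$text</div>\n"
         . "<script>var data = JSON.parse(document.getElementById('$id').textContent);</script>\n";
}

// Constructed sample input containing quotes, a tag and a non-ASCII character.
$payload = "o'neil</script>\u{00E9}";
echo "<script>var someValue='" . encodeJsString($payload) . "';</script>\n";
echo '<div style="width: ' . encodeCssValue('100px; color:red') . ';"></div>' . "\n";
echo '<a href="/site/search?value=' . encodeUrlParam($payload) . '">link</a>' . "\n";
echo jsonInHiddenElement('init', ['user' => $payload, 'roles' => ['admin']]);
```

Note that encodeUrlParam only handles the parameter value; the surrounding URL, like any other attribute value, still goes through HTML attribute encoding before it is written into the href.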

Contributing & Help

Don't expect frequent updates, but pull requests for security and performance improvements are welcome!

There is no guarantee this library complies with the latest OWASP cheat sheet recommendations. Create an issue if you think it's out of date, or start a pull request.

To save keystrokes, you might want to create an alias for this class, e.g. class_alias('\\thisispiers\\Xss\\Escape', '\\esc');


All versions of xss-escape with dependencies

Requires:
  php: >=7.1
  ext-mbstring: *
