Download the PHP package voku/anti-xss without Composer

On this page you can find all versions of the PHP package voku/anti-xss. These versions can be downloaded and installed without Composer; any dependencies are resolved automatically.

FAQ

After the download, you have to add one include: require_once('vendor/autoload.php');. After that you import the classes with use statements.

Example:
If you use only one package, a project is not needed. But if you use more than one package, it is not possible to import the classes with use statements without a project.

In general, it is recommended to always use a project to download your libraries, because an application normally needs more than one library.
Some PHP packages are not free to download and are therefore hosted in private repositories. In this case credentials are needed to access such packages. Please use the auth.json textarea to enter the credentials if a package comes from a private repository. You can look here for more information.

  • Some hosting environments are not accessible via a terminal or SSH, so Composer cannot be used there.
  • Using Composer is sometimes complicated, especially for beginners.
  • Composer needs a lot of resources, which are sometimes not available on a simple webspace.
  • If you are using private repositories you don't need to share your credentials: set everything up on our site and then hand a simple download link to your team members.
  • Simplify your Composer build process: use our own command line tool to download the vendor folder as a binary. This makes your build process faster, and you don't need to expose your credentials for private repositories.

Information about the package anti-xss


:secret: AntiXSS

"Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications. XSS enables attackers to inject client-side script into Web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same origin policy. Cross-site scripting carried out on websites accounted for roughly 84% of all security vulnerabilities documented by Symantec as of 2007." - http://en.wikipedia.org/wiki/Cross-site_scripting

DEMO:

http://anti-xss-demo.suckup.de/

NOTES:

1) Use filter_input() - don't read the global arrays (e.g. $_SESSION, $_GET, $_POST, $_SERVER) directly

2) Use html-sanitizer or HTML Purifier if you need a more configurable solution

3) Add a Content Security Policy -> Introduction to Content Security Policy

4) DO NOT WRITE YOUR OWN REGEX TO PARSE HTML!

5) READ THIS TEXT -> XSS (Cross Site Scripting) Prevention Cheat Sheet

6) TEST THIS TOOL -> Zed Attack Proxy (ZAP)

Install via "composer require"

Usage:

Example 1: (HTML Character)

Example 2: (Hexadecimal HTML Character)

Example 3: (Unicode Hex Character)

Example 4: (Unicode Character)

Example 5.1: (non-inline CSS)

Example 5.2: (with Inline CSS)

Example 6: (check if a string contains an XSS attack)

Example 7: (allow e.g. iframes)

Unit Test:

1) Composer is a prerequisite for running the tests.

2) The tests can be executed by running this command from the root directory:

AntiXss methods

- addDoNotCloseHtmlTags
- addEvilAttributes
- addEvilHtmlTags
- addNeverAllowedCallStrings
- addNeverAllowedJsCallbackRegex
- addNeverAllowedOnEventsAfterwards
- addNeverAllowedRegex
- addNeverAllowedStrAfterwards
- isXssFound
- removeDoNotCloseHtmlTags
- removeEvilAttributes
- removeEvilHtmlTags
- removeNeverAllowedCallStrings
- removeNeverAllowedJsCallbackRegex
- removeNeverAllowedOnEventsAfterwards
- removeNeverAllowedRegex
- removeNeverAllowedStrAfterwards
- setReplacement
- setStripe4byteChars
- xss_clean
## addDoNotCloseHtmlTags(string[] $strings): $this

Add some strings to the "_do_not_close_html_tags"-array.

**Parameters:**
- `string[] $strings`

**Return:**
- `$this`

--------

## addEvilAttributes(string[] $strings): $this

Add some strings to the "_evil_attributes"-array.

**Parameters:**
- `string[] $strings`

**Return:**
- `$this`

--------

## addEvilHtmlTags(string[] $strings): $this

Add some strings to the "_evil_html_tags"-array.

**Parameters:**
- `string[] $strings`

**Return:**
- `$this`

--------

## addNeverAllowedCallStrings(string[] $strings): $this

Add some strings to the "_never_allowed_call_strings"-array.

**Parameters:**
- `string[] $strings`

**Return:**
- `$this`

--------

## addNeverAllowedJsCallbackRegex(string[] $strings): $this

Add some strings to the "_never_allowed_js_callback_regex"-array.

**Parameters:**
- `string[] $strings`

**Return:**
- `$this`

--------

## addNeverAllowedOnEventsAfterwards(string[] $strings): $this

Add some strings to the "_never_allowed_on_events_afterwards"-array.

**Parameters:**
- `string[] $strings`

**Return:**
- `$this`

--------

## addNeverAllowedRegex(string[] $strings): $this

Add some strings to the "_never_allowed_regex"-array.

**Parameters:**
- `string[] $strings`

**Return:**
- `$this`

--------

## addNeverAllowedStrAfterwards(string[] $strings): $this

Add some strings to the "_never_allowed_str_afterwards"-array.

**Parameters:**
- `string[] $strings`

**Return:**
- `$this`

--------

## isXssFound(): bool|null

Check if the "AntiXSS->xss_clean()"-method found an XSS attack in the last run.

**Parameters:** __nothing__

**Return:**
- `bool|null` - returns null if "xss_clean()" has not been run at all.

--------

## removeDoNotCloseHtmlTags(string[] $strings): $this

Remove some strings from the "_do_not_close_html_tags"-array.

WARNING: Use this method only if you have a really good reason.

**Parameters:**
- `string[] $strings`

**Return:**
- `$this`

--------

## removeEvilAttributes(string[] $strings): $this

Remove some strings from the "_evil_attributes"-array.

WARNING: Use this method only if you have a really good reason.

**Parameters:**
- `string[] $strings`

**Return:**
- `$this`

--------

## removeEvilHtmlTags(string[] $strings): $this

Remove some strings from the "_evil_html_tags"-array.

WARNING: Use this method only if you have a really good reason.

**Parameters:**
- `string[] $strings`

**Return:**
- `$this`

--------

## removeNeverAllowedCallStrings(string[] $strings): $this

Remove some strings from the "_never_allowed_call_strings"-array.

WARNING: Use this method only if you have a really good reason.

**Parameters:**
- `string[] $strings`

**Return:**
- `$this`

--------

## removeNeverAllowedJsCallbackRegex(string[] $strings): $this

Remove some strings from the "_never_allowed_js_callback_regex"-array.

WARNING: Use this method only if you have a really good reason.

**Parameters:**
- `string[] $strings`

**Return:**
- `$this`

--------

## removeNeverAllowedOnEventsAfterwards(string[] $strings): $this

Remove some strings from the "_never_allowed_on_events_afterwards"-array.

WARNING: Use this method only if you have a really good reason.

**Parameters:**
- `string[] $strings`

**Return:**
- `$this`

--------

## removeNeverAllowedRegex(string[] $strings): $this

Remove some strings from the "_never_allowed_regex"-array.

WARNING: Use this method only if you have a really good reason.

**Parameters:**
- `string[] $strings`

**Return:**
- `$this`

--------

## removeNeverAllowedStrAfterwards(string[] $strings): $this

Remove some strings from the "_never_allowed_str_afterwards"-array.

WARNING: Use this method only if you have a really good reason.

**Parameters:**
- `string[] $strings`

**Return:**
- `$this`

--------

## setReplacement(string $string): $this

Set the replacement string for not allowed strings.

**Parameters:**
- `string $string`

**Return:**
- `$this`

--------

## setStripe4byteChars(bool $bool): $this

Set the option to strip 4-byte chars.

INFO: use it if your DB (MySQL) can't use "utf8mb4" -> prevents stored XSS attacks

**Parameters:**
- `bool $bool`

**Return:**
- `$this`

--------

## xss_clean(string|string[] $str): string|string[]

XSS Clean

Sanitizes data so that "Cross Site Scripting" hacks can be prevented. This method does a fair amount of work but it is extremely thorough, designed to prevent even the most obscure XSS attempts. But keep in mind that nothing is ever 100% foolproof...

Note: Should only be used to deal with data upon submission. It's not something that should be used for general runtime processing.

**Parameters:**
- `TXssCleanInput $str` - input data, e.g. a string or an array of strings

**Return:**
- `string|string[]`

--------

### Support

For support and donations please visit [Github](https://github.com/voku/anti-xss/) | [Issues](https://github.com/voku/anti-xss/issues) | [PayPal](https://paypal.me/moelleken) | [Patreon](https://www.patreon.com/voku).

For status updates and release announcements please visit [Releases](https://github.com/voku/anti-xss/releases) | [Twitter](https://twitter.com/suckup_de) | [Patreon](https://www.patreon.com/voku/posts).

For professional support please contact [me](https://about.me/voku).

### Thanks

- Thanks to [GitHub](https://github.com) (Microsoft) for hosting the code and a good infrastructure including issue management, etc.
- Thanks to [IntelliJ](https://www.jetbrains.com) as they make the best IDEs for PHP and they gave me an open source license for PhpStorm!
- Thanks to [Travis CI](https://travis-ci.com/) for being the most awesome, easiest continuous integration tool out there!
- Thanks to [StyleCI](https://styleci.io/) for the simple but powerful code style check.
- Thanks to [PHPStan](https://github.com/phpstan/phpstan) && [Psalm](https://github.com/vimeo/psalm) for really great static analysis tools and for discovering bugs in the code!

### License

[![FOSSA Status](https://app.fossa.io/api/projects/git%2Bgithub.com%2Fvoku%2Fanti-xss.svg?type=large)](https://app.fossa.io/projects/git%2Bgithub.com%2Fvoku%2Fanti-xss?ref=badge_large)
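A worked example of the methods documented above (and of Examples 6 and 7 in the Usage section), added here and not taken from the anti-xss README: it sanitizes constructed form input with xss_clean(), uses isXssFound() to log which field was altered, and re-enables iframes for one trusted embed field. It assumes the class is autoloaded from vendor/autoload.php as voku\helper\AntiXSS.

```php
<?php
// Added example, not part of the voku/anti-xss README.
// Assumption: vendor/autoload.php exposes the class voku\helper\AntiXSS.
require_once 'vendor/autoload.php';

use voku\helper\AntiXSS;

/**
 * Sanitize one submitted field and report whether the cleaner found anything.
 *
 * @return array{0: string, 1: bool} [cleaned value, XSS pattern found]
 */
function cleanField(AntiXSS $antiXss, string $value): array
{
    $clean = $antiXss->xss_clean($value);
    // isXssFound() is null only when xss_clean() never ran, so cast is safe here.
    return [$clean, (bool) $antiXss->isXssFound()];
}

$antiXss = new AntiXSS();
// Replace forbidden fragments with nothing instead of the default marker text.
$antiXss->setReplacement('');
// Strip 4-byte UTF-8 chars when the MySQL column is "utf8" rather than "utf8mb4",
// so a truncated insert cannot store a half-sanitized value (see setStripe4byteChars).
$antiXss->setStripe4byteChars(true);

// Constructed sample input, shaped like a submitted form (normally read via filter_input()).
$samples = [
    'comment' => 'Hello <b>world</b>',
    'bio'     => '<img src="x" onerror="alert(1)">',
];

foreach ($samples as $field => $raw) {
    [$clean, $found] = cleanField($antiXss, $raw);
    if ($found) {
        // Log the field name only; never write the raw value into a log that is rendered as HTML.
        error_log(sprintf('anti-xss: pattern removed from field "%s"', $field));
    }
    echo $field, ': ', $clean, PHP_EOL;
}

// Example 7: allow iframes for a trusted embed field by removing "iframe"
// from the evil-tag list. Use a separate instance so the relaxed rule
// does not leak into the cleaner used for ordinary fields.
$embedCleaner = (new AntiXSS())->removeEvilHtmlTags(['iframe']);
echo $embedCleaner->xss_clean('<iframe src="https://example.com/"></iframe>'), PHP_EOL;
```

Keep the relaxed instance scoped to the one field that needs it; every other field should go through the default rule set.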

All versions of anti-xss with dependencies

Requires:
- php: >=7.0.0
- voku/portable-utf8: ~6.0.2