Download the PHP package voku/anti-xss without Composer
On this page you can find all versions of the php package voku/anti-xss. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.
Information about the package anti-xss
AntiXSS
"Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications. XSS enables attackers to inject client-side script into Web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same origin policy. Cross-site scripting carried out on websites accounted for roughly 84% of all security vulnerabilities documented by Symantec as of 2007." - http://en.wikipedia.org/wiki/Cross-site_scripting
DEMO:
http://anti-xss-demo.suckup.de/
NOTES:
1) Use filter_input() - don't use the superglobal arrays (e.g. $_SESSION, $_GET, $_POST, $_SERVER) directly
2) Use html-sanitizer or HTML Purifier if you need a more configurable solution
3) Add a "Content Security Policy" -> Introduction to Content Security Policy
4) DO NOT WRITE YOUR OWN REGEX TO PARSE HTML!
5) READ THIS TEXT -> XSS (Cross Site Scripting) Prevention Cheat Sheet
6) TEST THIS TOOL -> Zed Attack Proxy (ZAP)
Install via "composer require"
Usage:
Example 1: (HTML Character)
Example 2: (Hexadecimal HTML Character)
Example 3: (Unicode Hex Character)
Example 4: (Unicode Character)
Example 5.1: (non Inline CSS)
Example 5.2: (with Inline CSS)
Example 6: (check if a string contains an XSS attack)
Example 7: (allow e.g. iframes)
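The usage examples listed above are missing their code on this page. The following is an added example, not the package's own README code, that walks through the same steps with the methods documented further down; it assumes a Composer install (`vendor/autoload.php`) and the class `voku\helper\AntiXSS`, and the sample inputs are constructed.

```php
<?php
// Added example, not from the package README. Assumes a Composer install
// (vendor/autoload.php) and the class voku\helper\AntiXSS.
require __DIR__ . '/vendor/autoload.php';

use voku\helper\AntiXSS;

// README note 1: read request data through filter_input(), never $_POST directly.
function sanitizeField(AntiXSS $antiXss, string $name): ?string
{
    $raw = filter_input(INPUT_POST, $name, FILTER_UNSAFE_RAW);
    if ($raw === null || $raw === false) {
        return null; // field absent (or no request context, e.g. CLI)
    }
    return $antiXss->xss_clean($raw);
}

$antiXss = new AntiXSS();

// Examples 1-4: constructed inputs in plain and entity-encoded form.
// The filter decodes these before matching, so encoding does not hide the tag.
$samples = [
    'plain' => '<script>alert("xss")</script>',
    'hex'   => '&#x3C;script&#x3E;alert(1)&#x3C;/script&#x3E;',
    'event' => '<img src="x" onerror="alert(1)">',
    'safe'  => 'Hello <b>world</b>',
];
foreach ($samples as $label => $input) {
    $clean = $antiXss->xss_clean($input);
    // Example 6: isXssFound() reports on the last xss_clean() call
    // (null only if xss_clean() has not run yet).
    printf("%-6s xss=%-5s -> %s\n", $label, var_export($antiXss->isXssFound(), true), $clean);
}

// Examples 5.x: mark removed fragments instead of silently dropping them,
// which makes stripped submissions visible in review or logs.
$antiXss->setReplacement('[removed]');

// Example 7: iframes are stripped by default; only re-allow them if your
// threat model permits it (event-handler and javascript: filtering stays active).
$antiXss->removeEvilHtmlTags(['iframe']);

// Strip 4-byte UTF-8 when the DB cannot store utf8mb4 (see the INFO note
// on setStripe4byteChars), so the stored value cannot be silently truncated.
$antiXss->setStripe4byteChars(true);

// xss_clean() also accepts string[] and returns string[].
$cleanList = $antiXss->xss_clean(['<a href="javascript:alert(1)">x</a>', 'ok']);
$comment   = sanitizeField($antiXss, 'comment'); // null when not in a POST request
```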
Unit Test:
1) Composer is a prerequisite for running the tests.
2) The tests can be executed by running this command from the root directory:
AntiXss methods
- addDoNotCloseHtmlTags
- addEvilAttributes
- addEvilHtmlTags
- addNeverAllowedCallStrings
- addNeverAllowedJsCallbackRegex
- addNeverAllowedOnEventsAfterwards
- addNeverAllowedRegex
- addNeverAllowedStrAfterwards
- isXssFound
- removeDoNotCloseHtmlTags
- removeEvilAttributes
- removeEvilHtmlTags
- removeNeverAllowedCallStrings
- removeNeverAllowedJsCallbackRegex
- removeNeverAllowedOnEventsAfterwards
- removeNeverAllowedRegex
- removeNeverAllowedStrAfterwards
- setReplacement
- setStripe4byteChars
- xss_clean
isXssFound() will return null if "xss_clean()" wasn't run at all.

## removeDoNotCloseHtmlTags(string[] $strings): $this

Remove some strings from the "_do_not_close_html_tags"-array.
WARNING: Use this method only if you have a really good reason.
INFO (setStripe4byteChars): use it if your DB (MySQL) can't use "utf8mb4" -> prevents stored XSS attacks
## xss_clean()

Sanitizes data so that "Cross Site Scripting" hacks can be prevented. This method does a fair amount of work but it is extremely thorough, designed to prevent even the most obscure XSS attempts. But keep in mind that nothing is ever 100% foolproof...

Note: Should only be used to deal with data upon submission. It's not something that should be used for general runtime processing.

**Parameters:** input data, e.g. string or array of strings

**Return:** `string|string[]`

### Support

For support and donations please visit [Github](https://github.com/voku/anti-xss/) | [Issues](https://github.com/voku/anti-xss/issues) | [PayPal](https://paypal.me/moelleken) | [Patreon](https://www.patreon.com/voku).

For status updates and release announcements please visit [Releases](https://github.com/voku/anti-xss/releases) | [Twitter](https://twitter.com/suckup_de) | [Patreon](https://www.patreon.com/voku/posts).

For professional support please contact [me](https://about.me/voku).

### Thanks

- Thanks to [GitHub](https://github.com) (Microsoft) for hosting the code and a good infrastructure including issue management, etc.
- Thanks to [IntelliJ](https://www.jetbrains.com) as they make the best IDEs for PHP and they gave me an open source license for PhpStorm!
- Thanks to [Travis CI](https://travis-ci.com/) for being the most awesome, easiest continuous integration tool out there!
- Thanks to [StyleCI](https://styleci.io/) for the simple but powerful code style check.
- Thanks to [PHPStan](https://github.com/phpstan/phpstan) && [Psalm](https://github.com/vimeo/psalm) for really great static analysis tools and for discovering bugs in the code!

### License

[![FOSSA Status](https://app.fossa.io/api/projects/git%2Bgithub.com%2Fvoku%2Fanti-xss.svg?type=large)](https://app.fossa.io/projects/git%2Bgithub.com%2Fvoku%2Fanti-xss?ref=badge_large)