Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/voku/anti-xss

㊙️ AntiXSS | Protection against Cross-site scripting (XSS) via PHP
https://github.com/voku/anti-xss

composer hacktoberfest html-character php xss xss-attacks

Last synced: about 2 months ago
JSON representation

㊙️ AntiXSS | Protection against Cross-site scripting (XSS) via PHP

Awesome Lists containing this project

README 

        
[//]: # (AUTO-GENERATED BY "PHP README Helper": base file -> docs/base.md)

[![SWUbanner](https://raw.githubusercontent.com/vshymanskyy/StandWithUkraine/main/banner2-direct.svg)](https://github.com/vshymanskyy/StandWithUkraine/blob/main/docs/README.md)



[![Build Status](https://github.com/voku/anti-xss/actions/workflows/ci.yml/badge.svg?branch=master)](https://github.com/voku/anti-xss/actions)

[![codecov.io](http://codecov.io/github/voku/anti-xss/coverage.svg?branch=master)](http://codecov.io/github/voku/anti-xss?branch=master)

[![Codacy Badge](https://api.codacy.com/project/badge/Grade/8e3c9da417124971b8d8e0c1046c24c7)](https://www.codacy.com/app/voku/anti-xss)

[![Latest Stable Version](https://poser.pugx.org/voku/anti-xss/v/stable)](https://packagist.org/packages/voku/anti-xss) 

[![Total Downloads](https://poser.pugx.org/voku/anti-xss/downloads)](https://packagist.org/packages/voku/anti-xss)

[![License](https://poser.pugx.org/voku/anti-xss/license)](https://packagist.org/packages/voku/anti-xss)

[![Donate to this project using Paypal](https://img.shields.io/badge/paypal-donate-yellow.svg)](https://www.paypal.me/moelleken)

[![Donate to this project using Patreon](https://img.shields.io/badge/patreon-donate-yellow.svg)](https://www.patreon.com/voku)



# :secret: AntiXSS



"Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications. XSS enables 

attackers to inject client-side script into Web pages viewed by other users. A cross-site scripting vulnerability may be 

used by attackers to bypass access controls such as the same origin policy. Cross-site scripting carried out on websites 

accounted for roughly 84% of all security vulnerabilities documented by Symantec as of 2007." - http://en.wikipedia.org/wiki/Cross-site_scripting



### DEMO:

[http://anti-xss-demo.suckup.de/](http://anti-xss-demo.suckup.de/)



### NOTES:

1) Use [filter_input()](http://php.net/manual/de/function.filter-input.php) - don't use GLOBAL-Array (e.g. $_SESSION, $_GET, $_POST, $_SERVER) directly



2) Use [html-sanitizer](https://github.com/tgalopin/html-sanitizer) or [HTML Purifier](http://htmlpurifier.org/) if you need a more configurable solution



3) Add "Content Security Policy's" -> [Introduction to Content Security Policy](http://www.html5rocks.com/en/tutorials/security/content-security-policy/)



4) DO NOT WRITE YOUR OWN REGEX TO PARSE HTML!



5) READ THIS TEXT -> [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.md)



6) TEST THIS TOOL -> [Zed Attack Proxy (ZAP)](https://github.com/zaproxy/zaproxy)



### Install via "composer require"

```shell

composer require voku/anti-xss

```



### Usage:



```php



use voku\helper\AntiXSS;



require_once __DIR__ . '/vendor/autoload.php'; // example path



$antiXss = new AntiXSS();

```



Example 1: (HTML Character)



```php

$harm_string = "Hello, i try to alert('Hack'); your site";

$harmless_string = $antiXss->xss_clean($harm_string);



// Hello, i try to alert('Hack'); your site

```



Example 2: (Hexadecimal HTML Character)



```php

$harm_string = "";

$harmless_string = $antiXss->xss_clean($harm_string);

    

// 

```

    

Example 3: (Unicode Hex Character)



```php

$harm_string = "CLICK";

$harmless_string = $antiXss->xss_clean($harm_string);

    

// CLICK

```



Example 4: (Unicode Character)



```php

$harm_string = "CLICK";

$harmless_string = $antiXss->xss_clean($harm_string);

    

// CLICK

```



Example 5.1: (non Inline CSS)



```php

$harm_string = '
  • ';

    $harmless_string = $antiXss->xss_clean($harm_string);
    


    // 
  • 

    ```
    


    Example 5.2: (with Inline CSS)
    


    ```php

    $harm_string = '
  • ';

    $antiXss->removeEvilAttributes(array('style')); // allow style-attributes

    $harmless_string = $antiXss->xss_clean($harm_string);
    


    // 
  • 

    ```
    


    Example 6: (check if an string contains a XSS attack)
    


    ```php

    $harm_string = "\x3cscript src=http://www.example.com/malicious-code.js\x3e\x3c/script\x3e";

    $harmless_string = $antiXss->xss_clean($harm_string);
    


    // 
    


    $antiXss->isXssFound(); 
    


    // true

    ```
    


    Example 7: (allow e.g. iframes)
    


    ```php

    $harm_string = "";
    


    $antiXss->removeEvilHtmlTags(array('iframe'));
    


    $harmless_string = $antiXss->xss_clean($harm_string);
    


    // 

    ```
    


    ### Unit Test:
    


    1) [Composer](https://getcomposer.org) is a prerequisite for running the tests.
    


    ```

    composer install

    ```
    


    2) The tests can be executed by running this command from the root directory:
    


    ```bash

    ./vendor/bin/phpunit

    ```
    


    ## AntiXss methods
    


    

    addDoNotCloseHtmlTags

    addEvilAttributes

    addEvilHtmlTags

    addNeverAllowedCallStrings

    addNeverAllowedJsCallbackRegex

    addNeverAllowedOnEventsAfterwards

    addNeverAllowedRegex

    addNeverAllowedStrAfterwards

    isXssFound

    removeDoNotCloseHtmlTags

    removeEvilAttributes

    removeEvilHtmlTags

    removeNeverAllowedCallStrings

    removeNeverAllowedJsCallbackRegex

    removeNeverAllowedOnEventsAfterwards

    removeNeverAllowedRegex

    removeNeverAllowedStrAfterwards

    setReplacement

    setStripe4byteChars

    xss_clean
    


    ## addDoNotCloseHtmlTags(string[] $strings): $this

    

    Add some strings to the "_do_not_close_html_tags"-array.
    


    **Parameters:**

    - `string[] $strings`
    


    **Return:**

    - `$this`
    


    --------
    


    ## addEvilAttributes(string[] $strings): $this

    

    Add some strings to the "_evil_attributes"-array.
    


    **Parameters:**

    - `string[] $strings`
    


    **Return:**

    - `$this`
    


    --------
    


    ## addEvilHtmlTags(string[] $strings): $this

    

    Add some strings to the "_evil_html_tags"-array.
    


    **Parameters:**

    - `string[] $strings`
    


    **Return:**

    - `$this`
    


    --------
    


    ## addNeverAllowedCallStrings(string[] $strings): $this

    

    Add some strings to the "_never_allowed_call_strings"-array.
    


    **Parameters:**

    - `string[] $strings`
    


    **Return:**

    - `$this`
    


    --------
    


    ## addNeverAllowedJsCallbackRegex(string[] $strings): $this

    

    Add some strings to the "_never_allowed_js_callback_regex"-array.
    


    **Parameters:**

    - `string[] $strings`
    


    **Return:**

    - `$this`
    


    --------
    


    ## addNeverAllowedOnEventsAfterwards(string[] $strings): $this

    

    Add some strings to the "_never_allowed_on_events_afterwards"-array.
    


    **Parameters:**

    - `string[] $strings`
    


    **Return:**

    - `$this`
    


    --------
    


    ## addNeverAllowedRegex(string[] $strings): $this

    

    Add some strings to the "_never_allowed_regex"-array.
    


    **Parameters:**

    - `string[] $strings`
    


    **Return:**

    - `$this`
    


    --------
    


    ## addNeverAllowedStrAfterwards(string[] $strings): $this

    

    Add some strings to the "_never_allowed_str_afterwards"-array.
    


    **Parameters:**

    - `string[] $strings`
    


    **Return:**

    - `$this`
    


    --------
    


    ## isXssFound(): bool|null

    

    Check if the "AntiXSS->xss_clean()"-method found an XSS attack in the last run.
    


    **Parameters:**

    __nothing__
    


    **Return:**

    - `bool|null 
    Will return null if the "xss_clean()" wasn't running at all.
    `
    


    --------
    


    ## removeDoNotCloseHtmlTags(string[] $strings): $this

    

    Remove some strings from the "_do_not_close_html_tags"-array.
    


    


    

    WARNING: Use this method only if you have a really good reason.

    


    **Parameters:**

    - `string[] $strings`
    


    **Return:**

    - `$this`
    


    --------
    


    ## removeEvilAttributes(string[] $strings): $this

    

    Remove some strings from the "_evil_attributes"-array.
    


    


    

    WARNING: Use this method only if you have a really good reason.

    


    **Parameters:**

    - `string[] $strings`
    


    **Return:**

    - `$this`
    


    --------
    


    ## removeEvilHtmlTags(string[] $strings): $this

    

    Remove some strings from the "_evil_html_tags"-array.
    


    


    

    WARNING: Use this method only if you have a really good reason.

    


    **Parameters:**

    - `string[] $strings`
    


    **Return:**

    - `$this`
    


    --------
    


    ## removeNeverAllowedCallStrings(string[] $strings): $this

    

    Remove some strings from the "_never_allowed_call_strings"-array.
    


    


    

    WARNING: Use this method only if you have a really good reason.

    


    **Parameters:**

    - `string[] $strings`
    


    **Return:**

    - `$this`
    


    --------
    


    ## removeNeverAllowedJsCallbackRegex(string[] $strings): $this

    

    Remove some strings from the "_never_allowed_js_callback_regex"-array.
    


    


    

    WARNING: Use this method only if you have a really good reason.

    


    **Parameters:**

    - `string[] $strings`
    


    **Return:**

    - `$this`
    


    --------
    


    ## removeNeverAllowedOnEventsAfterwards(string[] $strings): $this

    

    Remove some strings from the "_never_allowed_on_events_afterwards"-array.
    


    


    

    WARNING: Use this method only if you have a really good reason.

    


    **Parameters:**

    - `string[] $strings`
    


    **Return:**

    - `$this`
    


    --------
    


    ## removeNeverAllowedRegex(string[] $strings): $this

    

    Remove some strings from the "_never_allowed_regex"-array.
    


    


    

    WARNING: Use this method only if you have a really good reason.

    


    **Parameters:**

    - `string[] $strings`
    


    **Return:**

    - `$this`
    


    --------
    


    ## removeNeverAllowedStrAfterwards(string[] $strings): $this

    

    Remove some strings from the "_never_allowed_str_afterwards"-array.
    


    


    

    WARNING: Use this method only if you have a really good reason.

    


    **Parameters:**

    - `string[] $strings`
    


    **Return:**

    - `$this`
    


    --------
    


    ## setReplacement(string $string): $this

    

    Set the replacement-string for not allowed strings.
    


    **Parameters:**

    - `string $string`
    


    **Return:**

    - `$this`
    


    --------
    


    ## setStripe4byteChars(bool $bool): $this

    

    Set the option to stripe 4-Byte chars.
    


    


    

    INFO: use it if your DB (MySQL) can't use "utf8mb4" -> preventing stored XSS-attacks

    


    **Parameters:**

    - `bool $bool`
    


    **Return:**

    - `$this`
    


    --------
    


    ## xss_clean(string|string[] $str): string|string[]

    

    XSS Clean
    


    


    

    Sanitizes data so that "Cross Site Scripting" hacks can be

    prevented. This method does a fair amount of work but

    it is extremely thorough, designed to prevent even the

    most obscure XSS attempts. But keep in mind that nothing

    is ever 100% foolproof...

    


    


    

    Note: Should only be used to deal with data upon submission.

      It's not something that should be used for general

      runtime processing.

    


    **Parameters:**

    - `TXssCleanInput $str 
    input data e.g. string or array of strings
    `
    


    **Return:**

    - `string|string[]`
    


    --------
    


    ### Support
    


    For support and donations please visit [Github](https://github.com/voku/anti-xss/) | [Issues](https://github.com/voku/anti-xss/issues) | [PayPal](https://paypal.me/moelleken) | [Patreon](https://www.patreon.com/voku).
    


    For status updates and release announcements please visit [Releases](https://github.com/voku/anti-xss/releases) | [Twitter](https://twitter.com/suckup_de) | [Patreon](https://www.patreon.com/voku/posts).
    


    For professional support please contact [me](https://about.me/voku).
    


    ### Thanks
    


    - Thanks to [GitHub](https://github.com) (Microsoft) for hosting the code and a good infrastructure including Issues-Managment, etc.

    - Thanks to [IntelliJ](https://www.jetbrains.com) as they make the best IDEs for PHP and they gave me an open source license for PhpStorm!

    - Thanks to [Travis CI](https://travis-ci.com/) for being the most awesome, easiest continous integration tool out there!

    - Thanks to [StyleCI](https://styleci.io/) for the simple but powerfull code style check.

    - Thanks to [PHPStan](https://github.com/phpstan/phpstan) && [Psalm](https://github.com/vimeo/psalm) for relly great Static analysis tools and for discover bugs in the code!
    


    ### License

    [![FOSSA Status](https://app.fossa.io/api/projects/git%2Bgithub.com%2Fvoku%2Fanti-xss.svg?type=large)](https://app.fossa.io/projects/git%2Bgithub.com%2Fvoku%2Fanti-xss?ref=badge_large)

    •