Stars: 623 | Rank 71,630 (Top 2 %)
Language: PHP
License: MIT License
Created over 9 years ago | Updated 12 months ago

㊙️ AntiXSS | Protection against Cross-site scripting (XSS) via PHP

㊙️ AntiXSS

"Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications. XSS enables attackers to inject client-side script into Web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same origin policy. Cross-site scripting carried out on websites accounted for roughly 84% of all security vulnerabilities documented by Symantec as of 2007." - http://en.wikipedia.org/wiki/Cross-site_scripting

DEMO:

http://anti-xss-demo.suckup.de/

NOTES:

  1. Read request data through filter_input() (INPUT_GET, INPUT_POST, INPUT_COOKIE, INPUT_SERVER, INPUT_ENV) instead of touching the superglobal arrays ($_GET, $_POST, $_COOKIE, $_SERVER) directly. $_SESSION is server-side state, not a request input, so filter_input() does not apply to it; treat values you put there as already validated.

  2. Use html-sanitizer or HTML Purifier if you need a more configurable solution (e.g. an allow-list of tags and attributes for rich-text input).

  3. Add a Content Security Policy (see "Introduction to Content Security Policy").

  4. DO NOT WRITE YOUR OWN REGEX TO PARSE HTML!

  5. READ THIS TEXT -> the OWASP "XSS (Cross Site Scripting) Prevention Cheat Sheet"

  6. TEST YOUR APPLICATION WITH THIS TOOL -> Zed Attack Proxy (ZAP)
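
The notes above describe one pipeline: read input through a single explicit entry point, sanitize on submission, ship a CSP, and still encode on output. The following is an added example of that pipeline written for this page; it is not code from the AntiXSS project. The "comment" POST field, the log message and the concrete CSP directives are assumptions chosen for illustration.

```php
<?php
// Added example (not from the AntiXSS project): input -> sanitize on submission
// -> CSP -> context-aware output encoding. The "comment" field is made up.
declare(strict_types=1);

use voku\helper\AntiXSS;

require_once __DIR__ . '/vendor/autoload.php';

// 1. Read input through filter_input() rather than $_POST. FILTER_UNSAFE_RAW
//    returns the value unchanged; the point is the single, explicit entry
//    point (null = field absent, false = filter failed).
$comment = filter_input(INPUT_POST, 'comment', FILTER_UNSAFE_RAW);
if ($comment === null || $comment === false) {
    http_response_code(400);
    exit('missing "comment" field');
}

// 2. Sanitize on submission, before the value is stored. isXssFound() reports
//    whether the last xss_clean() call actually removed something, which is a
//    useful signal to log (constructed log line; use your real logger).
$antiXss = new AntiXSS();
$cleanComment = $antiXss->xss_clean($comment);
if ($antiXss->isXssFound() === true) {
    error_log('AntiXSS stripped a payload from the "comment" field');
}
// ... persist $cleanComment here ...

// 3. Content Security Policy: no inline script, scripts only from this origin,
//    no plugins, no <base> hijacking. Sent before any output.
header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'");

// 4. Still encode on output. xss_clean() is a filter for data entering the
//    system; the last line of defence in an HTML context is htmlspecialchars()
//    with ENT_QUOTES, so that the value cannot break out of attributes either.
echo '<p>', htmlspecialchars($cleanComment, ENT_QUOTES | ENT_HTML5, 'UTF-8'), '</p>';
```

The CSP and the output encoding are independent of AntiXSS: if a payload ever slips past the sanitizer, the encoding keeps it inert in HTML, and the policy keeps an injected inline `<script>` from executing.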

Install via "composer require"

composer require voku/anti-xss

Usage:

use voku\helper\AntiXSS;

require_once __DIR__ . '/vendor/autoload.php'; // example path

$antiXss = new AntiXSS();

Example 1: (HTML Character)

$harm_string = "Hello, i try to <script>alert('Hack');</script> your site";
$harmless_string = $antiXss->xss_clean($harm_string);

// Hello, i try to alert&#40;'Hack'&#41;; your site

Example 2: (Hexadecimal HTML Character)

$harm_string = "<IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>";
$harmless_string = $antiXss->xss_clean($harm_string);
    
// <IMG >

Example 3: (Unicode Hex Character)

$harm_string = "<a href='&#x2000;javascript:alert(1)'>CLICK</a>";
$harmless_string = $antiXss->xss_clean($harm_string);
    
// <a >CLICK</a>

Example 4: (Unicode Character)

$harm_string = "<a href=\"\u0001java\u0003script:alert(1)\">CLICK<a>";
$harmless_string = $antiXss->xss_clean($harm_string);
    
// <a >CLICK</a>

Example 5.1: (non Inline CSS)

$harm_string = '<li style="list-style-image: url(javascript:alert(0))">';
$harmless_string = $antiXss->xss_clean($harm_string);

// <li >

Example 5.2: (with Inline CSS)

$harm_string = '<li style="list-style-image: url(javascript:alert(0))">';
$antiXss->removeEvilAttributes(array('style')); // allow style-attributes
$harmless_string = $antiXss->xss_clean($harm_string);

// <li style="list-style-image: url(alert&#40;0&#41;)">

Example 6: (check if a string contains an XSS attack)

$harm_string = "\x3cscript src=http://www.example.com/malicious-code.js\x3e\x3c/script\x3e";
$harmless_string = $antiXss->xss_clean($harm_string);

// 

$antiXss->isXssFound(); 

// true

Example 7: (allow e.g. iframes)

$harm_string = '<iframe width="560" onclick="alert(\'xss\')" height="315" src="https://www.youtube.com/embed/foobar?rel=0&controls=0&showinfo=0" frameborder="0" allowfullscreen></iframe>'; // single-quoted, so the double quotes inside need no escaping

$antiXss->removeEvilHtmlTags(array('iframe'));

$harmless_string = $antiXss->xss_clean($harm_string);

// <iframe width="560"  height="315" src="https://www.youtube.com/embed/foobar?rel=0&controls=0&showinfo=0" frameborder="0" allowfullscreen></iframe>
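
The examples above each clean a single string. The following added example (written for this page, not part of the AntiXSS project) shows the pattern a form handler actually needs: clean a whole submission field by field so that isXssFound() can be read per field, make removals visible with setReplacement(), and keep a widened allow-list (removeEvilHtmlTags(['iframe']) as in Example 7) on a separate instance so it cannot leak into other fields. The sample submission, the field names and the log line are constructed for illustration.

```php
<?php
// Added example (not from the AntiXSS project): per-field cleaning of a form
// submission with a flagged-field list, plus an isolated instance for embeds.
declare(strict_types=1);

use voku\helper\AntiXSS;

require_once __DIR__ . '/vendor/autoload.php';

/**
 * Clean every field and return both the cleaned values and the names of the
 * fields where AntiXSS actually removed something.
 *
 * @param array<string,string> $fields
 * @return array{clean: array<string,string>, flagged: string[]}
 */
function cleanSubmission(AntiXSS $antiXss, array $fields): array
{
    $clean = [];
    $flagged = [];
    foreach ($fields as $name => $value) {
        // One xss_clean() call per field: isXssFound() only reports the last run.
        $clean[$name] = $antiXss->xss_clean($value);
        if ($antiXss->isXssFound() === true) {
            $flagged[] = $name;
        }
    }
    return ['clean' => $clean, 'flagged' => $flagged];
}

// Constructed sample submission (not real traffic).
$submission = [
    'name'  => 'Alice',
    'bio'   => 'I like <b>bold</b> text',
    'about' => '<img src=x onerror="alert(document.cookie)">',
];

$strict = new AntiXSS();
$strict->setReplacement('[removed]'); // make removals visible instead of silent

$result = cleanSubmission($strict, $submission);
// 'about' ends up in $result['flagged']: the onerror handler is an on* event
// attribute and gets removed. 'name' and 'bio' contain nothing on the evil
// lists and pass through.

// A separate instance for the one field that may carry a video embed. The
// widened tag allow-list lives on this object only.
$embed = new AntiXSS();
$embed->removeEvilHtmlTags(['iframe']); // allow the <iframe> tag itself
// Attributes are governed by the evil-attribute and on*-event lists, which
// this call does not touch, so onload= below is still stripped (cf. Example 7).
$video = '<iframe src="https://www.youtube.com/embed/foobar" onload="alert(1)"></iframe>';
$cleanVideo = $embed->xss_clean($video);

// Decide, don't just store: a flagged field is worth logging or rejecting.
if ($result['flagged'] !== []) {
    error_log('AntiXSS removed content from: ' . implode(', ', $result['flagged']));
}
```

Keeping the relaxed instance separate matters because the remove*() methods mutate the object: once removeEvilHtmlTags(['iframe']) has been called, every later xss_clean() on that instance accepts iframes, including fields that should never contain one.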

Unit Test:

  1. Composer is a prerequisite for running the tests.
     composer install
  2. The tests can be executed by running this command from the root directory:
     ./vendor/bin/phpunit

AntiXss methods

  • addDoNotCloseHtmlTags
  • addEvilAttributes
  • addEvilHtmlTags
  • addNeverAllowedCallStrings
  • addNeverAllowedJsCallbackRegex
  • addNeverAllowedOnEventsAfterwards
  • addNeverAllowedRegex
  • addNeverAllowedStrAfterwards
  • isXssFound
  • removeDoNotCloseHtmlTags
  • removeEvilAttributes
  • removeEvilHtmlTags
  • removeNeverAllowedCallStrings
  • removeNeverAllowedJsCallbackRegex
  • removeNeverAllowedOnEventsAfterwards
  • removeNeverAllowedRegex
  • removeNeverAllowedStrAfterwards
  • setReplacement
  • setStripe4byteChars
  • xss_clean

addDoNotCloseHtmlTags(string[] $strings): $this

Add some strings to the "_do_not_close_html_tags"-array.

Parameters:

  • string[] $strings

Return:

  • $this

addEvilAttributes(string[] $strings): $this

Add some strings to the "_evil_attributes"-array.

Parameters:

  • string[] $strings

Return:

  • $this

addEvilHtmlTags(string[] $strings): $this

Add some strings to the "_evil_html_tags"-array.

Parameters:

  • string[] $strings

Return:

  • $this

addNeverAllowedCallStrings(string[] $strings): $this

Add some strings to the "_never_allowed_call_strings"-array.

Parameters:

  • string[] $strings

Return:

  • $this

addNeverAllowedJsCallbackRegex(string[] $strings): $this

Add some strings to the "_never_allowed_js_callback_regex"-array.

Parameters:

  • string[] $strings

Return:

  • $this

addNeverAllowedOnEventsAfterwards(string[] $strings): $this

Add some strings to the "_never_allowed_on_events_afterwards"-array.

Parameters:

  • string[] $strings

Return:

  • $this

addNeverAllowedRegex(string[] $strings): $this

Add some strings to the "_never_allowed_regex"-array.

Parameters:

  • string[] $strings

Return:

  • $this

addNeverAllowedStrAfterwards(string[] $strings): $this

Add some strings to the "_never_allowed_str_afterwards"-array.

Parameters:

  • string[] $strings

Return:

  • $this

isXssFound(): bool|null

Check if the "AntiXSS->xss_clean()"-method found an XSS attack in the last run.

Parameters: nothing

Return:

  • bool|null - returns null if "xss_clean()" has not been run at all.

removeDoNotCloseHtmlTags(string[] $strings): $this

Remove some strings from the "_do_not_close_html_tags"-array.


WARNING: Use this method only if you have a really good reason.

Parameters:

  • string[] $strings

Return:

  • $this

removeEvilAttributes(string[] $strings): $this

Remove some strings from the "_evil_attributes"-array.


WARNING: Use this method only if you have a really good reason.

Parameters:

  • string[] $strings

Return:

  • $this

removeEvilHtmlTags(string[] $strings): $this

Remove some strings from the "_evil_html_tags"-array.


WARNING: Use this method only if you have a really good reason.

Parameters:

  • string[] $strings

Return:

  • $this

removeNeverAllowedCallStrings(string[] $strings): $this

Remove some strings from the "_never_allowed_call_strings"-array.


WARNING: Use this method only if you have a really good reason.

Parameters:

  • string[] $strings

Return:

  • $this

removeNeverAllowedJsCallbackRegex(string[] $strings): $this

Remove some strings from the "_never_allowed_js_callback_regex"-array.


WARNING: Use this method only if you have a really good reason.

Parameters:

  • string[] $strings

Return:

  • $this

removeNeverAllowedOnEventsAfterwards(string[] $strings): $this

Remove some strings from the "_never_allowed_on_events_afterwards"-array.


WARNING: Use this method only if you have a really good reason.

Parameters:

  • string[] $strings

Return:

  • $this

removeNeverAllowedRegex(string[] $strings): $this

Remove some strings from the "_never_allowed_regex"-array.


WARNING: Use this method only if you have a really good reason.

Parameters:

  • string[] $strings

Return:

  • $this

removeNeverAllowedStrAfterwards(string[] $strings): $this

Remove some strings from the "_never_allowed_str_afterwards"-array.


WARNING: Use this method only if you have a really good reason.

Parameters:

  • string[] $strings

Return:

  • $this

setReplacement(string $string): $this

Set the replacement-string for not allowed strings.

Parameters:

  • string $string

Return:

  • $this

setStripe4byteChars(bool $bool): $this

Set the option to strip 4-byte UTF-8 characters.


INFO: use it if your DB (MySQL) can't store "utf8mb4". MySQL's 3-byte "utf8" (utf8mb3) charset cannot hold 4-byte characters; in non-strict SQL mode an INSERT silently truncates the string at the first such character (in strict mode it fails instead). An attacker can therefore place a 4-byte character after the sanitizer has run and have the stored value cut short, e.g. leaving a tag or attribute open -> stripping these characters first prevents that class of stored XSS attacks.

Parameters:

  • bool $bool

Return:

  • $this

xss_clean(string|string[] $str): string|string[]

XSS Clean


Sanitizes data so that "Cross Site Scripting" hacks can be prevented. This method does a fair amount of work but it is extremely thorough, designed to prevent even the most obscure XSS attempts. But keep in mind that nothing is ever 100% foolproof...


Note: Should only be used to deal with data upon submission. It's not something that should be used for general runtime processing.

Parameters:

  • TXssCleanInput $str - input data, e.g. a string or an array of strings

Return:

  • string|string[]

Support

For support and donations please visit Github | Issues | PayPal | Patreon.

For status updates and release announcements please visit Releases | Twitter | Patreon.

For professional support please contact me.

Thanks

  • Thanks to GitHub (Microsoft) for hosting the code and a good infrastructure including issue management, etc.
  • Thanks to IntelliJ as they make the best IDEs for PHP and they gave me an open source license for PhpStorm!
  • Thanks to Travis CI for being the most awesome, easiest continuous integration tool out there!
  • Thanks to StyleCI for the simple but powerful code style check.
  • Thanks to PHPStan && Psalm for really great static analysis tools and for discovering bugs in the code!

License

MIT License
