PHP Anti XSS Filter: Remove tags from HTML that may cause XSS attacks

Last Updated: 2017-12-01
Version: anti-xss 2.0.9
License: MIT/X Consortium ...
PHP version: 5.3
Categories: HTML, PHP 5, Security
Repository: anti-xss - github.com

Description

This class can remove tags from HTML that may cause XSS attacks.

It can parse HTML and remove sequences that may be used to execute JavaScript code that could perform XSS attacks.

The class returns a clean HTML string without dangerous XSS sequences.

Author: Lars Moelleken (Germany)
Details


AntiXSS - Library

"Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications. XSS enables attackers to inject client-side script into Web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same origin policy. Cross-site scripting carried out on websites accounted for roughly 84% of all security vulnerabilities documented by Symantec as of 2007." - http://en.wikipedia.org/wiki/Cross-site_scripting

DEMO:

http://anti-xss-demo.suckup.de/

NOTES:

1) Use filter_input() - do not read the superglobal arrays (e.g. $_SESSION, $_GET, $_POST, $_SERVER) directly

2) Use HTML Purifier if you need a more configurable solution

3) Add a Content Security Policy -> Introduction to Content Security Policy

4) DO NOT WRITE YOUR OWN REGEX TO PARSE HTML!

5) READ THIS TEXT -> XSS (Cross Site Scripting) Prevention Cheat Sheet

6) TEST THIS TOOL -> Zed Attack Proxy (ZAP)

Install via "composer require"

composer require voku/anti-xss

Usage:

use voku\helper\AntiXSS; // the class lives in src/voku/helper/AntiXSS.php

$antiXss = new AntiXSS();

Example 1: (HTML Character)

$harm_string = "Hello, i try to <script>alert('Hack');</script> your site";
$harmless_string = $antiXss->xss_clean($harm_string);

// Hello, i try to alert&#40;'Hack'&#41;; your site

Example 2: (Hexadecimal HTML Character)

$harm_string = "<IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>";
$harmless_string = $antiXss->xss_clean($harm_string);
    
// <IMG >

Example 3: (Unicode Hex Character)

$harm_string = "<a href='&#x2000;javascript:alert(1)'>CLICK</a>";
$harmless_string = $antiXss->xss_clean($harm_string);
    
// <a >CLICK</a>

Example 4: (Unicode Character)

$harm_string = "<a href=\"\u0001java\u0003script:alert(1)\">CLICK</a>";
$harmless_string = $antiXss->xss_clean($harm_string);
    
// <a >CLICK</a>

Example 5.1: (non Inline CSS)

$harm_string = '<li style="list-style-image: url(javascript:alert(0))">';
$harmless_string = $antiXss->xss_clean($harm_string);

// <li >

Example 5.2: (with Inline CSS)

$harm_string = '<li style="list-style-image: url(javascript:alert(0))">';
$antiXss->removeEvilAttributes(array('style')); // allow style-attributes
$harmless_string = $antiXss->xss_clean($harm_string);

// <li style="list-style-image: url(alert&#40;0&#41;)">

Example 6: (check whether a string contains an XSS attack)

$harm_string = "\x3cscript src=http://www.example.com/malicious-code.js\x3e\x3c/script\x3e";
$harmless_string = $antiXss->xss_clean($harm_string);

// 

$antiXss->isXssFound(); 

// true

Example 7: (allow e.g. iframes)

$harm_string = '<iframe width="560" onclick="alert(\'xss\')" height="315" src="https://www.youtube.com/embed/foobar?rel=0&controls=0&showinfo=0" frameborder="0" allowfullscreen></iframe>';

$antiXss->removeEvilHtmlTags(array('iframe')); // allow iframe tags (event-handler attributes are still removed)

$harmless_string = $antiXss->xss_clean($harm_string);

// <iframe width="560"  height="315" src="https://www.youtube.com/embed/foobar?rel=0&controls=0&showinfo=0" frameborder="0" allowfullscreen></iframe>
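The notes and examples above fit together into one request handler. The following is an added example, not code from the voku/anti-xss README: it applies notes 1, 3 and 5 and the xss_clean()/isXssFound() calls from examples 6 and 7. It assumes Composer autoloading and only the API shown on this page; the sample comment is constructed, and the iframe allow-list is an assumed project policy.

```php
<?php
// Added example, not code from the voku/anti-xss README: one request handler
// that puts notes 1, 3 and 5 above together with the xss_clean()/isXssFound()
// calls from examples 6 and 7. Assumes Composer autoloading and only the API
// shown on this page; the sample comment below is constructed.
require __DIR__ . '/vendor/autoload.php';

use voku\helper\AntiXSS;

// Note 3: a Content-Security-Policy header caps what a payload that slips past
// the filter can do in the browser (no inline script, no foreign script origins).
if (!headers_sent()) {
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'");
}

// Note 1: read request data through filter_input() instead of $_POST.
// FILTER_UNSAFE_RAW returns the string untouched; the cleaning happens below.
$comment = filter_input(INPUT_POST, 'comment', FILTER_UNSAFE_RAW);
if ($comment === null) {
    // Constructed input so the script also runs from the CLI.
    $comment = 'Nice post! <img src=x onerror="alert(document.cookie)"> <b>thanks</b>';
}

$antiXss = new AntiXSS();
// Project policy (assumed): embedded iframes are allowed, as in example 7.
$antiXss->removeEvilHtmlTags(array('iframe'));

$clean = $antiXss->xss_clean($comment);

// Example 6: the filter also reports whether it had to remove anything. That is
// the signal worth logging: a stripped payload deserves an alert, not silence.
if ($antiXss->isXssFound()) {
    $ip = filter_input(INPUT_SERVER, 'REMOTE_ADDR', FILTER_VALIDATE_IP);
    error_log(sprintf(
        '[anti-xss] payload stripped from %s: %s',
        ($ip !== null && $ip !== false) ? $ip : 'cli',
        substr($comment, 0, 200)
    ));
}

// The cleaned string is meant for an HTML body context (the example outputs
// above still contain tags such as <a> and <li>).
echo '<div class="comment">' . $clean . "</div>\n";

// xss_clean() sanitises, it does not encode. The same value placed in an
// attribute or script context still needs the encoder for that context
// (note 5, the OWASP cheat sheet), otherwise a stray quote closes the attribute.
echo '<input type="hidden" name="original" value="'
    . htmlspecialchars($clean, ENT_QUOTES, 'UTF-8') . "\">\n";
```

The split between the two echo lines is the point to keep in mind when using this library: the cleaned string is safe to emit as HTML content, but the same string dropped into an attribute value, a URL or a script block needs the encoding rules of that context on top.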

Unit Test:

1) Composer is a prerequisite for running the tests.

composer install

2) The tests can be executed by running this command from the root directory:

./vendor/bin/phpunit
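A project that relies on a particular AntiXSS configuration (for instance the iframe allow-list from example 7) should pin that configuration in its own test suite, so that a library upgrade or a widened allow-list fails the build instead of quietly re-enabling a payload. The following is an added example and is not part of the voku/anti-xss test suite; the inputs are the README examples above, while the class name, the iframe policy and the file location (assumed: tests/ProjectAntiXssPolicyTest.php, run with the phpunit command above) are assumptions of this example.

```php
<?php
// Added example, not part of the voku/anti-xss test suite: a PHPUnit test that
// pins down a project-specific AntiXSS configuration. The inputs are the README
// examples above; the class name, the iframe policy and the expected outcomes
// are assumptions of this example.
use PHPUnit\Framework\TestCase;
use voku\helper\AntiXSS;

final class ProjectAntiXssPolicyTest extends TestCase
{
    /** @var AntiXSS */
    private $antiXss;

    protected function setUp()
    {
        $this->antiXss = new AntiXSS();
        // Project policy (assumed): embedded iframes are allowed (example 7);
        // style attributes stay on the evil list (example 5.1).
        $this->antiXss->removeEvilHtmlTags(array('iframe'));
    }

    public function payloadProvider()
    {
        return array(
            'plain script tag (example 1)' => array("Hello, i try to <script>alert('Hack');</script> your site"),
            'hex-encoded javascript: URI (example 2)' => array("<IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>"),
            'javascript: inside CSS url() (example 5.1)' => array('<li style="list-style-image: url(javascript:alert(0))">'),
            'event handler on an allowed tag (example 7)' => array('<iframe src="https://www.youtube.com/embed/foobar" onclick="alert(\'xss\')"></iframe>'),
        );
    }

    /**
     * @dataProvider payloadProvider
     */
    public function testPayloadIsDetectedAndNeutralised($payload)
    {
        $clean = $this->antiXss->xss_clean($payload);

        $this->assertTrue($this->antiXss->isXssFound(), 'filter should report that it removed something');
        // Negative checks on the output rather than exact strings: the README
        // shows the shape of the result, not a byte-for-byte contract.
        $this->assertSame(0, preg_match('/<script/i', $clean));
        $this->assertSame(0, preg_match('/javascript\s*:/i', $clean));
        $this->assertSame(0, preg_match('/\bon[a-z]+\s*=/i', $clean));
    }

    public function testAllowedIframeSurvivesCleaning()
    {
        $html = '<iframe width="560" height="315" src="https://www.youtube.com/embed/foobar" frameborder="0" allowfullscreen></iframe>';
        $clean = $this->antiXss->xss_clean($html);

        $this->assertNotFalse(strpos($clean, '<iframe'));
        $this->assertNotFalse(strpos($clean, 'src="https://www.youtube.com/embed/foobar"'));
    }
}
```

The negative assertions (no `<script`, no `javascript:`, no `on*=` attribute) are deliberately looser than the exact outputs printed in the README examples, so the test survives harmless changes to entity encoding or whitespace while still failing if a payload comes through intact.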
Files (26):

  .editorconfig
  .scrutinizer.yml
  .styleci.yml
  .travis.yml
  CHANGELOG.md
  circle.yml
  composer.json
  LICENSE
  phpunit.xml
  README.md
  src/voku/helper/AntiXSS.php              Class source
  tests/bootstrap.php                      Test bootstrap script
  tests/DOMPurifyTest.php
  tests/JsXssTest.php
  tests/LaravelSecurityTest.php
  tests/LibFilterSecurityTest.php
  tests/XssArrayTest.php
  tests/XssTest.php
  tests/fixtures/expect.json
  tests/fixtures/xss_no_v1.html
  tests/fixtures/xss_no_v1_clean.html
  tests/fixtures/xss_v1.svg
  tests/fixtures/xss_v1_clean.html
  tests/fixtures/xss_v1_clean.svg
  tests/fixtures/xss_v2.svg
  tests/fixtures/xss_v2_clean.svg

Download: anti-xss-2017-12-01.zip (79KB), anti-xss-2017-12-01.tar.gz, or install with Composer

Needed packages:

  Portable UTF-8 - string handling (required)
User Comments (1)
muabshir (1 year ago): nice