voku/anti-xss

anti xss-library

, _(*1)

, _(*2)

:secret: AntiXSS

"Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications. XSS enables attackers to inject client-side script into Web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same origin policy. Cross-site scripting carried out on websites accounted for roughly 84% of all security vulnerabilities documented by Symantec as of 2007." - http://en.wikipedia.org/wiki/Cross-site_scripting, _(*3)

DEMO:

http://anti-xss-demo.suckup.de/, _(*4)

NOTES:

1) Use filter_input() - don't use GLOBAL-Array (e.g. $_SESSION, $_GET, $_POST, $_SERVER) directly, _(*5)

2) Use html-sanitizer or HTML Purifier if you need a more configurable solution, _(*6)

3) Add "Content Security Policy's" -> Introduction to Content Security Policy, _(*7)

4) DO NOT WRITE YOUR OWN REGEX TO PARSE HTML!, _(*8)

5) READ THIS TEXT -> XSS (Cross Site Scripting) Prevention Cheat Sheet, _(*9)

6) TEST THIS TOOL -> Zed Attack Proxy (ZAP), _(*10)

Install via "composer require"

composer require voku/anti-xss

Usage:

use voku\helper\AntiXSS;

require_once __DIR__ . '/vendor/autoload.php'; // example path

$antiXss = new AntiXSS();

Example 1: (HTML Character), _(*11)

$harm_string = "Hello, i try to  your site";
$harmless_string = $antiXss->xss_clean($harm_string);

// Hello, i try to alert('Hack'); your site

Example 2: (Hexadecimal HTML Character), _(*12)

$harm_string = "<IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>";
$harmless_string = $antiXss->xss_clean($harm_string);

// <IMG >

Example 3: (Unicode Hex Character), _(*13)

$harm_string = "<a href='&#x2000;javascript:alert(1)'>CLICK</a>";
$harmless_string = $antiXss->xss_clean($harm_string);

// <a >CLICK</a>

Example 4: (Unicode Character), _(*14)

$harm_string = "<a href=\"\u0001java\u0003script:alert(1)\">CLICK<a>";
$harmless_string = $antiXss->xss_clean($harm_string);

// <a >CLICK</a>

Example 5.1: (non Inline CSS), _(*15)

$harm_string = '<li style="list-style-image: url(javascript:alert(0))">';
$harmless_string = $antiXss->xss_clean($harm_string);

// <li >

Example 5.2: (with Inline CSS), _(*16)

$harm_string = '<li style="list-style-image: url(javascript:alert(0))">';
$antiXss->removeEvilAttributes(array('style')); // allow style-attributes
$harmless_string = $antiXss->xss_clean($harm_string);

// <li style="list-style-image: url(alert&#40;0&#41;)">

Example 6: (check if an string contains a XSS attack), _(*17)

$harm_string = "\x3cscript src=http://www.example.com/malicious-code.js\x3e\x3c/script\x3e";
$harmless_string = $antiXss->xss_clean($harm_string);

// 

$antiXss->isXssFound(); 

// true

Example 7: (allow e.g. iframes), _(*18)

$harm_string = "



";

$antiXss->removeEvilHtmlTags(array('iframe'));

$harmless_string = $antiXss->xss_clean($harm_string);

// 

Unit Test:

1) Composer is a prerequisite for running the tests., _(*19)

composer install

2) The tests can be executed by running this command from the root directory:, _(*20)

./vendor/bin/phpunit

AntiXss methods

, _(*21)

addDoNotCloseHtmlTags(string[] $strings): $this

↑ Add some strings to the "_do_not_close_html_tags"-array., _(*22)

Parameters: - string[] $strings, _(*23)

Return: - $this, _(*24)

addEvilAttributes(string[] $strings): $this

↑ Add some strings to the "_evil_attributes"-array., _(*25)

Parameters: - string[] $strings, _(*26)

Return: - $this, _(*27)

addEvilHtmlTags(string[] $strings): $this

↑ Add some strings to the "_evil_html_tags"-array., _(*28)

Parameters: - string[] $strings, _(*29)

Return: - $this, _(*30)

addNeverAllowedCallStrings(string[] $strings): $this

↑ Add some strings to the "_never_allowed_call_strings"-array., _(*31)

Parameters: - string[] $strings, _(*32)

Return: - $this, _(*33)

addNeverAllowedJsCallbackRegex(string[] $strings): $this

↑ Add some strings to the "_never_allowed_js_callback_regex"-array., _(*34)

Parameters: - string[] $strings, _(*35)

Return: - $this, _(*36)

addNeverAllowedOnEventsAfterwards(string[] $strings): $this

↑ Add some strings to the "_never_allowed_on_events_afterwards"-array., _(*37)

Parameters: - string[] $strings, _(*38)

Return: - $this, _(*39)

addNeverAllowedRegex(string[] $strings): $this

↑ Add some strings to the "_never_allowed_regex"-array., _(*40)

Parameters: - string[] $strings, _(*41)

Return: - $this, _(*42)

addNeverAllowedStrAfterwards(string[] $strings): $this

↑ Add some strings to the "_never_allowed_str_afterwards"-array., _(*43)

Parameters: - string[] $strings, _(*44)

Return: - $this, _(*45)

isXssFound(): bool|null

↑ Check if the "AntiXSS->xss_clean()"-method found an XSS attack in the last run., _(*46)

Parameters: nothing, _(*47)

Return: - bool|null <p>Will return null if the "xss_clean()" wasn't running at all.</p>, _(*48)

removeDoNotCloseHtmlTags(string[] $strings): $this

↑ Remove some strings from the "_do_not_close_html_tags"-array., _(*49)

WARNING: Use this method only if you have a really good reason. , _(*50)

Parameters: - string[] $strings, _(*51)

Return: - $this, _(*52)

removeEvilAttributes(string[] $strings): $this

↑ Remove some strings from the "_evil_attributes"-array., _(*53)

WARNING: Use this method only if you have a really good reason. , _(*54)

Parameters: - string[] $strings, _(*55)

Return: - $this, _(*56)

removeEvilHtmlTags(string[] $strings): $this

↑ Remove some strings from the "_evil_html_tags"-array., _(*57)

WARNING: Use this method only if you have a really good reason. , _(*58)

Parameters: - string[] $strings, _(*59)

Return: - $this, _(*60)

removeNeverAllowedCallStrings(string[] $strings): $this

↑ Remove some strings from the "_never_allowed_call_strings"-array., _(*61)

WARNING: Use this method only if you have a really good reason. , _(*62)

Parameters: - string[] $strings, _(*63)

Return: - $this, _(*64)

removeNeverAllowedJsCallbackRegex(string[] $strings): $this

↑ Remove some strings from the "_never_allowed_js_callback_regex"-array., _(*65)

WARNING: Use this method only if you have a really good reason. , _(*66)

Parameters: - string[] $strings, _(*67)

Return: - $this, _(*68)

removeNeverAllowedOnEventsAfterwards(string[] $strings): $this

↑ Remove some strings from the "_never_allowed_on_events_afterwards"-array., _(*69)

WARNING: Use this method only if you have a really good reason. , _(*70)

Parameters: - string[] $strings, _(*71)

Return: - $this, _(*72)

removeNeverAllowedRegex(string[] $strings): $this

↑ Remove some strings from the "_never_allowed_regex"-array., _(*73)

WARNING: Use this method only if you have a really good reason. , _(*74)

Parameters: - string[] $strings, _(*75)

Return: - $this, _(*76)

removeNeverAllowedStrAfterwards(string[] $strings): $this

↑ Remove some strings from the "_never_allowed_str_afterwards"-array., _(*77)

WARNING: Use this method only if you have a really good reason. , _(*78)

Parameters: - string[] $strings, _(*79)

Return: - $this, _(*80)

setReplacement(string $string): $this

↑ Set the replacement-string for not allowed strings., _(*81)

Parameters: - string $string, _(*82)

Return: - $this, _(*83)

setStripe4byteChars(bool $bool): $this

↑ Set the option to stripe 4-Byte chars., _(*84)

INFO: use it if your DB (MySQL) can't use "utf8mb4" -> preventing stored XSS-attacks , _(*85)

Parameters: - bool $bool, _(*86)

Return: - $this, _(*87)

xss_clean(string|string[] $str): string|string[]

↑ XSS Clean, _(*88)

Sanitizes data so that "Cross Site Scripting" hacks can be prevented. This method does a fair amount of work but it is extremely thorough, designed to prevent even the most obscure XSS attempts. But keep in mind that nothing is ever 100% foolproof... , _(*89)

Note: Should only be used to deal with data upon submission. It's not something that should be used for general runtime processing. , _(*90)

Parameters: - TXssCleanInput $str <p>input data e.g. string or array of strings</p>, _(*91)

Return: - string|string[], _(*92)

Support

For support and donations please visit Github | Issues | PayPal | Patreon., _(*93)

For status updates and release announcements please visit Releases | Twitter | Patreon., _(*94)

For professional support please contact me., _(*95)

Thanks

• Thanks to GitHub (Microsoft) for hosting the code and a good infrastructure including Issues-Managment, etc.
• Thanks to IntelliJ as they make the best IDEs for PHP and they gave me an open source license for PhpStorm!
• Thanks to Travis CI for being the most awesome, easiest continous integration tool out there!
• Thanks to StyleCI for the simple but powerfull code style check.
• Thanks to PHPStan && Psalm for relly great Static analysis tools and for discover bugs in the code!

License

, _(*96)