Skip to content
forked from voku/anti-xss

iHasco branch "php83" forks voku tag v4.1.35

License

Notifications You must be signed in to change notification settings

ihasco/anti-xss

 
 

Repository files navigation

SWUbanner

Build Status codecov.io Codacy Badge Latest Stable Version Total Downloads License Donate to this project using Paypal Donate to this project using Patreon

㊙️ AntiXSS

"Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications. XSS enables attackers to inject client-side script into Web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same origin policy. Cross-site scripting carried out on websites accounted for roughly 84% of all security vulnerabilities documented by Symantec as of 2007." - http://en.wikipedia.org/wiki/Cross-site_scripting

DEMO:

http://anti-xss-demo.suckup.de/

NOTES:

  1. Use filter_input() - don't use GLOBAL-Array (e.g. $_SESSION, $_GET, $_POST, $_SERVER) directly

  2. Use html-sanitizer or HTML Purifier if you need a more configurable solution

  3. Add "Content Security Policy's" -> Introduction to Content Security Policy

  4. DO NOT WRITE YOUR OWN REGEX TO PARSE HTML!

  5. READ THIS TEXT -> XSS (Cross Site Scripting) Prevention Cheat Sheet

  6. TEST THIS TOOL -> Zed Attack Proxy (ZAP)

Install via "composer require"

composer require voku/anti-xss

Usage:

use voku\helper\AntiXSS;

require_once __DIR__ . '/vendor/autoload.php'; // example path

$antiXss = new AntiXSS();

Example 1: (HTML Character)

$harm_string = "Hello, i try to <script>alert('Hack');</script> your site";
$harmless_string = $antiXss->xss_clean($harm_string);

// Hello, i try to alert&#40;'Hack'&#41;; your site

Example 2: (Hexadecimal HTML Character)

$harm_string = "<IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>";
$harmless_string = $antiXss->xss_clean($harm_string);
    
// <IMG >

Example 3: (Unicode Hex Character)

$harm_string = "<a href='&#x2000;javascript:alert(1)'>CLICK</a>";
$harmless_string = $antiXss->xss_clean($harm_string);
    
// <a >CLICK</a>

Example 4: (Unicode Character)

$harm_string = "<a href=\"\u0001java\u0003script:alert(1)\">CLICK<a>";
$harmless_string = $antiXss->xss_clean($harm_string);
    
// <a >CLICK</a>

Example 5.1: (non Inline CSS)

$harm_string = '<li style="list-style-image: url(javascript:alert(0))">';
$harmless_string = $antiXss->xss_clean($harm_string);

// <li >

Example 5.2: (with Inline CSS)

$harm_string = '<li style="list-style-image: url(javascript:alert(0))">';
$antiXss->removeEvilAttributes(array('style')); // allow style-attributes
$harmless_string = $antiXss->xss_clean($harm_string);

// <li style="list-style-image: url(alert&#40;0&#41;)">

Example 6: (check if an string contains a XSS attack)

$harm_string = "\x3cscript src=http://www.example.com/malicious-code.js\x3e\x3c/script\x3e";
$harmless_string = $antiXss->xss_clean($harm_string);

// 

$antiXss->isXssFound(); 

// true

Example 7: (allow e.g. iframes)

$harm_string = "<iframe width="560" onclick="alert('xss')" height="315" src="https://www.youtube.com/embed/foobar?rel=0&controls=0&showinfo=0" frameborder="0" allowfullscreen></iframe>";

$antiXss->removeEvilHtmlTags(array('iframe'));

$harmless_string = $antiXss->xss_clean($harm_string);

// <iframe width="560"  height="315" src="https://www.youtube.com/embed/foobar?rel=0&controls=0&showinfo=0" frameborder="0" allowfullscreen></iframe>

Unit Test:

  1. Composer is a prerequisite for running the tests.
composer install
  1. The tests can be executed by running this command from the root directory:
./vendor/bin/phpunit

AntiXss methods

addDoNotCloseHtmlTags addEvilAttributes addEvilHtmlTags addNeverAllowedCallStrings
addNeverAllowedJsCallbackRegex addNeverAllowedOnEventsAfterwards addNeverAllowedRegex addNeverAllowedStrAfterwards
isXssFound removeDoNotCloseHtmlTags removeEvilAttributes removeEvilHtmlTags
removeNeverAllowedCallStrings removeNeverAllowedJsCallbackRegex removeNeverAllowedOnEventsAfterwards removeNeverAllowedRegex
removeNeverAllowedStrAfterwards setReplacement setStripe4byteChars xss_clean

addDoNotCloseHtmlTags(string[] $strings): $this

Add some strings to the "_do_not_close_html_tags"-array.

Parameters:

  • string[] $strings

Return:

  • $this

addEvilAttributes(string[] $strings): $this

Add some strings to the "_evil_attributes"-array.

Parameters:

  • string[] $strings

Return:

  • $this

addEvilHtmlTags(string[] $strings): $this

Add some strings to the "_evil_html_tags"-array.

Parameters:

  • string[] $strings

Return:

  • $this

addNeverAllowedCallStrings(string[] $strings): $this

Add some strings to the "_never_allowed_call_strings"-array.

Parameters:

  • string[] $strings

Return:

  • $this

addNeverAllowedJsCallbackRegex(string[] $strings): $this

Add some strings to the "_never_allowed_js_callback_regex"-array.

Parameters:

  • string[] $strings

Return:

  • $this

addNeverAllowedOnEventsAfterwards(string[] $strings): $this

Add some strings to the "_never_allowed_on_events_afterwards"-array.

Parameters:

  • string[] $strings

Return:

  • $this

addNeverAllowedRegex(string[] $strings): $this

Add some strings to the "_never_allowed_regex"-array.

Parameters:

  • string[] $strings

Return:

  • $this

addNeverAllowedStrAfterwards(string[] $strings): $this

Add some strings to the "_never_allowed_str_afterwards"-array.

Parameters:

  • string[] $strings

Return:

  • $this

isXssFound(): bool|null

Check if the "AntiXSS->xss_clean()"-method found an XSS attack in the last run.

Parameters: nothing

Return:

  • bool|null <p>Will return null if the "xss_clean()" wasn't running at all.</p>

removeDoNotCloseHtmlTags(string[] $strings): $this

Remove some strings from the "_do_not_close_html_tags"-array.


WARNING: Use this method only if you have a really good reason.

Parameters:

  • string[] $strings

Return:

  • $this

removeEvilAttributes(string[] $strings): $this

Remove some strings from the "_evil_attributes"-array.


WARNING: Use this method only if you have a really good reason.

Parameters:

  • string[] $strings

Return:

  • $this

removeEvilHtmlTags(string[] $strings): $this

Remove some strings from the "_evil_html_tags"-array.


WARNING: Use this method only if you have a really good reason.

Parameters:

  • string[] $strings

Return:

  • $this

removeNeverAllowedCallStrings(string[] $strings): $this

Remove some strings from the "_never_allowed_call_strings"-array.


WARNING: Use this method only if you have a really good reason.

Parameters:

  • string[] $strings

Return:

  • $this

removeNeverAllowedJsCallbackRegex(string[] $strings): $this

Remove some strings from the "_never_allowed_js_callback_regex"-array.


WARNING: Use this method only if you have a really good reason.

Parameters:

  • string[] $strings

Return:

  • $this

removeNeverAllowedOnEventsAfterwards(string[] $strings): $this

Remove some strings from the "_never_allowed_on_events_afterwards"-array.


WARNING: Use this method only if you have a really good reason.

Parameters:

  • string[] $strings

Return:

  • $this

removeNeverAllowedRegex(string[] $strings): $this

Remove some strings from the "_never_allowed_regex"-array.


WARNING: Use this method only if you have a really good reason.

Parameters:

  • string[] $strings

Return:

  • $this

removeNeverAllowedStrAfterwards(string[] $strings): $this

Remove some strings from the "_never_allowed_str_afterwards"-array.


WARNING: Use this method only if you have a really good reason.

Parameters:

  • string[] $strings

Return:

  • $this

setReplacement(string $string): $this

Set the replacement-string for not allowed strings.

Parameters:

  • string $string

Return:

  • $this

setStripe4byteChars(bool $bool): $this

Set the option to stripe 4-Byte chars.


INFO: use it if your DB (MySQL) can't use "utf8mb4" -> preventing stored XSS-attacks

Parameters:

  • bool $bool

Return:

  • $this

xss_clean(string|string[] $str): string|string[]

XSS Clean


Sanitizes data so that "Cross Site Scripting" hacks can be prevented. This method does a fair amount of work but it is extremely thorough, designed to prevent even the most obscure XSS attempts. But keep in mind that nothing is ever 100% foolproof...


Note: Should only be used to deal with data upon submission. It's not something that should be used for general runtime processing.

Parameters:

  • TXssCleanInput $str <p>input data e.g. string or array of strings</p>

Return:

  • string|string[]

Support

For support and donations please visit Github | Issues | PayPal | Patreon.

For status updates and release announcements please visit Releases | Twitter | Patreon.

For professional support please contact me.

Thanks

  • Thanks to GitHub (Microsoft) for hosting the code and a good infrastructure including Issues-Managment, etc.
  • Thanks to IntelliJ as they make the best IDEs for PHP and they gave me an open source license for PhpStorm!
  • Thanks to Travis CI for being the most awesome, easiest continous integration tool out there!
  • Thanks to StyleCI for the simple but powerfull code style check.
  • Thanks to PHPStan && Psalm for relly great Static analysis tools and for discover bugs in the code!

License

FOSSA Status

About

iHasco branch "php83" forks voku tag v4.1.35

Resources

License

Stars

Watchers

Forks

Packages

No packages published

Languages

  • PHP 100.0%