:secret: AntiXSS
"Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications. XSS enables
attackers to inject client-side script into Web pages viewed by other users. A cross-site scripting vulnerability may be
used by attackers to bypass access controls such as the same origin policy. Cross-site scripting carried out on websites
accounted for roughly 84% of all security vulnerabilities documented by Symantec as of 2007." - http://en.wikipedia.org/wiki/Cross-site_scripting
DEMO:
http://anti-xss-demo.suckup.de/
NOTES:
-
Use filter_input() - don't use GLOBAL-Array (e.g. $_SESSION, $_GET, $_POST, $_SERVER) directly
-
Use html-sanitizer or HTML Purifier if you need a more configurable solution
-
Add "Content Security Policy's" -> Introduction to Content Security Policy
-
DO NOT WRITE YOUR OWN REGEX TO PARSE HTML!
-
READ THIS TEXT -> XSS (Cross Site Scripting) Prevention Cheat Sheet
-
TEST THIS TOOL -> Zed Attack Proxy (ZAP)
Install via "composer require"
composer require voku/anti-xss
Usage:
use voku\helper\AntiXSS;
require_once __DIR__ . '/vendor/autoload.php'; // example path
$antiXss = new AntiXSS();
Example 1: (HTML Character)
$harm_string = "Hello, i try to <script>alert('Hack');</script> your site";
$harmless_string = $antiXss->xss_clean($harm_string);
// Hello, i try to alert('Hack'); your site
Example 2: (Hexadecimal HTML Character)
$harm_string = "<IMG SRC=javascript:alert('XSS')>";
$harmless_string = $antiXss->xss_clean($harm_string);
// <IMG >
Example 3: (Unicode Hex Character)
$harm_string = "<a href=' javascript:alert(1)'>CLICK</a>";
$harmless_string = $antiXss->xss_clean($harm_string);
// <a >CLICK</a>
Example 4: (Unicode Character)
$harm_string = "<a href=\"\u0001java\u0003script:alert(1)\">CLICK<a>";
$harmless_string = $antiXss->xss_clean($harm_string);
// <a >CLICK</a>
Example 5.1: (non Inline CSS)
$harm_string = '<li style="list-style-image: url(javascript:alert(0))">';
$harmless_string = $antiXss->xss_clean($harm_string);
// <li >
Example 5.2: (with Inline CSS)
$harm_string = '<li style="list-style-image: url(javascript:alert(0))">';
$antiXss->removeEvilAttributes(array('style')); // allow style-attributes
$harmless_string = $antiXss->xss_clean($harm_string);
// <li style="list-style-image: url(alert(0))">
Example 6: (check if an string contains a XSS attack)
$harm_string = "\x3cscript src=http://www.example.com/malicious-code.js\x3e\x3c/script\x3e";
$harmless_string = $antiXss->xss_clean($harm_string);
//
$antiXss->isXssFound();
// true
Example 7: (allow e.g. iframes)
$harm_string = "<iframe width="560" onclick="alert('xss')" height="315" src="https://www.youtube.com/embed/foobar?rel=0&controls=0&showinfo=0" frameborder="0" allowfullscreen></iframe>";
$antiXss->removeEvilHtmlTags(array('iframe'));
$harmless_string = $antiXss->xss_clean($harm_string);
// <iframe width="560" height="315" src="https://www.youtube.com/embed/foobar?rel=0&controls=0&showinfo=0" frameborder="0" allowfullscreen></iframe>
Unit Test:
- Composer is a prerequisite for running the tests.
composer install
- The tests can be executed by running this command from the root directory:
./vendor/bin/phpunit
Support
For support and donations please visit Github, Issues, PayPal, Patreon.
For status updates and release announcements please visit Releases, Twitter, Patreon.
For professional support please contact me.
Thanks
- Thanks to GitHub (Microsoft) for hosting the code and a good infrastructure including Issues-Managment, etc.
- Thanks to IntelliJ as they make the best IDEs for PHP and they gave me an open source license for PhpStorm!
- Thanks to Travis CI for being the most awesome, easiest continous integration tool out there!
- Thanks to StyleCI for the simple but powerfull code style check.
- Thanks to PHPStan && Psalm for relly great Static analysis tools and for discover bugs in the code!
License
