voku/anti-xss

GitHub: voku/anti-xss

A PHP library for cross-site scripting (XSS) protection that provides fine-grained input sanitization and detection methods.

Stars: 706 | Forks: 116

[![SWUbanner](https://static.pigsec.cn/wp-content/uploads/repos/2026/04/e1c4361537222815.svg)](https://github.com/vshymanskyy/StandWithUkraine/blob/main/docs/README.md) [![Build Status](https://static.pigsec.cn/wp-content/uploads/repos/2026/04/daccb2f512222816.svg)](https://github.com/voku/anti-xss/actions) [![codecov.io](http://codecov.io/github/voku/anti-xss/coverage.svg?branch=master)](http://codecov.io/github/voku/anti-xss?branch=master) [![Codacy Badge](https://api.codacy.com/project/badge/Grade/8e3c9da417124971b8d8e0c1046c24c7)](https://www.codacy.com/app/voku/anti-xss) [![Latest Stable Version](https://poser.pugx.org/voku/anti-xss/v/stable)](https://packagist.org/packages/voku/anti-xss) [![Total Downloads](https://poser.pugx.org/voku/anti-xss/downloads)](https://packagist.org/packages/voku/anti-xss) [![License](https://poser.pugx.org/voku/anti-xss/license)](https://packagist.org/packages/voku/anti-xss) [![Donate to this project using Paypal](https://img.shields.io/badge/paypal-donate-yellow.svg)](https://www.paypal.me/moelleken) [![Donate to this project using Patreon](https://img.shields.io/badge/patreon-donate-yellow.svg)](https://www.patreon.com/voku)

# :secret: AntiXSS

"Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications. XSS enables attackers to inject client-side script into Web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same origin policy. Cross-site scripting carried out on websites accounted for roughly 84% of all security vulnerabilities documented by Symantec as of 2007." - http://en.wikipedia.org/wiki/Cross-site_scripting

### DEMO:

[http://anti-xss-demo.suckup.de/](http://anti-xss-demo.suckup.de/)

### NOTES:

1. Use [filter_input()](http://php.net/manual/de/function.filter-input.php) - don't use GLOBAL-Array (e.g. $_SESSION, $_GET, $_POST, $_SERVER) directly
2. Use [html-sanitizer](https://github.com/tgalopin/html-sanitizer) or [HTML Purifier](http://htmlpurifier.org/) if you need a more configurable solution
3. Add "Content Security Policy's" -> [Introduction to Content Security Policy](http://www.html5rocks.com/en/tutorials/security/content-security-policy/)
4. DO NOT WRITE YOUR OWN REGEX TO PARSE HTML!
5. READ THIS TEXT -> [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.md)
6. TEST THIS TOOL -> [Zed Attack Proxy (ZAP)](https://github.com/zaproxy/zaproxy)

### Install via "composer require"

```shell
composer require voku/anti-xss
```

### Usage:

```php
use voku\helper\AntiXSS;

require_once __DIR__ . '/vendor/autoload.php'; // example path

$antiXss = new AntiXSS();
```

Example 1: (HTML Character)

```php
$harm_string = "Hello, i try to <script>alert('Hack');</script> your site";
$harmless_string = $antiXss->xss_clean($harm_string);

// Hello, i try to alert('Hack'); your site
```

Example 2: (Hexadecimal HTML Character)

```php
$harm_string = "";
$harmless_string = $antiXss->xss_clean($harm_string);

//
```

Example 3: (Unicode Hex Character)

```php
$harm_string = "CLICK";
$harmless_string = $antiXss->xss_clean($harm_string);

// CLICK
```

Example 4: (Unicode Character)

```php
$harm_string = "CLICK";
$harmless_string = $antiXss->xss_clean($harm_string);

// CLICK
```

Example 5.1: (non Inline CSS)

```php
$harm_string = '';
$harmless_string = $antiXss->xss_clean($harm_string);

//
```

Example 5.2: (with Inline CSS)

```php
$harm_string = '';
$antiXss->removeEvilAttributes(array('style')); // allow style-attributes
$harmless_string = $antiXss->xss_clean($harm_string);

//
```

Example 6: (check if a string contains an XSS attack)

```php
$harm_string = "\x3cscript src=http://www.example.com/malicious-code.js\x3e\x3c/script\x3e";
$harmless_string = $antiXss->xss_clean($harm_string);

//

$antiXss->isXssFound(); // true
```

Example 7: (allow e.g. iframes)

```php
$harm_string = "";
$antiXss->removeEvilHtmlTags(array('iframe'));
$harmless_string = $antiXss->xss_clean($harm_string);

//
```

### Unit tests:

1. [Composer](https://getcomposer.org) is a prerequisite for running the tests.

```shell
composer install
```

2. The tests can be executed by running this command from the root directory:

```shell
./vendor/bin/phpunit
```

## AntiXss methods
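The examples above each show one call in isolation. As an added example (not code from the anti-xss README or from the project), the following request handler ties together NOTE 1 (read input via `filter_input()`), NOTE 3 (send a Content Security Policy) and Example 6 (`isXssFound()` as a detection signal) in one flow. The form field name `comment`, the log message and the use of `error_log()` as the alerting channel are assumptions; when run from the command line, where there is no POST body, it falls back to the payload string from Example 6 as constructed input.

```php
<?php
// Added example, not part of the anti-xss README or the project itself.
// Assumes voku/anti-xss is installed via composer as shown above; the field
// name "comment" and the log message format are made up for this example.
declare(strict_types=1);

use voku\helper\AntiXSS;

require_once __DIR__ . '/vendor/autoload.php';

/**
 * Clean one submitted field and report whether the cleaner had to strip anything.
 *
 * @return array{clean: string, xss_found: bool}
 */
function cleanSubmittedField(AntiXSS $antiXss, string $raw): array
{
    $clean = $antiXss->xss_clean($raw);

    return [
        'clean'     => $clean,
        // isXssFound() describes the last xss_clean() run only, and is null
        // before any run, hence the strict comparison against true.
        'xss_found' => $antiXss->isXssFound() === true,
    ];
}

$antiXss = new AntiXSS();

// NOTE 1: go through filter_input() instead of touching $_POST directly.
// FILTER_UNSAFE_RAW hands the bytes over unchanged so the cleaner sees the original value.
$raw = filter_input(INPUT_POST, 'comment', FILTER_UNSAFE_RAW);
if (!is_string($raw)) {
    // No POST body (e.g. run from the CLI): use the payload from Example 6 as constructed input.
    $raw = PHP_SAPI === 'cli'
        ? "\x3cscript src=http://www.example.com/malicious-code.js\x3e\x3c/script\x3e"
        : '';
}

$result = cleanSubmittedField($antiXss, $raw);

if ($result['xss_found']) {
    // Detection hook: the request proceeds with the cleaned value, but a stripped
    // payload is worth a log line so that repeated attempts become visible.
    error_log(sprintf(
        'anti-xss: payload removed from field "comment" (client %s)',
        $_SERVER['REMOTE_ADDR'] ?? 'unknown'
    ));
}

// NOTE 3: a Content Security Policy is the second layer; the cleaner does not replace it.
if (PHP_SAPI !== 'cli') {
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'");
}

// xss_clean() is an input filter; contextual output encoding at render time is still required.
echo '<p>' . htmlspecialchars($result['clean'], ENT_QUOTES | ENT_HTML5, 'UTF-8') . "</p>\n";
echo 'xss found: ' . ($result['xss_found'] ? 'yes' : 'no') . "\n";
```

The point of the `xss_found` flag is operational rather than functional: the cleaned value is what gets stored either way, but the flag turns a silent strip into an event that can be counted per client or per field.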

    addDoNotCloseHtmlTags
    addEvilAttributes
    addEvilHtmlTags
    addNeverAllowedCallStrings
    addNeverAllowedJsCallbackRegex
    addNeverAllowedOnEventsAfterwards
    addNeverAllowedRegex
    addNeverAllowedStrAfterwards
    addNaughtyJavascriptPatterns
    isXssFound
    removeDoNotCloseHtmlTags
    removeEvilAttributes
    removeEvilHtmlTags
    removeNeverAllowedCallStrings
    removeNeverAllowedJsCallbackRegex
    removeNeverAllowedOnEventsAfterwards
    removeNeverAllowedRegex
    removeNeverAllowedStrAfterwards
    setKeepPreAndCodeTagContent
    setReplacement
    setStripe4byteChars
    xss_clean
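The `add*` and `set*` methods in the list above tune the cleaner's rule sets before `xss_clean()` runs. As an added example (not code from the anti-xss README or the project), the following builds a cleaner that makes stripped fragments visible, extends the evil-attribute and never-allowed lists, enables 4-byte stripping, and then cleans a whole submission as an array. The attribute name `data-config`, the `{{` marker, the `[removed]` replacement text and all sample field values are constructed for this example; that `addEvilAttributes()` matches a hyphenated attribute name literally is an assumption about the library.

```php
<?php
// Added example, not part of the anti-xss README or the project itself.
// Assumes voku/anti-xss is installed via composer; the attribute name
// "data-config", the "{{" marker, the replacement text and the sample
// submission below are all constructed.
declare(strict_types=1);

use voku\helper\AntiXSS;

require_once __DIR__ . '/vendor/autoload.php';

function buildConfiguredCleaner(): AntiXSS
{
    $antiXss = new AntiXSS();

    // Replace stripped fragments with a visible marker instead of deleting them
    // silently, so that cleaned records are easy to recognise later in storage.
    $antiXss->setReplacement('[removed]');

    // A custom attribute our own templates never emit (constructed name). Adding it
    // to the evil list drops it even though the default list does not know it.
    // Assumption: the library matches the hyphenated name literally.
    $antiXss->addEvilAttributes(['data-config']);

    // An application-specific literal that must never be stored (here: a template
    // delimiter, constructed); per the method name it is checked after the main pass.
    $antiXss->addNeverAllowedStrAfterwards(['{{']);

    // Per the README INFO note: strip 4-byte UTF-8 characters (e.g. emoji) when the
    // backing MySQL column is "utf8" rather than "utf8mb4". A legacy "utf8" column
    // truncates the value at the first 4-byte character, so the stored copy would differ
    // from what the cleaner checked; stripping first keeps the two consistent.
    $antiXss->setStripe4byteChars(true);

    return $antiXss;
}

/**
 * Clean a whole submission in one call; xss_clean() accepts an array of strings
 * and returns an array with the same keys.
 *
 * @param array<string, string> $fields
 * @return array<string, string>
 */
function cleanSubmission(AntiXSS $antiXss, array $fields): array
{
    /** @var array<string, string> $cleaned */
    $cleaned = $antiXss->xss_clean($fields);

    return $cleaned;
}

// Constructed sample submission.
$fields = [
    'title' => "Quarterly report \xF0\x9F\x93\x88",                    // contains a 4-byte char (chart emoji)
    'body'  => '<p onmouseover="alert(1)">Hello</p>',                  // inline event handler attribute
    'note'  => '<span data-config="x">{{ user.name }}</span>',         // custom attribute + banned marker
];

$antiXss = buildConfiguredCleaner();
$cleaned = cleanSubmission($antiXss, $fields);

foreach ($cleaned as $name => $value) {
    printf("%-5s => %s\n", $name, $value);
}

// isXssFound() reports on the last xss_clean() run, i.e. on the whole array above.
printf("xss found: %s\n", var_export($antiXss->isXssFound(), true));
```

Configure the instance once and reuse it: every `add*`/`set*` call mutates the object's rule sets, so a cleaner that had `removeEvilAttributes(array('style'))` applied for one form keeps allowing `style` for every later call on the same instance.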
## addDoNotCloseHtmlTags(string[] $strings): $this

Add some strings to the "_do_not_close_html_tags"-array.

**Parameters:**
- `string[] $strings`

**Return:**
- `$this`

## addEvilAttributes(string[] $strings): $this

Add some strings to the "_evil_attributes"-array.

**Parameters:**
- `string[] $strings`

**Return:**
- `$this`

## addEvilHtmlTags(string[] $strings): $this

Add some strings to the "_evil_html_tags"-array.

**Parameters:**
- `string[] $strings`

**Return:**
- `$this`

## addNeverAllowedCallStrings(string[] $strings): $this

Add some strings to the "_never_allowed_call_strings"-array.

**Parameters:**
- `string[] $strings`

**Return:**
- `$this`

## addNeverAllowedJsCallbackRegex(string[] $strings): $this

Add some strings to the "_never_allowed_js_callback_regex"-array.

**Parameters:**
- `string[] $strings`

**Return:**
- `$this`

## addNeverAllowedOnEventsAfterwards(string[] $strings): $this

Add some strings to the "_never_allowed_on_events_afterwards"-array.

**Parameters:**
- `string[] $strings`

**Return:**
- `$this`

## addNeverAllowedRegex(string[] $strings): $this

Add some strings to the "_never_allowed_regex"-array.

**Parameters:**
- `string[] $strings`

**Return:**
- `$this`

## addNeverAllowedStrAfterwards(string[] $strings): $this

Add some strings to the "_never_allowed_str_afterwards"-array.

**Parameters:**
- `string[] $strings`

**Return:**
- `$this`

## addNaughtyJavascriptPatterns(string[] $strings): $this

Add some strings to the "_naughty_javascript_patterns"-array.

**Parameters:**
- `string[] $strings`

**Return:**
- `$this`

## isXssFound(): bool|null

Check if the "AntiXSS->xss_clean()" method found an XSS attack in the last run.

**Parameters:**
__nothing__

**Return:**
- `bool|null` - Will return null if "xss_clean()" wasn't running at all.

## removeDoNotCloseHtmlTags(string[] $strings): $this

Remove some strings from the "_do_not_close_html_tags"-array.

WARNING: Use this method only if you have a really good reason.

**Parameters:**
- `string[] $strings`

**Return:**
- `$this`

## removeEvilAttributes(string[] $strings): $this

Remove some strings from the "_evil_attributes"-array.

WARNING: Use this method only if you have a really good reason.

**Parameters:**
- `string[] $strings`

**Return:**
- `$this`

## removeEvilHtmlTags(string[] $strings): $this

Remove some strings from the "_evil_html_tags"-array.

WARNING: Use this method only if you have a really good reason.

**Parameters:**
- `string[] $strings`

**Return:**
- `$this`

## removeNeverAllowedCallStrings(string[] $strings): $this

Remove some strings from the "_never_allowed_call_strings"-array.

WARNING: Use this method only if you have a really good reason.

**Parameters:**
- `string[] $strings`

**Return:**
- `$this`

## removeNeverAllowedJsCallbackRegex(string[] $strings): $this

Remove some strings from the "_never_allowed_js_callback_regex"-array.

WARNING: Use this method only if you have a really good reason.

**Parameters:**
- `string[] $strings`

**Return:**
- `$this`

## removeNeverAllowedOnEventsAfterwards(string[] $strings): $this

Remove some strings from the "_never_allowed_on_events_afterwards"-array.

WARNING: Use this method only if you have a really good reason.

**Parameters:**
- `string[] $strings`

**Return:**
- `$this`

## removeNeverAllowedRegex(string[] $strings): $this

Remove some strings from the "_never_allowed_regex"-array.

WARNING: Use this method only if you have a really good reason.

**Parameters:**
- `string[] $strings`

**Return:**
- `$this`

## removeNeverAllowedStrAfterwards(string[] $strings): $this

Remove some strings from the "_never_allowed_str_afterwards"-array.

WARNING: Use this method only if you have a really good reason.

**Parameters:**
- `string[] $strings`

**Return:**
- `$this`

## setReplacement(string $string): $this

Set the replacement-string for not allowed strings.

**Parameters:**
- `string $string`

**Return:**
- `$this`

## setKeepPreAndCodeTagContent(bool $bool): $this

Set the option to preserve content inside "pre" and "code" tags.

WARNING: Enable this only if you explicitly want literal code-like text in "pre" / "code" blocks to remain untouched.

**Parameters:**
- `bool $bool`

**Return:**
- `$this`

## setStripe4byteChars(bool $bool): $this

Set the option to strip 4-byte chars.

INFO: use it if your DB (MySQL) can't use "utf8mb4" -> preventing stored XSS-attacks

**Parameters:**
- `bool $bool`

**Return:**
- `$this`

## xss_clean(string|string[] $str): string|string[]

XSS Clean

Sanitizes data so that "Cross Site Scripting" hacks can be prevented. This method does a fair amount of work but it is extremely thorough, designed to prevent even the most obscure XSS attempts. But keep in mind that nothing is ever 100% foolproof...

Note: Should only be used to deal with data upon submission. It's not something that should be used for general runtime processing.

**Parameters:**
- `TXssCleanInput $str` - input data e.g. string or array of strings

**Return:**
- `string|string[]`

### Support

For support and donations please visit [Github](https://github.com/voku/anti-xss/) | [Issues](https://github.com/voku/anti-xss/issues) | [PayPal](https://paypal.me/moelleken) | [Patreon](https://www.patreon.com/voku).

For status updates and release announcements please visit [Releases](https://github.com/voku/anti-xss/releases) | [Twitter](http://codecov.io/github/voku/anti-xss/coverage.svg?branch=master) | [Patreon](https://www.patreon.com/voku/posts).

For professional support please contact [me](https://about.me/voku).

### Thanks

- Thanks to [GitHub](https://github.com) (Microsoft) for hosting the code and a good infrastructure including Issues-Management, etc.
- Thanks to [IntelliJ](https://www.jetbrains.com) as they make the best IDEs for PHP and they gave me an open source license for PhpStorm!
- Thanks to [Travis CI](https://travis-ci.com/) for being the most awesome, easiest continuous integration tool out there!
- Thanks to [StyleCI](https://styleci.io/) for the simple but powerful code style check.
- Thanks to [PHPStan](https://github.com/phpstan/phpstan) && [Psalm](https://github.com/vimeo/psalm) for really great static analysis tools and for discovering bugs in the code!

### License

[![FOSSA Status](https://app.fossa.io/api/projects/git%2Bgithub.com%2Fvoku%2Fanti-xss.svg?type=large)](https://app.fossa.io/projects/git%2Bgithub.com%2Fvoku%2Fanti-xss?ref=badge_large)