PHP Class voku\helper\AntiXSS

ported from "CodeIgniter"
Author: EllisLab Dev Team
Author: Lars Moelleken

Public Methods

Method Description
__construct ( ) __construct()
addEvilAttributes ( array $strings ) Add some strings to the "_evil_attributes"-array.
removeEvilAttributes ( array $strings ) Remove some strings from the "_evil_attributes"-array.
setReplacement ( string $string ) Set the replacement-string for not allowed strings.
setStripe4byteChars ( $bool ) Set the option to strip 4-byte chars.
xss_clean ( mixed $str ) : string | array | boolean XSS Clean

Private Methods

Method Description
_compact_exploded_words ( array $matches ) : string Compact Exploded Words
_decode_entity ( array $match ) : string HTML Entity Decode Callback
_do ( string $str ) : mixed
_do_never_allowed ( string $str ) : string Do Never Allowed
_do_never_allowed_afterwards ( string $str ) : string Do Never Allowed Afterwards
_entity_decode ( $str ) : string
_filter_attributes ( string $str ) : string Filter Attributes
_initNeverAllowedStr ( ) initialize _initNeverAllowedStr
_js_img_removal ( array $match ) : string JS Image Removal
_js_link_removal ( array $match ) : string JS Link Removal
_js_removal ( array $match, string $search ) : string JS Removal
_sanitize_naughty_html ( array $matches ) : string Sanitize Naughty HTML
compact_exploded_javascript ( string $str ) : string Compact any exploded words.
decode_string ( string $str ) : string Decode the HTML tags via "UTF8::html_entity_decode()" or the string via "UTF8::urldecode()".
make_php_tags_safe ( string $str ) : string Makes PHP tags safe.
remove_disallowed_javascript ( string $str ) : string Remove disallowed JavaScript in links or img tags. We used to do some version comparisons and use stripos(), but that is dog slow compared to these simplified non-capturing preg_match() calls, especially if the pattern exists in the string.
remove_evil_attributes ( string $str ) : string Remove Evil HTML Attributes (like event handlers and style)
sanitize_naughty_html ( string $str ) : string Sanitize naughty HTML elements
sanitize_naughty_javascript ( string $str ) : string Sanitize naughty scripting elements
xss_hash ( ) : string XSS Hash

Method Details

__construct() public method

__construct()
public __construct ( )

addEvilAttributes() public method

Add some strings to the "_evil_attributes"-array.
public addEvilAttributes ( array $strings )
$strings array

removeEvilAttributes() public method

WARNING: Use this method only if you have a really good reason.
public removeEvilAttributes ( array $strings )
$strings array

setReplacement() public method

Set the replacement-string for not allowed strings.
public setReplacement ( string $string )
$string string

setStripe4byteChars() public method

INFO: use this if your DB (MySQL) can't use "utf8mb4", to prevent stored XSS attacks.
public setStripe4byteChars ( $bool )
$bool

xss_clean() public method

Sanitizes data so that Cross Site Scripting Hacks can be prevented. This method does a fair amount of work but it is extremely thorough, designed to prevent even the most obscure XSS attempts. Nothing is ever 100% foolproof, of course, but I haven't been able to get anything past the filter. Note: Should only be used to deal with data upon submission. It's not something that should be used for general runtime processing.
public xss_clean ( mixed $str ) : string | array | boolean
$str mixed input data e.g. string or array
return string | array | boolean
  boolean: will return a boolean, if the "is_image"-parameter is true
  string: will return a string, if the input is a string
  array: will return an array, if the input is an array
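The following is an added usage example of the public methods listed above; it is not code from the voku/anti-xss project or its documentation. It assumes the library is installed through Composer (so that `vendor/autoload.php` exists), and the input data, the replacement marker and the extra attribute name `data-tracking` are constructed for illustration. It also adds a small `wasModified()` helper (not part of the library) so that a request whose input the filter had to change can be logged by the application.

```php
<?php
// Added example for voku\helper\AntiXSS (not the project's own code).
// Assumption: the library was installed via Composer and the autoloader is available.
require_once __DIR__ . '/vendor/autoload.php';

use voku\helper\AntiXSS;

$antiXss = new AntiXSS();

// Replace disallowed fragments with a visible marker instead of an empty string,
// so that filtered content is easy to spot in test output and logs.
$antiXss->setReplacement('[removed]');

// Extend the "_evil_attributes" list with an attribute this application never allows
// ("data-tracking" is a constructed example name, not a library default).
$antiXss->addEvilAttributes(['data-tracking']);

// Strip 4-byte UTF-8 characters when the backing MySQL column is "utf8" rather than "utf8mb4".
$antiXss->setStripe4byteChars(true);

// Constructed sample submission: a string field, a field with an event-handler attribute,
// and a nested array. xss_clean() accepts a string or an array and returns the same shape.
$submission = [
    'name'    => 'Alice <b>Smith</b>',
    'comment' => '<img src="x" onerror="alert(1)"> hello',
    'tags'    => ['php', '<script>alert(1)</script>'],
];

$clean = $antiXss->xss_clean($submission);

/**
 * Added helper (not part of AntiXSS): report whether the filter changed the input.
 * Strict comparison works for both strings and (nested) arrays.
 */
function wasModified($original, $cleaned): bool
{
    return $original !== $cleaned;
}

// Defensive check: when the filter had to alter the submitted data, record it so
// repeated attempts against the form can be reviewed later.
if (wasModified($submission, $clean)) {
    error_log('AntiXSS altered submitted data: ' . json_encode([
        'before' => $submission,
        'after'  => $clean,
    ]));
}

var_dump($clean);
```

Because `xss_clean()` is designed for data at submission time rather than on every render, the call sits where the form input is received; the cleaned value is what gets stored, and the `wasModified()` comparison gives the application a cheap signal for monitoring without depending on the library's internals.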