PHP Class voku\helper\AntiXSS

ported from "CodeIgniter"
Author: EllisLab Dev Team
Author: Lars Moelleken
Mostrar archivo Open project: voku/anti-xss Class Usage Examples

Public Methods

Method Description
__construct ( ) __construct()
addEvilAttributes ( array $strings ) Add some strings to the "_evil_attributes"-array.
removeEvilAttributes ( array $strings ) Remove some strings from the "_evil_attributes"-array.
setReplacement ( string $string ) Set the replacement-string for not allowed strings.
setStripe4byteChars ( $bool ) Set the option to stripe 4-Byte chars.
xss_clean ( mixed $str ) : string | array | boolean XSS Clean

Private Methods

Method Description
_compact_exploded_words ( array $matches ) : string Compact Exploded Words
_decode_entity ( array $match ) : string HTML Entity Decode Callback
_do ( string $str ) : mixed
_do_never_allowed ( string $str ) : string Do Never Allowed
_do_never_allowed_afterwards ( string $str ) : string Do Never Allowed Afterwards
_entity_decode ( $str ) : string
_filter_attributes ( string $str ) : string Filter Attributes
_initNeverAllowedStr ( ) initialize _initNeverAllowedStr
_js_img_removal ( array $match ) : string JS Image Removal
_js_link_removal ( array $match ) : string JS Link Removal
_js_removal ( array $match, string $search ) : string JS Removal
_sanitize_naughty_html ( array $matches ) : string Sanitize Naughty HTML
compact_exploded_javascript ( string $str ) : string Compact any exploded words.
decode_string ( string $str ) : string decode the html-tags via "UTF8::html_entity_decode()" or the string via "UTF8::urldecode()"
make_php_tags_safe ( string $str ) : string Makes PHP tags safe.
remove_disallowed_javascript ( string $str ) : string Remove disallowed Javascript in links or img tags We used to do some version comparisons and use of stripos(), but it is dog slow compared to these simplified non-capturing preg_match(), especially if the pattern exists in the string
remove_evil_attributes ( string $str ) : string Remove Evil HTML Attributes (like event handlers and style)
sanitize_naughty_html ( string $str ) : string Sanitize naughty HTML elements
sanitize_naughty_javascript ( string $str ) : string Sanitize naughty scripting elements
xss_hash ( ) : string XSS Hash

Method Details

__construct() public method

__construct()
public __construct ( )

addEvilAttributes() public method

Add some strings to the "_evil_attributes"-array.
public addEvilAttributes ( array $strings )
$strings array

removeEvilAttributes() public method

WARNING: Use this method only if you have a really good reason.
public removeEvilAttributes ( array $strings )
$strings array

setReplacement() public method

Set the replacement-string for not allowed strings.
public setReplacement ( string $string )
$string string

setStripe4byteChars() public method

INFO: use it if your DB (MySQL) can't use "utf8mb4" -> preventing stored XSS-attacks
public setStripe4byteChars ( $bool )
$bool

xss_clean() public method

Sanitizes data so that Cross Site Scripting Hacks can be prevented. This method does a fair amount of work but it is extremely thorough, designed to prevent even the most obscure XSS attempts. Nothing is ever 100% foolproof, of course, but I haven't been able to get anything passed the filter. Note: Should only be used to deal with data upon submission. It's not something that should be used for general runtime processing.
public xss_clean ( mixed $str ) : string | array | boolean
$str mixed input data e.g. string or array
return string | array | boolean boolean: will return a boolean, if the "is_image"-parameter is true string: will return a string, if the input is a string array: will return a array, if the input is a array