abacaphiliac / php-no-html
Safely encode content for rendering in an HTML document.
0.2.0
2016-08-12 00:42 UTC
Requires
- php: >=5.4
Requires (Dev)
- jakub-onderka/php-parallel-lint: ^0.9
- johnkary/phpunit-speedtrap: ^1.0
- phing/phing: ^2.14
- phpunit/phpunit: ^5.4|^4.8
- squizlabs/php_codesniffer: ^2.2
This package is auto-updated.
Last update: 2024-10-25 11:58:05 UTC
README
abacaphiliac/php-no-html
Description
Safely encode content for rendering in an HTML document.
Brief XSS Mitigation Guide
A quote from (Paragon Initiative's blog)[https://paragonie.com/blog/2015/06/preventing-xss-vulnerabilities-in-php-everything-you-need-know]:
- If your framework has a templating engine that offers automatic contextual filtering, use that.
echo htmlentities($string, ENT_QUOTES | ENT_HTML5, 'UTF-8');
is a safe and effective way to stop all XSS attacks on a UTF-8 encoded web page, but doesn't allow any HTML.- If your requirements allow you to use Markdown instead of HTML, don't use HTML.
- If you need to allow some HTML and aren't using a templating engine (see #1), use HTML Purifier.
Installation
composer require abacaphiliac/php-no-html
Usage
The following code is an example of an XSS exploit:
$userName = 'Bob"/><script>alert('XSS');</script>';
?><input name="UserName" value="<?=$value;?>" /><?php
Simply escape the value in the response to prevent the exploit:
$userName = 'Bob"/><script>alert('XSS');</script>';
?><input name="UserName" value="<?=\NoHtml\NoHtml::filter($value);?>" /><?php
Dependencies
See composer.json.
Contributing
composer update && vendor/bin/phing
This library attempts to comply with PSR-1, PSR-2, and PSR-4. If you notice compliance oversights, please send a patch via pull request.