voku / anti-xss
anti xss-library
Requires
- php: >=7.0.0
- voku/portable-utf8: ~6.1.0
Requires (Dev)
- phpunit/phpunit: ~7.0 || ~8.0 || ~9.0 || ~10.0 || ~11.0 || ~12.0
This package is auto-updated.
Last update: 2026-05-02 13:19:33 UTC
README
㊙️ AntiXSS
"Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications. XSS enables attackers to inject client-side script into Web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same origin policy. Cross-site scripting carried out on websites accounted for roughly 84% of all security vulnerabilities documented by Symantec as of 2007." - http://en.wikipedia.org/wiki/Cross-site_scripting
DEMO:
http://anti-xss-demo.suckup.de/
NOTES:
- Use filter_input() - don't read the superglobal arrays (e.g. $_SESSION, $_GET, $_POST, $_SERVER) directly
- Use html-sanitizer or HTML Purifier if you need a more configurable solution
- Add a Content Security Policy -> Introduction to Content Security Policy
- DO NOT WRITE YOUR OWN REGEX TO PARSE HTML!
- READ THIS TEXT -> XSS (Cross Site Scripting) Prevention Cheat Sheet
- TEST THIS TOOL -> Zed Attack Proxy (ZAP)
Disable automatic encoding changes
This package depends on voku/portable-utf8, which sets default_charset to UTF-8 via ini_set() during autoloading.
If you need to prevent this behavior, define the following constant before loading the Composer autoloader:
define('PORTABLE_UTF8__DISABLE_AUTO_ENCODING', true);
require_once __DIR__ . '/vendor/autoload.php';
Install via "composer require"
composer require voku/anti-xss
Usage:
use voku\helper\AntiXSS;
require_once __DIR__ . '/vendor/autoload.php'; // example path
$antiXss = new AntiXSS();
Example 1: (HTML Character)
$harm_string = "Hello, i try to <script>alert('Hack');</script> your site";
$harmless_string = $antiXss->xss_clean($harm_string);
// Hello, i try to alert('Hack'); your site
Example 2: (Hexadecimal HTML Character)
$harm_string = "<IMG SRC=javascript:alert('XSS')>";
$harmless_string = $antiXss->xss_clean($harm_string);
// <IMG >
Example 3: (Unicode Hex Character)
$harm_string = "<a href=' javascript:alert(1)'>CLICK</a>";
$harmless_string = $antiXss->xss_clean($harm_string);
// <a >CLICK</a>
Example 4: (Unicode Character)
// PHP's Unicode escape needs braces: "\u{0001}" is the control character, "\u0001" would stay literal text
$harm_string = "<a href=\"\u{0001}java\u{0003}script:alert(1)\">CLICK</a>";
$harmless_string = $antiXss->xss_clean($harm_string);
// <a >CLICK</a>
Example 5.1: (without inline CSS)
$harm_string = '<li style="list-style-image: url(javascript:alert(0))">';
$harmless_string = $antiXss->xss_clean($harm_string);
// <li >
Example 5.2: (with inline CSS)
$harm_string = '<li style="list-style-image: url(javascript:alert(0))">';
$antiXss->removeEvilAttributes(array('style')); // allow style-attributes
$harmless_string = $antiXss->xss_clean($harm_string);
// <li style="list-style-image: url(alert(0))">
Example 6: (check if a string contains an XSS attack)
$harm_string = "\x3cscript src=http://www.example.com/malicious-code.js\x3e\x3c/script\x3e";
$harmless_string = $antiXss->xss_clean($harm_string);
$antiXss->isXssFound(); // true
Example 7: (allow e.g. iframes)
// inner double quotes must be escaped inside a double-quoted PHP string
$harm_string = "<iframe width=\"560\" onclick=\"alert('xss')\" height=\"315\" src=\"https://www.youtube.com/embed/foobar?rel=0&controls=0&showinfo=0\" frameborder=\"0\" allowfullscreen></iframe>";
$antiXss->removeEvilHtmlTags(array('iframe'));
$harmless_string = $antiXss->xss_clean($harm_string);
// <iframe width="560" height="315" src="https://www.youtube.com/embed/foobar?rel=0&controls=0&showinfo=0" frameborder="0" allowfullscreen></iframe>
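The examples above each show one call in isolation. The following is an added example, not code from the anti-xss README or project, that ties them together the way a request handler would: the field is read with filter_input() as the notes recommend, isXssFound() is used as a detection signal for logging, and the relaxed allowlist from Example 7 is kept on a separate instance so it never leaks into general input handling. The field names "comment" and "embed" and the autoloader path are assumptions.

```php
<?php
// Added example (not from the AntiXSS README): clean a submitted field, record
// whether anything was stripped, and keep any allowlist widening on its own instance.
// Assumes the Composer autoloader at vendor/autoload.php; field names are made up.
declare(strict_types=1);

require_once __DIR__ . '/vendor/autoload.php';

use voku\helper\AntiXSS;

/**
 * Clean one submitted field and report whether an attack pattern was removed.
 *
 * @return array{clean: string, flagged: bool}
 */
function cleanField(AntiXSS $antiXss, string $raw): array
{
    $clean = $antiXss->xss_clean($raw);

    // isXssFound() reports on the last xss_clean() call; null means it never ran.
    $flagged = $antiXss->isXssFound() === true;

    return ['clean' => $clean, 'flagged' => $flagged];
}

// 1) Read input through filter_input() instead of touching $_POST directly.
//    filter_input() returns null when the field is missing and false on failure,
//    so anything that is not a string is treated as empty.
$rawComment = filter_input(INPUT_POST, 'comment', FILTER_UNSAFE_RAW);
$comment = is_string($rawComment) ? $rawComment : '';

$antiXss = new AntiXSS();
$result = cleanField($antiXss, $comment);

if ($result['flagged']) {
    // Detection signal: the cleaner removed something. Log the fact and the
    // request metadata, not the raw payload, so the log does not become a sink.
    $remote = filter_input(INPUT_SERVER, 'REMOTE_ADDR', FILTER_VALIDATE_IP);
    error_log(sprintf(
        'AntiXSS stripped content from field "comment" (remote=%s, raw_length=%d)',
        is_string($remote) ? $remote : 'unknown',
        strlen($comment)
    ));
}

// 2) A separately configured instance for the one field that legitimately
//    carries an <iframe> embed (README Example 7). The default-strict $antiXss
//    above stays untouched; only this instance has the tag allowlisted.
$embedCleaner = (new AntiXSS())->removeEvilHtmlTags(['iframe']);
$rawEmbed = filter_input(INPUT_POST, 'embed', FILTER_UNSAFE_RAW);
$safeEmbed = $embedCleaner->xss_clean(is_string($rawEmbed) ? $rawEmbed : '');

// 3) Sanitising on input does not replace output encoding at the sink (see the
//    README's pointer to the XSS Prevention Cheat Sheet). Plain text is encoded;
//    the embed field is the deliberate exception where HTML is the intended output.
echo '<p>' . htmlspecialchars($result['clean'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</p>';
echo '<div class="embed">' . $safeEmbed . '</div>';
```

Using two instances is the design point: removeEvilHtmlTags() and removeEvilAttributes() mutate the instance they are called on, so a single shared cleaner that was relaxed for one field would silently apply the weaker rules to every later xss_clean() call.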
Unit Test:
- Composer is a prerequisite for running the tests.
composer install
- The tests can be executed by running this command from the root directory:
XDEBUG_MODE=coverage ./vendor/bin/phpunit -c phpunit.xml
Mutation testing with static analysis:
CI runs Infection with PHPStan integration on the PHP 8.3 pull-request job. This uses infection.json5.dist and keeps the Infection dependency out of the default PHP 7.x install path.
To run the same toolchain locally on PHP 8.3+:
composer config --no-plugins allow-plugins.infection/extension-installer true
composer require --dev phpstan/phpstan:^2.1 infection/infection:^0.32.7 --no-update
composer update
XDEBUG_MODE=coverage ./vendor/bin/infection --configuration=infection.json5.dist
Prompt for future LLM dictionary checks
Use this prompt when you want an LLM to expand regression coverage around AntiXSS dictionaries without manually copying them into tests:
You are working in the voku/anti-xss repository.
1. Run the current PHPUnit suite first with:
XDEBUG_MODE=coverage ./vendor/bin/phpunit -c phpunit.xml
2. Inspect /src/voku/helper/AntiXSS.php for dictionary-style private arrays such as:
- _never_allowed_on_events_afterwards
- _evil_attributes_regex
- _naughty_javascript_patterns
- _naughty_javascript_patterns_strict
- _never_allowed_str_afterwards
3. For each dictionary that has a safe generic assertion shape, add or extend provider-based tests that iterate every current entry automatically.
4. Prefer reflection-backed test providers over copying the source dictionaries into test files, so newly added entries are covered automatically.
5. For each dictionary, test both the intended blocking behavior and at least one important boundary rule when relevant (for example strict vs. whitespace-separated JavaScript callbacks, or executable vs. non-executable event attribute forms).
6. Make the smallest possible production change only if the expanded dictionary coverage exposes a real regression.
7. Re-run PHPUnit after each small step and continue iterating across the targeted dictionaries until you find and fix at least one real regression for the task, or confirm that the remaining dictionaries are already covered.
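Steps 2 to 5 of the prompt describe a reflection-backed data provider that iterates a private dictionary. The following is an added example of that shape, not a test from the anti-xss repository. It assumes that "_never_allowed_on_events_afterwards" holds plain attribute names such as "onclick" (entries that are not simple identifiers are skipped, so the assumption is checked rather than relied on), that PHPUnit 9 or later is in use, and that the test namespace "voku\tests" is acceptable; adjust those to the real suite.

```php
<?php
// Added example (not part of the anti-xss test suite): a reflection-backed PHPUnit
// data provider that walks one private AntiXSS dictionary, so every entry, present
// or added later, gets a regression case without being copied into the test file.
// Assumption: "_never_allowed_on_events_afterwards" contains bare attribute names.
declare(strict_types=1);

namespace voku\tests; // assumed namespace

use PHPUnit\Framework\TestCase;
use ReflectionProperty;
use voku\helper\AntiXSS;

final class EventDictionaryCoverageTest extends TestCase
{
    /**
     * Yield each dictionary entry as its own named test case.
     *
     * @return iterable<string, array{string}>
     */
    public static function onEventProvider(): iterable
    {
        $prop = new ReflectionProperty(AntiXSS::class, '_never_allowed_on_events_afterwards');
        $prop->setAccessible(true); // required on PHP 7.x, a no-op on 8.1+

        /** @var string[] $entries */
        $entries = $prop->getValue(new AntiXSS());

        foreach ($entries as $entry) {
            // Boundary kept explicit: only bare attribute names are exercised here.
            // Anything else (e.g. a regex fragment) needs its own provider.
            if (\preg_match('/^[a-z][a-z0-9]*$/i', $entry) !== 1) {
                continue;
            }
            yield $entry => [$entry];
        }
    }

    /**
     * @dataProvider onEventProvider
     */
    public function testEventHandlerAttributeIsRemoved(string $attribute): void
    {
        $antiXss = new AntiXSS();

        // Constructed input: a harmless tag carrying one handler from the dictionary.
        $input  = '<div ' . $attribute . '="alert(1)">content</div>';
        $output = $antiXss->xss_clean($input);

        // Blocking behaviour: the handler must not survive as an attribute, and the
        // cleaner must report that it removed something (README Example 6).
        self::assertStringNotContainsStringIgnoringCase($attribute . '=', $output);
        self::assertTrue($antiXss->isXssFound());

        // The surrounding markup and text content should remain.
        self::assertStringContainsString('content', $output);
    }
}
```

Because the provider reads the live array, a new entry added to the dictionary in AntiXSS.php is picked up on the next run with no edit to the test, which is exactly the "newly added entries are covered automatically" property step 4 asks for.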
AntiXss methods
addDoNotCloseHtmlTags(string[] $strings): $this
↑ Add some strings to the "_do_not_close_html_tags"-array.
Parameters:
string[] $strings
Return:
$this
addEvilAttributes(string[] $strings): $this
↑ Add some strings to the "_evil_attributes"-array.
Parameters:
string[] $strings
Return:
$this
addEvilHtmlTags(string[] $strings): $this
↑ Add some strings to the "_evil_html_tags"-array.
Parameters:
string[] $strings
Return:
$this
addNeverAllowedCallStrings(string[] $strings): $this
↑ Add some strings to the "_never_allowed_call_strings"-array.
Parameters:
string[] $strings
Return:
$this
addNeverAllowedJsCallbackRegex(string[] $strings): $this
↑ Add some strings to the "_never_allowed_js_callback_regex"-array.
Parameters:
string[] $strings
Return:
$this
addNeverAllowedOnEventsAfterwards(string[] $strings): $this
↑ Add some strings to the "_never_allowed_on_events_afterwards"-array.
Parameters:
string[] $strings
Return:
$this
addNeverAllowedRegex(string[] $strings): $this
↑ Add some strings to the "_never_allowed_regex"-array.
Parameters:
string[] $strings
Return:
$this
addNeverAllowedStrAfterwards(string[] $strings): $this
↑ Add some strings to the "_never_allowed_str_afterwards"-array.
Parameters:
string[] $strings
Return:
$this
addNaughtyJavascriptPatterns(string[] $strings): $this
↑ Add some strings to the "_naughty_javascript_patterns"-array.
Parameters:
string[] $strings
Return:
$this
isXssFound(): bool|null
↑ Check if the "AntiXSS->xss_clean()"-method found an XSS attack in the last run.
Parameters: nothing
Return:
bool|null - will return null if "xss_clean()" wasn't running at all.
removeDoNotCloseHtmlTags(string[] $strings): $this
↑ Remove some strings from the "_do_not_close_html_tags"-array.
WARNING: Use this method only if you have a really good reason.
Parameters:
string[] $strings
Return:
$this
removeEvilAttributes(string[] $strings): $this
↑ Remove some strings from the "_evil_attributes"-array.
WARNING: Use this method only if you have a really good reason.
Parameters:
string[] $strings
Return:
$this
removeEvilHtmlTags(string[] $strings): $this
↑ Remove some strings from the "_evil_html_tags"-array.
WARNING: Use this method only if you have a really good reason.
Parameters:
string[] $strings
Return:
$this
removeNeverAllowedCallStrings(string[] $strings): $this
↑ Remove some strings from the "_never_allowed_call_strings"-array.
WARNING: Use this method only if you have a really good reason.
Parameters:
string[] $strings
Return:
$this
removeNeverAllowedJsCallbackRegex(string[] $strings): $this
↑ Remove some strings from the "_never_allowed_js_callback_regex"-array.
WARNING: Use this method only if you have a really good reason.
Parameters:
string[] $strings
Return:
$this
removeNeverAllowedOnEventsAfterwards(string[] $strings): $this
↑ Remove some strings from the "_never_allowed_on_events_afterwards"-array.
WARNING: Use this method only if you have a really good reason.
Parameters:
string[] $strings
Return:
$this
removeNeverAllowedRegex(string[] $strings): $this
↑ Remove some strings from the "_never_allowed_regex"-array.
WARNING: Use this method only if you have a really good reason.
Parameters:
string[] $strings
Return:
$this
removeNeverAllowedStrAfterwards(string[] $strings): $this
↑ Remove some strings from the "_never_allowed_str_afterwards"-array.
WARNING: Use this method only if you have a really good reason.
Parameters:
string[] $strings
Return:
$this
setReplacement(string $string): $this
↑ Set the replacement-string for not allowed strings.
Parameters:
string $string
Return:
$this
setKeepPreAndCodeTagContent(bool $bool): $this
↑ Set the option to preserve content inside "pre" and "code" tags.
WARNING: Enable this only if you explicitly want literal code-like text in "pre" / "code" blocks to remain untouched.
Parameters:
bool $bool
Return:
$this
setStripe4byteChars(bool $bool): $this
↑ Set the option to strip 4-byte characters.
INFO: use it if your DB (MySQL) can't use "utf8mb4", to prevent stored XSS attacks that rely on such characters being truncated or altered on insert.
Parameters:
bool $bool
Return:
$this
xss_clean(string|string[] $str): string|string[]
↑ XSS Clean
Sanitizes data so that "Cross Site Scripting" hacks can be prevented. This method does a fair amount of work but it is extremely thorough, designed to prevent even the most obscure XSS attempts. But keep in mind that nothing is ever 100% foolproof...
Note: Should only be used to deal with data upon submission. It's not something that should be used for general runtime processing.
Parameters:
TXssCleanInput $str - input data, e.g. a string or an array of strings
Return:
string|string[]
Support
For support and donations please visit Github | Issues | PayPal | Patreon.
For status updates and release announcements please visit Releases | Twitter | Patreon.
For professional support please contact me.
Thanks
- Thanks to GitHub (Microsoft) for hosting the code and a good infrastructure including issue management, etc.
- Thanks to IntelliJ as they make the best IDEs for PHP and they gave me an open source license for PhpStorm!
- Thanks to Travis CI for being the most awesome, easiest continuous integration tool out there!
- Thanks to StyleCI for the simple but powerful code style check.
- Thanks to PHPStan && Psalm for really great static analysis tools and for discovering bugs in the code!