added php download of membershipments

This commit is contained in:
Torsten Schulz
2023-12-27 10:40:24 +01:00
parent ea29b477f6
commit c622398357
2571 changed files with 350456 additions and 15 deletions

vendor/voku/anti-xss/CHANGELOG.md vendored Normal file

@@ -0,0 +1,237 @@
# Changelog
### 4.1.35 (2021-12-08)
- update "portable-utf8"
### 4.1.34 (2021-11-29)
- allow e.g. "< 1 year" (issue 83)
- fix false-positive issue (issue 85 | thx @gharlan)
### 4.1.33 (2021-10-04)
- fix errors in large strings
- fix "_xss_found" if xss string was found in array value
### 4.1.32 (2021-03-29)
- micro-optimize performance
- optimize phpdocs + use phpstan-syntax
### 4.1.31 (2020-12-02)
- optimize performance (thx @staabm)
- update vendor lib (Portable UTF-8)
### 4.1.30 (2020-11-12)
- update vendor lib (Portable UTF-8)
### 4.1.29 (2020-11-09)
- allow e.g. "<35%" (issue #62)
- allow to skip some html tags from auto closing (issue #63)
- run tests with PHP 8.0 rc3
### 4.1.28 (2020-08-28)
- fix allow base64 encoded images in <img>-tags (issue #61)
- fix performance issue of regex with "preg_match_all"
### 4.1.27 (2020-08-23)
- allow e.g. "< $2.20" (issue #60)
- optimize protection against HTML "script" tag stripping evasion
- auto-generate the api documentation into the README
### 4.1.26 (2020-08-08)
- allow base64 encoded images in <img>-tags (issue #59)
### 4.1.25 (2020-06-12)
- fix false-positive (issue #58)
### 4.1.24 (2020-03-08)
- allow to change the "_never_allowed_str_afterwards" (issue #56)
- fix false-positive (issue #55)
### 4.1.23 (2020-03-06)
- use some more bad strings from "https://github.com/s0md3v/AwesomeXSS"
- optimize some regex (use strpos before the regex)
### 4.1.22 (2020-02-06)
- fix false-positive (issue #54)
- optimize internal caching of strings
### 4.1.21 (2019-12-30)
- fix false-positive (issue #53)
- fix for "server-sent events"
- optimize regex for encoded script-tags (%3C && %3E)
### 4.1.20 (2019-12-07)
- fix additional false positives in string (issue #52)
- remove support for "Netscape 4 JS entities"
### 4.1.19 (2019-11-11)
- keep more non XSS content from html input
### 4.1.18 (2019-11-11)
- fix open tags problem e.g. "<img/"
### 4.1.17 (2019-11-08)
- add "addNeverAllowedRegex()"
- add "removeNeverAllowedRegex()"
### 4.1.16 (2019-11-03)
- fix replacing of "-->" (issue #50)
- update vendor lib (Portable UTF-8)
### 4.1.15 (2019-09-26)
- optimize regex
- update vendor lib (Portable UTF-8)
### 4.1.14 (2019-06-27)
- add "removeNeverAllowedOnEventsAfterwards()" && "addNeverAllowedOnEventsAfterwards()"
- update "_never_allowed_on_events_afterwards" -> add "onTouchend" + "onTouchLeave" + "onTouchMove" (thx @DmytroChymyrys)
- optimize phpdoc for array => string[]
### 4.1.13 (2019-06-08)
- fix replacing of false-positive xss words e.g. "<script@gmail.com>" (issue #44)
### 4.1.12 (2019-05-31)
- fix replacing of false-positive xss words e.g. "<video@gmail.com>" (issue #44)
### 4.1.11 (2019-05-28)
- fix replacing of false-positive xss words e.g. "<styler_tester@gmail.com>" (issue #44)
### 4.1.10 (2019-04-19)
- fix replacing of false-positive xss words e.g. "ANAMNESI E VAL!DEFINITE BREVI ORTO" (issue #43)
### 4.1.9 (2019-04-19)
- optimize the spacing regex
### 4.1.8 (2019-04-19)
- fix replacing of false-positive xss words e.g. "MONDRAGÓN" (issue #43)
### 4.1.7 (2019-04-19)
- fix replacing of false-positive xss words e.g. "DE VAL HERNANDEZ" (issue #43)
### 4.1.6 (2019-04-12)
- fix replacing of false-positive xss words e.g. "Mondragon" (issue #43)
### 4.1.5 (2019-02-13)
- fix issue with "()" in some html attributes (issue #41)
### 4.1.4 (2019-01-22)
- use new version of "Portable UTF8"
### 4.1.3 (2018-10-28)
- fix for url-decoded stored-xss
- fix return type (?string -> string)
### 4.1.2 (2018-09-13)
- use new version of "Portable UTF8"
- add some more event listener
- use PHPStan
### 4.1.1 (2018-04-26)
- "UTF7 repack corrected" | thx @alechner #34
### 4.1.0 (2018-04-17)
- keep the input value (+ encoding), if no xss was detected #32
### 4.0.3 (2018-04-12)
- fix "href is getting stripped" #30
### 4.0.2 (2018-02-14)
- fix "URL escaping bug" #29
### 4.0.1 (2018-01-07)
- fix usage of "Portable UTF8"
### 4.0.0 (2017-12-23)
- update "Portable UTF8" from v4 -> v5
-> this is a breaking change without API-changes - but the requirement
from "Portable UTF8" has been changed (it no longer requires all polyfills from Symfony)
### 3.1.0 (2017-11-21)
- add "_evil_html_tags" -> so you can remove / add html-tags
### 3.0.1 (2017-11-19)
- "php": ">=7.0"
* use "strict_types"
- simplify a regex
### 3.0.0 (2017-11-19)
- "php": ">=7.0"
* drop support for PHP < 7.0
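Review bot: The vendored copy freezes anti-xss at 4.1.35 (2021-12-08), the newest entry in this CHANGELOG, and because the library is committed into `vendor/` by hand rather than resolved from a lock file, `composer update` and `composer audit` will never see it; later upstream fixes to the filter (this log is almost entirely false-positive and evasion fixes, e.g. 4.1.27 "optimize protection against HTML "script" tag stripping evasion") would have to be copied in manually. Suggest recording the pinned version in the commit message and checking upstream for newer releases before merging, or better, declaring `voku/anti-xss` in the application's own `composer.json`/`composer.lock` and keeping `vendor/` out of the repository.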

vendor/voku/anti-xss/LICENSE vendored Normal file

@@ -0,0 +1,22 @@
The MIT License (MIT)
Copyright (c) 2015 Lars Moelleken
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
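Review bot: The license text names only Lars Moelleken, while the package's composer.json further down in this diff also lists "EllisLab Dev Team" as an author; since the tree is committed directly rather than installed by Composer, this LICENSE file is the only attribution record that ships with the code, and the MIT terms ("The above copyright notice and this permission notice shall be included in all copies") make keeping it next to the sources mandatory. Suggest confirming that this notice is all the upstream project requires and making sure the file is not dropped in a later cleanup of `vendor/`.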

vendor/voku/anti-xss/README.md vendored Normal file

@@ -0,0 +1,426 @@
[//]: # (AUTO-GENERATED BY "PHP README Helper": base file -> docs/base.md)
[![Build Status](https://github.com/voku/anti-xss/actions/workflows/ci.yml/badge.svg?branch=master)](https://github.com/voku/anti-xss/actions)
[![codecov.io](http://codecov.io/github/voku/anti-xss/coverage.svg?branch=master)](http://codecov.io/github/voku/anti-xss?branch=master)
[![Codacy Badge](https://api.codacy.com/project/badge/Grade/8e3c9da417124971b8d8e0c1046c24c7)](https://www.codacy.com/app/voku/anti-xss)
[![Latest Stable Version](https://poser.pugx.org/voku/anti-xss/v/stable)](https://packagist.org/packages/voku/anti-xss)
[![Total Downloads](https://poser.pugx.org/voku/anti-xss/downloads)](https://packagist.org/packages/voku/anti-xss)
[![License](https://poser.pugx.org/voku/anti-xss/license)](https://packagist.org/packages/voku/anti-xss)
[![Donate to this project using Paypal](https://img.shields.io/badge/paypal-donate-yellow.svg)](https://www.paypal.me/moelleken)
[![Donate to this project using Patreon](https://img.shields.io/badge/patreon-donate-yellow.svg)](https://www.patreon.com/voku)
# :secret: AntiXSS
"Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications. XSS enables
attackers to inject client-side script into Web pages viewed by other users. A cross-site scripting vulnerability may be
used by attackers to bypass access controls such as the same origin policy. Cross-site scripting carried out on websites
accounted for roughly 84% of all security vulnerabilities documented by Symantec as of 2007." - http://en.wikipedia.org/wiki/Cross-site_scripting
### DEMO:
[http://anti-xss-demo.suckup.de/](http://anti-xss-demo.suckup.de/)
### NOTES:
1) Use [filter_input()](http://php.net/manual/de/function.filter-input.php) - don't use GLOBAL-Array (e.g. $_SESSION, $_GET, $_POST, $_SERVER) directly
2) Use [html-sanitizer](https://github.com/tgalopin/html-sanitizer) or [HTML Purifier](http://htmlpurifier.org/) if you need a more configurable solution
3) Add "Content Security Policy's" -> [Introduction to Content Security Policy](http://www.html5rocks.com/en/tutorials/security/content-security-policy/)
4) DO NOT WRITE YOUR OWN REGEX TO PARSE HTML!
5) READ THIS TEXT -> [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.md)
6) TEST THIS TOOL -> [Zed Attack Proxy (ZAP)](https://github.com/zaproxy/zaproxy)
### Install via "composer require"
```shell
composer require voku/anti-xss
```
### Usage:
```php
use voku\helper\AntiXSS;
require_once __DIR__ . '/vendor/autoload.php'; // example path
$antiXss = new AntiXSS();
```
Example 1: (HTML Character)
```php
$harm_string = "Hello, i try to <script>alert('Hack');</script> your site";
$harmless_string = $antiXss->xss_clean($harm_string);
// Hello, i try to alert&#40;'Hack'&#41;; your site
```
Example 2: (Hexadecimal HTML Character)
```php
$harm_string = "<IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>";
$harmless_string = $antiXss->xss_clean($harm_string);
// <IMG >
```
Example 3: (Unicode Hex Character)
```php
$harm_string = "<a href='&#x2000;javascript:alert(1)'>CLICK</a>";
$harmless_string = $antiXss->xss_clean($harm_string);
// <a >CLICK</a>
```
Example 4: (Unicode Character)
```php
$harm_string = "<a href=\"\u0001java\u0003script:alert(1)\">CLICK<a>";
$harmless_string = $antiXss->xss_clean($harm_string);
// <a >CLICK</a>
```
Example 5.1: (non Inline CSS)
```php
$harm_string = '<li style="list-style-image: url(javascript:alert(0))">';
$harmless_string = $antiXss->xss_clean($harm_string);
// <li >
```
Example 5.2: (with Inline CSS)
```php
$harm_string = '<li style="list-style-image: url(javascript:alert(0))">';
$antiXss->removeEvilAttributes(array('style')); // allow style-attributes
$harmless_string = $antiXss->xss_clean($harm_string);
// <li style="list-style-image: url(alert&#40;0&#41;)">
```
Example 6: (check if an string contains a XSS attack)
```php
$harm_string = "\x3cscript src=http://www.example.com/malicious-code.js\x3e\x3c/script\x3e";
$harmless_string = $antiXss->xss_clean($harm_string);
//
$antiXss->isXssFound();
// true
```
Example 7: (allow e.g. iframes)
```php
$harm_string = "<iframe width="560" onclick="alert('xss')" height="315" src="https://www.youtube.com/embed/foobar?rel=0&controls=0&showinfo=0" frameborder="0" allowfullscreen></iframe>";
$antiXss->removeEvilHtmlTags(array('iframe'));
$harmless_string = $antiXss->xss_clean($harm_string);
// <iframe width="560" height="315" src="https://www.youtube.com/embed/foobar?rel=0&controls=0&showinfo=0" frameborder="0" allowfullscreen></iframe>
```
### Unit Test:
1) [Composer](https://getcomposer.org) is a prerequisite for running the tests.
```
composer install
```
2) The tests can be executed by running this command from the root directory:
```bash
./vendor/bin/phpunit
```
## AntiXss methods
<p id="voku-php-readme-class-methods"></p><table><tr><td><a href="#adddonotclosehtmltagsstring-strings-this">addDoNotCloseHtmlTags</a>
</td><td><a href="#addevilattributesstring-strings-this">addEvilAttributes</a>
</td><td><a href="#addevilhtmltagsstring-strings-this">addEvilHtmlTags</a>
</td><td><a href="#addneverallowedoneventsafterwardsstring-strings-this">addNeverAllowedOnEventsAfterwards</a>
</td></tr><tr><td><a href="#addneverallowedregexstring-strings-this">addNeverAllowedRegex</a>
</td><td><a href="#addneverallowedstrafterwardsstring-strings-this">addNeverAllowedStrAfterwards</a>
</td><td><a href="#isxssfound-boolnull">isXssFound</a>
</td><td><a href="#removedonotclosehtmltagsstring-strings-this">removeDoNotCloseHtmlTags</a>
</td></tr><tr><td><a href="#removeevilattributesstring-strings-this">removeEvilAttributes</a>
</td><td><a href="#removeevilhtmltagsstring-strings-this">removeEvilHtmlTags</a>
</td><td><a href="#removeneverallowedoneventsafterwardsstring-strings-this">removeNeverAllowedOnEventsAfterwards</a>
</td><td><a href="#removeneverallowedregexstring-strings-this">removeNeverAllowedRegex</a>
</td></tr><tr><td><a href="#removeneverallowedstrafterwardsstring-strings-this">removeNeverAllowedStrAfterwards</a>
</td><td><a href="#setreplacementstring-string-this">setReplacement</a>
</td><td><a href="#setstripe4bytecharsbool-bool-this">setStripe4byteChars</a>
</td><td><a href="#xss_cleanstringstring-str-stringstring">xss_clean</a>
</td></tr></table>
## addDoNotCloseHtmlTags(string[] $strings): $this
<a href="#voku-php-readme-class-methods">↑</a>
Add some strings to the "_do_not_close_html_tags"-array.
**Parameters:**
- `string[] $strings`
**Return:**
- `$this`
--------
## addEvilAttributes(string[] $strings): $this
<a href="#voku-php-readme-class-methods">↑</a>
Add some strings to the "_evil_attributes"-array.
**Parameters:**
- `string[] $strings`
**Return:**
- `$this`
--------
## addEvilHtmlTags(string[] $strings): $this
<a href="#voku-php-readme-class-methods">↑</a>
Add some strings to the "_evil_html_tags"-array.
**Parameters:**
- `string[] $strings`
**Return:**
- `$this`
--------
## addNeverAllowedOnEventsAfterwards(string[] $strings): $this
<a href="#voku-php-readme-class-methods">↑</a>
Add some strings to the "_never_allowed_on_events_afterwards"-array.
**Parameters:**
- `string[] $strings`
**Return:**
- `$this`
--------
## addNeverAllowedRegex(string[] $strings): $this
<a href="#voku-php-readme-class-methods">↑</a>
Add some strings to the "_never_allowed_regex"-array.
**Parameters:**
- `string[] $strings`
**Return:**
- `$this`
--------
## addNeverAllowedStrAfterwards(string[] $strings): $this
<a href="#voku-php-readme-class-methods">↑</a>
Add some strings to the "_never_allowed_str_afterwards"-array.
**Parameters:**
- `string[] $strings`
**Return:**
- `$this`
--------
## isXssFound(): bool|null
<a href="#voku-php-readme-class-methods">↑</a>
Check if the "AntiXSS->xss_clean()"-method found an XSS attack in the last run.
**Parameters:**
__nothing__
**Return:**
- `bool|null <p>Will return null if the "xss_clean()" wasn't running at all.</p>`
--------
## removeDoNotCloseHtmlTags(string[] $strings): $this
<a href="#voku-php-readme-class-methods">↑</a>
Remove some strings from the "_do_not_close_html_tags"-array.
<p>
<br />
WARNING: Use this method only if you have a really good reason.
</p>
**Parameters:**
- `string[] $strings`
**Return:**
- `$this`
--------
## removeEvilAttributes(string[] $strings): $this
<a href="#voku-php-readme-class-methods">↑</a>
Remove some strings from the "_evil_attributes"-array.
<p>
<br />
WARNING: Use this method only if you have a really good reason.
</p>
**Parameters:**
- `string[] $strings`
**Return:**
- `$this`
--------
## removeEvilHtmlTags(string[] $strings): $this
<a href="#voku-php-readme-class-methods">↑</a>
Remove some strings from the "_evil_html_tags"-array.
<p>
<br />
WARNING: Use this method only if you have a really good reason.
</p>
**Parameters:**
- `string[] $strings`
**Return:**
- `$this`
--------
## removeNeverAllowedOnEventsAfterwards(string[] $strings): $this
<a href="#voku-php-readme-class-methods">↑</a>
Remove some strings from the "_never_allowed_on_events_afterwards"-array.
<p>
<br />
WARNING: Use this method only if you have a really good reason.
</p>
**Parameters:**
- `string[] $strings`
**Return:**
- `$this`
--------
## removeNeverAllowedRegex(string[] $strings): $this
<a href="#voku-php-readme-class-methods">↑</a>
Remove some strings from the "_never_allowed_regex"-array.
<p>
<br />
WARNING: Use this method only if you have a really good reason.
</p>
**Parameters:**
- `string[] $strings`
**Return:**
- `$this`
--------
## removeNeverAllowedStrAfterwards(string[] $strings): $this
<a href="#voku-php-readme-class-methods">↑</a>
Remove some strings from the "_never_allowed_str_afterwards"-array.
<p>
<br />
WARNING: Use this method only if you have a really good reason.
</p>
**Parameters:**
- `string[] $strings`
**Return:**
- `$this`
--------
## setReplacement(string $string): $this
<a href="#voku-php-readme-class-methods">↑</a>
Set the replacement-string for not allowed strings.
**Parameters:**
- `string $string`
**Return:**
- `$this`
--------
## setStripe4byteChars(bool $bool): $this
<a href="#voku-php-readme-class-methods">↑</a>
Set the option to stripe 4-Byte chars.
<p>
<br />
INFO: use it if your DB (MySQL) can't use "utf8mb4" -> preventing stored XSS-attacks
</p>
**Parameters:**
- `bool $bool`
**Return:**
- `$this`
--------
## xss_clean(string|string[] $str): string|string[]
<a href="#voku-php-readme-class-methods">↑</a>
XSS Clean
<p>
<br />
Sanitizes data so that "Cross Site Scripting" hacks can be
prevented. This method does a fair amount of work but
it is extremely thorough, designed to prevent even the
most obscure XSS attempts. But keep in mind that nothing
is ever 100% foolproof...
</p>
<p>
<br />
<strong>Note:</strong> Should only be used to deal with data upon submission.
It's not something that should be used for general
runtime processing.
</p>
**Parameters:**
- `TXssCleanInput $str <p>input data e.g. string or array of strings</p>`
**Return:**
- `string|string[]`
--------
### Support
For support and donations please visit [Github](https://github.com/voku/anti-xss/) | [Issues](https://github.com/voku/anti-xss/issues) | [PayPal](https://paypal.me/moelleken) | [Patreon](https://www.patreon.com/voku).
For status updates and release announcements please visit [Releases](https://github.com/voku/anti-xss/releases) | [Twitter](https://twitter.com/suckup_de) | [Patreon](https://www.patreon.com/voku/posts).
For professional support please contact [me](https://about.me/voku).
### Thanks
- Thanks to [GitHub](https://github.com) (Microsoft) for hosting the code and a good infrastructure including Issues-Managment, etc.
- Thanks to [IntelliJ](https://www.jetbrains.com) as they make the best IDEs for PHP and they gave me an open source license for PhpStorm!
- Thanks to [Travis CI](https://travis-ci.com/) for being the most awesome, easiest continous integration tool out there!
- Thanks to [StyleCI](https://styleci.io/) for the simple but powerfull code style check.
- Thanks to [PHPStan](https://github.com/phpstan/phpstan) && [Psalm](https://github.com/vimeo/psalm) for relly great Static analysis tools and for discover bugs in the code!
### License
[![FOSSA Status](https://app.fossa.io/api/projects/git%2Bgithub.com%2Fvoku%2Fanti-xss.svg?type=large)](https://app.fossa.io/projects/git%2Bgithub.com%2Fvoku%2Fanti-xss?ref=badge_large)
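Review bot: The README itself scopes `xss_clean()` narrowly and the download feature this commit adds should respect that: the method doc says it "Should only be used to deal with data upon submission" and not for "general runtime processing", it is a best-effort blocklist ("nothing is ever 100% foolproof"), and the NOTES section points to html-sanitizer / HTML Purifier and a Content Security Policy for anything more configurable. So user-supplied values still need context-appropriate output encoding at the point where the download is rendered (e.g. `htmlspecialchars()` for HTML, or the correct quoting for whatever file format is generated); running `xss_clean()` on input is not a substitute. Also note that Example 7 in this README is not valid PHP as written (unescaped double quotes inside a double-quoted string), so copy the pattern, not the literal, if it gets reused in the application.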


@@ -0,0 +1,5 @@
{
"require-dev": {
"voku/php-readme-helper": "~0.6"
}
}
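Review bot: This `require-dev` block (`voku/php-readme-helper ~0.6`) belongs to the upstream project's documentation build, not to anything the application executes; vendoring `build/` adds a second, never-installed and never-audited `composer.json` inside `vendor/`. Suggest dropping `vendor/voku/anti-xss/build/` from the commit, or installing the package through Composer instead of copying the checkout, so that only the runtime sources under `src/` land in the tree.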

vendor/voku/anti-xss/build/docs/base.md vendored Normal file

@@ -0,0 +1,167 @@
[![Build Status](https://github.com/voku/anti-xss/actions/workflows/ci.yml/badge.svg?branch=master)](https://github.com/voku/anti-xss/actions)
[![codecov.io](http://codecov.io/github/voku/anti-xss/coverage.svg?branch=master)](http://codecov.io/github/voku/anti-xss?branch=master)
[![Codacy Badge](https://api.codacy.com/project/badge/Grade/8e3c9da417124971b8d8e0c1046c24c7)](https://www.codacy.com/app/voku/anti-xss)
[![Latest Stable Version](https://poser.pugx.org/voku/anti-xss/v/stable)](https://packagist.org/packages/voku/anti-xss)
[![Total Downloads](https://poser.pugx.org/voku/anti-xss/downloads)](https://packagist.org/packages/voku/anti-xss)
[![License](https://poser.pugx.org/voku/anti-xss/license)](https://packagist.org/packages/voku/anti-xss)
[![Donate to this project using Paypal](https://img.shields.io/badge/paypal-donate-yellow.svg)](https://www.paypal.me/moelleken)
[![Donate to this project using Patreon](https://img.shields.io/badge/patreon-donate-yellow.svg)](https://www.patreon.com/voku)
# :secret: AntiXSS
"Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications. XSS enables
attackers to inject client-side script into Web pages viewed by other users. A cross-site scripting vulnerability may be
used by attackers to bypass access controls such as the same origin policy. Cross-site scripting carried out on websites
accounted for roughly 84% of all security vulnerabilities documented by Symantec as of 2007." - http://en.wikipedia.org/wiki/Cross-site_scripting
### DEMO:
[http://anti-xss-demo.suckup.de/](http://anti-xss-demo.suckup.de/)
### NOTES:
1) Use [filter_input()](http://php.net/manual/de/function.filter-input.php) - don't use GLOBAL-Array (e.g. $_SESSION, $_GET, $_POST, $_SERVER) directly
2) Use [html-sanitizer](https://github.com/tgalopin/html-sanitizer) or [HTML Purifier](http://htmlpurifier.org/) if you need a more configurable solution
3) Add "Content Security Policy's" -> [Introduction to Content Security Policy](http://www.html5rocks.com/en/tutorials/security/content-security-policy/)
4) DO NOT WRITE YOUR OWN REGEX TO PARSE HTML!
5) READ THIS TEXT -> [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.md)
6) TEST THIS TOOL -> [Zed Attack Proxy (ZAP)](https://github.com/zaproxy/zaproxy)
### Install via "composer require"
```shell
composer require voku/anti-xss
```
### Usage:
```php
use voku\helper\AntiXSS;
require_once __DIR__ . '/vendor/autoload.php'; // example path
$antiXss = new AntiXSS();
```
Example 1: (HTML Character)
```php
$harm_string = "Hello, i try to <script>alert('Hack');</script> your site";
$harmless_string = $antiXss->xss_clean($harm_string);
// Hello, i try to alert&#40;'Hack'&#41;; your site
```
Example 2: (Hexadecimal HTML Character)
```php
$harm_string = "<IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>";
$harmless_string = $antiXss->xss_clean($harm_string);
// <IMG >
```
Example 3: (Unicode Hex Character)
```php
$harm_string = "<a href='&#x2000;javascript:alert(1)'>CLICK</a>";
$harmless_string = $antiXss->xss_clean($harm_string);
// <a >CLICK</a>
```
Example 4: (Unicode Character)
```php
$harm_string = "<a href=\"\u0001java\u0003script:alert(1)\">CLICK<a>";
$harmless_string = $antiXss->xss_clean($harm_string);
// <a >CLICK</a>
```
Example 5.1: (non Inline CSS)
```php
$harm_string = '<li style="list-style-image: url(javascript:alert(0))">';
$harmless_string = $antiXss->xss_clean($harm_string);
// <li >
```
Example 5.2: (with Inline CSS)
```php
$harm_string = '<li style="list-style-image: url(javascript:alert(0))">';
$antiXss->removeEvilAttributes(array('style')); // allow style-attributes
$harmless_string = $antiXss->xss_clean($harm_string);
// <li style="list-style-image: url(alert&#40;0&#41;)">
```
Example 6: (check if an string contains a XSS attack)
```php
$harm_string = "\x3cscript src=http://www.example.com/malicious-code.js\x3e\x3c/script\x3e";
$harmless_string = $antiXss->xss_clean($harm_string);
//
$antiXss->isXssFound();
// true
```
Example 7: (allow e.g. iframes)
```php
$harm_string = "<iframe width="560" onclick="alert('xss')" height="315" src="https://www.youtube.com/embed/foobar?rel=0&controls=0&showinfo=0" frameborder="0" allowfullscreen></iframe>";
$antiXss->removeEvilHtmlTags(array('iframe'));
$harmless_string = $antiXss->xss_clean($harm_string);
// <iframe width="560" height="315" src="https://www.youtube.com/embed/foobar?rel=0&controls=0&showinfo=0" frameborder="0" allowfullscreen></iframe>
```
### Unit Test:
1) [Composer](https://getcomposer.org) is a prerequisite for running the tests.
```
composer install
```
2) The tests can be executed by running this command from the root directory:
```bash
./vendor/bin/phpunit
```
## AntiXss methods
%__functions_index__voku\helper\AntiXSS__%
%__functions_list__voku\helper\AntiXSS__%
### Support
For support and donations please visit [Github](https://github.com/voku/anti-xss/) | [Issues](https://github.com/voku/anti-xss/issues) | [PayPal](https://paypal.me/moelleken) | [Patreon](https://www.patreon.com/voku).
For status updates and release announcements please visit [Releases](https://github.com/voku/anti-xss/releases) | [Twitter](https://twitter.com/suckup_de) | [Patreon](https://www.patreon.com/voku/posts).
For professional support please contact [me](https://about.me/voku).
### Thanks
- Thanks to [GitHub](https://github.com) (Microsoft) for hosting the code and a good infrastructure including Issues-Managment, etc.
- Thanks to [IntelliJ](https://www.jetbrains.com) as they make the best IDEs for PHP and they gave me an open source license for PhpStorm!
- Thanks to [Travis CI](https://travis-ci.com/) for being the most awesome, easiest continous integration tool out there!
- Thanks to [StyleCI](https://styleci.io/) for the simple but powerfull code style check.
- Thanks to [PHPStan](https://github.com/phpstan/phpstan) && [Psalm](https://github.com/vimeo/psalm) for relly great Static analysis tools and for discover bugs in the code!
### License
[![FOSSA Status](https://app.fossa.io/api/projects/git%2Bgithub.com%2Fvoku%2Fanti-xss.svg?type=large)](https://app.fossa.io/projects/git%2Bgithub.com%2Fvoku%2Fanti-xss?ref=badge_large)


@@ -0,0 +1,11 @@
<?php
require __DIR__ . '/../vendor/autoload.php';
require __DIR__ . '/vendor/autoload.php';
$readmeText = (new \voku\PhpReadmeHelper\GenerateApi())->generate(
__DIR__ . '/../src/voku/helper/AntiXSS.php',
__DIR__ . '/docs/base.md'
);
file_put_contents(__DIR__ . '/../README.md', $readmeText);
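Review bot: This script performs an unconditional file write (`file_put_contents(__DIR__ . '/../README.md', $readmeText)`) and requires a second autoloader at `build/vendor/autoload.php` that only exists after a dev install inside `build/`; it has no place in a deployed application tree. If `vendor/` ends up under the web server's document root, any PHP file like this one is directly requestable over HTTP, so either keep the file out of the commit or verify that the document root is limited to the public entry point and `vendor/` is never served. Suggest removing `build/` from the vendored copy entirely.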

vendor/voku/anti-xss/composer.json vendored Normal file

@@ -0,0 +1,41 @@
{
"name": "voku/anti-xss",
"description": "anti xss-library",
"type": "library",
"keywords": [
"anti-xss",
"clean",
"security",
"xss"
],
"homepage": "https://github.com/voku/anti-xss",
"license": "MIT",
"authors": [
{
"name": "EllisLab Dev Team",
"homepage": "http://ellislab.com/"
},
{
"name": "Lars Moelleken",
"email": "lars@moelleken.org",
"homepage": "https://www.moelleken.org/"
}
],
"require": {
"php": ">=7.0.0",
"voku/portable-utf8": "~6.0.0"
},
"require-dev": {
"phpunit/phpunit": "~6.0 || ~7.0 || ~9.0"
},
"autoload": {
"psr-4": {
"voku\\helper\\": "src/voku/helper/"
}
},
"extra": {
"branch-alias": {
"dev-master": "4.1.x-dev"
}
}
}
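Review bot: The package's own constraints here (`"php": ">=7.0.0"`, `"voku/portable-utf8": "~6.0.0"`) are not enforced by anything once the directory is committed by hand: no lock file is visible in this part of the diff recording which portable-utf8 build sits next to it, and the `psr-4` mapping `voku\\helper\\` -> `src/voku/helper/` only takes effect if the application's `vendor/autoload.php` (the one the README's usage example requires) was regenerated with this package registered. Suggest verifying that `vendor/voku/portable-utf8` is present at a 6.0.x version and that the autoloader was produced by `composer require voku/anti-xss` (or at least `composer dump-autoload`) rather than by copying files, and committing the resulting `composer.lock`.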

File diff suppressed because it is too large

File diff suppressed because it is too large