abacaphiliac/php-no-html

Safely encode content for rendering in an HTML document.
Keywords
filter, html, xss
License
MIT

Documentation


Brief XSS Mitigation Guide

A quote from [Paragon Initiative's blog](https://paragonie.com/blog/2015/06/preventing-xss-vulnerabilities-in-php-everything-you-need-know):

  1. If your framework has a templating engine that offers automatic contextual filtering, use that.
  2. echo htmlentities($string, ENT_QUOTES | ENT_HTML5, 'UTF-8'); is a safe and effective way to stop all XSS attacks on a UTF-8 encoded web page, but doesn't allow any HTML.
  3. If your requirements allow you to use Markdown instead of HTML, don't use HTML.
  4. If you need to allow some HTML and aren't using a templating engine (see #1), use HTML Purifier.

Installation

composer require abacaphiliac/php-no-html

Usage

The following code is vulnerable to XSS: the user-controlled value is written unescaped into an attribute, so the embedded double quote closes the attribute and the rest of the string is parsed as a new script element:

<?php
// Constructed attacker-controlled input (in practice it would come from the request).
$userName = 'Bob"/><script>alert(\'XSS\');</script>';
?><input name="UserName" value="<?= $userName; ?>" /><?php

Simply escape the value in the response to prevent the exploit:

<?php
$userName = 'Bob"/><script>alert(\'XSS\');</script>';
?><input name="UserName" value="<?= \NoHtml\NoHtml::filter($userName); ?>" /><?php
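As an added example (not code from the php-no-html package, and not using NoHtml::filter), the script below renders the README's input tag with the htmlentities() call quoted in the guide above and checks whether the encoded value can still close its own attribute; the function names and the single-quoted payload variant are mine.

```php
<?php
// Added example, not code from the php-no-html package. It uses only PHP's
// built-in htmlentities() to show attribute-context encoding and a flag caveat.
declare(strict_types=1);

/** Encode for an HTML text or attribute context with the flags the guide recommends. */
function encodeForHtml(string $value): string
{
    // ENT_QUOTES encodes both " and '; ENT_SUBSTITUTE replaces invalid UTF-8
    // instead of returning '' (which would silently drop the whole value).
    return htmlentities($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Weaker variant for comparison: ENT_COMPAT encodes " but leaves ' untouched. */
function encodeDoubleQuotesOnly(string $value): string
{
    return htmlentities($value, ENT_COMPAT | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Render the README's input tag; $quote is the attribute delimiter the template uses. */
function renderInput(string $value, string $quote = '"'): string
{
    return '<input name="UserName" value=' . $quote . $value . $quote . ' />';
}

/**
 * An attribute value that still contains the template's delimiter closes the
 * attribute early and controls the rest of the tag: the breakout shown above.
 */
function breaksOutOfAttribute(string $value, string $quote): bool
{
    return strpos($value, $quote) !== false;
}

// Constructed inputs: the README's payload, and the same shape using a single quote.
$doubleQuoted = 'Bob"/><script>alert(\'XSS\');</script>';
$singleQuoted = "Bob'/><script>alert('XSS');</script>";

$cases = [ // [label, encoded value, delimiter used by the template]
    ['unencoded, "-delimited',  $doubleQuoted,                         '"'],
    ['ENT_QUOTES, "-delimited', encodeForHtml($doubleQuoted),          '"'],
    ["ENT_QUOTES, '-delimited", encodeForHtml($singleQuoted),          "'"],
    ["ENT_COMPAT, '-delimited", encodeDoubleQuotesOnly($singleQuoted), "'"],
];

foreach ($cases as [$label, $value, $quote]) {
    $verdict = breaksOutOfAttribute($value, $quote) ? 'BREAKOUT' : 'contained';
    printf("%-24s %-9s %s\n", $label, $verdict, renderInput($value, $quote));
}
```

Only the ENT_QUOTES rows come out contained for both delimiters; the ENT_COMPAT row shows why a template with single-quoted attributes needs the stronger flag the guide quotes.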

Dependencies

See composer.json.

Contributing

composer update && vendor/bin/phing

This library attempts to comply with PSR-1, PSR-2, and PSR-4. If you notice compliance oversights, please send a patch via pull request.