Five functions for OWASP's five rules of XSS prevention
Latest commit 976a9c8 Dec 17, 2015
LICENSE.md Create LICENSE.md Dec 17, 2015
README.md readme Dec 17, 2015
xss-filter.php XSS filters Dec 17, 2015

README.md

php-xss-filter

Five functions implementing OWASP's XSS prevention rules 1-5. Simple and lightweight if you don't need to pull in a full security library like OWASP ESAPI for PHP.

Methods

  • encodeForHTML — When you want to put untrusted data into HTML element content

  • encodeForHTMLAttribute — When you want to put untrusted data into HTML attribute values. This should not be used for complex attributes like href, src, style, or any of the event handlers like onmouseover (use URL and JavaScript encoding for those instead)

  • encodeForJavaScript — When you want to put untrusted data into JavaScript script blocks and event-handler attributes. The only safe place to put untrusted data in this case is inside quoted "data values"

  • encodeForCSS — When you want to put untrusted data into a stylesheet or a style tag. Only use this for a property value, not for other places in style data

  • encodeForURL — When you want to put untrusted data into an HTTP GET parameter value

More: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
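The following is an added example, written for this README and not taken from the project's xss-filter.php, showing one way the five context-specific encoders can be implemented directly from the OWASP cheat sheet rules and how each one is applied at the matching output point. The function names mirror the method list above; the hostile-looking sample string is constructed for the demonstration. It assumes PHP 7.2 or later with the mbstring extension (for `mb_ord`) and that the page is served as UTF-8.

```php
<?php
// Added illustration of OWASP XSS prevention rules 1-5 in PHP.
// Not the project's xss-filter.php; names follow the README's method list.
// Requires PHP >= 7.2 (mb_ord) and the mbstring extension.

// Rule 1: HTML element content. ENT_QUOTES also encodes the apostrophe, so the
// same output is safe whether the surrounding template uses " or '.
function encodeForHTML(string $input): string
{
    return htmlspecialchars($input, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Rule 2: simple HTML attribute values. Every non-alphanumeric character below
// 0x100 becomes &#xHH; so the value stays inert even in an unquoted attribute.
// Not for href/src/style/on* attributes: those need URL or JavaScript encoding.
function encodeForHTMLAttribute(string $input): string
{
    return preg_replace_callback('/[^a-zA-Z0-9]/u', function (array $m): string {
        $cp = mb_ord($m[0], 'UTF-8');
        return $cp < 0x100 ? sprintf('&#x%02X;', $cp) : $m[0];
    }, $input);
}

// Rule 3: quoted JavaScript data values. \xHH for characters below 0x100,
// \uHHHH above. Encoding "<" as \x3C matters: a literal "</script>" inside the
// string would otherwise close the script block regardless of the quotes.
function encodeForJavaScript(string $input): string
{
    return preg_replace_callback('/[^a-zA-Z0-9]/u', function (array $m): string {
        $cp = mb_ord($m[0], 'UTF-8');
        return $cp < 0x100 ? sprintf('\\x%02X', $cp) : sprintf('\\u%04X', $cp);
    }, $input);
}

// Rule 4: CSS property values. \HH followed by a space; the space terminates the
// variable-length CSS hex escape so a following hex digit is not swallowed.
// Code points >= 0x100 are encoded the same way (CSS allows up to six digits).
function encodeForCSS(string $input): string
{
    return preg_replace_callback('/[^a-zA-Z0-9]/u', function (array $m): string {
        return sprintf('\\%X ', mb_ord($m[0], 'UTF-8'));
    }, $input);
}

// Rule 5: a single GET parameter value. RFC 3986 percent-encoding; never run
// this over a whole URL, and validate the scheme of any attacker-influenced URL
// separately (javascript: and data: are not fixed by encoding).
function encodeForURL(string $input): string
{
    return rawurlencode($input);
}

// Demonstration: a constructed sample value that exercises quotes, ampersand,
// angle brackets and an apostrophe. Encoding happens at output time, per context;
// the stored value itself is left untouched.
$untrusted = 'O\'Brien <b>"&"</b>';

printf("<p>%s</p>\n", encodeForHTML($untrusted));
printf("<input value=%s>\n", encodeForHTMLAttribute($untrusted));
printf("<script>var name = '%s';</script>\n", encodeForJavaScript($untrusted));
printf("<style>.x { font-family: \"%s\"; }</style>\n", encodeForCSS($untrusted));
printf("<a href=\"/search?q=%s\">search</a>\n", encodeForURL($untrusted));
```

Run it with `php example.php` and compare the five output lines: the same input is rendered five different ways, and in each line the characters that could break out of the surrounding context (`<`, `"`, `'`, `&`) have been replaced by that context's own escape syntax. Picking the encoder by where the value lands, rather than applying one "sanitize" pass on input, is the whole point of the OWASP rule set.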