VOKU_ANTI_XSS_GT
VOKU_ANTI_XSS_GT = 'voku::anti-xss::gt'
AntiXSS - ported from "CodeIgniter"
$_never_allowed_regex : string[]
List of never allowed regex replacements.
$_do_not_close_html_tags : string[]
List of html tags that will not close automatically.
$_never_allowed_js_callback_regex : string[]
List of never allowed call statements.
$_never_allowed_call_strings : string[]
List of simple never allowed call statements.
$_never_allowed_str_afterwards : string[]
$_never_allowed_on_events_afterwards : string[]
List of never allowed strings, afterwards.
$_evil_attributes_regex : string[]
https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Event_Handlers
$_evil_html_tags : string[]
$_spacing_regex : string
$_replacement : string
The replacement-string for not allowed strings.
$_never_allowed_str : string[]
List of never allowed strings.
$_stripe_4byte_chars : bool
If your DB (MySQL) encoding is "utf8" and not "utf8mb4", then you can't save 4-byte UTF-8 chars, and someone can use them to create stored XSS attacks.
$_xss_found : bool|null
$_cache_evil_attributes_regex_string : string
$_cache_never_allowed_regex_string : string
$_cache__evil_html_tags_str : string
xss_clean(string|string[] $str) : string|string[]
XSS Clean
Sanitizes data so that "Cross Site Scripting" hacks can be
prevented. This method does a fair amount of work but
it is extremely thorough, designed to prevent even the
most obscure XSS attempts. But keep in mind that nothing
is ever 100% foolproof...
Note: Should only be used to deal with data upon submission.
It's not something that should be used for general
runtime processing.
Parameter: $str (string|string[]) - input data, e.g. a string or an array of strings.
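The following is an added example of using xss_clean() at submission time, as the note above recommends; it is not code from the library's documentation. It assumes the package is installed via Composer ("composer require voku/anti-xss") so that the voku\helper\AntiXSS class autoloads, and the sample form fields are constructed here.

```php
<?php
// Added example (not the library's own code): sanitising a form submission
// with voku/anti-xss. Assumes Composer has installed the package so that
// vendor/autoload.php provides the voku\helper\AntiXSS class.
require __DIR__ . '/vendor/autoload.php';

use voku\helper\AntiXSS;

/**
 * Clean one submitted form at submission time (the only place the docs
 * recommend using xss_clean()) and return the sanitised field values.
 *
 * @param array<string, string|string[]> $fields raw POST data
 * @return array<string, string|string[]>
 */
function sanitizeSubmission(array $fields): array
{
    $antiXss = new AntiXSS();
    $clean = [];
    foreach ($fields as $name => $value) {
        // xss_clean() accepts a string or an array of strings and returns
        // the same shape, so multi-value inputs (tags[]) need no special case.
        $clean[$name] = $antiXss->xss_clean($value);
    }
    return $clean;
}

// Constructed sample input standing in for $_POST.
$submitted = [
    'display_name' => 'Alice <script>alert(1)</script>',
    'bio'          => '<a href="javascript:alert(1)">about me</a>',
    'tags'         => ['<b>bold is fine</b>', '<img src=x onerror=alert(1)>'],
];

$clean = sanitizeSubmission($submitted);

foreach ($clean as $name => $value) {
    // The exact replacement text depends on the library version; what matters
    // is that the executable parts are gone before the value is stored.
    printf("%s: %s\n", $name, is_array($value) ? implode(', ', $value) : $value);
}
```

Run the cleaned values, not the raw ones, into the database; since the documentation warns against using xss_clean() for general runtime processing, keep output encoding (htmlspecialchars() at render time) as the second, independent layer.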
_js_link_removal_callback(string[] $match) : string
Callback method for xss_clean() to sanitize links.
INFO: This limits the PCRE backtracks, making it more performance friendly
and prevents PREG_BACKTRACK_LIMIT_ERROR from being triggered in
PHP 5.2+ on link-heavy strings.
Parameter: $match (string[]).
_js_removal_callback(string[] $match, string $search) : string
Callback method for xss_clean() to sanitize tags.
INFO: This limits the PCRE backtracks, making it more performance friendly
and prevents PREG_BACKTRACK_LIMIT_ERROR from being triggered in
PHP 5.2+ on image tag heavy strings.
Parameter: $match (string[]).
Parameter: $search (string).
_js_src_removal_callback(string[] $match) : string
Callback method for xss_clean() to sanitize image tags.
INFO: This limits the PCRE backtracks, making it more performance friendly
and prevents PREG_BACKTRACK_LIMIT_ERROR from being triggered in
PHP 5.2+ on image tag heavy strings.
Parameter: $match (string[]).
_remove_disallowed_javascript(string $str) : string
Remove disallowed JavaScript in links or img tags.
We used to do some version comparisons and use stripos(), but that is dog slow compared to these simplified non-capturing preg_match() calls, especially if the pattern exists in the string.
Note: It was reported that not only space characters, but all characters in the following pattern can be parsed as separators between a tag name and its attributes: [\d\s"\'`;,\/\=\(\x00\x0B\x09\x0C]
... however, UTF8::clean() above already strips the hex-encoded ones, so we'll skip them below.
Parameter: $str (string).
_remove_evil_attributes(string $str) : string
Remove Evil HTML Attributes (like event handlers and style).
It removes the evil attribute and either:
Parameter: $str (string) - The string to check.
Returns: The string with the evil attributes removed.
_sanitize_naughty_javascript(string $str) : string
Sanitize naughty scripting elements
Similar to above, only instead of looking for tags it looks for PHP and JavaScript commands that are disallowed. Rather than removing the code, it simply converts the parentheses to entities, rendering the code un-executable.
For example:
eval('some code')
becomes:
eval&#40;'some code'&#41;
Parameter: $str (string).
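As an added example that is not the library's own code, here is a simplified re-implementation of the parenthesis-to-entity step described above. The list of disallowed commands is an assumption for illustration only (the real list lives inside the library), and the sample strings are constructed.

```php
<?php
// Added example, not the library's own code: a simplified version of the
// "convert the parentheses to entities" technique used by
// _sanitize_naughty_javascript(). The command list is a hypothetical,
// shortened one chosen for illustration.
function neutralizeNaughtyJavascript(string $str): string
{
    // Hypothetical list of JS/PHP calls that should never be left executable.
    $disallowed = ['alert', 'prompt', 'confirm', 'eval', 'document\.write', 'fwrite', 'system'];

    // \1 = command name, \2 = optional whitespace, \3 = argument text.
    // The "i" flag catches mixed case, "s" lets the arguments span lines.
    $pattern = '#(' . implode('|', $disallowed) . ')(\s*)\((.*?)\)#si';

    // Keep the command name and whitespace but replace the surrounding
    // parentheses with numeric entities so the call can no longer run.
    return preg_replace($pattern, '\1\2&#40;\3&#41;', $str);
}

// Constructed inputs: the first reproduces the documented before/after,
// the last shows ordinary prose parentheses being left alone.
$samples = [
    "eval('some code')",
    '<a href="#" onclick="Alert (document.cookie)">x</a>',
    'Prices: (approx) 10 USD',
];

foreach ($samples as $sample) {
    printf("%s\n  => %s\n", $sample, neutralizeNaughtyJavascript($sample));
}
```

Because only parentheses that follow a listed command are rewritten, legitimate text keeps its punctuation; the trade-off, as with the library's own step, is that the filter is only as complete as its command list, which is why the documentation pairs it with the other passes rather than relying on it alone.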