├── .gitmodules
├── test_nasty_strings.php
├── composer.json
├── sqlinjection.php
├── README.md
├── LICENSE
└── lib
    └── jblond
        └── xss_filter.class.php


/.gitmodules:
--------------------------------------------------------------------------------
1 | [submodule "teststrings"]
2 | 	path = teststrings
3 | 	url = https://github.com/minimaxir/big-list-of-naughty-strings.git
4 | 


--------------------------------------------------------------------------------
/test_nasty_strings.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | header('Content-Type: text/html; charset=utf-8');
 3 | 
 4 | require './lib/jblond/xss_filter.class.php';
 5 | $xss = new jblond\xss_filter();
 6 | 
 7 | // load über nasty test
 8 | $test_lines = file('teststrings/blns.txt',FILE_SKIP_EMPTY_LINES);
 9 | 
10 | 
11 | foreach($test_lines as $test_line){
12 | 	echo $xss->filter_it($test_line) . '<br>' ."\n";
13 | }
14 | 


--------------------------------------------------------------------------------
/composer.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "name": "jblond/php-xss-filter",
 3 |   "description": "PHP XSS Filter",
 4 |   "license": "MIT",
 5 |   "keywords": [
 6 |     "php",
 7 |     "xss"
 8 |   ],
 9 |   "authors": [
10 |     {
11 |       "name": "JBlond",
12 |       "email": "leet31337@web.de"
13 |     }
14 |   ],
15 |   "require": {
16 |     "php" : ">= 5.6"
17 | 
18 |   },
19 |   "require-dev": {
20 |     "ext-mysqli": "*"
21 |   },
22 |   "autoload": {
23 |     "psr-4": {
24 |       "jblond\\": "lib/jblond"
25 |     }
26 |   }
27 | }
28 | 


--------------------------------------------------------------------------------
/sqlinjection.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | header('Content-Type: text/html; charset=utf-8');
 3 | 
 4 | require './lib/jblond/xss_filter.class.php';
 5 | $xss = new jblond\xss_filter();
 6 | 
 7 | $string = "teilnehmer_nr=1&singleTarif=1 AND (SELECT * FROM (SELECT(SLEEP(5)))lVqc)&abschlussart=jahresabschluss&reisebeginn=-1&reiseende=-1&beginnJahresVers=1445292000&teilnmAlter=29&weltgeltung=1";
 8 | 
 9 | echo $xss->filter_it($string) . '<br><br><br>';
10 | 
11 | $mysqli = new \mysqli("localhost", "root", "", "mysql");
12 | 
13 | /* check connection */
14 | if (mysqli_connect_errno()) {
15 | 	printf("Connect failed: %s\n", mysqli_connect_error());
16 | }
17 | else
18 | {
19 | 	echo $mysqli->real_escape_string($string);
20 | }
21 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | [![Code Climate](https://codeclimate.com/github/JBlond/PHP-XSS-Filter/badges/gpa.svg)](https://codeclimate.com/github/JBlond/PHP-XSS-Filter) [![SensioLabsInsight](https://insight.sensiolabs.com/projects/bf1c2ba8-b292-49de-bebc-93e39344a169/mini.png)](https://insight.sensiolabs.com/projects/bf1c2ba8-b292-49de-bebc-93e39344a169) [![Codacy Badge](https://api.codacy.com/project/badge/grade/a345b27631f240779f8b016abec85460)](https://www.codacy.com/app/leet31337/PHP-XSS-Filter)
 2 | 
 3 | # PHP-XSS-Filter
 4 | 
 5 | ## Install
 6 | 
 7 | ```BASH
 8 | composer require jblond/php-xss-filter
 9 | ```
10 | 
11 | ## Example
12 | ```PHP
13 | 	require './xss_filter.class.php';
14 | 	$xss = new xss_filter();
15 | 	$string = '<iframe>blah';
16 | 	$string = $xss->filter_it($string );
17 | 	echo $string;
18 | ```
19 | ## Contribute
20 | 
21 | Open a PR, open an issue
22 | 


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
 1 | The MIT License (MIT)
 2 | 
 3 | Copyright (c) 2013 - 2021 Mario
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy of
 6 | this software and associated documentation files (the "Software"), to deal in
 7 | the Software without restriction, including without limitation the rights to
 8 | use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
 9 | the Software, and to permit persons to whom the Software is furnished to do so,
10 | subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
17 | FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
18 | COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
19 | IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
20 | CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
21 | 


--------------------------------------------------------------------------------
/lib/jblond/xss_filter.class.php:
--------------------------------------------------------------------------------
  1 | <?php
  2 | namespace jblond;
  3 | /**
  4 | * xss_filter
  5 | *
  6 | * @author mario.brandt
  7 | * @copyright Copyright (c) 2013 - 2017
  8 | * @access public
  9 |  */
 10 | class xss_filter {
 11 | 
 12 | 	/**
 13 | 	* @var bool $allow_http_value
 14 | 	* @access private
 15 | 	*/
 16 | 	private $allow_http_value = false;
 17 | 
 18 | 	/**
 19 | 	* @var string $input
 20 | 	* @access private
 21 | 	*/
 22 | 	private $input;
 23 | 	/**
 24 | 	* @var array $preg_patterns
 25 | 	* @access private
 26 | 	*/
 27 | 	private $preg_patterns = array(
 28 | 		// Fix &entity\n
 29 | 		'!(&#0+[0-9]+)!' => '$1;',
 30 | 		'/(&#*\w+)[\x00-\x20]+;/u' => '$1;>',
 31 | 		'/(&#x*[0-9A-F]+);*/iu' => '$1;',
 32 | 		//any attribute starting with "on" or xml name space
 33 | 		'#(<[^>]+?[\x00-\x20"\'])(?:on|xmlns)[^>]*+>#iu' => '$1>',
 34 | 		//javascript: and VB script: protocols
 35 | 		'#([a-z]*)[\x00-\x20]*=[\x00-\x20]*([`\'"]*)[\x00-\x20]*j[\x00-\x20]*a[\x00-\x20]*v[\x00-\x20]*a[\x00-\x20]*s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:#iu' => '$1=$2nojavascript...',
 36 | 		'#([a-z]*)[\x00-\x20]*=([\'"]*)[\x00-\x20]*v[\x00-\x20]*b[\x00-\x20]*s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:#iu' => '$1=$2novbscript...',
 37 | 		'#([a-z]*)[\x00-\x20]*=([\'"]*)[\x00-\x20]*-moz-binding[\x00-\x20]*:#u' => '$1=$2nomozbinding...',
 38 | 		// Only works in IE: <span style="width: expression(alert('Ping!'));"></span>
 39 | 		'#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?expression[\x00-\x20]*\([^>]*+>#i' => '$1>',
 40 | 		'#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:*[^>]*+>#iu' => '$1>',
 41 | 		// namespace elements
 42 | 		'#</*\w+:\w[^>]*+>#i' => '',
 43 | 		//unwanted tags
 44 | 		'#</*(?:applet|b(?:ase|gsound|link)|embed|frame(?:set)?|i(?:frame|layer)|l(?:ayer|ink)|meta|object|s(?:cript|tyle)|title|xml)[^>]*+>#i' => ''
 45 | 	);
 46 | 
 47 | 	/**
 48 | 	 * @var array
 49 | 	 */
 50 | 	private $normal_patterns = array(
 51 | 		'\'' => '&apos;',
 52 | 		'"' => '&quot;',
 53 | 		'&' => '&amp;',
 54 | 		'<' => '&lt;',
 55 | 		'>' => '&gt;',
 56 | 		//possible SQL injection remove from string with there is no '
 57 | 		'SELECT * FROM' => '',
 58 | 		'SELECT(' => '',
 59 | 		'SLEEP(' => '',
 60 | 		'AND (' => '',
 61 | 		' AND' => '',
 62 | 		'(CASE' => ''
 63 | 	);
 64 | 
 65 | 	/**
 66 | 	* xss_filter::filter_it()
 67 | 	*
 68 | 	* @access public
 69 | 	* @param string $input
 70 | 	* @return string
 71 | 	*/
 72 | 	public function filter_it($input){
 73 | 		$this->input = html_entity_decode($input, ENT_NOQUOTES, 'UTF-8');
 74 | 		$this->normal_replace();
 75 | 		$this->do_grep();
 76 | 		return $this->input;
 77 | 	}
 78 | 
 79 | 	/**
 80 | 	* xss_filter::allow_http()
 81 | 	*
 82 | 	* @access public
 83 | 	*/
 84 | 	public function allow_http(){
 85 | 		$this->allow_http_value = true;
 86 | 	}
 87 | 
 88 | 	/**
 89 | 	* xss_filter::disallow_http()
 90 | 	*
 91 | 	* @access public
 92 | 	*/
 93 | 	public function disallow_http(){
 94 | 		$this->allow_http_value = false;
 95 | 	}
 96 | 
 97 | 	/**
 98 | 	* xss_filter::remove_get_parameters()
 99 | 	*
100 | 	* @access public
101 | 	* @param $url string
102 | 	* @return string
103 | 	*/
104 | 	public function remove_get_parameters($url){
105 | 		return preg_replace('/\?.*/', '', $url);
106 | 	}
107 | 
108 | 	/**
109 | 	* xss_filter::normal_replace()
110 | 	*
111 | 	* @access private
112 | 	*/
113 | 	private function normal_replace(){
114 | 		$this->input = str_replace(array('&amp;', '&lt;', '&gt;'), array('&amp;amp;', '&amp;lt;', '&amp;gt;'), $this->input);
115 | 		if($this->allow_http_value === false){
116 | 			$this->input = str_replace(array('&', '%', 'script', 'http', 'localhost'), array('', '', '', '', ''), $this->input);
117 | 		}
118 | 		else
119 | 		{
120 | 			$this->input = str_replace(array('&', '%', 'script', 'localhost', '../'), array('', '', '', '', ''), $this->input);
121 | 		}
122 | 		foreach($this->normal_patterns as $pattern => $replacement){
123 | 			$this->input = str_replace($pattern,$replacement,$this->input);
124 | 		}
125 | 	}
126 | 
127 | 	/**
128 | 	* xss_filter::do_grep()
129 | 	*
130 | 	* @access private
131 | 	*/
132 | 	private function do_grep(){
133 | 		foreach($this->preg_patterns as $pattern => $replacement){
134 | 			$this->input = preg_replace($pattern,$replacement,$this->input);
135 | 		}
136 | 	}
137 | }
138 | 


--------------------------------------------------------------------------------