Cross-Site Scripting Prevention in PHP

Php by Rajesh Kumar Sahanee - February 9, 2020

Hello Friends, today we'll see Cross-Site Scripting Prevention in PHP. Cross-Site Scripting (XSS) is a web application vulnerability in which attackers inject malicious client-side scripts into web pages, which then execute inside the victim's browser. To prevent Cross-Site Scripting here we'll use htmLawed. htmLawed is a PHP library to purify and filter HTML.

So here is the code. We can use different configs according to our need; to know more about the config options you can visit http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed/htmLawed_README.htm#s2.2

One thing to keep in mind: htmLawed filters HTML that is meant to be rendered as HTML. Where the raw input is only echoed back as text (the textarea in the form below), it must be escaped with htmlspecialchars() instead, otherwise the form itself reflects whatever was submitted.

index.php

```php
<?php include 'htmLawed.php'; ?>
<!DOCTYPE html>
<html>
<head>
    <meta charset="UTF-8">
    <title>XSS Prevention</title>
    <style>
        .input { width: 100%; }
        strong { font-size: 14px; }
        .output { width: 100%; background: #efffef; padding: 5px; }
    </style>
</head>
<body>
    <form method="post">
        <strong>Input</strong>
        <!-- The submitted input is reflected back into the form. This is a text
             context, so it is escaped with htmlspecialchars(): a "</textarea>"
             in the input must not be able to close the element. -->
        <textarea class="input" name="content"><?= isset($_POST['content']) ? htmlspecialchars($_POST['content'], ENT_QUOTES, 'UTF-8') : "" ?></textarea>
        <input type="submit" name="filter" value="Filter"/>
    </form>
    <br/><br/>

    <!-- Each block below runs the same input through htmLawed with a different
         config and shows the filtered markup as source text inside <xmp>. -->
    <strong>1. Fully Secured</strong>
    <div class="output">
        <xmp>
<?php
if (isset($_POST['content'])) {
    // htmLawed's 'safe' preset
    $config = array('safe' => 1);
    echo htmLawed($_POST['content'], $config);
}
?>
        </xmp>
    </div>
    <br/>

    <strong>2. Allow All</strong>
    <div class="output">
        <xmp>
<?php
if (isset($_POST['content'])) {
    $config = array('comment' => 0, 'cdata' => 1);
    echo htmLawed($_POST['content'], $config);
}
?>
        </xmp>
    </div>
    <br/>

    <strong>3. Allow All Elements except "-applet -audio -canvas -embed -iframe -object -script -video" and allow all attributes and schemes</strong>
    <div class="output">
        <xmp>
<?php
if (isset($_POST['content'])) {
    // '*' allows every element; each '-name' removes one from the allowed set
    $config = array(
        'comment'  => 0,
        'cdata'    => 1,
        'elements' => '* -applet -audio -canvas -embed -iframe -object -script -video'
    );
    echo htmLawed($_POST['content'], $config);
}
?>
        </xmp>
    </div>
    <br/>

    <strong>4. Allow All Elements except "-applet -audio -canvas -embed -iframe -object -script -video" and deny all event attributes and allow all schemes</strong>
    <div class="output">
        <xmp>
<?php
if (isset($_POST['content'])) {
    // 'deny_attribute' => 'on*' drops every event-handler attribute (onclick, onload, ...)
    $config = array(
        'comment'        => 0,
        'cdata'          => 1,
        'elements'       => '* -applet -audio -canvas -embed -iframe -object -script -video',
        'deny_attribute' => 'on*'
    );
    echo htmLawed($_POST['content'], $config);
}
?>
        </xmp>
    </div>
    <br/>

    <strong>5. Allow All Elements except "-applet -audio -canvas -embed -iframe -object -script -video" and deny all event attributes and allow http url in href and no urls in style schemes</strong>
    <div class="output">
        <xmp>
<?php
if (isset($_POST['content'])) {
    // 'schemes': only http URLs in href; '!' means no URLs at all inside style
    $config = array(
        'comment'        => 0,
        'cdata'          => 1,
        'elements'       => '* -applet -audio -canvas -embed -iframe -object -script -video',
        'deny_attribute' => 'on*',
        'schemes'        => 'href: http; style: !'
    );
    echo htmLawed($_POST['content'], $config);
}
?>
        </xmp>
    </div>
</body>
</html>
```

Output

Thanks for stopping by. Please do share if it helped.
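To compare what each of the five configurations actually keeps without clicking through the form, here is a command-line script. It is an added example, not code from the original post or from the htmLawed project: it assumes htmLawed.php sits next to it, and the sample inputs, the config labels and the helper names (`configs`, `samples`, `filterAll`, `escapeForTextarea`) are this example's own. It also shows the escaping step that the reflected textarea needs, which htmLawed does not do for you.

```php
<?php
// Added example (not from the original post or the htmLawed project).
// Runs the post's five htmLawed configs over constructed sample inputs and prints
// the result of each, so the effect of every option can be read side by side.
// Assumption: htmLawed.php (the library the post uses) is in this directory.
declare(strict_types=1);

require_once __DIR__ . '/htmLawed.php';

/** The five configurations from the post, in the post's order. */
function configs(): array
{
    $elements = '* -applet -audio -canvas -embed -iframe -object -script -video';
    return [
        '1. Fully Secured' => ['safe' => 1],
        '2. Allow All'     => ['comment' => 0, 'cdata' => 1],
        '3. Drop applet/audio/canvas/embed/iframe/object/script/video' =>
            ['comment' => 0, 'cdata' => 1, 'elements' => $elements],
        '4. ...and deny all on* attributes' =>
            ['comment' => 0, 'cdata' => 1, 'elements' => $elements, 'deny_attribute' => 'on*'],
        '5. ...and http-only href, no URLs in style' =>
            ['comment' => 0, 'cdata' => 1, 'elements' => $elements, 'deny_attribute' => 'on*',
             'schemes' => 'href: http; style: !'],
    ];
}

/** Constructed inputs; each carries one feature that some config is meant to remove. */
function samples(): array
{
    return [
        'script element'  => '<p>hello</p><script>/* constructed */</script>',
        'event attribute' => '<b onmouseover="/* constructed */">bold</b>',
        'non-http href'   => '<a href="javascript:/* constructed */">link</a>',
        'url in style'    => '<div style="background:url(http://example.invalid/x.png)">box</div>',
        'iframe'          => '<iframe src="http://example.invalid/"></iframe><i>kept</i>',
        'html comment'    => '<!-- constructed --><u>kept</u>',
    ];
}

/** result[configLabel][sampleLabel] = the HTML htmLawed returns for that pair. */
function filterAll(array $samples, array $configs): array
{
    $out = [];
    foreach ($configs as $cname => $config) {
        foreach ($samples as $sname => $html) {
            $out[$cname][$sname] = htmLawed($html, $config);
        }
    }
    return $out;
}

/**
 * htmLawed sanitizes HTML that will be rendered as HTML. The raw input that the
 * post's form echoes back into <textarea> is a text context and needs escaping
 * instead; without it a "</textarea>" in the input closes the element.
 */
function escapeForTextarea(string $raw): string
{
    return htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

foreach (filterAll(samples(), configs()) as $cname => $results) {
    echo "== {$cname} ==\n";
    foreach ($results as $sname => $clean) {
        printf("  %-16s -> %s\n", $sname, $clean);
    }
    echo "\n";
}

// The same input, escaped for reflection into the form rather than filtered.
echo "Reflected into <textarea>: ", escapeForTextarea('</textarea><b>constructed</b>'), "\n";
```

Run it with `php compare.php` from the directory that holds htmLawed.php. Reading the output for the "event attribute" row across configs 3 and 4, or the "non-http href" row across configs 4 and 5, shows exactly which option is responsible for removing what; the last line shows that the escaped textarea value is inert text rather than markup.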