Hello Friends, today we'll see Cross-Site Scripting prevention in PHP. Cross-Site Scripting (XSS) is a web application vulnerability in which an attacker injects malicious client-side script into a web page, which then executes inside the victim's browser. To prevent Cross-Site Scripting here we'll use htmLawed, a PHP library that purifies and filters HTML. So here is the code; we can use a different config according to our needs, and to know more about the config options you can visit http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed/htmLawed_README.htm#s2.2
index.php
```php
<?php include 'htmLawed.php'; ?>
<!DOCTYPE html>
<html>
<head>
    <meta charset="UTF-8">
    <title>XSS Prevention</title>
    <style>
        .input { width: 100%; }
        strong { font-size: 14px; }
        .output { width: 100%; background: #efffef; padding: 5px; }
    </style>
</head>
<body>
<form method="post">
    <strong>Input</strong>
    <!-- The raw submission is echoed back here unfiltered, so it is escaped for the HTML context -->
    <textarea class="input" name="content"><?= isset($_POST['content']) ? htmlspecialchars($_POST['content'], ENT_QUOTES, 'UTF-8') : "" ?></textarea>
    <input type="submit" name="filter" value="Filter"/>
</form>
<br/><br/>

<strong>1. Fully Secured</strong>
<div class="output">
    <!-- <xmp> shows the filtered markup as text instead of rendering it -->
    <xmp>
<?php if (isset($_POST['content'])) {
    $config = array('safe' => 1);
    echo htmLawed($_POST['content'], $config);
} ?>
    </xmp>
</div>
<br/>

<strong>2. Allow All</strong>
<div class="output">
    <xmp>
<?php if (isset($_POST['content'])) {
    $config = array('comment' => 0, 'cdata' => 1);
    echo htmLawed($_POST['content'], $config);
} ?>
    </xmp>
</div>
<br/>

<strong>3. Allow All Elements except "-applet -audio -canvas -embed -iframe -object -script -video" and allow all attributes and schemes</strong>
<div class="output">
    <xmp>
<?php if (isset($_POST['content'])) {
    $config = array(
        'comment'  => 0,
        'cdata'    => 1,
        'elements' => '* -applet -audio -canvas -embed -iframe -object -script -video'
    );
    echo htmLawed($_POST['content'], $config);
} ?>
    </xmp>
</div>
<br/>

<strong>4. Allow All Elements except "-applet -audio -canvas -embed -iframe -object -script -video" and deny all event attributes and allow all schemes</strong>
<div class="output">
    <xmp>
<?php if (isset($_POST['content'])) {
    $config = array(
        'comment'        => 0,
        'cdata'          => 1,
        'elements'       => '* -applet -audio -canvas -embed -iframe -object -script -video',
        'deny_attribute' => 'on*'   // strips every on* event-handler attribute
    );
    echo htmLawed($_POST['content'], $config);
} ?>
    </xmp>
</div>
<br/>

<strong>5. Allow All Elements except "-applet -audio -canvas -embed -iframe -object -script -video" and deny all event attributes and allow http url in href and no urls in style schemes</strong>
<div class="output">
    <xmp>
<?php if (isset($_POST['content'])) {
    $config = array(
        'comment'        => 0,
        'cdata'          => 1,
        'elements'       => '* -applet -audio -canvas -embed -iframe -object -script -video',
        'deny_attribute' => 'on*',
        'schemes'        => 'href: http; style: !'   // only http URLs in href, no URLs at all in style
    );
    echo htmLawed($_POST['content'], $config);
} ?>
    </xmp>
</div>
</body>
</html>
```
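As an added example (not from the original post), the script below runs one constructed input through the five configurations from index.php and prints each result side by side, then shows the escaping to use instead of htmLawed wherever the input is displayed as plain text. It assumes htmLawed.php is in the same directory, as in the post's code.

```php
<?php
// Added example (not from the original post): compares the five htmLawed
// configurations from index.php on a single constructed input.
// Assumes htmLawed.php sits next to this script.
require 'htmLawed.php';

$base = '* -applet -audio -canvas -embed -iframe -object -script -video';
$configs = array(
    '1. safe'                       => array('safe' => 1),
    '2. allow all'                  => array('comment' => 0, 'cdata' => 1),
    '3. drop risky elements'        => array('comment' => 0, 'cdata' => 1, 'elements' => $base),
    '4. + deny on* attributes'      => array('comment' => 0, 'cdata' => 1, 'elements' => $base,
                                             'deny_attribute' => 'on*'),
    '5. + http href, no style URLs' => array('comment' => 0, 'cdata' => 1, 'elements' => $base,
                                             'deny_attribute' => 'on*',
                                             'schemes' => 'href: http; style: !'),
);

// Constructed sample input: ordinary markup mixed with the constructs
// the configurations above are meant to strip (event attribute,
// javascript: href, URL in style, script element).
$sample = '<p onclick="f()">Hello <a href="javascript:f()">bad link</a> '
        . '<a href="http://example.com/">good link</a></p>'
        . '<span style="background:url(http://example.com/x.png)">styled</span>'
        . '<script>f()</script>';

// Apply one htmLawed configuration to untrusted HTML.
function filterHtml($html, array $config)
{
    return htmLawed($html, $config);
}

foreach ($configs as $name => $config) {
    echo $name, "\n  ", filterHtml($sample, $config), "\n\n";
}

// htmLawed is for content that must remain HTML. Where the raw input is
// shown as text (the <textarea> in index.php, attribute values), escape
// it for that context instead of filtering it.
echo "escaped for a text context:\n  ",
     htmlspecialchars($sample, ENT_QUOTES, 'UTF-8'), "\n";
```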
Thanks for stopping by. Please do share if it helped.