OWASP - User contributions [en]

Category:OWASP PHP AntiXSS Library Project

2007-04-23T18:17:55Z

Bjfield: /* Downloads */

== Introduction ==

AntiXSS is a class for use with PHP 5+ that helps to reduce XSS (cross-site scripting) vulnerabilities by automatically encoding output to behave only as intended.

== Requirements ==

* PHP5 and above
* mb_string PHP extension

== Usage ==

# Make sure the '''mb_string''' extension is available with your PHP installation. If you are using Apache on Windows, this can most likely be done by adding (or un-commenting) a line in your php.ini file. On other platforms, you may need to recompile PHP. See [http://us2.php.net/mb_string] for more information.
# To make the code available to your program, '''include the owasp.antixss.php file''', using a line like this: require_once "/path/to/owasp.antixss.php";
# It is not necessary to instantiate the class, though you may if you wish. Instead, '''make calls using the Scope Resolution Operator (::)''', like this: echo AntiXSS::HTMLEncode($myOutput);

== Examples ==

=== HTML ===
<tt>
<p>Hello, <strong><php echo AntiXSS:HTMLEncode($nameOfMyUser); ?></strong>!</p>
</tt>
=== JavaScript ===
<tt>
...
alert(myFunction('<?php echo AntiXSS:JavaScriptEncode($myVariable); ?>');
...
</tt>
=== URL ===
<tt>
...
<nowiki>
http://example.com/myscript.php?<?php echo AntiXSS::URLEncode($myQueryStringValue); ?>
</nowiki>
...
</tt>

=== XML ===
<tt>
<myelement myattribute="<?php echo AntiXSS::XMLAttributeEncode($myAttributeValue); ?>"><?php echo AntiXSS::XMLEncode($myElementValue); ?></myelement >
</tt>

== Downloads ==
Downloads are not yet available.
* owasp.antixss.php
* demo.owasp.antixss.php

== Troubleshooting ==

=== Encoding ===

The AntiXSS class will use any character encoding supported by libmbfl, the library upon which the mbstring functions are based, with the exception of 7bit and BASE64.

A list of supported character sets is available at PHP.net: [http://us2.php.net/mb_string]

The Owasp AntiXSS class utilizes the following encodings: UTF-32, HTML-ENTITIES

Typically, your doctype definition will match the encoding of your source files and your database source. If you run into issues where some characters don't display or display wrong, check the encoding of every data source and file involved.

And particularly if you wish to output extended or multibyte characters from within your source files, make sure the encoding of all files involved matches the output format, unless you will be handling your conversions manually using mb_convert_encoding.

Category:OWASP PHP AntiXSS Library Project

2007-04-23T18:12:03Z

Bjfield: /* Downloads */

Category:OWASP PHP AntiXSS Library Project

2007-04-23T18:11:29Z

Bjfield: /* Examples */

Category:OWASP PHP AntiXSS Library Project

2007-04-23T18:10:36Z

Bjfield: /* URL */

Category:OWASP PHP AntiXSS Library Project

2007-04-23T18:07:27Z

Bjfield: /* Installation */

Category:OWASP PHP AntiXSS Library Project

2007-04-23T18:07:12Z

Bjfield: /* Installation */

Category:OWASP PHP AntiXSS Library Project

2007-04-23T18:04:32Z

Bjfield: New page: == Introduction == AntiXSS is a class for use with PHP 5+ that helps to reduce XSS (cross-site scripting) vulnerabilities by automatically encoding output to behave only as intended. == ...

Category:OWASP Project

2007-04-23T17:46:35Z

Bjfield: /* Alpha Status Projects */

An OWASP project is a collection of related tasks that have a defined roadmap and team members. OWASP project leaders are responsible for defining the vision, roadmap, and tasks for the project. The project leader also promotes the project and builds the team.

To propose a new project, please send an email to [mailto:owasp@owasp.org?subject=New_OWASP_Project_idea owasp@owasp.org]

Every project has an associated mail list. You can view all the lists, examine their archives, and subscribe to any of them on the [http://lists.owasp.org/mailman/listinfo OWASP Project Mailing Lists] page.

==Release Quality Projects==

<table><tr><th width="50%">Tools</th><th>Documentation</th></tr><tr valign="top"><td>

; [[:Category:OWASP WebGoat Project|OWASP WebGoat Project]]
: an online training environment for hands-on learning about application security

; [[:Category:OWASP WebScarab Project|OWASP WebScarab Project]]
: a tool for performing all types of security testing on web applications and web services

</td><td>

; [[:Category:OWASP AppSec FAQ Project|OWASP AppSec FAQ Project]]
: FAQ covering many application security topics

; [[:Category:OWASP Guide Project|OWASP Guide Project]]
: a massive document covering all aspects of web application and web service security

; [[:Category:OWASP Legal Project|OWASP Legal Project]]
: a project focused on contracting for secure software

; [[:Category:OWASP Top Ten Project|OWASP Top Ten Project]]
: an awareness document that describes the top ten web application security vulnerabilities

</td></tr></table>

==Beta Status Projects==

<table valign="top"><tr><th width="50%">Tools</th><th>Documentation</th></tr><tr valign="top"><td>

; [[:Category:OWASP CAL9000 Project|OWASP CAL9000 Project]]
: a JavaScript based web application security testing suite

; [[:Category:OWASP Encoding Project|OWASP Encoding Project]]
: a project focused on the development of encoding best practices for web applications.

; [[:Category:OWASP LAPSE Project|OWASP LAPSE Project]]
: an Eclipse-based source-code static analysis tool for Java

; [[:Category:OWASP Live CD Project|OWASP Live CD Project]]
: a CD containing ready to use versions of application security analysis and testing tools

; [[:Category:OWASP .NET Project|OWASP .NET Research]]
: a project focused on helping .NET developers build secure applications

; [[:Category:OWASP Pantera Web Assessment Studio Project|OWASP Pantera Web Assessment Studio Project]]
: a project focused on combining automated capabilities with complete manual testing to get the best results

; [[:Category:OWASP Sprajax Project|OWASP Sprajax Project]]
: an open source black box security scanner used to assess the security of AJAX-enabled applications

; [[:Category:OWASP SQLiX Project|OWASP SQLiX Project]]
: a project focused on the development of SQLiX, a full perl-based SQL scanner

; [[:Category:OWASP WSFuzzer Project|OWASP WSFuzzer Project]]
: a project focused on the development of WSFuzzer, a full python-based Web Services SOAP fuzzer

; [[ORG_%28Owasp_Report_Generator%29|OWASP Report Generator]]
: a project giving security professionals a way to report and keep track of their projects

; [[Owasp_SiteGenerator|OWASP Site Generator]]
: a project allowing users to create dynamic sites for use in training, web application scanner testing, etc...

; [[OWASP_Tiger|OWASP Tiger]]
: OWASP Tiger is a Windows application originally intended to be used for automating the process of testing various known ASP.NET security issues in hosted environments. However, it is much more versatile than that: it can help you construct and send a HTTP requests, receive and analyze the responses, match them against a set of conditions to produce alerts, notifications that something is wrong with the application(s) or service(s) being tested.

; [[:Category:OWASP WeBekci Project|OWASP WeBekci Project]]
: OWASP WeBekci is a web based ModSecurity 2.x management tool. WeBekci is written in PHP, Its backend is powered by MySQL and the frontend by XAJAX framework.
</td><td>

; [[:Category:OWASP CLASP Project|OWASP CLASP Project]]
: a project focused on defining process elements that reinforce application security

; [[:Category:OWASP Code Review Project|OWASP Code Review Project]]
: a project to capture best practices for reviewing code

; [[:Category:OWASP Testing Project|OWASP Testing Guide]]
: a project focused on application security testing procedures and checklists

; [[:Category:OWASP Tools Project|OWASP Tools Project]]
: The OWASP Tools Project's goal is to provide unbiased, practical information and guidance about application security tools.

</td></tr></table>

==Alpha Status Projects==

<table valign="top"><tr><th width="50%">Tools</th><th>Documentation</th></tr><tr valign="top"><td>

; [[:Category:OWASP PHP AntiXSS Library Project|OWASP PHP AntiXSS Library Project]]
: reduce cross-site scripting vulnerabilities by encoding your output

; [[:Category:OWASP Insecure Web App Project|OWASP Insecure Web App Project]]
: a web application that includes common web application vulnerabilities

; [[:Category:OWASP Interceptor Project|OWASP Interceptor Project]]
: a testing tool for XML web service and Ajax interfaces

; [[:Category:OWASP JBroFuzz|OWASP JBroFuzz Project]]
: a fuzzer application, supporting a number of automated security checks including basic cross site scripting checks (XSS) as well as basic SQL injection testing.

; [[:Category:OWASP Orizon Project|OWASP Orizon Project]]
: a project focused on the development of a flexible code review engine

; [[:Category:OWASP Stinger Project|OWASP Stinger Project]]
: a project focus on the development of a centralized input validation mechanism which can be easily applied to existing or developmental applications

</td><td>

; [[:Category:OWASP AJAX Security Project|OWASP AJAX Security Guide]]
: investigating the security of AJAX enabled applications

; [[:Category:OWASP Application Security Assessment Standards Project|OWASP Application Security Assessment Standards Project]]
: establish a set of standards defining baseline approaches to conducting differing types/levels of application security assessment

; [[:Category:OWASP Application Security Metrics Project|OWASP Application Security Metrics Project]]
: identify and provide a set of application security metrics that have been found by contributors to be effective in measuring application security

; [[:Category:OWASP Career Development Project|OWASP Career Development Project]]
: The OWASP Career Development project is focused on helping application security professionals understand the job market, roles, career paths, and skills to work in the field.

; [[:Category:OWASP Honeycomb Project|OWASP Honeycomb Project]]
: a comprehensive and integrated guide to the fundamental building blocks of application security

; [[:Category:OWASP Java Project|OWASP Java Project]]
: a project focused on helping Java and J2EE developers build secure applications

; [[:Category:OWASP Logging Project|OWASP Logging Guide]]
: a project to define best practices for logging and log management

; [[:Category:OWASP PHP Project|OWASP PHP Project]]
: a project focused on helping PHP developers build secure applications

; [[:Category:OWASP Validation Project|OWASP Validation Project]]
: a project that provides guidance and tools related to validation

; [[:Category:OWASP WASS Project|OWASP WASS Guide]]
: a standards project to develop more concrete criteria for secure applications

; [[:Category:OWASP XML Security Gateway Evaluation Criteria Project|OWASP XML Security Gateway Evaluation Criteria]]
: a project to define evaluation criteria for XML Security Gateways

; [[:Category:OWASP Education Project|OWASP Education Project]]
: a project to build educational tracks and modules for different audiences

</td></tr></table>

__NOTOC__