This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Category:OWASP PHP AntiXSS Library Project


Revision as of 18:11, 23 April 2007

Introduction

AntiXSS is a class for use with PHP 5 and later that helps reduce cross-site scripting (XSS) vulnerabilities by encoding output for the context it is written into (HTML, JavaScript, URL or XML), so that user-supplied data is displayed as data rather than interpreted as markup or code.

Requirements

  • PHP 5 and above
  • mbstring (multibyte string) PHP extension

Usage

  1. Make sure the mbstring extension is available in your PHP installation (check with php -m on the command line, or extension_loaded('mbstring') from a script). If you are using Apache on Windows, this can most likely be done by adding (or un-commenting) the extension=php_mbstring.dll line in your php.ini file and restarting the web server. On other platforms, you may need to recompile PHP with --enable-mbstring. See [1] for more information.
  2. To make the code available to your program, include the owasp.antixss.php file, using a line like this: require_once "/path/to/owasp.antixss.php";
  3. It is not necessary to instantiate the class, though you may if you wish. Instead, make calls using the Scope Resolution Operator (::), like this: echo AntiXSS::HTMLEncode($myOutput);

Examples

Choose the method by the context the value is written into; an encoder for one context does not protect another (HTML entities, for instance, are decoded by the browser before any JavaScript inside an event-handler attribute is parsed). In each example the variable holds untrusted data such as user input.

HTML

<p>Hello, <strong><?php echo AntiXSS::HTMLEncode($nameOfMyUser); ?></strong>!</p>

JavaScript

... alert(myFunction('<?php echo AntiXSS::JavaScriptEncode($myVariable); ?>')); ...

URL

... http://example.com/myscript.php?<?php echo AntiXSS::URLEncode($myQueryStringValue); ?> ...

XML

<myelement myattribute="<?php echo AntiXSS::XMLAttributeEncode($myAttributeValue); ?>"><?php echo AntiXSS::XMLEncode($myElementValue); ?></myelement>
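The following is an added example for this page, not code from the AntiXSS library or its demo file. It walks through the three Usage steps and the four contexts above with a stand-in encoder class (DemoEncoder, written with PHP's built-in functions; its exact escaping rules are an assumption and may differ from the library's), and adds the nested case the examples do not cover: JavaScript inside an HTML event-handler attribute, where HTML encoding alone is undone by the browser before the script runs. The require_once path, the query parameter name q and the hostile input string are constructed placeholders.

```php
<?php
// Added example, not code from the OWASP PHP AntiXSS library or from this page. It walks the
// three Usage steps and shows what each AntiXSS::*Encode call in the Examples section must
// achieve, and why the encoder has to match the output context. DemoEncoder is a stand-in
// written with PHP's own functions (PHP 5.4+); the library's exact escaping may differ.
declare(strict_types=1);

// Usage step 1: the library needs the multibyte string extension.
if (!extension_loaded('mbstring')) {
    fwrite(STDERR, "mbstring is not loaded: enable it in php.ini or build PHP with --enable-mbstring\n");
    exit(1);
}
// Usage step 2 would be: require_once '/path/to/owasp.antixss.php'; (placeholder path, left
// as a comment so this file runs without the download). Step 3 calls the encoders statically.

final class DemoEncoder
{
    // HTML body text or a quoted attribute value (the role of AntiXSS::HTMLEncode).
    public static function html(string $s): string
    {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }

    // Inside a quoted JavaScript string literal (the role of AntiXSS::JavaScriptEncode): every
    // character outside [A-Za-z0-9] becomes \uHHHH, so quotes, backslashes, line terminators
    // and "</script>" can never end the literal or the <script> block.
    public static function js(string $s): string
    {
        $chars = preg_split('//u', $s, -1, PREG_SPLIT_NO_EMPTY);
        if ($chars === false) {
            throw new InvalidArgumentException('input is not valid UTF-8');
        }
        $out = '';
        foreach ($chars as $ch) {
            if (preg_match('/^[A-Za-z0-9]$/', $ch) === 1) {
                $out .= $ch;
                continue;
            }
            // One escape per UTF-16 code unit, so astral characters become surrogate pairs.
            foreach (str_split(mb_convert_encoding($ch, 'UTF-16BE', 'UTF-8'), 2) as $unit) {
                $out .= sprintf('\\u%04X', (ord($unit[0]) << 8) | ord($unit[1]));
            }
        }
        return $out;
    }

    // A single query-string name or value (the role of AntiXSS::URLEncode). Never apply it to a
    // whole URL: it would also encode the ? & = that give the URL its structure.
    public static function url(string $s): string
    {
        return rawurlencode($s);
    }

    // XML element text or attribute value (XMLEncode / XMLAttributeEncode). Control characters
    // other than tab, LF and CR are illegal in XML 1.0 even when encoded, so they are dropped.
    public static function xml(string $s): string
    {
        $s = (string) preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F]/', '', $s);
        return htmlspecialchars($s, ENT_XML1 | ENT_QUOTES, 'UTF-8');
    }
}

// The four contexts from the Examples section, each with the matching encoder.
function renderHtml(string $name): string
{
    return '<p>Hello, <strong>' . DemoEncoder::html($name) . '</strong>!</p>';
}
function renderScript(string $value): string
{
    return "<script>alert(myFunction('" . DemoEncoder::js($value) . "'));</script>";
}
function renderUrl(string $value): string
{
    return 'http://example.com/myscript.php?q=' . DemoEncoder::url($value);
}
function renderXml(string $attr, string $text): string
{
    return '<myelement myattribute="' . DemoEncoder::xml($attr) . '">' . DemoEncoder::xml($text) . '</myelement>';
}

// Nested context: JavaScript inside an HTML event-handler attribute. The HTML parser decodes
// entities BEFORE the JavaScript engine sees the value, so HTML encoding alone is undone at
// runtime; the value must be JavaScript-encoded first and HTML-encoded second. This returns
// the JavaScript the engine would actually parse from onclick="f('...')".
function jsSeenByBrowser(string $value, bool $jsEncodeFirst): string
{
    $attribute = DemoEncoder::html($jsEncodeFirst ? DemoEncoder::js($value) : $value);
    return "f('" . html_entity_decode($attribute, ENT_QUOTES, 'UTF-8') . "')";
}

// Constructed hostile input (sample data, not from the page): tries to close the surrounding
// tag, JavaScript string literal and XML element, then run its own code.
$payload = "\"><script>alert(1)</script>'); alert(2); //";

echo renderHtml($payload), "\n", renderScript($payload), "\n", renderUrl($payload), "\n",
     renderXml($payload, $payload), "\n";
echo "HTML-encoded only (string broken out of): ", jsSeenByBrowser($payload, false), "\n";
echo "JS- then HTML-encoded (still one string): ", jsSeenByBrowser($payload, true), "\n";
```

Run it with php from the command line. The last two lines are the point: with HTML encoding alone the browser hands the JavaScript engine f('"><script>alert(1)</script>'); alert(2); //'), and alert(2) executes; with JavaScript encoding applied first, every special character reaches the engine as a \uHHHH escape and the value stays inside the string literal.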

Downloads

  • owasp.antixss.php
  • demo.owasp.antixss.php
