abacaphiliac/php-no-html
Composer 安装命令:
composer require abacaphiliac/php-no-html
包简介
Safely encode content for rendering in an HTML document.
README 文档
README
abacaphiliac/php-no-html
Description
Safely encode content for rendering in an HTML document.
Brief XSS Mitigation Guide
A quote from (Paragon Initiative's blog)[https://paragonie.com/blog/2015/06/preventing-xss-vulnerabilities-in-php-everything-you-need-know]:
- If your framework has a templating engine that offers automatic contextual filtering, use that.
echo htmlentities($string, ENT_QUOTES | ENT_HTML5, 'UTF-8');is a safe and effective way to stop all XSS attacks on a UTF-8 encoded web page, but doesn't allow any HTML.- If your requirements allow you to use Markdown instead of HTML, don't use HTML.
- If you need to allow some HTML and aren't using a templating engine (see #1), use HTML Purifier.
Installation
composer require abacaphiliac/php-no-html
Usage
The following code is an example of an XSS exploit:
$userName = 'Bob"/><script>alert('XSS');</script>';
?><input name="UserName" value="<?=$value;?>" /><?php
Simply escape the value in the response to prevent the exploit:
$userName = 'Bob"/><script>alert('XSS');</script>';
?><input name="UserName" value="<?=\NoHtml\NoHtml::filter($value);?>" /><?php
Dependencies
See composer.json.
Contributing
composer update && vendor/bin/phing
This library attempts to comply with PSR-1, PSR-2, and PSR-4. If you notice compliance oversights, please send a patch via pull request.
统计信息
- 总下载量: 31
- 月度下载量: 0
- 日度下载量: 0
- 收藏数: 0
- 点击次数: 1
- 依赖项目数: 0
- 推荐数: 0
其他信息
- 授权协议: MIT
- 更新时间: 2016-08-11