initphp/escaper
Composer 安装命令:
composer require initphp/escaper
包简介
Context-aware output escaper (HTML, attribute, JavaScript, CSS, URL) for safely rendering untrusted user input.
README 文档
README
Context-aware output escaper for PHP. Safely render untrusted user input inside HTML, HTML attributes, JavaScript, CSS and URLs.
htmlspecialchars() is not enough on its own. Each output context — an HTML
body, an attribute, a JavaScript string literal, a CSS value, a URL parameter
— needs its own escaping rules, and using the wrong one can leave you exposed
to XSS even when you think you have escaped your data.
initphp/escaper implements the rules from the
OWASP XSS Prevention Cheat Sheet
for the five most common contexts, behind a small, dependency-free API.
Installation
composer require initphp/escaper
Requirements
- PHP 7.4 or newer
ext-ctypeext-mbstring(required);ext-iconvis used when present and preferred over mbstring
Quick start
use InitPHP\Escaper\Esc; echo Esc::esc('<script>alert(1)</script>'); // <script>alert(1)</script> echo Esc::esc('faketitle onmouseover=alert(1);', 'attr'); // faketitle onmouseover=alert(1); echo Esc::esc('"; alert(1); var x="', 'js'); // \x22\x3B\x20alert\x281\x29\x3B\x20var\x20x\x3D\x22 echo Esc::esc('</style><script>alert(1)</script>', 'css'); // \3C \2F style\3E \3C script\3E alert\28 1\29 \3C \2F script\3E echo Esc::esc('" onmouseover="alert(1)', 'url'); // %22%20onmouseover%3D%22alert%281%29
Esc::esc() also accepts arrays and recurses into them, so escaping a whole
request payload at the view boundary is a one-liner:
$safe = Esc::esc($_GET, 'html');
API
Esc::esc()
public static function esc( array|string $data, string $context = 'html', ?string $encoding = null ): array|string;
| Argument | Description |
|---|---|
$data |
A string, or an array (which is escaped recursively). |
$context |
html, attr, js, css, url, or raw (returns input unchanged). |
$encoding |
Output encoding. null resolves to UTF-8. See Encodings. |
Throws InitPHP\Escaper\Exception\InvalidContextException for unknown contexts.
Escaper
For lower-level use, instantiate Escaper directly. Each instance is bound to
one encoding and exposes one method per context:
use InitPHP\Escaper\Escaper; $escaper = new Escaper(); // utf-8 $escaper = new Escaper('windows-1252'); $escaper->escHtml($string); $escaper->escHtmlAttr($string); $escaper->escJs($string); $escaper->escCss($string); $escaper->escUrl($string);
Documentation
The docs/ directory contains a per-context walkthrough with
examples, do-and-don't guidance and security notes:
- Getting started
- HTML body context
- HTML attribute context
- JavaScript context
- CSS context
- URL context
- Encodings
- Exceptions
- Security notes
A word of warning
Output escaping prevents XSS but it is not a substitute for input validation, authentication, or authorisation. It is also context-sensitive: the JavaScript escaper assumes the caller wraps the result in quotes, the HTML attribute escaper assumes the value is used as a single attribute value, and so on. Read the per-context docs before mixing contexts.
Contributing
Contributions are welcome. Please read the org-wide CONTRIBUTING guide for the workflow, coding standards and test expectations.
A typical loop is:
git clone https://github.com/InitPHP/Escaper.git cd Escaper composer install composer ci # cs-check + phpstan + phpunit
Individual steps are also available:
| Command | What it does |
|---|---|
composer test |
Run PHPUnit |
composer stan |
Run PHPStan (max level) |
composer cs-check |
Report PHP-CS-Fixer violations, no changes |
composer cs-fix |
Apply PHP-CS-Fixer changes |
Security
If you discover a security issue, please follow the disclosure process documented in SECURITY.md rather than opening a public issue.
License
Released under the MIT License. © InitPHP.
initphp/escaper 适用场景与选型建议
initphp/escaper 是一款 基于 PHP 开发的 Composer 扩展包,目前已累计 38 次下载、GitHub Stars 达 1, 最近一次更新时间为 2022 年 03 月 16 日, 在 PHP 生态内属于活跃度较高的组件。
它主要适用于以下技术方向: 「security」 「javascript」 「css」 「url」 「html」 「xss」 等业务场景。在实际项目中,围绕这些方向常见需要落地的问题包括:接口对接、性能调优、并发安全、与既有框架(Laravel / ThinkPHP / Yii / Webman 等)的兼容适配,以及生产环境的日志埋点与稳定性保障。
我们在过去多个企业项目中使用过 initphp/escaper 或与其功能相近的方案,如果你在选型或落地过程中遇到问题,例如 版本兼容、二次改造、私有化封装、与内部系统对接、生产 BUG 排查,欢迎联系我们协助评估。
基于 initphp/escaper 在你已有业务上做功能扩展、字段裁剪、UI 适配、与内部账号 / 权限 / 日志系统的深度对接。
线上偶发问题、内存泄漏、慢查询、并发异常等排查修复;针对高流量场景做缓存、队列、索引层面的调优。
承接完整的项目从需求 → 设计 → 开发 → 上线 → 长期运维;也可按月提供技术保姆服务。
与 initphp/escaper 相关的其它包
同方向 / 同关键字的高下载量 PHP Composer 包推荐,方便对比选型:
Generates a Blade directive exporting all of your named Laravel routes. Also provides a nice route() helper function in JavaScript.
A Twig extension to insert css as inline styles with a tag
Caching and compression for Twig assets (JavaScript and CSS).
A pretty nice way to expose your translation messages to your JavaScript.
Provide a way to secure accesses to all routes of an symfony application.
It's a barebone security class written on PHP
统计信息
- 总下载量: 38
- 月度下载量: 0
- 日度下载量: 0
- 收藏数: 1
- 点击次数: 1
- 依赖项目数: 0
- 推荐数: 0
其他信息
- 授权协议: MIT
- 更新时间: 2022-03-16