Difference between revisions of "Category:OWASP PHP AntiXSS Library Project"


Revision as of 13:17, 23 April 2007

Introduction

AntiXSS is a class for use with PHP 5+ that helps to reduce XSS (cross-site scripting) vulnerabilities by automatically encoding output to behave only as intended.

Requirements

  • PHP5 and above
  • mb_string PHP extension

Usage

  1. Make sure the mb_string extension is available with your PHP installation. If you are using Apache on Windows, this can most likely be done by adding (or un-commenting) a line in your php.ini file. On other platforms, you may need to recompile PHP. See [1] for more information.
  2. To make the code available to your program, include the owasp.antixss.php file, using a line like this: require_once "/path/to/owasp.antixss.php";
  3. It is not necessary to instantiate the class, though you may if you wish. Instead, make calls using the Scope Resolution Operator (::), like this: echo AntiXSS::HTMLEncode($myOutput);

Examples

HTML

Hello, <?php echo AntiXSS::HTMLEncode($nameOfMyUser); ?>!

JavaScript

... alert(myFunction('<?php echo AntiXSS::JavaScriptEncode($myVariable); ?>')); ...

URL

... http://example.com/myscript.php?<?php echo AntiXSS::URLEncode($myQueryStringValue); ?> ...

XML

<myelement myattribute="<?php echo AntiXSS::XMLAttributeEncode($myAttributeValue); ?>"><?php echo AntiXSS::XMLEncode($myElementValue); ?></myelement>

Downloads

Downloads are not yet available.

  • owasp.antixss.php
  • demo.owasp.antixss.php

Troubleshooting

Encoding

The AntiXSS class will use any character encoding supported by libmbfl, the library upon which the mbstring functions are based, with the exception of 7bit and BASE64.

A list of supported character sets is available at PHP.net: http://us2.php.net/mb_string

The OWASP AntiXSS class utilizes the following encodings: UTF-32, HTML-ENTITIES

Typically, your doctype definition will match the encoding of your source files and your database source. If you run into issues where some characters don't display or display wrong, check the encoding of every data source and file involved.

In particular, if you wish to output extended or multibyte characters from within your source files, make sure the encoding of all files involved matches the output format, unless you will be handling your conversions manually using mb_convert_encoding.
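The following is an added example, not code from the OWASP AntiXSS library: a small stand-in class with the same static call shape (Class::Method($value)) as the Usage and Examples sections, which walks UTF-32 code points and encodes everything outside A-Za-z0-9 for the HTML and JavaScript contexts, and which converts a Latin-1 input with mb_convert_encoding before encoding it, as the Troubleshooting section advises. The class name DemoEncoder, the constructed input value and the PHP 7.4+ requirement are assumptions of this example.

```php
<?php
// Added example, not the OWASP AntiXSS library's own code: a minimal context-aware encoder
// with the same static call shape (DemoEncoder is a hypothetical name). Every code point
// outside [A-Za-z0-9] is encoded for its context, walking UTF-32 code points. PHP 7.4+.
mb_internal_encoding('UTF-8');

class DemoEncoder
{
    // Decode a UTF-8 string into integer code points by way of UTF-32BE.
    private static function codePoints(string $s): array
    {
        return array_values(unpack('N*', mb_convert_encoding($s, 'UTF-32BE', 'UTF-8')));
    }

    private static function encode(string $s, callable $escape): string
    {
        $out = '';
        foreach (self::codePoints($s) as $cp) {
            $safe = ($cp >= 0x30 && $cp <= 0x39) || ($cp >= 0x41 && $cp <= 0x5A)
                 || ($cp >= 0x61 && $cp <= 0x7A);
            $out .= $safe ? chr($cp) : $escape($cp);
        }
        return $out;
    }

    // HTML body text; numeric references are valid XML too, so this also serves XML content.
    public static function HTMLEncode(string $s): string
    {
        return self::encode($s, fn(int $cp) => sprintf('&#%d;', $cp));
    }

    // Inside a quoted JavaScript string literal: \xHH below U+0080, \uHHHH in the BMP,
    // a surrogate pair above it.
    public static function JavaScriptEncode(string $s): string
    {
        return self::encode($s, function (int $cp) {
            if ($cp < 0x80) return sprintf('\\x%02X', $cp);
            if ($cp < 0x10000) return sprintf('\\u%04X', $cp);
            $cp -= 0x10000;
            return sprintf('\\u%04X\\u%04X', 0xD800 + ($cp >> 10), 0xDC00 + ($cp & 0x3FF));
        });
    }
}

// Constructed input: a Latin-1 value from a mis-configured data source has to be converted
// first (see Troubleshooting); the raw byte 0xE9 is not valid UTF-8 and would be mangled.
$value = mb_convert_encoding("<b>caf\xE9</b>", 'UTF-8', 'ISO-8859-1');
echo 'Hello, ' . DemoEncoder::HTMLEncode($value) . "!\n";
echo "alert(f('" . DemoEncoder::JavaScriptEncode($value) . "'));\n";
```

Run it with the PHP CLI; the same value is emitted once as an HTML text node and once inside a JavaScript string literal, which is the per-context encoding the Examples section illustrates.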