TYPO3 / html-sanitizer

Licence: MIT license
HTML sanitizer, written in PHP, aiming to provide XSS-safe markup based on explicitly allowed tags, attributes and values.

Programming Languages

PHP
23972 projects - #3 most used programming language

Projects that are alternatives of or similar to html-sanitizer

Bluemonday
bluemonday: a fast golang HTML sanitizer (inspired by the OWASP Java HTML Sanitizer) to scrub user generated content of XSS
Stars: ✭ 2,135 (+11761.11%)
Mutual labels:  sanitization, xss
security-cheat-sheet
Minimalist cheat sheet for developers to write secure code
Stars: ✭ 47 (+161.11%)
Mutual labels:  xss
Sanitize
Ruby HTML and CSS sanitizer.
Stars: ✭ 1,940 (+10677.78%)
Mutual labels:  sanitization
vaf
Vaf is a cross-platform very advanced and fast web fuzzer written in nim
Stars: ✭ 294 (+1533.33%)
Mutual labels:  xss
pathvalidate
A Python library to sanitize/validate a string such as filenames/file-paths/etc.
Stars: ✭ 139 (+672.22%)
Mutual labels:  sanitization
SuperXSS
Make XSS Great Again
Stars: ✭ 57 (+216.67%)
Mutual labels:  xss
Govalidator
[Go] Package of validators and sanitizers for strings, numerics, slices and structs
Stars: ✭ 5,163 (+28583.33%)
Mutual labels:  sanitization
XSS-Payload-without-Anything
XSS Payload without Anything.
Stars: ✭ 74 (+311.11%)
Mutual labels:  xss
xss-http-injector
XSS HTTP Inject0r is a proof of concept tool that shows how XSS (Cross Site Scripting) flags can be exploited easily. It is written in HTML + Javascript + PHP and released under GPLv3.
Stars: ✭ 22 (+22.22%)
Mutual labels:  xss
laravel-xss-filter
Filter user input for XSS but don't touch other html
Stars: ✭ 38 (+111.11%)
Mutual labels:  xss
html-contextual-autoescaper-java
Prevents XSS by figuring out how to escape untrusted values in templates
Stars: ✭ 15 (-16.67%)
Mutual labels:  xss
coldfusion-10-11-xss
Proof of Concept code for CVE-2015-0345 (APSB15-07)
Stars: ✭ 22 (+22.22%)
Mutual labels:  xss
xssfinder
Toolset for detecting reflected xss in websites
Stars: ✭ 105 (+483.33%)
Mutual labels:  xss
cve-2016-1764
Extraction of iMessage Data via XSS
Stars: ✭ 52 (+188.89%)
Mutual labels:  xss
hackable
A python flask app that is purposefully vulnerable to SQL injection and XSS attacks. To be used for demonstrating attacks
Stars: ✭ 61 (+238.89%)
Mutual labels:  xss
Wordlist404
Small but effective wordlist for brute-forcing and discovering hidden things.
Stars: ✭ 101 (+461.11%)
Mutual labels:  xss
flask-vuln
Pretty vulnerable flask app..
Stars: ✭ 23 (+27.78%)
Mutual labels:  xss
vue-dompurify-html
Safe replacement for the v-html directive
Stars: ✭ 104 (+477.78%)
Mutual labels:  xss
sanitizer-polyfill
rewrite constructor arguments, call DOMPurify, profit
Stars: ✭ 46 (+155.56%)
Mutual labels:  xss
solutions-bwapp
In progress rough solutions to bWAPP / bee-box
Stars: ✭ 158 (+777.78%)
Mutual labels:  xss

TYPO3 HTML Sanitizer

ℹ️ Common safe HTML tags & attributes as given in \TYPO3\HtmlSanitizer\Builder\CommonBuilder still might be adjusted, extended or rearranged to more specific builders.

In a Nutshell

This typo3/html-sanitizer package aims to be a standalone component that can be used by any PHP-based project or library. Although it is released within the TYPO3 namespace, it is agnostic to the specifics of TYPO3 CMS.

  • \TYPO3\HtmlSanitizer\Behavior contains the declarative settings for a particular HTML sanitization process.
  • \TYPO3\HtmlSanitizer\Visitor\VisitorInterface implementations (multiple different visitors can exist at the same time) do the actual work based on the declared Behavior. Visitors can modify nodes or mark them for deletion.
  • \TYPO3\HtmlSanitizer\Sanitizer can be considered the working instance: it parses and serializes HTML and invokes the visitors. In general this instance does not contain much logic on how to handle particular nodes, attributes or values.
  • \TYPO3\HtmlSanitizer\Builder\BuilderInterface can be used to create multiple different builder instances, in terms of "presets", which combine declaring a particular Behavior, initializing VisitorInterface instances, and finally returning a ready-to-use Sanitizer instance.

Installation

composer req typo3/html-sanitizer

Example & API

<?php
use TYPO3\HtmlSanitizer\Behavior;
use TYPO3\HtmlSanitizer\Sanitizer;
use TYPO3\HtmlSanitizer\Visitor\CommonVisitor;

require_once 'vendor/autoload.php';

$commonAttrs = [
    new Behavior\Attr('id'),
    new Behavior\Attr('class'),
    new Behavior\Attr('data-', Behavior\Attr::NAME_PREFIX),
];
$hrefAttr = (new Behavior\Attr('href'))
    ->addValues(new Behavior\RegExpAttrValue('#^https?://#'));

// attention: only `Behavior` implementation uses immutability
// (invoking `withFlags()` or `withTags()` returns new instance)
$behavior = (new Behavior())
    ->withFlags(Behavior::ENCODE_INVALID_TAG)
    ->withTags(
        (new Behavior\Tag('div', Behavior\Tag::ALLOW_CHILDREN))
            ->addAttrs(...$commonAttrs),
        (new Behavior\Tag('a', Behavior\Tag::ALLOW_CHILDREN))
            ->addAttrs($hrefAttr, ...$commonAttrs),
        (new Behavior\Tag('br'))
    );

$visitors = [new CommonVisitor($behavior)];
$sanitizer = new Sanitizer(...$visitors);

$html = <<< EOH
<div id="main">
    <a href="https://typo3.org/" data-type="url" wrong-attr="is-removed">TYPO3</a><br>
    (the <span>SPAN, SPAN, SPAN</span> tag shall be encoded to HTML entities)
</div>
EOH;

echo $sanitizer->sanitize($html);

will result in the following sanitized output:

<div id="main">
    <a href="https://typo3.org/" data-type="url">TYPO3</a><br>
    (the &lt;span&gt;SPAN, SPAN, SPAN&lt;/span&gt; tag shall be encoded to HTML entities)
</div>

Behavior flags

  • Behavior::ENCODE_INVALID_TAG keeps invalid tags, but "disarms" them by encoding them as text (see <span> in the example above)
  • Behavior::ENCODE_INVALID_ATTR keeps invalid attributes, but "disarms" the whole(!) tag, not just the attribute
  • Behavior::REMOVE_UNEXPECTED_CHILDREN removes the children of Tag entities that were declared without Tag::ALLOW_CHILDREN but actually contained child nodes
  • Behavior::ALLOW_CUSTOM_ELEMENTS allows custom elements (tag names containing a hyphen); it is, however, suggested to explicitly name all known and allowed tags and avoid using this flag
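The following is an added example, not code from the typo3/html-sanitizer package or its README. It ties together the BuilderInterface "preset" idea from the In a Nutshell section and the four Behavior flags listed above: a hypothetical builder class (StrictLinkBuilder, not part of the package) declares one fixed allow-list and takes the flags as a constructor argument, and the script runs it with each flag in turn over the same constructed input so the effect of every flag can be compared side by side. Only the class and attribute names on this page are used; the builder class, the input markup and the variant labels are assumptions made for the example.

```php
<?php
// Added example, not code from the typo3/html-sanitizer package or README.
// StrictLinkBuilder is a hypothetical BuilderInterface "preset"; the input
// below is constructed to trigger one case per Behavior flag.
use TYPO3\HtmlSanitizer\Behavior;
use TYPO3\HtmlSanitizer\Builder\BuilderInterface;
use TYPO3\HtmlSanitizer\Sanitizer;
use TYPO3\HtmlSanitizer\Visitor\CommonVisitor;

require_once 'vendor/autoload.php';

final class StrictLinkBuilder implements BuilderInterface
{
    private int $flags;

    public function __construct(int $flags = 0)
    {
        $this->flags = $flags;
    }

    public function build(): Sanitizer
    {
        // `href` is only kept when its value starts with http:// or https://,
        // so `javascript:` and `data:` URLs never survive as a live attribute
        $hrefAttr = (new Behavior\Attr('href'))
            ->addValues(new Behavior\RegExpAttrValue('#^https?://#'));

        $behavior = (new Behavior())
            ->withTags(
                (new Behavior\Tag('p', Behavior\Tag::ALLOW_CHILDREN)),
                (new Behavior\Tag('a', Behavior\Tag::ALLOW_CHILDREN))
                    ->addAttrs($hrefAttr),
                // `span` is deliberately declared WITHOUT ALLOW_CHILDREN so that
                // REMOVE_UNEXPECTED_CHILDREN has something to act on
                (new Behavior\Tag('span')),
                (new Behavior\Tag('br'))
            );
        // `Behavior` is immutable: withFlags() returns a new instance
        if ($this->flags !== 0) {
            $behavior = $behavior->withFlags($this->flags);
        }

        return new Sanitizer(new CommonVisitor($behavior));
    }
}

// constructed input, one case per flag:
//   <b>                   tag not in the allow-list            -> ENCODE_INVALID_TAG
//   onclick=              attribute not in the allow-list      -> ENCODE_INVALID_ATTR
//   <span>text</span>     children on a tag without ALLOW_CHILDREN
//                                                              -> REMOVE_UNEXPECTED_CHILDREN
//   <my-widget>           custom element (name has a hyphen)   -> ALLOW_CUSTOM_ELEMENTS
//   href="javascript:..." value rejected by RegExpAttrValue in every variant
$input = <<< EOH
<p>Hello <b>bold</b> world<br>
<a href="javascript:alert(1)" onclick="run()">rejected href and attribute</a>
<a href="https://typo3.org/">kept</a>
<span>unexpected child text</span>
<my-widget>custom element</my-widget></p>
EOH;

$variants = [
    'no flags'                   => 0,
    'ENCODE_INVALID_TAG'         => Behavior::ENCODE_INVALID_TAG,
    'ENCODE_INVALID_ATTR'        => Behavior::ENCODE_INVALID_ATTR,
    'REMOVE_UNEXPECTED_CHILDREN' => Behavior::REMOVE_UNEXPECTED_CHILDREN,
    'ALLOW_CUSTOM_ELEMENTS'      => Behavior::ALLOW_CUSTOM_ELEMENTS,
];

foreach ($variants as $label => $flags) {
    $sanitizer = (new StrictLinkBuilder($flags))->build();
    echo "--- {$label} ---\n", $sanitizer->sanitize($input), "\n\n";
}
```

When reading the output, compare each variant against the "no flags" run: with ENCODE_INVALID_TAG the unknown <b> appears entity-encoded as inert text instead of being dropped; with ENCODE_INVALID_ATTR it is the whole first <a> tag that gets encoded, not only the onclick attribute; with REMOVE_UNEXPECTED_CHILDREN the text inside <span> is gone because that tag was declared without ALLOW_CHILDREN; and only with ALLOW_CUSTOM_ELEMENTS does <my-widget> come through as a tag. The javascript: value is never emitted as a live href in any variant, because the RegExpAttrValue check on the attribute value applies regardless of the flags; encapsulating the allow-list in a builder keeps that policy in one place so callers cannot accidentally construct a more permissive Behavior.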

License

In general the TYPO3 core is released under the GNU General Public License version 2 or any later version (GPL-2.0-or-later). In order to avoid licensing issues and incompatibilities, this package is licensed under the MIT License. In case you duplicate or modify source code, credits are not required but really appreciated.

Security Contact

In case of finding additional security issues in the TYPO3 project or in this package in particular, please get in touch with the TYPO3 Security Team.