Anti-XSS for PHP

{ @hacker | "try to bypass this XSS filter" }

github.com/voku/anti-xss



If you need some inspiration for new attacks, take a look at the PHPUnit tests. I have already included test from e.g. "DOMPurify", "JS-XSS" and "LaravelSecurity". Here you can find some more XSS strings:



PS: This demo, is also available at github.com and you can also create pull-requests, here.

result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

result with twig: {{ xss.xss | escape }}:

<script>test('test');</script>

keyword(s):

description:

by adasda | at 2019-08-22 04:04:05

result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

你早

result with twig: {{ xss.xss | escape }}:

你早

keyword(s):

description:

by 你早 | at 2019-08-22 04:03:21

result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

testprofessional

result with twig: {{ xss.xss | escape }}:

<font color="#ffFF00">testprofessional</font>

keyword(s):

description:

by test | at 2019-08-20 13:04:42

result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

I am fine

result with twig: {{ xss.xss | escape }}:

<div><s>I am fine</s></div>

keyword(s):

description:

by test | at 2019-08-20 13:01:20

result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

I am fine

result with twig: {{ xss.xss | escape }}:

<div style="color: red;">I am fine</div>

keyword(s):

description:

by test | at 2019-08-20 12:59:12

result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

I am fine

result with twig: {{ xss.xss | escape }}:

<div style="text-align: justify">I am fine</div>

keyword(s):

description:

by test | at 2019-08-20 12:55:38

result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

Nonstop

result with twig: {{ xss.xss | escape }}:

Nonstop

keyword(s):

description:

by Nonstop | at 2019-08-19 16:13:33

result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

result with twig: {{ xss.xss | escape }}:

<script>alert('Il y a une faille XSS')</script>

keyword(s):

description:

by | at 2019-08-16 19:48:26

result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

result with twig: {{ xss.xss | escape }}:

<script>alert('Il y a une faille XSS')</script>

keyword(s):

description:

by | at 2019-08-16 16:12:38

result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

<svg><p><textarea><img ><>

result with twig: {{ xss.xss | escape }}:

<svg><p><textarea><img src="</textarea><img src=x onerror=1//">

keyword(s): foo,bar

description: test from DOMPurify

by Lars | at 2019-08-15 01:27:47

BY LARS MOELLEKEN WITH HATE IN 2015