erfanhemmati/anti-xss
=====================

anti xss-library

Active library · Category: [Security](/categories/security) · Language: PHP

Since Apr 23 · Pushed 3y ago · 1 watcher · Versions: 1 · Used by: 0 · default branch `main` · synced 1mo ago

[Source](https://github.com/erfanhemmati/anti-xss-4.1.35) · [Packagist](https://packagist.org/packages/erfanhemmati/anti-xss) · [RSS](/packages/erfanhemmati-anti-xss/feed)

The README below is the upstream voku/anti-xss README: its install command (`composer require voku/anti-xss`) and its support links point at the voku project, not at this Packagist entry.

㊙️ AntiXSS
==========

"Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications. XSS enables attackers to inject client-side script into Web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same origin policy. Cross-site scripting carried out on websites accounted for roughly 84% of all security vulnerabilities documented by Symantec as of 2007." - [http://en.wikipedia.org/wiki/Cross-site\_scripting](http://en.wikipedia.org/wiki/Cross-site_scripting)

### DEMO:

### NOTES:

1. Use [filter\_input()](http://php.net/manual/de/function.filter-input.php) rather than reading the superglobal arrays (e.g. $\_SESSION, $\_GET, $\_POST, $\_SERVER) directly
2. Use [html-sanitizer](https://github.com/tgalopin/html-sanitizer) or [HTML Purifier](http://htmlpurifier.org/) if you need a more configurable, allow-list based solution
3. Add a Content Security Policy -> [Introduction to Content Security Policy](http://www.html5rocks.com/en/tutorials/security/content-security-policy/)
4. DO NOT WRITE YOUR OWN REGEX TO PARSE HTML!
5. READ THIS TEXT -> [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.md)
6. TEST THIS TOOL -> [Zed Attack Proxy (ZAP)](https://github.com/zaproxy/zaproxy)

### Install via "composer require"

```
composer require voku/anti-xss
```

### Usage:

```
use voku\helper\AntiXSS;

require_once __DIR__ . '/vendor/autoload.php'; // example path

$antiXss = new AntiXSS();
```

Example 1: (HTML Character)

```
$harm_string = "Hello, i try to <script>alert('Hack');</script> your site";
$harmless_string = $antiXss->xss_clean($harm_string);

// Hello, i try to alert&#40;'Hack'&#41;; your site
```

The `<script>` tags are removed and the parentheses are entity-encoded, so what remains is inert text.

Example 2: (Hexadecimal HTML Character)

```
$harm_string = "<IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>";
$harmless_string = $antiXss->xss_clean($harm_string);

// <IMG >
```

Example 3: (Unicode Hex Character)

```
$harm_string = "CLICK";
$harmless_string = $antiXss->xss_clean($harm_string);

// CLICK
```

Example 4: (Unicode Character)

```
$harm_string = "CLICK";
$harmless_string = $antiXss->xss_clean($harm_string);

// CLICK
```

Example 5.1: (non Inline CSS)

```
$harm_string = '<li style="list-style-image: url(javascript:alert(0))">';
$harmless_string = $antiXss->xss_clean($harm_string);

// <li >
```

Example 5.2: (with Inline CSS)

```
$harm_string = '<li style="list-style-image: url(javascript:alert(0))">';
$antiXss->removeEvilAttributes(array('style')); // allow style-attributes
$harmless_string = $antiXss->xss_clean($harm_string);

// <li style="list-style-image: url(alert&#40;0&#41;)">
```

Note that `removeEvilAttributes()` changes the instance, so every later `xss_clean()` call on this `$antiXss` will also keep `style` attributes.

Example 6: (check whether a string contains an XSS attack)

```
$harm_string = "\x3cscript src=http://www.example.com/malicious-code.js\x3e\x3c/script\x3e";
$harmless_string = $antiXss->xss_clean($harm_string);

// "" (the whole script element is removed)

$antiXss->isXssFound();

// true
```

Example 7: (allow e.g. iframes)

```
$harm_string = "<iframe width=\"560\" height=\"315\" src=\"https://www.youtube.com/embed/foobar?rel=0&amp;controls=0&amp;showinfo=0\" frameborder=\"0\" allowfullscreen></iframe>";

$antiXss->removeEvilHtmlTags(array('iframe'));

$harmless_string = $antiXss->xss_clean($harm_string);

// <iframe width="560" height="315" src="https://www.youtube.com/embed/foobar?rel=0&amp;controls=0&amp;showinfo=0" frameborder="0" allowfullscreen></iframe>
```
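The examples above each show a single call. As an added example (not code from the upstream README or the library), the following submission handler puts the pieces together: input is read with `filter_input()` as the NOTES recommend, `isXssFound()` is checked straight after `xss_clean()` (it reports on the most recent call only), a stripped payload is logged as a signal, and the value is still HTML-escaped at output time, because `xss_clean()` is an input filter and not an output encoder. The `comment` field name, the CLI fallback string and the `sanitizeField()` helper are this example's own assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not part of the voku/anti-xss README. Assumes the composer
// autoloader below and a POST form with a "comment" field (both hypothetical).
require_once __DIR__ . '/vendor/autoload.php';

use voku\helper\AntiXSS;

/**
 * Run one submitted value through AntiXSS.
 *
 * @return array{0: string, 1: bool} the cleaned value and whether anything was stripped
 */
function sanitizeField(AntiXSS $antiXss, ?string $raw): array
{
    if ($raw === null || $raw === '') {
        return ['', false];
    }

    $clean = $antiXss->xss_clean($raw);

    // isXssFound() reports on the most recent xss_clean() call only, so read it
    // here rather than after the next field has been cleaned.
    $found = $antiXss->isXssFound() === true;

    return [$clean, $found];
}

$antiXss = new AntiXSS();

// Note 1 from the README: read request data through filter_input(), not $_POST.
// FILTER_UNSAFE_RAW hands the bytes over unchanged; AntiXSS does the filtering.
$raw = filter_input(INPUT_POST, 'comment', FILTER_UNSAFE_RAW);

// Constructed fallback so the script also runs from the CLI, where INPUT_POST is empty.
if (!is_string($raw)) {
    $raw = 'Nice post! <img src=x onerror="alert(1)"> <b>thanks</b>';
}

[$comment, $xssFound] = sanitizeField($antiXss, $raw);

if ($xssFound) {
    // A stripped payload is a detection signal, not just noise to drop silently.
    error_log(sprintf('AntiXSS stripped markup from %s', $_SERVER['REMOTE_ADDR'] ?? 'cli'));
}

// xss_clean() filters untrusted markup on the way in; it is not an output encoder.
// When the value is rendered into an HTML text node, escape it for that context
// as well. Escaping already-clean text is harmless; a missed escape is not.
echo '<p>' . htmlspecialchars($comment, ENT_QUOTES | ENT_HTML5, 'UTF-8') . "</p>\n";

// xss_clean() also accepts an array of strings and cleans every element.
$profile = $antiXss->xss_clean([
    'name' => 'Eve <script>alert(1)</script>',
    'site' => 'javascript:alert(document.cookie)',
]);
print_r($profile);
```

Run it with `php handler.php` to see the CLI fallback path; behind a web server the same file reads the real `comment` field. Keeping the filter on input and the escape on output is the point: the filter catches what it knows, the context-aware escape catches what it does not.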

### Unit Test:

1. [Composer](https://getcomposer.org) is a prerequisite for running the tests.

```
composer install
```

2. The tests can be executed by running this command from the root directory:

```
./vendor/bin/phpunit
```

AntiXss methods
---------------

addDoNotCloseHtmlTags, addEvilAttributes, addEvilHtmlTags, addNeverAllowedOnEventsAfterwards, addNeverAllowedRegex, addNeverAllowedStrAfterwards, isXssFound, removeDoNotCloseHtmlTags, removeEvilAttributes, removeEvilHtmlTags, removeNeverAllowedOnEventsAfterwards, removeNeverAllowedRegex, removeNeverAllowedStrAfterwards, setReplacement, setStripe4byteChars, xss\_clean

addDoNotCloseHtmlTags(string\[\] $strings): $this
-------------------------------------------------

Add some strings to the "\_do\_not\_close\_html\_tags"-array.

**Parameters:**

- `string[] $strings`

**Return:**

- `$this`

---

addEvilAttributes(string\[\] $strings): $this
---------------------------------------------

Add some strings to the "\_evil\_attributes"-array (attribute names that `xss_clean()` strips from tags).

**Parameters:**

- `string[] $strings`

**Return:**

- `$this`

---

addEvilHtmlTags(string\[\] $strings): $this
-------------------------------------------

Add some strings to the "\_evil\_html\_tags"-array (tag names that `xss_clean()` removes).

**Parameters:**

- `string[] $strings`

**Return:**

- `$this`

---

addNeverAllowedOnEventsAfterwards(string\[\] $strings): $this
-------------------------------------------------------------

Add some strings to the "\_never\_allowed\_on\_events\_afterwards"-array (event-handler attribute names such as `onload` that are removed in the final pass).

**Parameters:**

- `string[] $strings`

**Return:**

- `$this`

---

addNeverAllowedRegex(string\[\] $strings): $this
------------------------------------------------

Add some strings to the "\_never\_allowed\_regex"-array (regular-expression patterns whose matches are replaced with the replacement string, see `setReplacement()`).

**Parameters:**

- `string[] $strings`

**Return:**

- `$this`

---

addNeverAllowedStrAfterwards(string\[\] $strings): $this
--------------------------------------------------------

Add some strings to the "\_never\_allowed\_str\_afterwards"-array (literal strings that are replaced in the final pass).

**Parameters:**

- `string[] $strings`

**Return:**

- `$this`

---

isXssFound(): bool|null
-----------------------

Check if the "AntiXSS->xss\_clean()"-method found an XSS attack in the last run. The flag is reset by every call, so read it directly after the `xss_clean()` call you care about.

**Parameters:** nothing

**Return:**

- `bool|null Will return null if the "xss_clean()" wasn't running at all.`

---

removeDoNotCloseHtmlTags(string\[\] $strings): $this
----------------------------------------------------

Remove some strings from the "\_do\_not\_close\_html\_tags"-array.

WARNING: Use this method only if you have a really good reason.

**Parameters:**

- `string[] $strings`

**Return:**

- `$this`

---

removeEvilAttributes(string\[\] $strings): $this
------------------------------------------------

Remove some strings from the "\_evil\_attributes"-array.

WARNING: Use this method only if you have a really good reason.

**Parameters:**

- `string[] $strings`

**Return:**

- `$this`

---

removeEvilHtmlTags(string\[\] $strings): $this
----------------------------------------------

Remove some strings from the "\_evil\_html\_tags"-array.

WARNING: Use this method only if you have a really good reason.

**Parameters:**

- `string[] $strings`

**Return:**

- `$this`

---

removeNeverAllowedOnEventsAfterwards(string\[\] $strings): $this
----------------------------------------------------------------

Remove some strings from the "\_never\_allowed\_on\_events\_afterwards"-array.

WARNING: Use this method only if you have a really good reason.

**Parameters:**

- `string[] $strings`

**Return:**

- `$this`

---

removeNeverAllowedRegex(string\[\] $strings): $this
---------------------------------------------------

Remove some strings from the "\_never\_allowed\_regex"-array.

WARNING: Use this method only if you have a really good reason.

**Parameters:**

- `string[] $strings`

**Return:**

- `$this`

---

removeNeverAllowedStrAfterwards(string\[\] $strings): $this
-----------------------------------------------------------

Remove some strings from the "\_never\_allowed\_str\_afterwards"-array.

WARNING: Use this method only if you have a really good reason.

**Parameters:**

- `string[] $strings`

**Return:**

- `$this`

---

setReplacement(string $string): $this
-------------------------------------

Set the replacement-string for not allowed strings.

**Parameters:**

- `string $string`

**Return:**

- `$this`

---

setStripe4byteChars(bool $bool): $this
--------------------------------------

Set the option to strip 4-byte characters.

INFO: use it if your DB (MySQL) can't store "utf8mb4". MySQL's 3-byte "utf8" charset cannot hold 4-byte characters, and in non-strict SQL mode an INSERT is silently truncated at the first such character. That can cut a cleaned string in half (for example dropping the closing part of a tag or attribute) and turn harmless-looking input into a stored XSS. Stripping 4-byte characters before storage prevents that truncation.

**Parameters:**

- `bool $bool`

**Return:**

- `$this`

---

xss\_clean(string|string\[\] $str): string|string\[\]
-----------------------------------------------------

XSS Clean

Sanitizes data so that "Cross Site Scripting" attacks can be prevented. This method does a fair amount of work but it is extremely thorough, designed to prevent even the most obscure XSS attempts. But keep in mind that nothing is ever 100% foolproof: a filter that removes known-bad constructs is a second line of defence behind context-aware output encoding and a Content Security Policy, not a replacement for them.

**Note:** Should only be used to deal with data upon submission (i.e. once, on input). It's not something that should be used for general runtime processing, and cleaned data still has to be escaped for the context it is rendered into.

**Parameters:**

- `TXssCleanInput $str input data e.g. string or array of strings`

**Return:**

- `string|string[]`

---
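The add\*/remove\*/set\* methods above are the whole configuration surface of the class. As an added example (this is not code from the README or the library), here is one function that builds a site-wide AntiXSS instance: a visible replacement marker, a widened deny list, event-handler names the shipped list may not yet know, a site-specific regex, and 4-byte stripping keyed to whether the database column really is utf8mb4. The tag, attribute, event and pattern choices, the sample inputs and the `buildAntiXss()`/`cleanAll()` helpers are constructed for this example; the comment on how patterns are joined states an assumption about the library's internals.

```php
<?php
declare(strict_types=1);

// Added example, not part of the voku/anti-xss README. Assumes the composer
// autoloader below; the tag, attribute, event and pattern names are illustrative.
require_once __DIR__ . '/vendor/autoload.php';

use voku\helper\AntiXSS;

/**
 * Build the one AntiXSS instance a site shares, so the policy lives in one place.
 *
 * @param bool $dbSupportsUtf8mb4 true if every column the cleaned text lands in is utf8mb4
 */
function buildAntiXss(bool $dbSupportsUtf8mb4): AntiXSS
{
    $antiXss = new AntiXSS();

    // Visible marker instead of silent deletion: moderators and log readers can
    // see that something was cut, and "my text vanished" reports become explainable.
    $antiXss->setReplacement('[removed]');

    // Widen the deny lists with tags and attributes this site never renders.
    $antiXss->addEvilHtmlTags(['marquee', 'template']);
    $antiXss->addEvilAttributes(['srcdoc', 'ping']);

    // Event-handler attribute names the shipped list may not know yet (HTML keeps
    // adding them); they are removed in the final "afterwards" pass.
    $antiXss->addNeverAllowedOnEventsAfterwards(['onbeforetoggle', 'onscrollend']);

    // A site-specific rule as a regex: block "data:" URLs that carry markup.
    // Pass the bare pattern (no delimiters) and group it; this example assumes
    // the library joins the patterns with "|" inside its own delimiters.
    $antiXss->addNeverAllowedRegex(['(?:data:\s*text/html)']);

    // MySQL's 3-byte "utf8" cannot store 4-byte characters; in non-strict SQL mode
    // the INSERT is truncated at the first one, which can cut a cleaned string
    // in half (a stored-XSS vector). Strip them unless the column is really utf8mb4.
    $antiXss->setStripe4byteChars(!$dbSupportsUtf8mb4);

    return $antiXss;
}

/**
 * Clean a batch of inputs and report, per input, what came out and whether
 * the cleaner changed anything. Returned as data so callers can log or assert on it.
 *
 * @param array<string, string> $inputs
 * @return array<string, array{clean: string, found: bool}>
 */
function cleanAll(AntiXSS $antiXss, array $inputs): array
{
    $out = [];
    foreach ($inputs as $label => $input) {
        $out[$label] = [
            'clean' => $antiXss->xss_clean($input),
            // read immediately: the flag only describes the call just made
            'found' => $antiXss->isXssFound() === true,
        ];
    }
    return $out;
}

// Constructed samples, one per rule configured above.
$samples = [
    'evil tag'       => 'hi <marquee onstart="alert(1)">scrolling</marquee> there',
    'evil attribute' => '<a href="/ok" ping="https://attacker.example/log">link</a>',
    'new on-event'   => '<button popovertarget="p" onbeforetoggle="alert(1)">toggle</button>',
    'custom regex'   => '<a href="data:text/html,<script>alert(1)</script>">open</a>',
    '4-byte char'    => 'emoji 😈 <b>bold</b>',
];

foreach (cleanAll(buildAntiXss(false), $samples) as $label => $result) {
    printf("%-15s found=%-5s %s\n", $label, $result['found'] ? 'true' : 'false', $result['clean']);
}
```

Build the instance once (for example in your container) and inject it; calling `removeEvilHtmlTags()` or `removeEvilAttributes()` on a shared instance, as Example 5.2 and Example 7 do, loosens the policy for every later caller, which is why the README marks those methods with a warning.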

### Support

For support and donations please visit [Github](https://github.com/voku/anti-xss/) | [Issues](https://github.com/voku/anti-xss/issues) | [PayPal](https://paypal.me/moelleken) | [Patreon](https://www.patreon.com/voku).

For status updates and release announcements please visit [Releases](https://github.com/voku/anti-xss/releases) | [Twitter](https://twitter.com/suckup_de) | [Patreon](https://www.patreon.com/voku/posts).

For professional support please contact [me](https://about.me/voku).

### Thanks

- Thanks to [GitHub](https://github.com) (Microsoft) for hosting the code and a good infrastructure including issue management, etc.
- Thanks to [IntelliJ](https://www.jetbrains.com) as they make the best IDEs for PHP and they gave me an open source license for PhpStorm!
- Thanks to [Travis CI](https://travis-ci.com/) for being the most awesome, easiest continuous integration tool out there!
- Thanks to [StyleCI](https://styleci.io/) for the simple but powerful code style check.
- Thanks to [PHPStan](https://github.com/phpstan/phpstan) &amp;&amp; [Psalm](https://github.com/vimeo/psalm) for really great static analysis tools and for discovering bugs in the code!

### License

[FOSSA license report](https://app.fossa.io/projects/git%2Bgithub.com%2Fvoku%2Fanti-xss?ref=badge_large)

### Health Score

13 (Low; better than 1% of packages)

- Maintenance: 20 (infrequent updates; may be unmaintained)
- Popularity: 3 (limited adoption so far)
- Community: 4 (small or concentrated contributor base)
- Maturity: 22 (early-stage or recently created project)

How is this calculated?

- **Maintenance (25%)**: last commit recency, latest release date, and issue-to-star ratio, with a 2-year decay window.
- **Popularity (30%)**: total and monthly downloads, GitHub stars, and forks; logarithmic scaling prevents top-heavy scores.
- **Community (15%)**: contributors, dependents, forks, watchers, and maintainers, as a measure of real ecosystem engagement.
- **Maturity (30%)**: project age, version count, PHP version support, and release stability.

### Community

Maintainer: [erfanhemmati](/maintainers/erfanhemmati)

### Alternatives

- [defuse/php-encryption](/packages/defuse-php-encryption): Secure PHP Encryption Library
- [roave/security-advisories](/packages/roave-security-advisories): Prevents installation of composer packages with known security vulnerabilities: no API, simply require it
- [mews/purifier](/packages/mews-purifier): Laravel 5/6/7/8/9/10 HtmlPurifier Package
- [robrichards/xmlseclibs](/packages/robrichards-xmlseclibs): A PHP library for XML Security
- [bjeavons/zxcvbn-php](/packages/bjeavons-zxcvbn-php): Realistic password strength estimation PHP library based on Zxcvbn JS
- [enlightn/security-checker](/packages/enlightn-security-checker): A PHP dependency vulnerabilities scanner based on the Security Advisories Database

