


soosyze/kses
============

An HTML/XHTML filter written in PHP that also checks attribute values. It can be used to prevent Cross-Site Scripting (XSS), buffer-overflow and denial-of-service attacks, among other things.

Version 3.2.0 (released 3 years ago) · License: LGPL-2.0-only · Language: PHP · Requires PHP &gt;= 7.2


[Source](https://github.com/soosyze/kses) · [Packagist](https://packagist.org/packages/soosyze/kses)


Soosyze kses (kses strips evil scripts)
=======================================


[Build Status](https://github.com/soosyze/kses/actions?query=branch:master "Tests") · [Coverage Status](https://coveralls.io/github/soosyze/kses?branch=master "Coveralls") · [License](https://github.com/soosyze/kses/blob/master/LICENSE "LICENSE") · [Packagist](https://packagist.org/packages/soosyze/kses "Packagist")

Introduction
------------


Welcome to kses, an HTML/XHTML filter written in PHP. It removes all unwanted HTML elements and attributes, however malformed the HTML input you give it, and it checks attribute values. It can be used to prevent Cross-Site Scripting (XSS), buffer-overflow and denial-of-service attacks, among other things.

It passes the XSS filter evasion tests published by the [OWASP® Foundation](https://owasp.org/www-community/xss-filter-evasion-cheatsheet).

Features
--------


Some of kses' current features are:

- It will only allow the HTML elements and attributes that it was explicitly told to allow,
- Element and attribute names are case-insensitive (`a href` vs `A HREF`),
- It will understand and process whitespace correctly,
- Attribute values can be surrounded with quotes, apostrophes or nothing,
- It will accept valueless attributes with just names and no values (such as `selected`),
- It will accept XHTML's closing ` /` marks,
- Attribute values that are surrounded with nothing will get quotes added, because an unquoted value is accepted by browsers but is not W3C-conforming HTML,
- It handles lots of types of malformed HTML by interpreting the existing code as best it can and then rebuilding new code from it. That is a better approach than trying to patch the existing code in place, because you are bound to forget some weird special case somewhere. It handles problems like never-ending quotes and tags gracefully,
- It will remove additional `<` characters that people may try to sneak in somewhere,
- It supports checking attribute values for minimum/maximum length and minimum/maximum value, to protect against buffer-overflow and denial-of-service attacks against WWW clients and various servers. You can stop images from having too high values for `width` and `height`, for instance,
- It has a system for allowlisting URL protocols. You can say that attribute values may only start with `http:`, `https:`, `ftp:` and `gopher:`, but no other URL protocols (`javascript:`, `java:`, `about:`, `telnet:`, ...). The functions that do this work handle whitespace, upper/lower case, HTML entities (`jav&#97;script:`) and repeated entries (`javascript:javascript:alert(57)`),
- It also normalizes HTML entities as a nice side effect,
- It removes Netscape 4's JavaScript entities (`&{alert(57)};`),
- It handles `NULL` bytes and Opera's `chr(173)` whitespace characters,
- It provides allowlists for tags and protocols.
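The protocol allowlist check described in the list above, as an added example that is not part of soosyze/kses: it re-implements the normalisation steps in plain PHP so the handling of upper/lower case, whitespace, HTML entities, `NULL` bytes, `chr(173)` and repeated `javascript:` prefixes can be watched on constructed inputs. The function names (`normalizeAttributeValue`, `stripBadProtocols`) and the sample values are this example's own, not the library's API.

```php
<?php
declare(strict_types=1);

// Added example, not soosyze/kses code: a re-implementation of the URL-protocol
// allowlist check described in the feature list. Function names are this
// example's own, not the library's API.

/**
 * Undo the tricks named in the feature list before the scheme is examined:
 * HTML entities (jav&#97;script:), NULL bytes, control characters and
 * whitespace inside the scheme, Opera's chr(173) soft hyphen, and Netscape 4
 * JavaScript entities (&{alert(57)};).
 */
function normalizeAttributeValue(string $value): string
{
    // Decode entities until the string stops changing, so double-encoded
    // payloads such as "&amp;#97;" are unwrapped as well.
    do {
        $previous = $value;
        $value = html_entity_decode($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    } while ($value !== $previous);

    // Netscape 4 JavaScript entities: "&{...};" anywhere in the value.
    $value = preg_replace('/&\s*\{[^}]*(\}\s*;?|$)/', '', $value) ?? '';

    // NULL bytes, ASCII control characters, whitespace and U+00AD (chr(173)
    // in a single-byte encoding) are ignored by browsers inside a scheme.
    // preg_replace returns null on invalid UTF-8; treat that as empty.
    return preg_replace('/[\x00-\x20\x7F]|\x{00AD}/u', '', $value) ?? '';
}

/**
 * Strip leading schemes that are not in $allowedProtocols, repeating until an
 * allowed scheme or no scheme at all is left. With ['http', 'https'] the value
 * "javascript:javascript:alert(57)" therefore becomes "alert(57)", which is a
 * harmless relative URL. The comparison is case-insensitive ("JaVaScRiPt:").
 */
function stripBadProtocols(string $value, array $allowedProtocols): string
{
    $allowed = array_map(function (string $p): string {
        return strtolower(rtrim($p, ':'));   // accept "http" or "http:"
    }, $allowedProtocols);

    $clean = normalizeAttributeValue($value);
    while (preg_match('/^([a-z][a-z0-9+.\-]*):/i', $clean, $m)) {
        if (in_array(strtolower($m[1]), $allowed, true)) {
            break; // e.g. "http:" -- leave the rest of the value alone
        }
        $clean = substr($clean, strlen($m[0])); // drop the forbidden scheme
    }
    return $clean;
}

// Constructed inputs mirroring the evasions listed above.
$allowed = ['http', 'https', 'ftp', 'gopher'];
$samples = [
    'http://example.com/',                 // allowed, left unchanged
    'JaVaScRiPt:alert(57)',                // mixed case
    "jav\tascript:alert(57)",              // whitespace inside the scheme
    'jav&#97;script:alert(57)',            // decimal entity
    'javascript&colon;alert(57)',          // named entity for the colon
    'javascript:javascript:alert(57)',     // repeated entries
    "java\0script:alert(57)",              // NULL byte
    "java\u{00AD}script:alert(57)",        // chr(173) soft hyphen
    'http://example.com/?x=&{alert(57)};', // Netscape 4 JavaScript entity
];
foreach ($samples as $sample) {
    printf("%-40s => %s\n", addcslashes($sample, "\0..\37"), stripBadProtocols($sample, $allowed));
}
```

Running the script prints each constructed input beside its filtered value; every `javascript:` variant comes out as the bare `alert(57)`, which a browser treats as an ordinary relative path rather than a script, and the `&{alert(57)};` entity disappears from the query string. A real filter applies this only to URL-bearing attributes (`href`, `src`, `action`, ...); allowlisting the elements and attributes themselves and rebuilding the tag, the rest of what kses does, still has to happen around it.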

Requirements
------------


### PHP version

| PHP version | Soosyze Kses 3.x |
|---|---|
| &lt;= 7.1 | ✗ Unsupported |
| 7.2 / 7.3 / 7.4 | ✓ Supported |
| 8.0 / 8.1 / 8.2 | ✓ Supported |

Installation
------------


### Composer


To install **Kses** via Composer you need either the [Composer](https://getcomposer.org/download/) installer or its `composer.phar` binary.

Go to your project directory, open a command prompt and run the following command:

```
composer require soosyze/kses --no-dev
```

Or, if you use the `composer.phar` binary:

```
php composer.phar require soosyze/kses --no-dev
```

Use It
------


It is easy to use kses in your own PHP web application. Basic usage looks like this:

```
