Anti-XSS for PHP

{ @hacker | "try to bypass this XSS filter" }

github.com/voku/anti-xss



If you need some inspiration for new attacks, take a look at the PHPUnit tests. I have already included tests from e.g. "DOMPurify", "JS-XSS" and "LaravelSecurity". Here you can find some more XSS strings:



PS: This demo is also available at github.com, and you can also create pull requests here.


result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

asssssssssssssssssss

result with twig: {{ xss.xss | escape }}:

asssssssssssssssssss

keyword(s): asdas

description: asdasdasdasdasd

by the"=T84s(9831)" | at 2019-08-23 22:53:49


result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

the"=T84s(9831)"

result with twig: {{ xss.xss | escape }}:

the"onmouseover=T84s(9831)"

keyword(s): nasil

description: kardes

by yarragim | at 2019-08-23 22:52:45


result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

result with twig: {{ xss.xss | escape }}:

<script>test('test');</script>

keyword(s):

description:

by adasda | at 2019-08-22 04:04:05


result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

你早

result with twig: {{ xss.xss | escape }}:

你早

keyword(s):

description:

by 你早 | at 2019-08-22 04:03:21


result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

testprofessional

result with twig: {{ xss.xss | escape }}:

<font color="#ffFF00">testprofessional</font>

keyword(s):

description:

by test | at 2019-08-20 13:04:42


result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

I am fine

result with twig: {{ xss.xss | escape }}:

<div><s>I am fine</s></div>

keyword(s):

description:

by test | at 2019-08-20 13:01:20


result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

I am fine

result with twig: {{ xss.xss | escape }}:

<div style="color: red;">I am fine</div>

keyword(s):

description:

by test | at 2019-08-20 12:59:12


result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

I am fine

result with twig: {{ xss.xss | escape }}:

<div style="text-align: justify">I am fine</div>

keyword(s):

description:

by test | at 2019-08-20 12:55:38


result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

Nonstop

result with twig: {{ xss.xss | escape }}:

Nonstop

keyword(s):

description:

by Nonstop | at 2019-08-19 16:13:33


result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

result with twig: {{ xss.xss | escape }}:

<script>alert('Il y a une faille XSS')</script>

keyword(s):

description:

by | at 2019-08-16 19:48:26


result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

result with twig: {{ xss.xss | escape }}:

<script>alert('Il y a une faille XSS')</script>

keyword(s):

description:

by | at 2019-08-16 16:12:38


result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

<svg><p><textarea><img ><>

result with twig: {{ xss.xss | escape }}:

<svg><p><textarea><img src="</textarea><img src=x onerror=1//">

keyword(s): foo,bar

description: test from DOMPurify

by Lars | at 2019-08-15 01:27:47