Added a new public method stringHasXss, useful when we just want to know if the given string has or not a malicious XSS code. Useful in a pre-dispatch method, to make sure we are going to call a safe URL when typed by the user.

Updated the unit tests for the new method.

This change is 

Hello, I am using the library to prevent XSS attacks. When I input the string Mondragon, the string is recognized as XSS because it contains the word ondrag, which is in the $_never_allowed_str_afterwards list. I was wondering if there is any chance in improving the detection algorithm, maybe an equal sign shoud follow some of the $_never_allowed_str_afterwards words? (For example onDrag= instead of onDrag) Or maybe would it be possible to have a method to customize the $_never_allowed_str_afterwards list, in order to remove some of the words in it? I see that is it possible to remove evil html tags (removeEvilHtmlTags) and attributes (removeEvilAttributes) but no modification is allowed on the $_never_allowed_str_afterwards list.

Thanks for the help,

Hi,

I would like use your anti-xss library, but I have an error message. So, I write a native php code and included your AntiXSS.php.

include "inc/AntiXSS.php";

Then I call:

$antiXss = new AntiXSS();

I put the $antiXss->xss_clean($input);

Result:

Fatal error: Uncaught Error: Class 'UTF8' not found in include\AntiXSS.php:1933 Stack trace: #0 [internal function]: AntiXSS->_decode_entity(Array) #1 include\AntiXSS.php(2472): preg_replace_callback('/<\\w+.*+/si', Array, 't\xC5\xB1zolt\xC3\xB3<scipt...') #2 include\AntiXSS.php(1985): AntiXSS->_decode_string('t\xC5\xB1zolt\xC3\xB3<scipt...') #3 include\AntiXSS.php(2907): AntiXSS->_do('t\xC5\xB1zolt\xC3\xB3<scipt...') #4 modules\keres\keres_index.php(22): AntiXSS->xss_clean('t\xC5\xB1zolt\xC3\xB3<scipt...') #5 engine.php(19): include('\m...') #6 index.php(216): include('...') #7 {main} thrown in include\AntiXSS.php on line 1933

Can you help me?

Below is the code in my submission.

<pre><code>
throttle(fn, delay) {
    let _this = this, context, args, result;
    let timeout = null;
    let previous = 0;
    const later = () =&gt; {
        previous = 0;
        timeout = null;
        result = fn.apply(context, args);
        if (!timeout) {
            context = args = null;
        }
    };
    return () =&gt; {
        let now = _this.now();
        if (!previous) {
            previous = now;
        }
        let remaining = delay - (now - previous);
        context = this;
        args = arguments;
        if (remaining &lt;= 0 || remaining &gt; delay) {
            if (timeout) {
                clearTimeout(timeout);
                timeout = null;
            }
            previous = now;
            result = fn.apply(context, args);
            if (!timeout) {
                context = args = null;
            }
        } else if (!timeout) {
            timeout = setTimeout(later, remaining);
        }
        return result;
    };
}
</code></pre>

After testing, it is caused by the setTimeout keyword. Please help me see how to deal with it, thank you.😊

Hi, I've developed a UGC service with laravel that users can publish posts. I've used this package to prevent xss, and used xss_clean method in validation before post can published. But sometimes there are some issues that clean wrong contents. For example: before xss_clean: <img src="https://****/upload/***/****/***/2nshd82y68kxvbbb/u82nc9375n.png" alt="توییتر " />

after xss_clean: <img src="" />

in this post there are 4 img tags but xss_clean cleaned only this one !!

Or in another post: before: <img src="https://****/upload/***/*****/***/ksjd827xchu2/m2sjhd262sj" alt="فضا (فضای سفید یا خالی) - Space"/>

after: <img src="" />

Hello,

I have an issue where an email would be considered dangerous when enclosed between <> tags. For example:

<[email protected]>. It's basically <$keyword(*.)@gmail.com> where $keyword is something that would be considered the start of a dangerous tag like style, script etc.

What happens is that the tags are encoded like < and > causing the content to be double escaped in my case. Any ideas how to fix this behaviour or if it is possible at all?

Thanks!

Hello!

I think we have a bug when an URL have a +param/other- sequence it removes. I added a failing test case for that. It caused by this regex https://github.com/voku/anti-xss/blob/master/src/voku/helper/AntiXSS.php#L2731

Could you have a look, please? Thanks!

This change is 

Hello

We think about use this class on our cms ( https://github.com/pi-engine/pi ) Instead of this filter ( https://github.com/pi-engine/pi/blob/develop/lib/Pi/Filter/XssSanitizer.php and https://github.com/pi-engine/pi/blob/develop/lib/Pi/Security/Xss.php) for make support better php7

Just I have question, can we make squerty little simpler ? for example we use ckeditor and users make some custom setting ( usually use css codes ) but this project remove all custom css codes , can we manage it?

What is this feature about (expected vs actual behaviour)?

False positive for URL in href attribute removes whole URL if it contains Document.aspx.

How can I reproduce it?

$antiXss = new \voku\helper\AntiXSS();
$antiXss->xss_clean('<a href="http://google.com/Document.aspx">long link</a>');

Hi, I think i stumbled on a false positive in _sanitize_naughty_javascript

What is this feature about (expected vs actual behaviour)?

• do no detect XSS

How can I reproduce it?

$str = '<p>Montageprofile(n)</p>';

$antiXss = new \voku\helper\AntiXSS(); 
$antiXss->xss_clean($str);

assert(false === $antiXss->isXssFound());

Does it take minutes, hours or days to fix?

• minutes, maybe

Any additional information?

https://github.com/voku/anti-xss/blob/master/src/voku/helper/AntiXSS.php#L1680:L1721

• regex is missing a space before the keyword pattern, blablafile(n) is no valid js

Input:

<span>
    foo="<span class="bar">baz</span>"
</span>

Expected result (no changes):

<span>
    foo="<span class="bar">baz</span>"
</span>

Actual result:

<span>
    foo="&lt;span class="bar">baz</span>"
</span>

The change is coming from this part: https://github.com/voku/anti-xss/blob/19da849cb2dd44d7c25e3eb0ee6cc9433ff9a106/src/voku/helper/AntiXSS.php#L1543-L1559

What is this feature about (expected vs actual behaviour)?

Link url https://www.geolocation.com is not passing, also https://www.history.com

How can I reproduce it?

insert a link with one of the URLs above and it will report as it have xss

Does it take minutes, hours or days to fix?

don't know

Any additional information?

if the url have some string of (_never_allowed_js_callback_regex) plus a dot, it will report as positive. this detection occurs in lines (1153-1161) of AntiXSS.php

What is this feature about (expected vs actual behaviour)?

Trying to validate a string containing a person's name, the method xss_clean returns a modified string, please see the following screens:

How can I reproduce it?

Here's the minimum code I can provide for reproducing the issue:

$antiXss = new AntiXSS();
$value = "Eva L'Host";
$cleaned = $antiXss->xss_clean($value);
dump($value, $cleaned);

Any additional information?

I tried with modified versions of the string, like "Eve L'Host" and it's validated correctly. I guess the library is interpreting the string "Eva L'Host" as an attempt to use "eval".

I found a test (https://github.com/voku/anti-xss/blob/master/tests/XssTest.php) that should ensure that "ordinary strings" containing the word "eval" are validated correctly, but I guess different strings with spaces and single quotes may lead to false positives.

I think this issue is similar to a problem I'm having with text like system (… being considered dangerous. For example the string the operating system (e.g. Windows 10, Mac OS X etc.) you are using is considered to contain XSS.

Would a similar change for system work? @voku , @Fahl-Design

Originally posted by @mike-healy in https://github.com/voku/anti-xss/issues/99#issuecomment-1214704658

What is this feature about (expected vs actual behaviour)?

If we tryind to validate HTML code like this:

<video controls="controls" width="300" height="150">
<source src="https://leonardo.osnova.io/49ab16a3-64a6-505e-97f1-34c83f122a49/-/preview/700/-/format/webp/" />
<source src="https://leonardo.osnova.io/49ab16a3-64a6-505e-97f1-34c83f122a49/-/preview/700/-/format/webp/" />
</video>

We got an XSS error rise. Howewer it is an valid HTML code, with allowed tags: video & sorce.

How can I reproduce it?

$html = <<<HTML
<video controls="controls" width="300" height="150">
<source src="https://leonardo.osnova.io/49ab16a3-64a6-505e-97f1-34c83f122a49/-/preview/700/-/format/webp/" />
<source src="https://leonardo.osnova.io/49ab16a3-64a6-505e-97f1-34c83f122a49/-/preview/700/-/format/webp/" />
</video>
HTML;

$antiXss = new AntiXSS();
$antiXss->removeEvilHtmlTags(['video', 'sorce']);
$antiXss->xss_clean($html);
var_dump($antiXss->isXssFound());

Any additional information?

On validation system check a valid src attribute in tag and this is what this regexp finds:

src="https://leonardo.osnova.io/49ab16a3-64a6-505e-97f1-34c83f122a49/-/preview/700/-/format/webp/" /

Obviously the last / is ambiguous and it show only, that this tag is closed.

This PR contains the following updates:

| Package | Type | Update | Change | |---|---|---|---| | codecov/codecov-action | action | major | v2 -> v3 |

Release Notes

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

• [ ] If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

This change is