Anti-XSS for PHP

{ @hacker | "try to bypass this XSS filter" }

github.com/voku/anti-xss



If you need some inspiration for new attacks, take a look at the PHPUnit tests. I have already included tests from e.g. "DOMPurify", "JS-XSS" and "LaravelSecurity". Here you can find some more XSS strings:



PS: This demo is also available at github.com, and you can also create pull requests there.


result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

result with twig: {{ xss.xss | escape }}:

<script>alert('aaa');</script>

keyword(s): b

description: b

by b | at 2019-09-15 15:05:51


result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

Hello

result with twig: {{ xss.xss | escape }}:

<a href="www.charfun.com">Hello</a>

keyword(s): a

description: a

by a | at 2019-09-15 15:05:10


result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

result with twig: {{ xss.xss | escape }}:

<script>alert()</script>

keyword(s): sdfdsa

description: sadfdsaf

by sadfa | at 2019-09-13 09:02:24


result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

asdf

result with twig: {{ xss.xss | escape }}:

asdf

keyword(s): sadfdsaf

description: safdas

by asdfdsaf | at 2019-09-13 09:01:55


result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

saddasds dassad

result with twig: {{ xss.xss | escape }}:

saddasds dassad

keyword(s): saddasds dassad

description: saddasds dassad

by saddasds dassad | at 2019-09-10 22:38:41


result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

sfdsfd

result with twig: {{ xss.xss | escape }}:

sfdsfd

keyword(s): sdfsdf

description: sdfsdf

by sfdfdsdfsdf | at 2019-09-10 22:38:19


result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

sad

result with twig: {{ xss.xss | escape }}:

sad

keyword(s):

description:

by sad | at 2019-09-10 13:24:08


result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

ytgsgf

result with twig: {{ xss.xss | escape }}:

<div>ytgsgf</div>

keyword(s): Jsbsh

description: Snsjs

by Bdjd | at 2019-09-09 19:17:08


result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

result with twig: {{ xss.xss | escape }}:

<span></span>

keyword(s): Gshs

description: Nsbz

by Jsgs | at 2019-09-09 19:15:46


result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

result with twig: {{ xss.xss | escape }}:

<span>&#7586;</span>

keyword(s): 09968

description: Test

by Testing002 | at 2019-09-09 19:13:29


result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

result with twig: {{ xss.xss | escape }}:

<span>&#7586;</script>

keyword(s): 09968

description: Testing for xss

by Testing001 | at 2019-09-09 19:10:31


result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

result with twig: {{ xss.xss | escape }}:

<script></script>

keyword(s): Gdjg

description: Gfjg

by Hfj | at 2019-09-09 19:07:20


result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

saf

result with twig: {{ xss.xss | escape }}:

saf

keyword(s): sadf

description: sdf

by asdf | at 2019-09-08 10:26:12


result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

<?php echo "More" ?>

result with twig: {{ xss.xss | escape }}:

<script>window.alert("Wow");</script> <?php echo "More" ?>

keyword(s): Love

description: Love for computer information security

by Ssekiziyivu Godfrey | at 2019-09-07 22:30:23


result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

&?

result with twig: {{ xss.xss | escape }}:

&?

keyword(s): Love

description: Love for computer security

by Ssekiziyivu Godfrey | at 2019-09-07 22:27:49


result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

result with twig: {{ xss.xss | escape }}:

<scr<script>ipt>alert("hello");</scr</script>ipt>

keyword(s): any

description: Test

by test | at 2019-09-07 12:33:03


result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

qqq

result with twig: {{ xss.xss | escape }}:

qqq

keyword(s):

description: qqqq

by qqqq | at 2019-09-06 18:51:53


result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

<svg />

result with twig: {{ xss.xss | escape }}:

<svg onload='alert("dff")'/>

keyword(s): effefe

description: <svg />

by fer | at 2019-09-05 15:30:56


result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

<?php echo "sdfgdsfg"; ?>

result with twig: {{ xss.xss | escape }}:

<?php echo "sdfgdsfg"; ?>

keyword(s): dfh

description: dfhfdg

by sdf | at 2019-09-04 16:10:03


result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

pop

result with twig: {{ xss.xss | escape }}:

pop <script></script>

keyword(s): dfh

description: dfg

by fdgh | at 2019-09-04 12:05:42


result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

dfghdfghf

result with twig: {{ xss.xss | escape }}:

dfghdfghf<img src="#" />

keyword(s): dfh

description: dfghdfh

by dfh | at 2019-09-04 12:04:27


result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

result with twig: {{ xss.xss | escape }}:

<img src="#" />

keyword(s): sdfg

description: sdfg

by kh | at 2019-09-04 12:03:56


result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

result with twig: {{ xss.xss | escape }}:

<script>alert("khush");</script>

keyword(s): tes

description: sdfgfdg

by khush | at 2019-09-04 12:02:40


result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

result with twig: {{ xss.xss | escape }}:

<script>alert("sdfg");</script>

keyword(s): fgh

description: dfgh

by | at 2019-09-04 12:01:29


result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

sdfsdf

result with twig: {{ xss.xss | escape }}:

sdfsdf

keyword(s):

description:

by vdc | at 2019-09-04 09:17:15


result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

شسی

result with twig: {{ xss.xss | escape }}:

شسی

keyword(s): شسی

description: شسی

by سی | at 2019-09-03 23:49:56


result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

result with twig: {{ xss.xss | escape }}:

<div/onanimationend="alert(1)"/style="animation:a">

keyword(s): test

description:

by test | at 2019-09-02 14:58:34


result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

result with twig: {{ xss.xss | escape }}:

<script>alert(1)</script>

keyword(s): sssssss

description: asdasda

by aaaa | at 2019-09-02 13:23:11


result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

result with twig: {{ xss.xss | escape }}:

<script> alert(12312313213) </script>

keyword(s): dfgd

description: fgdfgd

by dfgdfg | at 2019-09-02 13:20:13


result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

result with twig: {{ xss.xss | escape }}:

<script> alert(1) </script>

keyword(s): eryerye

description: ryeryerye

by yeyery | at 2019-09-02 13:19:45


result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

result with twig: {{ xss.xss | escape }}:

<script> alert(1) </script>

keyword(s): 2

description: 3

by 1 | at 2019-09-01 15:08:51


result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

ddd

result with twig: {{ xss.xss | escape }}:

ddd

keyword(s): ddd

description: ddd

by dd | at 2019-09-01 15:08:12


result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

MPU ist für Sie kein Muss mehr! Ohne Schikane zum Führerschein! Nutzen Sie Ihr Recht auf EU-Führerschein, sowie schon Tausende deutsche Bürger gemacht haben. Idiotentest – nein, danke! Anfrage E-Mail: cedeco99@gmail.com Mehr Info, telefonische Beratung auf: www.mpu77.com Außerdem: Umtausch „Alle nicht EU-Führerscheine“ gegen einen „EU-Führerschein“. EU driving license for all. Anfrage E-Mail: cedeco99@gmail.com Mehr Info, telefonische Beratung auf: http://eufs.pw/ Peneta GmbH, Siemensstraße. 44, 12489 Berlin.

result with twig: {{ xss.xss | escape }}:

MPU ist für Sie kein Muss mehr! Ohne Schikane zum Führerschein! Nutzen Sie Ihr Recht auf EU-Führerschein, sowie schon Tausende deutsche Bürger gemacht haben. Idiotentest – nein, danke! Anfrage E-Mail: cedeco99@gmail.com Mehr Info, telefonische Beratung auf: www.mpu77.com Außerdem: Umtausch „Alle nicht EU-Führerscheine“ gegen einen „EU-Führerschein“. EU driving license for all. Anfrage E-Mail: cedeco99@gmail.com Mehr Info, telefonische Beratung auf: http://eufs.pw/ Peneta GmbH, Siemensstraße. 44, 12489 Berlin.

keyword(s):

description: MPU ist für Sie kein Muss mehr! Ohne Schikane zum Führerschein! Nutzen Sie Ihr Recht auf EU-Führerschein, sowie schon Tausende deutsche Bürger gemacht haben. Idiotentest – nein, danke! Anfrage E-Mail: cedeco99@gmail.com Mehr Info, telefonische Beratung auf: www.mpu77.com Außerdem: Umtausch „Alle nicht EU-Führerscheine“ gegen einen „EU-Führerschein“. EU driving license for all. Anfrage E-Mail: cedeco99@gmail.com Mehr Info, telefonische Beratung auf: http://eufs.pw/ Peneta GmbH, Siemensstraße. 44, 12489 Berlin.

by Uhl | at 2019-08-31 08:44:12


result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

result with twig: {{ xss.xss | escape }}:

<script>alert('hi')</script>

keyword(s): aa

description: aa

by aaa | at 2019-08-30 08:45:16


result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

I am fine

result with twig: {{ xss.xss | escape }}:

<div style="text-align: justify" ONCLICK="alert('test')">I am fine</div>

keyword(s):

description:

by test | at 2019-08-29 22:31:25


result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

I am fine

result with twig: {{ xss.xss | escape }}:

<div style="text-align: justify">I am fine</div>

keyword(s):

description:

by TEST | at 2019-08-29 22:30:21


result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

result with twig: {{ xss.xss | escape }}:

<SCRIPT SRC=http://xss.rocks/xss.js?< B >

keyword(s): s

description: s

by s | at 2019-08-28 11:10:23


result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

result with twig: {{ xss.xss | escape }}:

<script>alert('hi')</script>

keyword(s): dhtdu

description: dtujtdu

by tjntfj | at 2019-08-26 09:19:22


result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

asssssssssssssssssss

result with twig: {{ xss.xss | escape }}:

asssssssssssssssssss

keyword(s): asdas

description: asdasdasdasdasd

by the"=T84s(9831)" | at 2019-08-23 22:53:49


result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

the"=T84s(9831)"

result with twig: {{ xss.xss | escape }}:

the"onmouseover=T84s(9831)"

keyword(s): nasil

description: kardes

by yarragim | at 2019-08-23 22:52:45


result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

result with twig: {{ xss.xss | escape }}:

<script>test('test');</script>

keyword(s):

description:

by adasda | at 2019-08-22 04:04:05


result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

你早

result with twig: {{ xss.xss | escape }}:

你早

keyword(s):

description:

by 你早 | at 2019-08-22 04:03:21


result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

testprofessional

result with twig: {{ xss.xss | escape }}:

<font color="#ffFF00">testprofessional</font>

keyword(s):

description:

by test | at 2019-08-20 13:04:42


result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

I am fine

result with twig: {{ xss.xss | escape }}:

<div><s>I am fine</s></div>

keyword(s):

description:

by test | at 2019-08-20 13:01:20


result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

I am fine

result with twig: {{ xss.xss | escape }}:

<div style="color: red;">I am fine</div>

keyword(s):

description:

by test | at 2019-08-20 12:59:12


result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

I am fine

result with twig: {{ xss.xss | escape }}:

<div style="text-align: justify">I am fine</div>

keyword(s):

description:

by test | at 2019-08-20 12:55:38


result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

Nonstop

result with twig: {{ xss.xss | escape }}:

Nonstop

keyword(s):

description:

by Nonstop | at 2019-08-19 16:13:33


result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

result with twig: {{ xss.xss | escape }}:

<script>alert('Il y a une faille XSS')</script>

keyword(s):

description:

by | at 2019-08-16 19:48:26


result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

result with twig: {{ xss.xss | escape }}:

<script>alert('Il y a une faille XSS')</script>

keyword(s):

description:

by | at 2019-08-16 16:12:38


result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

<svg><p><textarea><img ><>

result with twig: {{ xss.xss | escape }}:

<svg><p><textarea><img src="</textarea><img src=x onerror=1//">

keyword(s): foo,bar

description: test from DOMPurify

by Lars | at 2019-08-15 01:27:47