/**
 * Test that xss() removes XSS attack vectors.
 *
 * Covers the default (tag-stripping) mode, the strip=false mode that keeps
 * markup but drops on* handlers, removal of xmlns attributes and namespaced
 * tags, and a fixed list of tags that are removed even when strip=false.
 *
 * NOTE(review): none of the expected values below show entity escaping
 * (quotes survive as-is), so escaping is not asserted here. The only
 * handler exercised is a lowercase, double-quoted onclick, and no href/src
 * attribute carrying a javascript: URL is tested; confirm those cases
 * before relying on strip=false for untrusted input.
 */
public function testXss() {
    $payload = 'Test string <script>alert("XSS!");</script> with attack <div onclick="javascript:alert(\'XSS!\')">vectors</div>';
    $keepTags = array('strip' => false);

    // Default mode strips every tag; text content (including the script body) survives.
    $this->assertEquals('Test string alert("XSS!"); with attack vectors', Sanitize::xss($payload));

    // strip=false keeps the <div> but removes its onclick handler.
    $this->assertEquals('Test string alert("XSS!"); with attack <div>vectors</div>', Sanitize::xss($payload, $keepTags));

    // xmlns attributes are dropped from the tag.
    $this->assertEquals('<html>', Sanitize::xss('<html xmlns="http://www.w3.org/1999/xhtml">', $keepTags));

    // Namespaced tags are removed, with or without attributes; their text is kept.
    $this->assertEquals('Content', Sanitize::xss('<ns:tag>Content</ns:tag>', $keepTags));
    $this->assertEquals('Content', Sanitize::xss('<ns:tag attr="foo">Content</ns:tag>', $keepTags));

    // Active/embedded-content tags are removed even with strip=false; their text is kept.
    $this->assertEquals(
        'A string full of unwanted tags.',
        Sanitize::xss('<audio>A</audio> <script type="text/javascript">string</script> <iframe>full</iframe> <applet>of</applet> <object>unwanted</object> <style>tags</style>.', $keepTags)
    );
}
/**
 * Procedural shortcut for Sanitize::xss().
 *
 * @param mixed $value   Value to filter (forwarded as-is)
 * @param array $options Options forwarded unchanged to Sanitize::xss()
 * @return mixed Whatever Sanitize::xss() returns
 */
function xss($value, array $options = array()) {
    $filtered = Sanitize::xss($value, $options);

    return $filtered;
}
/**
 * Run the configured sanitize filters against the data before each save.
 *
 * For every field in $data that has a non-empty filter configuration, the
 * steps html, newlines, whitespace and xss are applied in that fixed order,
 * each receiving the previous step's output, and the result is written back
 * into $data by reference. Fields without a configured filter are untouched.
 *
 * NOTE(review): this sanitizes on the way into storage, which ties the
 * stored value to an HTML output context; confirm that views do not escape
 * again (double-encoding) and that non-HTML consumers expect encoded values.
 *
 * @param \Titon\Event\Event $event
 * @param \Titon\Db\Query $query
 * @param int|int[] $id
 * @param array $data Modified in place
 * @return bool Always true; the save is never vetoed here
 */
public function preSave(Event $event, Query $query, $id, array &$data) {
    $filters = $this->getFilters();

    // Steps run in this order; the option value for each step is passed through.
    $pipeline = array('html', 'newlines', 'whitespace', 'xss');

    foreach ($data as $field => $value) {
        if (empty($filters[$field])) {
            continue;
        }

        $config = $filters[$field];

        foreach ($pipeline as $step) {
            // A step is only enabled when its key is set (isset: null disables it).
            if (!isset($config[$step])) {
                continue;
            }

            $value = Sanitize::$step($value, $config[$step]);
        }

        $data[$field] = $value;
    }

    return true;
}