We have a simple PHP script that is designed to include only the body portion of a page when doing a server-side include. The dilemma is that it is failing our security audit due to an XSS issue.
<?php
// Returns only the content between <body> and </body> of an included page.
function StripBody($content){
    // Capture the body element (case-insensitive, dot also matches newlines).
    if (!preg_match('%<body.*>(.*)</body>%is', $content, $matches)) {
        return ''; // no body element found: nothing to include
    }
    $matches = $matches[0];
    // Remove the opening and closing body tags themselves.
    $matches = preg_replace('%<.*body.*>%i', '', $matches);
    //$matches=str_replace(array("\n","\t","\r"," "),"",$matches);
    $matches = str_replace(array("../"), "", $matches);
    $matches = trim($matches);
    return $matches;
}

// The page name comes straight from the request and is echoed back below.
if (file_exists("../includes/$_REQUEST[p]")) {
    $inp = file_get_contents("../includes/$_REQUEST[p]");
    echo "<!-- include $_REQUEST[p] BEGIN -->\n";
    if ($_REQUEST['lb'] == 1) {
        echo '<a href="#" class="lbAction" rel="deactivate">Close</a>';
    }
    echo StripBody($inp);
    if ($_REQUEST['lb'] == 1) {
        echo '<a href="#" class="lbAction" rel="deactivate">Close</a>';
    }
    echo "\n<!-- include $_REQUEST[p] END-->\n";
} else {
    // Unknown page: the requested name is echoed unescaped.
    echo '[<i>' . $_REQUEST['p'] . '</i>]';
}
?>
The problem, according to the security audit, is that a hacker could in theory add ?p=<script>alert(document.cookie)</script><iframe%20width=800%20height=600%20src=http://www.intrudersdomainname.com></iframe>&lb=1 to the URL and have their content displayed on our page or run other scripts.
The issue is stripping that information out of the value for p.
I've tried strip_tags, but since p is defined as a constant it does not work.
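For comparison, here is the same include handler with the request parameter validated against a strict file-name pattern and HTML-escaped wherever it is echoed, so the audit's payload is rendered as literal text instead of being stripped from the input. This is an added example, not the poster's code; the helper names safe_page_name() and e() are chosen here for illustration.

```php
<?php
// Added example: validate the page name, then escape it at every output point.

// Accept only a plain file name (letters, digits, '-', '_', optional extension).
// Anything else is rejected outright rather than "cleaned up".
function safe_page_name(string $p): ?string {
    if (preg_match('/\A[A-Za-z0-9_-]+(\.[A-Za-z0-9]+)?\z/', $p) !== 1) {
        return null;
    }
    return $p;
}

// Escape a value for insertion into HTML text or a quoted attribute.
function e(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Same purpose as the poster's StripBody(): keep only the body's inner HTML.
// Simplified to capture group 1 and to return '' when there is no body element.
function StripBody(string $content): string {
    if (!preg_match('%<body[^>]*>(.*)</body>%is', $content, $m)) {
        return '';
    }
    return trim(str_replace('../', '', $m[1]));
}

$rawP = isset($_REQUEST['p']) ? (string)$_REQUEST['p'] : '';
$p    = safe_page_name($rawP);
$lb   = isset($_REQUEST['lb']) && $_REQUEST['lb'] === '1';

if ($p !== null && is_file("../includes/$p")) {
    // $p already matched the strict pattern, but escape anyway so the
    // HTML comment can never be closed early by user-controlled text.
    echo "<!-- include " . e($p) . " BEGIN -->\n";
    if ($lb) {
        echo '<a href="#" class="lbAction" rel="deactivate">Close</a>';
    }
    echo StripBody(file_get_contents("../includes/$p"));
    if ($lb) {
        echo '<a href="#" class="lbAction" rel="deactivate">Close</a>';
    }
    echo "\n<!-- include " . e($p) . " END -->\n";
} else {
    // The audit's payload lands here: e() turns <script> into &lt;script&gt;,
    // so the browser displays the text instead of executing it.
    echo '[<i>' . e($rawP) . '</i>]';
}
```

Because $rawP is escaped rather than filtered, a request such as ?p=<script>alert(1)</script> simply prints the tag text inside the brackets, and a name that fails safe_page_name() never reaches file_exists() at all.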