IronicSoul Posted June 14, 2008

We have a website that allows our users to add HTML to their profiles and such, until some person thought they were real funny and posted this:

    <iframe src=http://lancxeon.com/jack****.html</iframe>

on their profile. In return, this contained JavaScript on that remote page that acted on our site and our users in a bad way. The link above no longer contains the bad code and is resolved.

We would really like to know how to censor out words/HTML tags that can cause XSS that our system does not normally detect as bad. Here is a snippet of our user_class file:

    // DECODE TO MAKE HTML TAGS FOR PROFILE FIELDS VALID
    // (turns the stored, entity-encoded value back into raw HTML)
    $field_value_profile = htmlspecialchars_decode($field_value_profile, ENT_QUOTES);

    // FORMAT VALUE FOR FORM
    } else {
        if ($field_info['field_type'] == 2) {
            // textarea fields: stored <br> tags become newlines for editing
            $field_value = str_replace("<br>", "\r\n", $field_value);
        }
    }
    break;

I have read a lot on the PHP page on the usage of htmlspecialchars and str_replace, but nothing will truly get rid of the code from being used, or at least make it HTML-safe. Any help I would greatly appreciate!
marklarah Posted June 15, 2008

Okay, str_replace will work if used correctly. Just filter out "<iframe" to be replaced with "". Alternatively, disallow HTML on pages. If they want custom font sizes or images, have a BBCode system in place. Other than that, why else would they need it?
aximbigfan Posted June 15, 2008

Better yet, preg_replace < with its display code, i.e. < -> &lt;. This will cause the raw text to show up.

Chris
D3xt3r Posted June 15, 2008

You could just use a function to kill the script if it detects any bad entries.

    // Assumed: $profile_data holds the submitted profile HTML.
    $bad_codes = array("<iframe", "</script>");
    foreach ($bad_codes as $bad_code) {
        // preg_quote() escapes the "/" in "</script>" so it is not read as the pattern delimiter.
        // The match is case-sensitive.
        if (preg_match("/" . preg_quote($bad_code, "/") . "/", $profile_data)) {
            echo "Invalid Data";
            exit();
        }
    }
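The following is an added example, not code from any of the posts above. It runs the "strip <iframe" and "reject on <iframe" ideas from the replies above against a few constructed payloads and compares them with simply escaping the text. The helper names, the payload strings and the host name attacker.example are all assumptions made for this demonstration.

```php
<?php
// Added example, not from the thread: blacklist filtering versus escaping.

// Blacklist, remove-the-token variant: delete the forbidden substrings.
function strip_blacklisted(string $html): string
{
    return str_replace(['<iframe', '</script>'], '', $html);
}

// Blacklist, reject variant: refuse the input if a forbidden substring is
// present. stripos() is case-insensitive and needs no regex quoting.
function contains_blacklisted(string $html): bool
{
    foreach (['<iframe', '</script>'] as $bad) {
        if (stripos($html, $bad) !== false) {
            return true;
        }
    }
    return false;
}

// Escaping: turn every '<', '>', '&', '"' and "'" into an entity so the
// browser renders the text literally instead of parsing it as markup.
function escape_html(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Crude probe used only for reporting: is there still a tag the browser
// would act on? (Escaped output has no '<' left, so it never matches.)
function looks_live(string $html): bool
{
    return (bool) preg_match('/<(iframe|script|object|img)\b/i', $html);
}

// Constructed payloads (attacker.example is a reserved, non-routable name).
$payloads = [
    'plain iframe'       => '<iframe src="http://attacker.example/x.html"></iframe>',
    'upper-case tag'     => '<IFRAME SRC="http://attacker.example/x.html"></IFRAME>',
    'split token'        => '<ifr<iframeame src="http://attacker.example/x.html"></iframe>',
    'script, no end tag' => '<script src="http://attacker.example/x.js">',
    'event handler'      => '<img src="x" onerror="alert(document.cookie)">',
    'object tag'         => '<object data="http://attacker.example/x.html"></object>',
];

foreach ($payloads as $label => $p) {
    $stripped = strip_blacklisted($p);
    printf("%-18s strip: %-11s reject: %-3s escape: %s\n",
        $label,
        looks_live($stripped) ? 'STILL LIVE' : 'neutralised',
        contains_blacklisted($p) ? 'yes' : 'no',
        looks_live(escape_html($p)) ? 'STILL LIVE' : 'neutralised'
    );
}
```

Run it with `php` on the command line. The strip column is the interesting one: str_replace() is case-sensitive, works in a single pass (so removing "<iframe" from "<ifr<iframeame" reassembles the token), and knows nothing about tags and attributes that are not on the list. The reject column does better on case but still misses everything outside the list. The escape column is neutralised for every payload because no user-supplied "<" survives at all.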
corbin Posted June 15, 2008

aximbigfan and D3xt3r, it's much better (faster) to use strpos() or stripos() when checking just to see if a string is in another string. I personally would not let users use HTML (run all output through htmlentities), and then implement a BBCode system.
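As an added example of the escape-then-BBCode approach suggested in this thread (not code from any poster, and not the original site's user_class), the function below escapes the whole profile value first and then translates a small BBCode subset into HTML. In the original code the htmlspecialchars_decode() call is what turns the stored value back into live markup; with this approach the stored, escaped value is rendered through render_profile() and is never decoded. The function name, the chosen tag subset, the sample inputs and the host name attacker.example are all assumptions made for this demonstration.

```php
<?php
// Added example, not from the thread: render profile text without ever
// emitting user-supplied HTML.
function render_profile(string $raw): string
{
    // Step 1: neutralise all markup. After this, no user-supplied '<', '>',
    // '&', '"' or "'" survives, so there is nothing for a blacklist to miss.
    $safe = htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');

    // Step 2: whitelist a few BBCode tags. These patterns run on the escaped
    // text, so the only HTML in the output is the HTML written here.
    $safe = preg_replace('#\[b\](.*?)\[/b\]#is', '<strong>$1</strong>', $safe);
    $safe = preg_replace('#\[i\](.*?)\[/i\]#is', '<em>$1</em>', $safe);

    // [url=...]text[/url]: accept only http(s) targets so that javascript:
    // and data: URLs cannot be smuggled into an href.
    $safe = preg_replace_callback(
        '#\[url=([^\]]+)\](.*?)\[/url\]#is',
        function (array $m): string {
            // $m[1] is entity-escaped; decode to validate, re-escape to emit.
            $href = html_entity_decode($m[1], ENT_QUOTES, 'UTF-8');
            if (!preg_match('#^https?://#i', $href)) {
                return $m[2]; // drop the link, keep the visible text
            }
            return '<a href="' . htmlspecialchars($href, ENT_QUOTES, 'UTF-8')
                . '" rel="nofollow">' . $m[2] . '</a>';
        },
        $safe
    );

    // Step 3: newlines to <br>, done at render time rather than stored.
    return nl2br($safe);
}

// Constructed sample inputs covering the cases discussed in the thread.
$samples = [
    'Hello [b]world[/b], visit [url=http://example.com/?a=1&b=2]my site[/url]',
    '[url=javascript:alert(1)]click me[/url]',
    '<iframe src="http://attacker.example/x.html"></iframe>',
    "line one\nline two <script>alert(1)</script>",
];

foreach ($samples as $s) {
    echo render_profile($s), "\n";
}
```

Two points about the design: the order matters (escape first, then add markup; doing it the other way round re-opens the hole), and the url handler decodes only to validate the scheme and then re-escapes, so a URL containing "&" or quotes is still emitted safely. Anything not on the whitelist is shown literally, which is exactly the "raw text shows up" behaviour described above.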
This topic is now archived and is closed to further replies.