kmaid, posted October 16, 2008
Hello, I am a little worried by some possible XSS on my site. When a user edits their account details and includes invalid characters, my script lists the errors they made and puts whatever they posted back into the submit fields to allow them to change the data they submitted to be valid. I have since noticed that if you put in '"<B>' it changes the rest of the page to bold. Does this pose any security risks, as no data is placed into the database and it will only occur if the user submits the data in the first place? How do you deal with this? Thanks, Kmaid
Link to comment: https://forums.phpfreaks.com/topic/128705-solved-xss-problem/
Orio, posted October 16, 2008
It's not a security risk, but it can mess up your design. Because only the user that posted the invalid data will see it (other people won't get the invalid input on their browsers), there's no XSS risk here. But I think it is problematic that the rest of your page will be shown in bold/red/etc. Just pass the data through htmlentities() before outputting it. Orio.
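Added example, not code from the thread or from kmaid's site: re-displaying a rejected value inside an <input value="..."> attribute, first the way the original script does it and then with the output encoding Orio recommends. Function names, field names and the sample values are assumptions for the demonstration. A double quote in the unescaped value terminates the attribute early, and from there the browser parses the rest of the submitted string as tag syntax rather than as the field's contents. Since the value is reflected straight from the request, the encoding belongs at the point of output whether or not anything is stored; the browser that renders the reflected value is not necessarily the one that typed it, because any page that submits the same form on a visitor's behalf reaches the same code path.

```php
<?php
// Added example (not code from the thread). Re-displays a rejected
// form value inside an <input value="..."> attribute, first the way
// the original script did it and then with output encoding.

// Unsafe: the submitted value is dropped straight into the attribute.
// A leading double quote closes the attribute, and the rest of the
// payload is parsed as tag syntax instead of as the field's value.
function render_field_unsafe(string $name, string $value): string
{
    return '<input type="text" name="' . $name . '" value="' . $value . '">';
}

// Escaped for the HTML attribute context. ENT_QUOTES encodes both
// quote styles (htmlentities() before PHP 8.1 leaves ' untouched);
// ENT_SUBSTITUTE keeps invalid UTF-8 from silently producing an empty
// string, which would hide the user's input instead of echoing it.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_field_safe(string $name, string $value): string
{
    return '<input type="text" name="' . e($name) . '" value="' . e($value) . '">';
}

// Constructed sample input: the payload from the original post, plus
// a value with characters a real user might legitimately type.
$samples = [
    'nickname'  => '\'"<B>',
    'signature' => "O'Brien & Sons <3",
];

foreach ($samples as $field => $value) {
    echo "unsafe: " . render_field_unsafe($field, $value) . "\n";
    echo "safe:   " . render_field_safe($field, $value) . "\n";
}
```

For the nickname sample the safe renderer emits value="&#039;&quot;&lt;B&gt;", which the browser shows in the box as the literal text '"<B> so the user can correct it, while the surrounding page is unaffected.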
MadTechie, posted October 16, 2008
Could be a security risk. Injecting JavaScript or iframes could be hell, and defacing isn't nice. As Orio says: "Just pass the data through htmlentities() before outputting it."
Orio, posted October 16, 2008
Quoting MadTechie: "could be a security risk.. injecting javascript or iframes could be hell.."
How could it be a security risk? If one receives his own input, and no one else is exposed to whatever he had entered, I can't see what harm could be done. Orio.
kmaid (author), posted October 16, 2008
I am probably over careful (or wasteful, depending on your view) in the way that I validate everything to make sure it's the "correct" input and then run the following function just in case.

```php
function libStripInputSlashes() {
    $input_arr = array();
    foreach ($_REQUEST as $key => $input_arr) {
        $_REQUEST[$key] = htmlentities($input_arr);
        $_REQUEST[$key] = mysql_real_escape_string($input_arr);
    }
}
```

However it doesn't appear to be working, as the problem is still present although 's are escaped.
kmaid (author), posted October 16, 2008
Quoting the exchange above:
MadTechie: "could be a security risk.. injecting javascript or iframes could be hell.."
Orio: "How could it be a security risk? If one receives his own input, and no one else is exposed to whatever he had entered, I can't see what harm could be done."
This was my understanding as well; however, I felt I should check. The only one who could be affected by the injected code would be the one injecting it, which seems rather pointless. All the GET fields are validated in a different way and would not be outputted.
MadTechie, posted October 16, 2008
I assume that by account details this includes parts that will be displayed in a user list or something that others may see. Now if something is missed by the error capture then it "could be" a risk. It only takes a small security hole for the site to be exposed, and without knowing all the details it could be a security risk.
kmaid (author), posted October 16, 2008
Ah, I think you have missed where I said the data is not put into the database, rather just flagged as wrong and returned to the user as the values of the edit boxes to allow the user to change the data to be valid. Thank you for your concern though.
MadTechie, posted October 16, 2008

```php
<?php
function libStripInputSlashes() {
    $input_arr = array();
    foreach ($_REQUEST as $key => $input_arr) {
        $_REQUEST[$key] = htmlentities($input_arr); // overwritten by the next line, so it has no effect
        $_REQUEST[$key] = mysql_real_escape_string($input_arr);
    }
}
?>
```

Try this:

```php
<?php
function libStripInputSlashes() {
    $input_arr = array();
    foreach ($_REQUEST as $key => $input_arr) {
        $_REQUEST[$key] = htmlentities($input_arr);
        // escape the already-encoded value, not the raw one
        $_REQUEST[$key] = mysql_real_escape_string($_REQUEST[$key]);
        //--OR
        //$input_arr = htmlentities($input_arr);
        //$_REQUEST[$key] = mysql_real_escape_string($input_arr);
    }
}
?>
```
kmaid (author), posted October 16, 2008
Thank you both, my question is answered and it is no longer an issue!
Andy-H, posted October 16, 2008

```php
function cleanData() {
    if (count($_REQUEST) > 0):
        $_REQUEST = array_map("htmlentities", $_REQUEST);
        $_REQUEST = array_map("mysql_real_escape_string", $_REQUEST);
    endif;
}
```
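Added example, not code from the thread, generalising the two request-escaping loops above (MadTechie's foreach and Andy-H's array_map) to request data that contains nested arrays. Both posted versions assume every element of $_REQUEST is a string; a form field named tags[] or addr[city] arrives as an array, and passing an array to htmlentities() raises a warning on PHP 7 and a TypeError on PHP 8. Function names and the sample request are assumptions for the demonstration; the SQL-escaping step is left out because it needs a live MySQL connection.

```php
<?php
// Added example (not code from the thread). Walks a request array
// recursively so that nested fields (tags[], addr[city]) are escaped
// leaf by leaf instead of being handed whole to htmlentities().

function escape_for_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Returns a copy of $data with every leaf string escaped. String keys
// are escaped too, since templates often echo them back into the form.
function escape_request_tree(array $data): array
{
    $out = [];
    foreach ($data as $key => $value) {
        $safeKey = is_string($key) ? escape_for_html($key) : $key;
        if (is_array($value)) {
            $out[$safeKey] = escape_request_tree($value);
        } elseif (is_string($value)) {
            $out[$safeKey] = escape_for_html($value);
        } else {
            $out[$safeKey] = $value; // ints/null injected by the app itself
        }
    }
    return $out;
}

// Constructed sample request, shaped like PHP's parse of
//   nickname='"<B>&tags[]=<script>&tags[]=ok&addr[city]=Paris
$request = [
    'nickname' => '\'"<B>',
    'tags'     => ['<script>', 'ok'],
    'addr'     => ['city' => 'Paris'],
];

$escaped = escape_request_tree($request);
foreach ($escaped as $name => $value) {
    echo $name, ' => ', json_encode($value, JSON_UNESCAPED_SLASHES), "\n";
}
```

The walk keeps the thread's pattern of rewriting the request array up front. Escaping is cheapest to reason about when it happens once, at the point where a value is written into HTML, so the same helper is just as usable inside the template that re-displays the rejected fields, which also keeps raw values available for whatever later goes into the database.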