
XSS Handling etc...


tinker


Last night I noticed that I could pass scripts to a field and they didn't get sanitised. I do take certain measures generally, but they weren't working for some reason.

 

Here's a bit of a demo...

 

<html><head></head><body>
<?php
// Strip any tags first, then HTML-encode whatever text is left.
function scheck_code($s){
    $s = strip_tags($s);
    return htmlspecialchars($s);
}

$s = "<script>alert('test 1');</script>";

print $s."<br />\n";                // raw: the browser runs the script
print scheck_code($s)."<br />\n";   // sanitised: the tags are stripped, leaving only the text between them

?>
</body></html>

 

I'll post another shortly because my example involves text and textarea form elements and is stored in MySQL.

 

tbh I don't generally use strip_tags, I convert to htmlentities and then apply bbcode parsing I think..

https://forums.phpfreaks.com/topic/205314-xss-handling-etc/
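The demo above pairs strip_tags() with htmlspecialchars(). As an added example (mine, not code from the post), the following shows the approach a defender usually wants instead: leave the text alone and encode it for the HTML context it is written into. The helper names html_escape and js_string are my own, not PHP built-ins, and the second sample string is constructed to show what strip_tags() does to a harmless '<' in ordinary text.

```php
<?php
// Added example (mine, not code from the original post): encode untrusted text
// for the HTML context it is written into, rather than trying to strip markup.
// Helper names (html_escape, js_string) are my own, not PHP built-ins.

// Element content and quoted attribute values: ENT_QUOTES also encodes single
// quotes (the post's form uses single-quoted attributes) and ENT_SUBSTITUTE
// replaces invalid UTF-8 instead of returning an empty string. Always pass the
// charset explicitly so the encoder and the page agree on it.
function html_escape($s) {
    return htmlspecialchars((string) $s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// A value dropped into an inline <script> as a JS string literal: json_encode
// with the HEX flags turns < > & ' " into \uXXXX escapes, so the HTML parser
// cannot see a closing tag inside the literal.
function js_string($s) {
    return json_encode((string) $s,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
        | JSON_UNESCAPED_UNICODE | JSON_INVALID_UTF8_SUBSTITUTE);
}

// Constructed inputs: the post's sample, plus a harmless string in which
// strip_tags() treats "<b" as the start of a tag.
$samples = array(
    "<script>alert('test 1');</script>",
    "5 is a<b if b is 7 & \"quoted\"",
);

header('Content-Type: text/html; charset=UTF-8');
foreach ($samples as $s) {
    // Encoded output never contains a raw '<', so the browser renders text.
    $encoded = html_escape($s);
    if (strpos($encoded, '<') !== false) {
        throw new RuntimeException('encoding failed');
    }
    print "<p>" . $encoded . "</p>\n";
    print "<input type='text' value='" . $encoded . "'>\n";
    print "<script>var title = " . js_string($s) . ";</script>\n";
    // For comparison, the post's strip_tags() step: on the second sample the
    // text from the '<' onward is lost, because it looks like a tag.
    print "<p>strip_tags gives: " . html_escape(strip_tags($s)) . "</p>\n";
}
```

Run it from the command line (php example.php) or under a web server; either way the three rendered forms contain no executable markup, and the last line shows that stripping is lossy on legitimate text where encoding is not.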

okay dokey, better example time...

There's a little bloat for managing the db.

 

Whilst looking through the strip_tags docs I came across the strip_tags_content() function, as seen being used when outputting.

 

<html><head></head><body>
<?php
// NB: the mysql_* extension used here is the legacy one (removed in PHP 7).

$host = 'localhost';
$user = 'user';
$pass = 'pass';
$db = 'db';

$conn = mysql_connect($host, $user, $pass) or die(mysql_error());
mysql_select_db($db, $conn) or die(mysql_error());

//	INSTALL: (re)create the table and seed it with a row containing raw markup
$install=1;
if($install){
    $s = "DROP TABLE test_store";
    mysql_query($s, $conn);

    $s = "CREATE TABLE test_store (id int not null primary key auto_increment, title varchar(128), blog text )";
    if(mysql_query($s, $conn)){ print "creation success<br /><br />"; }
    else{ print "creation failed<br /><br />"; }

    // the seed row holds unencoded <b> and <script> tags
    $s = "INSERT INTO test_store VALUES('1', '<b>myTitle <script>alert(\'tit<>led\');</script></b>','<b>Blog <script>alert(\'blogged\');</script> blog blog</b>')";
    if(mysql_query($s, $conn)){ print "insert success<br /><br />"; }
    else{ print "insert failed<br /><br />"; }
}


$title="";
$blog="";

// applied before storing: HTML-encode only (the strip_tags step is commented out)
function scheck_code($s){
    //$s = strip_tags($s);
    return htmlspecialchars($s);
}
// applied when outputting: strip tags, then decode entities.
// Note the order: on a value that scheck_code() has already encoded,
// strip_tags() finds no '<' to act on, and the decode then restores the
// original markup.
function scheck_code_d($s){
    $s=strip_tags($s);
    return htmlspecialchars_decode($s,ENT_QUOTES);
}

//	php.net functions
//		see... http://uk3.php.net/manual/en/function.strip-tags.php

// remove only the named tags (opening and closing), leaving their content in place
function strip_only($str, $tags) {
    if(!is_array($tags)) {
        // accept a '<a><b>' style list as well as a bare tag name
        // (the php.net version tests $str here instead of $tags)
        $tags = (strpos($tags, '>') !== false ? explode('>', str_replace('<', '', $tags)) : array($tags));
        if(end($tags) == '') array_pop($tags);
    }
    foreach($tags as $tag) $str = preg_replace('#</?'.$tag.'[^>]*>#is', '', $str);
    return $str;
}

// remove tags *and* their content; $tags is a '<script><style>' style list
// of tags to keep ($invert = FALSE) or of tags to remove ($invert = TRUE)
function strip_tags_content($text, $tags = '', $invert = FALSE) {

    preg_match_all('/<(.+?)[\s]*\/?[\s]*>/si', trim($tags), $tags);
    $tags = array_unique($tags[1]);

    if(is_array($tags) AND count($tags) > 0) {
        if($invert == FALSE) {
            return preg_replace('@<(?!(?:'. implode('|', $tags) .')\b)(\w+)\b.*?>.*?</\1>@si', '', $text);
        }
        else {
            return preg_replace('@<('. implode('|', $tags) .')\b.*?>.*?</\1>@si', '', $text);
        }
    }
    elseif($invert == FALSE) {
        return preg_replace('@<(\w+)\b.*?>.*?</\1>@si', '', $text);
    }
    return $text;
}

//	end php.net functions


//	UPDATE DATA: escape for SQL, then HTML-encode; the encoded form is what gets stored
if(isset($_POST['submit'])){
    $title=$_POST['title'];
    $blog=$_POST['blog'];

    $title=mysql_real_escape_string($title);
    $blog=mysql_real_escape_string($blog);

    $title=scheck_code($title);
    $blog=scheck_code($blog);

    $s = "UPDATE test_store SET title = '".$title."', blog='".$blog."' WHERE id = 1";
    if(mysql_query($s, $conn)){ print "update success<br>"; }
    else{ print "update failed<br>"; }
}

//	RETRIEVE DATA
$s = "SELECT * FROM test_store WHERE id = 1";
$res = mysql_query($s, $conn) or die(mysql_error());
if(mysql_num_rows($res)==1){
    while($a = mysql_fetch_array($res)){
        $title=$a['title'];
        $blog=$a['blog'];
    }
}

// output the stored title three ways for comparison
print "<br />\n";
print "<b>TITLE:</b> ".scheck_code_d($title)."<br />\n";
print "<b>TITLE:</b> ".strip_only($title,array('script'))."<br />\n";
print "<b>TITLE:</b> ".strip_tags_content($title,'<script>',true)."<br />\n";
print "<b>BLOG:</b> ".scheck_code_d($blog)."<br />\n";
print "<br /><br />\n";

// edit form: the title is re-encoded for the value attribute,
// the blog is echoed into the textarea exactly as stored
print "<br />\n
<form method='POST' action=''><table>
<tr valign='top'><td align='right'>Title</td><td><input type='text' name='title' size='32' value='".htmlentities($title,ENT_QUOTES)."'></td></tr>
<tr valign='top'><td align='right'>Blog</td><td><textarea name='blog' rows='7' cols='32'>".$blog."</textarea></td></tr>
<tr valign='top'><td align='right'></td><td><input type='submit' name='submit' value=''></td></tr>
</table></form><br />";

?>
</body></html>

 

Is this function up to scratch?

 

What else should be checked for, for instance:

// unwrap <![CDATA[ ... ]]> sections, keeping the text inside them
function strip_cdata($string)
{
    preg_match_all('/<!\[cdata\[(.*?)\]\]>/is', $string, $matches);
    return str_replace($matches[0], $matches[1], $string);
}

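The post's store-and-redisplay flow, reworked as an added example (mine, not the poster's code) to show where the escaping belongs: values are bound through a prepared statement instead of mysql_real_escape_string(), stored exactly as submitted, and HTML-encoded only when written into the page. It also runs the post's strip-then-decode order against what scheck_code() would have stored, and shows that the CDATA marker asked about needs no separate handling once '<' is encoded. An in-memory SQLite database stands in for the MySQL table so the script runs without a server (assumption: the pdo_sqlite extension is loaded); the helper names and the sample row are my own.

```php
<?php
// Added example (mine, not the poster's code). Assumes the pdo_sqlite
// extension; SQLite stands in for the post's MySQL table. Helper names
// (html_escape, check, strip_then_decode) are my own, not PHP built-ins.

function html_escape($s) {
    return htmlspecialchars((string) $s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Throwing check so the script fails loudly even with assertions disabled.
function check($cond, $msg) {
    if (!$cond) { throw new RuntimeException($msg); }
}

// What scheck_code_d() in the post does to a value that was HTML-encoded
// before it was stored: strip_tags() finds no '<' in "&lt;script&gt;" and
// removes nothing, then the decode step turns the entities back into markup.
function strip_then_decode($stored) {
    return htmlspecialchars_decode(strip_tags($stored), ENT_QUOTES);
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE test_store (id INTEGER PRIMARY KEY, title TEXT, blog TEXT)');

// Constructed form input, modelled on the post's sample row.
$title = "<b>myTitle <script>alert('titled');</script></b>";
$blog  = "<![CDATA[ x ]]> Blog <script>alert('blogged');</script> it's \"quoted\"";

// Store the raw text. The driver sends the values separately from the SQL,
// so quotes and backslashes in them cannot change the statement, and no
// HTML encoding happens at this stage.
$ins = $pdo->prepare('INSERT INTO test_store (id, title, blog) VALUES (1, :title, :blog)');
$ins->execute(array(':title' => $title, ':blog' => $blog));

$row = $pdo->query('SELECT title, blog FROM test_store WHERE id = 1')
           ->fetch(PDO::FETCH_ASSOC);
check($row['blog'] === $blog, 'stored text should round-trip unchanged');

// Output: encode for each HTML context. A <textarea> body is ordinary text
// content, so it is encoded the same way as the <b> line and the value=''.
print "<b>TITLE:</b> " . html_escape($row['title']) . "<br />\n";
print "<input type='text' name='title' value='" . html_escape($row['title']) . "'>\n";
print "<textarea name='blog'>" . html_escape($row['blog']) . "</textarea>\n";

// No rendered value contains a raw '<', so neither the <script> nor the
// "<![CDATA[" sequence reaches the parser as markup; in text/html that
// sequence is only a bogus comment anyway.
check(strpos(html_escape($row['blog']), '<') === false, 'output must be encoded');

// The post's ordering, applied to what it would have stored: markup survives.
$leaky = strip_then_decode(html_escape($blog));
check(strpos($leaky, '<script>') !== false, 'strip-then-decode restores the tag');

// Decoding first and stripping second does remove the tags, but it is lossy
// (ordinary "a<b" text loses everything after the '<'); encoding on output
// keeps the text intact and is the control that actually prevents XSS.
$stripped = strip_tags(htmlspecialchars_decode(html_escape($blog), ENT_QUOTES));
check(strpos($stripped, '<script>') === false, 'decode-then-strip removes the tag');
print "<p>done</p>\n";
```

With the value stored raw there is only one place to get the encoding right, the output line for each context, and the bbcode parsing mentioned in the first post can run on the decoded text before that final encode.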
