XSS Handling etc...


tinker

Last night I noticed that I could pass scripts to a field and they didn't get sanitised. I do take certain measures generally, but they weren't working for some reason.

 

Here's a bit of a demo...

 

<html><head></head><body>
<?php
// Strip every tag, then encode whatever special characters remain.
function scheck_code($s) {
    $s = strip_tags($s);
    return htmlspecialchars($s);
}

$s = "<script>alert('test 1');</script>";

print $s."<br />\n";               // printed raw: the browser runs the script
print scheck_code($s)."<br />\n";  // the tags are gone, only alert('test 1'); remains
?>
</body></html>

 

I'll post another shortly because my example involves text and textarea form elements and is stored in MySQL.

 

TBH I don't generally use strip_tags; I convert to htmlentities and then apply BBCode parsing, I think...


Okay dokey, better example time...

There's a little bloat for managing the DB.

 

Whilst looking through the strip_tags docs I came across the strip_tags_content() function, as seen being used when outputting.

 

<html><head></head><body>
<?php

$host = 'localhost';
$user = 'user';
$pass = 'pass';
$db   = 'db';

// mysqli procedural API; the connection handle is passed to every query below.
$conn = mysqli_connect($host, $user, $pass, $db) or die(mysqli_connect_error());

//	INSTALL: (re)create the table and seed it with a title and a blog entry
//	that both carry a script tag, so the output handling can be checked.
$install = 1;
if ($install) {
    $s = "DROP TABLE test_store";
    mysqli_query($conn, $s);

    $s = "CREATE TABLE test_store (id int not null primary key auto_increment, title varchar(128), blog text )";
    if (mysqli_query($conn, $s)) { print "creation success<br /><br />"; }
    else                         { print "creation failed<br /><br />"; }

    $s = "INSERT INTO test_store VALUES('1', '<b>myTitle <script>alert(\'tit<>led\');</script></b>','<b>Blog <script>alert(\'blogged\');</script> blog blog</b>')";
    if (mysqli_query($conn, $s)) { print "insert success<br /><br />"; }
    else                         { print "insert failed<br /><br />"; }
}


$title = "";
$blog  = "";

// Applied on the way in: special characters become entities (tags are kept, encoded).
function scheck_code($s) {
    //$s = strip_tags($s);
    return htmlspecialchars($s);
}
// Applied on the way out: strips any raw tags, then turns entities back into raw
// characters, so a <script> that scheck_code() encoded on save comes back as markup.
function scheck_code_d($s) {
    $s = strip_tags($s);
    return htmlspecialchars_decode($s, ENT_QUOTES);
}

//	php.net functions
//		see... http://uk3.php.net/manual/en/function.strip-tags.php

// Remove only the named tags (opening and closing), leaving their content in place.
function strip_only($str, $tags) {
    if (!is_array($tags)) {
        // accept a "<a><b>" style list as well as a single tag name
        $tags = (strpos($tags, '>') !== false ? explode('>', str_replace('<', '', $tags)) : array($tags));
        if (end($tags) == '') array_pop($tags);
    }
    foreach ($tags as $tag) $str = preg_replace('#</?'.$tag.'[^>]*>#is', '', $str);
    return $str;
}

// Remove tags together with their content; $tags lists the tags to keep,
// or the tags to remove when $invert is true.
function strip_tags_content($text, $tags = '', $invert = FALSE) {

    preg_match_all('/<(.+?)[\s]*\/?[\s]*>/si', trim($tags), $tags);
    $tags = array_unique($tags[1]);

    if (is_array($tags) AND count($tags) > 0) {
        if ($invert == FALSE) {
            return preg_replace('@<(?!(?:'. implode('|', $tags) .')\b)(\w+)\b.*?>.*?</\1>@si', '', $text);
        }
        else {
            return preg_replace('@<('. implode('|', $tags) .')\b.*?>.*?</\1>@si', '', $text);
        }
    }
    elseif ($invert == FALSE) {
        return preg_replace('@<(\w+)\b.*?>.*?</\1>@si', '', $text);
    }
    return $text;
}

//	end php.net functions


//	UPDATE DATA: SQL-escape first, then HTML-encode, then store
if (isset($_POST['submit'])) {
    $title = $_POST['title'];
    $blog  = $_POST['blog'];

    $title = mysqli_real_escape_string($conn, $title);
    $blog  = mysqli_real_escape_string($conn, $blog);

    $title = scheck_code($title);
    $blog  = scheck_code($blog);

    $s = "UPDATE test_store SET title = '".$title."', blog='".$blog."' WHERE id = 1";
    if (mysqli_query($conn, $s)) { print "update success<br>"; }
    else                         { print "update failed<br>"; }
}

//	RETRIEVE DATA
$s = "SELECT * FROM test_store WHERE id = 1";
$res = mysqli_query($conn, $s) or die(mysqli_error($conn));
if (mysqli_num_rows($res) == 1) {
    while ($a = mysqli_fetch_array($res)) {
        $title = $a['title'];
        $blog  = $a['blog'];
    }
}

// The same stored title through each of the three strippers, then the blog.
print "<br />\n";
print "<b>TITLE:</b> ".scheck_code_d($title)."<br />\n";
print "<b>TITLE:</b> ".strip_only($title, array('script'))."<br />\n";
print "<b>TITLE:</b> ".strip_tags_content($title, '<script>', true)."<br />\n";
print "<b>BLOG:</b> ".scheck_code_d($blog)."<br />\n";
print "<br /><br />\n";

// Edit form: the attribute value is entity-encoded, the textarea gets the stored value as is.
print "<br />\n
<form method='POST' action=''><table>
<tr valign='top'><td align='right'>Title</td><td><input type='text' name='title' size='32' value='".htmlentities($title, ENT_QUOTES)."'></td></tr>
<tr valign='top'><td align='right'>Blog</td><td><textarea name='blog' rows='7' cols='32'>".$blog."</textarea></td></tr>
<tr valign='top'><td align='right'></td><td><input type='submit' name='submit' value=''></td></tr>
</table></form><br />";

?>
</body></html>

 

Is this function up to scratch?

 

What else should be checked for? For instance:

// Unwrap CDATA sections, keeping their inner text.
function strip_cdata($string)
{
    preg_match_all('/<!\[cdata\[(.*?)\]\]>/is', $string, $matches);
    return str_replace($matches[0], $matches[1], $string);
}

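As an added example (not the poster's code), this stand-alone script traces the path used across both posts, htmlspecialchars() on save and a strip_tags() plus htmlspecialchars_decode() step on output like scheck_code_d(), against an input of the same shape as the seeded title, and sets it beside encoding once at the point of output. The function names and the sample string are constructed here; no database is involved.

```php
<?php
// Added example, not the poster's code. Compares "encode on save, decode on
// output" with encoding once at output. Names and sample input are constructed.

// Constructed input, the same shape as the seeded title in the second post.
$input = "<b>myTitle <script>alert('titled');</script></b>";

// On save, as in scheck_code(): tags are kept but encoded as entities.
// (The SQL escaping step is left out: MySQL strips those backslashes on INSERT,
//  so the value fetched back is exactly the htmlspecialchars() output.)
function save_encoded($s) {
    return htmlspecialchars($s);            // default flags, single quotes untouched
}

// On output, as in scheck_code_d(): strip_tags() finds no raw tags in an
// entity-encoded string, so the decode that follows rebuilds the raw <script>
// element and hands it to the browser.
function output_decoded($s) {
    $s = strip_tags($s);
    return htmlspecialchars_decode($s, ENT_QUOTES);
}

// Hardened form: keep the stored value as it is and encode once, at output,
// for an HTML body context, with both quote styles covered and the charset fixed.
function output_encoded($s) {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// A check a reviewer can run over any rendered fragment: is a raw tag left?
// The decoded path leaves one; the encoded path leaves none.
function contains_raw_tag($html) {
    return preg_match('/<\/?[a-z]/i', $html) === 1;
}

$stored = save_encoded($input);
$weak   = output_decoded($stored);
$safe   = output_encoded($input);

print "stored: $stored\n";
print "weak  : $weak\n";    // the <script> element is back in raw form
print "safe  : $safe\n";    // every <, >, ' and " is an entity
var_dump(contains_raw_tag($weak));
var_dump(contains_raw_tag($safe));
```

The same rule carries over to the form at the end of the post: the value attribute and the textarea body each need their own encoding at output, never a decode of what was stored.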
