lovephp Posted January 31, 2017

Hey ya guys, first of all a very happy new year to all. OK, my following code is prone to XSS; how could this be prevented?

<?php
function updateDataArray($value) {
    if (preg_match("#[a-z]#i", $value)) {
        return str_replace("-", " ", $value);
    }
    return $value;
}

if (!empty($_GET)) {
    echo '<br/>';
    foreach ($_GET as $key => $value) {
        $key = str_replace('_', ' ', $key);
        // ucstring() is the poster's own helper (capitalizes the first word); it is not defined in this post.
        // Both $key and $value come straight from the query string and are echoed into HTML unescaped.
        echo '<small><b>' . ucstring($key) . ':</b> ' . ucstring(updateDataArray($value)) . ', </small>';
    }
    echo '<br/>';
}
?>
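The same loop with every client-controlled string escaped on output, as an added example that is not lovephp's code from the thread. The esc() helper, the ucfirst()-based stand-in for the poster's ucstring(), and the $sample array are assumptions made for this example; a real page would pass $_GET straight to renderQuery().

```php
<?php
// Added example: output-escaped rewrite of the $_GET echo loop from the question.
declare(strict_types=1);

function esc(string $raw, string $encoding = 'UTF-8'): string
{
    // ENT_QUOTES escapes both " and ' so the result is safe in text nodes and in
    // either attribute quoting style; ENT_SUBSTITUTE replaces invalid byte
    // sequences instead of silently returning an empty string.
    return htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, $encoding);
}

function updateDataArray(string $value): string
{
    if (preg_match('#[a-z]#i', $value)) {
        return str_replace('-', ' ', $value);
    }
    return $value;
}

// Stand-in for lovephp's ucstring(): capitalize the first character.
function ucstring(string $s): string
{
    return ucfirst($s);
}

function renderQuery(array $params): string
{
    if ($params === []) {
        return '';
    }
    $html = '<br/>';
    foreach ($params as $key => $value) {
        // Skip nested parameters such as ?a[]=1; this example only renders scalars.
        if (!is_scalar($value)) {
            continue;
        }
        // Keys are attacker-controlled too, so they are escaped exactly like values.
        $key = str_replace('_', ' ', (string) $key);
        $html .= '<small><b>' . esc(ucstring($key)) . ':</b> '
               . esc(ucstring(updateDataArray((string) $value))) . ', </small>';
    }
    return $html . '<br/>';
}

// Declare the encoding the escaper assumes, so the browser decodes the bytes the same way.
if (!headers_sent()) {
    header('Content-Type: text/html; charset=UTF-8');
}

// Constructed sample input standing in for $_GET when run from the command line.
$sample = ['first_name' => 'alice-smith', 'note' => '<script>alert(1)</script>'];
echo renderQuery(PHP_SAPI === 'cli' ? $sample : $_GET), PHP_EOL;
```

Run from the CLI, the "note" value is emitted as `&lt;script&gt;alert(1)&lt;/script&gt;`, which the browser renders as literal text rather than executing; the escaping is applied in one place on output, so a new parameter added later gets the same treatment without anyone remembering to call htmlspecialchars() for it.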
lovephp Posted January 31, 2017 (Author)

Or is this a better solution?

<IfModule mod_rewrite.c>
    RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
    RewriteRule .* index.php [F,L]
</IfModule>
lovephp Posted January 31, 2017 (Author) (edited)

> Depends what "ucstring" does.
>
> htmlspecialchars. Make sure your pages are using the same encoding as PHP's default_charset (or vice versa) and you can
>
>     htmlspecialchars($key)
>     htmlspecialchars(updateDataArray($value))
>
> If you were outputting into a '-quoted attribute or similar then you'd need to include the ENT_QUOTES flag. But you're not.

Ah, ucstring is a function to capitalize the first word. Thanks requinix, solved my problem, appreciate it. Oh, and yes, I also use

function noHTML($input, $encoding = 'UTF-8') {
    return htmlentities($input, ENT_QUOTES | ENT_HTML5, $encoding);
}

on most of the places. I will keep your advice in mind.

Edited January 31, 2017 by lovephp
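The ENT_QUOTES point in the quoted reply is easiest to see side by side, so here is an added example (not code from the thread or from requinix) that runs the same input through htmlspecialchars() with and without ENT_QUOTES and places the result in a text node and in a single-quoted attribute. The escapeText()/escapeAttr() names and the constructed $input string are assumptions for this example.

```php
<?php
// Added example: the escaping flags must match the HTML context the value lands in.
declare(strict_types=1);

// Constructed input containing a single quote followed by something that looks
// like a second attribute. In a text node it is harmless; inside a '-quoted
// attribute the quote ends the value early unless it is escaped.
$input = "x' title='injected";

function escapeText(string $raw): string
{
    // ENT_COMPAT: only double quotes are converted (the pre-8.1 PHP default).
    return htmlspecialchars($raw, ENT_COMPAT | ENT_SUBSTITUTE, 'UTF-8');
}

function escapeAttr(string $raw): string
{
    // ENT_QUOTES: both " and ' are converted, so the value cannot close
    // either attribute quoting style.
    return htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render(string $raw): array
{
    return [
        // <p>x' title='injected</p>: fine, a quote means nothing in a text node
        'text_node'   => '<p>' . escapeText($raw) . '</p>',
        // <input value='x' title='injected'>: the attribute is terminated and
        // a new one is injected; the "escaped" output is still broken
        'attr_compat' => "<input value='" . escapeText($raw) . "'>",
        // <input value='x&#039; title=&#039;injected'>: the whole string stays
        // inside the value
        'attr_quotes' => "<input value='" . escapeAttr($raw) . "'>",
    ];
}

foreach (render($input) as $context => $html) {
    printf("%-12s %s\n", $context, $html);
}
```

Because it is hard to guarantee that a value will never end up inside a single-quoted attribute as a template evolves, the practical rule is to always pass ENT_QUOTES (as Jacques1's html_escape() below does) rather than to reason per call site about which quote style is in use.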
Jacques1 Posted January 31, 2017

Forget about trying to apply handcrafted procedures to individual PHP fragments. requinix really loves to do this, but it's disastrous for security. You need systematic protection for your entire site. Modern template engines like Twig support automatic escaping of all HTML input, which is far more realistic than doing it by hand.

If, for some strange reason, you have to use oldschool PHP, write your own escape function and manually apply it to all dynamic input, not only when you feel like it:

<?php
function html_escape($raw_input, $encoding) {
    return htmlspecialchars($raw_input, ENT_QUOTES | ENT_SUBSTITUTE, $encoding);
}

Make sure the HTML document is delivered with an explicit character encoding, and use Content Security Policy as an additional layer of protection. CSP tells the browser which scripts are legitimate and which scripts should be blocked.

A complete example:

<?php
require_once '/path/to/functions.php';

// you may set those headers with your web server rather than with PHP
header('Content-Type: text/html;charset=UTF-8');
header("Content-Security-Policy: default-src 'none'");

$input = '<script>alert("XSS");</script>';
?>
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="utf-8"> <!-- also declare the encoding within the document itself -->
    <title>Title</title>
</head>
<body>
    <!-- escape all input, regardless of whether you think it's safe or not -->
    <p><?= html_escape($input, 'UTF-8') ?></p>

    <!-- testing CSP: this will be blocked in modern browsers -->
    <script>alert("XSS");</script>
</body>
</html>
Jacques1 Posted January 31, 2017

By the way, you really need to stop believing any random guy who tells you that your site is "secure" now. There's a difference between being able to make an error message go away and actually understanding the problem.