Jump to content

Recommended Posts

hey ya guys, first of all a very happy new year to all.

 

ok my following code is prone to XSS how could this be prevented?

 

<?php
function updateDataArray($value)
{
 if(preg_match("#[a-z]#i", $value))
    {
        return str_replace("-", " ", $value);
    }
    return $value;
}
if(!empty($_GET)){
echo '<br/>';
foreach ($_GET as $key => $value) {
$key = str_replace('_', ' ', $key);
echo '<small><b>'.ucstring($key). ':</b> ' .ucstring(updateDataArray($value)). ', </small>';
}
echo '<br/>';
}
?>

 

 

Link to comment
https://forums.phpfreaks.com/topic/303067-how-to-prevent-xss-on-this/
Share on other sites

or is this a better solution

 

 

<IfModule mod_rewrite.c>
    RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
    RewriteRule .* index.php [F,L]
</IfModule>

Depends what "ucstring" does ;)

 

htmlspecialchars. Make sure your pages are using the same encoding as PHP's default_charset (or vice versa) and you can

htmlspecialchars($key)
htmlspecialchars(updateDataArray($value))
If you were outputting into a '-quoted attribute or similar then you'd need to include the ENT_QUOTES flag. But you're not.

 

Ah :) ucstring  is a function to Capitalize the first word. thanks requinix solved my problem appreciate it.

 

oh and yes i also use

 

function noHTML($input, $encoding = 'UTF-8')
{
    return htmlentities($input, ENT_QUOTES | ENT_HTML5, $encoding);
}

 

on most of the places, i will keep your advice in mind.

Edited by lovephp

Forget about trying to apply handcrafted procedures to individual PHP fragments. requinix really loves to do this, but it's disastrous for security.

 

You need systematic protection for your entire site. Modern template engines like Twig support automatic escaping of all HTML input which is far more realistic than doing it by hand. If, for some strange reason, you have to use oldschool PHP, write your own escape function and manually apply to it all dynamic input, not only when you feel like it:

<?php

function html_escape($raw_input, $encoding)
{
    return htmlspecialchars($raw_input, ENT_QUOTES | ENT_SUBSTITUTE, $encoding);
}

Make sure the HTML document is delivered with an explicit character encoding, and use Content Security Policy as an additional layer of protection. CSP tells the browser which scripts are legitimate and which scripts should be blocked.

 

A complete example:

<?php

require_once '/path/to/functions.php';



// you may set those headers with your web server rather than with PHP
header('Content-Type: text/html;charset=utf8');
header("Content-Security-Policy: default-src 'none'");

$input = '<script>alert("XSS");</script>';

?>
<!DOCTYPE html>
<html lang="en">
    <head>
        <meta charset="utf-8">    <!-- also declare the encoding within the document itself -->
        <title>Title</title>
    </head>
    <body>
        <!-- escape all input, regardless of whether you think it's safe or not -->
        <p><?= html_escape($input, 'UTF-8') ?></p>

        <!-- testing CSP: this will be blocked in modern browsers -->
        <script>alert("XSS");</script>
    </body>
</html>

  • Like 1
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.