Vulnerability Development mailing list archives

CROSS SITE-SCRIPTING Protection with PHP


From: Astalavista Baby <info () astalavista com>
Date: 10 Oct 2002 23:41:34 -0000



Dear Vuln-Dev@,

I am searching for a robust and easy way to protect all PHP sites
against XSS attacks. I would like to see more and better ways?!

My idea (I think this is not safe enough?):

// Encode HTML special characters and strip selected URL-encoded sequences.
function make_clean($value) {
  $value = htmlspecialchars($value);
  $value = str_replace("%2B", "", $value);
  // .... more ..
  return $value;
}

// Run every request variable through make_clean() and import it into
// the current scope under its own key name.
if (!empty($_GET)) {
  foreach ($_GET as $key => $value) {
    $$key = make_clean($value);
  }
}
if (!empty($_POST)) {
  foreach ($_POST as $key => $value) {
    $$key = make_clean($value);
  }
}
if (!empty($_SESSION)) {
  foreach ($_SESSION as $key => $value) {
    $$key = make_clean($value);
  }
}
if (!empty($_COOKIE)) {
  foreach ($_COOKIE as $key => $value) {
    $$key = make_clean($value);
  }
}


/IV/N
http://www.astalavista.net/
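
An added example, not part of the original post or the poster's code: escaping at output time, once per output context (HTML text and attributes, URL parameter, inline script), with fields read by name rather than imported as variables. The helper names input, esc_html, esc_url_param and esc_js are hypothetical, the request array is constructed sample data, and PHP 7.3 or later is assumed.

```php
<?php
// Added example. Helper names (input, esc_html, esc_url_param, esc_js)
// are hypothetical; assumes PHP 7.3 or later.

function input(array $source, string $key, string $default = ''): string {
    // Read one named field; request keys are never imported as variables.
    $v = $source[$key] ?? $default;
    return is_string($v) ? $v : $default;  // array input (?q[]=x) is rejected
}

function esc_html(string $s): string {
    // Text nodes and quoted attribute values; ENT_QUOTES also encodes '.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function esc_url_param(string $s): string {
    // One query-string component.
    return rawurlencode($s);
}

function esc_js($v): string {
    // Literal inside a <script> block: the HEX flags emit <, >, &, ' and "
    // as \uXXXX so the value cannot end the string or the script element.
    return json_encode($v, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS
        | JSON_HEX_QUOT | JSON_THROW_ON_ERROR);
}

// Constructed sample request, standing in for $_GET.
$request = ['q' => "'\"></script><b>&", 'page' => ['not', 'a', 'string']];
$q    = input($request, 'q');
$page = input($request, 'page', '1');  // falls back to '1'

echo '<p>Results for ', esc_html($q), ", page ", esc_html($page), "</p>\n";
echo "<input name='q' value='", esc_html($q), "'>\n";
echo '<a href="/search?q=', esc_url_param($q), '">permalink</a>', "\n";
echo '<script>var q = ', esc_js($q), ";</script>\n";
```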

