Re: CROSS SITE-SCRIPTING Protection with PHP

[Valdis.Kletnieks () vt edu]

On Thu, 10 Oct 2002 23:41:34 -0000, Astalavista Baby <info () astalavista com>  said:
> like to see more and better ways ?!
>
> My idea: ( I think this is not safe enough?)
>
> function make_clean($value){
>   $value = htmlspecialchars($value) 
>   $value = str_replace("%2B", "", $value);
>   .... more ..
>   return $value;
> }

Wrong.

You're filtering "known illegal" out, rather than refusing to pass only
probably legal characters through.  You can enumerate %2B, ... more ...
and you're still totally screwed to the wall if you missed one (and remember
that all the Unicode exploits are basically "missed one").  Worse yet,
you're screwed to the wall if you have a complete list, but at a later date
somebody finds  a new and creative way to use a character (did you know that
some Unix shells treat the ^ caret as equivalent to | pipe? ;)

I don't do PHP, but the pseudocode *should* be:

function make_clean($value) {
    legalchars = "[a-z][A-Z][0-9] "; // allow letters number space only
    for each char in $value
       if char not in legalchars
       then char=' ';  // bogus char? Make it a blank
    end for;
}

Somebody finds a way to use doublequote to inject bad data?  Somebody finds
a way to use asterisks or %2B?  No problem - they weren't in my legalchars
list to start with.

Remember - don't filter known bad chars.  Filter *everything* *but* known good.
-- 
                                Valdis Kletnieks
                                Computer Systems Senior Engineer
                                Virginia Tech

Attachment: _bin
Description: