Vulnerability Development mailing list archives
RE: CROSS SITE-SCRIPTING Protection with PHP
From: Chris Field <chris () tux dogoodsoft org>
Date: 12 Oct 2002 10:32:54 -0400
/**
 * @desc Takes a string and removes illegal characters
 * @param dirtyString string
 * @return string
 */
function makeClean($dirtyString)
{
    $cleanString = '';                    // holds string to return
    $stringLength = strlen($dirtyString); // holds length of the string

    for ($counter = 0; $counter < $stringLength; $counter++) {
        // keep letters and digits only; anything else becomes a space
        if (($dirtyString[$counter] >= 'a' && $dirtyString[$counter] <= 'z')
            || ($dirtyString[$counter] >= 'A' && $dirtyString[$counter] <= 'Z')
            || is_numeric($dirtyString[$counter])) {
            $cleanString .= $dirtyString[$counter];
        } else {
            $cleanString .= ' ';
        }
    }

    return $cleanString;
}

On Sat, 2002-10-12 at 10:04, Rob Shein wrote:
Valdis wrote:

You're filtering "known illegal" out, rather than refusing to pass only probably legal characters through. You can enumerate %2B, ... more ... and you're still totally screwed to the wall if you missed one (and remember that all the Unicode exploits are basically "missed one"). Worse yet, you're screwed to the wall if you have a complete list, but at a later date somebody finds a new and creative way to use a character (did you know that some Unix shells treat the ^ caret as equivalent to | pipe? ;)

I don't do PHP, but the pseudocode *should* be:

    function make_clean($value) {
        legalchars = "[a-z][A-Z][0-9] ";   // allow letters, numbers, space only
        for each char in $value
            if char not in legalchars then char = ' ';   // bogus char? Make it a blank
        end for;
    }

Somebody finds a way to use doublequote to inject bad data? Somebody finds a way to use asterisks or %2B? No problem - they weren't in my legalchars list to start with.

Remember - don't filter known bad chars. Filter *everything* *but* known good.

--

Ok, I'm no PHP guru, but I'd sure like to see this coded in PHP. Anyone take a stab at it yet?
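The following is an added example and is not part of any post in this thread. It puts a deny-list filter (the approach Valdis argues against) next to an allow-list filter that behaves like makeClean() above, runs both over constructed inputs, and shows what an allow-list this strict costs on ordinary text. The function names (cleanDenyList, cleanAllowList, encodeForHtml) and the sample strings are this example's own choices, not anything from the thread.

```php
<?php
// Added example, not from the original posts. Function names and sample
// inputs are this example's own.

// Deny-list: remove a handful of "known bad" tokens. Each entry is a guess
// about what an attacker will send; the samples below show two misses.
function cleanDenyList(string $dirty): string
{
    $bad = ['<script', '</script>', 'javascript:', '"', "'"];
    return str_ireplace($bad, '', $dirty);
}

// Allow-list: keep letters, digits and spaces, turn every other byte into a
// space. Same result as makeClean() above, written as a single regex so there
// is no per-character loop to get wrong. It works on bytes, so a multi-byte
// UTF-8 character such as "é" becomes two spaces.
function cleanAllowList(string $dirty): string
{
    return preg_replace('/[^A-Za-z0-9 ]/', ' ', $dirty);
}

// Output encoding: for free text that must keep its punctuation, the usual
// alternative is to leave the data alone and encode it for the context it is
// written into. For an HTML text node or a quoted attribute value that is
// htmlspecialchars() with ENT_QUOTES.
function encodeForHtml(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Constructed inputs: two XSS payloads and one innocent value.
$samples = [
    '<img src=x onerror=alert(1)>',       // no <script>, no quotes, no javascript:
    '<scr<scriptipt>alert(1)</script>',   // stripping "<script" once rebuilds the tag
    "O'Brien & Sons",                      // legitimate text
];

foreach ($samples as $s) {
    printf("input  : %s\n", $s);
    printf("deny   : %s\n", cleanDenyList($s));   // first two payloads survive
    printf("allow  : %s\n", cleanAllowList($s));  // payloads neutralised, name mangled
    printf("encode : %s\n\n", encodeForHtml($s)); // everything kept, nothing executes
}
```

Run with `php filename.php`. The first payload passes the deny-list untouched because it uses none of the listed tokens, and the second comes out as `<script>alert(1)` because removing `<script` from the middle of the string rebuilds the tag around it. The allow-list turns both into harmless words, but also turns "O'Brien & Sons" into "O Brien   Sons", so a filter this strict suits usernames, identifiers and numeric fields rather than free text; for free text the safer habit is to store it as entered and encode it on output for the context it lands in.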
Current thread:
- Re: CROSS SITE-SCRIPTING Protection with PHP Sverre H. Huseby (Oct 14)
- Re: CROSS SITE-SCRIPTING Protection with PHP Valdis . Kletnieks (Oct 14)
- RE: CROSS SITE-SCRIPTING Protection with PHP Chris Field (Oct 12)
- Re: CROSS SITE-SCRIPTING Protection with PHP RoMaNSoFt (Oct 12)
- RE: CROSS SITE-SCRIPTING Protection with PHP Rohan Amin (Oct 12)
- Re: CROSS SITE-SCRIPTING Protection with PHP Astalavista.NET Baby! (Oct 14)
- Re: CROSS SITE-SCRIPTING Protection with PHP Dan Kaminsky (Oct 15)
- Re: CROSS SITE-SCRIPTING Protection with PHP Sverre H. Huseby (Oct 16)