Vulnerability Development mailing list archives

RE: CROSS SITE-SCRIPTING Protection with PHP


From: Chris Field <chris () tux dogoodsoft org>
Date: 12 Oct 2002 10:32:54 -0400

/**
 * @desc Takes a string and removes illegal characters
 * @param dirtyString string
 * @return string
 */
function makeClean($dirtyString)
{
        $cleanString='';                    // holds string to return
        $stringLength=strlen($dirtyString); // holds length of the string

        for($counter=0;$counter<$stringLength;$counter++)
        {
                // allow-list check: keep only ASCII letters and digits,
                // every other byte is replaced with a space
                if( ($dirtyString[$counter]>='a' && $dirtyString[$counter]<='z') ||
                    ($dirtyString[$counter]>='A' && $dirtyString[$counter]<='Z') ||
                    (is_numeric($dirtyString[$counter])))
                {
                        $cleanString.=$dirtyString[$counter];
                }
                else
                {
                        $cleanString.=' ';
                }
        }
        return $cleanString;
}
On Sat, 2002-10-12 at 10:04, Rob Shein wrote:

Valdis wrote:

You're filtering "known illegal" out, rather than refusing to 
pass only probably legal characters through.  You can 
enumerate %2B, ... more ... and you're still totally screwed 
to the wall if you missed one (and remember that all the 
Unicode exploits are basically "missed one").  Worse yet, 
you're screwed to the wall if you have a complete list, but 
at a later date somebody finds a new and creative way to use 
a character (did you know that some Unix shells treat the ^ 
caret as equivalent to | pipe? ;)

I don't do PHP, but the pseudocode *should* be:

function make_clean($value) {
    legalchars = "[a-z][A-Z][0-9] "; // allow letters, numbers, space only
    for each char in $value
       if char not in legalchars
       then char=' ';  // bogus char? Make it a blank
    end for;
}

Somebody finds a way to use doublequote to inject bad data?  
Somebody finds a way to use asterisks or %2B?  No problem - 
they weren't in my legalchars list to start with.

Remember - don't filter known bad chars.  Filter *everything* 
*but* known good.
-- 

Ok, I'm no PHP guru, but I'd sure like to see this coded in PHP.  Anyone
take a stab at it yet?
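As an added illustration (not code posted by anyone in this thread), the same allow-list idea as makeClean() above written with PHP's standard library, placed next to the output-side alternative, htmlspecialchars(), which neutralises HTML-significant characters at the point the value is emitted instead of destroying them on input. The function names makeCleanAllowlist() and escapeForHtml() and the sample strings are assumptions made for this example.

```php
<?php
// Added example, not from the mailing list thread.

/**
 * Allow-list filter: every byte that is not an ASCII letter, digit or
 * space is replaced with a space. Same effect as makeClean() above,
 * expressed as one regular expression instead of a hand-rolled loop.
 * Note that it is byte-oriented: a multibyte UTF-8 character becomes
 * several spaces, and legitimate punctuation (apostrophes in names,
 * ampersands in company names) is lost.
 */
function makeCleanAllowlist(string $dirty): string
{
    return preg_replace('/[^A-Za-z0-9 ]/', ' ', $dirty);
}

/**
 * Output encoding: keeps the data intact and encodes the characters that
 * matter to an HTML parser (& < > " ') so the browser renders them as text.
 * ENT_QUOTES also covers attribute values delimited with single quotes;
 * ENT_SUBSTITUTE replaces invalid UTF-8 sequences rather than returning an
 * empty string; the explicit charset avoids relying on the default.
 */
function escapeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample inputs (not taken from any real request).
$samples = [
    'plain text 123',
    "O'Brien & Sons <ltd>",
    '"quoted" value with a % sign',
];

foreach ($samples as $in) {
    printf("input:       %s\n", $in);
    printf("allow-list:  %s\n", makeCleanAllowlist($in));
    printf("html-escape: %s\n", escapeForHtml($in));
    printf("\n");
}
```

Running it shows the trade-off the thread is circling: the allow-list version gives Valdis's guarantee (nothing outside the list survives, whatever new character trick turns up later) at the cost of mangling ordinary input such as O'Brien, while htmlspecialchars() preserves the data and is the usual choice when the value is going into an HTML page. Either way the check belongs in the code that emits the value, with the encoding chosen for that output context.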

