Vulnerability Development mailing list archives

Re: CROSS SITE-SCRIPTING Protection with PHP


From: "Astalavista.NET Baby!" <info () astalavista com>
Date: Mon, 14 Oct 2002 18:34:04 +0200

Hi Vuln-dev@,

----- Original Message -----
From: "Rohan Amin" <rohan () rohanamin com>
To: "Rob Shein" <shoten () starpower net>
Cc: <vuln-dev () securityfocus com>
Sent: Saturday, October 12, 2002 8:48 PM
Subject: RE: CROSS SITE-SCRIPTING Protection with PHP


I think a regular expression should do the trick:

function make_clean($value) {
  $legal_chars = "%[^0-9a-zA-Z ]%"; //allow letters, numbers & space
  $new_value = preg_replace($legal_chars,"",$value); //replace with ""
  return $new_value;
}

The problem is really not simple input ranges like 0-9a-zA-Z values
(solution: $legal_chars = "%[^0-9a-zA-Z ]%";).
The problem is inputs for applications where we need HTML code as well as
normal plain text user inputs.

But why is the htmlspecialchars($value) function not secure enough?!
( http://www.php.net/manual/en/function.htmlspecialchars.php )

After this general filter each input can go through a few different filters
for each case ...
This is not a 100% solution, but should be a 99,9% filter at the end.

****** start generalfilter.inc.php ******
<?php
// Escape HTML special characters in a single input value.
function make_clean($value){
  $value = htmlspecialchars($value);
  return $value;
}

// For each request/session array, create a variable named after every key
// ($$key) and assign it the escaped value.
if (!empty($_GET)){
  foreach( $_GET as $key=>$value )
    {$$key = make_clean($value);}
}
if (!empty($_POST)){
  foreach( $_POST as $key=>$value )
    {$$key = make_clean($value);}
}
if (!empty($_SESSION)){
  foreach( $_SESSION as $key=>$value )
    {$$key = make_clean($value);}
}
if (!empty($_COOKIE)){
  foreach( $_COOKIE as $key=>$value )
    {$$key = make_clean($value);}
}
****** end generalfilter.inc.php ******

The

/IV/N
http://www.astalavista.net/
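
Added example, not part of the original post or either poster's code: a variant of the general filter above that returns an escaped copy of the input array instead of creating one variable per request key, plus a scheme check for link targets, which htmlspecialchars() does not perform. The function names esc_html, clean_input and esc_href are hypothetical, the sample input is constructed, and PHP 7 or later is assumed.

```php
<?php
// Added example; function names are hypothetical, sample data is constructed.

// Escape for HTML element content and quoted attribute values.
// ENT_QUOTES also encodes the single quote, which the ENT_COMPAT default
// used before PHP 8.1 left unescaped.
function esc_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Recursive counterpart of make_clean(): returns a cleaned copy rather than
// assigning $$key, so a request parameter cannot overwrite a variable the
// script already uses, and array-valued parameters (a[]=1) are handled.
function clean_input(array $source): array
{
    $clean = [];
    foreach ($source as $key => $value) {
        $clean[$key] = is_array($value)
            ? clean_input($value)
            : esc_html((string) $value);
    }
    return $clean;
}

// htmlspecialchars() does not inspect URL schemes, so a value placed in an
// href needs an allow-list check first. Relative URLs are rejected here too.
function esc_href(string $url): string
{
    $scheme = parse_url($url, PHP_URL_SCHEME);
    if (!is_string($scheme) || !in_array(strtolower($scheme), ['http', 'https'], true)) {
        return '#';
    }
    return esc_html($url);
}

// Constructed sample input standing in for $_GET.
$sample = [
    'name' => "<b>Bob</b> O'Neil",
    'tags' => ['a&b', '"quoted"'],
    'home' => 'javascript:alert(1)',
];

$get = clean_input($sample);
echo $get['name'], "\n";                               // markup and quote encoded
echo $get['tags'][1], "\n";                            // nested value encoded
echo esc_href($sample['home']), "\n";                  // scheme not on the allow-list
echo esc_href('https://example.com/?a=1&b=2'), "\n";   // allowed, ampersand encoded
```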



