Vulnerability Development mailing list archives
Re: CROSS SITE-SCRIPTING Protection with PHP
From: "Astalavista.NET Baby!" <info () astalavista com>
Date: Mon, 14 Oct 2002 18:34:04 +0200
Hi Vuln-dev@,

----- Original Message -----
From: "Rohan Amin" <rohan () rohanamin com>
To: "Rob Shein" <shoten () starpower net>
Cc: <vuln-dev () securityfocus com>
Sent: Saturday, October 12, 2002 8:48 PM
Subject: RE: CROSS SITE-SCRIPTING Protection with PHP

> I think a regular expression should do the trick:
>
> function make_clean($value) {
>     $legal_chars = "%[^0-9a-zA-Z ]%";                    // allow letters, numbers & space
>     $new_value = preg_replace($legal_chars, "", $value); // replace with ""
>     return $new_value;
> }

The problem is really not simple input ranges like 0-9a-zA-Z values.
(solution: $legal_chars = "%[^0-9a-zA-Z ]%";)

The problem is inputs for applications where we need HTML code as well as normal plain-text user inputs.

But why is the htmlspecialchars($value) function not secure enough?!
(http://www.php.net/manual/en/function.htmlspecialchars.php)

After this general filter each input can go through a few different filters for each case ...
This is not a 100% solution, but should be a 99,9% filter at the end.

****** start generalfilter.inc.php ******
<?php
// Escape the HTML metacharacters (& < > ") in one input value.
function make_clean($value) {
    $value = htmlspecialchars($value);
    return $value;
}

// Copy every request, session and cookie value into a global variable of the
// same name. Note: $$key emulates register_globals, so a request parameter
// creates (or overwrites) the script variable that carries its name.
if (!empty($_GET)) {
    foreach ($_GET as $key => $value) { $$key = make_clean($value); }
}
if (!empty($_POST)) {
    foreach ($_POST as $key => $value) { $$key = make_clean($value); }
}
if (!empty($_SESSION)) {
    foreach ($_SESSION as $key => $value) { $$key = make_clean($value); }
}
if (!empty($_COOKIE)) {
    foreach ($_COOKIE as $key => $value) { $$key = make_clean($value); }
}
?>
****** end generalfilter.inc.php ******

The /IV/N
http://www.astalavista.net/
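An added example, not code from the list post or from PHP's own documentation, on the question raised above of whether htmlspecialchars() is "secure enough": it depends on the output context and on the flags, since its default before PHP 8.1 (ENT_COMPAT) leaves the single quote unencoded. The esc_* helper names and the sample values are assumptions of this example; it assumes PHP 7.3 or later.

```php
<?php
// Added example (not from the list post). Assumes PHP >= 7.3.
// Escaping is context-specific: the output context and the flags decide
// whether htmlspecialchars() alone is enough.

// HTML text and quoted attributes. ENT_QUOTES is set explicitly because the
// pre-8.1 default (ENT_COMPAT) does not encode the single quote, which is
// unsafe when the value lands inside a single-quoted attribute.
function esc_html(string $v): string {
    return htmlspecialchars($v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Value embedded in a <script> block. Entities are not decoded there, so use
// JSON encoding; the HEX flags turn < > & ' " into \u escapes so the string
// cannot close the script element or its quotes.
function esc_js(string $v): string {
    return json_encode($v, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR);
}

// URL used in href/src. Entity encoding does not neutralise an unexpected URL
// scheme, so allow-list the scheme first, then escape for the attribute.
function esc_url_attr(string $v): string {
    $scheme = parse_url($v, PHP_URL_SCHEME);
    if (!in_array(strtolower((string) $scheme), ['http', 'https'], true)) {
        return '#';   // unexpected scheme: replace rather than try to repair
    }
    return esc_html($v);
}

// Constructed sample input: a legitimate value that contains a single quote.
$name = "O'Brien <admin>";
$link = 'https://example.com/?u=' . rawurlencode($name);

$legacy = htmlspecialchars($name);   // pre-8.1 default: the ' survives untouched
$strict = esc_html($name);           // O&#039;Brien &lt;admin&gt; on every version

echo "<p>Hello $strict</p>\n";                                 // HTML text
echo "<input value=\"$strict\">\n";                             // double-quoted attribute
echo "<input value='$strict'>\n";                               // single-quoted: needs ENT_QUOTES
echo "<script>var who = " . esc_js($name) . ";</script>\n";     // script context
echo "<a href=\"" . esc_url_attr($link) . "\">profile</a>\n";  // URL context
echo "legacy: $legacy\nstrict: $strict\n";
```

Running it under PHP < 8.1 prints the legacy line with the apostrophe intact, which is exactly the character that matters in the single-quoted attribute line.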