need help implementing this safe method of sanitizing GET inputs from XSS attacks

Vigilante

Since XSS can take all kinds of nasty forms and what may be discovered in the future is still unknown I've opted to sanitize my GET inputs by eliminating all characters except ones I've marked as safe.

So I have this variable

$safechars = '1234567890_-!@# abcdefghijklmnopqrstuvwxyzABCDEFGHIJKMNOPQRSTUVWXYZ';

(added a space so the page won't stretch)
These are everything I want to allow users to submit through the query string but I don't know how I would eliminate all characters except these ones from a variable. Anyone have any ideas?

sfullman

if(preg_match('/^[-a-z0-9!@# ]+$/i', $GET['thevalue'])){
//it's OK
}else{
//sorry, illegal characters
}

I suggest you also convert combinations like <? and ?> and <% and %> into their ascii code equivalents. For example < is ascii 060 and ? is ascii 063, so change <? over to <? when you store it.

That way they can't pass scripts -- <? will still display as <?

Sam

Vigilante

If I can do what I'm trying to do, which is trim any characters NOT found in the safe string from a variable then I don't need to worry about converting anything to ASCII. < and > braces aren't in the string so they would just get cut out.

If someone can help me implement this idea, which I got from a CERT article recommending this method as protection from xss attacks, then all the guest vars in my rather extensive system will be safe.