regex: tracing malicious code in forms

valduc

Hi all,

I was looking for a way to scan for bad code in user submitted forms.
It needs more testing, but this is the regex i came up with:

$CFG["regex"]["ForbiddenEntries"]="^{(.)<([\?%/]|([\?%/]} ))?([a-zA-Z]+)( .)?>(.*)$";

The goal:
trace for code like: html, javascript, php and vb

any comments or someone knows a better one?

bye cya 🙂

drew010

best thing to do is run [man]htmlspecialchars[/man] so that it renders any script or html useless as the chars like < are turned into <.
Alternatively you can strip all tags like

$clean = preg_replace('/<[^>]+>/', '', $post);  // all <tags> </tags>
$nojs   = preg_replace('/<script[^>]*>(.*?)<\/script>/is', '', $post); //all <script...>tags and stuff in between</script>

valduc

I didn't want to strip the htmlspecialchars because entries like 'a < b > c' must be possible. And i know of the use of htmlspecialchars(), but the thing is that i wanted to be a bit fancy about warning people when they are attempting 'bad' things ;-)
maybe it's just me wanting to much...

drew010

if (preg_match('/<[\w\d]+>/', $post)) {
  echo "No code tags please...";
  $post = htmlspecialchars($post);
}

this detects a < immediately followed by one or more lettesr or numbers and then a closing > with no whitespace there.