prevent xss attacks...

Copernicus

question, I want to be able to prevent XSS attacks via $_GET.. is this function good?

function PrevXSS($Get)
	{
		if (eregi('<script>', $Get) || eregi('<iframe>', $Get)
		|| eregi('<applet>', $Get) || eregi('<object>', $Get)
			{
				exit();
			}
		}

Also, how do I make it so it will automatically secure all $GET that include this file...as opposed to having to do it
through PrevXSS($GET['blah']).

thanks

kakki

i once did sth like this

foreach( $_REQUEST as $item => $value )
{
     // delete anything but numbers
     $_REQUEST[ $item ] = ereg_replace( '[^0-9]','',$value );
}

this was standard for "normal" pages( not the "edit item" ones ),
because there were only key-values being passed to the php-scripts

you can modify your script accordingly( foreach $_GET ..... )

MarkR

No, neither of these approaches is good.

The way to prevent XSS, is to ESCAPE HTML in the output of your page. This means using htmlspecialchars() as necessary in the output of your page.

Every variable output in the page should be escaped unless:

You are sure it came from a trusted source

It has been through your HTML-cleaning routine and you are confident of its effectiveness. Cleaning HTML of potentially active content is NOT easy, particularly if you want to do it without breaking anything.

Anything else, which could possibly have come from or via an untrusted user, MUST be escaped. There should be no exceptions.

As a rule, just escape everything in the output. In most cases escaping is the right thing to do even if you expect it to contain no HTML or characters which require escaping (say a date or an int).

Mark

zabmilenko

My weak approach:

function cleanup_request(&$request_array)
{
    $request_copy = $request_array;
    foreach($request_copy as $rkey => $rval)
    {
        $request_array[$rkey] = htmlspecialchars($rval);
        // also consider htmlentities();
    }
}

cleanup_request($_GET);
cleanup_request($_POST);

MarkR is correct, however. The best way is to just escape everything you output when you output it. Methods like the ones above are just sanity checks.

MarkR

zabmilenko's approach is not what I'd recommend either- as it will cause $GET and $POST to become escaped with htmlspecialchars, even if they are not going to be output to the browser.

This will cause data corruption, as your database, emails, etc, will fill up with & and < and such like.

Moreover, if you're taking the contents of a form and posting it back into itself (for example, if validation fails), HTML special characters will "breed" causing &amp;amp;amp;lt; and other dodgy stuff to appear all over the place.

It's just going to cause trouble.

This is basically the same problem as using magic_quotes- it will cause things to be escaped in the wrong place.

Mark

void_function

Cast all intergers into integers: $var= (int) $_GET['numeric_field']
Preg_match() for unallowed characters in string vars like usernames or passwords (unless passwords get encrypted so it won't matter much)
Use strip_tags() if no html is allowed and htmlspecialchars() on that text that is being shown back to users like forum posts, messages, etc...
Deny HTML completely and use BBCode if at all possible

vaaaska

I'd say use a token as well. The previous two posts with a token and it's about as good as you'll get for the moment.