Preventing XSS cross-site scripting attacks with PHP programming

Source: Internet
Author: User
Tags filter ord php programming printable characters strlen
Many domestic forums have a cross-site scripting loophole, foreign also many such examples, even Google has appeared, but in early December revised. (Editor's note: For cross-site scripting exploits, readers can refer to the "detailed XSS cross-site scripting Attack"). Cross-station attacks are easy to construct, and very covert, not easy to be Chage (usually steal information immediately jump back to the original page).

How to attack, do not explain this (also do not ask me), mainly talk about how to prevent. First, cross-site scripting attacks are due to the lack of strict filtering of user input, so we have to intercept the possible dangers before all data enters our site and database. For illegal HTML code including single double quotes, you can use Htmlentities ().

<?php
$str = "A ' quote ' is <b> bold </b>";

Outputs:a ' Quote ' is <b>bold</b>
echo htmlentities ($STR);

Outputs:a ' Quote ' is <b>bold</b>
Echo htmlentities ($str, ent_quotes);
? >
This will invalidate the illegal script.

Note, however, that the htmlentities () default encoding is Iso-8859-1, and if your illegal script is encoded as something else, it may not be filtered out and the browser can recognize and execute it. This problem I first find a few site test and then say.

This provides a function to filter illegal scripts:

function Removexss ($val) {
Remove all non-printable characters. CR (0a) and LF (0b) and TAB (9) are allowed
This prevents some character re-spacing such as <java\0script>
Note this you have to handle splits with \ n, \ r, and \ t later since they *are* allowed in some inputs
$val = Preg_replace ('/([\x00-\x08][\x0b-\x0c][\x0e-\x20])/', ', $val);

Straight replacements, the user should never need these since they ' re normal characters
This is prevents like _#x6cert (' XSS ')
$search = ' abcdefghijklmnopqrstuvwxyz ';
$search. = ' ABCDEFGHIJKLMNOPQRSTUVWXYZ ';
$search. = ' 1234567890!@#$%^&* () ';
$search. = ' ~ ';: +/={}[]-_|\ ' \ ';
for ($i = 0; $i strlen ($search); $i + +) {
// ;? Matches the;, which is optional
0{0,7} matches any padded zeros, which are optional and go up to 8 chars

@ @ search for the hex values
$val = Preg_replace ('/(&#[x| x]0{0,8} '. Dechex (Ord ($search [$i])). /I ', $search [$i], $val); with A;
@ @ 0{0,7} matches ' 0 ' zero to seven times
$val = Preg_replace ('/({0,8} '. Ord ($search [$i]). /', $search [$i], $val); with A;
}

Now the only remaining whitespace attacks are \ \ n, and \ r
$ra 1 = Array (' javascript ', ' VBScript ', ' expression ', ' applets ', ' meta ', ' xml ', ' blink ', ' link ', ' style ', ' script ', ' embed ', ' Object ', ' iframe ', ' frame ', ' frameset ', ' ilayer ', ' layer ', ' bgsound ', ' title ', ' base ';
$ra 2 = Array (' onabort ', ' onactivate ', ' onafterprint ', ' onafterupdate ', ' onbeforeactivate ', ' onbeforecopy ', ' Onbeforecut ', ' onbeforedeactivate ', ' onbeforeeditfocus ', ' onbeforepaste ', ' onbeforeprint ', ' onbeforeunload ', ' Onbeforeupdate ', ' onblur ', ' onbounce ', ' oncellchange ', ' onchange ', ' onclick ', ' oncontextmenu ', ' oncontrolselect ', ' Oncopy ', ' oncut ', ' ondataavailable ', ' ondatasetchanged ', ' ondatasetcomplete ', ' ondblclick ', ' ondeactivate ', ' Ondrag ', ' Ondragend ', ' ondragenter ', ' ondragleave ', ' ondragover ', ' ondragstart ', ' ondrop ', ' onerror ', ' onerrorupdate ', ' Onfilterchange ', ' onfinish ', ' onfocus ', ' onfocusin ', ' onfocusout ', ' onhelp ', ' onkeydown ', ' onkeypress ', ' onkeyup ', ' Onlayoutcomplete ', ' onload ', ' onlosecapture ', ' onmousedown ', ' onmouseenter ', ' onmouseleave ', ' onmousemove ', ' onMouseOut ', ' onmouseover ', ' onmouseup ', ' onmousewheel ', ' onmove ', ' onmoveend ', ' onmovestart ', ' onpaste ', ' Onpropertychange ', ' onreadystatechange ', ' onreset ', ' onresize ', ' onresizeend ', ' onresizestart ', ' OnrowenteR ', ' onrowexit ', ' onrowsdelete ', ' onrowsinserted ', ' onscroll ', ' onselect ', ' onselectionchange ', ' onselectstart ', ' OnStart ', ' onstop ', ' onsubmit ', ' onunload ');
$ra = Array_merge ($ra 1, $ra 2);

$found = true; Keep replacing as long as the previous round replaced something
while ($found = = True) {
$val _before = $val;
for ($i = 0; $i sizeof ($RA); $i + +) {
$pattern = '/';
for ($j = 0; $j strlen ($ra [$i]); $j + +) {
if ($j > 0) {
$pattern. = ' (';
$pattern. = ' (&#[x| x]0{0,8} ([9][a][b]);
$pattern. = ' | ({0,8} ([9][10][13]);
$pattern. = ')? ';
}
$pattern. = $ra [$i] [$j];
}
$pattern. = '/I ';
$replacement = substr ($ra [$i], 0, 2). ' <x> '. substr ($ra [$i], 2); Add in <> to nerf the tag
$val = Preg_replace ($pattern, $replacement, $val); Filter out the hex tags
if ($val _before = = $val) {
No replacements were made, so exit the loop
$found = false;
}
}
}
}

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.