Fl used to have an automatic XSS repair function for Smarty templates, but it was never supported for PHP templates. The main reason is that recognising an output variable in a Smarty template is relatively simple: you only have to check whether the expression starts with `$`, and there are no assignments or other operations inside an output tag.
PHP templates are far more troublesome. Any PHP code can be written between the PHP delimiters, and you cannot tell in advance where output happens. Even when echo is used for output, echo can be followed by many things, such as strings, variables, expressions and function calls:
Because of this we never solved the problem: implementing PHP lexical analysis just for this one feature would have been far too much work.
Then we noticed that PHP itself provides a lexical analysis method: the token_get_all function (which has existed for a long time).
Passing PHP source text to this function returns the list of tokens. For details see the official PHP documentation: http://php.net/manual/en/function.token-get-all.php
With this method you can obtain the token list and locate every echo token and every `<?= ... ?>` short echo tag, then check whether the output expression is already wrapped in an escape function or carries a marker saying it must not be escaped. If neither is the case, the corresponding escape function is added (in PHP, escaping is done with a function call).
The implementation is not very complex; see this file in the github project: https://github.com/welefen/Fl/blob/master/src/Util/Tpl/PHP.class.php
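The following is an added example written for this article, not the Fl code linked above. It implements the approach just described with token_get_all: every `echo` and `<?=` output expression is collected up to its terminating `;` or `?>`, split into top-level arguments, and wrapped in an escape function unless it is a constant literal, already has an escape function as its outermost call, or is preceded by an opt-out comment. The list of escape functions, the `/* raw */` opt-out marker and `htmlspecialchars()` as the default escaper are assumptions of this example, not Fl's conventions.

```php
<?php
// Added example (not Fl's code): auto-escape echo output in a PHP template
// using token_get_all(). Assumptions made for this example: the list of escape
// functions that count as "already escaped", the /* raw */ opt-out comment,
// and htmlspecialchars() as the default escaper.

const ESCAPE_FUNCS = ['htmlspecialchars', 'htmlentities', 'rawurlencode', 'json_encode', 'intval'];
const RAW_MARKER_RE = '#^/\*\s*raw\s*\*/$#';   // /* raw */ before an expression opts it out

function tokenText($t): string { return is_array($t) ? $t[1] : $t; }

// +1 on an opening bracket, -1 on a closing one, 0 otherwise. Interpolation
// braces ("{$x}") open as array tokens but close as a bare '}', so both kinds count.
function depthDelta($t): int {
    if (is_array($t)) {
        return in_array($t[0], [T_CURLY_OPEN, T_DOLLAR_OPEN_CURLY_BRACES], true) ? 1 : 0;
    }
    if ($t === '(' || $t === '[' || $t === '{') return 1;
    if ($t === ')' || $t === ']' || $t === '}') return -1;
    return 0;
}

// Split "echo $a, $b" into its top-level arguments (commas inside calls stay put).
function splitArgs(array $tokens): array {
    $args = [[]]; $depth = 0;
    foreach ($tokens as $t) {
        if ($t === ',' && $depth === 0) { $args[] = []; continue; }
        $depth += depthDelta($t);
        $args[count($args) - 1][] = $t;
    }
    return $args;
}

// True when the expression needs no escaping: it is a constant literal, it
// carries the raw marker, or its outermost call is already an escape function.
function isAlreadySafe(array $expr): bool {
    $sig = [];
    foreach ($expr as $t) {
        if (is_array($t) && ($t[0] === T_COMMENT || $t[0] === T_DOC_COMMENT)) {
            if (preg_match(RAW_MARKER_RE, $t[1])) return true;
            continue;
        }
        if (is_array($t) && $t[0] === T_WHITESPACE) continue;
        $sig[] = $t;
    }
    if ($sig === []) return true;                              // nothing to escape
    $first = $sig[0];
    if (count($sig) === 1 && is_array($first)
        && in_array($first[0], [T_CONSTANT_ENCAPSED_STRING, T_LNUMBER, T_DNUMBER], true)) {
        return true;                                           // constant literal
    }
    return is_array($first) && $first[0] === T_STRING
        && in_array(strtolower($first[1]), ESCAPE_FUNCS, true)
        && ($sig[1] ?? null) === '(';
}

// Wrap one argument in the escaper, keeping its surrounding whitespace intact.
function wrapArg(array $arg, string $escaper): string {
    $text = implode('', array_map('tokenText', $arg));
    if (isAlreadySafe($arg)) return $text;
    $lead  = substr($text, 0, strlen($text) - strlen(ltrim($text)));
    $trail = substr($text, strlen(rtrim($text)));
    return $lead . $escaper . '(' . trim($text) . ", ENT_QUOTES, 'UTF-8')" . $trail;
}

// Rewrite every `echo ...;` and `<?= ... ?>` in $src so that its output is escaped.
function autoEscapeTemplate(string $src, string $escaper = 'htmlspecialchars'): string {
    $tokens = token_get_all($src);
    $n = count($tokens);
    $out = '';
    for ($i = 0; $i < $n; $i++) {
        $t = $tokens[$i];
        $out .= tokenText($t);
        if (!is_array($t) || ($t[0] !== T_ECHO && $t[0] !== T_OPEN_TAG_WITH_ECHO)) continue;
        // Collect the output expression up to the terminating ';' or '?>'.
        $expr = []; $depth = 0; $terminator = '';
        for ($i++; $i < $n; $i++) {
            $u = $tokens[$i];
            if (($u === ';' && $depth === 0) || (is_array($u) && $u[0] === T_CLOSE_TAG)) {
                $terminator = tokenText($u);
                break;
            }
            $depth += depthDelta($u);
            $expr[] = $u;
        }
        $out .= implode(',', array_map(fn($a) => wrapArg($a, $escaper), splitArgs($expr))) . $terminator;
    }
    return $out;
}

// Constructed sample template for this example, not taken from any real project.
$template = <<<'TPL'
<h1><?= $title ?></h1>
<p><?php echo $user['bio'], ' - ', htmlspecialchars($user['site']); ?></p>
<div><?php echo /* raw */ $trustedHtml; ?></div>
<?php echo "static text", 42; ?>
TPL;

echo autoEscapeTemplate($template);
```

On the sample template this wraps `$title` and `$user['bio']` in `htmlspecialchars(..., ENT_QUOTES, 'UTF-8')` and leaves the already-escaped call, the `/* raw */` expression and the literals untouched. Two caveats a practitioner should keep in mind: a tokenizer sees only the PHP side, so it cannot tell whether the output lands in an HTML body, an unquoted attribute, a script block or a URL, and HTML entity escaping is only correct for the first of those; and `print`, `printf` and output built up in variables before a single `echo` are not covered by looking at echo tokens alone.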
PS: Although PHP's function naming and parameter design have many problems, it does offer a great many practical functions; almost everything has a corresponding function.
In fact, browsers could expose similar interfaces to JS, so that the many tools which need them would not each have to implement lexical analysis themselves.
Original article: the PHP template XSS automatic repair function is added in Fl.