xss script 4 u
  • Someone added this to our init-config loader at work. I'm still not sure what XSS is, but my eyes tell me it has something to do with JavaScript inside a request. Anyways, steal this if you want.

    if (!checkUserInput($_SERVER['REQUEST_URI']) || !checkUserInput($_REQUEST)) {
    // log the event
    // kill script
    }

    function checkUserInput($check)
    {
    $scripting = '/(%3C|
  • So a function that removes <script> tags from your user input? What about the onclick, onsubmit etc of elements? If you take this approach, you’ll most likely find so many problems. Then, what happens in a forum like this? I want to display my code for others to see, not attack the site.

    In general I find it's better to explicitly replace all string inputs as I put them into the database. I use the following function (it sits inside the parse class):

    static public function encode($string) { return(str_replace(array('&', '<', '>', '\'', '"'), array('&#38;', '&#60;', '&#62;', '&#39;', '&#34;'), $string)); }

    Then, on longer strings, expected to be multi-line, as they are displayed I'll run them through a forum tag style function which pretty much puts in <br />, <b> and so on. 99% of input strings come from the database or a similar source. The exceptions are generally when a script redirects and wants to display a 'You must be logged in.' message, for example. These are pretty static, so a simple isset($_GET['out']) is done to display the error (avoiding passing strings across scripts through input like this).

    I've also noticed the use of $_REQUEST; isn't this bad programming practice in PHP? You're not being entirely clear on where your input is coming from, and in particular, appending ?text=asdf to the URL bar is a helluva lot easier than adding it to the POST string (I'm sure there are other, better reasons that my brain just can't even comprehend at 11am in the morning…).

  • Easier than your replace function, just do an htmlspecialchars() or htmlentities(). If you want to be totally destructive, you can also do a strip_tags().
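    The two replies above (the hand-rolled encode() and the htmlspecialchars() suggestion) describe the same defence: encode at the point of output, not by blacklisting input. The following is an added example, not code posted in this thread; it reproduces the encode() helper with straight quotes, sets it beside htmlspecialchars() with the flags that make the two agree, shows why strip_tags() is the wrong tool for a forum that has to display code literally, and reads the one superglobal it expects instead of $_REQUEST. The post text, the 'text' query parameter and the renderPost() function are constructed for the example.

```php
<?php
// Added example (not from the thread): output encoding for HTML text and
// attribute contexts in PHP, contrasted with strip_tags() and $_REQUEST.
declare(strict_types=1);

// The thread's hand-rolled encoder, reproduced with straight quotes.
function encodeManual(string $s): string
{
    return str_replace(
        ['&', '<', '>', "'", '"'],
        ['&#38;', '&#60;', '&#62;', '&#39;', '&#34;'],
        $s
    );
}

// The built-in equivalent. ENT_QUOTES matters: without it single quotes pass
// through, which breaks out of single-quoted attributes. ENT_SUBSTITUTE keeps
// invalid UTF-8 from silently emptying the output. Charset is explicit so the
// encoder and the page agree.
function encodeHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Encode once per output context, at render time. Element text and a
// double-quoted attribute value both take the same HTML encoding here;
// the quotes around the attribute are what make ENT_QUOTES necessary.
// renderPost() is a constructed helper for the example.
function renderPost(string $author, string $body): string
{
    return '<div class="post" data-author="' . encodeHtml($author) . '">'
         . '<pre>' . encodeHtml($body) . '</pre></div>';
}

// Constructed sample: a forum post containing markup the author wants SHOWN, not run.
$post = "Try this: <b onclick='doThing()'>bold</b> & <script>x()</script>";

$manual  = encodeManual($post);
$builtin = encodeHtml($post);

// Both forms render as visible text; the browser parses no tag or attribute from them.
printf("manual : %s\n", $manual);
printf("builtin: %s\n", $builtin);

// Decoding either form gives the original post back byte for byte, so the
// display is faithful. The two encoders differ only in entity spelling.
assert(html_entity_decode($manual,  ENT_QUOTES | ENT_HTML5, 'UTF-8') === $post);
assert(html_entity_decode($builtin, ENT_QUOTES | ENT_HTML5, 'UTF-8') === $post);

// strip_tags() removes the markup the poster wanted to show and keeps the
// bare text between the tags (including the body of the script element),
// so it neither preserves the post nor reliably removes what it was meant to.
printf("strip_tags: %s\n", strip_tags($post));

// Read from the superglobal you actually expect. $_REQUEST merges GET, POST
// and cookies, so a value meant to arrive by POST can be supplied in the URL.
// 'text' is a constructed parameter name.
$text = isset($_GET['text']) ? (string) $_GET['text'] : '';

// The raw value is stored or passed around as-is; encoding happens only here,
// where the output context is known.
echo renderPost('"quoted" <author>', $text !== '' ? $text : $post), "\n";
```

    Note that encoding belongs to the output context: the same stored string would need a different encoder if it were written into a JavaScript string literal or a URL, which is why encoding on the way into the database, as the second reply does, can leave other contexts uncovered.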
  • :face-devil-grin: exactly!
  • May I get good OOP PHP notes? I'm beginning in OOP PHP programming.
