Largely adjusted XSS protection

Adjusted to match that implemented by Ashar Javed
(https://twitter.com/soaj1664ashar, demo:
http://xssplaygroundforfunandlearn.netai.net/final.html). It held up
against 78k XSS attempts, so it seems very solid.
Matt Pass
2014-06-27 11:22:32 +01:00
parent 3bf0e2e4db
commit 8ec0d518ad


@@ -71,31 +71,33 @@ function xssClean($data,$type) {
// === style ===
if ($type == "style") {
$bad = array("\"", "``", "(", ")", "&", ".", "\\");
$good = array(""", "``", "(", ")", "&", ".", "\");
$bad = array("<", ">", "\"", "'", "``", "(", ")", "&", "\\\\");
$good = array("&lt;", "&gt;", "&quot;", "&apos;", "&grave;", "&lpar;", "&rpar;", "&amp;", "&bsol;");
}
// === attribute ===
if ($type == "attribute") {
$bad = array("\"", "``");
$good = array("&quot;", "&grave;&grave;");
$bad = array("\"", "'", "``");
$good = array("&quot;", "&apos;", "&grave;");
}
// === script ===
if ($type == "script") {
$bad = array("<", ">", "(", ")", "[", "]", "\"", "'", ";");
$good = array("&lt;", "&gt;", "&lpar;", "&rpar;", "&lbrack;", "&rbrack;", "&quot;", "&apos;", "&semi;");
$bad = array("<", ">", "\"", "'", "\\\\", "%", "&");
$good = array("&lt;", "&gt;", "&quot;", "&apos;", "&bsol;", "&percnt;", "&amp;");
}
// === url ===
if ($type == "url") {
$bad = array("\"", "``");
$good = array("%22", "%60%60");
if(preg_match("#^(?:(?:https?|ftp):{1})\/\/[^\"\s\\\\]*.[^\"\s\\\\]*$#iu",(string)$data,$match)) {
return $match[0];
} else {
return 'javascript:void(0)';
}
}
$data = str_replace($bad, $good, $data);
return $data;
$output = str_replace($bad, $good, $data);
return $output;
}
// returns a UTF8 based string with any UFT8 BOM removed
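Review bot: In the new `style` and `script` tables the `&` → `&amp;` pair is listed last, but `str_replace()` with array arguments applies each pair in turn to the output of the previous one, so the `&lt;`, `&quot;`, `&bsol;` and other entities inserted by the earlier pairs are re-encoded to `&amp;lt;`, `&amp;quot;` and so on; `&` must be the first pair in both tables. Those same tables now replace `"\\\\"`, which in a double-quoted PHP string is two backslash characters, so a lone `\` passes through untouched where the removed `$bad` line caught it with `"\\"`. The `url` branch returns `$match[0]` unmodified and its character class excludes only `"`, whitespace and `\`, so `'`, `<` and `>` survive and the value is only safe if every caller emits it inside a double-quoted attribute — confirm that or add `'` to the excluded set; the bare `.` in that pattern also matches any character rather than a literal dot. The enclosing xssClean() starts before this hunk.
```php
// === style ===
if ($type == "style") {
    // '&' first: the later pairs insert entities that must not be re-encoded
    $bad = array("&", "<", ">", "\"", "'", "``", "(", ")", "\\");
    $good = array("&amp;", "&lt;", "&gt;", "&quot;", "&apos;", "&grave;", "&lpar;", "&rpar;", "&bsol;");
}
// … unchanged: attribute branch …
// === script ===
if ($type == "script") {
    $bad = array("&", "<", ">", "\"", "'", "\\", "%");
    $good = array("&amp;", "&lt;", "&gt;", "&quot;", "&apos;", "&bsol;", "&percnt;");
}
```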