From 8ec0d518adae7dfa247d1a7480843bb6b32052f1 Mon Sep 17 00:00:00 2001
From: Matt Pass
Date: Fri, 27 Jun 2014 11:22:32 +0100
Subject: [PATCH] Largely adjusted XSS protection
Adjusted to match that implemented by Ashar Javed (https://twitter.com/soaj1664ashar, demo: http://xssplaygroundforfunandlearn.netai.net/final.html). Was unbreakable against 78k XSS attempts, so seems very solid
---
 lib/settings-common.php | 24 +++++++++++++-----------
 1 file changed, 13 insertions(+), 11 deletions(-)
diff --git a/lib/settings-common.php b/lib/settings-common.php
index 0bf78b0..b3f39b9 100644
--- a/lib/settings-common.php
+++ b/lib/settings-common.php
@@ -71,31 +71,33 @@ function xssClean($data,$type) {
 // === style ===
 if ($type == "style") {
- $bad = array("\"", "``", "(", ")", "&", ".", "\\");
- $good = array(""", "``", "(", ")", "&", ".", "\");
+ $bad = array("<", ">", "\"", "'", "``", "(", ")", "&", "\\\\");
+ $good = array("<", ">", """, "'", "`", "(", ")", "&", "\");
 }
 // === attribute ===
 if ($type == "attribute") {
- $bad = array("\"", "``");
- $good = array(""", "``");
+ $bad = array("\"", "'", "``");
+ $good = array(""", "'", "`");
 }
 // === script ===
 if ($type == "script") {
- $bad = array("<", ">", "(", ")", "[", "]", "\"", "'", ";");
- $good = array("<", ">", "(", ")", "[", "]", """, "'", ";");
+ $bad = array("<", ">", "\"", "'", "\\\\", "%", "&");
+ $good = array("<", ">", """, "'", "\", "%", "&");
 }
 // === url ===
 if ($type == "url") {
- $bad = array("\"", "``");
- $good = array("%22", "%60%60");
+ if(preg_match("#^(?:(?:https?|ftp):{1})\/\/[^\"\s\\\\]*.[^\"\s\\\\]*$#iu",(string)$data,$match)) {
+ return $match[0];
+ } else {
+ return 'javascript:void(0)';
+ }
 }
- $data = str_replace($bad, $good, $data);
-
- return $data;
+ $output = str_replace($bad, $good, $data);
+ return $output;
 }
 // returns a UTF8 based string with any UFT8 BOM removed
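Review bot: The new `url` branch returns `$match[0]`, which is the whole anchored match and therefore the caller's input unchanged, while its character class `[^"\s\\]` still admits `'`, `<`, `>` and `(`, so passing the scheme check does not make the value safe to drop into a single-quoted or unquoted HTML attribute (how callers embed it is outside the hunk). If the result is written into HTML like the other branches, encode it on the way out, `return htmlspecialchars($match[0], ENT_QUOTES, 'UTF-8');`, rather than echoing the raw match. In the rewritten `style` and `script` arrays the `&` pair is listed last, and `str_replace` with array arguments applies the pairs in sequence, so the entities produced by the earlier pairs (the `$good` values look entity-decoded in this rendering, e.g. `"""` presumably standing for `"&quot;"`) get re-encoded to `&amp;lt;`, `&amp;quot;` and so on; moving the `&` pair to the front of both arrays fixes the order. The new needle `"\\\\"` is the two-character string `\\`, so a lone backslash, which the removed `"\\"` needle caught, now passes through in both branches; `"\\"` is the needle that matches one backslash. xssClean's signature is before the hunk (it appears only in the hunk header), so the `$type` fall-through when no branch matches cannot be judged from here.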