From: Astalavista.NET Baby! (info_at_astalavista.com)
Date: Mon Oct 14 2002 - 11:34:04 CDT

    Hi Vuln-dev,

    ----- Original Message -----
    From: "Rohan Amin" <rohanrohanamin.com>
    To: "Rob Shein" <shotenstarpower.net>
    Cc: <vuln-devsecurityfocus.com>
    Sent: Saturday, October 12, 2002 8:48 PM
    Subject: RE: CROSS SITE-SCRIPTING Protection with PHP

    > I think a regular expression should do the trick:
    >
    > function make_clean($value) {
    > $legal_chars = "%[^0-9a-zA-Z ]%"; //allow letters, numbers & space
    > $new_value = preg_replace($legal_chars,"",$value); //replace with ""
    > return $new_value;
    > }

    The problem is really not simple input ranges like 0-9a-zA-Z values. (
    solution: $legal_chars = "%[^0-9a-zA-Z ]%"; )
    The problem is inputs for applications where we need HTML code as well as
    normal plain text user inputs.

    But why is the htmlspecialchars($value) function not secure enough ?!
    ( http://www.php.net/manual/en/function.htmlspecialchars.php )

    After this general filter each input can go through a few different filters
    for each case ...
    This is not a 100% solution, but should be a 99,9% filter at the end.

    ****** start generalfilter.inc.php ******
    <?php
    // Escape the HTML metacharacters (&, <, >, ") of one input value.
    function make_clean($value) {
        $value = htmlspecialchars($value);
        return $value;
    }

    // Run every request value through the filter and expose the cleaned
    // value as a variable of the same name ($$key).
    if (!empty($_GET)) {
        foreach ($_GET as $key => $value) {
            $$key = make_clean($value);
        }
    }
    if (!empty($_POST)) {
        foreach ($_POST as $key => $value) {
            $$key = make_clean($value);
        }
    }
    if (!empty($_SESSION)) {
        foreach ($_SESSION as $key => $value) {
            $$key = make_clean($value);
        }
    }
    if (!empty($_COOKIE)) {
        foreach ($_COOKIE as $key => $value) {
            $$key = make_clean($value);
        }
    }
    ****** end generalfilter.inc.php ******

    The

    /IV/N
    http://www.astalavista.net/
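As an added example (not code from the original post, nor from Astalavista.NET), the following PHP keeps the idea of generalfilter.inc.php, one escaping pass over request input, and adds the two things a reviewer would want before calling it a "99,9% filter": the htmlspecialchars() flags are set explicitly, because before PHP 8.1 the default (ENT_COMPAT) left the single quote untouched and so did not protect single-quoted attributes, and the cleaned values are returned as an array instead of being written into variable variables ($$key), so that a request parameter cannot overwrite an arbitrary variable of the script. The function names esc_html, esc_url and clean_request and the sample inputs are this example's own.

```php
<?php
// Added example; not the original post's code. Function names and
// sample inputs are constructed for the demonstration.

function esc_html(string $value): string
{
    // Safe for HTML text content and for quoted attribute values.
    // ENT_QUOTES escapes both " and '; ENT_SUBSTITUTE replaces invalid
    // UTF-8 sequences instead of returning an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function esc_url(string $value): string
{
    // Entity encoding does not change which URL scheme the browser
    // resolves, so values used in href/src also need a scheme allowlist.
    $allowed = ['http', 'https', 'mailto'];
    $scheme  = parse_url($value, PHP_URL_SCHEME);
    if (!is_string($scheme)) {
        // No scheme: accept only a same-site path ("/..." but not "//...").
        return preg_match('#^/(?!/)#', $value) ? esc_html($value) : '#';
    }
    return in_array(strtolower($scheme), $allowed, true) ? esc_html($value) : '#';
}

function clean_request(array $source): array
{
    // Escape every scalar in a request array ($_GET, $_POST, $_COOKIE);
    // nested arrays are handled recursively. Keys stay keys, nothing is
    // turned into a script variable.
    $clean = [];
    foreach ($source as $key => $value) {
        $clean[$key] = is_array($value)
            ? clean_request($value)
            : esc_html((string) $value);
    }
    return $clean;
}

// Constructed sample input standing in for a real $_GET.
$fake_get = [
    'name'  => "O'Reilly & <b>Sons</b>",
    'title' => 'say "hi"',
    'home'  => 'https://example.com/page?a=1&b=2',
    'odd'   => 'data:text/plain,hello',
];

$in = clean_request($fake_get);

// Same input, old default flag versus ENT_QUOTES.
printf("ENT_COMPAT : %s\n", htmlspecialchars($fake_get['name'], ENT_COMPAT));
printf("ENT_QUOTES : %s\n", htmlspecialchars($fake_get['name'], ENT_QUOTES));

// Render the cleaned values into the contexts they are meant for.
echo '<p>', $in['name'], '</p>', "\n";                  // text content
echo "<input value='", $in['title'], "'>", "\n";        // single-quoted attribute
echo '<a href="', esc_url($fake_get['home']), '">home</a>', "\n";
echo '<a href="', esc_url($fake_get['odd']), '">odd</a>', "\n";
```

Run it with the PHP CLI. The two printf lines show the difference the flag makes: with ENT_COMPAT the apostrophe in O'Reilly is passed through unchanged, with ENT_QUOTES it becomes `&#039;`, which is what makes the single-quoted `<input>` attribute safe. The last link shows the URL check refusing the data: scheme and emitting `#`, while the https: link is kept and its `&` entity-encoded.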