I found it inside the "symphony CMS" app, it's very small:
https://github.com/symphonycms/xssfilter/blob/master/extension.driver.php#L100
And I was thinking of stealing it and using it in my own application to sanitize strings with HTML for display. Do you think it does a good job?
PS: I know there's HTML Purifier, but that thing is huge. And I'd prefer something less permissive, but I still want it to be efficient.
I've been testing it against strings from this page: http://ha.ckers.org/xss.html. But it fails against "XSS locator 2". Not sure how anyone can use that string to hack a site, though :)
No, I wouldn’t use it. There are many different attacks that all depend on the context the data is inserted into. One single function would not cover them all. If you take a close look, there are actually just four tests:
// Set the patterns we'll test against
$patterns = array(
    // Match any attribute starting with "on" or xmlns
    '#(<[^>]+[\x00-\x20\"\'\/])(on|xmlns)[^>]*>?#iUu',
    // Match javascript:, livescript:, vbscript: and mocha: protocols
    '!((java|live|vb)script|mocha):(\w)*!iUu',
    '#-moz-binding[\x00-\x20]*:#u',
    // Match style attributes
    '#(<[^>]+[\x00-\x20\"\'\/])style=[^>]*>?#iUu',
    // Match unneeded tags
    '#</*(applet|meta|xml|blink|link|style|script|embed|object|iframe|frame|frameset|ilayer|layer|bgsound|title|base)[^>]*>?#i'
);
Nothing else is tested. Besides attacks that these tests don’t detect (false negative), it could also report some input mistakenly as an attack (false positive).
So instead of trying to detect XSS attacks, just make sure to use proper sanitizing.
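An added PHP example (not code from the question, the answer, or the Symphony extension) illustrating both points of the answer: the five quoted patterns, wrapped in a hypothetical looksLikeXss(), match ordinary markup such as an alt attribute containing the word "on" after a space, and encoding for the insertion context (hypothetical escHtml/escJs/escUrlParam/safeHref helpers) removes the need to detect anything at all:

```php
<?php
// Added example, not code from the question or from the Symphony extension.
// Part 1: the five patterns quoted in the answer, wrapped in a hypothetical
// looksLikeXss() that reports a hit if any pattern matches, the way a
// blacklist detector would.
$patterns = array(
    '#(<[^>]+[\x00-\x20\"\'\/])(on|xmlns)[^>]*>?#iUu',
    '!((java|live|vb)script|mocha):(\w)*!iUu',
    '#-moz-binding[\x00-\x20]*:#u',
    '#(<[^>]+[\x00-\x20\"\'\/])style=[^>]*>?#iUu',
    '#</*(applet|meta|xml|blink|link|style|script|embed|object|iframe|frame|frameset|ilayer|layer|bgsound|title|base)[^>]*>?#i',
);
function looksLikeXss(array $patterns, string $s): bool {
    foreach ($patterns as $p) {
        if (preg_match($p, $s) === 1) {
            return true;
        }
    }
    return false;
}
// False positive: the first pattern only requires whitespace or a quote
// followed by "on" somewhere inside a tag, so ordinary alt text trips it.
var_dump(looksLikeXss($patterns, '<img src="cat.jpg" alt="cat on mat">'));

// Part 2: the alternative the answer recommends. Encode for the context the
// value is inserted into; nothing needs to be detected or rejected.
function escHtml(string $s): string {      // text nodes and quoted attribute values
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}
function escJs(string $s): string {        // a string literal inside <script>
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    return json_encode($s, $flags) ?: '""';
}
function escUrlParam(string $s): string {  // a single query-string value
    return rawurlencode($s);
}
function safeHref(string $url): string {   // href: allow-list the scheme first
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if ($scheme !== '' && !in_array($scheme, array('http', 'https', 'mailto'), true)) {
        return '#';
    }
    return escHtml($url);
}
$untrusted = '"><script>alert(1)</script>';   // constructed test input
echo '<p>' . escHtml($untrusted) . "</p>\n";
echo '<input value="' . escHtml($untrusted) . "\">\n";
echo '<script>var q = ' . escJs($untrusted) . ";</script>\n";
echo '<a href="/search?q=' . escUrlParam($untrusted) . "\">search</a>\n";
echo '<a href="' . safeHref('javascript:alert(1)') . "\">link</a>\n";
```

Each echo line shows the same untrusted value rendered inert in a different context; the escaper is chosen by where the value lands, not by what it looks like.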