Are there any pre-made scripts that I can use for PHP / MySQL to prevent server-side scripting and JS injections?
I know about the typical functions such as htmlentities, special characters, string replace, etc., but is there a simple bit of code or a function that is a failsafe for everything?
Any ideas would be great. Many thanks :)
EDIT: Something generic that strips out anything that could be hazardous, i.e. greater-than / less-than signs, semicolons, words like "DROP", etc.?
I basically just want to compress everything to be alphanumeric, I guess...?
Never output any bit of data whatsoever to the HTML stream that has not been passed through htmlspecialchars(), and you're done. Simple rule, easy to follow, completely eradicates any XSS risk.
As a programmer it's your job to do it, though.
You can define
function h($s) { return htmlspecialchars($s); }
if htmlspecialchars() is too long to write 100 times per PHP file. On the other hand, using htmlentities() is not necessary at all.
The key point is: There is code, and there is data. If you intermix the two, bad things ensue.
In the case of HTML, code is elements, attribute names, entities, comments. Data is everything else. Data must be escaped to avoid being mistaken for code.
In the case of URLs, code is the scheme, the host name, the path, the mechanism of the query string (?, &, =, #). Data is everything in the query string: parameter names and values. They must be escaped to avoid being mistaken for code.
URLs embedded in HTML must be doubly escaped (by URL-escaping and HTML-escaping) to ensure proper separation of code and data.
Modern browsers are capable of parsing amazingly broken and incorrect markup into something useful. This capability should not be stressed, though. The fact that something happens to work (like URLs in <a href> without proper HTML-escaping applied) does not mean that it's good or correct to do it. XSS is a problem that roots in a) people unaware of data/code separation (i.e. "escaping") or those that are sloppy and b) people that try to be clever about what part of data they don't need to escape.
XSS is easy enough to avoid if you make sure you don't fall into categories a) and b).
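As an added example (not code from the question or from either answer), here is what the code/data separation described above looks like in PHP: one helper that HTML-escapes every piece of data on output, and one that builds a link by URL-escaping the query parameters first and then HTML-escaping the finished URL for the attribute. The helper names h() (borrowed from the answer) and link_to() are assumptions.

```php
<?php
// Added example. HTML-escape one piece of data for output.
// ENT_QUOTES also escapes single quotes, so the value is safe inside
// single-quoted attributes; ENT_SUBSTITUTE avoids returning an empty
// string on invalid UTF-8 input (which would silently drop data).
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Added example. Build an <a> element whose query parameters come from
// untrusted data. Two escaping layers are applied, in this order:
//   1. URL-escape each parameter name and value (PHP_QUERY_RFC3986 uses
//      rawurlencode), so "&", "=", "#" inside the data cannot be mistaken
//      for query-string syntax.
//   2. HTML-escape the whole URL and the link text, so quotes and "<"
//      inside either cannot be mistaken for markup.
function link_to(string $path, array $params, string $text): string
{
    $url = $path . '?' . http_build_query($params, '', '&', PHP_QUERY_RFC3986);
    return '<a href="' . h($url) . '">' . h($text) . '</a>';
}

// Constructed untrusted input: a search term as it might arrive from a
// request, containing both markup and query-string syntax.
$term = '"><script>alert(1)</script>&page=2';

// Both occurrences of $term reach the browser as data, never as code.
echo link_to('/search', ['q' => $term], 'Results for ' . $term), "\n";
```

Run it with php on the command line and compare the emitted href and link text with the raw $term: every character that could act as query-string or HTML syntax has been encoded at the layer where it would have been interpreted.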
I think Google-caja may be a solution. I wrote a taint analyzer for Java web applications to detect and prevent XSS automatically, but not for PHP. I think learning to use caja is not bad for a web developer.