Is this function sufficient to detect XSS?

I found it inside the Symphony CMS application; it is very small:

https://github.com/symphonycms/xssfilter/blob/master/extension.driver.php#L100

And I was thinking about stealing it and using it in my own application to clean strings that contain HTML before displaying them. Do you think it does a good job?

PS: I know there is an HTML cleaner, but that thing is huge. I would prefer something less permissive, but I still want it to be effective.


I tested it on the lines from this page: http://ha.ckers.org/xss.html. But it fails on "XSS Locator 2". I do not know how you could use that line to hack a site :)

+6
2 answers

No, I would not use it. There are many different attacks that depend on the context into which the data is inserted. One single function does not cover them all. If you look closely, there are actually only four tests:

// Set the patterns we'll test against
$patterns = array(
    // Match any attribute starting with "on" or xmlns
    '#(<[^>]+[\x00-\x20\"\'\/])(on|xmlns)[^>]*>?#iUu',

    // Match javascript:, livescript:, vbscript: and mocha: protocols
    '!((java|live|vb)script|mocha):(\w)*!iUu',
    '#-moz-binding[\x00-\x20]*:#u',

    // Match style attributes
    '#(<[^>]+[\x00-\x20\"\'\/])style=[^>]*>?#iUu',

    // Match unneeded tags
    '#</*(applet|meta|xml|blink|link|style|script|embed|object|iframe|frame|frameset|ilayer|layer|bgsound|title|base)[^>]*>?#i'
);

Nothing else is verified. Besides the attacks that these tests do not detect (false negatives), it can also erroneously report some input as an attack (false positives).

Therefore, instead of trying to detect XSS attacks, just make sure that you are using proper sanitization.

+8

I think this works well for string testing, at least as far as I can tell from my tests.

+1
