Sanitizing PHP XSS

Questions:

What are the best functions safe1(), safe2(), safe3() and safe4() to avoid XSS on UTF-8 encoded pages? Are they also safe in all browsers (in particular, IE6)?

    <body><?php echo safe1($xss)?></body>
    <body id="<?php echo safe2($xss)?>"></body>
    <script type="text/javascript"> var a = "<?php echo safe3($xss)?>"; </script>
    <style type="text/css"> .myclass {width:<?php echo safe4($xss)?>} </style>


Many say that the best thing you can do is:

    // safe1 & safe2
    $s = htmlentities($s, ENT_QUOTES, "UTF-8");
    // But how would you compare the above to:
    // https://github.com/shadowhand/purifier
    // OR http://kohanaframework.org/3.0/guide/api/Security#xss_clean
    // OR is there an even better if not perfect solution?


    // safe3
    $s = mb_convert_encoding($s, "UTF-8", "UTF-8");
    $s = htmlentities($s, ENT_QUOTES, "UTF-8");
    // How would you compare this to using mysql_real_escape_string($s)?
    // (Yes, I know this is a DB function)
    // Some other people also recommend calling json_encode() before passing to htmlentities
    // What is the best solution?


There are many posts about PHP and XSS. Most simply say "use HTMLPurifier" or "use htmlspecialchars", or are mistaken. Others say they use OWASP, but it is EXTREMELY slow. Some of the good posts I've come across are listed below:

Do htmlspecialchars and mysql_real_escape_string keep my PHP code safe from injection?

XSS Me Warnings - Real XSS Issues?

CodeIgniter - why use xss_clean

+7
2 answers

safe2() is clearly htmlspecialchars().

For safe1() you really should use HTMLPurifier to sanitize full blobs of HTML. It removes unwanted attributes, tags, and in particular anything JavaScript-ish. Yes, it is slow, but it covers all the small edge cases (even for older versions of IE) that allow safe reuse of an HTML fragment. But check out http://htmlpurifier.org/comparison for alternatives. - If you really only want to display the raw text of the user (without any HTML filtering), then htmlspecialchars(strip_tags($src)) will work fine.

safe3() screams for a regular expression. Here you can really apply a whitelist of what you actually want:

    var a = "<?php echo preg_replace('/[^-\w\d .,]/', "", $xss)?>";

You can, of course, use json_encode here to get perfectly valid JS syntax and a valid variable. But then you just defer the exploitability of this line to the places in your JS code where you then have to watch for it.


Is it safe in all browsers (in particular, IE6)?

If you explicitly specify the encoding, then IE will not do its terrible content-detection magic, so UTF-7 exploits can be ignored.

+4

See http://php.net/htmlentities, in particular the section on the optional third parameter, which takes a character encoding. You should use this instead of mb_convert_encoding. As long as the PHP file itself is saved in UTF-8 encoding, this should work.

 htmlentities($s, ENT_COMPAT, 'UTF-8'); 

As for injecting a variable directly into JavaScript, you might consider putting the content in a hidden HTML element somewhere else on the page and pulling the content from the DOM when you need it.

The sanitizers you mention are used when you want to actually display the HTML that the user submitted (that is, allow the browser to actually render it). Using htmlentities will encode everything so that the characters display in the UI, but none of the actual code will be interpreted by the browser. What are you aiming for?

+3
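As an added example (not code from the question or from either answer), the following shows one encoder per output context for the four slots in the question, covering the points raised by both answers: htmlspecialchars() with an explicit charset for the HTML body and attribute slots, json_encode() with the JSON_HEX_* flags for the inline JavaScript slot, and a whitelist rather than an encoder for the CSS slot. The function names safe1() to safe4() are the question's; toValidUtf8() and renderPage() are helpers introduced here. It assumes PHP 5.4 or later, a page stored and served as UTF-8, and that every template attribute receiving untrusted data is double-quoted.

```php
<?php
// Added example (not code from the question or either answer): one encoder per
// output context for the four slots in the question. Assumptions: PHP 5.4 or
// later, the page is stored and served as UTF-8, and every template attribute
// that receives untrusted data is double-quoted.
declare(strict_types=1);

// Drop byte sequences that are not valid UTF-8 so the encoders below operate on
// well-formed text and a browser has no malformed bytes to re-interpret.
function toValidUtf8(string $s): string
{
    return mb_convert_encoding($s, 'UTF-8', 'UTF-8');
}

// safe1: untrusted text as an element body, e.g. <body>...</body>.
// ENT_SUBSTITUTE (PHP 5.4+) replaces any remaining invalid code unit with U+FFFD
// instead of making htmlspecialchars() return an empty string.
function safe1(string $s): string
{
    return htmlspecialchars(toValidUtf8($s), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// safe2: untrusted text inside a double-quoted attribute value. The same
// encoder is enough only because the template quotes the attribute; an
// unquoted attribute would end at the first space regardless of encoding.
function safe2(string $s): string
{
    return htmlspecialchars(toValidUtf8($s), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// safe3: untrusted text as a JavaScript string literal inside an inline
// <script>. json_encode() emits the surrounding quotes and all escaping, and
// the JSON_HEX_* flags turn < > & ' " into \uXXXX so the HTML parser can never
// see a "</script>" inside the literal. Note the template must therefore NOT
// add its own quotes:  var a = <?php echo safe3($x) ?>;
function safe3(string $s): string
{
    $json = json_encode(toValidUtf8($s),
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    return $json === false ? '""' : $json;
}

// safe4: untrusted text as a CSS length value. No escaping makes an arbitrary
// string safe inside a style sheet, so the only sound option is a strict
// whitelist of the values the property can legitimately take, with a fallback.
function safe4(string $s): string
{
    $s = trim($s);
    if (preg_match('/^(?:\d{1,4}(?:\.\d{1,2})?(?:px|em|rem|%|vw|vh)|auto)$/', $s)) {
        return $s;
    }
    return 'auto';
}

// A template using all four slots. Declaring the charset both in the HTTP
// header and in <meta> is what keeps IE from sniffing the page as UTF-7.
function renderPage(string $xss): string
{
    if (!headers_sent()) {
        header('Content-Type: text/html; charset=UTF-8');
    }
    return "<!DOCTYPE html>\n<html><head><meta charset=\"utf-8\">\n"
        . "<style type=\"text/css\">.myclass { width: " . safe4($xss) . " }</style>\n"
        . "<script type=\"text/javascript\">var a = " . safe3($xss) . ";</script>\n"
        . "</head>\n"
        . "<body id=\"" . safe2($xss) . "\">" . safe1($xss) . "</body></html>\n";
}

// Constructed payloads, one aimed at each of the four contexts.
$payloads = [
    '<img src=x onerror=alert(1)>',            // element body
    '" onload="alert(1)',                      // attribute value
    '</script><script>alert(1)</script>',      // JS string literal
    '1px} body{background:url(javascript:1)',  // CSS value
];

foreach ($payloads as $p) {
    echo renderPage($p), "\n";
}
```

Run from the command line, each payload renders as inert text: `<` becomes `&lt;` in the body and attribute slots, the closing-tag payload becomes the JS literal `"\u003C\/script\u003E..."` so the HTML parser never sees a real `</script>`, and the CSS payload fails the whitelist and falls back to `auto`. htmlspecialchars() is used rather than htmlentities() because on a UTF-8 page only the five HTML-significant characters need encoding; htmlentities() additionally turns every character with a named entity into that entity, which is harmless but unnecessary.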
