PHP Sanitization + XSS

From: ANT_THOMAS, 23 Jan 2012 13:59
To: ALL (1 of 5)

I've made a little page to stick some values in and generate a result based on the input.

I'd like to sanitize the input by preventing/removing certain characters and prevent XSS attacks.

Any easy guides?

From: Matt, 23 Jan 2012 14:34
To: ANT_THOMAS (2 of 5)
Unless you need it unescaped, escape all user input that you use. You can accomplish most of this using htmlentities().
From: Peter (BOUGHTONP), 23 Jan 2012 14:59
To: ANT_THOMAS (3 of 5)
^ that's the sledgehammer approach - seems to work but not the best solution.

Look for the PHP implementation of the OWASP ESAPI library, which has context specific functions (e.g. encodeForHtml, encodeForSQL, encodeForUrl, etc) which allow you to perform the correct escapes for where you are using the data.
From: ANT_THOMAS, 23 Jan 2012 15:11
To: ALL (4 of 5)

Thanks!

I think I'll try the sledgehammer approach first.

It really is very basic, but since it's going to be open to the public (and already posted on a public forum) I'd like it to be reasonably safe. Especially since I've been checking my access.log for Apache lately and there are a number of requests for certain config files that do exist on one of my servers, but are not accessible via the web server. Basically people trying to steal some usernames and passwords, but they can't get to them thankfully.

EDITED: 23 Jan 2012 15:11 by ANT_THOMAS
From: Peter (BOUGHTONP), 23 Jan 2012 15:26
To: ANT_THOMAS (5 of 5)
Why Can't I Just HTML Entity Encode Untrusted Data?
HTML entity encoding is okay for untrusted data that you put in the body of the HTML document, such as inside a <div> tag. It even sort of works for untrusted data that goes into attributes, particularly if you're religious about using quotes around your attributes. But HTML entity encoding doesn't work if you're putting untrusted data inside a <script> tag anywhere, or an event handler attribute like onmouseover, or inside CSS, or in a URL. So even if you use an HTML entity encoding method everywhere, you are still most likely vulnerable to XSS. You MUST use the escape syntax for the part of the HTML document you're putting untrusted data into.
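To make the "one escape per context" rule concrete in plain PHP (no ESAPI), here is an added example that is not part of the thread: one helper per output context, applied to a single constructed untrusted value. The function names and the sample input are assumptions for the demo, not code from any poster.

```php
<?php
// Added example, not from the thread: context-specific output encoding in
// plain PHP, following the OWASP rule quoted above. The helper names and
// the sample value are constructed for this demo.
declare(strict_types=1);

/** HTML body text and quoted attribute values. */
function encodeForHtml(string $s): string
{
    // ENT_QUOTES also escapes ' so single-quoted attributes stay intact;
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning ''.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** One query-string value inside a URL (not a whole URL). */
function encodeForUrlParam(string $s): string
{
    return rawurlencode($s);
}

/** A value embedded in inline JavaScript, e.g. var x = <here>; */
function encodeForJs(string $s): string
{
    // json_encode() adds the quotes; the JSON_HEX_* flags turn < > & ' "
    // into \uXXXX so the value cannot close the surrounding <script> block.
    return json_encode(
        $s,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Constructed untrusted input: quotes plus a closing tag, the kind of value
// a "stick some values in, get a result" page receives via $_GET.
$name = 'O\'Brien "test" </script>';

// HTML body: entity encoding (the sledgehammer) is the right tool here.
echo '<p>Result for ' . encodeForHtml($name) . "</p>\n";

// Attribute: safe only because the attribute value is quoted.
echo '<input type="text" value="' . encodeForHtml($name) . "\">\n";

// URL parameter: URL-encode the value first, then HTML-encode the finished
// URL because it sits inside an attribute.
$link = '/result.php?name=' . encodeForUrlParam($name);
echo '<a href="' . encodeForHtml($link) . "\">Permalink</a>\n";

// Inline script: browsers do not decode entities inside <script>, so
// encodeForHtml() would both show &quot; literally and fail to neutralise
// the </script> in the input; a JS-string encoder is required instead.
echo '<script>var name = ' . encodeForJs($name) . ";</script>\n";
```

Run it with `php` on the command line and compare the four output lines: the same input is encoded four different ways, one per context.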