XSS filtering function in PHP

Question

Does anyone know of a good function out there for filtering generic input from forms? Zend_Filter_Input seems to require prior knowledge of the contents of the input, and I'm concerned that using something like HTML Purifier will have a big performance impact. What about something like http://snipplr.com/view/1848/php--sacar-xss ? Many thanks for any input.

User · Answer

The best and most secure way is to use HTML Purifier. Follow this link for some hints on using it with Zend Framework: HTML Purifier with Zend Framework.

User · Answer

There are a number of ways attackers carry out XSS attacks, and PHP's built-in functions do not cover all of them. Hence, functions such as strip_tags, filter_var, mysql_real_escape_string, htmlentities, htmlspecialchars, etc. do not protect us 100%. You need a better mechanism. Here is a solution:

    function xss_clean($data)
    {
        // Fix &entity\n;
        $data = str_replace(array('&amp;', '&lt;', '&gt;'), array('&amp;amp;', '&amp;lt;', '&amp;gt;'), $data);
        $data = preg_replace('/(&#*\w+)[\x00-\x20]+;/u', '$1;', $data);
        $data = preg_replace('/(&#x*[0-9A-F]+);*/iu', '$1;', $data);
        $data = html_entity_decode($data, ENT_COMPAT, 'UTF-8');

        // Remove any attribute starting with "on" or xmlns
        $data = preg_replace('#(<[^>]+?[\x00-\x20"\'])(?:on|xmlns)[^>]*+>#iu', '$1>', $data);

        // Remove javascript: and vbscript: protocols
        $data = preg_replace('#([a-z]*)[\x00-\x20]*=[\x00-\x20]*([`\'"]*)[\x00-\x20]*j[\x00-\x20]*a[\x00-\x20]*v[\x00-\x20]*a[\x00-\x20]*s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:#iu', '$1=$2nojavascript...', $data);
        $data = preg_replace('#([a-z]*)[\x00-\x20]*=([\'"]*)[\x00-\x20]*v[\x00-\x20]*b[\x00-\x20]*s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:#iu', '$1=$2novbscript...', $data);
        $data = preg_replace('#([a-z]*)[\x00-\x20]*=([\'"]*)[\x00-\x20]*-moz-binding[\x00-\x20]*:#u', '$1=$2nomozbinding...', $data);

        // Only works in IE: <span style="width: expression(alert('Ping!'));"></span>
        $data = preg_replace('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?expression[\x00-\x20]*\([^>]*+>#i', '$1>', $data);
        $data = preg_replace('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?behaviour[\x00-\x20]*\([^>]*+>#i', '$1>', $data);
        $data = preg_replace('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:*[^>]*+>#iu', '$1>', $data);

        // Remove namespaced elements (we do not need them)
        $data = preg_replace('#</*\w+:\w[^>]*+>#i', '', $data);

        do {
            // Remove really unwanted tags; repeat until nothing changes
            $old_data = $data;
            $data = preg_replace('#</*(?:applet|b(?:ase|gsound|link)|embed|frame(?:set)?|i(?:frame|layer)|l(?:ayer|ink)|meta|object|s(?:cript|tyle)|title|xml)[^>]*+>#i', '', $data);
        } while ($old_data !== $data);

        // We are done
        return $data;
    }

User · Answer

I collected most of the issues I could find on the web and combined them into a step-by-step filter that covers all of them. After some testing, it seems to work perfectly.

Total XSS preventer class by Full-R  final class xCleaner  public static function clean  string  html    string  return self  cleanXSS  preg replace  s  lt iframe   gt     gt     lt   iframe gt  s  si  s  lt style   gt     gt     lt   style gt  s  si  s  lt script   gt     gt     lt   script gt  s  si  son w   quot    quot    quot  html  protected static function hexToSymbols  string  s    string  return html entity decode  s  ENT XML1   UTF-8  protected static function escape  string  s  string  m    attr     string  preg match all   data  w     a-zA-Z    base64  quot     mi    s   b64  PREG OFFSET CAPTURE  if  count  array filter   b64      gt  0  switch   m  case  attr  xclean   self  cleanXSS  urldecode  base64 decode  b64  2    0    0  break  case  tag  xclean   self  cleanTagInnerXSS  urldecode  base64 decode  b64  2    0    0
                                             break                              return substr replace                    s                            base64 encode   xclean                      b64  2    0    1                     strlen   b64  2    0    0                                        else                return  s                         protected static function cleanXSS  string  s    string               base64 injection prevention          st   self  escape   s   attr              return preg replace                       JSON unicode                       u     a-f0-9  4       mi                                                                          1  unicode JSON clean                     Data b64 safe                      w    mi                                                                                                  2  unicode simple clean                     Malware payloads                     e  s  x  s  p  s  r  s  e  s  s  s  s  s  i  s  o  s  n  s           w  mi          3     expression  evalution                   l  s  i  s  v  s  e  s  s  s  c  s  r  s  i  s  p  s  t  s           w  mi               4    livescript   evalution                   j  s  s  s  c  s  r  s  i  s  p  s  t  s           w  mi                                       5    jscript   evalution                   j  s  a  s  v  s  a  s  s  s  c  s  r  s  i  s  p  s  t  s           w  mi             6    javascript   evalution                   b  s  e  s  h  s  a  s  v  s  i  s  o  s  r  s           w  mi                           7    behavior   evalution                   v  s  b  s  s  s  c  s  r  s  i  s  p  s  t  s           w  mi                            8    vsbscript   evalution                   v  s  b  s  s  s           w  mi                                                                    9    vbs   evalution                   e  s  c  s  m  s  a  s  s  s  c  s  r  s  i  s  p  s  t          w  mi              10   ecmascript   possible ES 
evalution                   b  s  i  s  n  s  d  s  i  s  n  s  g          w  mi                                       11   -binding  payload                       v 8 9         mi                                                                                12   UTF-7 mutation                      Some entities                    amp   w   w  mi                                                                                         13  html entites clenup                    amp   d    m                                                                                            14  html entites clenup                     Script tag encoding mutation issue                          w     w  mi                                                                               21  mutation KOI-8                     ADw-    w   AD4- w  mi                                                               22  mutation old encodings                         00     m                       base64 escaped                         mi                                                                                             23  base64 escaped marker cleanup                                              Replacements steps    23                amp  x 1                                                                                      str ireplace                      u0     amp colon      amp tab      amp newline                        0                                 U-HEX prepare step             self  hexToSymbols   st                            Also you can add Tidy markup correction to make HTML valid

User · Answer

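According to www.mcafeesecure.com, a general solution for a site vulnerable to cross-site scripting (XSS) can be the following filter function:

    function xss_cleaner($input_str)
    {
        // Replace markup-significant characters with HTML entities
        $return_str = str_replace(
            array('<', '>', "'", '"', ')', '('),
            array('&lt;', '&gt;', '&apos;', '&#x22;', '&#x29;', '&#x28;'),
            $input_str
        );
        // Drop URL-encoded opening script tags
        $return_str = str_ireplace('%3Cscript', '', $return_str);
        return $return_str;
    }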

User · Answer

Simple way? Use strip_tags():

    $str = strip_tags($input);

You can also use filter_var() for that:

    $str = filter_var($input, FILTER_SANITIZE_STRING);

The advantage of filter_var() is that you can control the behaviour by, for example, stripping or encoding low and high characters. Here is a list of sanitizing filters.
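A minimal sketch of the two calls above, with a made-up sample input. Because FILTER_SANITIZE_STRING is deprecated as of PHP 8.1, the sketch assumes FILTER_UNSAFE_RAW combined with FILTER_FLAG_STRIP_LOW to illustrate the "low characters" control; that substitution is mine, not the answer's.

```php
<?php
// Sample input (hypothetical): markup plus a control character (0x01).
$input = "<b>Hello</b>\x01 <script>alert(1)</script>";

// strip_tags() removes the tags but keeps the text between them.
$noTags = strip_tags($input);

// FILTER_FLAG_STRIP_LOW drops characters with an ASCII value below 32.
$clean = filter_var($noTags, FILTER_UNSAFE_RAW, FILTER_FLAG_STRIP_LOW);

echo $clean, PHP_EOL;
```

Note that the text inside the script element survives; only the tags themselves are removed, so the result still needs escaping when it is printed into HTML.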

User · Answer

All the above methods don't allow you to preserve some tags like <a>, <table>, etc. There is an ultimate solution: http://sourceforge.net/projects/kses. Drupal uses it.
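For context, strip_tags() does accept a list of tags to keep, but it leaves the attributes of those tags untouched, which is presumably why a dedicated allowlist filter is suggested here. A small sketch with a made-up input:

```php
<?php
// Hypothetical user input: a link with an inline event handler.
$input = '<a href="#" onclick="alert(1)">click</a><script>alert(2)</script>';

// Keep only <a>; every other tag is removed (its text content stays).
$kept = strip_tags($input, '<a>');

echo $kept, PHP_EOL;
```

The onclick handler is still present in the output, so allowing tags this way is not enough on its own; attributes have to be filtered too.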

User · Answer

Try using xss_clean($data) to clean XSS, for example on: "><script>alert(String.fromCharCode(74,111,104,116,111,32,82,111,98,98,105,101))</script>

User · Answer

I have a similar problem. I need users to submit HTML content to a profile page with a great WYSIWYG editor (Redactorjs!). I wrote the following function to clean the submitted HTML:

    <?php
    function filterxss($str)
    {
        // Initialize DOM
        $dom = new DOMDocument();
        // Load content and add UTF-8 hint
        $dom->loadHTML('<meta http-equiv="content-type" content="text/html; charset=utf-8">' . $str);
        // Array holds allowed attributes and validation rules
        $check = array(
            'src'  => '#(http://[^\s]+(?=\.(jpe?g|png|gif)))#i',
            'href' => '|^http(s)?://[a-z0-9-]+(.[a-z0-9-]+)*(:[0-9]+)?(/.*)?$|i',
        );
        // Loop over all elements
        foreach ($dom->getElementsByTagName('*') as $node) {
            // Walk the attributes backwards so removals do not shift the index
            for ($i = $node->attributes->length - 1; $i >= 0; $i--) {
                // Get the attribute
                $attribute = $node->attributes->item($i);
                // Check if the attribute is allowed
                if (in_array($attribute->name, array_keys($check))) {
                    // Validate by regex
                    if (!preg_match($check[$attribute->name], $attribute->value)) {
                        // No match? Remove the attribute
                        $node->removeAttributeNode($attribute);
                    }
                } else {
                    // Not allowed? Remove the attribute
                    $node->removeAttributeNode($attribute);
                }
            }
        }
        var_dump($dom->saveHTML());
    }
    ?>

The $check array holds all the allowed attributes and validation rules. Maybe this is useful for some of you. I haven't tested it yet, so tips are welcome.

User · Answer

htmlspecialchars() is perfectly adequate for filtering user input that is displayed in HTML forms.
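A minimal sketch of that approach, assuming the value is echoed into a quoted attribute of a form field. The helper name e() and the sample value are made up for illustration.

```php
<?php
// Hypothetical helper: escape a value for HTML text or a quoted attribute.
function e(string $value): string
{
    // ENT_QUOTES also escapes single quotes; the charset is stated explicitly.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$name = '"><script>alert(1)</script>';
$field = '<input type="text" name="name" value="' . e($name) . '">';

echo $field, PHP_EOL;
```

This covers values placed in element text or quoted attributes. Values written into script blocks, style attributes, or URLs need different handling.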

User · Answer

    function clean($data)
    {
        // Decode URL-encoded input first so encoded markup is caught as well
        $data = rawurldecode($data);
        return filter_var($data, FILTER_SANITIZE_SPECIAL_CHARS);
    }
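A short sketch of what those two calls do to a URL-encoded payload. The sample string is made up; the calls are the same ones the function above relies on.

```php
<?php
// URL-encoded payload, as it might appear in a raw query string (sample data).
$raw = '%3Cscript%3Ealert(1)%3C%2Fscript%3E';

// Step 1: decode the percent-escapes back into literal characters.
$decoded = rawurldecode($raw);

// Step 2: HTML-encode ' " < > & and characters below ASCII 32.
$safe = filter_var($decoded, FILTER_SANITIZE_SPECIAL_CHARS);

echo $safe, PHP_EOL;
```

Keep in mind that PHP has already URL-decoded the values in $_GET, so the extra rawurldecode() step only matters for data that arrives still encoded.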

User · Answer

I found a solution for my problem with posts containing German umlauts. To keep the filter from completely wiping out (killing) the posts, I encode the incoming data:

    $data = utf8_encode($data);

    // ... filter function ...

And at last I decode the output to get the correct characters back:

    $data = utf8_decode($data);

Now the posts go through the filter function and I get a correct result.
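The answer does not say which filter wiped the posts. One plausible cause, shown here purely as an assumption, is a UTF-8-aware function receiving ISO-8859-1 bytes: htmlspecialchars() returns an empty string on invalid UTF-8 unless ENT_SUBSTITUTE or ENT_IGNORE is set. Since utf8_encode() is deprecated as of PHP 8.2, the sketch uses iconv() for the same ISO-8859-1 to UTF-8 conversion.

```php
<?php
// "Müller" encoded as ISO-8859-1: the umlaut is the single byte 0xFC.
$latin1 = "M\xFCller";

// Read as UTF-8, the lone 0xFC byte is invalid, so the result is empty.
$lost = htmlspecialchars($latin1, ENT_QUOTES, 'UTF-8');

// Convert to UTF-8 first, then escape: the umlaut survives.
$utf8 = iconv('ISO-8859-1', 'UTF-8', $latin1);
$kept = htmlspecialchars($utf8, ENT_QUOTES, 'UTF-8');

var_dump($lost, $kept);
```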
