Hi Vuln-dev@,

----- Original Message -----
From: "Rohan Amin" <rohanat_private>
To: "Rob Shein" <shotenat_private>
Cc: <vuln-devat_private>
Sent: Saturday, October 12, 2002 8:48 PM
Subject: RE: CROSS SITE-SCRIPTING Protection with PHP

> I think a regular expression should do the trick:
>
> function make_clean($value) {
>     $legal_chars = "%[^0-9a-zA-Z ]%";                 // allow letters, numbers & space
>     $new_value = preg_replace($legal_chars, "", $value); // replace everything else with ""
>     return $new_value;
> }

The problem is really not simple input ranges like 0-9a-zA-Z values.
( solution: $legal_chars = "%[^0-9a-zA-Z ]%"; )

The problem is inputs for applications where we need HTML code as well as normal plain text user inputs.

But why is the htmlspecialchars($value) function not secure enough?!
( http://www.php.net/manual/en/function.htmlspecialchars.php )

After this general filter each input can go through a few different filters for each case ...
This is not a 100% solution, but should be a 99.9% filter at the end.

****** start generalfilter.inc.php ******
// Entity-encode the HTML metacharacters (&, <, >, ") of one input value.
function make_clean($value){
    $value = htmlspecialchars($value);
    return $value;
}

// Run every request, session and cookie value through make_clean() and
// expose each one as a global variable named after its key ($$key).
if (!empty($_GET)){
    foreach( $_GET as $key=>$value ) {$$key = make_clean($value);}
}
if (!empty($_POST)){
    foreach( $_POST as $key=>$value ) {$$key = make_clean($value);}
}
if (!empty($_SESSION)){
    foreach( $_SESSION as $key=>$value ) {$$key = make_clean($value);}
}
if (!empty($_COOKIE)){
    foreach( $_COOKIE as $key=>$value ) {$$key = make_clean($value);}
}
****** end generalfilter.inc.php ******

The /IV/N
http://www.astalavista.net/
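As an added example (my code, not the poster's generalfilter.inc.php and not part of PHP itself), the same htmlspecialchars() call applied at output time, once per output context, rather than to every request variable on the way in. It shows where the "general filter" idea carries and where it does not: entity encoding covers text nodes and quoted attribute values, but a URL that ends up in href or src needs a scheme check, because a "javascript:" scheme contains nothing for htmlspecialchars() to encode. The esc_html()/esc_url() names, the scheme allow-list, the '#' fallback and the sample inputs are all assumptions constructed for this example.

```php
<?php
// Added example, not code from the thread: escape at output time, per context,
// instead of rewriting every request variable on the way in.
declare(strict_types=1);

// Text nodes and quoted attribute values: entity-encode the HTML metacharacters.
// ENT_QUOTES also encodes the single quote (the default flags did not before
// PHP 8.1); ENT_SUBSTITUTE keeps invalid UTF-8 from turning the result into "".
function esc_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// href/src values: entity encoding leaves a "javascript:" scheme untouched, so
// check the scheme against an allow-list first. The '#' fallback is a
// hypothetical policy chosen for this example.
function esc_url(string $value): string
{
    $scheme = parse_url($value, PHP_URL_SCHEME);
    if ($scheme === false) {
        return '#';                                  // unparseable URL
    }
    if ($scheme !== null && !in_array(strtolower($scheme), ['http', 'https', 'mailto'], true)) {
        return '#';                                  // disallowed scheme
    }
    return esc_html($value);                         // relative or allowed-scheme URL
}

// Render one fragment for each output context and return them for inspection.
function render(string $text, string $url): array
{
    return [
        'text'      => '<p>' . esc_html($text) . '</p>',
        'attribute' => '<input value="' . esc_html($text) . '">',
        'link'      => '<a href="' . esc_url($url) . '">link</a>',
    ];
}

// Constructed sample inputs for this example (not taken from the thread).
$samples = [
    ['hello world',   'https://example.com/'],
    ['<b>bold</b>',   '/relative/path?a=1&b=2'],
    ["O'Reilly",      'javascript:void(0)'],
    ['say "hi"',      'MAILTO:someone@example.com'],
];

foreach ($samples as [$text, $url]) {
    foreach (render($text, $url) as $context => $fragment) {
        printf("%-9s %s\n", $context, $fragment);
    }
    echo "\n";
}
```

Run it with `php example.php`: the first three rows show `<`, `"` and `'` arriving as `&lt;`, `&quot;` and `&#039;` in both the text and attribute contexts, while the third row's link is replaced by `#` because the scheme is not on the allow-list. The design point is that the encoding is chosen by where the value is written, which a single filter over $_GET/$_POST cannot know; keeping the stored value unmodified also means a value that is later sent somewhere other than an HTML page (a log, a database, a mail header) is not carrying HTML entities it never needed.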
This archive was generated by hypermail 2b30 : Mon Oct 14 2002 - 10:22:20 PDT