Skip to content

@Xeoncross /xss.encode.php
Created

Embed URL

HTTPS clone URL

Subversion checkout URL

You can clone with
or
.
Download ZIP
Stop dangerous HTML using different criteria for editing and display. This is a very basic example of how easy it is to encoded text so you don't have to remove dangerous stuff!
<?php
// @see http://stackoverflow.com/questions/8419038/what-is-the-correct-way-to-detect-whether-string-inputs-contain-html-or-not
// Lets disable HTML/XML for our safety
//header('Content-Type: text/plain');
$text_mode = false;
# Get the hackers Cheat Sheet
# $ wget http://ha.ckers.org/xssAttacks.xml
# or $file = 'http://ha.ckers.org/xssAttacks.xml'; //if your install supports HTTP requests
$file = 'xssAttacks.xml';
/*
* Core Functions
*/
function h($input)
{
return htmlspecialchars($input, ENT_QUOTES, 'UTF-8');
}
function gtlt($input)
{
return (mb_strpos($input, '<') !== FALSE OR mb_strpos($input, '>') !== FALSE);
}
libxml_use_internal_errors(true);
$xml = simplexml_load_file($file);
$xml = json_decode(json_encode($xml));
$xml = $xml->attack;
foreach($xml as $key => $attack)
{
//print_r($attack);
if($text_mode)
{
print "## " . $attack->name . ' (' . strip_tags($attack->browser) . ")\n\n";
/*
* The four posible attack forms when displaying user input for editing
* or content.
*/
// The "value" attribute
// Why anyone would not enclose attributes with quotes!?
print '<input value='. $attack->code . ">\n\n"; // no quotes
print '<input value="'. $attack->code . "\">\n\n"; // Double-quotes
print "<input value='". $attack->code . "'>\n\n"; // Single-quotes
// Raw HTML
print '<div>' . $attack->code . "</div>\n\n\n";
/*
* There is also the posibility that some projects might get user input into
* another attribute of an HTML tag. I've yet to see this since there is no
* reason for it, but it could happen and isn't discussed here:
*
* <tag [attribute]="$attack->code">...</tag>
* <a href="$attack->code">...</a>
* <b onClick="$attack->code">...</b>
* <ul rel="$attack->code">...</ul>
* <div class="$attack->code">...</div>
* etc...
*/
continue;
}
print "<h4>" . $key . ': ' . $attack->name . ' (' . strip_tags($attack->browser) . ")</h4>\n\n";
/*
* Step 1: HTML
*
* HTML parsers should only run dangerous code when contained within a one
* (or both) of [<>]. Assuming there are no broken tags on the page before
* this input is displayed - we can safely show it.
*/
// It should be safe to use this if our caculations are correct
if(gtlt($attack->code))
{
print "<p></p>\n";
print '<p><b>Unsafe</b>: ' . h($attack->code) . "</p>\n";
}
else
{
print '<p>' . $attack->code . "</p>\n";
}
/*
* Step 2: Attributes
*
* Attributes are different because the HTML parser is already running at
* this point and is ready to parse anything it comes accross up to the
* closing ">". We must do more than just HTML encode stuff at this point.
*/
$v = $attack->code;
// The "value" attribute
print '<input value='. h($v) . ">\n\n"; // no quotes
print '<input value="'. h($v) . "\">\n\n"; // Double-quotes
print "<input value='". h($v) . "'>\n\n"; // Single-quotes
print "\n\n";
if($key > 200) break;
}
// This is a tricky one since "javascript:" passes HTML entities just fine
print "<h3>Invalid Link Protocal</h3>\n\n";
$v = "javascript:alert('hi')"; // See also "vbscript: ..." or "expression(..)" for IE!!!
print "<a href=\"$v\">Bad Link</a>\n\n";
print '<input value='. h($v) . ">\n\n"; // no quotes
print '<input value="'. h($v) . "\">\n\n"; // Double-quotes
print "<input value='". h($v) . "'>\n\n"; // Single-quotes
print "<h1>Finished</h1>\n\n";
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Something went wrong with that request. Please try again.