Created
December 18, 2011 20:49
-
-
Save xeoncross/1494416 to your computer and use it in GitHub Desktop.
Stop dangerous HTML using different criteria for editing and display. This is a very basic example of how easy it is to encoded text so you don't have to remove dangerous stuff!
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<?php | |
// @see http://stackoverflow.com/questions/8419038/what-is-the-correct-way-to-detect-whether-string-inputs-contain-html-or-not | |
// Lets disable HTML/XML for our safety | |
//header('Content-Type: text/plain'); | |
$text_mode = false; | |
# Get the hackers Cheat Sheet | |
# $ wget http://ha.ckers.org/xssAttacks.xml | |
# or $file = 'http://ha.ckers.org/xssAttacks.xml'; //if your install supports HTTP requests | |
$file = 'xssAttacks.xml'; | |
/* | |
* Core Functions | |
*/ | |
function h($input) | |
{ | |
return htmlspecialchars($input, ENT_QUOTES, 'UTF-8'); | |
} | |
function gtlt($input) | |
{ | |
return (mb_strpos($input, '<') !== FALSE OR mb_strpos($input, '>') !== FALSE); | |
} | |
libxml_use_internal_errors(true); | |
$xml = simplexml_load_file($file); | |
$xml = json_decode(json_encode($xml)); | |
$xml = $xml->attack; | |
foreach($xml as $key => $attack) | |
{ | |
//print_r($attack); | |
if($text_mode) | |
{ | |
print "## " . $attack->name . ' (' . strip_tags($attack->browser) . ")\n\n"; | |
/* | |
* The four posible attack forms when displaying user input for editing | |
* or content. | |
*/ | |
// The "value" attribute | |
// Why anyone would not enclose attributes with quotes!? | |
print '<input value='. $attack->code . ">\n\n"; // no quotes | |
print '<input value="'. $attack->code . "\">\n\n"; // Double-quotes | |
print "<input value='". $attack->code . "'>\n\n"; // Single-quotes | |
// Raw HTML | |
print '<div>' . $attack->code . "</div>\n\n\n"; | |
/* | |
* There is also the posibility that some projects might get user input into | |
* another attribute of an HTML tag. I've yet to see this since there is no | |
* reason for it, but it could happen and isn't discussed here: | |
* | |
* <tag [attribute]="$attack->code">...</tag> | |
* <a href="$attack->code">...</a> | |
* <b onClick="$attack->code">...</b> | |
* <ul rel="$attack->code">...</ul> | |
* <div class="$attack->code">...</div> | |
* etc... | |
*/ | |
continue; | |
} | |
print "<h4>" . $key . ': ' . $attack->name . ' (' . strip_tags($attack->browser) . ")</h4>\n\n"; | |
/* | |
* Step 1: HTML | |
* | |
* HTML parsers should only run dangerous code when contained within a one | |
* (or both) of [<>]. Assuming there are no broken tags on the page before | |
* this input is displayed - we can safely show it. | |
*/ | |
// It should be safe to use this if our caculations are correct | |
if(gtlt($attack->code)) | |
{ | |
print "<p></p>\n"; | |
print '<p><b>Unsafe</b>: ' . h($attack->code) . "</p>\n"; | |
} | |
else | |
{ | |
print '<p>' . $attack->code . "</p>\n"; | |
} | |
/* | |
* Step 2: Attributes | |
* | |
* Attributes are different because the HTML parser is already running at | |
* this point and is ready to parse anything it comes accross up to the | |
* closing ">". We must do more than just HTML encode stuff at this point. | |
*/ | |
$v = $attack->code; | |
// The "value" attribute | |
print '<input value='. h($v) . ">\n\n"; // no quotes | |
print '<input value="'. h($v) . "\">\n\n"; // Double-quotes | |
print "<input value='". h($v) . "'>\n\n"; // Single-quotes | |
print "\n\n"; | |
if($key > 200) break; | |
} | |
// This is a tricky one since "javascript:" passes HTML entities just fine | |
print "<h3>Invalid Link Protocal</h3>\n\n"; | |
$v = "javascript:alert('hi')"; // See also "vbscript: ..." or "expression(..)" for IE!!! | |
print "<a href=\"$v\">Bad Link</a>\n\n"; | |
print '<input value='. h($v) . ">\n\n"; // no quotes | |
print '<input value="'. h($v) . "\">\n\n"; // Double-quotes | |
print "<input value='". h($v) . "'>\n\n"; // Single-quotes | |
print "<h1>Finished</h1>\n\n"; |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment