getParam fn and preventXSS fn
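// Namespace guard: extend PXHLR when it already exists, create it when this
// snippet is loaded on its own.
var PXHLR = PXHLR || {};

/**
 * Encode a string so it can be inserted into HTML text or a quoted attribute
 * without being interpreted as markup.
 *
 * The five HTML metacharacters (& < > " ') are replaced by entities. This
 * replaces the earlier blocklist (strip "<>", delete "script..." to end of
 * line, delete "eval(...)", delete a quoted "javascript:") which both mangled
 * legitimate text ("subscription" came back as "sub") and missed anything
 * not on the list (a bare " or ' could still close an attribute). Encoding
 * every metacharacter keeps the value intact and inert.
 *
 * Limits: the result is only safe where the browser applies entity decoding,
 * i.e. element content and double- or single-quoted attribute values. It is
 * NOT safe as a URL (href/src: "javascript:" survives encoding), inside an
 * inline script or event-handler attribute, in an unquoted attribute, or in
 * CSS; validate those against an allowlist instead. Where the value is only
 * written into the DOM, prefer textContent / setAttribute with the raw
 * string and skip string encoding altogether.
 *
 * @name PXHLR.preventXSS
 * @type Function
 * @member PXHLR
 * @param {*} str value to encode; null/undefined become "", anything else is
 *   coerced with String() (the old code threw a TypeError on non-strings
 *   because it called .replace on the argument directly)
 * @returns {String} the HTML-encoded value
 */
PXHLR.preventXSS = function (str) {
    var text = (str === null || str === undefined) ? '' : String(str);
    var entities = {
        '&': '&amp;',
        '<': '&lt;',
        '>': '&gt;',
        '"': '&quot;',
        "'": '&#39;'
    };
    // "&" is encoded as well so the output is unambiguous: an input that
    // already looks like an entity ("&lt;") is displayed literally instead
    // of being decoded by the browser.
    return text.replace(/[&<>"']/g, function (ch) {
        return entities[ch];
    });
};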
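// Namespace guard: extend PXHLR when it already exists, create it when this
// snippet is loaded on its own.
var PXHLR = PXHLR || {};

/**
 * Read a single query-string parameter from the current page URL and return
 * it HTML-encoded via PXHLR.preventXSS.
 *
 * Parsing rules (each one fixes a defect of the previous implementation):
 * - Only window.location.search is read, so a URL without "?" yields no
 *   parameters (the old code parsed the whole URL as a parameter name) and
 *   the "#fragment" is never glued onto the last value.
 * - Names and values are percent-decoded ("+" is a space) BEFORE the value
 *   is passed to PXHLR.preventXSS, so the encoder sees the real characters.
 *   Encoding an undecoded "%3Cscript%3E" would leave it untouched, and any
 *   caller that decoded the result later would get the raw markup back.
 * - A pair is split at the first "=" only, so "d=x%3Dy" keeps its whole
 *   value instead of being truncated.
 * - Repeated names keep the last occurrence, as before.
 * - Parameters are held in a prototype-less object, so names such as
 *   "length", "push", "constructor" or "__proto__" can no longer hit
 *   properties inherited from Array/Object and return a number or function
 *   (which then crashed inside preventXSS).
 * - A value that is not valid percent-encoding is kept undecoded rather than
 *   throwing a URIError.
 *
 * @name PXHLR.getParam
 * @type Function
 * @member PXHLR
 * @requires PXHLR.preventXSS
 * @param {String} param parameter name, matched against the decoded names
 * @returns {String} the encoded value, or "" when the parameter is absent,
 *   has no "=" or has an empty value
 */
PXHLR.getParam = function (param) {
    // Percent-decode one query component. Returns the input unchanged when
    // it is not valid encoding so a malformed URL cannot crash the caller.
    function decodeComponent(text) {
        try {
            return decodeURIComponent(text.replace(/\+/g, ' '));
        } catch (err) {
            return text;
        }
    }

    var query = String(window.location.search || '');
    if (query.charAt(0) === '?') {
        query = query.slice(1);
    }
    var params = Object.create(null);
    var pairs = (query === '') ? [] : query.split('&');
    for (var i = 0; i < pairs.length; i++) {
        var pair = pairs[i];
        if (pair === '') {
            continue;
        }
        var eq = pair.indexOf('=');
        var name = decodeComponent(eq === -1 ? pair : pair.slice(0, eq));
        // A name with no "=" stores undefined, which the guard below maps to "".
        params[name] = (eq === -1) ? undefined : decodeComponent(pair.slice(eq + 1));
    }

    var value = params[param];
    if (!value) {
        return '';
    }
    return PXHLR.preventXSS(value);
};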
/* example use
// Stub out logging unless the URL carries a non-empty "log" parameter
// (e.g. ?log=1): getParam returns '' when the parameter is absent or empty.
if (PXHLR.getParam('log') === '') {
    window.log = function () { return false; };
}
*/