Skip to content

Instantly share code, notes, and snippets.

@soaj1664
Created October 6, 2014 13:12
Show Gist options
  • Save soaj1664/1c40e52c7a8f78981623 to your computer and use it in GitHub Desktop.
Save soaj1664/1c40e52c7a8f78981623 to your computer and use it in GitHub Desktop.
StyleContextCleaner Function
<!--
/**
* XSS protection function for style context only
* @usecases
* @double quoted case e.g.,
* <span style="use this function if output reflects here"></span>
* @single quoted case e.g.,
* <div style='use this function if output reflects here'></div>
* OR <style>use this function if output reflects here</style>
* @description
* Sanitize/Filter meta or control characters that attacker may use to execute JavaScript e.g.,
* ( is filtered because width:expression(alert(1))
* \ is filtered because x:expre/**/ssion\28 alert\28 1\29\29 (CSS escaping)
* & is filtered in order to stop decimal + hex encoding.
* < is filtered in case developers are using <style></style> tags instead of style attribute.
* < is filtered because attacker may close the </style> tag and then execute JavaScript.
* The function allows simple styles e.g., color:red, height:100px etc.
* @author Ashar Javed
* @Link https://twitter.com/soaj1664ashar
* @demo http://xssplaygroundforfunandlearn.netai.net/final.html
*/
-->
<?php
function styleContextCleaner($input) {
$bad_chars = array("\"", "'", "(", "\\\\", "<", "&");
$safe_chars = array("&quot;", "&apos;", "&lpar;", "&bsol;", "&lt;", "&amp;");
$output = str_replace($bad_chars, $safe_chars, $input);
return stripslashes($output);
}
?>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment