StyleContextCleaner Function

gistfile1.txt

<!--
/**
 * XSS protection function for style context only
 * @usecases
 * @double quoted case e.g.,
 * <span style="use this function if output reflects here"></span>
 * @single quoted case e.g.,
 * <div style='use this function if output reflects here'></div>
 * OR <style>use this function if output reflects here</style>
 * @description
 * Sanitize/Filter meta or control characters that attacker may use to execute JavaScript e.g.,
 * ( is filtered because width:expression(alert(1))
 * \ is filtered because x:expre/**/ssion\28 alert\28 1\29\29 (CSS escaping)
 * & is filtered in order to stop decimal + hex encoding.
 * < is filtered in case developers are using <style></style> tags instead of style attribute.
 * < is filtered because attacker may close the </style> tag and then execute JavaScript.
 * The function allows simple styles e.g., color:red, height:100px etc.
 * @author Ashar Javed
 * @Link https://twitter.com/soaj1664ashar
 * @demo http://xssplaygroundforfunandlearn.netai.net/final.html
 */
-->

<?php
function styleContextCleaner($input) {

  $bad_chars = array("\"", "'", "(", "\\\\", "<", "&");
   
  $safe_chars = array("&quot;", "&apos;", "&lpar;", "&bsol;", "&lt;", "&amp;");

  $output = str_replace($bad_chars, $safe_chars, $input);

  return stripslashes($output);             	
}
?>