How to fix Cross site scripting or XSS

I am studying some vulnerabilities that I found on a site I made and came across the possibility of an attacker sending malicious code. From what I read, and hence my question here, I just need to fix my script with code similar to this:

Application with vulnerability:

$busca = $_GET["busca"];

Application without vulnerability:

$busca = htmlspecialchars($_GET["busca"]);

With only this change, is it possible to eliminate the possibility of attack via Cross-site scripting (XSS)?

Author: adventistapr, 2017-04-12

4 answers

Good afternoon,

Using htmlspecialchars will not stop sophisticated XSS attacks. I advise using this Anti-XSS class, which is more specific:

<?php

class AntiXSS {
    public static $err = "XSS Detected!";

    /*
     * @function   : setEncoding
     * @return     : String
     * @parameters : str: Content whose character encoding you want to change
     *               newEncoding: Character encoding you want to set
     * @description: Convert the character encoding of the string
     *               to newEncoding from currentEncoding. currentEncoding
     *               is detected by the function, so you only need to give str
     *               and newEncoding to setEncoding.
     */
    public static function setEncoding($str, $newEncoding) {
        $encodingList = mb_list_encodings();
        // mb_detect_encoding() returns false when nothing in the list matches;
        // fall back to UTF-8 instead of passing false on to mb_convert_encoding().
        $currentEncoding = mb_detect_encoding($str, $encodingList, true);
        if ($currentEncoding === false) {
            $currentEncoding = 'UTF-8';
        }
        $changeEncoding = mb_convert_encoding($str, $newEncoding, $currentEncoding);

        return $changeEncoding;
    }

    /*
     * @function   : blacklistFilter
     * @return     : String
     * @parameters : str: Content you want to filter with the blacklist
     * @description: Filter the content by the blacklist method. The library
     *               uses RSnake's XSS attack vectors. I am continuing to
     *               research new attack vectors to add.
     */
    public static function blacklistFilter($str) {
        // A match means a <script ...> style tag is present: reject the content
        // and return the error marker; otherwise pass the content through.
        if (preg_match("/<(.*)s(.*)c(.*)r(.*)i(.*)p(.*)t(.*)>(.*)/i", $str) > 0) {
            return self::$err;
        } else {
            return $str;
        }
    }

    /*
     * @function   : whitelistFilter
     * @return     : String
     * @parameters : str: Content you want to filter with the whitelist
     *               whiteFilterPattern: Some patterns for filtering the
     *               data types.
     * @description: Filter the content by the whitelist method. I am
     *               continuing to research new data types to add.
     */
    public static function whitelistFilter($str, $whiteFilterPattern) {

        switch ($whiteFilterPattern) {
            case "string":
                $pattern = "([a-zA-Z]+)";
            break;
            case "number":
                $pattern = "([0-9]+)";
            break;
            case "everything":
                $pattern = "(.*)";
            break;
            default:
                $pattern = "([0-9a-zA-Z]+)";
            break;
        }

        // The whole string, from ^ to $, must match the chosen pattern.
        if (preg_match("/^$pattern$/i", $str) > 0) {
            return $str;
        } else {
            return self::$err;
        }
    }

    /*
     * @function   : setFilter
     * @return     : String
     * @parameters : str: Content you want to filter
     *               filterMethod: The library has 3 methods.
     *                  -Black Method
     *                  -White Method
     *                  -Gray Method
     *               filterPattern: Some patterns for filtering the
     *               data types. (You can only use this with the whitelist filter)
     *               noHTMLTag: Use PHP's strip_tags function to
     *               remove HTML tags from the content.
     * @description: Filter the content by method.
     */
    public static function setFilter($str, $filterMethod, $filterPattern = NULL, $noHTMLTag = NULL) {

        // Decode percent-encoding so the filters see the real characters
        // (e.g. %3C becomes <).
        $str = urldecode((string) $str);

        if ($noHTMLTag == 1) {
            $str = strip_tags($str);
        }

        $str = strtolower(trim($str));

        // Run the chosen filter on the decoded text, before any HTML encoding,
        // so that the blacklist pattern can still see a literal '<'.
        switch ($filterMethod) {
            case "black":
                $str = self::blacklistFilter($str);
            break;
            case "white":
                $str = self::whitelistFilter($str, $filterPattern);
            break;
            default:
            break;
        }

        // addslashes() backslash-escapes quotes (an SQL-style escape, not an
        // HTML one); htmlspecialchars() with ENT_QUOTES then encodes & < > " '
        // so the result is safe to write into an HTML text node or attribute.
        $str = addslashes($str);
        $str = htmlspecialchars($str, ENT_QUOTES, 'UTF-8');

        return $str;
    }
}
?>

I hope I helped.

 5
Author: P1xM4, 2017-05-31 19:12:18
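As an added example (not code from the question or from P1xM4's answer), the following PHP shows why the answer to "is this one change enough?" depends on where $busca is written into the page and on the flags given to htmlspecialchars(); the helper names eHtml, eJs and eUrlParam and the sample input are constructed for this illustration.

```php
<?php
// Added example, not code from the question or from P1xM4's answer: the
// value from $_GET["busca"] needs a different encoder for each context it
// lands in, and the flags passed to htmlspecialchars() matter.
// Constructed input containing every character the encoders care about.
$busca = "O'Neil & <b>\"amigos\"</b>\nnext line";

// HTML text and quoted-attribute context. ENT_QUOTES also encodes the single
// quote, which the pre-8.1 default (ENT_COMPAT) leaves untouched.
function eHtml(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// JavaScript string context: HTML encoding is the wrong tool here. Emit a
// JSON literal with < > & ' " hex-escaped, so "</script>" can never appear.
function eJs(string $s): string {
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS
        | JSON_HEX_QUOT | JSON_UNESCAPED_UNICODE | JSON_INVALID_UTF8_SUBSTITUTE);
}

// URL query context inside an href attribute: percent-encode the parameter
// first, then HTML-encode because it sits inside an attribute.
function eUrlParam(string $s): string {
    return eHtml(rawurlencode($s));
}

// Does the output still contain a raw single quote? Inside a single-quoted
// attribute (value='...') that quote would end the attribute.
function leavesSingleQuote(string $s): bool {
    return strpos($s, "'") !== false;
}

$defaultFlags = htmlspecialchars($busca);   // default flags changed in PHP 8.1
printf("default flags leave ' : %s\n", leavesSingleQuote($defaultFlags) ? 'yes' : 'no');
printf("ENT_QUOTES leaves '   : %s\n", leavesSingleQuote(eHtml($busca)) ? 'yes' : 'no');

// The same value rendered in four places of one page, each with its encoder.
echo "<p>Resultados para: " . eHtml($busca) . "</p>\n";
echo "<input type=\"search\" name=\"busca\" value=\"" . eHtml($busca) . "\">\n";
echo "<a href=\"/?busca=" . eUrlParam($busca) . "\">repetir</a>\n";
echo "<script>var busca = " . eJs($busca) . ";</script>\n";
```

On PHP older than 8.1 the first printf reports "yes", because the default flags do not encode the single quote; the ENT_QUOTES line reports "no" on every version.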

Just remove certain characters, such as &, ', ", and /. Create some kind of filter that uses a regex to do that.

// Pattern as posted, written as a PHP regex string.
$xss = '/[&"\'*]/';

Have a look at W3Schools on how to use regex: https://www.w3schools.com/php/php_regex.asp

The example below has a solution using JavaScript. I used this code in React (frontend); the filter was applied as soon as the user typed something. Just do not forget to put the filter on the backend as well.

// Removes every character in the class; the g flag makes replace() drop all
// occurrences instead of only the first one.
export const htmlPurify = (value = '') => {
  const regex = /[!@#$%^&<>"'¨*]/g;
  return value.replace(regex, '');
};
 2
Author: Max, 2020-11-09 21:37:47

There is an option that is not as sophisticated as P1xM4's, but filter_var is also an alternative:

$busca = htmlspecialchars($_GET["busca"]);
// FILTER_SANITIZE_NUMBER_STRING is not a filter constant defined by PHP;
// FILTER_SANITIZE_FULL_SPECIAL_CHARS (htmlspecialchars with ENT_QUOTES) is
// assumed to be the intended filter.
$strBusca = filter_var($busca, FILTER_SANITIZE_FULL_SPECIAL_CHARS);
 1
Author: Diego Andrade, 2017-05-31 19:16:35
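As an added example (not code from Max's or Diego Andrade's answers), this PHP compares what character stripping, filter_var() and output encoding each do to ordinary search terms; the input list and the helper names are constructed for this illustration.

```php
<?php
// Added example, not code from Max's or Diego Andrade's answers: what the
// strip-characters approach, the filter_var approach and plain output
// encoding each do to ordinary, legitimate search terms.
// Constructed inputs; each one is something a real user might type.
$inputs = ["O'Brien", "AT&T", "5 > 3 and 2 < 4", '"quoted" term', "<b>bold</b>"];

// Blacklist stripping (the regex answers): matching characters are deleted.
function stripChars(string $s): string {
    return preg_replace('/[!@#$%^&<>"\'*]/', '', $s);
}

// filter_var(): FILTER_SANITIZE_FULL_SPECIAL_CHARS is htmlspecialchars() with
// ENT_QUOTES, so it encodes instead of deleting.
function sanitizeVar(string $s): string {
    return filter_var($s, FILTER_SANITIZE_FULL_SPECIAL_CHARS);
}

// Output encoding at the point where the value is written into HTML.
function encodeHtml(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Safe as an HTML text node or quoted attribute value: no raw < > " ' and
// no bare & that is not the start of an entity.
function safeForHtmlText(string $s): bool {
    return preg_match('/[<>"\']/', $s) === 0
        && preg_match('/&(?![a-zA-Z#][a-zA-Z0-9]*;)/', $s) === 0;
}

// Data preserved: what the browser would display equals what the user typed.
function roundTrips(string $original, string $output): bool {
    return html_entity_decode($output, ENT_QUOTES | ENT_HTML5, 'UTF-8') === $original;
}

// S = safe to print, D = user data preserved, - = property lost.
printf("%-18s %-6s %-6s %-6s\n", 'input', 'strip', 'f_var', 'encode');
foreach ($inputs as $in) {
    $cells = [];
    foreach ([stripChars($in), sanitizeVar($in), encodeHtml($in)] as $out) {
        $cells[] = (safeForHtmlText($out) ? 'S' : '-') . (roundTrips($in, $out) ? 'D' : '-');
    }
    printf("%-18s %-6s %-6s %-6s\n", $in, ...$cells);
}
// Only stripping reaches "S" by destroying data: O'Brien becomes OBrien and
// AT&T becomes ATT, while the two encoders keep every character.
```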

Simply block special characters from being interpreted in the browser.

Some of them are ' and ", etc.

 -6
Author: nProtect Web Security, 2020-12-25 03:51:38