Anti XSS Filter PHP

Page 1 of 2 (results 1 to 15 of 24)
  1. #1
    nickymonsma (Account Upgraded | Title Enabled!), Member, joined Sep 2009, The Netherlands, 232 posts

    Anti XSS Filter PHP

    PHP Code:
    <?php
    ob_start("ob_gzhandler");

    // Escape every incoming GET/POST/REQUEST value in place.
    // mysql_real_escape_string() needs an open MySQL link (and the mysql extension
    // no longer exists in PHP 7). Because htmlspecialchars() runs here, the value is
    // already HTML-encoded and must not be encoded a second time when it is output.
    foreach ($_GET as $key => $value) {
        $_GET[$key] = mysql_real_escape_string(stripslashes(trim(htmlspecialchars($value))));
    }
    foreach ($_POST as $key => $value) {
        $_POST[$key] = mysql_real_escape_string(stripslashes(trim(htmlspecialchars($value))));
    }
    foreach ($_REQUEST as $key => $value) {
        $_REQUEST[$key] = mysql_real_escape_string(stripslashes(trim(htmlspecialchars($value))));
    }

    // Blacklist filter: neutralises known tag names and event-handler attributes,
    // also when their letters are hidden behind numeric character entities.
    function RemoveXSS($val)
    {
        // Remove control characters but keep tab (0x09), LF (0x0a) and CR (0x0d).
        // No commas inside the class: they would be stripped as literal characters.
        $val = preg_replace('/[\x00-\x08\x0b\x0c\x0e-\x19]/', '', $val);

        // Decode hex and decimal entities (&#x41; / &#65;) of these printable characters,
        // so an encoded letter cannot hide a tag or event name from the checks below.
        $search = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
        $search .= '!@#$%^&*()';
        $search .= '~`";:?+/={}[]-\\_|\'';
        for ($i = 0; $i < strlen($search); $i++) {
            $val = preg_replace('/(&#[xX]0{0,8}'.dechex(ord($search[$i])).';?)/i', $search[$i], $val); // hex form
            $val = preg_replace('/(&#0{0,8}'.ord($search[$i]).';?)/', $search[$i], $val);               // decimal form
        }

        // Tag names and event-handler attributes to neutralise.
        $ra1 = array('javascript', 'vbscript', 'expression', 'applet', 'meta', 'xml', 'blink', 'link', 'style', 'script', 'embed', 'object', 'iframe', 'frame', 'frameset', 'ilayer', 'layer', 'bgsound', 'title', 'base');
        $ra2 = array('onabort', 'onactivate', 'onafterprint', 'onafterupdate', 'onbeforeactivate', 'onbeforecopy', 'onbeforecut', 'onbeforedeactivate', 'onbeforeeditfocus', 'onbeforepaste', 'onbeforeprint', 'onbeforeunload', 'onbeforeupdate', 'onblur', 'onbounce', 'oncellchange', 'onchange', 'onclick', 'oncontextmenu', 'oncontrolselect', 'oncopy', 'oncut', 'ondataavailable', 'ondatasetchanged', 'ondatasetcomplete', 'ondblclick', 'ondeactivate', 'ondrag', 'ondragend', 'ondragenter', 'ondragleave', 'ondragover', 'ondragstart', 'ondrop', 'onerror', 'onerrorupdate', 'onfilterchange', 'onfinish', 'onfocus', 'onfocusin', 'onfocusout', 'onhelp', 'onkeydown', 'onkeypress', 'onkeyup', 'onlayoutcomplete', 'onload', 'onlosecapture', 'onmousedown', 'onmouseenter', 'onmouseleave', 'onmousemove', 'onmouseout', 'onmouseover', 'onmouseup', 'onmousewheel', 'onmove', 'onmoveend', 'onmovestart', 'onpaste', 'onpropertychange', 'onreadystatechange', 'onreset', 'onresize', 'onresizeend', 'onresizestart', 'onrowenter', 'onrowexit', 'onrowsdelete', 'onrowsinserted', 'onscroll', 'onselect', 'onselectionchange', 'onselectstart', 'onstart', 'onstop', 'onsubmit', 'onunload');
        $ra = array_merge($ra1, $ra2);

        // Repeat until a full pass over $ra changes nothing.
        $found = true;
        while ($found) {
            $val_before = $val;
            for ($i = 0; $i < sizeof($ra); $i++) {
                // Match the word even when tab/LF/VT entities (hex 9, a, b; decimal 9, 10, 13)
                // are inserted between its letters.
                $pattern = '/';
                for ($j = 0; $j < strlen($ra[$i]); $j++) {
                    if ($j > 0) {
                        $pattern .= '(';
                        $pattern .= '(&#[xX]0{0,8}([9ab]);)';
                        $pattern .= '|';
                        $pattern .= '(&#0{0,8}(9|10|13);)';
                        $pattern .= ')*';
                    }
                    $pattern .= $ra[$i][$j];
                }
                $pattern .= '/i';
                // Insert <x> after the second letter so the word no longer works as a tag or handler.
                $replacement = substr($ra[$i], 0, 2).'<x>'.substr($ra[$i], 2);
                $val = preg_replace($pattern, $replacement, $val);
            }
            // Stop only when a whole pass made no replacement.
            if ($val_before == $val) {
                $found = false;
            }
        }
        return $val;
    }
    ?>


    Hope you like it :D


  2. #2
    Droppy (Evil Italian Overlowrd), Internal Coder, joined Feb 2012, /home/droppy, 2,076 posts

    Re: Anti XSS Filter PHP

    Niiiiice! 10/10.
    And security... 10000000 :P

    But an example of how to use it in a common page!

    (Sorry for my BAAD English, I am using Google Translator :P)

  3. #3
    nickymonsma (Account Upgraded | Title Enabled!), Member, joined Sep 2009, The Netherlands, 232 posts

    Re: Anti XSS Filter PHP

    Make a PHP include? It's simple.

  4. #4
    mohje (Account Upgraded | Title Enabled!), Member, joined Dec 2008, NL, 651 posts

    Re: Anti XSS Filter PHP

    Thank you, interesting ^^

  5. #5
    nickymonsma (Account Upgraded | Title Enabled!), Member, joined Sep 2009, The Netherlands, 232 posts

    Re: Anti XSS Filter PHP

    No problem, you're welcome.

  6. #6
    Kaan2106 (JustLikeMeForNoReason), Member, joined Nov 2007, 282 posts

    Re: Anti XSS Filter PHP

    And where to include it? -> index / me ..? More info please - thank you ;3

  7. #7
    Shredinator (this is title), Member, joined May 2011, 399 posts

    Re: Anti XSS Filter PHP

    Quote Originally Posted by Kaan2106:
    And where to include it? -> index / me ..? More info please - thank you ;3
    Including it isn't enough, since RemoveXSS is a function.

  8. #8
    leenster ([̲̅$̲̅(̲̅1̲̅)̲̅$ ̲̅]), Member, joined May 2008, Kanaada, 992 posts

    Re: Anti XSS Filter PHP

    Quote Originally Posted by nickymonsma:
    Make a PHP include? It's simple.
    Maybe I am missing something, but simply including this will only filter the GETs and POSTs.

    The function RemoveXSS($val) will just sit there and do nothing...


    you need to add a call to that function.

    Quote Originally Posted by Shredinator:
    Including it isn't enough, since RemoveXSS is a function.
    I guess we started typing at the same time :)


    Anyways, you (OP) better fix it before people start using it and think they are all safe now..

    Something like this is how it should be used...

    PHP Code:
    //UNTESTED//
    $_SERVER['REQUEST_URI'] = RemoveXSS($_SERVER['REQUEST_URI']);


    So simply including it is no good...
    Last edited by leenster; 12-03-12 at 10:19 PM.

  9. #9
    nickymonsma (Account Upgraded | Title Enabled!), Member, joined Sep 2009, The Netherlands, 232 posts

    Re: Anti XSS Filter PHP

    Quote Originally Posted by leenster:
    Maybe I am missing something, but simply including this will only filter the GETs and POSTs.

    The function RemoveXSS($val) will just sit there and do nothing...

    you need to add a call to that function.

    I guess we started typing at the same time :)

    Anyways, you (OP) better fix it before people start using it and think they are all safe now..

    Something like this is how it should be used...

    PHP Code:
    //UNTESTED//
    $_SERVER['REQUEST_URI'] = RemoveXSS($_SERVER['REQUEST_URI']);

    So simply including it is no good...

    Oh Thanks :P

  10. #10
    leenster ([̲̅$̲̅(̲̅1̲̅)̲̅$ ̲̅]), Member, joined May 2008, Kanaada, 992 posts

    Re: Anti XSS Filter PHP

    It is a TYPO3 script that he has edited.

  11. #11
    pepijndut (I am Nobody.), Member, joined Oct 2009, 328 posts

    Re: Anti XSS Filter PHP

    I don't know what XSS is precisely (I know it's something with security) but I think you can better do this
    PHP Code:
    <?php
    ob_start("ob_gzhandler");

    // Escape every incoming GET/POST/REQUEST value and run it through RemoveXSS().
    // RemoveXSS() is declared further down; PHP hoists unconditional function
    // declarations in a file, so calling it here works. mysql_real_escape_string()
    // needs an open MySQL link (and the mysql extension no longer exists in PHP 7).
    foreach ($_GET as $key => $value) {
        $_GET[$key] = RemoveXSS(mysql_real_escape_string(stripslashes(trim(htmlspecialchars($value)))));
    }
    foreach ($_POST as $key => $value) {
        $_POST[$key] = RemoveXSS(mysql_real_escape_string(stripslashes(trim(htmlspecialchars($value)))));
    }
    foreach ($_REQUEST as $key => $value) {
        $_REQUEST[$key] = RemoveXSS(mysql_real_escape_string(stripslashes(trim(htmlspecialchars($value)))));
    }

    // Blacklist filter: neutralises known tag names and event-handler attributes,
    // also when their letters are hidden behind numeric character entities.
    function RemoveXSS($val)
    {
        // Remove control characters but keep tab (0x09), LF (0x0a) and CR (0x0d).
        // No commas inside the class: they would be stripped as literal characters.
        $val = preg_replace('/[\x00-\x08\x0b\x0c\x0e-\x19]/', '', $val);

        // Decode hex and decimal entities (&#x41; / &#65;) of these printable characters,
        // so an encoded letter cannot hide a tag or event name from the checks below.
        $search = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
        $search .= '!@#$%^&*()';
        $search .= '~`";:?+/={}[]-\\_|\'';
        for ($i = 0; $i < strlen($search); $i++) {
            $val = preg_replace('/(&#[xX]0{0,8}'.dechex(ord($search[$i])).';?)/i', $search[$i], $val); // hex form
            $val = preg_replace('/(&#0{0,8}'.ord($search[$i]).';?)/', $search[$i], $val);               // decimal form
        }

        // Tag names and event-handler attributes to neutralise.
        $ra1 = array('javascript', 'vbscript', 'expression', 'applet', 'meta', 'xml', 'blink', 'link', 'style', 'script', 'embed', 'object', 'iframe', 'frame', 'frameset', 'ilayer', 'layer', 'bgsound', 'title', 'base');
        $ra2 = array('onabort', 'onactivate', 'onafterprint', 'onafterupdate', 'onbeforeactivate', 'onbeforecopy', 'onbeforecut', 'onbeforedeactivate', 'onbeforeeditfocus', 'onbeforepaste', 'onbeforeprint', 'onbeforeunload', 'onbeforeupdate', 'onblur', 'onbounce', 'oncellchange', 'onchange', 'onclick', 'oncontextmenu', 'oncontrolselect', 'oncopy', 'oncut', 'ondataavailable', 'ondatasetchanged', 'ondatasetcomplete', 'ondblclick', 'ondeactivate', 'ondrag', 'ondragend', 'ondragenter', 'ondragleave', 'ondragover', 'ondragstart', 'ondrop', 'onerror', 'onerrorupdate', 'onfilterchange', 'onfinish', 'onfocus', 'onfocusin', 'onfocusout', 'onhelp', 'onkeydown', 'onkeypress', 'onkeyup', 'onlayoutcomplete', 'onload', 'onlosecapture', 'onmousedown', 'onmouseenter', 'onmouseleave', 'onmousemove', 'onmouseout', 'onmouseover', 'onmouseup', 'onmousewheel', 'onmove', 'onmoveend', 'onmovestart', 'onpaste', 'onpropertychange', 'onreadystatechange', 'onreset', 'onresize', 'onresizeend', 'onresizestart', 'onrowenter', 'onrowexit', 'onrowsdelete', 'onrowsinserted', 'onscroll', 'onselect', 'onselectionchange', 'onselectstart', 'onstart', 'onstop', 'onsubmit', 'onunload');
        $ra = array_merge($ra1, $ra2);

        // Repeat until a full pass over $ra changes nothing.
        $found = true;
        while ($found) {
            $val_before = $val;
            for ($i = 0; $i < sizeof($ra); $i++) {
                // Match the word even when tab/LF/VT entities (hex 9, a, b; decimal 9, 10, 13)
                // are inserted between its letters.
                $pattern = '/';
                for ($j = 0; $j < strlen($ra[$i]); $j++) {
                    if ($j > 0) {
                        $pattern .= '(';
                        $pattern .= '(&#[xX]0{0,8}([9ab]);)';
                        $pattern .= '|';
                        $pattern .= '(&#0{0,8}(9|10|13);)';
                        $pattern .= ')*';
                    }
                    $pattern .= $ra[$i][$j];
                }
                $pattern .= '/i';
                // Insert <x> after the second letter so the word no longer works as a tag or handler.
                $replacement = substr($ra[$i], 0, 2).'<x>'.substr($ra[$i], 2);
                $val = preg_replace($pattern, $replacement, $val);
            }
            // Stop only when a whole pass made no replacement.
            if ($val_before == $val) {
                $found = false;
            }
        }
        return $val;
    }
    ?>

  12. #12
    azaidi (I don't even know), Member, joined Apr 2010, the Netherlands, 2,065 posts

    Re: Anti XSS Filter PHP

    Quote Originally Posted by pepijndut:
    I don't know what XSS is precisely (I know it's something with security) but I think you can better do this
    <?php
    ob_start("ob_gzhandler");

    // Escape every incoming GET/POST/REQUEST value and run it through RemoveXSS().
    // RemoveXSS() is declared further down; PHP hoists unconditional function
    // declarations in a file, so calling it here works. mysql_real_escape_string()
    // needs an open MySQL link (and the mysql extension no longer exists in PHP 7).
    foreach ($_GET as $key => $value) {
        $_GET[$key] = RemoveXSS(mysql_real_escape_string(stripslashes(trim(htmlspecialchars($value)))));
    }
    foreach ($_POST as $key => $value) {
        $_POST[$key] = RemoveXSS(mysql_real_escape_string(stripslashes(trim(htmlspecialchars($value)))));
    }
    foreach ($_REQUEST as $key => $value) {
        $_REQUEST[$key] = RemoveXSS(mysql_real_escape_string(stripslashes(trim(htmlspecialchars($value)))));
    }

    // Blacklist filter: neutralises known tag names and event-handler attributes,
    // also when their letters are hidden behind numeric character entities.
    function RemoveXSS($val)
    {
        // Remove control characters but keep tab (0x09), LF (0x0a) and CR (0x0d).
        // No commas inside the class: they would be stripped as literal characters.
        $val = preg_replace('/[\x00-\x08\x0b\x0c\x0e-\x19]/', '', $val);

        // Decode hex and decimal entities (&#x41; / &#65;) of these printable characters,
        // so an encoded letter cannot hide a tag or event name from the checks below.
        $search = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
        $search .= '!@#$%^&*()';
        $search .= '~`";:?+/={}[]-\\_|\'';
        for ($i = 0; $i < strlen($search); $i++) {
            $val = preg_replace('/(&#[xX]0{0,8}'.dechex(ord($search[$i])).';?)/i', $search[$i], $val); // hex form
            $val = preg_replace('/(&#0{0,8}'.ord($search[$i]).';?)/', $search[$i], $val);               // decimal form
        }

        // Tag names and event-handler attributes to neutralise.
        $ra1 = array('javascript', 'vbscript', 'expression', 'applet', 'meta', 'xml', 'blink', 'link', 'style', 'script', 'embed', 'object', 'iframe', 'frame', 'frameset', 'ilayer', 'layer', 'bgsound', 'title', 'base');
        $ra2 = array('onabort', 'onactivate', 'onafterprint', 'onafterupdate', 'onbeforeactivate', 'onbeforecopy', 'onbeforecut', 'onbeforedeactivate', 'onbeforeeditfocus', 'onbeforepaste', 'onbeforeprint', 'onbeforeunload', 'onbeforeupdate', 'onblur', 'onbounce', 'oncellchange', 'onchange', 'onclick', 'oncontextmenu', 'oncontrolselect', 'oncopy', 'oncut', 'ondataavailable', 'ondatasetchanged', 'ondatasetcomplete', 'ondblclick', 'ondeactivate', 'ondrag', 'ondragend', 'ondragenter', 'ondragleave', 'ondragover', 'ondragstart', 'ondrop', 'onerror', 'onerrorupdate', 'onfilterchange', 'onfinish', 'onfocus', 'onfocusin', 'onfocusout', 'onhelp', 'onkeydown', 'onkeypress', 'onkeyup', 'onlayoutcomplete', 'onload', 'onlosecapture', 'onmousedown', 'onmouseenter', 'onmouseleave', 'onmousemove', 'onmouseout', 'onmouseover', 'onmouseup', 'onmousewheel', 'onmove', 'onmoveend', 'onmovestart', 'onpaste', 'onpropertychange', 'onreadystatechange', 'onreset', 'onresize', 'onresizeend', 'onresizestart', 'onrowenter', 'onrowexit', 'onrowsdelete', 'onrowsinserted', 'onscroll', 'onselect', 'onselectionchange', 'onselectstart', 'onstart', 'onstop', 'onsubmit', 'onunload');
        $ra = array_merge($ra1, $ra2);

        // Repeat until a full pass over $ra changes nothing.
        $found = true;
        while ($found) {
            $val_before = $val;
            for ($i = 0; $i < sizeof($ra); $i++) {
                // Match the word even when tab/LF/VT entities (hex 9, a, b; decimal 9, 10, 13)
                // are inserted between its letters.
                $pattern = '/';
                for ($j = 0; $j < strlen($ra[$i]); $j++) {
                    if ($j > 0) {
                        $pattern .= '(';
                        $pattern .= '(&#[xX]0{0,8}([9ab]);)';
                        $pattern .= '|';
                        $pattern .= '(&#0{0,8}(9|10|13);)';
                        $pattern .= ')*';
                    }
                    $pattern .= $ra[$i][$j];
                }
                $pattern .= '/i';
                // Insert <x> after the second letter so the word no longer works as a tag or handler.
                $replacement = substr($ra[$i], 0, 2).'<x>'.substr($ra[$i], 2);
                $val = preg_replace($pattern, $replacement, $val);
            }
            // Stop only when a whole pass made no replacement.
            if ($val_before == $val) {
                $found = false;
            }
        }
        return $val;
    }
    ?>
    That's SQL injection, we're talking about XSS bro.
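As an added example (not code from the thread or from any poster), this separates the two concerns this reply points at: SQL escaping belongs at the database call, done here with a prepared statement in place of mysql_real_escape_string(), while HTML and JavaScript escaping belong at output time, one encoding per context. The mysqli connection $db and the comments(author, body) table are assumed; the rendered row is a constructed sample.

```php
<?php
// Added example, not from the thread: keep SQL escaping and HTML/JS escaping
// apart and apply each one at the point where the value is actually used.
// Assumes a mysqli connection $db and a table comments(author, body).

// For HTML text content and double-quoted attribute values.
function html_escape(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// For a value embedded as a JavaScript string literal inside <script>.
function js_escape(string $s): string
{
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// Store the raw value: the prepared statement handles the SQL side, and no HTML
// escaping happens here, so the stored text cannot be double-encoded on output.
function save_comment(mysqli $db, string $author, string $body): void
{
    $stmt = $db->prepare('INSERT INTO comments (author, body) VALUES (?, ?)');
    $stmt->bind_param('ss', $author, $body);
    $stmt->execute();
}

// Render a stored row, escaping once for the context each value lands in.
function render_comment(array $row): string
{
    return '<div class="comment" data-author="' . html_escape($row['author']) . '">'
         . '<p>' . html_escape($row['body']) . '</p>'
         . '<script>var author = ' . js_escape($row['author']) . ';</script>'
         . '</div>';
}

// Constructed sample row, as a SELECT would return it; this part needs no database.
$row = ['author' => "O'Neil & Co", 'body' => 'Tom & "Jerry" <3'];
echo render_comment($row), PHP_EOL;
```

If the input loops from the thread keep htmlspecialchars() on $_POST, html_escape() at output encodes the stored "&amp;" a second time, which is why the encoding belongs on the output side only.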

  13. #13
    pepijndut (I am Nobody.), Member, joined Oct 2009, 328 posts

    Re: Anti XSS Filter PHP

    Oh okay.. What is XSS :P
    I don't know anything about security xD

    Pepijn =D

  14. #14
    nickymonsma (Account Upgraded | Title Enabled!), Member, joined Sep 2009, The Netherlands, 232 posts

    Re: Anti XSS Filter PHP

    XSS is scripting - Alert(), you know?

  15. #15
    Kaan2106 (JustLikeMeForNoReason), Member, joined Nov 2007, 282 posts

    Re: Anti XSS Filter PHP

    Quote Originally Posted by nickymonsma:
    XSS is scripting - Alert(), you know?
    And this is what (Alert())? Explain sth ^^


