This question already has answers here:
What are the common defenses against XSS? [closed]
(4 answers)
Closed 9 years ago.
How do I get the url from the address bar and try to sanitize it to prevent cross side scripting?
For example in this link,
www.somesite.com/login/login.php
how do I prevent it from
www.somesite.com/login/login.php/"><h2>This%20is%20our%20cookie<h2>
<script>document.write%28document.cookie%29</script></h2>
Do I use the $_SERVER to get the url from address bar then what should I use to sanitize the link?
Thank you.
To obtain it, you can refer to $_SERVER['REQUEST_URI'].
If you want to append it to HTML, escape it using htmlspecialchars().
For url
$url = "http://".$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']
check this link for detail
http://www.phpeasystep.com/phptu/27.html
For sanitizing as rid said you can use
htmlspecialchars() (http://ca3.php.net/htmlspecialchars)
Instead you can use http://php.net/manual/en/function.preg-replace.php to sanitize the $url that you receive, by using that you can remove anything that comes after .php by replacing those using a empty string.
Also please have a look at this post.
Removing unwanted characters from URL in htaccess
If you want to sanitize the url on the server-side, use mysql_escape_string($_SERVER['REQUEST_URI']). Even more, use var_dump($_SERVER) to see all the values you can use and play around with them. Btw, why are you sanitizing the URL? What do you want to do with it? I assumed you wanted to put it into a database, but if you want to just remove all the html code from it, the browser will already do the escaping, so you don't really need to do it...
If you want to sanitize it on the client-side, that will make no point, since the attacker can always generate his own http request, using his own tools, not even using the browser.
Related
This question already has answers here:
Preserve and display text exactly how it is typed and submitted
(2 answers)
Closed 8 years ago.
** Update - following the link that deceze kindly posted to a similar question lead me to a great article by deceze here The Great Escapism which gave me all the answers I needed. To anyone finding this question due to similar issues I urge you to read this article **
I'm allowing users to enter information through a textarea on my site.
I'm aware that there is a security risk whenever a user can enter information into a site.
I want to be able to preserve whitespace / newlines from their entry but I'm also mindful of stripping HTML tags etc out of their input.
I have written a function that replaces \r\n with <br/> before the data retrieved from the database gets outputted to the browser (I also stripslashes before I output to the browser).
I have a function that will strip out HTML tags from the entered text that I can run before putting the user entry into the database.
I'm unsure if this is all that I need to do? Does anyone have either a list of checks I need to do before putting user-entered info into the database and then before displaying it in a browser? Or even a set of sanitising functions that they use for this?
I've looked at esc_html() and sanitize_text_field() and filter_var($output, FILTER_SANITIZE_STRING, FILTER_FLAG_NO_ENCODE_QUOTES) but I'm really unsure when I should be using what function?
Help much appreciated :-)
You can use mysql_real_escape_string() to prevent sql-injection. You can find a good basic tutorial here
This question already has answers here:
How can I sanitize user input with PHP?
(16 answers)
Closed 8 years ago.
For global safely, is it safe to to use htmlspecialchars or striptags when user POST or GET in php ?
for example, htmlspecialchars any post and get that sent by request and save that to the database
For displaying purposes you could just use htmlspecialchars() or htmlentities() to ward of the common XSS attacks.
It is not suggested to strip_tags() the data (unless it is really neccessary) , because that may lose all formatting if the user had provided any.
I would do sanity-checks depending on what you're expecting to get.
A good reading (like always) is the OWASP cheat-sheet: https://www.owasp.org/index.php/PHP_Security_Cheat_Sheet#XSS_Cheat_Sheet
If you're expecting plain text, always use htmlspecialchars() when showing it by the web-client. Some template-engines, like Twig, already do that by default. For this case, I wouldn't do any checks when saving to the database, because you may need to encode it differently for another client later - and you expect it to be plain-text, right?
If the user has an RTE and can make use of HTML, I'd use strip_tags() or a method like used in other frameworks. An example is http://svn.openfoundry.org/wowsecmodules/trunk/filter/RemoveXSS.php. TYPO3 also has a pretty good one that you can view by downloading the package and looking into typo3/contrib/RemoveXSS/RemoveXSS.php
A workaround would be to use stuff like BB-Code or Markdown, handled as plain-text, that is later compiled to HTML in your code, but this mostly confuses the editor, if he isn't used to stuff like that.
What I do not recommend at all, but it's possible is to let the browser do the job - see XSS Basic Understanding
EDIT:
The two libs, I linked here for removing XSS from HTML-data, are both based on the same one, but have been forked into different projects and the communities applied fixes and so on. The goal of this method is like yours, even so I do not support it, because it sounds like a one-size-fits-all solution:
Usage: Run *every* variable passed in through it.
* The goal of this function is to be a generic function that can be used to
* parse almost any input and render it XSS safe. ...
Why I am against running this method on every input-variable? You do not think about what you really want to get. Maybe you just want plain-text ... In this case, as I wrote earlier here, you don't need to do that, but just use htmlspecialchars() when showing it in an HTML context.
This question already has answers here:
How to prevent XSS with HTML/PHP?
(9 answers)
Sanitizing HTML input
(5 answers)
Closed 9 years ago.
I want to provide an HTML editor on my site, but don't want to open myself up to xss or other attacks that come with allowing user-generated HTML.
This is pretty similar to what Stack Overflow does. How is the HTML checked/sanitized here so that the styling information still remains, while other, more dangerous stuff (like javascript, iframes, etc.) are kept out?
Are there any libraries (preferably in PHP) that already do this?
PHP has a function strip_tags that strips HTML and PHP tags from a string, and allows you to specify certain allowable tags. But as #webarto states, there are libraries that do this better.
From the PHP Manual.
Your can use
strip_tags($yourData,"<a><p><div><i>") // more tags you want to keep;
If your using SQL too use
mysql_real_escape_string($data);
This is really all you need to not get injected. Do keep in mind, when using mySQL real escape you need to use strip slashes to remove them when you echo them out.
Here are the docs for strip tags and the docs for mysql escape.
If you wish to allow some (X)HTML and restrict only tags viewed as unsafe, you can use something like KSES. Wordpress uses a solution like this.
http://sourceforge.net/projects/kses/
In addendum to Whymarrh's post, suggestion is to have the code work take place in a subfolder of your site, and auto-alter any code that has "..", or "http://" or any mysql commands.
This question already has answers here:
Closed 11 years ago.
Possible Duplicate:
How to encrypt HTML, CSS and JavaScript to prevent theft
Is there any technique in PHP language, or some software available to encrypt the html code that is seen while clicking on view source and view generated source on browsers.Can the code be encrypted to binary strings ie( 0 and 1) format.
No. The browser needs valid HTML to display the document. There is no way to encrypt HTML.
The whole world is serving pages that are not encrypted, so it stands to reason it's not necessary, either.
People will always be able to get to your html - even if you did find some way to obfuscate / hide it, maybe using javascript, anyone can always use wget or similar to view it.
No. You can obscure it a bit, but in the end your browser needs to read it, and it reads HTML.
In a word: no. You can make the HTML ugly by removing whitespace, but the browser needs to be able to read it! You can obfuscate your Javascript pretty darn well by removing whitespace and newlines and using short or crazy variable names: for example see here.
This question already has answers here:
Closed 11 years ago.
Possible Duplicate:
Can PHP read the hash portion of the URL?
Hi,
I want to go to a part of my web page where a div called bla bla bla is located.
Using this: http://www.mysite.com/mypage#28 I get there.
But I also need that number to process in php. Does the # work like a ? ($_get) as well?
How do I do that otherwise?
Thanks
I agree with middaparka, Hash values is a client side values can not be loaded from server side, as Facebook Dynamic Url Loading technique
so you can read it is value from a function, and call that function onload of page to do what you need.
In theory you can use the parse_url function to obtain this, via the PHP_URL_FRAGMENT option. However, in practice I'm pretty sure that there's no guarantee that the browser will pass this information to the server. (i.e.: It won't show up in $_SERVER['REQUEST_URI'], so there's no way to pass this information into parse_url in the first place.)
As such, you'd need to obtain this client-side via JavaScript and forward it to the server. To do this you can use window.location.hash.
e.g.: <script>alert('The hash value is: '+window.location.hash);</script>
There is JQuery Plugin "hashchange" using that you can send Ajax request when the hash is changed everytime. You can even bookmark it.
http://benalman.com/projects/jquery-hashchange-plugin/
Check out the demo at http://benalman.com/code/projects/jquery-hashchange/examples/hashchange/