
I have created a game called Staroids. I just want to allow the user to enter plain text as the name.

I have created validation client side (in JavaScript), but my friend who knows a lot about XSS managed to hack into the leaderboard within a few minutes and told me to look at HTML Purifier to make it more secure.

I have read through the installation process and have done what it says, but when I now run the game and submit the score, it empties the name field and submits a blank name.

Here is my PHP code:

<?php

    require_once 'htmlpurifier/library/HTMLPurifier.auto.php';

    $config = HTMLPurifier_Config::createDefault();
    $purifier = new HTMLPurifier($config);
    $clean_html = $purifier->purify($dirty_html);

    $seconds = $_POST['seconds'];
    $kills = $_POST['kills'];
    $deaths = $_POST['deaths'];
    $wave = $_POST['wave'];
    $score = $_POST['score'];
    $name = mysql_real_escape_string($_POST['name']);
    $hash = $_POST['hash'];
    $date = $_POST['date'];
    $time = $_POST['time'];
    $timezone = $_POST['timezone'];
    $userdata = $_POST['userdata'];
    $display = $_POST['display'];



    $connect = mysql_connect("localhost", "root", "password");
    mysql_select_db("staroids", $connect);
    mysql_query("INSERT INTO scores (seconds, kills, deaths, wave, score, name, hash, date, time, timezone, userdata, display) VALUES ('$seconds', '$kills', '$deaths', '$wave', '$score', '$name', '$hash', '$date', '$time', '$timezone', '$userdata', '$display')", $connect);
    mysql_close($connect);
?>

I am grabbing the name variable from the HTML page and this is what I wanted to validate / purify to stop users using XSS to hack into the leaderboard.

  • I don't seem to find where you use `$clean_html`, or, as a matter of fact, where `$dirty_html` comes from. – MightyPork Aug 09 '13 at 08:59
  • It says in the installation to use this code: `require_once '/path/to/htmlpurifier/library/HTMLPurifier.auto.php'; $config = HTMLPurifier_Config::createDefault(); $purifier = new HTMLPurifier($config); $clean_html = $purifier->purify($dirty_html);` – smj2393 Aug 09 '13 at 09:00
  • You can't just **blindly copy stuff** to your project and think it will always work. I am assuming you want to process the `$_POST['name']` - then put this in place of `$dirty_html` and then use `mysql_real_escape_string($clean_html)` – MightyPork Aug 09 '13 at 09:15
  • First of all read this - http://stackoverflow.com/questions/2677578/php-html-purifier-hello-world-world-tutorial-striptags . Second, I don't think you have an XSS problem, it's MySQL injection, then... you need to change your coding style and manner, learn the new libs for querying the database – Royal Bg Aug 09 '13 at 09:15
  • I looked at that before and couldn't get it working. Ok I will carry out some more research, cheers for the help! – smj2393 Aug 09 '13 at 09:28
  • why has this been voted down? – smj2393 Oct 16 '13 at 08:24

1 Answer

The $dirty_html is a string, or an array of strings; probably you have to create an array of your data with the name $dirty_html.

<?php
require_once 'htmlpurifier/library/HTMLPurifier.auto.php';

// mysql_real_escape_string() needs an open connection, so connect before escaping.
// (The mysql_* functions were removed in PHP 7; mysqli or PDO replace them.)
$connect = mysql_connect("localhost", "root", "password");
mysql_select_db("staroids", $connect);

$dirty_html = array(
    'seconds'  => $_POST['seconds'],
    'kills'    => $_POST['kills'],
    'deaths'   => $_POST['deaths'],
    'wave'     => $_POST['wave'],
    'score'    => $_POST['score'],
    'name'     => mysql_real_escape_string($_POST['name'], $connect),
    'hash'     => $_POST['hash'],
    'date'     => $_POST['date'],
    'time'     => $_POST['time'],
    'timezone' => $_POST['timezone'],
    'userdata' => $_POST['userdata'],
    'display'  => $_POST['display']   // the key must be a quoted string, not a bare constant
);

$config = HTMLPurifier_Config::createDefault();
$purifier = new HTMLPurifier($config);
// purify() takes a single string; purifyArray() runs the purifier over every element
$clean_html = $purifier->purifyArray($dirty_html);

print_r($clean_html);
?>

Note: I've not tested the code.

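As an added example (not code from the question, the answer, or the HTML Purifier project), here is what the comments and the answer together point at, written for PHP 7 or later: HTML Purifier applied only to the field that is free text, configured to allow no elements so that only plain text survives, and the INSERT rewritten as a PDO prepared statement, which is what actually closes the SQL injection that Royal Bg's comment identifies (the purifier does nothing for SQL). The table and column names are the question's; the DSN, the `staroids_app` account, the length limits and the helper names are assumptions. One caveat worth checking against the original code: mysql_real_escape_string() is called there before mysql_connect(), and without an open connection it emits a warning and returns false, which is interpolated into the query as an empty string; that alone would produce the blank name described.

```php
<?php
// Added example, not code from the question or the answer. Assumes the "scores"
// table from the question, an HTML Purifier checkout under htmlpurifier/, and a
// low-privilege MySQL account "staroids_app" (DSN and credentials are placeholders).
require_once 'htmlpurifier/library/HTMLPurifier.auto.php';

// A purifier that permits no HTML at all: every tag is dropped and only its
// text content survives, which is what a plain-text name needs.
function makeNamePurifier(): HTMLPurifier
{
    $config = HTMLPurifier_Config::createDefault();
    $config->set('HTML.Allowed', '');   // empty allow-list: no elements, no attributes
    return new HTMLPurifier($config);
}

// purify() returns HTML (e.g. "&amp;"), so decode it back to text before storing;
// the page that renders the leaderboard must escape it again with htmlspecialchars().
function cleanName(string $raw, HTMLPurifier $purifier): string
{
    $text = html_entity_decode($purifier->purify($raw), ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $text = trim(mb_substr($text, 0, 32, 'UTF-8'));   // 32-character limit is an assumption
    if ($text === '') {
        throw new InvalidArgumentException('name is empty after purification');
    }
    return $text;
}

// Numeric fields are validated as integers, so "1 OR 1=1" is rejected here rather
// than reaching the query. This checks only the shape of the data: the client still
// computes the score, so a forged but well-formed score is not caught by this.
function intField(array $post, string $key): int
{
    $value = filter_var($post[$key] ?? '', FILTER_VALIDATE_INT);
    if ($value === false) {
        throw new InvalidArgumentException("$key must be an integer");
    }
    return $value;
}

function stringField(array $post, string $key, int $max = 64): string
{
    $value = (string) ($post[$key] ?? '');
    if (!mb_check_encoding($value, 'UTF-8') || mb_strlen($value, 'UTF-8') > $max) {
        throw new InvalidArgumentException("$key is too long or not valid UTF-8");
    }
    return $value;
}

// Named placeholders: PDO sends the values separately from the SQL text, so a
// quote or comment sequence in any field cannot change the statement.
function insertScore(PDO $db, array $row): void
{
    $sql = 'INSERT INTO scores
              (seconds, kills, deaths, wave, score, name, hash, date, time, timezone, userdata, display)
            VALUES
              (:seconds, :kills, :deaths, :wave, :score, :name, :hash, :date, :time, :timezone, :userdata, :display)';
    $db->prepare($sql)->execute($row);
}

try {
    $purifier = makeNamePurifier();
    $row = [
        'seconds'  => intField($_POST, 'seconds'),
        'kills'    => intField($_POST, 'kills'),
        'deaths'   => intField($_POST, 'deaths'),
        'wave'     => intField($_POST, 'wave'),
        'score'    => intField($_POST, 'score'),
        'name'     => cleanName(stringField($_POST, 'name'), $purifier),
        'hash'     => stringField($_POST, 'hash'),
        'date'     => stringField($_POST, 'date'),
        'time'     => stringField($_POST, 'time'),
        'timezone' => stringField($_POST, 'timezone'),
        'userdata' => stringField($_POST, 'userdata', 1024),
        'display'  => stringField($_POST, 'display'),
    ];

    // Assumed connection details; a dedicated account is used instead of root.
    $db = new PDO('mysql:host=localhost;dbname=staroids;charset=utf8mb4', 'staroids_app', 'password', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepared statements
    ]);
    insertScore($db, $row);
    http_response_code(204);
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo 'rejected: ' . htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
} catch (PDOException $e) {
    http_response_code(500);   // do not echo the driver message to the client
}
```

Store the name as plain text and escape it with htmlspecialchars() at the point where the leaderboard is rendered; purifying on input and escaping on output are separate steps, and neither one makes a score that the client computed and posted trustworthy.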