Clean code from Javascript with specific method

Asked Sep 12 '13 at 12:58

Active Sep 12 '13 at 13:46

Viewed 125 times

I have this string ($str) and I'm trying to prevent Javascript execution:

<script> ... </script>
<link onload="...">
<div onmouseover="...">

I apply these commands:

$find = Array("script", "onload", "onmouseover");
$rep = Array("noscript", "no_onload", "no_onmouseover");

$new = str_replace($find, $rep, $str);

Working example: http://codepad.org/kwuQvRiM

I know there are other event attributes but to make the question shorter I've choosen just 3 elements/attributes, but.

If I allow users to populate $str instead of declare it in the PHP source ( $str = $_GET["str"] for example), so an user can changes the $str code can somehow exploit this protection?

Imagine that $new is stored in a database and used later, I want to know if the string will be safe from javascript execution.

N.B. I know there are safer ways to perform this task but this question is for a didactic study and I need to perform in this way

edited Sep 12 '13 at 13:10

asked Sep 12 '13 at 12:58

Fez Vrasta

14,110
21
98
160

4

Why not just use `strip_tags`? That is even safer. – putvande Sep 12 '13 at 13:01
some input, $str = $_GET["str"] etc – Fez Vrasta Sep 12 '13 at 13:01
I know put, but I need an answer to this question in this way. – Fez Vrasta Sep 12 '13 at 13:02
Here is something similar http://stackoverflow.com/questions/3026096/remove-all-attributes-from-an-html-tag – Daniel Gimenez Sep 12 '13 at 13:02
What are you replacing these with? – crush Sep 12 '13 at 13:02
@putvande Possibly to keep `` and so on available – Izkata Sep 12 '13 at 13:04
1

How could the user change `$str` value? Unless it comes via HTTP Request, there's no way of doing so. – Henrique Barcelos Sep 12 '13 at 13:04
I've explained the `$str` part better – Fez Vrasta Sep 12 '13 at 13:05
So what if they changed `$str`? What would that even matter? – crush Sep 12 '13 at 13:06
imagine the `$new` is sent to a database etc etc etc – Fez Vrasta Sep 12 '13 at 13:07
@FezVrasta You are stripping the script elements AFTER you get the `$str`. They can't modify it further at that point... – crush Sep 12 '13 at 13:07
@FezVrasta You are sanitizing the `$str` before you put it in the database, and after you get it from the HTTP request. There is no way they can reinject the javascript code at that point. So yes, it is safe *to the point of the protection your sanitization code provides.* **Are you actually asking us if there are any other ways they can insert scripts into HTML besides what you've listed in your question?** – crush Sep 12 '13 at 13:12
there aren't exploits to write an input that will not be sanitized? (special chars not read by browsers etc)? – Fez Vrasta Sep 12 '13 at 13:13
@FezVrasta If the browser doesn't read it, why/how would it execute it? – crush Sep 12 '13 at 13:14
@crush No, I know there are bunch of tags which can run javascript, I want to know if is enough replace all the tags. – Fez Vrasta Sep 12 '13 at 13:15
The only reason that escaped or special chars would be a problem is if your sanitize code didn't handle them correctly and/or converted them automatically into non-escaped/special chars. – crush Sep 12 '13 at 13:19
there aren't hacks like the ones for CSS in explorer? `alert("");` for example. – Fez Vrasta Sep 12 '13 at 13:26

Clean code from Javascript with specific method

0 Answers0