
Can this code help to sanitize malicious code in user submit form?

function rex($string) {
    // Blacklist filter: strip every "=" and every "javascript:" (case-insensitive)
    $patterns = array();
    $patterns[0] = '/=/i';
    $patterns[1] = '/javascript:/i';
    $replacements = array();
    $replacements[0] = '';
    $replacements[1] = '';
    return preg_replace($patterns, $replacements, $string);
}

I have included htmlentities() to prevent XSS on the client side. Is all the code shown safe enough to prevent attacks?

proyb2
    Could you provide some more information? What is the data going to used for? Where is it going to be displayed? Are you using htmlentities as well or are you expecting this to be a replacement? – Rob Young May 31 '10 at 15:02
  • upvoted, seems reasonable question and topic, whoever downvoted without leaving a comment is an idiot. – danp May 31 '10 at 15:03
  • @danp, I agree. +1 as it's good to have questions on XSS, even if they are repeats. – Daniel Trebbien May 31 '10 at 15:08
  • I am trying to remove some of the code when the user inputs their business description into my form, which will be used for a Classified Listing. Would I be able to safely decode with htmlentities_decode? I would like to retain valid HTML code in my MySQL DB. – proyb2 May 31 '10 at 16:10

5 Answers


You don't need that if you are using htmlentities. To prevent XSS you can even just use htmlspecialchars.

Just make sure that you use htmlspecialchars on all data that is printed as plain text in your HTML response.

See also: the answers to "Does this set of regular expressions FULLY protect against cross site scripting?"

Daniel Trebbien

Your substitutions may help. But you're better off using a pre-rolled solution like PHP's data filters. Then you can easily limit the datatype to what you expect.

dnagirl
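As an added illustration of the "PHP data filters" this answer points to (example code, not the answerer's own), the following validates the fields of a classified-listing form with filter_var_array instead of a regex blacklist. The field names, the min/max price range and the sample submissions are constructed for the example; the extra scheme allow-list on the website field is needed because FILTER_VALIDATE_URL only checks URL syntax, not which schemes you are willing to render as links later.

```php
<?php
// Added example, not code from the original answer: validating form fields
// with PHP's filter extension (filter_var_array) instead of a regex blacklist.
// Field names, ranges and sample values are constructed for illustration.
declare(strict_types=1);

/**
 * Validate the fields of a classified-listing form.
 * Returns ['ok' => true, 'data' => ...] or ['ok' => false, 'errors' => ...].
 */
function validateListing(array $input): array
{
    $definition = [
        // Free text is stored as typed and escaped on output. FILTER_FLAG_STRIP_LOW
        // removes control characters (note: that includes tabs and newlines, so
        // drop the flag if multi-line descriptions are wanted).
        'description' => [
            'filter' => FILTER_UNSAFE_RAW,
            'flags'  => FILTER_FLAG_STRIP_LOW,
        ],
        'contact_email' => FILTER_VALIDATE_EMAIL,
        'website'       => FILTER_VALIDATE_URL,
        'price'         => [
            'filter'  => FILTER_VALIDATE_INT,
            'options' => ['min_range' => 0, 'max_range' => 1000000],
        ],
    ];

    // Third argument false: fields absent from $input are left out of the
    // result instead of being set to null, so "missing" can be reported.
    $result = filter_var_array($input, $definition, false);

    $errors = [];
    foreach (array_keys($definition) as $field) {
        if (!array_key_exists($field, $result)) {
            $errors[] = "$field: missing";
        } elseif ($result[$field] === false) {
            $errors[] = "$field: invalid";
        }
    }

    // FILTER_VALIDATE_URL checks syntax only. Allow-list the scheme so that
    // only http/https links are stored and later rendered as href targets.
    if (isset($result['website']) && $result['website'] !== false) {
        $scheme = strtolower((string) parse_url($result['website'], PHP_URL_SCHEME));
        if (!in_array($scheme, ['http', 'https'], true)) {
            $errors[] = 'website: only http/https URLs are accepted';
        }
    }

    return $errors === []
        ? ['ok' => true, 'data' => $result]
        : ['ok' => false, 'errors' => $errors];
}

// Constructed sample submissions.
$good = [
    'description'   => 'Family-run bakery, open 7 days. Prices from 2+2=4 euro.',
    'contact_email' => 'owner@example.com',
    'website'       => 'https://example.com/bakery',
    'price'         => '250',
];
$bad = [
    'description'   => "Line\x00with control char",
    'contact_email' => 'not-an-address',
    'website'       => 'ftp://example.com/files',
    'price'         => '-5',
];

print_r(validateListing($good));   // ok => true, price cast to int 250
print_r(validateListing($bad));    // ok => false, errors for email, website, price
```

Note that the description field keeps its "=" characters: validation constrains the type and range of each field, while the text itself is protected by escaping at output time, not by deleting characters on input.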

htmlentities alone will do the trick. No need to replace anything at all.

Matchu

No. http://ha.ckers.org/xss.html

Arkh
    This terse answer is not very helpful without explaining that the http://ha.ckers.org/xss.html page exists to convince developers of the difficulty of making a completely safe filtering scheme for preventing XSS. – Daniel Trebbien May 31 '10 at 15:18
  • The link is not the answer, just an example of why "No" is the answer to the question "Can this code help to sanitize malicious code in user submit form?" – Arkh Nov 19 '12 at 09:59

Your first replacement rule is useless as it can be easily circumvented by using eval and character encoding (and an equal sign isn't necessary for XSS attacks anyway).

Your second rule can be very likely circumvented on at least some browsers by using things like javascript : or java\script:.

In short, it doesn't help much. If you want to show plain text, htmlentities is probably fine (there are exotic attacks which take advantage of unusual character encodings and browser stupidity to launch XSS attacks without any special characters, but that only works on specific browsers - cough IE cough - in specific situations). If you want to put user input in URLs or other attributes, it is not necessarily enough.

Tgr