I need to prevent cross-site scripting (XSS). How can I validate that the input isn't a cross-site script? The issue is with my "url" BBCode.

function bbcode($input) {
    $search = array('/\[a url="(.+?)"\](.*?)\[\/a\]/is');

    // $1 (the captured url) is placed into href without validation or escaping
    $replace = array('<a href="$1" style="color: #337ab7; text-decoration: none" target="_blank">$2</a>');

    return preg_replace($search, $replace, $input);
}

echo bbcode('[a url="javascript://hello.com/%0Aalert(%27s%27)"]XSS[/a]');

The code above is an example of what happens. When you click the link, a JavaScript popup comes up. Also, there are more BBCodes in that array, but I removed them when posting this to make it easier.

UnderMyWheel

1 Answer

After chatting with OP, it looks like OP's site is XSS infected.

Normally XSS comes from bad users through submit forms, comment inputs, posts, URLs, etc. So we need to prevent XSS, but since you are already harmed you could start using the following function to stop scripts from executing, and analyse and fix your site against future attacks.

function filterScript($content)
{
    $default = '';
    // strips any href attribute whose value starts with "javascript:"
    return preg_replace('/href="javascript:[^"]+"/', $default, $content);
}

Testing

Imagine this is our attack content:

$content = '<a href="javascript://somedomain.com/%0Aalert(%27s%27)">XSS</a>';

// this link is attacked
echo $content . "<br>";
// this link is not attacked
echo filterScript($content);

EDIT: in addition to this answer, it might be worth it to also take a look at this answer.

Note: The above function will help, but it is not a complete solution; what you really need is to make a strategy for your site to find out its weaknesses and find out how you should protect it.

The provided link has some recommendations on how and where to look. OWASP has a top 10 list of possible attacks you should read; they also have a newer recommendation guide.

Maytham Fahmi
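A hardened version of the question's [a url="..."]...[/a] handler, added here as an example that is not code from either post: instead of stripping known-bad hrefs after the fact, it allow-lists the URL scheme (http/https only) and HTML-escapes both the attribute and the link text, so the javascript: payload from the question renders as inert text. Function names (safeUrl, bbcodeSafe) are my own.

```php
<?php
// Added example (not from the question or the answer): a safer [a url="..."]...[/a]
// handler. The captured URL is parsed and only emitted as a link when its scheme
// is http or https; anything else (javascript:, data:, vbscript:, relative paths)
// is dropped and just the escaped link text is shown.
function safeUrl(string $url): ?string {
    $url = trim($url);
    // parse_url() also yields the scheme for "javascript://host/..." style input,
    // so the allow-list check catches the payload shown in the question.
    $scheme = parse_url($url, PHP_URL_SCHEME);
    if ($scheme === null || !in_array(strtolower($scheme), ['http', 'https'], true)) {
        return null;
    }
    return $url;
}

function bbcodeSafe(string $input): string {
    // Escape the whole input first so raw HTML in the post body cannot inject tags.
    // BBCode markup survives escaping because it uses [ ] rather than < >; the quotes
    // around the url attribute become &quot;, so the pattern matches on that.
    $escaped = htmlspecialchars($input, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return preg_replace_callback(
        '/\[a url=&quot;(.+?)&quot;\](.*?)\[\/a\]/is',
        function (array $m): string {
            // Decode the captured attribute back to the raw URL before validating it.
            $url = safeUrl(html_entity_decode($m[1], ENT_QUOTES | ENT_HTML5, 'UTF-8'));
            if ($url === null) {
                // Disallowed scheme: render only the (already escaped) link text.
                return $m[2];
            }
            // Re-escape the validated URL for use inside a double-quoted attribute.
            $href = htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
            return '<a href="' . $href . '" rel="noopener noreferrer" target="_blank">'
                . $m[2] . '</a>';
        },
        $escaped
    );
}

// Constructed inputs: the payload from the question and a benign link.
echo bbcodeSafe('[a url="javascript://hello.com/%0Aalert(%27s%27)"]XSS[/a]'), "\n";
echo bbcodeSafe('[a url="https://example.com/?q=1&x=2"]ok[/a]'), "\n";
```

Because the allow-list rejects anything without an http or https scheme, relative links such as /page are also dropped; prepend your own site origin before calling safeUrl if those must be supported.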
  • I'm having issues with it working. My BBCode doesn't work when I use the filterOutput function you created. – UnderMyWheel Mar 26 '16 at 19:40
  • Here's a full list of the array for what the BBCode searches for array('/\[b\](.*?)\[\/b\]/is', '/\[i\](.*?)\[\/i\]/is', '/\[strike\](.*?)\[\/strike\]/is', '/\[mark\](.*?)\[\/mark\]/is', '/\[u\](.*?)\[\/u\]/is', '/\[subscript\](.*?)\[\/subscript\]/is', '/\[superscript\](.*?)\[\/superscript\]/is', '/\[a url="(.+?)"\](.*?)\[\/a\]/is'); – UnderMyWheel Mar 26 '16 at 19:43
  • Alright, so basically the BBCode searches for anything like in the array. For example you can do bold like this "[b]Bold[/b]". The BBCode function searches for that and then replaces it with actual HTML. However, I'm having an issue with a user who can use the url in the BBCode and do cross-site injection by putting in a link to "javascript://hello.com/%0Aalert(%27s%27)". – UnderMyWheel Mar 26 '16 at 19:49
  • Let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/107429/discussion-between-maytham-mahtyam-and-anthony). – Maytham Fahmi Mar 26 '16 at 19:50