Aside from SQL injection, the next most common security exploit is cross-site scripting, or XSS. While SQL injection is about how data is input to the database, XSS is about how data is output from it. A good "cleaning" function (one that parses data before it is inserted into the database) could prevent both SQL injection and XSS, but most do not. XSS occurs when a piece of working code is stored in the database and then displayed by simply echoing it.
Most, if not all, XSS attacks involve some sort of malicious JavaScript being injected into the database and then displayed. That JavaScript can cause unwanted pop-ups, download a virus, or steal the visitor's cookies. XSS is not so much a security flaw in the server as a serious security flaw for the user who is browsing your site.
Any input form that takes data directly from the user without cleaning its input and output is open to XSS. For example, if you submit the following through a form whose output is not escaped, you will get a JavaScript alert window.
Code:
';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
The string above will pass through most SQL injection prevention functions, so the main way to combat XSS is to clean your output before it is displayed. You can just as easily clean it before it is entered into the database, but that causes your database to become larger and retain more data - which is why most XSS prevention is done when the database information is output.
Generally, when people addslashes() content that is entered into the database, they stripslashes() the output - because who really wants to see everything escaped with an extra slash? It would look like this:
Quote:
It\'s cold today" or "<font color=\"#FF0000\">Hello World<\/font>
Stripping the slashes and echoing the data would cause the HTML to actually execute. Rather than seeing the HTML itself, all you will see is "Hello World", and it will be coloured. To prevent this it's a good idea to pass all your data through htmlentities(), which converts the special characters (<, ", and >) into their HTML entity equivalents, such as &lt; or &quot;, so that when they are echoed the browser actually displays
Quote:
<font color="#FF0000">Hello World</font>
rather than just "Hello World" in red.
In my scripts, I usually create a function called cleanOutput(), that way every time I echo something from the database I don't have to call stripslashes(htmlentities($output)) every time; I can just call a single function. Moreover, if that function proves to be too weak, I can always make it stronger and not have to update every output line.
PHP Code:
function cleanOutput($var) {
    $var = stripslashes($var); // undo the addslashes() applied when the row was inserted
    $var = htmlentities($var); // encode <, > and " as entities so the browser shows them as text, not markup
    return $var;
}
Doing this:
PHP Code:
echo cleanOutput($output);
Will clean your output. Although there is a lot more "cleaning" you can do, I've found that this is the simplest and has yet to fail me.
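As an added example (not code from the original post), here is the round trip described above run end to end: addslashes() at insert time, cleanOutput() at display time, checked against the polyglot test string quoted earlier. The cleanOutput() and isInert() functions are as defined here, with the htmlentities() flags the post leaves at their defaults made explicit.

```php
<?php
// Added example, not code from the original post. Simulates the post's
// round trip: addslashes() before INSERT, cleanOutput() before echo.

function cleanOutput(string $var): string {
    $var = stripslashes($var); // undo the addslashes() applied before the INSERT
    // ENT_QUOTES also encodes single quotes (the pre-8.1 default ENT_COMPAT does
    // not); ENT_SUBSTITUTE keeps invalid UTF-8 from yielding an empty string.
    return htmlentities($var, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// True when $s contains none of the characters that can open a tag or
// close a quoted attribute value in HTML.
function isInert(string $s): bool {
    return strpbrk($s, "<>\"'") === false;
}

// Constructed sample inputs: the polyglot test string quoted earlier in the
// post (nowdoc, so its backslashes are literal) and the font-tag sample.
$polyglot = <<<'EOT'
';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
EOT;
$samples = [
    'polyglot' => $polyglot,
    'font'     => 'It\'s cold today <font color="#FF0000">Hello World</font>',
];

foreach ($samples as $name => $raw) {
    $stored = addslashes($raw);     // what the input-cleaning step stores
    $out    = cleanOutput($stored); // what gets echoed to the page
    // stripslashes() must exactly undo addslashes(), so the output is just the
    // entity-encoded original, and nothing in it can start a tag or attribute.
    if ($out !== htmlentities($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') || !isInert($out)) {
        throw new RuntimeException("cleanOutput() did not neutralise sample '$name'");
    }
    printf("%-8s -> %s\n", $name, $out);
}

// The caveat: with ENT_COMPAT (the default before PHP 8.1) the single quote
// survives, so the value is only safe inside text or double-quoted attributes.
$legacy = htmlentities("It's cold today", ENT_COMPAT, 'UTF-8');
printf("ENT_COMPAT leaves the quote: %s (inert=%s)\n", $legacy, isInert($legacy) ? 'yes' : 'no');
```

The script throws if either sample comes back with a raw <, >, " or ', and the last line shows why passing the flags explicitly matters on older PHP versions.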