/**
 * Exercises _xss() against a table of XSS payloads (largely the classic
 * ha.ckers.org cheat-sheet vectors): array key = raw input, array value =
 * the exact string _xss() is expected to return for it.
 *
 * The expectations are the real specification of the filter: whole elements
 * such as <script>, <object>, <embed>, <iframe>, <link>, <style>, <meta>,
 * <frameset> and <xml> are removed while their text content is kept; on*
 * event-handler and STYLE attributes are dropped; "javascript:"-style URL
 * schemes (and -moz-binding) are rewritten to "noscript:" rather than
 * removed; surrounding markup such as <IMG ...> survives. The result is
 * therefore still markup, not escaped text, and must still be escaped for
 * the output context.
 *
 * NOTE(review): several entries in this listing look entity-decoded — the
 * three identical `<IMG SRC=javascript:alert('XSS')>` keys contain unescaped
 * quotes, and a few keys contain raw line breaks. In the upstream cheat sheet
 * these are distinct HTML-entity / control-character encodings, so verify the
 * literals against the repository file before relying on them.
 */
public function testXSS()
{
    $inputs = array(
        // whole element removed, inner text (or inner non-blacklisted tags) kept
        '<object data="hack.swf" type="application/x-shockwave-flash"><param name="foo" value="bar"></object>' => '<param name="foo" value="bar">',
        '<OBJECT TYPE="text/x-scriptlet" DATA="http://ha.ckers.org/scriptlet.html"></OBJECT>' => '',
        'XSS attack <object data="hack.swf" type="application/x-shockwave-flash"></object>' => 'XSS attack ',
        'XSS attack <applet code="Bubbles.class">Java applet says XSS.</applet>' => 'XSS attack Java applet says XSS.',
        'XSS attack <embed src="hack.swf">' => 'XSS attack ',
        'XSS attack <iframe src="http://ha.ckers.org/scriptlet.html"></iframe>' => 'XSS attack ',
        'XSS attack <iframe src=http://ha.ckers.org/scriptlet.html></iframe>' => 'XSS attack ',
        '<form type="post">XSS attack</form>' => 'XSS attack',
        '<BASE HREF="javascript:alert(\'XSS\');//">' => '',
        '<EMBED SRC="http://ha.ckers.Using an EMBED tag you can embed a Flash movie that contains XSS. Click here for a demo. If you add the attributes allowScriptAccess="never" and allownetworking="internal" it can mitigate this risk (thank you to Jonathan Vanasco for the info).: org/xss.swf" AllowScriptAccess="always"></EMBED>' => '',
        '<EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" AllowScriptAccess="always"></EMBED>' => '',
        // <script> tags stripped, script body left as plain text
        'XSS attack <SCRIPT>alert("XSS");</SCRIPT>' => 'XSS attack alert("XSS");',
        '<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>' => '',
        '<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>' => '',
        '<SCRIPT/SRC="http://ha.ckers.org/xss.js"></SCRIPT>' => '',
        '<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>' => '',
        '<<SCRIPT>alert("XSS");//<</SCRIPT>' => '<alert("XSS");//<',
        'XSS<SCRIPT 
SRC=http://ha.ckers.org/xss.js?< B > attack' => 'XSS attack',
        '<SCRIPT SRC=//ha.ckers.org/.j>XSS attack' => 'XSS attack',
        '</script><script>alert(\'XSS\');</script>' => 'alert(\'XSS\');',
        '</TITLE><SCRIPT>alert("XSS");</SCRIPT>' => 'alert("XSS");',
        '<SCRIPT SRC="http://ha.ckers.org/xss.jpg"></SCRIPT>' => '',
        '<IMG """><SCRIPT>alert("XSS")</SCRIPT>">' => '<IMG """>alert("XSS")">',
        // script URL schemes are rewritten to "noscript:", the tag itself survives
        '<IMG SRC="javascript:alert(\'XSS\');">' => '<IMG SRC="noscript:alert(\'XSS\');">',
        '<IMG SRC=javascript:alert(\'XSS\');>' => '<IMG SRC=noscript:alert(\'XSS\');>',
        '<IMG SRC=JaVaScRiPt:alert(\'XSS\')>' => '<IMG SRC=noscript:alert(\'XSS\')>',
        '<IMG SRC=javascript:alert("XSS")>' => '<IMG SRC=noscript:alert("XSS")>',
        '<IMG SRC="jav
ascript:alert(\'XSS\');">' => '<IMG SRC="noscript:alert(\'XSS\');">',
        '<IMG SRC="jav
ascript:alert(\'XSS\');">' => '<IMG SRC="noscript:alert(\'XSS\');">',
        '<IMG SRC="jav	ascript:alert(\'XSS\');">' => '<IMG SRC="noscript:alert(\'XSS\');">',
        '<IMG SRC="jav ascript:alert(\'XSS\');">' => '<IMG SRC="noscript:alert(\'XSS\');">',
        '<IMG SRC="  javascript:alert(\'XSS\');">' => '<IMG SRC="noscript:alert(\'XSS\');">',
        '<IMG SRC=`javascript:alert("RSnake says, \'XSS\'")`>' => '<IMG SRC=`noscript:alert("RSnake says, \'XSS\'")`>',
        'perl -e \'print "<IMG SRC=java\\0script:alert(\\"XSS\\")>";\' > out' => 'perl -e \'print "<IMG SRC=noscript:alert("XSS")>";\' > out',
        '<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>' => '<IMG SRC=noscript:alert(String.fromCharCode(88,83,83))>',
        'xss <IMG SRC="javascript:alert(\'XSS\')" attack' => 'xss <IMG SRC="noscript:alert(\'XSS\')" attack',
        '<INPUT TYPE="IMAGE" SRC="javascript:alert(\'XSS\');">' => '<INPUT TYPE="IMAGE" SRC="noscript:alert(\'XSS\');">',
        '<IMG DYNSRC="javascript:alert(\'XSS\')">' => '<IMG DYNSRC="noscript:alert(\'XSS\')">',
        '<IMG LOWSRC="javascript:alert(\'XSS\')">' => '<IMG LOWSRC="noscript:alert(\'XSS\')">',
        '<IMG SRC=\'vbscript:msgbox("XSS")\'>' => '<IMG SRC=\'noscript:msgbox("XSS")\'>',
        '<IMG SRC="livescript:[code]">' => '<IMG SRC="noscript:[code]">',
        '<STYLE>li {list-style-image: url("javascript:alert(\'XSS\')");}</STYLE><UL><LI>XSS</br>' => 'li {list-style-image: url("noscript:alert(\'XSS\')");}<UL><LI>XSS</br>',
        '<body style=\'-moz-binding:url("http://ha.ckers.org/xssmoz.xml#xss")\'></body>' => '<body style=\'noscript:url("http://ha.ckers.org/xssmoz.xml#xss")\'></body>',
        '<STYLE>BODY{-moz-binding:url("http://ha.ckers.org/xssmoz.xml#xss")}</STYLE>' => 'BODY{noscript:url("http://ha.ckers.org/xssmoz.xml#xss")}',
        '<STYLE type="text/css">BODY{-moz-binding:url("http://ha.ckers.org/xssmoz.xml#xss")}</STYLE>' => 'BODY{noscript:url("http://ha.ckers.org/xssmoz.xml#xss")}',
        // on* event-handler attributes are dropped (note the leftover space before ">")
        '<IMG SRC=# onmouseover="alert(\'xxs\')">' => '<IMG SRC=# >',
        '<IMG SRC= onmouseover="alert(\'xxs\')">' => '<IMG SRC= >',
        '<IMG 
onmouseover="alert(\'xxs\')">' => '<IMG >',
        '<IMG SRC=/ onerror="alert(String.fromCharCode(88,83,83))"></img>' => '<IMG SRC=/ ></img>',
        '<BODY onload!#$%&()*~+-_.,:;?@[/|\\]^`=alert("XSS")>' => '<BODY >',
        '<BODY ONLOAD=alert(\'XSS\')>' => '<BODY >',
        '<a onmouseover="alert(document.cookie)">xss link</a>' => '<a >xss link</a>',
        '<a onmouseover=alert(document.cookie)>xss link</a>' => '<a >xss link</a>',
        // NOTE(review): these three keys are identical and syntactically broken in this
        // view; upstream they are decimal / unterminated-decimal / hex entity encodings
        'XSS <IMG SRC=javascript:alert('XSS')> attack' => 'XSS <IMG SRC> attack',
        'XSS <IMG SRC=javascript:alert('XSS')> attack' => 'XSS <IMG SRC> attack',
        'XSS <IMG SRC=javascript:alert('XSS')> attack' => 'XSS <IMG SRC> attack',
        'XSS<BGSOUND SRC="javascript:alert(\'XSS\');"> attack' => 'XSS attack',
        '<LINK REL="stylesheet" HREF="javascript:alert(\'XSS\');">' => '',
        '<LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">' => '',
        '<STYLE>@import\'http://ha.ckers.org/xss.css\';</STYLE>' => '@import\'http://ha.ckers.org/xss.css\';',
        '<STYLE>@im\\port\'\\ja\\vasc\\ript:alert("XSS")\';</STYLE>' => '@import\'noscript:alert("XSS")\';',
        // benign markup passes through unchanged
        '<img src="" style="margin:3px" vspace="1" hspace="1" />' => '<img src="" style="margin:3px" vspace="1" hspace="1" />',
        '<STYLE TYPE="text/javascript">alert(\'XSS\');</STYLE>' => 'alert(\'XSS\');',
        '<STYLE>.XSS{background-image:url("javascript:alert(\'XSS\')");}</STYLE><A CLASS=XSS></A>' => '.XSS{background-image:url("noscript:alert(\'XSS\')");}<A CLASS=XSS></A>',
        '<STYLE type="text/css">BODY{background:url("javascript:alert(\'XSS\')")}</STYLE>' => 'BODY{background:url("noscript:alert(\'XSS\')")}',
        // STYLE attributes carrying expression()/behavior are dropped entirely
        '<IMG STYLE="xss:expr/*XSS*/ession(alert(\'XSS\'))">' => '<IMG >',
        '<XSS STYLE="xss:expression(alert(\'XSS\'))">' => '<XSS >',
        '<XSS STYLE="behavior: url(xss.htc);">' => '<XSS >',
        '<DIV STYLE="width: expression(alert(\'XSS\'));">' => '<DIV >',
        '<META HTTP-EQUIV="Link" Content="<http://ha.ckers.org/xss.css>; REL=stylesheet">' => '; REL=stylesheet">',
        '<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert(\'XSS);">' => '',
        '<META HTTP-EQUIV="refresh" 
CONTENT="0;url=javascript:alert(\'XSS\');">' => '',
        '<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">' => '',
        '<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert(\'XSS\');">' => '',
        '<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert(\'XSS\')</SCRIPT>">' => 'alert(\'XSS\')">',
        '<IFRAME SRC="javascript:alert(\'XSS\');"></IFRAME>xss attack' => 'xss attack',
        '<IFRAME SRC=# onmouseover="alert(document.cookie)"></IFRAME>' => '',
        '<FRAMESET><FRAME SRC="javascript:alert(\'XSS\');"></FRAMESET>' => '',
        '<TABLE BACKGROUND="javascript:alert(\'XSS\')">' => '<TABLE BACKGROUND="noscript:alert(\'XSS\')">',
        '<DIV STYLE="background-image: url(javascript:alert(\'XSS\'))">' => '<DIV STYLE="background-image: url(noscript:alert(\'XSS\'))">',
        '<!--[if gte IE 4]> <SCRIPT>alert(\'XSS\');</SCRIPT> <![endif]-->' => '<!--[if gte IE 4]> alert(\'XSS\'); <![endif]-->',
        '<XML SRC="xsstest.xml" ID=I></XML><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>' => '<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>',
        '<XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert(\'XSS\')"></B></I></XML><SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>' => '<I><B><IMG SRC="noscript:alert(\'XSS\')"></B></I><SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>',
        '<HTML><BODY><?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"><?import namespace="t" implementation="#default#time2"><t:set attributeName="innerHTML" to="XSS<SCRIPT DEFER>alert("XSS")</SCRIPT>"></BODY></HTML>' => '<HTML><BODY><?import namespace="t" implementation="#default#time2"><t:set attributeName="innerHTML" to="XSSalert("XSS")"></BODY></HTML>',
        '<!--#exec cmd="/bin/echo \'<SCR\'"--><!--#exec cmd="/bin/echo \'IPT SRC=http://ha.ckers.org/xss.js></SCRIPT>\'"-->' => '\'"-->',
        // NOTE(review): the expected value below contains a raw line break the input
        // does not; likely a rendering artefact — confirm against the repository file
        '<IMG SRC="http://www.thesiteyouareon.com/somecommand.php?somevariables=maliciouscode">' => '<IMG 
SRC="http://www.thesiteyouareon.com/somecommand.php?somevariables=maliciouscode">',
        '<HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7"> </HEAD>+ADw-SCRIPT+AD4-alert(\'XSS\');+ADw-/SCRIPT+AD4-' => '<HEAD> </HEAD>+ADw-SCRIPT+AD4-alert(\'XSS\');+ADw-/SCRIPT+AD4-',
        // malformed <SCRIPT ...> openers: the tag is cut at the first ">" inside the attribute value
        '<SCRIPT a=">" SRC="http://ha.ckers.org/xss.js"></SCRIPT>' => '" SRC="http://ha.ckers.org/xss.js">',
        '<SCRIPT =">" SRC="http://ha.ckers.org/xss.js"></SCRIPT>' => '" SRC="http://ha.ckers.org/xss.js">',
        '<SCRIPT a=">" \'\' SRC="http://ha.ckers.org/xss.js"></SCRIPT>' => '" \'\' SRC="http://ha.ckers.org/xss.js">',
        '<SCRIPT "a=\'>\'" SRC="http://ha.ckers.org/xss.js"></SCRIPT>' => '\'" SRC="http://ha.ckers.org/xss.js">',
        '<SCRIPT a=`>` SRC="http://ha.ckers.org/xss.js"></SCRIPT>' => '` SRC="http://ha.ckers.org/xss.js">',
        '<SCRIPT a=">\'>" SRC="http://ha.ckers.org/xss.js"></SCRIPT>' => '\'>" SRC="http://ha.ckers.org/xss.js">',
        '<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://ha.ckers.org/xss.js"></SCRIPT>' => 'document.write("<SCRI");PT SRC="http://ha.ckers.org/xss.js">'
    );
    foreach ($inputs as $input => $expected) {
        $this->assertEqual(_xss($input), $expected);
    }
}
/**
 * Returns the value to put back into a rich-text editor or any input whose
 * HTML source must be rendered, so that markup and quotes can be echoed into
 * a form element without breaking out of it.
 *
 * When a POST has been submitted, the submitted field value is first run
 * through _xss() and then through _h(); a submitted form that lacks the
 * field yields '' (the default is NOT used in that case). Without a POST the
 * default value is returned through _h() only.
 *
 * Note that _xss() is a blacklist rewrite (see the expectations in testXSS():
 * tag skeletons and "noscript:" URLs survive), so the _h() step is the part
 * that makes the returned string safe to place in an HTML attribute or body.
 *
 * @param string $name         The input element field name
 * @param mixed  $defaultValue The default value of the input element (optional)
 *
 * @return mixed The value of the input element
 */
public static function htmlValue($name, $defaultValue = null)
{
    if (!count($_POST)) {
        // no submission: only the caller-supplied default is shown
        return _h($defaultValue);
    }
    if (!isset($_POST[$name])) {
        // submitted form without this field: empty, not the default
        return '';
    }
    return _h(_xss($_POST[$name]));
}
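/**
 * Strips javascript tags in the value to prevent from XSS attack
 *
 * Scalars are handed to __xss() (the actual filter, defined elsewhere).
 * Arrays are walked recursively with their keys preserved, and objects are
 * returned untouched at any nesting depth. Previously an object nested
 * inside an array was passed to __xss() while a top-level object was not;
 * the recursion now treats both the same way.
 *
 * The expectations in testXSS() show that the filter is a blacklist rewrite,
 * not an escaper: tag skeletons such as `<IMG SRC=# >` survive and script
 * URL schemes are rewritten to "noscript:". Treat the result as reduced-risk
 * markup and still escape it for the output context (htmlValue() does this
 * by passing the result through _h()).
 *
 * @param mixed $value The value or The array of values being stripped.
 * @return mixed the cleaned value
 */
function _xss($value)
{
    if (is_object($value)) {
        return $value;
    }
    if (is_array($value)) {
        foreach ($value as $key => $val) {
            // recursion covers nested arrays, objects and scalars uniformly
            $value[$key] = _xss($val);
        }
        return $value;
    }
    return __xss($value);
}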