/**
 * Pins the behaviour of _xss() against a table of classic XSS payloads (the
 * ha.ckers.org cheat-sheet vectors): each key is the raw input and each value
 * is the exact string _xss() is expected to return.
 *
 * Read together, the expectations document what the filter does and does not do:
 * - script-bearing elements (script, object, embed, applet, iframe, frameset,
 *   base, link, meta, style, xml, bgsound, form) are removed, usually keeping
 *   their text content ('<SCRIPT>alert("XSS");</SCRIPT>' -> 'alert("XSS");');
 * - on* event handlers are dropped from surviving tags, as are style attributes
 *   carrying expression()/behavior:, while harmless style attributes stay;
 * - javascript:/vbscript:/livescript: schemes and -moz-binding are rewritten to
 *   'noscript:' rather than removed, and numeric-entity-encoded scheme values
 *   are dropped from the attribute ('<IMG SRC>');
 * - everything else passes through unchanged, including UTF-7 encoded text and
 *   attribute fragments left behind by malformed script tags. The result is
 *   therefore a lossy tag-stripper, not an HTML-safe string; callers still
 *   escape on output (htmlValue() applies _h() after _xss()).
 */
public function testXSS()
    {
        // NOTE(review): the '<EMBED SRC="http://ha.ckers.…' entry below appears to
        // contain cheat-sheet prose spliced into the literal ("Using an EMBED tag you
        // can embed a Flash movie …"), and several entries are wrapped across lines
        // mid-literal; confirm these cases against the original fixture before
        // relying on them.
        $inputs = array('<object data="hack.swf" type="application/x-shockwave-flash"><param name="foo" value="bar"></object>' => '<param name="foo" value="bar">', '<OBJECT TYPE="text/x-scriptlet" DATA="http://ha.ckers.org/scriptlet.html"></OBJECT>' => '', 'XSS attack <object data="hack.swf" type="application/x-shockwave-flash"></object>' => 'XSS attack ', 'XSS attack <applet code="Bubbles.class">Java applet says XSS.</applet>' => 'XSS attack Java applet says XSS.', 'XSS attack <embed src="hack.swf">' => 'XSS attack ', 'XSS attack <iframe src="http://ha.ckers.org/scriptlet.html"></iframe>' => 'XSS attack ', 'XSS attack <iframe src=http://ha.ckers.org/scriptlet.html></iframe>' => 'XSS attack ', '<form type="post">XSS attack</form>' => 'XSS attack', '<BASE HREF="javascript:alert(\'XSS\');//">' => '', '<EMBED SRC="http://ha.ckers.Using an EMBED tag you can embed a Flash movie that contains XSS. Click here for a demo. If you add the attributes allowScriptAccess="never" and allownetworking="internal" it can mitigate this risk (thank you to Jonathan Vanasco for the info).:
org/xss.swf" AllowScriptAccess="always"></EMBED>' => '', '<EMBED SRC=" A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" AllowScriptAccess="always"></EMBED>' => '', 'XSS attack <SCRIPT>alert("XSS");</SCRIPT>' => 'XSS attack alert("XSS");', '<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>' => '', '<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>' => '', '<SCRIPT/SRC="http://ha.ckers.org/xss.js"></SCRIPT>' => '', '<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>' => '', '<<SCRIPT>alert("XSS");//<</SCRIPT>' => '<alert("XSS");//<', 'XSS<SCRIPT SRC=http://ha.ckers.org/xss.js?< B > attack' => 'XSS attack', '<SCRIPT SRC=//ha.ckers.org/.j>XSS attack' => 'XSS attack', '</script><script>alert(\'XSS\');</script>' => 'alert(\'XSS\');', '</TITLE><SCRIPT>alert("XSS");</SCRIPT>' => 'alert("XSS");', '<SCRIPT SRC="http://ha.ckers.org/xss.jpg"></SCRIPT>' => '', '<IMG """><SCRIPT>alert("XSS")</SCRIPT>">' => '<IMG """>alert("XSS")">', '<IMG SRC="javascript:alert(\'XSS\');">' => '<IMG SRC="noscript:alert(\'XSS\');">', '<IMG SRC=javascript:alert(\'XSS\');>' => '<IMG SRC=noscript:alert(\'XSS\');>', '<IMG SRC=JaVaScRiPt:alert(\'XSS\')>' => '<IMG SRC=noscript:alert(\'XSS\')>', '<IMG SRC=javascript:alert("XSS")>' => '<IMG SRC=noscript:alert("XSS")>', '<IMG SRC="jav&#x0A;ascript:alert(\'XSS\');">' => '<IMG SRC="noscript:alert(\'XSS\');">', '<IMG SRC="jav&#x0D;ascript:alert(\'XSS\');">' => '<IMG SRC="noscript:alert(\'XSS\');">', '<IMG SRC="jav&#x09;ascript:alert(\'XSS\');">' => '<IMG SRC="noscript:alert(\'XSS\');">', '<IMG SRC="jav	ascript:alert(\'XSS\');">' => '<IMG SRC="noscript:alert(\'XSS\');">', '<IMG SRC=" &#14;  javascript:alert(\'XSS\');">' => '<IMG SRC="noscript:alert(\'XSS\');">', '<IMG 
SRC=`javascript:alert("RSnake says, \'XSS\'")`>' => '<IMG SRC=`noscript:alert("RSnake says, \'XSS\'")`>', 'perl -e \'print "<IMG SRC=java\\0script:alert(\\"XSS\\")>";\' > out' => 'perl -e \'print "<IMG SRC=noscript:alert("XSS")>";\' > out', '<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>' => '<IMG SRC=noscript:alert(String.fromCharCode(88,83,83))>', 'xss <IMG SRC="javascript:alert(\'XSS\')" attack' => 'xss <IMG SRC="noscript:alert(\'XSS\')" attack', '<INPUT TYPE="IMAGE" SRC="javascript:alert(\'XSS\');">' => '<INPUT TYPE="IMAGE" SRC="noscript:alert(\'XSS\');">', '<IMG DYNSRC="javascript:alert(\'XSS\')">' => '<IMG DYNSRC="noscript:alert(\'XSS\')">', '<IMG LOWSRC="javascript:alert(\'XSS\')">' => '<IMG LOWSRC="noscript:alert(\'XSS\')">', '<IMG SRC=\'vbscript:msgbox("XSS")\'>' => '<IMG SRC=\'noscript:msgbox("XSS")\'>', '<IMG SRC="livescript:[code]">' => '<IMG SRC="noscript:[code]">', '<STYLE>li {list-style-image: url("javascript:alert(\'XSS\')");}</STYLE><UL><LI>XSS</br>' => 'li {list-style-image: url("noscript:alert(\'XSS\')");}<UL><LI>XSS</br>', '<body style=\'-moz-binding:url("http://ha.ckers.org/xssmoz.xml#xss")\'></body>' => '<body style=\'noscript:url("http://ha.ckers.org/xssmoz.xml#xss")\'></body>', '<STYLE>BODY{-moz-binding:url("http://ha.ckers.org/xssmoz.xml#xss")}</STYLE>' => 'BODY{noscript:url("http://ha.ckers.org/xssmoz.xml#xss")}', '<STYLE type="text/css">BODY{-moz-binding:url("http://ha.ckers.org/xssmoz.xml#xss")}</STYLE>' => 'BODY{noscript:url("http://ha.ckers.org/xssmoz.xml#xss")}', '<IMG SRC=# onmouseover="alert(\'xxs\')">' => '<IMG SRC=# >', '<IMG SRC= onmouseover="alert(\'xxs\')">' => '<IMG SRC= >', '<IMG onmouseover="alert(\'xxs\')">' => '<IMG >', '<IMG SRC=/ onerror="alert(String.fromCharCode(88,83,83))"></img>' => '<IMG SRC=/ ></img>', '<BODY onload!#$%&()*~+-_.,:;?@[/|\\]^`=alert("XSS")>' => '<BODY >', '<BODY ONLOAD=alert(\'XSS\')>' => '<BODY >', '<a onmouseover="alert(document.cookie)">xss link</a>' => '<a >xss link</a>', '<a 
onmouseover=alert(document.cookie)>xss link</a>' => '<a >xss link</a>', 'XSS <IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;> attack' => 'XSS <IMG SRC> attack', 'XSS <IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041> attack' => 'XSS <IMG SRC> attack', 'XSS <IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29> attack' => 'XSS <IMG SRC> attack', 'XSS<BGSOUND SRC="javascript:alert(\'XSS\');"> attack' => 'XSS attack', '<LINK REL="stylesheet" HREF="javascript:alert(\'XSS\');">' => '', '<LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">' => '', '<STYLE>@import\'http://ha.ckers.org/xss.css\';</STYLE>' => '@import\'http://ha.ckers.org/xss.css\';', '<STYLE>@im\\port\'\\ja\\vasc\\ript:alert("XSS")\';</STYLE>' => '@import\'noscript:alert("XSS")\';', '<img src="" style="margin:3px" vspace="1" hspace="1" />' => '<img src="" style="margin:3px" vspace="1" hspace="1" />', '<STYLE TYPE="text/javascript">alert(\'XSS\');</STYLE>' => 'alert(\'XSS\');', '<STYLE>.XSS{background-image:url("javascript:alert(\'XSS\')");}</STYLE><A CLASS=XSS></A>' => '.XSS{background-image:url("noscript:alert(\'XSS\')");}<A CLASS=XSS></A>', '<STYLE type="text/css">BODY{background:url("javascript:alert(\'XSS\')")}</STYLE>' => 'BODY{background:url("noscript:alert(\'XSS\')")}', '<IMG STYLE="xss:expr/*XSS*/ession(alert(\'XSS\'))">' => '<IMG >', '<XSS STYLE="xss:expression(alert(\'XSS\'))">' => '<XSS >', '<XSS STYLE="behavior: url(xss.htc);">' => '<XSS >', '<DIV STYLE="width: expression(alert(\'XSS\'));">' => '<DIV >', '<META HTTP-EQUIV="Link" Content="<http://ha.ckers.org/xss.css>; REL=stylesheet">' => '; REL=stylesheet">', '<META HTTP-EQUIV="refresh" 
CONTENT="0;url=javascript:alert(\'XSS);">' => '', '<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert(\'XSS\');">' => '', '<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">' => '', '<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert(\'XSS\');">' => '', '<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert(\'XSS\')</SCRIPT>">' => 'alert(\'XSS\')">', '<IFRAME SRC="javascript:alert(\'XSS\');"></IFRAME>xss attack' => 'xss attack', '<IFRAME SRC=# onmouseover="alert(document.cookie)"></IFRAME>' => '', '<FRAMESET><FRAME SRC="javascript:alert(\'XSS\');"></FRAMESET>' => '', '<TABLE BACKGROUND="javascript:alert(\'XSS\')">' => '<TABLE BACKGROUND="noscript:alert(\'XSS\')">', '<DIV STYLE="background-image: url(javascript:alert(\'XSS\'))">' => '<DIV STYLE="background-image: url(noscript:alert(\'XSS\'))">', '<!--[if gte IE 4]> <SCRIPT>alert(\'XSS\');</SCRIPT> <![endif]-->' => '<!--[if gte IE 4]> alert(\'XSS\'); <![endif]-->', '<XML SRC="xsstest.xml" ID=I></XML><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>' => '<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>', '<XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert(\'XSS\')"></B></I></XML><SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>' => '<I><B><IMG SRC="noscript:alert(\'XSS\')"></B></I><SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>', '<HTML><BODY><?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"><?import namespace="t" implementation="#default#time2"><t:set attributeName="innerHTML" to="XSS<SCRIPT DEFER>alert("XSS")</SCRIPT>"></BODY></HTML>' => '<HTML><BODY><?import namespace="t" implementation="#default#time2"><t:set attributeName="innerHTML" to="XSSalert("XSS")"></BODY></HTML>', '<!--#exec cmd="/bin/echo \'<SCR\'"--><!--#exec cmd="/bin/echo \'IPT SRC=http://ha.ckers.org/xss.js></SCRIPT>\'"-->' => '\'"-->', '<IMG 
SRC="http://www.thesiteyouareon.com/somecommand.php?somevariables=maliciouscode">' => '<IMG SRC="http://www.thesiteyouareon.com/somecommand.php?somevariables=maliciouscode">', '<HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7"> </HEAD>+ADw-SCRIPT+AD4-alert(\'XSS\');+ADw-/SCRIPT+AD4-' => '<HEAD> </HEAD>+ADw-SCRIPT+AD4-alert(\'XSS\');+ADw-/SCRIPT+AD4-', '<SCRIPT a=">" SRC="http://ha.ckers.org/xss.js"></SCRIPT>' => '" SRC="http://ha.ckers.org/xss.js">', '<SCRIPT =">" SRC="http://ha.ckers.org/xss.js"></SCRIPT>' => '" SRC="http://ha.ckers.org/xss.js">', '<SCRIPT a=">" \'\' SRC="http://ha.ckers.org/xss.js"></SCRIPT>' => '" \'\' SRC="http://ha.ckers.org/xss.js">', '<SCRIPT "a=\'>\'" SRC="http://ha.ckers.org/xss.js"></SCRIPT>' => '\'" SRC="http://ha.ckers.org/xss.js">', '<SCRIPT a=`>` SRC="http://ha.ckers.org/xss.js"></SCRIPT>' => '` SRC="http://ha.ckers.org/xss.js">', '<SCRIPT a=">\'>" SRC="http://ha.ckers.org/xss.js"></SCRIPT>' => '\'>" SRC="http://ha.ckers.org/xss.js">', '<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://ha.ckers.org/xss.js"></SCRIPT>' => 'document.write("<SCRI");PT SRC="http://ha.ckers.org/xss.js">');
        // Exact-match comparison: the filter's output is pinned character for
        // character, so any change to __xss()/_xss() shows up as a diff here.
        foreach ($inputs as $input => $expected) {
            $this->assertEqual(_xss($input), $expected);
        }
    }
 /**
  * Returns the value to render into a form field whose content is HTML source
  * (e.g. a rich text editor), escaped so it can sit inside the element without
  * breaking out of it.
  *
  * A non-empty $_POST is taken as "the form was submitted": the submitted value
  * then wins over the default, and is passed through _xss() (the tag-stripping
  * filter) before _h() (presumably the HTML escape used by the form helpers;
  * confirm). A field that is absent from a non-empty POST yields '' rather than
  * falling back to the default. With no POST data at all, the default is
  * returned through _h() unchanged by _xss().
  *
  * @param string $name The input element field name
  * @param mixed $defaultValue The default value of the input element (optional)
  *
  * @return mixed The value of the input element
  */
 public static function htmlValue($name, $defaultValue = null)
 {
     $formSubmitted = count($_POST) > 0;
     if (!$formSubmitted) {
         return _h($defaultValue);
     }
     // Submitted but this field did not come through: render nothing.
     return isset($_POST[$name]) ? _h(_xss($_POST[$name])) : '';
 }
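/**
 * Strips javascript tags in the value to prevent from XSS attack.
 *
 * Applies the per-string filter __xss() to every scalar reachable from $value,
 * recursing into nested arrays and preserving their keys. Objects are returned
 * untouched at any depth; this function is therefore no protection for values
 * that carry their content inside objects.
 *
 * What __xss() does is pinned by testXSS(): script-bearing elements are removed
 * (their text content usually kept), on* handlers are dropped, and
 * javascript:/vbscript:/livescript: schemes are rewritten to 'noscript:'. It is
 * a lossy tag-stripper, not an output encoder, so the result still needs
 * context-appropriate escaping on output (htmlValue() applies _h() afterwards).
 *
 * @param mixed $value The value or The array of values being stripped.
 * @return mixed the cleaned value
 */
function _xss($value)
{
    // Objects are passed through as-is; there is nothing to filter without
    // knowing their shape.
    if (is_object($value)) {
        return $value;
    }
    if (is_array($value)) {
        // Recurse uniformly so that nested arrays, scalars and objects get the
        // same treatment as a top-level value. Previously a nested object was
        // handed to __xss() while a top-level one was returned untouched.
        foreach ($value as $key => $val) {
            $value[$key] = _xss($val);
        }
        return $value;
    }
    return __xss($value);
}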