Comments on: Snippets of defense Pt.III

By: Content Injection: Hack the Hacker | GNUCITIZEN

Content Injection: Hack the Hacker | GNUCITIZEN — Mon, 08 Mar 2010 12:21:01 +0000

[...] blocking etc). Check out some of Mario’s code snippets of defense for the idea: here, here, here, and [...]

By: Content Injection: Hack the Hacker » Inking's Security Blog

Content Injection: Hack the Hacker » Inking's Security Blog — Fri, 11 Apr 2008 14:48:34 +0000

[...] blocking etc). Check out some of Marioâ€™s code snippets of defense for the idea: here, here, here, and [...]

By: Raaka!

Raaka! — Fri, 26 Oct 2007 19:19:38 +0000

LOL =))

where is reZen now :p

thanks for the code

By: Mario Heiderich

Mario Heiderich — Mon, 22 Oct 2007 21:13:49 +0000

Hey ReZEN – click that, junior!
http://tinyurl.com/2h3ps6

You should have read my post ;)

By: pdp

pdp — Mon, 22 Oct 2007 16:10:20 +0000

ReZEN, if you don’t like it, please don’t read it. All .mario did is to show a kind of code which may fit into some scenarios. We all know that there are no bulletproof solutions.

By: ReZEN

ReZEN — Mon, 22 Oct 2007 14:57:58 +0000

.mario:

Wow this is hilarious. Kids and their games. Next time you want to post pure crap just through up a link to rotten.com or ogrish or something and quit wasting everyones time with your absolute shit code. Have you done NO research on this subject at all? And if you had THIS IS WHAT YOU CAME UP WITH?

By: Wade

Wade — Mon, 22 Oct 2007 14:35:14 +0000

mario. sorry for rehashing this again, but I don't want to see anyone using this code thinking that it's going to save them against XSS. As previously mentioned by kuza55 and digi7al64, $_GET and $_POST values (which would typically used by developers) are not being affected by the sanitation script. For this to be more "copy and paste" friendly, you might want to initialize the whole thing by using:

$_GET = filter($_GET);
$_POST = filter($_POST);
$_COOKIE = filter($_COOKIE);

By: pdp

pdp — Sun, 21 Oct 2007 06:50:50 +0000

digi7al64, wordpress will try to prevent you from posting anything that looks like HTML. Just make sure that all your < are replaced < and > is replaced with > :) cheers

By: digi7al64

digi7al64 — Sun, 21 Oct 2007 03:29:05 +0000

it seems this blog removed half of my code. therefore don’t worry about approving my post, please delete it. i don’t intend to repost

By: digi7al64

digi7al64 — Sun, 21 Oct 2007 03:26:25 +0000

I been using a similar method to the one you presented here for a while now but there are a few different things in mine that perhaps could be blended into yours to make it safer.

I.E

> I use the iconv function to force an encoding set on the supplied data
> I loop through each $_POST and $_GET and set the values that way (as kuza55 suggested [cookie not included as this is only an idea to get you going])

Finally, there is a small bug in my code (intentional for this post) so post back if you can find how to make it throw an error, should be easy :)

oh and as a final thought, generally you might want to trim the string straight up to a fixed length you know you can handle it with whatever you want to do.

$value){
			$_POST[$name] = santize($value);
		}
	}
	
	// Clean any supplied get values
	if(isset($_GET)) {
		foreach($_GET as $name => $value){
			$_GET[$name] = santize($value);
		}
	}
?>

By: David

David — Sat, 20 Oct 2007 22:05:13 +0000

Not really recursive (function doesn't call itself, just goes 1 level into an array). Seems you can reduce the whole thing to 1 function by using actual recursion:

 $var) {
				$safe_html[$key]=recurs_escape_html($var);
			}
		} else {
			return htmlentities($data, ENT_QUOTES, 'ISO-8859-1');
		}
		return $safe_html;
	}
?>

By: .mario

.mario — Sat, 20 Oct 2007 12:00:28 +0000

Hi!

Thanks for the comments.

Kuza55 you are right – $_REQUEST _can_ be problematic in some setups but this is example is more to show on how you can build an easy to extend first solution to cope with global input filtering – which I really rarely come to see during work. It of course no ‘use it and be happy forever’ solution but a snippet to point into a certain direction.

Greetings,
.mario

By: kuza55

kuza55 — Sat, 20 Oct 2007 11:46:43 +0000

You're missing the end of a line:

return strip_tags(str_replace($search, $replace, $string)

should be

return strip_tags(str_replace($search, $replace, $string));

Furthermore editing $_REQUEST does not change the values in $_GET, $_POST, $_COOKIE, etc. SO you would need to do this to every array you want to sanitize, and then reconstruct $_REQUEST from your already filtered initial arrays. This is purely IMO, but $_REQUEST seems like a bad idea, since you don't know where the stuff your working with came from, especially considering it relies on the variables_order directive. Anyway, this seems pretty much identical to magic_quotes so I'm not going to bother criticising it since the arguments for/against magic_quotes have been rehashed enough times already.

By: Sirw2p

Sirw2p — Sat, 20 Oct 2007 10:08:41 +0000

Good code, but there are easier ways to filter and prevent xss attacks.

By: NIX

NIX — Sat, 20 Oct 2007 09:26:02 +0000

thats a good one ;)
thanks