|
1
|
|
|
<?php |
|
2
|
|
|
|
|
3
|
|
|
namespace devtoolboxuk\soteria\handlers; |
|
4
|
|
|
|
|
5
|
|
|
use devtoolboxuk\soteria\models\SoteriaModel; |
|
6
|
|
|
|
|
7
|
|
|
use devtoolboxuk\soteriautf\Resources\Attributes; |
|
8
|
|
|
use devtoolboxuk\soteriautf\Resources\Exploded; |
|
9
|
|
|
use devtoolboxuk\soteriautf\Resources\Html; |
|
10
|
|
|
use devtoolboxuk\soteriautf\Resources\JavaScript; |
|
11
|
|
|
use devtoolboxuk\soteriautf\Resources\NeverAllowed; |
|
12
|
|
|
use devtoolboxuk\soteriautf\Resources\System; |
|
13
|
|
|
use devtoolboxuk\soteriautf\Resources\StringResource; |
|
14
|
|
|
|
|
15
|
|
|
use devtoolboxuk\soteriautf\Utf8; |
|
16
|
|
|
use devtoolboxuk\soteriautf\Utf7; |
|
17
|
|
|
|
|
18
|
|
|
|
|
19
|
|
|
class Xss |
|
20
|
|
|
{ |
|
21
|
|
|
|
|
22
|
|
|
private $_xss_found = null; |
|
23
|
|
|
private $neverAllowed; |
|
24
|
|
|
private $exploded; |
|
25
|
|
|
private $string; |
|
26
|
|
|
private $attributes; |
|
27
|
|
|
private $javascript; |
|
28
|
|
|
private $html; |
|
29
|
|
|
private $utf7; |
|
30
|
|
|
private $utf8; |
|
31
|
|
|
private $strings; |
|
32
|
|
|
private $system; |
|
33
|
|
|
private $input; |
|
34
|
|
|
private $output; |
|
35
|
|
|
|
|
36
|
|
|
|
|
37
|
6 |
|
function __construct() |
|
|
|
|
|
|
38
|
|
|
{ |
|
39
|
6 |
|
$this->init(); |
|
40
|
6 |
|
} |
|
41
|
|
|
|
|
42
|
6 |
|
function init() |
|
|
|
|
|
|
43
|
|
|
{ |
|
44
|
|
|
|
|
45
|
6 |
|
$this->neverAllowed = new NeverAllowed(); |
|
46
|
|
|
|
|
47
|
6 |
|
$this->exploded = new Exploded(); |
|
48
|
|
|
|
|
49
|
6 |
|
$this->attributes = new Attributes(); |
|
50
|
6 |
|
$this->javascript = new JavaScript(); |
|
51
|
6 |
|
$this->html = new Html(); |
|
52
|
|
|
|
|
53
|
6 |
|
$this->system = new System(); |
|
54
|
|
|
|
|
55
|
6 |
|
$this->utf7 = new Utf7(); |
|
56
|
6 |
|
$this->utf8 = new Utf8(); |
|
57
|
|
|
|
|
58
|
6 |
|
$this->strings = new StringResource(); |
|
59
|
6 |
|
} |
|
60
|
|
|
|
|
61
|
|
|
|
|
62
|
|
|
function setString($str) |
|
|
|
|
|
|
63
|
|
|
{ |
|
64
|
|
|
$this->string = $str; |
|
65
|
|
|
} |
|
66
|
|
|
|
|
67
|
|
|
public function cleanArray($array) |
|
68
|
|
|
{ |
|
69
|
|
|
return $this->clean($array); |
|
70
|
|
|
} |
|
71
|
|
|
|
|
72
|
|
|
/** |
|
73
|
|
|
* @param $str |
|
74
|
|
|
* @return array|mixed |
|
75
|
|
|
*/ |
|
76
|
6 |
|
public function clean($str) |
|
77
|
|
|
{ |
|
78
|
|
|
// reset |
|
79
|
6 |
|
$this->_xss_found = null; |
|
80
|
|
|
|
|
81
|
|
|
// check for an array of strings |
|
82
|
6 |
|
if (\is_array($str)) { |
|
83
|
2 |
|
foreach ($str as $key => $value) { |
|
84
|
2 |
|
$str[$key] = $this->clean($value); |
|
85
|
2 |
|
} |
|
86
|
2 |
|
return $str; |
|
87
|
|
|
} |
|
88
|
|
|
|
|
89
|
6 |
|
$this->input = $str; |
|
90
|
6 |
|
$this->output = $this->process($str); |
|
91
|
6 |
|
return $this->output; |
|
92
|
|
|
} |
|
93
|
|
|
|
|
94
|
6 |
|
private function process($str) |
|
95
|
|
|
{ |
|
96
|
|
|
|
|
97
|
|
|
// process |
|
98
|
|
|
do { |
|
99
|
6 |
|
$old_str = $str; |
|
100
|
6 |
|
$str = $this->_do($str); |
|
101
|
6 |
|
} while ($old_str !== $str); |
|
102
|
|
|
|
|
103
|
|
|
// keep the old value, if there wasn't any XSS attack |
|
104
|
6 |
|
if ($this->_xss_found !== true) { |
|
105
|
6 |
|
$str = $this->input; |
|
106
|
6 |
|
} |
|
107
|
|
|
|
|
108
|
6 |
|
return $str; |
|
109
|
|
|
} |
|
110
|
|
|
|
|
111
|
|
|
/** |
|
112
|
|
|
* @param StringResource $str |
|
113
|
|
|
* |
|
114
|
|
|
* @return mixed |
|
115
|
|
|
*/ |
|
116
|
6 |
|
private function _do($str) |
|
117
|
|
|
{ |
|
118
|
6 |
|
$str = (string)$str; |
|
119
|
6 |
|
$strInt = (int)$str; |
|
120
|
6 |
|
$strFloat = (float)$str; |
|
121
|
6 |
|
if (!$str || (string)$strInt === $str || (string)$strFloat === $str) { |
|
122
|
|
|
|
|
123
|
|
|
// no xss found |
|
124
|
6 |
|
if ($this->_xss_found !== true) { |
|
125
|
6 |
|
$this->_xss_found = false; |
|
126
|
6 |
|
} |
|
127
|
|
|
|
|
128
|
6 |
|
return $str; |
|
129
|
|
|
} |
|
130
|
|
|
|
|
131
|
|
|
// remove the BOM from UTF-8 / UTF-16 / UTF-32 strings |
|
132
|
6 |
|
$str = $this->utf8->remove_bom($str); |
|
133
|
|
|
|
|
134
|
|
|
// replace the diamond question mark (�) and invalid-UTF8 chars |
|
135
|
6 |
|
$str = $this->utf8->replace_diamond_question_mark($str, ''); |
|
136
|
|
|
|
|
137
|
|
|
// replace invisible characters with one single space |
|
138
|
6 |
|
$str = $this->utf8->remove_invisible_characters($str, true, ' '); |
|
139
|
|
|
|
|
140
|
6 |
|
$str = $this->utf8->normalize_whitespace($str); |
|
141
|
6 |
|
$str = $this->strings->replace($str); |
|
142
|
|
|
|
|
143
|
|
|
// decode UTF-7 characters |
|
144
|
6 |
|
$str = $this->utf7->repack($str); |
|
145
|
|
|
|
|
146
|
|
|
// decode the string |
|
147
|
6 |
|
$str = $this->decodeString($str); // RW Partly DONE |
|
148
|
|
|
|
|
149
|
|
|
// backup the string (for later comparision) |
|
150
|
6 |
|
$str_backup = $str; |
|
151
|
|
|
|
|
152
|
|
|
// remove strings that are never allowed |
|
153
|
6 |
|
$str = $this->neverAllowed->doNeverAllowed($str); //RW DONE |
|
154
|
|
|
|
|
155
|
|
|
// corrects words before the browser will do it |
|
156
|
6 |
|
$str = $this->exploded->compactExplodedString($str); //RW DONE |
|
157
|
|
|
|
|
158
|
|
|
// remove disallowed javascript calls in links, images etc. |
|
159
|
6 |
|
$str = $this->javascript->removeDisallowedJavascript($str); |
|
160
|
|
|
|
|
161
|
|
|
// remove evil attributes such as style, onclick and xmlns |
|
162
|
6 |
|
$str = $this->attributes->removeEvilAttributes($str); |
|
163
|
|
|
|
|
164
|
|
|
// sanitize naughty JavaScript elements |
|
165
|
6 |
|
$str = $this->javascript->naughtyJavascript($str); |
|
166
|
|
|
|
|
167
|
|
|
// sanitize naughty HTML elements |
|
168
|
6 |
|
$str = $this->html->naughtyHtml($str); |
|
169
|
|
|
|
|
170
|
|
|
// final clean up |
|
171
|
|
|
// |
|
172
|
|
|
// -> This adds a bit of extra precaution in case something got through the above filters. |
|
173
|
6 |
|
$str = $this->neverAllowed->doNeverAllowedAfterwards($str); |
|
174
|
|
|
|
|
175
|
|
|
// check for xss |
|
176
|
6 |
|
if ($this->_xss_found !== true) { |
|
177
|
6 |
|
$this->_xss_found = !($str_backup === $str); |
|
178
|
6 |
|
} |
|
179
|
|
|
|
|
180
|
6 |
|
return $str; |
|
181
|
|
|
} |
|
182
|
|
|
|
|
183
|
6 |
|
public function decodeString($str) |
|
184
|
|
|
{ |
|
185
|
|
|
// init |
|
186
|
6 |
|
$regExForHtmlTags = '/<\p{L}+.*+/us'; |
|
187
|
|
|
|
|
188
|
6 |
|
if (strpos($str, '<') !== false && preg_match($regExForHtmlTags, $str, $matches) === 1) { |
|
189
|
6 |
|
$str = (string)preg_replace_callback( |
|
190
|
6 |
|
$regExForHtmlTags, |
|
191
|
6 |
|
function ($matches) { |
|
192
|
6 |
|
return $this->decodeEntity($matches); |
|
193
|
6 |
|
}, |
|
194
|
|
|
$str |
|
195
|
6 |
|
); |
|
196
|
6 |
|
} else { |
|
197
|
6 |
|
$str = $this->utf8->rawurldecode($str); |
|
198
|
|
|
} |
|
199
|
|
|
|
|
200
|
6 |
|
return $str; |
|
201
|
|
|
} |
|
202
|
|
|
|
|
203
|
6 |
|
private function decodeEntity(array $match) |
|
204
|
|
|
{ |
|
205
|
|
|
// init |
|
206
|
6 |
|
$str = $match[0]; |
|
207
|
|
|
|
|
208
|
|
|
// protect GET variables without XSS in URLs |
|
209
|
6 |
|
if (preg_match_all("/[\?|&]?[\\p{L}0-9_\-\[\]]+\s*=\s*(?<wrapped>\"|\042|'|\047)(?<attr>[^\\1]*?)\\g{wrapped}/ui", $str, $matches)) { |
|
210
|
6 |
|
if (isset($matches['attr'])) { |
|
211
|
6 |
|
foreach ($matches['attr'] as $matchInner) { |
|
212
|
6 |
|
$tmpAntiXss = clone $this; |
|
213
|
6 |
|
$urlPartClean = $tmpAntiXss->clean($matchInner); |
|
214
|
|
|
|
|
215
|
6 |
|
if ($tmpAntiXss->isXssFound() === true) { |
|
216
|
6 |
|
$this->_xss_found = true; |
|
217
|
6 |
|
$str = \str_replace($matchInner, $this->utf8->rawurldecode($urlPartClean), $str); |
|
218
|
6 |
|
} |
|
219
|
6 |
|
} |
|
220
|
6 |
|
} |
|
221
|
6 |
|
} else { |
|
222
|
6 |
|
$str = $this->_entity_decode($this->utf8->rawurldecode($str)); |
|
223
|
|
|
} |
|
224
|
|
|
|
|
225
|
6 |
|
return $str; |
|
226
|
|
|
} |
|
227
|
|
|
|
|
228
|
|
|
/** |
|
229
|
|
|
* @return null |
|
230
|
|
|
*/ |
|
231
|
6 |
|
public function isXssFound() |
|
232
|
|
|
{ |
|
233
|
6 |
|
return $this->_xss_found; |
|
234
|
|
|
} |
|
235
|
|
|
|
|
236
|
|
|
/** |
|
237
|
|
|
* Entity-decoding. |
|
238
|
|
|
* |
|
239
|
|
|
* @param StringResource $str |
|
240
|
|
|
* |
|
241
|
|
|
* @return StringResource |
|
242
|
|
|
*/ |
|
243
|
6 |
|
private function _entity_decode($str) |
|
244
|
|
|
{ |
|
245
|
6 |
|
static $HTML_ENTITIES_CACHE; |
|
246
|
|
|
|
|
247
|
6 |
|
$flags = ENT_QUOTES | ENT_HTML5 | ENT_DISALLOWED | ENT_SUBSTITUTE; |
|
248
|
|
|
|
|
249
|
|
|
// decode |
|
250
|
6 |
|
$str = html_entity_decode($str, $flags); |
|
251
|
|
|
|
|
252
|
|
|
|
|
253
|
|
|
// decode-again, for e.g. HHVM or miss configured applications ... |
|
254
|
6 |
|
if (preg_match_all('/(?<html_entity>&[A-Za-z]{2,}[;]{0})/', $str, $matches)) { |
|
255
|
|
|
if ($HTML_ENTITIES_CACHE === null) { |
|
256
|
|
|
|
|
257
|
|
|
// links: |
|
258
|
|
|
// - http://dev.w3.org/html5/html-author/charref |
|
259
|
|
|
// - http://www.w3schools.com/charsets/ref_html_entities_n.asp |
|
260
|
|
|
$entitiesSecurity = [ |
|
261
|
|
|
'�' => '', |
|
262
|
|
|
'�' => '', |
|
263
|
|
|
'' => '', |
|
264
|
|
|
'' => '', |
|
265
|
|
|
'>⃒' => '', |
|
266
|
|
|
'' => '', |
|
267
|
|
|
'' => '', |
|
268
|
|
|
'­' => '', |
|
269
|
|
|
'­' => '', |
|
270
|
|
|
'­' => '', |
|
271
|
|
|
':' => ':', |
|
272
|
|
|
':' => ':', |
|
273
|
|
|
':' => ':', |
|
274
|
|
|
'(' => '(', |
|
275
|
|
|
'(' => '(', |
|
276
|
|
|
'(' => '(', |
|
277
|
|
|
')' => ')', |
|
278
|
|
|
')' => ')', |
|
279
|
|
|
')' => ')', |
|
280
|
|
|
'?' => '?', |
|
281
|
|
|
'?' => '?', |
|
282
|
|
|
'?' => '?', |
|
283
|
|
|
'/' => '/', |
|
284
|
|
|
'/' => '/', |
|
285
|
|
|
'/' => '/', |
|
286
|
|
|
''' => '\'', |
|
287
|
|
|
''' => '\'', |
|
288
|
|
|
''' => '\'', |
|
289
|
|
|
''' => '\'', |
|
290
|
|
|
''' => '\'', |
|
291
|
|
|
'\' => '\'', |
|
292
|
|
|
'\' => '\\', |
|
293
|
|
|
'\' => '\\', |
|
294
|
|
|
',' => ',', |
|
295
|
|
|
',' => ',', |
|
296
|
|
|
',' => ',', |
|
297
|
|
|
'.' => '.', |
|
298
|
|
|
'.' => '.', |
|
299
|
|
|
'"' => '"', |
|
300
|
|
|
'"' => '"', |
|
301
|
|
|
'"' => '"', |
|
302
|
|
|
'"' => '"', |
|
303
|
|
|
'`' => '`', |
|
304
|
|
|
'`' => '`', |
|
305
|
|
|
'`' => '`', |
|
306
|
|
|
'`' => '`', |
|
307
|
|
|
'.' => '.', |
|
308
|
|
|
'=' => '=', |
|
309
|
|
|
'=' => '=', |
|
310
|
|
|
'=' => '=', |
|
311
|
|
|
'&newline;' => "\n", |
|
312
|
|
|
'
' => "\n", |
|
313
|
|
|
' ' => "\n", |
|
314
|
|
|
'&tab;' => "\t", |
|
315
|
|
|
'	' => "\t", |
|
316
|
|
|
'	' => "\t", |
|
317
|
|
|
]; |
|
318
|
|
|
|
|
319
|
|
|
$HTML_ENTITIES_CACHE = \array_merge( |
|
320
|
|
|
$entitiesSecurity, |
|
321
|
|
|
\array_flip(\get_html_translation_table(HTML_ENTITIES, $flags)), |
|
322
|
|
|
\array_flip($this->_get_data('entities_fallback')) |
|
323
|
|
|
); |
|
324
|
|
|
} |
|
325
|
|
|
|
|
326
|
|
|
$search = []; |
|
327
|
|
|
$replace = []; |
|
328
|
|
|
foreach ($matches['html_entity'] as $match) { |
|
329
|
|
|
$match .= ';'; |
|
330
|
|
|
if (isset($HTML_ENTITIES_CACHE[$match])) { |
|
331
|
|
|
$search[$match] = $match; |
|
332
|
|
|
$replace[$match] = $HTML_ENTITIES_CACHE[$match]; |
|
333
|
|
|
} |
|
334
|
|
|
} |
|
335
|
|
|
|
|
336
|
|
|
if (\count($replace) > 0) { |
|
337
|
|
|
$str = \str_replace($search, $replace, $str); |
|
338
|
|
|
} |
|
339
|
|
|
} |
|
340
|
|
|
|
|
341
|
6 |
|
return $str; |
|
342
|
|
|
} |
|
343
|
|
|
|
|
344
|
|
|
private function _get_data($file) |
|
345
|
|
|
{ |
|
346
|
|
|
/** @noinspection PhpIncludeInspection */ |
|
347
|
|
|
return include __DIR__ . '/../vendor/devtoolboxuk/soteriautf/src/Data/' . $file . '.php'; |
|
348
|
|
|
} |
|
349
|
|
|
|
|
350
|
|
|
public function cleanString($str) |
|
351
|
|
|
{ |
|
352
|
|
|
return $this->clean($str); |
|
353
|
|
|
} |
|
354
|
|
|
|
|
355
|
|
|
/** |
|
356
|
|
|
* @param $str |
|
357
|
|
|
* @return array|mixed |
|
358
|
|
|
*/ |
|
359
|
3 |
|
public function cleanUrl($str) |
|
360
|
|
|
{ |
|
361
|
3 |
|
$this->input = $str; |
|
362
|
3 |
|
$str = $this->clean($str); |
|
363
|
|
|
|
|
364
|
3 |
|
if (is_numeric($str) || is_null($str)) { |
|
365
|
1 |
|
return $str; |
|
366
|
|
|
} |
|
367
|
|
|
|
|
368
|
3 |
|
if (is_array($str)) { |
|
369
|
1 |
|
foreach ($str as $key => $value) { |
|
370
|
1 |
|
$str[$key] = $this->cleanUrl($value); |
|
371
|
1 |
|
} |
|
372
|
1 |
|
return $str; |
|
373
|
|
|
} |
|
374
|
|
|
|
|
375
|
|
|
do { |
|
376
|
3 |
|
$decode_str = rawurldecode($str); |
|
377
|
3 |
|
$str = $this->_do($str); |
|
|
|
|
|
|
378
|
3 |
|
} while ($decode_str !== $str); |
|
379
|
|
|
|
|
380
|
3 |
|
$this->output = $str; |
|
381
|
|
|
|
|
382
|
3 |
|
return $str; |
|
383
|
|
|
} |
|
384
|
|
|
|
|
385
|
|
|
function result() |
|
|
|
|
|
|
386
|
|
|
{ |
|
387
|
|
|
$valid = false; |
|
388
|
|
|
if (!$this->_xss_found) { |
|
|
|
|
|
|
389
|
|
|
$valid = true; |
|
390
|
|
|
} |
|
391
|
|
|
return new SoteriaModel($this->input, $this->output, $valid); |
|
392
|
|
|
} |
|
393
|
|
|
} |
devtoolboxuk /
soteria
Loading history...
Adding explicit visibility (
private,protected, orpublic) is generally recommend to communicate to other developers how, and from where this method is intended to be used.