|
1
|
|
|
<?php |
|
2
|
|
|
|
|
3
|
|
|
namespace devtoolboxuk\soteria\handlers; |
|
4
|
|
|
|
|
5
|
|
|
use devtoolboxuk\soteria\models\SoteriaModel; |
|
6
|
|
|
use devtoolboxuk\soteria\voku\Resources\Attributes; |
|
7
|
|
|
|
|
8
|
|
|
use devtoolboxuk\soteria\voku\Resources\Exploded; |
|
9
|
|
|
use devtoolboxuk\soteria\voku\Resources\Html; |
|
10
|
|
|
use devtoolboxuk\soteria\voku\Resources\JavaScript; |
|
11
|
|
|
use devtoolboxuk\soteria\voku\Resources\NeverAllowed; |
|
12
|
|
|
|
|
13
|
|
|
use devtoolboxuk\soteria\voku\Resources\System; |
|
14
|
|
|
use devtoolboxuk\soteria\voku\Resources\Utf7; |
|
15
|
|
|
use devtoolboxuk\soteria\voku\Resources\Utf8; |
|
16
|
|
|
use devtoolboxuk\soteria\voku\Resources\StringResource; |
|
17
|
|
|
|
|
18
|
|
|
|
|
19
|
|
|
class Xss |
|
|
|
|
|
|
20
|
|
|
{ |
|
21
|
|
|
|
|
22
|
|
|
private $_xss_found = null; |
|
23
|
|
|
private $neverAllowed; |
|
24
|
|
|
private $exploded; |
|
25
|
|
|
private $string; |
|
26
|
|
|
private $attributes; |
|
27
|
|
|
private $javascript; |
|
28
|
|
|
private $html; |
|
29
|
|
|
private $utf7; |
|
30
|
|
|
private $utf8; |
|
31
|
|
|
private $strings; |
|
32
|
|
|
private $system; |
|
33
|
|
|
private $input; |
|
34
|
|
|
private $output; |
|
35
|
|
|
|
|
36
|
|
|
|
|
37
|
6 |
|
function __construct() |
|
|
|
|
|
|
38
|
|
|
{ |
|
39
|
6 |
|
$this->init(); |
|
40
|
6 |
|
} |
|
41
|
|
|
|
|
42
|
6 |
|
function init() |
|
|
|
|
|
|
43
|
|
|
{ |
|
44
|
6 |
|
$this->neverAllowed = new NeverAllowed(); |
|
45
|
|
|
|
|
46
|
6 |
|
$this->exploded = new Exploded(); |
|
47
|
|
|
|
|
48
|
6 |
|
$this->attributes = new Attributes(); |
|
49
|
6 |
|
$this->javascript = new JavaScript(); |
|
50
|
6 |
|
$this->html = new Html(); |
|
51
|
|
|
|
|
52
|
6 |
|
$this->system = new System(); |
|
53
|
|
|
|
|
54
|
6 |
|
$this->utf7 = new Utf7(); |
|
55
|
6 |
|
$this->utf8 = new Utf8(); |
|
56
|
|
|
|
|
57
|
6 |
|
$this->strings = new StringResource(); |
|
58
|
6 |
|
} |
|
59
|
|
|
|
|
60
|
|
|
|
|
61
|
|
|
function setString($str) |
|
|
|
|
|
|
62
|
|
|
{ |
|
63
|
|
|
$this->string = $str; |
|
64
|
|
|
} |
|
65
|
|
|
|
|
66
|
|
|
public function cleanArray($array) |
|
67
|
|
|
{ |
|
68
|
|
|
return $this->clean($array); |
|
69
|
|
|
} |
|
70
|
|
|
|
|
71
|
|
|
/** |
|
72
|
|
|
* @param $str |
|
73
|
|
|
* @return array|mixed |
|
74
|
|
|
*/ |
|
75
|
6 |
|
public function clean($str) |
|
76
|
|
|
{ |
|
77
|
|
|
// reset |
|
78
|
6 |
|
$this->_xss_found = null; |
|
79
|
|
|
|
|
80
|
|
|
// check for an array of strings |
|
81
|
6 |
|
if (\is_array($str)) { |
|
82
|
2 |
|
foreach ($str as $key => $value) { |
|
83
|
2 |
|
$str[$key] = $this->clean($value); |
|
84
|
|
|
} |
|
85
|
2 |
|
return $str; |
|
86
|
|
|
} |
|
87
|
|
|
|
|
88
|
6 |
|
$this->input = $str; |
|
89
|
6 |
|
$this->output = $this->process($str); |
|
90
|
6 |
|
return $this->output; |
|
91
|
|
|
} |
|
92
|
|
|
|
|
93
|
6 |
|
private function process($str) |
|
|
|
|
|
|
94
|
|
|
{ |
|
95
|
|
|
|
|
96
|
|
|
// process |
|
97
|
|
|
do { |
|
98
|
6 |
|
$old_str = $str; |
|
99
|
6 |
|
$str = $this->_do($str); |
|
100
|
6 |
|
} while ($old_str !== $str); |
|
101
|
|
|
|
|
102
|
|
|
// keep the old value, if there wasn't any XSS attack |
|
103
|
6 |
|
if ($this->_xss_found !== true) { |
|
104
|
6 |
|
$str = $this->input; |
|
105
|
|
|
} |
|
106
|
|
|
|
|
107
|
6 |
|
return $str; |
|
108
|
|
|
} |
|
109
|
|
|
|
|
110
|
|
|
/** |
|
111
|
|
|
* @param StringResource $str |
|
112
|
|
|
* |
|
113
|
|
|
* @return mixed |
|
114
|
|
|
*/ |
|
115
|
6 |
|
private function _do($str) |
|
|
|
|
|
|
116
|
|
|
{ |
|
117
|
6 |
|
$str = (string)$str; |
|
118
|
6 |
|
$strInt = (int)$str; |
|
119
|
6 |
|
$strFloat = (float)$str; |
|
120
|
6 |
|
if (!$str || (string)$strInt === $str || (string)$strFloat === $str) { |
|
|
|
|
|
|
121
|
|
|
|
|
122
|
|
|
// no xss found |
|
123
|
6 |
|
if ($this->_xss_found !== true) { |
|
124
|
6 |
|
$this->_xss_found = false; |
|
125
|
|
|
} |
|
126
|
|
|
|
|
127
|
6 |
|
return $str; |
|
128
|
|
|
} |
|
129
|
|
|
|
|
130
|
|
|
// remove the BOM from UTF-8 / UTF-16 / UTF-32 strings |
|
131
|
6 |
|
$str = $this->utf8->remove_bom($str); |
|
132
|
|
|
|
|
133
|
|
|
// replace the diamond question mark (�) and invalid-UTF8 chars |
|
134
|
6 |
|
$str = $this->utf8->replace_diamond_question_mark($str, ''); |
|
135
|
|
|
|
|
136
|
|
|
// replace invisible characters with one single space |
|
137
|
6 |
|
$str = $this->utf8->remove_invisible_characters($str, true, ' '); |
|
138
|
|
|
|
|
139
|
6 |
|
$str = $this->utf8->normalize_whitespace($str); |
|
140
|
6 |
|
$str = $this->strings->replace($str); |
|
141
|
|
|
|
|
142
|
|
|
// decode UTF-7 characters |
|
143
|
6 |
|
$str = $this->utf7->repack($str); |
|
144
|
|
|
|
|
145
|
|
|
// decode the string |
|
146
|
6 |
|
$str = $this->decodeString($str); // RW Partly DONE |
|
147
|
|
|
|
|
148
|
|
|
// backup the string (for later comparision) |
|
149
|
6 |
|
$str_backup = $str; |
|
150
|
|
|
|
|
151
|
|
|
// remove strings that are never allowed |
|
152
|
6 |
|
$str = $this->neverAllowed->doNeverAllowed($str); //RW DONE |
|
153
|
|
|
|
|
154
|
|
|
// corrects words before the browser will do it |
|
155
|
6 |
|
$str = $this->exploded->compactExplodedString($str); //RW DONE |
|
156
|
|
|
|
|
157
|
|
|
// remove disallowed javascript calls in links, images etc. |
|
158
|
6 |
|
$str = $this->javascript->removeDisallowedJavascript($str); |
|
159
|
|
|
|
|
160
|
|
|
// remove evil attributes such as style, onclick and xmlns |
|
161
|
6 |
|
$str = $this->attributes->removeEvilAttributes($str); |
|
162
|
|
|
|
|
163
|
|
|
// sanitize naughty JavaScript elements |
|
164
|
6 |
|
$str = $this->javascript->naughtyJavascript($str); |
|
165
|
|
|
|
|
166
|
|
|
// sanitize naughty HTML elements |
|
167
|
6 |
|
$str = $this->html->naughtyHtml($str); |
|
168
|
|
|
|
|
169
|
|
|
// final clean up |
|
170
|
|
|
// |
|
171
|
|
|
// -> This adds a bit of extra precaution in case something got through the above filters. |
|
172
|
6 |
|
$str = $this->neverAllowed->doNeverAllowedAfterwards($str); |
|
173
|
|
|
|
|
174
|
|
|
// check for xss |
|
175
|
6 |
|
if ($this->_xss_found !== true) { |
|
176
|
6 |
|
$this->_xss_found = !($str_backup === $str); |
|
177
|
|
|
} |
|
178
|
|
|
|
|
179
|
6 |
|
return $str; |
|
180
|
|
|
} |
|
181
|
|
|
|
|
182
|
6 |
|
public function decodeString($str) |
|
183
|
|
|
{ |
|
184
|
|
|
// init |
|
185
|
6 |
|
$regExForHtmlTags = '/<\p{L}+.*+/us'; |
|
186
|
|
|
|
|
187
|
6 |
|
if (strpos($str, '<') !== false && preg_match($regExForHtmlTags, $str, $matches) === 1) { |
|
188
|
6 |
|
$str = (string)preg_replace_callback( |
|
189
|
6 |
|
$regExForHtmlTags, |
|
190
|
|
|
function ($matches) { |
|
191
|
6 |
|
return $this->decodeEntity($matches); |
|
192
|
6 |
|
}, |
|
193
|
6 |
|
$str |
|
194
|
|
|
); |
|
195
|
|
|
} else { |
|
|
|
|
|
|
196
|
6 |
|
$str = $this->utf8->rawurldecode($str); |
|
197
|
|
|
} |
|
198
|
|
|
|
|
199
|
6 |
|
return $str; |
|
200
|
|
|
} |
|
201
|
|
|
|
|
202
|
6 |
|
private function decodeEntity(array $match) |
|
203
|
|
|
{ |
|
204
|
|
|
// init |
|
205
|
6 |
|
$str = $match[0]; |
|
206
|
|
|
|
|
207
|
|
|
// protect GET variables without XSS in URLs |
|
208
|
6 |
|
if (preg_match_all("/[\?|&]?[\\p{L}0-9_\-\[\]]+\s*=\s*(?<wrapped>\"|\042|'|\047)(?<attr>[^\\1]*?)\\g{wrapped}/ui", $str, $matches)) { |
|
209
|
6 |
|
if (isset($matches['attr'])) { |
|
210
|
6 |
|
foreach ($matches['attr'] as $matchInner) { |
|
211
|
6 |
|
$tmpAntiXss = clone $this; |
|
212
|
6 |
|
$urlPartClean = $tmpAntiXss->clean($matchInner); |
|
213
|
|
|
|
|
214
|
6 |
|
if ($tmpAntiXss->isXssFound() === true) { |
|
215
|
6 |
|
$this->_xss_found = true; |
|
216
|
6 |
|
$str = \str_replace($matchInner, $this->utf8->rawurldecode($urlPartClean), $str); |
|
217
|
|
|
} |
|
218
|
|
|
} |
|
219
|
|
|
} |
|
220
|
|
|
} else { |
|
|
|
|
|
|
221
|
6 |
|
$str = $this->_entity_decode($this->utf8->rawurldecode($str)); |
|
222
|
|
|
} |
|
223
|
|
|
|
|
224
|
6 |
|
return $str; |
|
225
|
|
|
} |
|
226
|
|
|
|
|
227
|
|
|
/** |
|
228
|
|
|
* @return null |
|
229
|
|
|
*/ |
|
230
|
6 |
|
public function isXssFound() |
|
231
|
|
|
{ |
|
232
|
6 |
|
return $this->_xss_found; |
|
233
|
|
|
} |
|
234
|
|
|
|
|
235
|
|
|
/** |
|
236
|
|
|
* Entity-decoding. |
|
237
|
|
|
* |
|
238
|
|
|
* @param StringResource $str |
|
239
|
|
|
* |
|
240
|
|
|
* @return StringResource |
|
241
|
|
|
*/ |
|
242
|
6 |
|
private function _entity_decode($str) |
|
|
|
|
|
|
243
|
|
|
{ |
|
244
|
6 |
|
static $HTML_ENTITIES_CACHE; |
|
245
|
|
|
|
|
246
|
6 |
|
$flags = ENT_QUOTES | ENT_HTML5 | ENT_DISALLOWED | ENT_SUBSTITUTE; |
|
247
|
|
|
|
|
248
|
|
|
// decode |
|
249
|
6 |
|
$str = html_entity_decode($str, $flags); |
|
250
|
|
|
|
|
251
|
|
|
|
|
252
|
|
|
// decode-again, for e.g. HHVM or miss configured applications ... |
|
253
|
6 |
|
if (preg_match_all('/(?<html_entity>&[A-Za-z]{2,}[;]{0})/', $str, $matches)) { |
|
254
|
|
|
if ($HTML_ENTITIES_CACHE === null) { |
|
|
|
|
|
|
255
|
|
|
|
|
256
|
|
|
// links: |
|
257
|
|
|
// - http://dev.w3.org/html5/html-author/charref |
|
258
|
|
|
// - http://www.w3schools.com/charsets/ref_html_entities_n.asp |
|
259
|
|
|
$entitiesSecurity = [ |
|
260
|
|
|
'�' => '', |
|
261
|
|
|
'�' => '', |
|
262
|
|
|
'' => '', |
|
263
|
|
|
'' => '', |
|
264
|
|
|
'>⃒' => '', |
|
265
|
|
|
'' => '', |
|
266
|
|
|
'' => '', |
|
267
|
|
|
'­' => '', |
|
268
|
|
|
'­' => '', |
|
269
|
|
|
'­' => '', |
|
270
|
|
|
':' => ':', |
|
271
|
|
|
':' => ':', |
|
272
|
|
|
':' => ':', |
|
273
|
|
|
'(' => '(', |
|
274
|
|
|
'(' => '(', |
|
275
|
|
|
'(' => '(', |
|
276
|
|
|
')' => ')', |
|
277
|
|
|
')' => ')', |
|
278
|
|
|
')' => ')', |
|
279
|
|
|
'?' => '?', |
|
280
|
|
|
'?' => '?', |
|
281
|
|
|
'?' => '?', |
|
282
|
|
|
'/' => '/', |
|
283
|
|
|
'/' => '/', |
|
284
|
|
|
'/' => '/', |
|
285
|
|
|
''' => '\'', |
|
286
|
|
|
''' => '\'', |
|
287
|
|
|
''' => '\'', |
|
288
|
|
|
''' => '\'', |
|
289
|
|
|
''' => '\'', |
|
290
|
|
|
'\' => '\'', |
|
291
|
|
|
'\' => '\\', |
|
292
|
|
|
'\' => '\\', |
|
293
|
|
|
',' => ',', |
|
294
|
|
|
',' => ',', |
|
295
|
|
|
',' => ',', |
|
296
|
|
|
'.' => '.', |
|
297
|
|
|
'.' => '.', |
|
298
|
|
|
'"' => '"', |
|
299
|
|
|
'"' => '"', |
|
300
|
|
|
'"' => '"', |
|
301
|
|
|
'"' => '"', |
|
302
|
|
|
'`' => '`', |
|
303
|
|
|
'`' => '`', |
|
304
|
|
|
'`' => '`', |
|
305
|
|
|
'`' => '`', |
|
306
|
|
|
'.' => '.', |
|
307
|
|
|
'=' => '=', |
|
308
|
|
|
'=' => '=', |
|
309
|
|
|
'=' => '=', |
|
310
|
|
|
'&newline;' => "\n", |
|
311
|
|
|
'
' => "\n", |
|
312
|
|
|
' ' => "\n", |
|
313
|
|
|
'&tab;' => "\t", |
|
314
|
|
|
'	' => "\t", |
|
315
|
|
|
'	' => "\t", |
|
316
|
|
|
]; |
|
317
|
|
|
|
|
318
|
|
|
$HTML_ENTITIES_CACHE = \array_merge( |
|
319
|
|
|
$entitiesSecurity, |
|
320
|
|
|
\array_flip(\get_html_translation_table(HTML_ENTITIES, $flags)), |
|
321
|
|
|
\array_flip($this->_get_data('entities_fallback')) |
|
322
|
|
|
); |
|
323
|
|
|
} |
|
324
|
|
|
|
|
325
|
|
|
$search = []; |
|
326
|
|
|
$replace = []; |
|
327
|
|
|
foreach ($matches['html_entity'] as $match) { |
|
328
|
|
|
$match .= ';'; |
|
329
|
|
|
if (isset($HTML_ENTITIES_CACHE[$match])) { |
|
330
|
|
|
$search[$match] = $match; |
|
331
|
|
|
$replace[$match] = $HTML_ENTITIES_CACHE[$match]; |
|
332
|
|
|
} |
|
333
|
|
|
} |
|
334
|
|
|
|
|
335
|
|
|
if (\count($replace) > 0) { |
|
336
|
|
|
$str = \str_replace($search, $replace, $str); |
|
337
|
|
|
} |
|
338
|
|
|
} |
|
339
|
|
|
|
|
340
|
6 |
|
return $str; |
|
341
|
|
|
} |
|
342
|
|
|
|
|
343
|
|
|
private function _get_data($file) |
|
|
|
|
|
|
344
|
|
|
{ |
|
345
|
|
|
/** @noinspection PhpIncludeInspection */ |
|
346
|
|
|
return include __DIR__ . '/../voku/Data/' . $file . '.php'; |
|
347
|
|
|
} |
|
348
|
|
|
|
|
349
|
|
|
public function cleanString($str) |
|
350
|
|
|
{ |
|
351
|
|
|
return $this->clean($str); |
|
352
|
|
|
} |
|
353
|
|
|
|
|
354
|
|
|
/** |
|
355
|
|
|
* @param $str |
|
356
|
|
|
* @return array|mixed |
|
357
|
|
|
*/ |
|
358
|
3 |
|
public function cleanUrl($str) |
|
|
|
|
|
|
359
|
|
|
{ |
|
360
|
3 |
|
$this->input = $str; |
|
361
|
3 |
|
$str = $this->clean($str); |
|
362
|
|
|
|
|
363
|
3 |
|
if (is_numeric($str) || is_null($str)) { |
|
364
|
1 |
|
return $str; |
|
365
|
|
|
} |
|
366
|
|
|
|
|
367
|
3 |
|
if (is_array($str)) { |
|
368
|
1 |
|
foreach ($str as $key => $value) { |
|
369
|
1 |
|
$str[$key] = $this->cleanUrl($value); |
|
370
|
|
|
} |
|
371
|
1 |
|
return $str; |
|
372
|
|
|
} |
|
373
|
|
|
|
|
374
|
|
|
do { |
|
375
|
3 |
|
$decode_str = rawurldecode($str); |
|
376
|
3 |
|
$str = $this->_do($str); |
|
|
|
|
|
|
377
|
3 |
|
} while ($decode_str !== $str); |
|
378
|
|
|
|
|
379
|
3 |
|
$this->output = $str; |
|
380
|
|
|
|
|
381
|
3 |
|
return $str; |
|
382
|
|
|
} |
|
383
|
|
|
|
|
384
|
|
|
function result() |
|
|
|
|
|
|
385
|
|
|
{ |
|
386
|
|
|
$valid = false; |
|
387
|
|
|
if (!$this->_xss_found) { |
|
|
|
|
|
|
388
|
|
|
$valid = true; |
|
389
|
|
|
} |
|
390
|
|
|
return new SoteriaModel($this->input, $this->output, $valid); |
|
391
|
|
|
} |
|
392
|
|
|
} |
devtoolboxuk /
soteria
Loading history...
This check marks property names that have not been written in camelCase.
In camelCase names are written without any punctuation, the start of each new word being marked by a capital letter. Thus the name database connection string becomes
databaseConnectionString.