|
1
|
|
|
<?php |
|
2
|
|
|
|
|
3
|
|
|
/** |
|
4
|
|
|
* Class Filter |
|
5
|
|
|
* |
|
6
|
|
|
* This is the place to put filters, usually methods that cleans, sorts and, well, filters stuff. |
|
7
|
|
|
*/ |
|
8
|
|
|
class Filter |
|
9
|
|
|
{ |
|
10
|
|
|
/** |
|
11
|
|
|
* The XSS filter: This simply removes "code" from any data, used to prevent Cross-Site Scripting Attacks. |
|
12
|
|
|
* |
|
13
|
|
|
* A very simple introduction: Let's say an attackers changes its username from "John" to these lines: |
|
14
|
|
|
* "<script>var http = new XMLHttpRequest(); http.open('POST', 'example.com/my_account/delete.php', true);</script>" |
|
15
|
|
|
* This means, every user's browser would render "John" anymore, instead interpreting this JavaScript code, calling |
|
16
|
|
|
* the delete.php, in this case inside the project, in worse scenarios something like performing a bank transaction |
|
17
|
|
|
* or sending your cookie data (containing your remember-me-token) to somebody else. |
|
18
|
|
|
* |
|
19
|
|
|
* What is XSS ? |
|
20
|
|
|
* @see http://phpsecurity.readthedocs.org/en/latest/Cross-Site-Scripting-%28XSS%29.html |
|
21
|
|
|
* |
|
22
|
|
|
* Deeper information: |
|
23
|
|
|
* @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet |
|
24
|
|
|
* |
|
25
|
|
|
* XSSFilter expects a value, checks if the value is a string, and if so, encodes typical script tag chars to |
|
26
|
|
|
* harmless HTML (you'll see the code, it wil not be interpreted). Then the method checks if the value is an array, |
|
27
|
|
|
* or an object and if so, makes sure all its string content is encoded (recursive call on its values). |
|
28
|
|
|
* Note that this method uses reference to the assed variable, not a copy, meaning you can use this methods like this: |
|
29
|
|
|
* |
|
30
|
|
|
* CORRECT: Filter::XSSFilter($myVariable); |
|
31
|
|
|
* WRONG: $myVariable = Filter::XSSFilter($myVariable); |
|
32
|
|
|
* |
|
33
|
|
|
* This works like some other popular PHP functions, for example sort(). |
|
34
|
|
|
* @see http://php.net/manual/en/function.sort.php |
|
35
|
|
|
* |
|
36
|
|
|
* @see http://stackoverflow.com/questions/1676897/what-does-it-mean-to-start-a-php-function-with-an-ampersand |
|
37
|
|
|
* @see http://php.net/manual/en/language.references.pass.php |
|
38
|
|
|
* |
|
39
|
|
|
* FYI: htmlspecialchars() does this (from PHP docs): |
|
40
|
|
|
* |
|
41
|
|
|
* '&' (ampersand) becomes '&' |
|
42
|
|
|
* '"' (double quote) becomes '"' when ENT_NOQUOTES is not set. |
|
43
|
|
|
* "'" (single quote) becomes ''' (or ') only when ENT_QUOTES is set. |
|
44
|
|
|
* '<' (less than) becomes '<' |
|
45
|
|
|
* '>' (greater than) becomes '>' |
|
46
|
|
|
* |
|
47
|
|
|
* @see http://www.php.net/manual/en/function.htmlspecialchars.php |
|
48
|
|
|
* |
|
49
|
|
|
* @param $value The value to be filtered |
|
50
|
|
|
* @return mixed |
|
51
|
|
|
*/ |
|
52
|
|
|
public static function XSSFilter(&$value) |
|
53
|
|
|
{ |
|
54
|
|
|
// if argument is a string, filters that string |
|
55
|
|
|
if (is_string($value)) { |
|
56
|
|
|
$value = htmlspecialchars($value, ENT_QUOTES, 'UTF-8'); |
|
57
|
|
|
|
|
58
|
|
|
// if argument is an array or an object, |
|
59
|
|
|
// recursivly filters its content |
|
60
|
|
|
} else if (is_array($value) || is_object($value)) { |
|
61
|
|
|
|
|
62
|
|
|
/** |
|
63
|
|
|
* Make sure the element is passed by reference, |
|
64
|
|
|
* In PHP 7, foreach does not use the internal array pointer. |
|
65
|
|
|
* In order to be able to directly modify array elements within the loop |
|
66
|
|
|
* precede $value with &. In that case the value will be assigned by reference. |
|
67
|
|
|
* @see http://php.net/manual/en/control-structures.foreach.php |
|
68
|
|
|
*/ |
|
69
|
|
|
foreach ($value as &$valueInValue) { |
|
70
|
|
|
self::XSSFilter($valueInValue); |
|
71
|
|
|
} |
|
72
|
|
|
} |
|
73
|
|
|
|
|
74
|
|
|
// other types are untouched |
|
75
|
|
|
return $value; |
|
76
|
|
|
} |
|
77
|
|
|
} |
|
78
|
|
|
|
panique /
huge
