```php
<?php

/**
 * Class Filter
 *
 * This is the place to put filters, usually methods that clean, sort and, well, filter stuff.
 */
class Filter
{
    /**
     * The XSS filter: This simply removes "code" from any data, used to prevent Cross-Site Scripting attacks.
     *
     * A very simple introduction: Let's say an attacker changes their username from "John" to these lines:
     * "<script>var http = new XMLHttpRequest(); http.open('POST', 'example.com/my_account/delete.php', true);</script>"
     * This means every user's browser wouldn't render "John" anymore, but would instead interpret this JavaScript code,
     * calling delete.php, in this case inside the project; in worse scenarios something like performing a bank
     * transaction or sending your cookie data (containing your remember-me token) to somebody else.
     *
     * What is XSS?
     * @see http://phpsecurity.readthedocs.org/en/latest/Cross-Site-Scripting-%28XSS%29.html
     *
     * Deeper information:
     * @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
     *
     * XSSFilter expects a value, checks if the value is a string, and if so, encodes typical script tag chars to
     * harmless HTML (you'll see the code, it will not be interpreted). Arrays and objects are walked recursively so
     * that every string inside them is encoded. Note that this method uses a reference to the passed variable,
     * not a copy, meaning you can use this method like this:
     *
     * CORRECT: Filter::XSSFilter($myVariable);
     * WRONG:   $myVariable = Filter::XSSFilter($myVariable);
     *
     * This works like some other popular PHP functions, for example sort().
     * @see http://php.net/manual/en/function.sort.php
     *
     * @see http://stackoverflow.com/questions/1676897/what-does-it-mean-to-start-a-php-function-with-an-ampersand
     * @see http://php.net/manual/en/language.references.pass.php
     *
     * FYI: htmlspecialchars() does this (from PHP docs):
     *
     * '&' (ampersand) becomes '&amp;'
     * '"' (double quote) becomes '&quot;' when ENT_NOQUOTES is not set.
     * "'" (single quote) becomes '&#039;' (or '&apos;') only when ENT_QUOTES is set.
     * '<' (less than) becomes '&lt;'
     * '>' (greater than) becomes '&gt;'
     *
     * @see http://www.php.net/manual/en/function.htmlspecialchars.php
     *
     * @param mixed $value
     * @return mixed
     */
    public static function XSSFilter(&$value)
    {
        if (is_string($value)) {
            $value = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
        } elseif (is_array($value) || is_object($value)) {
            foreach ($value as $key => &$array_value) {
                self::XSSFilter($array_value);
            }
            unset($array_value); // break the reference that foreach leaves behind
        }

        return $value;
    }
}
```
You can fix this by adding a namespace to your class:
When choosing a vendor namespace, try to pick something that is not too generic to avoid conflicts with other libraries.
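Here is an added example (my own code, not from the post above or the project it comes from) that puts the `XSSFilter` approach into a vendor namespace as the answer suggests and runs it over a constructed nested request array. The namespace `Acme\Security`, the `$request` data and the output loop are all assumptions made for the demonstration; the encoding call is the same `htmlspecialchars($value, ENT_QUOTES, 'UTF-8')` as in the class. It also shows the one practical caveat of encoding at input time: if a template later encodes the stored value again (which is where output encoding normally belongs), the entities get encoded twice unless `double_encode` is turned off.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original post. It runs the XSSFilter
// approach over a constructed nested request array and shows the
// double-encoding caveat when the same data is encoded again at output time.
// The vendor namespace Acme\Security is an assumption, chosen as the answer
// suggests: specific enough not to collide with other libraries' Filter classes.
namespace Acme\Security;

final class Filter
{
    /** Recursively HTML-encodes every string in $value, modifying it in place. */
    public static function XSSFilter(&$value)
    {
        if (is_string($value)) {
            $value = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
        } elseif (is_array($value) || is_object($value)) {
            foreach ($value as &$item) {
                self::XSSFilter($item);
            }
            unset($item); // break the reference that foreach leaves behind
        }
        return $value;
    }
}

// Constructed sample: a profile-update submission in which the username is the
// payload quoted in the docblock and the bio contains both quote styles.
$request = [
    'username' => "<script>var http = new XMLHttpRequest(); http.open('POST', 'example.com/my_account/delete.php', true);</script>",
    'profile'  => [
        'bio' => 'Ann "the" O\'Neil <b>likes</b> PHP & security',
        'age' => 42, // non-strings are left untouched by the filter
    ],
];

// Filter in place: no assignment of the return value is needed.
Filter::XSSFilter($request);

foreach (['username' => $request['username'], 'bio' => $request['profile']['bio']] as $name => $encoded) {
    printf("%-9s %s\n", $name . ':', $encoded);
}
var_dump($request['profile']['age']);

// Caveat: the filter encodes at input time. A template that also encodes at
// output time will encode the stored entities a second time unless
// double_encode is disabled. Compare the two results against the stored value.
$stored = $request['profile']['bio'];
$twice  = htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');        // double_encode = true (default)
$once   = htmlspecialchars($stored, ENT_QUOTES, 'UTF-8', false); // existing entities are kept as-is
printf("re-encoded (default):            %s\n", $twice);
printf("re-encoded (double_encode=false): %s\n", $once);
var_dump($once === $stored);
```

Two things worth keeping in mind when using this: `htmlspecialchars()` is the right encoder for data placed in HTML text or quoted attribute values, but it does not make a value safe inside a `<script>` block, a URL, or inline CSS, which each need their own escaping. And because the filter changes the stored data itself, the `double_encode=false` form (or encoding only at output time, with the stored data left raw) is what keeps an ampersand in a username from turning into `&amp;amp;` on screen.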