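<?php

declare(strict_types=1);

/**
 * Class Filter
 *
 * This is the place to put filters, usually methods that clean, sort and, well, filter stuff.
 */
class Filter
{
    /**
     * The XSS filter: encodes the characters that carry HTML markup so a value is rendered as text
     * instead of being interpreted by the browser. Used to prevent Cross-Site Scripting attacks.
     *
     * A very simple introduction: let's say an attacker changes their username from "John" to:
     * "<script>var http = new XMLHttpRequest(); http.open('POST', 'example.com/my_account/delete.php', true);</script>"
     * Without encoding, every user's browser would no longer render "John" but interpret this JavaScript code,
     * calling delete.php (in this case inside the project); in worse scenarios it could perform a transaction
     * or send cookie data (containing a remember-me token) to somebody else.
     *
     * What is XSS?
     * @see http://phpsecurity.readthedocs.org/en/latest/Cross-Site-Scripting-%28XSS%29.html
     *
     * Deeper information:
     * @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
     *
     * XSSFilter expects a value and, if it is a string, encodes the typical markup characters into
     * harmless HTML entities (you'll see the code, it will not be interpreted). If the value is an array
     * or an object it walks the content and encodes every string inside it (recursive call on its values).
     * Other types (int, float, bool, null, resource) are left untouched.
     *
     * Scope of the protection: this is escaping for an HTML element body or a quoted HTML attribute.
     * It does not make a value safe inside a <script> block, a URL, a CSS value or an unquoted attribute;
     * those contexts need their own escaping at the point of output.
     *
     * Objects: the walk uses foreach, so only properties visible from this class (the public ones) are
     * re-encoded; private and protected properties of other classes are skipped. Objects implementing
     * Traversable generally cannot be iterated by reference and raise an Error.
     *
     * Note that this method takes a reference to the passed variable, not a copy, so use it like this:
     *
     * CORRECT: Filter::XSSFilter($myVariable);
     * WRONG:   $myVariable = Filter::XSSFilter($myVariable);   (works, but the assignment is redundant)
     *
     * This works like some other popular PHP functions, for example sort().
     * @see http://php.net/manual/en/function.sort.php
     *
     * @see http://stackoverflow.com/questions/1676897/what-does-it-mean-to-start-a-php-function-with-an-ampersand
     * @see http://php.net/manual/en/language.references.pass.php
     *
     * FYI: htmlspecialchars() does this (from the PHP docs):
     *
     * '&' (ampersand)     becomes '&amp;'
     * '"' (double quote)  becomes '&quot;' when ENT_NOQUOTES is not set.
     * "'" (single quote)  becomes '&#039;' (or '&apos;' with ENT_HTML5) only when ENT_QUOTES is set.
     * '<' (less than)     becomes '&lt;'
     * '>' (greater than)  becomes '&gt;'
     *
     * @see http://www.php.net/manual/en/function.htmlspecialchars.php
     *
     * @param mixed $value The value to be filtered, modified in place (passed by reference)
     * @return mixed The same value after filtering (also written back through the reference)
     */
    public static function XSSFilter(&$value)
    {
        if (is_string($value)) {
            // ENT_QUOTES: encode both quote styles so the value is also safe inside
            // single- or double-quoted attributes, not just element bodies.
            // ENT_SUBSTITUTE: an invalid UTF-8 sequence is replaced with U+FFFD instead of
            // htmlspecialchars() returning '' and silently discarding the whole value.
            $value = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        } elseif (is_array($value) || is_object($value)) {
            // Iterate by reference so each element is modified in place
            // (foreach does not use the internal array pointer).
            // @see http://php.net/manual/en/control-structures.foreach.php
            foreach ($value as &$element) {
                self::XSSFilter($element);
            }
            // A by-reference foreach leaves $element bound to the last entry; drop the binding.
            unset($element);
        }

        // Other types are untouched.
        return $value;
    }
}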
You can fix this by adding a namespace to your class:
When choosing a vendor namespace, try to pick something that is not too generic to avoid conflicts with other libraries.