How can you find all characters in a string which have ASCII values under 256 in order to replace them?
I'm looking for an efficient method of doing this which does not require checking the string character by character.
I want to replace the characters which have an ASCII value below 256 with their corresponding code using the following formats (the format will be picked based on a flag passed into the function):
&#xHH
\xHH
\HH
%HH
escape characters to a variety of formats
(Thread started by shawngoldw, Forum Contributor)

AbraCadaver (DevNet Master) wrote:
Re: escape characters to a variety of formats
Nice homework question! Hope you get it.
shawngoldw wrote:
Re: escape characters to a variety of formats
Haha, it's not homework. It's for XSS protection as per the suggestions on this page: http://www.owasp.org/index.php/XSS_(Cro ... nt_Content
Rules 2-5
Luckily, I'm past the stage of having to do this kind of homework.

edit: I found the solution for the last format, %HH: it is rawurlencode().
shawngoldw wrote:
Re: escape characters to a variety of formats
This is what I came up with. It's a function to escape (well, not really escape, more like encode) untrusted content to prevent XSS attacks. If you like it, feel free to use it; otherwise please give me some suggestions on how to improve it.
It is all based off the rules developed in http://www.owasp.org/index.php/XSS_(Cro ... Attributes
Shawn
Code:
/*
 * Modes: content   for plain content
 *        attribute for attribute values
 *        script    for script tags and javascript attributes
 *        style     for inline style attributes
 *        url       for get variables in urls
 */
function escape($str, $mode = "content")
{
    $mode = strtolower($mode);
    $prefix = "";
    $suffix = "";
    switch ($mode)
    {
        case "content": //Rule 1 (ampersand first, so the entities added below are not re-encoded)
            $str = str_replace("&", "&amp;", $str);
            $str = str_replace("<", "&lt;", $str);
            $str = str_replace(">", "&gt;", $str);
            $str = str_replace('"', "&quot;", $str);
            $str = str_replace("'", "&#x27;", $str);
            $str = str_replace("/", "&#x2F;", $str);
            return $str;
        case "attribute": //Rule 2: &#xHH;
            $prefix = "&#x";
            $suffix = ";";
            break;
        case "script": //Rule 3: \xHH (single quotes so PHP keeps the backslash-x literally)
            $prefix = '\x';
            $suffix = "";
            break;
        case "style": //Rule 4: \HH
            $prefix = "\\";
            $suffix = "";
            break;
        case "url": //Rule 5: %HH
            $prefix = "%";
            $suffix = "";
            break;
        default:
            trigger_error("Unknown escape mode");
            return $str;
    }
    $new = str_split($str);
    for ($i = 0; $i < strlen($str); $i++)
    {
        $ascii = ord($str[$i]); // ord() is always 0..255, so the "< 256" rule holds for every byte
        if (!ctype_alnum($str[$i])) // test the character itself, not the integer code
        {
            // always two hex digits: "\x9" followed by "9" would otherwise be read as "\x99"
            $hex = $prefix . sprintf("%02X", $ascii) . $suffix;
            $new[$i] = $hex;
        }
    }
    $new = implode($new);
    return $new;
}
Shawn
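Added example, not code from this thread or from OWASP: the same rules 1-5 done with one preg_replace_callback() pass instead of a hand-written per-character loop (the OP's "without checking character by character"), using rawurlencode() for rule 5 as found above, and always emitting two zero-padded hex digits. The function and constant names (escape_for, XSS_HEX_FORMATS, utf8_code_point) are my own choices. It departs from the thread's bare \HH form for CSS by appending a space, because a two-digit CSS escape followed by a literal hex digit is parsed as part of the escape.

```php
<?php
declare(strict_types=1);

// Added example (my own function names), not the poster's code.
// Output formats for rules 2-4; rule 1 and rule 5 have dedicated encoders below.
// The CSS form carries a trailing space: a bare \HH is ambiguous when the next
// literal character is a hex digit (\2C followed by "a" would parse as \2Ca),
// and CSS ignores one whitespace character after a hex escape.
const XSS_HEX_FORMATS = [
    'attribute' => '&#x%02X;', // Rule 2: HTML attribute values
    'script'    => '\x%02X',   // Rule 3: JavaScript string literals
    'style'     => '\%02X ',   // Rule 4: CSS property values
];

/** Code point of one UTF-8 encoded character, as matched by a /u regex. */
function utf8_code_point(string $char): int
{
    $len = strlen($char);
    $cp = ord($char[0]);
    if ($len === 1) {
        return $cp;                       // plain ASCII byte
    }
    $cp &= 0xFF >> ($len + 1);            // payload bits of the lead byte
    for ($i = 1; $i < $len; $i++) {
        $cp = ($cp << 6) | (ord($char[$i]) & 0x3F);
    }
    return $cp;
}

/** Rule 1: HTML body content. htmlspecialchars() covers & < > " ' and OWASP adds / . */
function escape_content(string $s): string
{
    $s = htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return str_replace('/', '&#x2F;', $s);
}

function escape_for(string $s, string $mode): string
{
    $mode = strtolower($mode);
    if ($mode === 'content') {
        return escape_content($s);
    }
    if ($mode === 'url') {
        // Rule 5: percent-encoding of the UTF-8 bytes, which is what rawurlencode()
        // does (it leaves A-Z a-z 0-9 - _ . ~ unencoded, per RFC 3986).
        return rawurlencode($s);
    }
    if (!isset(XSS_HEX_FORMATS[$mode])) {
        throw new InvalidArgumentException("Unknown escape mode: $mode");
    }
    $fmt = XSS_HEX_FORMATS[$mode];
    // One regex pass: every character outside [A-Za-z0-9] reaches the callback.
    // Code points below 256 are hex-encoded; anything above is left literal,
    // which is the "value under 256" rule asked about in the thread.
    $out = preg_replace_callback(
        '/[^A-Za-z0-9]/u',
        static function (array $m) use ($fmt): string {
            $cp = utf8_code_point($m[0]);
            return $cp < 256 ? sprintf($fmt, $cp) : $m[0];
        },
        $s
    );
    if ($out === null) {
        // The /u modifier makes preg_* fail on malformed UTF-8; refuse the input
        // rather than pass bytes through unencoded.
        throw new InvalidArgumentException('Input is not valid UTF-8');
    }
    return $out;
}

/** Constructed sample: alphanumerics (kept), a comma, a tab, a space and U+00E9. */
function self_check(): bool
{
    $sample = "a,\t9 \u{E9}";
    return escape_for($sample, 'attribute') === 'a&#x2C;&#x09;9&#x20;&#xE9;'
        && escape_for($sample, 'script')    === 'a\x2C\x099\x20\xE9'
        && escape_for($sample, 'style')     === 'a\2C \09 9\20 \E9 '
        && escape_for($sample, 'url')       === 'a%2C%099%20%C3%A9'
        && escape_for('</b>', 'content')    === '&lt;&#x2F;b&gt;';
}

if (!self_check()) {
    fwrite(STDERR, "self-check failed\n");
    exit(1);
}
```

The self-check input puts a tab directly before the digit 9 on purpose: with two-digit padding the script mode yields \x09 followed by a literal 9, whereas an unpadded dechex() would produce \x9 and the browser would read \x99 instead. Pick the mode from the context the value is inserted into, not from the value itself; a value that is valid for an attribute is not safe inside a script block.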