escape characters to a variety of formats
Posted: Sat Jul 17, 2010 9:54 pm
by shawngoldw
How can you find all characters in a string which have ASCII values under 256 in order to replace them?
I'm looking for an efficient method of doing this which does not require checking the string character by character.
I want to replace the characters which have an ASCII value below 256 with their corresponding code using the following formats (the format will be picked based on a flag passed into the function):
&#xHH
\xHH
\HH
%HH
Re: escape characters to a variety of formats
Posted: Sat Jul 17, 2010 11:35 pm
by AbraCadaver
Nice homework question! Hope you get it.
Re: escape characters to a variety of formats
Posted: Sun Jul 18, 2010 7:33 am
by shawngoldw
haha, it's not homework. It's for XSS protection, as per the suggestions on this page:
http://www.owasp.org/index.php/XSS_(Cro ... nt_Content
Rules 2-5
Luckily, I'm past the stage of having to do this kind of homework.
edit: I found the solution for the last format, %HH: it is rawurlencode().
Re: escape characters to a variety of formats
Posted: Sun Jul 18, 2010 11:14 am
by shawngoldw
This is what I came up with. It's a function to escape (well, not really escape, more like encode) untrusted content to prevent XSS attacks. If you like it, feel free to use it; otherwise please give me some suggestions on how to improve it.
/*
 * Modes: content   for plain HTML content             (OWASP rule 1)
 *        attribute for attribute values                (rule 2)
 *        script    for script tags and JS attributes   (rule 3)
 *        style     for inline style attributes         (rule 4)
 *        url       for GET variables in URLs           (rule 5)
 *
 * Works byte by byte, so it is only correct for single-byte (ASCII/Latin-1)
 * input: a multibyte UTF-8 character would be split into one escape per byte.
 */
function escape($str, $mode = "content")
{
    $mode = strtolower($mode);
    $prefix = "";
    $suffix = "";
    switch ($mode)
    {
        case "content": //Rule 1: named/numeric entities, & first so nothing is double-encoded
            $str = str_replace("&", "&amp;", $str);
            $str = str_replace("<", "&lt;", $str);
            $str = str_replace(">", "&gt;", $str);
            $str = str_replace('"', "&quot;", $str);
            $str = str_replace("'", "&#x27;", $str);
            $str = str_replace("/", "&#x2F;", $str);
            return $str;
        case "attribute": //Rule 2: &#xHH;
            $prefix = "&#x";
            $suffix = ";";
            break;
        case "script": //Rule 3: \xHH (single quotes: in double quotes "\x" is a PHP escape sequence)
            $prefix = '\x';
            $suffix = "";
            break;
        case "style": //Rule 4: \HH
            $prefix = "\\";
            $suffix = "";
            break;
        case "url": //Rule 5: %HH
            $prefix = "%";
            $suffix = "";
            break;
        default:
            trigger_error("Unknown escape mode");
            return $str;
    }
    $new = str_split($str);
    for ($i = 0; $i < strlen($str); $i++)
    {
        // Every byte has an ord() below 256, so no range check is needed.
        // ctype_alnum() must be given the character itself, not its code
        // (passing an int is deprecated since PHP 8.1).
        if (!ctype_alnum($str[$i]))
        {
            // Zero-pad to two hex digits: \xHH and %HH require exactly two,
            // dechex() would emit "\xa" or "%a" for bytes below 0x10.
            $new[$i] = $prefix . sprintf("%02X", ord($str[$i])) . $suffix;
        }
    }
    return implode($new);
}
It is all based on the rules developed in
http://www.owasp.org/index.php/XSS_(Cro ... Attributes
Shawn
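As an added example, not the poster's code and not taken from the OWASP page, here is a context-aware encoder for the same five rules that also answers the opening question about locating the characters to replace: rather than scanning for byte values under 256, it walks the input per UTF-8 code point and escapes everything except [A-Za-z0-9]. It differs from the posted function in three ways: hex values are zero-padded (JavaScript \x and URL % escapes need exactly two digits), multibyte characters are encoded as one code point instead of one escape per byte, and CSS escapes are padded to six digits so a hex digit that follows in the data cannot be absorbed into the escape. It assumes PHP 7.2 or later with mbstring (for mb_ord()); the function name, parameter names and the sample payload are this example's own.

```php
<?php
declare(strict_types=1);

/*
 * Added example: context-aware encoder following OWASP XSS prevention
 * rules 1-5 as referenced in the thread. Not the original poster's code.
 * Assumes UTF-8 input and PHP >= 7.2 with mbstring for mb_ord().
 */
function encode_for_context(string $input, string $context): string
{
    $context = strtolower($context);

    if ($context === 'content') {   // Rule 1: HTML body content, entity-encode the six specials
        return str_replace(
            ['&', '<', '>', '"', "'", '/'],
            ['&amp;', '&lt;', '&gt;', '&quot;', '&#x27;', '&#x2F;'],
            $input
        );
    }
    if ($context === 'url') {       // Rule 5: %HH for one query-string value (RFC 3986 via rawurlencode)
        return rawurlencode($input);
    }
    if (!in_array($context, ['attribute', 'script', 'style'], true)) {
        throw new InvalidArgumentException("Unknown encoding context: $context");
    }

    // '//u' splits the string into one UTF-8 character per element and
    // fails (returns false) on malformed UTF-8, which we refuse to encode.
    $chars = preg_split('//u', $input, -1, PREG_SPLIT_NO_EMPTY);
    if ($chars === false) {
        throw new InvalidArgumentException('Input is not valid UTF-8');
    }

    $out = '';
    foreach ($chars as $ch) {
        $cp = mb_ord($ch, 'UTF-8');
        // Rules 2-4: only ASCII letters and digits pass through untouched.
        $isAlnum = ($cp >= 0x30 && $cp <= 0x39)
                || ($cp >= 0x41 && $cp <= 0x5A)
                || ($cp >= 0x61 && $cp <= 0x7A);
        if ($isAlnum) {
            $out .= $ch;
            continue;
        }
        switch ($context) {
            case 'attribute':   // Rule 2: &#xHH; is valid for any code point, so no upper bound
                $out .= sprintf('&#x%02X;', $cp);
                break;
            case 'script':      // Rule 3: \xHH below 0x100, \uHHHH in the BMP, surrogate pair above.
                                // Only ever place the result inside a quoted JS string literal.
                if ($cp < 0x100) {
                    $out .= sprintf('\\x%02X', $cp);
                } elseif ($cp < 0x10000) {
                    $out .= sprintf('\\u%04X', $cp);
                } else {
                    $v = $cp - 0x10000;
                    $out .= sprintf('\\u%04X\\u%04X', 0xD800 + ($v >> 10), 0xDC00 + ($v & 0x3FF));
                }
                break;
            case 'style':       // Rule 4: CSS hex escape, six digits so the escape is self-terminating
                $out .= sprintf('\\%06X', $cp);
                break;
        }
    }
    return $out;
}

// Constructed sample payload: an attribute-breakout attempt and a non-ASCII character.
$payload = '" onmouseover="alert(1)';
echo encode_for_context($payload, 'attribute'), "\n";
echo encode_for_context($payload, 'script'), "\n";
echo encode_for_context("é;", 'style'), "\n";
echo encode_for_context('a b&c', 'url'), "\n";
```

Running it shows that in attribute and script mode every quote, space, equals sign and parenthesis of the payload becomes an escape, so the browser can only ever see it as literal text, while the letters and digits of onmouseover and alert remain readable. The per-code-point walk is what makes the attribute output &#xE9; for an é instead of the two broken byte escapes the byte-wise loop would produce, and refusing malformed UTF-8 up front avoids emitting escapes for half a character.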