XSS Exposed - how do I fix them?

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

simonmlewis
DevNet Master
Posts: 4435
Joined: Wed Oct 08, 2008 3:39 pm
Location: United Kingdom
Contact:

XSS Exposed - how do I fix them?

Post by simonmlewis »

Code:

index.php?page=search&search=<img src=x onerror=prompt(/XSSPOSED/)>

How do we stop these from generating the popup?
Love PHP. Love CSS. Love learning new tricks too.
All the best from the United Kingdom.

Re: XSS Exposed - how do I fix them?

Post by simonmlewis »

We are using PDO, but it still generates the dreaded popup.

But it might be because we don't "escape" it from being seen in the $variable in the screen. So search for "hats", and the word "hats" will appear, without being escaped.

Code:

if (isset($_GET['search']))
{
    $search = $_GET['search'];
    $_SESSION['search'] = $search;
} else {
    $search = $_SESSION['search'];
}

$count = 0;
$searchhead = $search;
// Escapes for the (legacy mysql_) query only; nothing here escapes for HTML output.
$search = mysql_real_escape_string($_GET["search"]);
So I assume we need to somehow escape the bad stuff in the $_GET ?? But how?

Re: XSS Exposed - how do I fix them?

Post by Celauran »

PDO and prepared statements help protect against SQL injection. This is something completely different. You're accepting user values and echoing them directly without filtering them. What you want here is to either wrap output in htmlspecialchars or use templates (Twig, Blade, etc) that will do it for you.
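As an added illustration of the point above (this is example code, not Celauran's or the thread's own), here is the search term rendered without and with output escaping, in the two HTML contexts a search page usually has: element text and an attribute value. The function names and the constructed $search value are assumptions; the payload is the one from the opening post.

```php
<?php
// Added example, not code from the thread: the same search term echoed
// unescaped and escaped. Function names and the sample value are assumptions.
declare(strict_types=1);

// One escaping helper for every place a value is dropped into HTML.
// ENT_QUOTES also encodes the single quote, which matters for the
// single-quoted attributes used in this thread; ENT_SUBSTITUTE keeps
// htmlspecialchars from returning '' on invalid UTF-8; the charset is explicit.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable: the raw value is interpolated into the markup, so the browser
// parses the <img> tag and runs its onerror handler.
function render_results_vulnerable(int $numRows, string $search): string
{
    return "<div class='cat_head'>$numRows results found for $search</div>";
}

// Fixed: the value is escaped at the point of output, so the browser shows
// the tag as literal text instead of parsing it.
function render_results(int $numRows, string $search): string
{
    return "<div class='cat_head'>$numRows results found for " . e($search) . "</div>";
}

// Attribute context (refilling the search box). A single quote in the value
// would otherwise end the attribute early; e() encodes it as &#039;.
function render_search_box(string $search): string
{
    return "<input type='text' name='search' value='" . e($search) . "'>";
}

// Constructed input: the payload from the opening post.
$search = '<img src=x onerror=prompt(/XSSPOSED/)>';

echo render_results_vulnerable(0, $search), PHP_EOL;  // the tag reaches the page as markup
echo render_results(0, $search), PHP_EOL;             // the tag reaches the page as escaped text
echo render_search_box($search), PHP_EOL;
```

Run it from the command line and compare the three lines: only the first contains a parseable `<img` tag. The escaping is done where the value is written into the page, not where it is read from the request, so the same raw value can still be stored, searched for with a prepared statement, and shown back safely.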

Re: XSS Exposed - how do I fix them?

Post by simonmlewis »

Code:

if (isset($_GET['search']))
{
    $search = htmlspecialchars($_GET['search'], ENT_QUOTES);
    $_SESSION['search'] = $search;
} else {
    $search = $_SESSION['search'];
}
Like this?
Coz it isn't working.

Re: XSS Exposed - how do I fix them?

Post by Celauran »

No, you want to filter it prior to echoing. I don't even see output in your snippet of code.

Re: XSS Exposed - how do I fix them?

Post by simonmlewis »

Code:

$search = htmlspecialchars($_GET['search'], ENT_QUOTES);

if(isset($search))
{
    $_SESSION['search']=$search;
} else {
    $search=$_SESSION['search'];
}
More like this?

Re: XSS Exposed - how do I fix them?

Post by simonmlewis »

We echo it like this:

Code:

echo "<div class='cat_head'>$num_rows results found for $search</div>"; // $search is interpolated unescaped
So I can see the issue, but want to stamp it down right at the top. Be better if it threw the person to a custom 404 page.
So if I could establish what it is in our header files, and then chuck them out to a 404 IF the code is bad?!

Re: XSS Exposed - how do I fix them?

Post by simonmlewis »

Actually I can see the Blog handles it perfectly, but just saying that text is bad. So I guess I just need to do it like that. But how.

Re: XSS Exposed - how do I fix them?

Post by Celauran »

Code:

<?php

$search = $_GET['search'];

// Prepared statement to prevent SQL injection
$query = "SELECT * FROM whatever WHERE name LIKE :search";
$stmt = $db->prepare($query);
$exec = $stmt->execute(['search' => '%' . $search . '%']);

$results = [];
if ($exec) {
    $results = $stmt->fetchAll();
}

?>

<h1>Search Results</h1>
<?php /** Here we filter the _output_ to prevent XSS **/ ?>
<p>You searched for <?= htmlspecialchars($search); ?></p>

<?php foreach ($results as $result): ?>
    ...
<?php endforeach; ?>

Re: XSS Exposed - how do I fix them?

Post by Celauran »

That's a reasonably complete if somewhat contrived example.

Re: XSS Exposed - how do I fix them?

Post by simonmlewis »

That's prevented the popup. So that's great.
It echoes the <> tag on screen, but that's fine.
But why is it producing 88 results?? When there is clearly nothing to be found?

Re: XSS Exposed - how do I fix them?

Post by simonmlewis »

I'm trying to see if I can override the result and if there is an < tag in there, replace "$search" with another word, like the main keyword for the site perhaps! but if I do this:

Code:

if (preg_match('/</', $search))
{
    $search = "shirts";
}
It doesn't work.

Re: XSS Exposed - how do I fix them?

Post by Celauran »

simonmlewis wrote:But why is it producing 88 results?? When there is clearly nothing to be found?
One has nothing to do with the other. htmlspecialchars is used prior to echoing output. That's it, that's all. Perhaps if you posted a more complete, meaningful block of code? Obfuscate anything identifying/sensitive, of course, but two line snippets in isolation are often meaningless.

Re: XSS Exposed - how do I fix them?

Post by Celauran »

simonmlewis wrote:I'm trying to see if I can override the result and if there is an < tag in there, replace "$search" with another word, like the main keyword for the site perhaps! but if I do this:

Code:

if (preg_match('/</', $search))
{
    $search = "shirts";
}
It doesn't work.
Is this before or after htmlspecialchars? If after, the < will have been replaced by &lt;.
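The order of operations the thread ends on, as an added example that is not the thread's own code: the check for `<` runs on the raw request value (on an escaped copy it can never match, since `<` has already become `&lt;`), the raw value is what goes into the session, and htmlspecialchars is applied only where the value is echoed. The 404 branch is the behaviour simonmlewis asked for earlier in the thread. The function names, the `[<>]` rule and the constructed request values are assumptions.

```php
<?php
// Added example, not code from the thread: validate the raw input, store the
// raw input, escape at output. Function names and sample inputs are assumptions.
declare(strict_types=1);

function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Returns the term to search for, or null when the request should be rejected.
// $get and $session stand in for $_GET and $_SESSION so the logic is testable.
function resolve_search_term(array $get, array &$session): ?string
{
    if (isset($get['search'])) {
        $raw = (string) $get['search'];
        // Check the RAW value. After htmlspecialchars '<' is '&lt;', so a
        // preg_match('/</', ...) on the escaped copy would never match.
        if (preg_match('/[<>]/', $raw) === 1) {
            return null;
        }
        $session['search'] = $raw;   // store unescaped; escaping happens at output only
        return $raw;
    }
    return isset($session['search']) ? (string) $session['search'] : '';
}

// The one place the value is written into HTML, so the one place it is escaped.
function render_results(int $numRows, string $search): string
{
    return "<div class='cat_head'>$numRows results found for " . e($search) . "</div>";
}

// Constructed requests: a normal term, the payload from the first post, and a
// term with a quote in it (legitimate, and it must survive untouched).
$session = [];
foreach (['hats', '<img src=x onerror=prompt(/XSSPOSED/)>', "women's hats"] as $term) {
    $search = resolve_search_term(['search' => $term], $session);
    if ($search === null) {
        // Reject the request instead of searching, as the poster wanted.
        http_response_code(404);
        echo '404 Not Found for input: ' . e($term), PHP_EOL;
        continue;
    }
    // ... run the PDO prepared statement here with ['search' => "%$search%"] ...
    echo render_results(0, $search), PHP_EOL;
}
```

Two things to keep in mind with this shape. The `[<>]` rejection is a policy choice, not the defence: a legitimate search such as `a < b` would also get the 404, and a value that never contains an angle bracket can still break out of an attribute, so `e()` at output stays regardless of what the validation lets through. And because the session holds the raw term, the same `e()` call has to be applied wherever the session value is echoed later, not only on the search page.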