XSS Class



kettle_drum
DevNet Resident
Posts: 1150
Joined: Sun Jul 20, 2003 9:25 pm
Location: West Yorkshire, England


Post by kettle_drum »

Here's a class from a CMS that I'm currently coding that I thought people might like to see and use.

It checks all input from the user against XSS. You just load it at the start of your page and then use the class's instance variables instead of $_GET and $_POST etc.

Code:

<?php
#####-----------------------------------------------------------------------------------------#####
#####                                   .: Icicle v0.1 :.                                     #####
#####                          Unleashing The Power Of Frozen Water                           #####
#####                                                                                         #####
#####                          Written By Frozensheep Web Solutions.                          #####
#####                               http://www.frozensheep.com                                #####
#####-----------------------------------------------------------------------------------------#####
#####     FILE: includes/includes/classes/xss.php                                             #####
#####                                                                                         #####
#####     DESCRIPTION: Checks all data against XSS.                                           #####
#####                                                                                         #####
#####-----------------------------------------------------------------------------------------#####

class XSS {

   public $GET = array();                    #holds checked $_GET data
   public $POST = array();                   #holds checked $_POST data
   public $COOKIE = array();                 #holds checked $_COOKIE data
   public $SESSION = array();                #holds checked $_SESSION data

   ##--------------------------------------------
   ##CLASS CONSTRUCTOR
   ##(the PHP 4 style "function XSS()" constructor is not
   ## recognised from PHP 7 onwards, so __construct is used)
   ##--------------------------------------------
   function __construct(){
      $this->check_all_input();              #does an XSS check on ALL data received
   }

   ##--------------------------------------------
   ##CHECK ALL INPUT FUNCTION
   ##Checks all data the user has sent us for XSS
   ##--------------------------------------------
   function check_all_input(){
      if(!empty($_GET)){$this->GET = $this->check_data_array($_GET);}                   #Takes all $_GET variables and returns them xss checked
      if(!empty($_POST)){$this->POST = $this->check_data_array($_POST);}                #Takes all $_POST variables and returns them xss checked
      if(!empty($_COOKIE)){$this->COOKIE = $this->check_data_array($_COOKIE);}          #Takes all $_COOKIE variables and returns them xss checked
      if(session_status() !== PHP_SESSION_ACTIVE){session_start();}                     #Starts the session unless the page already has
      if(!empty($_SESSION)){$this->SESSION = $this->check_data_array($_SESSION);}       #Takes all $_SESSION variables and returns them xss checked
      session_write_close();                                                            #ends the session
   }

   ##--------------------------------------------
   ##XSS CHECK FUNCTION
   ##Checks the string for xss
   ##Only scalar values are handled here; a nested array
   ##(e.g. a multi-select sent as name[]) is not supported
   ##--------------------------------------------
   function xss_check($string){
      return htmlspecialchars($string, ENT_QUOTES, 'UTF-8');   #encodes the HTML metacharacters & < > " '
   }

   ##--------------------------------------------
   ##CHECK DATA ARRAY FUNCTION
   ##Returns an array of xss checked items
   ##--------------------------------------------
   function check_data_array($array){
      foreach(array_keys($array) as $key){                     #loops through the keys
         $array[$key] = $this->xss_check($array[$key]);        #performs xss_check on the array value
      }
      return $array;                                           #returns the array
   }
}

?>
redmonkey
Forum Regular
Posts: 836
Joined: Thu Dec 18, 2003 3:58 pm

Post by redmonkey »

What about checkboxes, radio buttons or multi-selects? Or, more specifically, if the array element being processed is an array itself.

It may also become difficult to work with certain input e.g. the users name is Paddy O'Riely.
McGruff
DevNet Master
Posts: 2893
Joined: Thu Jan 30, 2003 8:26 pm
Location: Glasgow, Scotland

Post by McGruff »

I'm not sure about htmlspecialchars at the input-gathering stage. This is really a display function which I think should be done at an output stage - not all scripts will be outputting the data as html.

I do like the idea of a class (or classes) to check user input. However, I think there are a lot more features which ought to be added. Checking user input is very important.

- as mentioned above, support for 2d arrays (they could in theory be deeper but that's unlikely)
- check for missing or alien keys
- filter out any invalid values
- support declaration of any number of rules per test array key and value (is numeric, regex, key required to exist, value required to validate, etc)
- support custom error messages
- provide accessors indicating if request processing should be terminated (eg if alien keys are found)
- provide an accessor to indicate the form redisplay case (eg required values failed to validate)

That's quite a different aim to your XSS class, but that's what I see as the task at hand when faced with raw user input.

What I've come up with are KeyValidators, ValueValidationControllers, individual Validators (is numeric, regex etc), ProxyArray classes, and a Firewall class to load it all up. Still finishing it off but sometime soon I'll stick something up.
Last edited by McGruff on Sat Jul 10, 2004 8:33 pm, edited 1 time in total.
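The separation McGruff argues for above, as an added example that is not code from the thread or from the Icicle CMS: input is validated against a whitelist of keys and per-key rules at the boundary and stored as typed, and encoding happens only at each output sink with that sink's rules. The `validate`, `e_html`, `e_url` and `e_js` helpers and the sample `$post` array are all constructed for this illustration.

```php
<?php
// Added example, not code from the thread: validate at input, encode at output.
// All helper names and sample values below are constructed for the illustration.
declare(strict_types=1);

// --- validation at the input boundary: whitelist keys, check each value -------
// Returns a list of error strings; an empty list means the request is acceptable.
function validate(array $input, array $rules): array
{
    $errors = [];
    foreach (array_diff(array_keys($input), array_keys($rules)) as $alien) {
        $errors[] = "unexpected key: $alien";       // alien key: reason to stop processing
    }
    foreach ($rules as $key => $rule) {
        if (!array_key_exists($key, $input)) {
            if ($rule['required'] ?? false) {
                $errors[] = "missing key: $key";
            }
            continue;
        }
        $value = $input[$key];
        if (!is_string($value)) {                   // nested arrays need their own rule
            $errors[] = "$key: expected a scalar";
            continue;
        }
        if (isset($rule['regex']) && !preg_match($rule['regex'], $value)) {
            $errors[] = "$key: " . ($rule['message'] ?? 'invalid value');
        }
    }
    return $errors;
}

// --- encoding at each output sink, chosen by where the value is written --------
function e_html(string $s): string {   // text content or a double-quoted attribute
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}
function e_url(string $s): string {    // one query-string component
    return rawurlencode($s);
}
function e_js(string $s): string {     // a JavaScript string literal inside <script>
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR);
}

// constructed stand-in for $_POST
$post = [
    'name' => "Paddy O'Riely",
    'age'  => '42',
    'bio'  => '<script>alert(document.cookie)</script>',
];
$rules = [
    'name' => ['required' => true,  'regex' => "/^[\\p{L} .'-]{1,64}$/u", 'message' => 'letters, spaces, apostrophes only'],
    'age'  => ['required' => false, 'regex' => '/^[0-9]{1,3}$/',          'message' => 'must be a number'],
    'bio'  => ['required' => false, 'regex' => '/^[^\x00-\x08\x0B\x0C\x0E-\x1F]{0,500}$/u'], // any printable text, length-capped
];

$errors = validate($post, $rules);
if ($errors) {
    // the form redisplay case: report the messages, never echo the raw input
    foreach ($errors as $e) {
        echo e_html($e), "\n";
    }
}

// The stored value stays exactly as typed: the apostrophe is still an apostrophe.
$name = $post['name'];

// Each sink encodes for its own context, once, at the moment of output.
echo '<p>Hello, ', e_html($name), "</p>\n";
echo '<a href="/search?q=', e_html(e_url($name)), '">search</a>', "\n";
echo '<script>var who = ', e_js($name), ";</script>\n";
echo '<div>', e_html($post['bio']), "</div>\n";
```

The href line shows why one encoder at input time cannot work: the same value is URL-encoded as a query component and then HTML-encoded as an attribute, two layers that depend on the sink, while the copy kept in the application (and any database) is untouched, so "Paddy O'Riely" compares and sorts as the user typed it.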
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Post by Weirdan »

McGruff, I designed something like you describe here about two months ago... Are you interested?
McGruff
DevNet Master
Posts: 2893
Joined: Thu Jan 30, 2003 8:26 pm
Location: Glasgow, Scotland

Post by McGruff »

Yes - would be interesting to compare notes.

I'm hoping to stick a few pages up for the stuff I mentioned above in the next week or two with some docs & code download.
kettle_drum
DevNet Resident
Posts: 1150
Joined: Sun Jul 20, 2003 9:25 pm
Location: West Yorkshire, England

Post by kettle_drum »

This is simply a class to prevent XSS and SQL injection but could certainly be a parent class for everything else you're suggesting.

P.S. I'll add support for multi-dimensional arrays when I next edit it. A bit of recursion should do it.
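The recursion mentioned above, as an added example rather than the class's own code: `check_data_array()` reworked as a standalone recursive function so that checkbox groups and multi-selects (`colour[]=...`) are encoded instead of hitting `htmlspecialchars()` with an array. The second half runs the encoded values against an in-memory SQLite database through PDO (assumed available) to show what the HTML encoding does and does not do for SQL. The `$get` array and the `users` table are constructed for the illustration.

```php
<?php
// Added example, not the thread's code: a recursive check_data_array(), then a check
// of what htmlspecialchars() buys against SQL. Sample values are constructed; PDO with
// the SQLite driver is assumed.
declare(strict_types=1);

function xss_check_recursive($value)
{
    if (is_array($value)) {                       // checkbox group, multi-select, name[x][y]
        foreach ($value as $key => $item) {
            $value[$key] = xss_check_recursive($item);
        }
        return $value;
    }
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// constructed stand-in for $_GET from ?colour[]=red&colour[]=<b>x</b>&id=1 OR 1=1&name=O'Riely
$get = [
    'colour' => ['red', '<b>x</b>'],
    'id'     => '1 OR 1=1',
    'name'   => "O'Riely",
];
$checked = xss_check_recursive($get);
print_r($checked);                                // colour[1] and name are encoded, id is not

// 'id' contains none of & < > " ' so it comes back byte-for-byte unchanged;
// concatenated into a query it is still a working injection.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users VALUES (1, 'alice'), (2, 'bob'), (3, 'carol')");

$concatenated = (int) $db->query(
    'SELECT COUNT(*) FROM users WHERE id = ' . $checked['id']   // becomes WHERE id = 1 OR 1=1
)->fetchColumn();

// The control that stops it is parameterisation, independent of any HTML encoding:
$stmt = $db->prepare('SELECT COUNT(*) FROM users WHERE id = :id');
$stmt->execute([':id' => $get['id']]);            // the raw value is bound as data, not as SQL
$parameterised = (int) $stmt->fetchColumn();

printf("concatenated: %d rows, parameterised: %d rows\n", $concatenated, $parameterised);
```

The concatenated query matches every row in the table, because the encoded `id` still reads `1 OR 1=1`; the prepared statement matches none, because SQLite compares the bound text `'1 OR 1=1'` as a value against the integer ids. Note also what `print_r` shows for `name`: `O&#039;Riely` is what would reach the database if this class sits in front of every query, which is the point raised earlier in the thread.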
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Post by Weirdan »

McGruff wrote: Yes - would be interesting to compare notes.

I have posted the full source code in a separate topic.