Re: [WEB SECURITY] xss filter to protect from xss attacks
- From: Andrew van der Stock <vanderaj@xxxxxxxxx>
- Subject: Re: [WEB SECURITY] xss filter to protect from xss attacks
- Date: Tue, 23 Jan 2007 12:07:27 -0500
I have a PHP anti-XSS library in development which encodes all but the
characters A-Z, a-z, 0-9, and space. It is multi-byte aware. For
convenience, it uses the same API interfaces as Microsoft Anti-XSS 1.5
library (which I heartily recommend to all .NET developers). My version is
initially implemented in just PHP. I might have to make it into a PHP
extension to regain speed. But first and foremost, correct then fast. The
API is most likely going to be (statics may be lost in the long run):
class AntiXSS
{
    public function __construct()
    {
    }

    public static function HTMLEncode($o)
    {
    }

    public static function HTMLDecode($i)
    {
    }

    public static function HtmlAttributeEncode($o)
    {
    }

    public static function UrlEncode($o)
    {
    }

    public static function JavaScriptEncode($o)
    {
    }

    public static function XmlEncode($o)
    {
    }

    public static function XmlAttributeEncode($o)
    {
    }
}
In addition, I have completed a basic anti-CSRF class, which will defeat
some but not all forced browsing attacks.
/*
 * Usage:
 *
 * require_once('owasp.csrfguard.php');
 * $cg = new csrfGuard();
 *
 * In your HTML form, use this to get a hidden field:
 *
 * echo $cg;
 *
 * If you want the two values as an array, say if you
 * want to put or store it elsewhere, do this:
 *
 * $myArray = $cg->getToken(csrfGuard::RAWFORM);
 *
 * Before processing the resulting submission, do this:
 *
 * try
 * {
 *     $cg->isValid();
 *     ... Your app's code goes here ...
 * }
 * catch (TokenException $e)
 * {
 *     // handle exception
 * }
 */
These will be up on the OWASP web site soon; sooner with some help! :)
Thanks,
Andrew
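The allowlist approach the post describes, as an added example that is not the author's library or the Microsoft Anti-XSS code: every UTF-8 code point outside A-Z, a-z, 0-9 and space is encoded for the target context, and the input is walked by code point rather than by byte so multi-byte characters are never split. The class and method names here are assumptions chosen to mirror the API sketch above; the attribute encoder also encodes space, a design choice so the value survives an unquoted attribute.

```php
<?php
// Added example, not the OWASP or Microsoft Anti-XSS library code.
// Demonstrates "encode everything except A-Z, a-z, 0-9 and space",
// working on UTF-8 code points so multi-byte input is handled whole.
declare(strict_types=1);

final class AllowlistEncoder
{
    // The characters left untouched; everything else gets encoded.
    private static function isSafe(string $ch, bool $allowSpace): bool
    {
        $pattern = $allowSpace ? '/^[A-Za-z0-9 ]$/D' : '/^[A-Za-z0-9]$/D';
        return (bool) preg_match($pattern, $ch);
    }

    // Split input into code points. Invalid UTF-8 is rejected rather than
    // passed through, since a stray partial byte can change how a browser
    // parses the bytes that follow it.
    private static function codePoints(string $input): array
    {
        if (!mb_check_encoding($input, 'UTF-8')) {
            throw new InvalidArgumentException('input is not valid UTF-8');
        }
        return $input === '' ? [] : mb_str_split($input, 1, 'UTF-8');
    }

    // HTML body context: numeric character reference for each unsafe code point.
    public static function htmlEncode(string $input): string
    {
        $out = '';
        foreach (self::codePoints($input) as $ch) {
            $out .= self::isSafe($ch, true) ? $ch : '&#' . mb_ord($ch, 'UTF-8') . ';';
        }
        return $out;
    }

    // Attribute context: same references, but space is encoded too (assumed
    // design choice) so the value is safe even inside an unquoted attribute.
    public static function htmlAttributeEncode(string $input): string
    {
        $out = '';
        foreach (self::codePoints($input) as $ch) {
            $out .= self::isSafe($ch, false) ? $ch : '&#' . mb_ord($ch, 'UTF-8') . ';';
        }
        return $out;
    }

    // URL context: percent-encode every UTF-8 byte of an unsafe code point.
    public static function urlEncode(string $input): string
    {
        $out = '';
        foreach (self::codePoints($input) as $ch) {
            if (self::isSafe($ch, false)) {
                $out .= $ch;
                continue;
            }
            foreach (str_split($ch) as $byte) {
                $out .= sprintf('%%%02X', ord($byte));
            }
        }
        return $out;
    }

    // JavaScript string-literal context: \uXXXX escapes, using a surrogate
    // pair for code points above the Basic Multilingual Plane.
    public static function javaScriptEncode(string $input): string
    {
        $out = '';
        foreach (self::codePoints($input) as $ch) {
            if (self::isSafe($ch, true)) {
                $out .= $ch;
                continue;
            }
            $cp = mb_ord($ch, 'UTF-8');
            if ($cp > 0xFFFF) {
                $cp -= 0x10000;
                $out .= sprintf('\\u%04X\\u%04X', 0xD800 + ($cp >> 10), 0xDC00 + ($cp & 0x3FF));
            } else {
                $out .= sprintf('\\u%04X', $cp);
            }
        }
        return $out;
    }
}

// Constructed sample input: a markup probe plus a two-byte character.
$sample = '<b onclick="x">é</b> ok';
echo AllowlistEncoder::htmlEncode($sample), PHP_EOL;
echo AllowlistEncoder::htmlAttributeEncode($sample), PHP_EOL;
echo AllowlistEncoder::urlEncode($sample), PHP_EOL;
echo AllowlistEncoder::javaScriptEncode($sample), PHP_EOL;
```

The point of encoding per context rather than with one generic function is that the same input lands in different parsers (HTML, the URL parser, the JavaScript lexer), and each has its own set of significant characters; the allowlist keeps the output safe in all of them at the cost of some readability.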
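The token guard pattern in the usage comment above, as an added example that is not the csrfGuard class from the post: the class name, field name, lifetime and the session array passed into the constructor are all assumptions made so the walk-through runs from the command line, but the shape (echo for a hidden field, getToken() for the raw values, isValid() throwing TokenException) follows the comment.

```php
<?php
// Added example, not the OWASP csrfGuard class from the post.
// Assumed: field name, token lifetime, and a plain array standing in for
// $_SESSION so the walk-through runs outside a web request.
declare(strict_types=1);

final class TokenException extends RuntimeException {}

final class CsrfGuard
{
    public const FIELD = 'csrf_token';  // hidden-field name (assumed)
    private const TTL  = 3600;          // token lifetime in seconds (assumed)

    private array $session;

    public function __construct(array &$session)
    {
        $this->session = &$session;
        if (!isset($this->session[self::FIELD])) {
            $this->issue();
        }
    }

    // Fresh unguessable token from the CSPRNG, with its issue time.
    private function issue(): void
    {
        $this->session[self::FIELD] = [
            'value'  => bin2hex(random_bytes(32)),
            'issued' => time(),
        ];
    }

    // Raw name/value pair for callers that render the field themselves.
    public function getToken(): array
    {
        return [self::FIELD => $this->session[self::FIELD]['value']];
    }

    // Hidden input for the form. The value is hex, but it is still escaped
    // for the attribute context as a matter of habit.
    public function __toString(): string
    {
        return sprintf(
            '<input type="hidden" name="%s" value="%s">',
            self::FIELD,
            htmlspecialchars($this->session[self::FIELD]['value'], ENT_QUOTES, 'UTF-8')
        );
    }

    // Check a submitted form (normally $_POST). Any failure throws; success
    // rotates the token so a captured value cannot be replayed.
    public function isValid(array $submitted): bool
    {
        $stored = $this->session[self::FIELD] ?? null;
        $given  = $submitted[self::FIELD] ?? null;
        if ($stored === null || !is_string($given)) {
            throw new TokenException('missing CSRF token');
        }
        if (time() - $stored['issued'] > self::TTL) {
            $this->issue();
            throw new TokenException('CSRF token expired');
        }
        // Constant-time comparison so the check does not leak via timing.
        if (!hash_equals($stored['value'], $given)) {
            throw new TokenException('CSRF token mismatch');
        }
        $this->issue();
        return true;
    }
}

// Constructed walk-through standing in for a real request/response cycle.
$session = [];
$cg = new CsrfGuard($session);
echo $cg, PHP_EOL;                       // the hidden field the form carries

$post = $cg->getToken();                 // what a legitimate submission contains
$cg->isValid($post);
echo 'legitimate submission accepted', PHP_EOL;

try {
    $cg->isValid($post);                 // replaying the now-rotated token
} catch (TokenException $e) {
    echo 'replay rejected: ', $e->getMessage(), PHP_EOL;
}

try {
    $cg->isValid([]);                    // a cross-site form post has no token
} catch (TokenException $e) {
    echo 'forged request rejected: ', $e->getMessage(), PHP_EOL;
}
```

This matches the post's own caveat that such a guard defeats some but not all forced-browsing attacks: the token is only as secret as the page it is embedded in, so an XSS flaw on the same origin, or a token leaked through a referrer or log, removes the protection.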