PEAK XOOPS - anti-XSS system (2) in englishin japanese

Archive | RSS |
PHP
PHP : anti-XSS system (2)
Poster : GIJOE on 2006-06-21 15:27:40 (10928 reads)

in englishin japanese
This is the simple pattern of "Big Umbrella anti-XSS system".

(1) make a file.
eg) /usr/local/lib/php/bigumbrella.php


<?php
function bigumbrella_init() {
        foreach( $_REQUEST as $key => $val ) {
                if( preg_match( '/[<\'"].{15}/s' , $val , $regs ) ) {
                        $GLOBALS['bigumbrella_doubtfuls'][] = $regs[0] ;
                }
        }
        if( ! empty( $GLOBALS['bigumbrella_doubtfuls'] ) ) {
                ob_start( 'bigumbrella_outputcheck' ) ;
        }
}

function bigumbrella_outputcheck( $s ) {
        if( ! is_array( @$GLOBALS['bigumbrella_doubtfuls'] ) ) {
                return "bigumbrella injection found." ;
        }

        foreach( $GLOBALS['bigumbrella_doubtfuls'] as $doubtful ) {
                if( strstr( $s , $doubtful ) ) {
                        return "XSS found." ;
                }
        }
        return $s ;
}

$GLOBALS['bigumbrella_doubtfuls'] = array() ;
bigumbrella_init() ;
?>


(2) Insert a line into <VirtualHost> of your httpd.conf

php_value auto_prepend_file /usr/local/lib/php/bigumbrella.php

Else, you can also add it into php.ini

auto_prepend_file = /usr/local/lib/php/bigumbrella.php


If you use .htaccess, insert the line into .htaccess just under DocumentRoot.

To be continued (3) for better code...

0 comments

Related articles
Printer friendly page Send this story to a friend

Comments list

Login
Username or e-mail:

Password:

Remember Me

Lost Password?

Register now!