PEAK XOOPS - anti-XSS system (3)

PHP : anti-XSS system (3)
Poster : GIJOE on 2006-06-22 12:46:44 (10263 reads)

The simple pattern of BigUmbrella has 3 problems.

(A) The XSS check should run only for responses sent as "Content-Type: text/html".
(B) ob_start() increases the server's load when PHP transfers a huge file.
(C) Preview screens where HTML is allowed (the user's own markup is echoed back on purpose there).

For (B), disable the output buffer filter manually before sending the file:


	// remove output bufferings
	while( ob_get_level() ) {
		ob_end_clean() ;
	}


For (C), disable BigUmbrella manually in the preview script:

	define( 'BIGUMBRELLA_DISABLED' , true ) ;


Don't forget to check the referer or a ticket in that situation.

This is the modified code for (A) and (C).
I will discuss the superglobals $_COOKIE and $_SERVER in the next article.


<?php
// collect suspicious fragments from one request array: a '<' or a quote plus
// the 15 characters that follow it. Nested arrays (name[]=...) are walked;
// preg_match() only emits a warning and checks nothing when handed an array.
function bigumbrella_collect( $vals ) {
	foreach( $vals as $val ) {
		if( is_array( $val ) ) {
			bigumbrella_collect( $val ) ;
		} else if( preg_match( '/[<\'"].{15}/s' , $val , $regs ) ) {
			$GLOBALS['bigumbrella_doubtfuls'][] = $regs[0] ;
		}
	}
}

function bigumbrella_init() {
	bigumbrella_collect( $_GET ) ;
	bigumbrella_collect( $_POST ) ;
	// install the output filter only when some input looked suspicious
	if( ! empty( $GLOBALS['bigumbrella_doubtfuls'] ) ) {
		ob_start( 'bigumbrella_outputcheck' ) ;
	}
}

function bigumbrella_outputcheck( $s ) {
	// (C) the script has opted out (e.g. a preview with html allowed)
	if( defined( 'BIGUMBRELLA_DISABLED' ) ) return $s ;

	// (A) only text/html responses are checked; anything else passes untouched
	if( function_exists( 'headers_list' ) ) {
		foreach( headers_list() as $header ) {
			if( stristr( $header , 'Content-Type:' ) && ! stristr( $header , 'text/html' ) ) {
				return $s ;
			}
		}
	}

	// the list itself has been overwritten from outside: fail closed
	if( ! is_array( @$GLOBALS['bigumbrella_doubtfuls'] ) ) {
		return "bigumbrella injection found." ;
	}

	// a suspicious fragment reflected verbatim into the html means the
	// application did not escape it
	foreach( $GLOBALS['bigumbrella_doubtfuls'] as $doubtful ) {
		if( strstr( $s , $doubtful ) !== false ) {
			return "XSS found." ;
		}
	}
	return $s ;
}

$GLOBALS['bigumbrella_doubtfuls'] = array() ;
bigumbrella_init() ;
?>
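To see what the output check actually catches, here is an added test harness (not part of GIJOE's BigUmbrella code) that re-implements the two decisions with the response headers passed in as a parameter, so it runs from the command line where headers_list() is empty; collect_doubtfuls(), check_output() and the request values are assumptions made for this example.

```php
<?php
// Added harness, not BigUmbrella itself. Mirrors the extraction rule of
// bigumbrella_init(): a '<' or quote plus the 15 bytes that follow it.
function collect_doubtfuls( array $params ) {
	$doubtfuls = array() ;
	foreach( $params as $val ) {
		if( is_string( $val ) && preg_match( '/[<\'"].{15}/s' , $val , $regs ) ) {
			$doubtfuls[] = $regs[0] ;
		}
	}
	return $doubtfuls ;
}

// Mirrors bigumbrella_outputcheck(), but takes the response headers as an
// argument instead of calling headers_list(), which is empty on the CLI.
function check_output( $body , array $doubtfuls , array $headers ) {
	foreach( $headers as $header ) {
		if( stristr( $header , 'Content-Type:' ) && ! stristr( $header , 'text/html' ) ) {
			return 'not html, not checked' ;
		}
	}
	foreach( $doubtfuls as $doubtful ) {
		if( strstr( $body , $doubtful ) !== false ) {
			return 'XSS found.' ;
		}
	}
	return 'clean' ;
}

// constructed request: a search term carrying markup that the page reflects
$get       = array( 'q' => '<script>alert(1)</script>' ) ;
$doubtfuls = collect_doubtfuls( $get ) ;
$html      = array( 'Content-Type: text/html; charset=UTF-8' ) ;
$json      = array( 'Content-Type: application/json' ) ;

// 1. echoed raw: the 16-byte fragment reappears verbatim in the HTML
echo 'raw reflection    : ' , check_output( '<p>Results for ' . $get['q'] . '</p>' , $doubtfuls , $html ) , "\n" ;

// 2. echoed through htmlspecialchars(): '<' became '&lt;', so the fragment is gone
echo 'escaped reflection: ' , check_output( '<p>Results for ' . htmlspecialchars( $get['q'] ) . '</p>' , $doubtfuls , $html ) , "\n" ;

// 3. same raw value, but the response is JSON: problem (A), the filter steps aside
echo 'json response     : ' , check_output( json_encode( $get ) , $doubtfuls , $json ) , "\n" ;
```

Run it with `php harness.php`; case 2 is the behaviour a correctly escaping XOOPS module produces, and case 3 shows why the Content-Type test belongs before the substring search.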
