anti-XSS system (2)

Date 2006-06-21 15:27:40 | Category: PHP
in englishin japanese
This is the simple pattern of "Big Umbrella anti-XSS system".

(1) make a file.
eg) /usr/local/lib/php/bigumbrella.php

<?php
function bigumbrella_init() {
        foreach( $_REQUEST as $key => $val ) {
                if( preg_match( '/[<\'"].{15}/s' , $val , $regs ) ) {
                        $GLOBALS['bigumbrella_doubtfuls'][] = $regs[0] ;
                }
        }
        if( ! empty( $GLOBALS['bigumbrella_doubtfuls'] ) ) {
                ob_start( 'bigumbrella_outputcheck' ) ;
        }
}

function bigumbrella_outputcheck( $s ) {
        if( ! is_array( @$GLOBALS['bigumbrella_doubtfuls'] ) ) {
                return "bigumbrella injection found." ;
        }

        foreach( $GLOBALS['bigumbrella_doubtfuls'] as $doubtful ) {
                if( strstr( $s , $doubtful ) ) {
                        return "XSS found." ;
                }
        }
        return $s ;
}

$GLOBALS['bigumbrella_doubtfuls'] = array() ;
bigumbrella_init() ;
?>


(2) Insert a line into <VirtualHost> of your httpd.conf

php_value auto_prepend_file /usr/local/lib/php/bigumbrella.php

Else, you can also add it into php.ini

auto_prepend_file = /usr/local/lib/php/bigumbrella.php


If you use .htaccess, insert the line into .htaccess just under DocumentRoot.

To be continued (3) for better code...


You can read more news at PEAK XOOPS.
http://xoops.peak.ne.jp

The URL for this story is:
http://xoops.peak.ne.jp/md/news/index.php?page=article&storyid=127