JavaScript code is submitted from textarea


anjith

May 11, 2012, 9:05:23 AM
to Professional PHP Developers
Hi,

In one form, instead of a message, someone is sending JavaScript code. How do I
handle this situation? When we display the post, it is alerting,
saying the site is hacked.

Chase Reid

May 11, 2012, 10:05:50 AM
to professi...@googlegroups.com
This is called an XSS attack, or cross-site scripting; in your case, someone injected JavaScript code into your HTML form submission. In your HTML textarea it is always important to escape it.
Some sample code that may prevent any future XSS attacks on your site. Here it is; when the hacker tries to enter JavaScript data into your website it'll say "I don't like you". Also don't forget to edit the parameters to compensate for your site's components:
    // Reject any GET or POST value that matches one of the blacklisted patterns.
    // Note: eregi() was removed in PHP 7, so the same patterns are run through
    // preg_match() with the i (case-insensitive) flag. The GET and POST loops
    // used one identical list, so it is declared once, and the exact duplicate
    // entries (applet, style, form, title) are dropped. Behaviour is otherwise unchanged.
    $blacklist = array(
        '<[^>]*script*"?[^>]*>',
        '<[^>]*object*"?[^>]*>',
        '<[^>]*iframe*"?[^>]*>',
        '<[^>]*applet*"?[^>]*>',
        '<[^>]*meta*"?[^>]*>',
        '<[^>]*style*"?[^>]*>',
        '<[^>]*form*"?[^>]*>',
        '<[^>]*img*"?[^>]*>',
        '<[^>]*noscript*"?[^>]*>',
        '<[^>]*vbscript*"?[^>]*>',
        '<[^>]*embed*"?[^>]*>',
        '<[^>]*frame*"?[^>]*>',
        '<[^>]*frameset*"?[^>]*>',
        '<[^>]*html*"?[^>]*>',
        '<[^>]*body*"?[^>]*>',
        '<[^>]*!DOCTYPE*"?[^>]*>',
        '<[^>]*link*"?[^>]*>',
        '<[^>]*title*"?[^>]*>',
        '<[^>]*bgsound*"?[^>]*>',
        '<[^>]*layer*"?[^>]*>',
        '<[^>]*XSS*"?[^>]*>',
        '<[^>]*background*"?[^>]*>',
        '<[^>]*mocha*"?[^>]*>',
        '<[^>]*livescript*"?[^>]*>',
        '\([^>]*"?[^)]*\)',   // anything in parentheses
        '"',                  // any double quote
    );

    foreach (array($_GET, $_POST) as $source) {
        foreach ($source as $secvalue) {
            foreach ($blacklist as $pattern) {
                if (preg_match('~' . $pattern . '~i', $secvalue)) {
                    die("I don't like you...");
                }
            }
        }
    }

Chase Reid, Founder of Collision
> --
> This group is managed and maintained by the development staff at 360 PSG. An enterprise application development company utilizing open-source technologies for todays small-to-medium size businesses.
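As an added example, not code from the original post: running the blacklist above against a few constructed submissions. It uses a representative subset of the patterns (as preg_match() patterns, since eregi() no longer exists in PHP 7 and later) and shows the cost of the approach: an ordinary message containing parentheses or a double quote is rejected with the same die() as an attack.

```php
<?php
// Added example, not from the original post. A representative subset of the
// blacklist patterns from the message above, written as preg_match() patterns.
$blacklist = [
    '~<[^>]*script*"?[^>]*>~i',
    '~<[^>]*iframe*"?[^>]*>~i',
    '~<[^>]*img*"?[^>]*>~i',
    '~\([^>]*"?[^)]*\)~i',   // any text in parentheses
    '~"~',                    // any double quote
];

// Returns the pattern that caused a rejection, or null if the value passes.
function blacklist_hit(string $value, array $patterns): ?string
{
    foreach ($patterns as $pattern) {
        if (preg_match($pattern, $value) === 1) {
            return $pattern;
        }
    }
    return null;
}

// Constructed submissions: one attack and four ordinary forum messages.
$submissions = [
    '<script>alert("site is hacked")</script>',
    'Hello everyone, new here',
    'Meeting moved to 5pm (room B)',
    'She said "see you tomorrow"',
    'Is 5 < 6 && 7 > 3? Yes.',
];

foreach ($submissions as $value) {
    $hit = blacklist_hit($value, $blacklist);
    printf("%-45s %s\n", $value, $hit === null ? 'accepted' : "rejected by $hit");
}
```

Two of the four ordinary messages are rejected (the parentheses and the quote), and nothing here looks at what is already stored or at values that reach the page from a database or an API rather than from this request; the later replies in the thread deal with the output side.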

Chase Reid

May 11, 2012, 10:10:07 AM
to professi...@googlegroups.com, Professional PHP Developers
Also don't forget you can use strip_tags()

The code for that:
    // strip_tags() returns the cleaned string rather than modifying its
    // argument, so the result has to be written back (the original discarded it).
    foreach ($_GET as $key => $secvalue) {
        $_GET[$key] = strip_tags($secvalue);
    }
    foreach ($_POST as $key => $secvalue) {
        $_POST[$key] = strip_tags($secvalue);
    }

Chase Reid, Founder of Collision

Robert Gonzalez

May 11, 2012, 2:56:57 PM
to professi...@googlegroups.com
There is a bigger issue at hand here and that is the case of trusting your users' input. The basic stance of the security minded programmer is never trust your users to input safe data. Plain and simple...

Step 1: Validate and sanitize all inputs (not just from the user, but APIs, databases, files, etc)
Step 2: Filter and escape all outputs (not just HTTP responses but API responses, raw text, etc)

You can do a lot to make sure your systems aren't compromised AND that your users' systems aren't either. But it starts with how you program your application from the jump. Don't waste the overhead cleansing GET, POST or any other superglobals unless you are going to be using data in them. And when you know you are using data from your users, validate and sanitize the hell out of it. Every time. No exceptions.

Some links to assist you (thanks to Davey Shafik for putting this together many years ago):
http://www.phpdeveloper.org/news/5409 (also a great resource for PHP programmers, thanks to Chris Cornutt)

Also, I'd start checking out Chris Shiflett's articles on security, as he is a very well known security expert who has focused much of his knowledge on the PHP world.

Other PHP experts of note (only because of their focus on Security):

Hope that helps to get you started and get you thinking about security.
--

Robert Gonzalez
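The two steps in the reply above, applied to the "display the post" problem from the question, as an added example that is not code from the original post. The stored message is constructed sample data, and the helper names (e, render_safe, validate_message) are this example's own.

```php
<?php
// Added example, not from the original post: the display step from the
// question, first unescaped and then escaped on output, plus a separate
// validation step. The stored message is constructed sample data.

// What the attacker typed into the textarea, as it sits in the database.
$stored = "<script>alert(\"site is hacked\")</script>\nsecond line";

// Vulnerable: the raw value is concatenated into the page as HTML, so the
// browser runs the script when the post is displayed.
function render_unsafe(string $message): string
{
    return '<div class="post">' . $message . '</div>';
}

// Escape for the HTML text context. ENT_QUOTES also encodes single quotes,
// which matters if the same helper is used inside a quoted attribute;
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened: escape first, then turn the textarea's line breaks into <br>.
// Calling nl2br() before e() would escape the <br> tags it just added.
function render_safe(string $message): string
{
    return '<div class="post">' . nl2br(e($message)) . '</div>';
}

// Same rule when the value lands in an attribute or goes back into the
// textarea of an edit form: quote the attribute and escape the value, so a
// message containing </textarea> cannot break out of the element.
function render_edit_form(string $message, string $author): string
{
    return '<form method="post">'
        . '<input type="hidden" name="author" value="' . e($author) . '">'
        . '<textarea name="message">' . e($message) . '</textarea>'
        . '</form>';
}

// Input validation is a separate step with a different job: decide what a
// message is allowed to be (non-empty, bounded, valid UTF-8), not hunt for
// tags. Returns null for a rejected submission.
function validate_message(string $raw): ?string
{
    $msg = trim($raw);
    if ($msg === '' || strlen($msg) > 4000) {
        return null;
    }
    if (preg_match('//u', $msg) !== 1) {   // the u flag fails on invalid UTF-8
        return null;
    }
    return $msg;
}

$message = validate_message($stored);
if ($message !== null) {
    echo render_unsafe($message), PHP_EOL;
    echo render_safe($message), PHP_EOL;
    echo render_edit_form($message, 'anjith'), PHP_EOL;
}
```

The escaped version shows the attacker's tag as literal text instead of executing it, and it does so regardless of what the input looked like or which filter was in place when it was stored, which is why escaping belongs at the output and not in a request-time blacklist. Validation still runs on the way in; it just has a different purpose.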
   

David Dyess

May 11, 2012, 5:04:17 PM
to professi...@googlegroups.com
You should use strip_tags() or something equivalent. http://php.net/manual/en/function.strip-tags.php

It has an optional 2nd parameter that allows a list of allowable tags, which is normally needed from a textarea. If you make your own html filter or use someone else's, keep in mind to deny first and allow last. You want to strip anything not allowed, as opposed to stripping specific tags. If you are specifying which tags to strip, there's a chance you could miss one.

You should also use the Filter functions. http://us.php.net/manual/en/book.filter.php

The PHP manual has a lot of use cases for using the Filter functions to validate and filter input.

There are also useful classes out there people have made to do some of the work for you. Here is a class I've used a few times to filter attributes from tags as well. http://semlabs.co.uk/journal/php-strip-attributes-class-for-xml-and-html

David
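An added example, not code from the original post, putting the advice above together: strip_tags() with an allowed-tag list (deny first, allow last), the attribute problem that list leaves open, and filter_var() for the fields that are not free text. The submissions and the $post array are constructed sample data; ALLOWED_TAGS and filter_html are names chosen for this example.

```php
<?php
// Added example, not from the original post: allowlist filtering with
// strip_tags(), the attribute gap it leaves, and filter_var() validation.
// All inputs below are constructed sample submissions.

// Deny first, allow last: every tag not in this list is stripped.
const ALLOWED_TAGS = '<b><i><p>';

function filter_html(string $value): string
{
    // 1. strip_tags() removes every tag that is not allowed. It keeps the
    //    text between removed tags, so the body of a <script> block stays
    //    behind as plain text.
    $out = strip_tags($value, ALLOWED_TAGS);

    // 2. strip_tags() leaves attributes on the tags it keeps, so
    //    <b onmouseover="..."> survives step 1 intact. None of the allowed
    //    tags needs attributes here (an assumption of this example), so each
    //    opening tag is rewritten to its bare form; closing tags are untouched.
    return preg_replace('~<(b|i|p)\b[^>]*>~i', '<$1>', $out);
}

$submissions = [
    'Plain <b>bold</b> and <i>italic</i> text',
    '<script>alert("site is hacked")</script><b>hi</b>',
    '<b onmouseover="alert(1)">hover me</b>',
    '<a href="javascript:alert(1)">click</a>',
];
foreach ($submissions as $raw) {
    echo filter_html($raw), PHP_EOL;
}

// The filter extension handles the fields that are not free text. Invalid
// values come back as false, so they can be rejected instead of "cleaned".
$post = ['email' => 'anjith@example.com', 'thread_id' => '42', 'page' => '-1'];

$email  = filter_var($post['email'], FILTER_VALIDATE_EMAIL);
$thread = filter_var($post['thread_id'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
$page   = filter_var($post['page'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);

var_dump($email, $thread, $page);
```

Because the allowed tags have to reach the browser unescaped, the filtered string is emitted raw, which makes this filter the whole defense for that field; that is why the attribute pass matters, and why anything richer than a few bare tags is better handled by a maintained HTML sanitizer than by regular expressions. The plain-text remains of the stripped <script> block are harmless once they are no longer inside a tag, but they are still visible in the post.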