XSS – How we try to prevent it.

  • Christian Stocker

Cross Site Scripting, aka XSS, is increasingly a problem for a lot of webapps, and there's an ongoing discussion on the phpsec mailing list about it.

We have been trying to prevent it for some time with different approaches. For example, we allow only certain tags in comments (with the help of strip_tags()), we don't make links clickable, and we use tidy for further clean-up, but we also wrote a little method which tries to clean up the most common exploit attempts with some preg magic. But I doubt that we catch every possible exploit…
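As an added example (not the method from the post, and not code from bitflux), here is how strip_tags() can be layered with a DOM-based attribute allow list: strip_tags() leaves the attributes on permitted tags untouched, so a second pass is needed to drop everything that is not explicitly allowed. The tag list, the attribute list and the http(s)-only rule for links are assumptions for this example.

```php
<?php
// Added example: allow-list sanitizer for comment markup (not the post's method).
// Pass 1: strip_tags() keeps only the listed tags, but keeps their attributes.
// Pass 2: DOMDocument removes every attribute not on the allow list and drops
//         href values that are not plain http(s) URLs.

function sanitize_comment(string $html): string
{
    $allowedTags  = '<b><i><em><strong><p><br><a>';     // assumed allow list
    $allowedAttrs = ['a' => ['href']];                   // assumed: only <a href>

    $stripped = strip_tags($html, $allowedTags);

    // Wrap the fragment so it has a single known root; strip_tags() already
    // removed any <div> from the input, so the first <div> is always ours.
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);
    $doc->loadHTML(
        '<?xml encoding="UTF-8"><div>' . $stripped . '</div>',
        LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD
    );
    libxml_clear_errors();
    $root  = $doc->getElementsByTagName('div')->item(0);
    $xpath = new DOMXPath($doc);

    foreach ($xpath->query('.//*', $root) as $el) {
        $keep = $allowedAttrs[strtolower($el->tagName)] ?? [];
        // Collect names first: removing while iterating the live map skips entries.
        $names = [];
        foreach ($el->attributes as $attr) {
            $names[] = $attr->name;
        }
        foreach ($names as $name) {
            if (!in_array(strtolower($name), $keep, true)) {
                $el->removeAttribute($name);
            }
        }
        // Keep only absolute http(s) links; any other scheme is dropped.
        if (strtolower($el->tagName) === 'a' && $el->hasAttribute('href')) {
            if (preg_match('#^https?://#i', trim($el->getAttribute('href'))) !== 1) {
                $el->removeAttribute('href');
            }
        }
    }

    $out = '';
    foreach ($root->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}
```

The point of the second pass is that an event-handler attribute on an allowed tag, or a non-http URL in a link, never reaches the rendered page, whichever spelling or encoding the input used; an allow list on parsed nodes does not need a regex per known trick.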

Therefore I ask my readers if they know of some more exploits, to further improve this method. The source code of the method can be found here, and you can test it out at http://php5.bitflux.org/xss.php. If you manage to somehow pop up an alert box (through a click or even without one), you succeeded, and I ask you to report that to me so we can add further checks to the method. Please mail it to me; it will most certainly not work in the comments (or the exploit will just work, but I'll be fast in removing such comments ;) )

The test script does not use tidy or strip_tags or anything other than the method mentioned above. Of course, feel free to use it for your own projects if you like.

Happy Hacking ;)

Update: Already found some weaknesses and updated the method. I will blog about the improvements later. Furthermore, the method doesn't care about CSS hacks, so yes, you can change the color of the site with it ;) I'm only interested in “real” XSS exploits, meaning you can somehow inject JavaScript into it.

Update II: I wrote a little wiki article about what the script does and what common exploits are.
