Was hälst du bzw ihr davon wenn ich bei jedem POST, GET, SQL (LESEN+SCHREIBEN) die Werte mit folgender Funktion entschärfe:
(Die Leerzeichen sind nur da damit das Board den Code nicht umwandelt)PHP-Code:function filter($wert) {
$wert = str_replace(";","& #59;",$wert);
$wert = str_replace("\x00","& #92;& #120;& #48;& #48;",$wert);
$wert = str_replace("\x1a","& #92;& #120;& #49;& #97;",$wert);
$wert = str_replace("\n","& #92;& #110;",$wert);
$wert = str_replace("\r","& #92;& #114;",$wert);
$wert = str_replace("\\","& #92;",$wert);
$wert = str_replace("'","& #39;",$wert);
$wert = str_replace('"',"& #34;",$wert);
$wert = str_replace("/","& #47;",$wert);
$wert = str_replace("#","& #35;",$wert);
$wert = str_replace("&","& #38;",$wert);
$wert = str_replace("|","& #124;",$wert);
$wert = str_replace("--","& #45;& #45;",$wert);
$wert = htmlentities($wert);
return $wert;
}
funktion hab ich selbst geschrieben, aber somit ist doch 1. Alles entschärft und 2. ändert sich optisch nichts zb. in den input feldern...
Was meint ihr?
EDIT:
Hab den filter jetzt auf alle GET und POST werte gesetzt, was anderes kommt ja nicht von draussen.
Würde ich das zb. auch auf SQL-Lesewerte anwenden könnte ich selber keine html seiten mehr wiedergeben (produkte speicher ich immer als html in die datenbank)
Geändert von Rickard (04.12.2008 um 16:56 Uhr)
Hab den Filter doch nochmal abgeändert (Einige Funktionen haben sich überschnitten)...
Also habe jetzt einen Filter ohne htmlentities sondern nur mit eigenen funktionen, es wird alles gefiltert (so wie oben) was mit scripten usw. zu tun haben könnte...
also auch $ & / ( [ { # ; . usw....
Diesen Filter wende ich auf ALLE POST und GET Werte an... Dürfte doch dann einigermaßen sicher sein oder?
Ja, kann man.Zitat von Rickard
Code:$_POST = array_map(’htmlspecialchars’, $_POST);
Hey,
vielen dank für den Tipp, hab ihn gleich umgesetzt
Hab übrigends in meinen Filter einige Zeichen wieder rausgenommen und mich auf die wesentlichen Zeichen (Aus htmlspecialchars und mysql_real_escape_string) konzentriert (2 od. 3 extra) Komme also insgesamt auf 10 x replace, ich denke das ist ok.
Das einzige was mich noch interessiert mysql_real_escape_string escaped ja ua. \x00 wenn ich jetzt aber sowieso alle backslashes ( \ ) in HTML-Code umwandel dann ist \x00 doch auch "entschärft" oder seh ich das falsch?
Geändert von Rickard (08.12.2008 um 23:58 Uhr)
was Du vorhast ist cross-site-scripting zu unterbinden. Dafür gibts fertige Lösungen, siehe
http://ha.ckers.org/xss.html
http://ha.ckers.org/xssAttacks.xml
PHP-Code:<?php
/**
* Usage: Run *every* variable passed in through it.
* The goal of this function is to be a generic function that can be used to
* parse almost any input and render it XSS safe. For more information on
* actual XSS attacks, check out http://ha.ckers.org/xss.html. Another
* excellent site is the XSS Database which details each attack and how it
* works.
*
* Used with permission by the author.
* URL: http://quickwired.com/smallprojects/php_xss_filter_function.php
*
* Check XSS attacks on http://ha.ckers.org/xss.html
*
* License:
* This code is public domain, you are free to do whatever you want with it,
* including adding it to your own project which can be under any license.
*
* $Id: RemoveXSS.php 4457 2008-11-12 17:15:55Z ohader $
*
* @author Travis Puderbaugh <kallahar@quickwired.com>
* @author Jigal van Hemert <jigal@xs4all.nl>
* @package RemoveXSS
*/
final class RemoveXSS {
/**
* Removes potential XSS code from an input string.
* Wrapper for RemoveXSS::process().
*
* Using an external class by Travis Puderbaugh <kallahar@quickwired.com>
*
* @param string Input string
* @param string replaceString for inserting in keywords (which destroyes the tags)
* @return string Input string with potential XSS code removed
* @deprecated since TYPO3 4.3, use static call RemoveXSS::process() instead
*/
public function RemoveXSS($val, $replaceString = '<x>') {
return self::process($val, $replaceString);
}
/**
* Removes potential XSS code from an input string.
*
* Using an external class by Travis Puderbaugh <kallahar@quickwired.com>
*
* @param string Input string
* @param string replaceString for inserting in keywords (which destroyes the tags)
* @return string Input string with potential XSS code removed
*/
public static function process($val, $replaceString = '<x>') {
// don't use empty $replaceString because then no XSS-remove will be done
if ($replaceString == '') {
$replaceString = '<x>';
}
// remove all non-printable characters. CR(0a) and LF(0b) and TAB(9) are allowed
// this prevents some character re-spacing such as <java\0script>
// note that you have to handle splits with \n, \r, and \t later since they *are* allowed in some inputs
$val = preg_replace('/([\x00-\x08][\x0b-\x0c][\x0e-\x19])/', '', $val);
// straight replacements, the user should never need these since they're normal characters
// this prevents like <IMG SRC=@avascript:alert('XSS')>
$search = '/&#[xX]0{0,8}(21|22|23|24|25|26|27|28|29|2a|2b|2d|2f|30|31|32|33|34|35|36|37|38|39|3a|3b|3d|3f|40|41|42|43|44|45|46|47|48|49|4a|4b|4c|4d|4e|4f|50|51|52|53|54|55|56|57|58|59|5a|5b|5c|5d|5e|5f|60|61|62|63|64|65|66|67|68|69|6a|6b|6c|6d|6e|6f|70|71|72|73|74|75|76|77|78|79|7a|7b|7c|7d|7e);?/ie';
$val = preg_replace($search, "chr(hexdec('\\1'))", $val);
$search = '/�{0,8}(33|34|35|36|37|38|39|40|41|42|43|45|47|48|49|50|51|52|53|54|55|56|57|58|59|61|63|64|65|66|67|68|69|70|71|72|73|74|75|76|77|78|79|80|81|82|83|84|85|86|87|88|89|90|91|92|93|94|95|96|97|98|99|100|101|102|103|104|105|106|107|108|109|110|111|112|113|114|115|116|117|118|119|120|121|122|123|124|125|126);?/ie';
$val = preg_replace($search, "chr('\\1')", $val);
// now the only remaining whitespace attacks are \t, \n, and \r
$ra1 = array('javascript', 'vbscript', 'expression', 'applet', 'meta', 'xml', 'blink', 'link', 'style', 'script', 'embed', 'object', 'iframe', 'frame', 'frameset', 'ilayer', 'layer', 'bgsound', 'title', 'base', 'onabort', 'onactivate', 'onafterprint', 'onafterupdate', 'onbeforeactivate', 'onbeforecopy', 'onbeforecut', 'onbeforedeactivate', 'onbeforeeditfocus', 'onbeforepaste', 'onbeforeprint', 'onbeforeunload', 'onbeforeupdate', 'onblur', 'onbounce', 'oncellchange', 'onchange', 'onclick', 'oncontextmenu', 'oncontrolselect', 'oncopy', 'oncut', 'ondataavailable', 'ondatasetchanged', 'ondatasetcomplete', 'ondblclick', 'ondeactivate', 'ondrag', 'ondragend', 'ondragenter', 'ondragleave', 'ondragover', 'ondragstart', 'ondrop', 'onerror', 'onerrorupdate', 'onfilterchange', 'onfinish', 'onfocus', 'onfocusin', 'onfocusout', 'onhelp', 'onkeydown', 'onkeypress', 'onkeyup', 'onlayoutcomplete', 'onload', 'onlosecapture', 'onmousedown', 'onmouseenter', 'onmouseleave', 'onmousemove', 'onmouseout', 'onmouseover', 'onmouseup', 'onmousewheel', 'onmove', 'onmoveend', 'onmovestart', 'onpaste', 'onpropertychange', 'onreadystatechange', 'onreset', 'onresize', 'onresizeend', 'onresizestart', 'onrowenter', 'onrowexit', 'onrowsdelete', 'onrowsinserted', 'onscroll', 'onselect', 'onselectionchange', 'onselectstart', 'onstart', 'onstop', 'onsubmit', 'onunload');
$ra_tag = array('applet', 'meta', 'xml', 'blink', 'link', 'style', 'script', 'embed', 'object', 'iframe', 'frame', 'frameset', 'ilayer', 'layer', 'bgsound', 'title', 'base');
$ra_attribute = array('style', 'onabort', 'onactivate', 'onafterprint', 'onafterupdate', 'onbeforeactivate', 'onbeforecopy', 'onbeforecut', 'onbeforedeactivate', 'onbeforeeditfocus', 'onbeforepaste', 'onbeforeprint', 'onbeforeunload', 'onbeforeupdate', 'onblur', 'onbounce', 'oncellchange', 'onchange', 'onclick', 'oncontextmenu', 'oncontrolselect', 'oncopy', 'oncut', 'ondataavailable', 'ondatasetchanged', 'ondatasetcomplete', 'ondblclick', 'ondeactivate', 'ondrag', 'ondragend', 'ondragenter', 'ondragleave', 'ondragover', 'ondragstart', 'ondrop', 'onerror', 'onerrorupdate', 'onfilterchange', 'onfinish', 'onfocus', 'onfocusin', 'onfocusout', 'onhelp', 'onkeydown', 'onkeypress', 'onkeyup', 'onlayoutcomplete', 'onload', 'onlosecapture', 'onmousedown', 'onmouseenter', 'onmouseleave', 'onmousemove', 'onmouseout', 'onmouseover', 'onmouseup', 'onmousewheel', 'onmove', 'onmoveend', 'onmovestart', 'onpaste', 'onpropertychange', 'onreadystatechange', 'onreset', 'onresize', 'onresizeend', 'onresizestart', 'onrowenter', 'onrowexit', 'onrowsdelete', 'onrowsinserted', 'onscroll', 'onselect', 'onselectionchange', 'onselectstart', 'onstart', 'onstop', 'onsubmit', 'onunload');
$ra_protocol = array('javascript', 'vbscript', 'expression');
//remove the potential &#xxx; stuff for testing
$val2 = preg_replace('/(&#[xX]?0{0,8}(9|10|13|a|b);)*\s*/i', '', $val);
$ra = array();
foreach ($ra1 as $ra1word) {
//stripos is faster than the regular expressions used later
//and because the words we're looking for only have chars < 0x80
//we can use the non-multibyte safe version
if (stripos($val2, $ra1word ) !== false ) {
//keep list of potential words that were found
if (in_array($ra1word, $ra_protocol)) {
$ra[] = array($ra1word, 'ra_protocol');
}
if (in_array($ra1word, $ra_tag)) {
$ra[] = array($ra1word, 'ra_tag');
}
if (in_array($ra1word, $ra_attribute)) {
$ra[] = array($ra1word, 'ra_attribute');
}
//some keywords appear in more than one array
//these get multiple entries in $ra, each with the appropriate type
}
}
//only process potential words
if (count($ra) > 0) {
// keep replacing as long as the previous round replaced something
$found = true;
while ($found == true) {
$val_before = $val;
for ($i = 0; $i < sizeof($ra); $i++) {
$pattern = '';
for ($j = 0; $j < strlen($ra[$i][0]); $j++) {
if ($j > 0) {
$pattern .= '((&#[xX]0{0,8}([9ab]);)|(�{0,8}(9|10|13);)|\s)*';
}
$pattern .= $ra[$i][0][$j];
}
//handle each type a little different (extra conditions to prevent false positives a bit better)
switch ($ra[$i][1]) {
case 'ra_protocol':
//these take the form of e.g. 'javascript:'
$pattern .= '((&#[xX]0{0,8}([9ab]);)|(�{0,8}(9|10|13);)|\s)*(?=:)';
break;
case 'ra_tag':
//these take the form of e.g. '<SCRIPT[^\da-z] ....';
$pattern = '(?<=<)' . $pattern . '((&#[xX]0{0,8}([9ab]);)|(�{0,8}(9|10|13);)|\s)*(?=[^\da-z])';
break;
case 'ra_attribute':
//these take the form of e.g. 'onload=' Beware that a lot of characters are allowed
//between the attribute and the equal sign!
$pattern .= '[\s\!\#\$\%\&\(\)\*\~\+\-\_\.\,\:\;\?\@\[\/\|\\\\\]\^\`]*(?==)';
break;
}
$pattern = '/' . $pattern . '/i';
// add in <x> to nerf the tag
$replacement = substr_replace($ra[$i][0], $replaceString, 2, 0);
// filter out the hex tags
$val = preg_replace($pattern, $replacement, $val);
if ($val_before == $val) {
// no replacements were made, so exit the loop
$found = false;
}
}
}
}
return $val;
}
}
?>
TYPO3 · MySQLDumper · dislabs
·
manche Mühlen mahlen schneller ...
"Ich habe Rücken"
Horst Schlämmer
Aktive Benutzer in diesem Thema: 1 (Registrierte Benutzer: 0, Gäste: 1)
LinkBack URL
About LinkBacks
Zitieren