Sooner or later I always remember I have a blog. This time the topic is XSS.
If you don't have a clue what XSS is, maybe you should read this before reading this article.
In my day job the content is generated by third-party people. In order to be safe I always thought the strip_tags function from PHP was safe enough. In my case I needed to keep some HTML tags working without letting malicious code pass through.
Fortunately strip_tags allows, as second parameter, to specify which tags are allowed. But here is the glitch:
What happens if the variable you'd like to strip contains something like this?
Well, since the ‘a’ tag is allowed by our strip_tags call, the malicious code gets injected.
So here is what I discovered today: “strip_tags is not safe enough.”
The next question that popped in my mind was: “How to get strip_tags safe enough without adding any external library to the project?”
Well, the easy solution was to also strip away the HTML attributes (since in my case those weren't needed). How to do that? This snippet of code worked (for now) for me.
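The approach described above, written out as an added example (this is not the post's original snippet): strip_tags keeps the whitelisted tags, then a preg_replace removes every attribute from the surviving opening tags. The function name sanitize_allowed_tags and the sample input are my own assumptions.

```php
<?php
// Added example, not the blog's original snippet. Assumed helper name.
function sanitize_allowed_tags(string $html, string $allowed = '<a><b><i><p>'): string
{
    // Step 1: strip_tags keeps only the allowed tags, but leaves their attributes intact,
    // which is exactly the gap the post describes.
    $stripped = strip_tags($html, $allowed);

    // Step 2: drop every attribute from the remaining opening tags.
    // "<tagname ...anything...>" (optionally self-closing) becomes "<tagname>".
    // Closing tags "</tagname>" do not match because "/" is not a letter.
    $noAttrs = preg_replace('/<([a-z][a-z0-9]*)\b[^>]*?(\/?)>/i', '<$1$2>', $stripped);

    // preg_replace returns null on a regex failure (e.g. backtrack limit); fail closed
    // by escaping the whole input instead of emitting partially cleaned markup.
    if ($noAttrs === null) {
        return htmlspecialchars($html, ENT_QUOTES, 'UTF-8');
    }
    return $noAttrs;
}

// Constructed sample input: the allowed <a> tag carries an event-handler attribute,
// and a <script> element is present as well.
$untrusted = '<p>Hello <a href="http://example.com" onmouseover="runScript()">link</a>'
           . ' <script>untrustedCall()</script></p>';

// strip_tags alone removes <script>, but the attributes on <a> survive.
echo strip_tags($untrusted, '<a><p>'), PHP_EOL;

// With attribute stripping the <a> tag is reduced to a bare "<a>".
echo sanitize_allowed_tags($untrusted, '<a><p>'), PHP_EOL;
```

Note that strip_tags removes the script tags but not their text content, and that stripping attributes also removes href, so links lose their target; this matches the post's case where attributes were not needed.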
Further readings:
- http://it.wikipedia.org/wiki/Cross-site_scripting
- https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
- https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet