How to know if a string is dangerous (contains XSS) or not?

S

sorry_i_noob2018-11-01 13:32:24

PHP

sorry_i_noob, 2018-11-01 13:32:24

Hello. How do I know if a string is dangerous or not? I've tried processing the string with HTMLPurifier and then comparing its length with the raw string. If the length is different, then HTMLPurifier removed dangerous elements from this string (tags, attributes). So the line was dangerous.
But it doesn't work. Because HTMLPurifier has Tidy built in. And you can't turn it off. And he changes the line - adds to the <br>slashes, changes the style attribute - adds a semicolon, removes the space. I'll give you an example.
It was:
<div style="color: red">это div</div>
It became:
<div style="color:red;">это div</div>
Somewhere else something changes. And it's almost impossible to keep track of all this.
So how can you check if a string is dangerous or not?

Reply

Answer the question

In order to leave comments, you need to log in

2 answer(s)

A

Alex-1917, 2018-11-01
@alex-1917

phpfaq.ru/safemysql

M

Maxim Timofeev, 2018-11-01
@webinar

If the length is different, then HTMLPurifier removed dangerous elements from this string (tags, attributes). So the line was dangerous.

No, it means that he removed what you asked him to remove. Maybe some tags, maybe something else. In your case, he also does autocorrect.
In fact, it is difficult to track down a uniquely malicious string. In a primitive version, you can check for the presence of the tag <script>, but there are many XSS variants and the goal is usually to avoid them, and not to unambiguously identify them. This task is closer to reality. Since a number of methods successfully prevent, but do not detect.
Here is the reading: https://habr.com/company/pentestit/blog/211494/