PHP
Yuri Denisov, 2014-04-22 07:19:10

Would this XSS protection work?

Good afternoon! I came across an article in which the author gives the following function:

function defender_xss($arr){
    $filter = array("<", ">", "=", " (", ")", ";", "/");
    foreach ($arr as $num => $xss) {
        $arr[$num] = str_replace($filter, "|", $xss);
    }
    return $arr;
}
// use the function before processing incoming data:
$_REQUEST = defender_xss($_REQUEST);

He also writes that inserting this snippet
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]

into .htaccess will also be a plus.
My question is this: will such protection work properly? If so, is .htaccess necessary, or is it enough to pass the data through the PHP function and leave it at that? What pitfalls can come up when using this function?


4 answers

Dmitry S, 2014-04-22
@Hakkunamatata

array("<", ">","="," (",")",";","/") - but what if the input genuinely contains text with quotes and brackets?
And it is better to do the filtering itself before output to the page, so that the real data is stored in the database.

Mikhail Osher, 2014-04-22
@miraage

www.php.net/manual/ru/function.htmlspecialchars.php
upd: XSS protection happens only at the moment the data is rendered.

Yuri Denisov, 2014-04-22
@denissov

@Hakkunamatata @Miraage So it turns out that everything can be written to the database without worry, checked only for SQL injection, and then on output, to avoid any misunderstanding, wrapped in htmlspecialchars? And that will save me from XSS?

Vitaly Zheltyakov, 2014-04-22
@VitaZheltyakov

The approach is absolutely correct. The cause of XSS and SQL injection is the lack of filtering of user data.
The filtering example given will only help against elementary attacks, because data can be passed using special characters and entities.
I personally prefer to build protection on whitelisting and escaping.
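The following is an added example, not code from the question or from any of the answers. It puts the two points above together: the blacklist from the question lets a `javascript:` URL through untouched when the parentheses are written as numeric character references without the trailing `;` (which the filter would otherwise strip); browsers still decode `&#40` inside an attribute value, so the link executes on click. Escaping at output time with `htmlspecialchars` keeps ordinary text intact, but on its own it cannot make a `javascript:` URL harmless, so an `href` additionally needs a scheme whitelist, which is the "whitelisting and escaping" combination. The helper names `safe_html` and `safe_url` and the input value are assumptions made for this example; `defender_xss` is reproduced from the question so the file runs stand-alone. One further caveat for the original snippet: `$_REQUEST = defender_xss($_REQUEST)` does not touch `$_GET`, `$_POST` or `$_COOKIE`, so any code that reads those directly sees the raw values.

```php
<?php
// Added example, not part of the original post.

// The filter from the question, reproduced unchanged so this file runs alone.
function defender_xss($arr) {
    $filter = array("<", ">", "=", " (", ")", ";", "/");
    foreach ($arr as $num => $xss) {
        $arr[$num] = str_replace($filter, "|", $xss);
    }
    return $arr;
}

// Escape for an HTML text node or a quoted attribute value (assumed helper name).
function safe_html($s) {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Whitelist the URL scheme before a value goes into href/src (assumed helper name).
// Relative URLs (no scheme) and http/https are allowed; anything else is dropped.
function safe_url($url) {
    $scheme = parse_url($url, PHP_URL_SCHEME);
    if ($scheme === false) {            // unparseable URL
        return '#';
    }
    if ($scheme !== null && !in_array(strtolower($scheme), array('http', 'https'), true)) {
        return '#';
    }
    return safe_html($url);
}

// Constructed input: a javascript: URL whose parentheses are written as
// numeric character references without the closing ';', so none of the
// blacklisted characters ("<", ">", "=", " (", ")", ";", "/") appear in it.
$input = array('u' => 'javascript:alert&#40document.cookie&#41');

$filtered = defender_xss($input);
var_dump($filtered['u'] === $input['u']);   // bool(true): the filter changed nothing

// Unsafe: the attribute value is entity-decoded by the browser, giving
// href="javascript:alert(document.cookie)", which runs on click.
echo '<a href="' . $filtered['u'] . '">profile</a>', "\n";

// Safe: the scheme is not http/https, so the link is neutralised.
echo '<a href="' . safe_url($filtered['u']) . '">profile</a>', "\n";
// <a href="#">profile</a>

// A legitimate relative URL passes through escaped but usable.
echo '<a href="' . safe_url('/users?id=42&tab=posts') . '">profile</a>', "\n";
// <a href="/users?id=42&amp;tab=posts">profile</a>

// Ordinary text containing brackets, "=", ";" and "/" is stored as-is and
// only escaped on output, which is what the answers above recommend;
// defender_xss would have turned it into "f|x| | a|b| see |Appendix|".
$comment = 'f(x) = a/b; see <Appendix>';
echo '<p>' . safe_html($comment) . '</p>', "\n";
// <p>f(x) = a/b; see &lt;Appendix&gt;</p>
```

Run it with `php example.php` and compare the first two anchors: the only difference between "executes" and "inert" is where the defence sits (at output, with knowledge of the HTML context) rather than on `$_REQUEST` at input.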
