Question

I have the following php XSS filter function:

<?php
function xssfilter($inp){
    $inp = html_entity_decode(urldecode($inp));
    $inp = preg_replace('/!/','',$inp);
    if (preg_match('/script|on|xmlns|data/iu',$inp)){
        while(preg_match('/script|on|xmlns|data/iu',$inp)){
            $inp = preg_replace('/(script)|(on)|(xmlns)|(data)/iu','NO!',$inp);
        }
    }
    return $inp;
}
?>

Obviously you can upload a remote script here but my question here is if you can bypass the regex in some way?

Answer 1

不，这至少有一个明显的缺陷。您可以插入包含JavaScript的链接标记，如下所示：

<a href="&#x26;&#x23;&#x78;&#x36;&#x41;&#x3B;&#x26;&#x23;&#x78;&#x36;&#x31;&#x3B;&#x26;&#x23;&#x78;&#x37;&#x36;&#x3B;&#x26;&#x23;&#x78;&#x36;&#x31;&#x3B;&#x26;&#x23;&#x78;&#x37;&#x33;&#x3B;&#x26;&#x23;&#x78;&#x36;&#x33;&#x3B;&#x26;&#x23;&#x78;&#x37;&#x32;&#x3B;&#x26;&#x23;&#x78;&#x36;&#x39;&#x3B;&#x26;&#x23;&#x78;&#x37;&#x30;&#x3B;&#x26;&#x23;&#x78;&#x37;&#x34;&#x3B;: alert('XSS');">Innocent Link</a>

唯一阻止Chrome攻击的是它内置XSS保护的事实。您的XSS保护不会阻止它。

Is this code realy XSS proof?

1 个答案: