XSS Injection, also known as Cross Site Scripting, is a type of code injection attack. Preventing XSS attacks in PHP is very important, so I will describe an easy trick to ward off XSS Injection attacks. Before going further: my previous article covered applying jQuery Mask to number fields in HTML and PHP forms; please read it if you have not yet applied it to your forms.
Citing Wikipedia, XSS is carried out by an attacker injecting script into a site. Because the injected script appears to come from the site itself, it looks as though the mistake was made in the site's own scripting by the developer. The danger of this attack is that the attacker can bypass client-side web security, obtain sensitive information such as session data, or even insert a very dangerous script that records all of the user's activity on the site.
I will not explain the complete definition of XSS Injection here. For more details, please visit https://id.wikipedia.org/wiki/XSS for more complete information about XSS Injection.
Prevent XSS Injection Attacks On PHP Easily
Seeing the dangers of this injection technique, I will share a powerful script to ward off XSS Injection attacks on PHP. Here is the script:

```php
function antixss($data)
{
    // Fix &entity\n;
    // Encode raw & < > first so that entities already present in the input
    // survive the html_entity_decode() below, while literal characters round-trip
    $data = str_replace(array('&', '<', '>'), array('&amp;', '&lt;', '&gt;'), $data);
    $data = preg_replace('/(&#*\w+)[\x00-\x20]+;/u', '$1;', $data);
    $data = preg_replace('/(&#x*[0-9A-F]+);*/iu', '$1;', $data);
    $data = html_entity_decode($data, ENT_COMPAT, 'UTF-8');

    // Remove any attribute starting with "on" or xmlns
    $data = preg_replace('#(<[^>]+?[\x00-\x20"\'])(?:on|xmlns)[^>]*+>#iu', '$1>', $data);

    // Remove javascript: and vbscript: protocols
    // ([\x00-\x20]* between the letters catches whitespace/control bytes inserted to evade a plain match)
    $data = preg_replace('#([a-z]*)[\x00-\x20]*=[\x00-\x20]*([`\'"]*)[\x00-\x20]*j[\x00-\x20]*a[\x00-\x20]*v[\x00-\x20]*a[\x00-\x20]*s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:#iu', '$1=$2nojavascript...', $data);
    $data = preg_replace('#([a-z]*)[\x00-\x20]*=([\'"]*)[\x00-\x20]*v[\x00-\x20]*b[\x00-\x20]*s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:#iu', '$1=$2novbscript...', $data);
    $data = preg_replace('#([a-z]*)[\x00-\x20]*=([\'"]*)[\x00-\x20]*-moz-binding[\x00-\x20]*:#u', '$1=$2nomozbinding...', $data);

    // Only works in IE: <span style="width: expression(alert('Ping!'));"></span>
    $data = preg_replace('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?expression[\x00-\x20]*\([^>]*+>#i', '$1>', $data);
    $data = preg_replace('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?behaviour[\x00-\x20]*\([^>]*+>#i', '$1>', $data);
    $data = preg_replace('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:*[^>]*+>#iu', '$1>', $data);

    // Remove namespaced elements (we do not need them)
    $data = preg_replace('#</*\w+:\w[^>]*+>#i', '', $data);

    do {
        // Remove really unwanted tags; loop until nothing changes, because
        // stripping one tag can expose another (e.g. <scr<script>ipt>)
        $old_data = $data;
        $data = preg_replace('#</*(?:applet|b(?:ase|gsound|link)|embed|frame(?:set)?|i(?:frame|layer)|l(?:ayer|ink)|meta|object|s(?:cript|tyle)|title|xml)[^>]*+>#i', '', $data);
    } while ($old_data !== $data);

    // we are done...
    return $data;
}
```
How to apply it? It's easy: call the antixss function on every PHP input you need to use, for example POST data, so it becomes antixss($_POST['variable_name']); Consider the following example:

```php
// Apply the XSS Injection function to the POST or GET method
// Example for POST
$nama = antixss($_POST['nama']);
// Example for GET
$nama = antixss($_GET['nama']);
```
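The filter above works by denylisting known-dangerous constructs at input time. As an added example (not the blog's own code), here is the complementary control that the PHP manual and OWASP recommend alongside any input filter: encode untrusted data at output time for the exact context it lands in, so that even a value that slips past a filter is rendered as inert text. The helper names e_html, e_attr, e_js, safe_url and render_comment are assumptions made for this illustration, and the sample inputs are constructed.

```php
<?php
// Added example, not code from the original post. Context-aware output
// encoding: the same untrusted value is encoded differently depending on
// whether it lands in element content, an attribute, a URL, or a <script>.
// e_html, e_attr, e_js, safe_url, render_comment are names assumed here.
declare(strict_types=1);

// Encode for HTML element content: <p>...</p>
function e_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Encode for a quoted HTML attribute value: title="..."
// Same encoder as e_html; the template must always quote the attribute,
// otherwise a space in the value starts a new attribute.
function e_attr(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Encode for embedding inside a <script> block as a JS string literal.
// JSON_HEX_* turn < > & ' " into \uXXXX escapes so the browser's HTML
// parser can never see a closing </script> inside the literal.
function e_js(string $s): string
{
    return json_encode(
        $s,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
        | JSON_UNESCAPED_UNICODE | JSON_THROW_ON_ERROR
    );
}

// URL context: allow only http(s) schemes, then attribute-encode.
// Anything else (javascript:, data:, protocol-relative //host) becomes '#'.
function safe_url(string $s): string
{
    $parts = parse_url($s);
    if ($parts === false || !isset($parts['scheme'])
        || !in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return '#';
    }
    return e_attr($s);
}

// Render one blog comment, choosing the encoder per output context.
function render_comment(string $name, string $body, string $site): string
{
    return '<div class="comment" data-author="' . e_attr($name) . '">'
         . '<a href="' . safe_url($site) . '">' . e_html($name) . '</a>'
         . '<p>' . e_html($body) . '</p>'
         . '<script>var lastAuthor = ' . e_js($name) . ';</script>'
         . '</div>';
}

// Constructed sample input: the kind of values $_POST['nama'] might carry.
// The second entry is a deliberately hostile test string; after encoding it
// is displayed literally rather than interpreted by the browser.
$samples = [
    ['nama' => 'Budi', 'body' => 'Thanks, the article was helpful', 'site' => 'https://example.com'],
    ['nama' => '"><img src=x onerror=alert(1)>', 'body' => '<script>alert(document.cookie)</script>', 'site' => 'javascript:alert(1)'],
];

foreach ($samples as $s) {
    echo render_comment($s['nama'], $s['body'], $s['site']), PHP_EOL;
}
```

Run it from the command line with `php` to see that the hostile sample comes out as `&lt;script&gt;...` in the paragraph, as `\u003C...` inside the script literal, and as `href="#"` for the link. This is the reason output encoding is preferred over input filtering: the filter has to anticipate every bypass, while the encoder only needs to know which context it is writing into.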
Very easy, isn't it!!! ... I myself have sailed all the way to China to get this function ... hehe. I have applied various methods, but this function is very simple and practical. Because my heart is good, I share this antixss script free to all readers of the DetriAmelia.com blog.
Well, that's my first article about Preventing XSS Injection Attacks on PHP Easily. Hopefully it is useful; if you have any questions, please write them in the comments below. Don't forget to visit my blog often, because I will continue to write other useful articles.
Oh my, it turns out to be so simple... saved my year of searching...
hehe, and it turns out this is really effective...
Very useful... I've already filled in one...
Thank you…
I was recommended by one of my friends on Facebook to check
out your article. Great job bro... looking for more from you.
Anyway, good luck with your channel...
Keyword phrases are the foundation of organic positioning.