<?php

// ATTENTION: This is a very simple XSS "Firewall". There ARE many other ways to do an XSS attack, so please don't rely on this script!

// Directory prefixes (compared against $_SERVER['SCRIPT_FILENAME'] further
// below) whose scripts get the incoming request inspected.
// Original note: "websites that are infested with XSS".
$xxx_directories_need_anti_xss = [
    '/home/',
];

// ---

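// Aborts the request when $str - or, for arrays, any nested value - contains
// one of the blocked markers '<svg' or '<script' (case-insensitive).
//
// $_REQUEST values are not always strings: bracketed parameters arrive as
// (possibly nested) arrays, and stripos() raises a TypeError on an array in
// PHP 8. Arrays are therefore walked recursively and every leaf is checked;
// other scalars are cast to string first.
//
// @param mixed $str  request data: string, scalar, or (nested) array thereof
// @return void       returns only when nothing was found; otherwise die()s
function ___check_xss___($str) {
    if (is_array($str)) {
        foreach ($str as $___sub___) {
            ___check_xss___($___sub___);
        }
        return;
    }
    $str = (string) $str;
    if ((stripos($str, '<svg') !== false) || (stripos($str, '<script') !== false)) {
        die('There is a problem with the data you have entered. Please write us an email if you think you received this message in error. info at viathinksoft.de');
    }
}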
// ---

// Decide whether the current script lives below one of the protected
// directories (prefix match on SCRIPT_FILENAME).
$xxx_go = false;
foreach ($xxx_directories_need_anti_xss as $xxx_directory_need_anti_xss) {
    if (strpos($_SERVER['SCRIPT_FILENAME'], $xxx_directory_need_anti_xss) === 0) {
        $xxx_go = true;
        break;
    }
}
unset($xxx_directories_need_anti_xss);
unset($xxx_directory_need_anti_xss);

if ($xxx_go) {
    // Why so many ___ ? So that under no circumstances can a GET/POST argument
    // overwrite these variables!

    // Request metadata as reported by the web server, checked in this order.
    $___server_keys___ = ['REQUEST_URI', 'QUERY_STRING', 'SCRIPT_URI', 'SCRIPT_URL', 'PHP_SELF'];
    foreach ($___server_keys___ as $___key___) {
        if (isset($_SERVER[$___key___])) {
            ___check_xss___($_SERVER[$___key___]);
        }
    }
    unset($___server_keys___);

    // Every value that reached this script via $_REQUEST.
    foreach ($_REQUEST as $___key___ => $___val___) {
        ___check_xss___($___val___);
    }
    unset($___key___);
    unset($___val___);
}
unset($xxx_go);