1
<?php
1
<?php
2
 
2
 
3
// ATTENTION: This is a very simple XSS "Firewall". There ARE many other ways to do an XSS attack, so please don't rely on this script!
3
// ATTENTION: This is a very simple XSS "Firewall". There ARE many other ways to do an XSS attack, so please don't rely on this script!
4
 
4
 
5
$xxx_directories_need_anti_xss = array(
5
$xxx_directories_need_anti_xss = array(
6
        // Webseiten, die mit XSS verseucht sind
-
 
7
        '/home/'
6
        '/home/'
8
);
7
);
9
 
8
 
10
// ---
9
// ---
11
 
10
 
12
function ___check_xss___($str) {
11
function ___check_xss___($str) {
-
 
12
        $ary = is_array($str) ? $str : array($str);
-
 
13
        foreach ($ary as $str) {
13
        if ((stripos($str, '<svg') !== false) || (stripos($str, '<script') !== false)) {
14
                if ((stripos($str, '<svg') !== false) || (stripos($str, '<script') !== false)) {
-
 
15
                        @header($_SERVER['SERVER_PROTOCOL'] . ' 500 Internal Server Error', true, 500);
14
                die('There is a problem with the data you have entered. Please write us an email if you think you received this message in error. info at viathinksoft.de');
16
                        die('There is a problem with the data you have entered. Please write us an email if you think you received this message in error. info at viathinksoft.de');
15
        }
17
                }
-
 
18
        }
16
}
19
}
17
 
20
 
18
// ---
21
// ---
19
 
22
 
20
$xxx_go = false;
23
$xxx_go = false;
21
foreach ($xxx_directories_need_anti_xss as $xxx_directory_need_anti_xss) {
24
foreach ($xxx_directories_need_anti_xss as $xxx_directory_need_anti_xss) {
22
        if (strpos($_SERVER['SCRIPT_FILENAME'], $xxx_directory_need_anti_xss) === 0) {
25
        if (strpos($_SERVER['SCRIPT_FILENAME'], $xxx_directory_need_anti_xss) === 0) {
23
                $xxx_go = true;
26
                $xxx_go = true;
24
        }
27
        }
25
}
28
}
26
unset($xxx_directories_need_anti_xss);
29
unset($xxx_directories_need_anti_xss);
27
unset($xxx_directory_need_anti_xss);
30
unset($xxx_directory_need_anti_xss);
28
if ($xxx_go) {
31
if ($xxx_go) {
29
        if (isset($_SERVER['REQUEST_URI'])) ___check_xss___($_SERVER['REQUEST_URI']);
32
        if (isset($_SERVER['REQUEST_URI'])) ___check_xss___($_SERVER['REQUEST_URI']);
30
        if (isset($_SERVER['QUERY_STRING'])) ___check_xss___($_SERVER['QUERY_STRING']);
33
        if (isset($_SERVER['QUERY_STRING'])) ___check_xss___($_SERVER['QUERY_STRING']);
31
        if (isset($_SERVER['SCRIPT_URI'])) ___check_xss___($_SERVER['SCRIPT_URI']);
34
        if (isset($_SERVER['SCRIPT_URI'])) ___check_xss___($_SERVER['SCRIPT_URI']);
32
        if (isset($_SERVER['SCRIPT_URL'])) ___check_xss___($_SERVER['SCRIPT_URL']);
35
        if (isset($_SERVER['SCRIPT_URL'])) ___check_xss___($_SERVER['SCRIPT_URL']);
33
        if (isset($_SERVER['PHP_SELF'])) ___check_xss___($_SERVER['PHP_SELF']);
36
        if (isset($_SERVER['PHP_SELF'])) ___check_xss___($_SERVER['PHP_SELF']);
34
 
37
 
35
        # Warum so viele ___ ? Damit man auf keinen Fall ein GET/POST Argument mit diesen Variablen überschreibt!
38
        # Warum so viele ___ ? Damit man auf keinen Fall ein GET/POST Argument mit diesen Variablen überschreibt!
36
        foreach ($_REQUEST as $___key___ => $___val___) {
39
        foreach ($_REQUEST as $___key___ => $___val___) {
37
                ___check_xss___($___val___);
40
                ___check_xss___($___val___);
38
        }
41
        }
39
        unset($___key___);
42
        unset($___key___);
40
        unset($___val___);
43
        unset($___val___);
41
}
44
}
42
unset($xxx_go);
45
unset($xxx_go);
43
 
46
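Review bot: The array handling added at new lines 12–13 (`$ary = is_array($str) ? $str : array($str); foreach ($ary as $str)`) only unwraps one level, so a nested request parameter (`a[b]=...`, which PHP delivers in `$_REQUEST` as an array inside an array) reaches `stripos()` as an array; on PHP 8 that is a `TypeError` and the request fails for a legitimate nested value, while on older PHP it is a warning and the element is never inspected. Recursing into `___check_xss___()` for array elements covers every leaf and removes the loop variable that shadows the `$str` parameter. The `@` on the new `header()` call also hides a "headers already sent" notice, which is the one case where the 500 status would silently not be applied; consider dropping the suppression or guarding with `headers_sent()`. The existing header comment already says this filter is best-effort, so no claim of completeness is intended here.
```php
function ___check_xss___($str) {
        if (is_array($str)) {
                // Request parameters may nest (a[b][c]=...); check every leaf value
                foreach ($str as $___item___) {
                        ___check_xss___($___item___);
                }
                return;
        }
        if ((stripos($str, '<svg') !== false) || (stripos($str, '<script') !== false)) {
                // … unchanged: 500 header + die() …
        }
}
```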