Rev 6 | Rev 10 | Go to most recent revision | Show entire file | Regard whitespace | Details | Blame | Last modification | View Log | RSS feed
| Rev 6 | Rev 9 | ||
|---|---|---|---|
| Line 1... | Line 1... | ||
| 1 | <?php |
1 | <?php |
| 2 | 2 | ||
| 3 | // ATTENTION: This is a very simple XSS "Firewall". There ARE many other ways to do an XSS attack, so please don't rely on this script! |
3 | // ATTENTION: This is a very simple XSS "Firewall". There ARE many other ways to do an XSS attack, so please don't rely on this script! |
| 4 | 4 | ||
| 5 | $xxx_directories_need_anti_xss = array( |
5 | $xxx_vts_prepend_config = array(); |
| - | 6 | if (file_exists($xxx_vts_prepend_config_file = __DIR__.'/config.local.php')) include $xxx_vts_prepend_config_file; |
|
| 6 | '/home/' |
7 | unset($xxx_vts_prepend_config_file); |
| 7 | ); |
- | |
| 8 | - | ||
| - | 8 | $xxx_directories_need_anti_xss = $xxx_vts_prepend_config['directories_need_anti_xss']; |
|
| 9 | // --- |
9 | unset($xxx_vts_prepend_config); |
| 10 | 10 | ||
| 11 | function ___check_xss___($str) { |
11 | function ___check_xss___($str) { |
| 12 | $ary = is_array($str) ? $str : array($str); |
12 | $ary = is_array($str) ? $str : array($str); |
| 13 | foreach ($ary as $str) { |
13 | foreach ($ary as $str) { |
| 14 | if ((stripos($str, '<svg') !== false) || (stripos($str, '<script') !== false)) { |
14 | if ((stripos($str, '<svg') !== false) || (stripos($str, '<script') !== false)) { |
| 15 | @header($_SERVER['SERVER_PROTOCOL'] . ' 500 Internal Server Error', true, 500); |
15 | #@header($_SERVER['SERVER_PROTOCOL'] . ' 500 Internal Server Error', true, 500); |
| - | 16 | @header($_SERVER['SERVER_PROTOCOL'] . ' 400 Bad Request', true, 400); |
|
| 16 | die('There is a problem with the data you have entered. Please write us an email if you think you received this message in error. info at viathinksoft.de'); |
17 | die('There is a problem with the data you have entered. Please write us an email if you think you received this message in error. info at viathinksoft.de'); |
| 17 | } |
18 | } |
| 18 | } |
19 | } |
| 19 | } |
20 | } |
| 20 | 21 | ||
| 21 | // --- |
22 | // --- |
| 22 | 23 | ||
| 23 | $xxx_go = false; |
24 | $xxx_go = false; |
| 24 | foreach ($xxx_directories_need_anti_xss as $xxx_directory_need_anti_xss) { |
25 | foreach ($xxx_directories_need_anti_xss as $xxx_directory_need_anti_xss) { |
| - | 26 | if ($xxx_negate = (substr($xxx_directory_need_anti_xss,0,1) === '!')) { |
|
| - | 27 | $xxx_directory_need_anti_xss = substr($xxx_directory_need_anti_xss,1); |
|
| - | 28 | } |
|
| 25 | if (strpos($_SERVER['SCRIPT_FILENAME'], $xxx_directory_need_anti_xss) === 0) { |
29 | if (strpos($_SERVER['SCRIPT_FILENAME'], $xxx_directory_need_anti_xss) === 0) { |
| 26 | $xxx_go = true; |
30 | $xxx_go = !$xxx_negate; |
| 27 | } |
31 | } |
| 28 | } |
32 | } |
| 29 | unset($xxx_directories_need_anti_xss); |
33 | unset($xxx_directories_need_anti_xss); |
| 30 | unset($xxx_directory_need_anti_xss); |
34 | unset($xxx_directory_need_anti_xss); |
| - | 35 | ||
| 31 | if ($xxx_go) { |
36 | if ($xxx_go) { |
| 32 | if (isset($_SERVER['REQUEST_URI'])) ___check_xss___($_SERVER['REQUEST_URI']); |
37 | if (isset($_SERVER['REQUEST_URI'])) ___check_xss___($_SERVER['REQUEST_URI']); |
| 33 | if (isset($_SERVER['QUERY_STRING'])) ___check_xss___($_SERVER['QUERY_STRING']); |
38 | if (isset($_SERVER['QUERY_STRING'])) ___check_xss___($_SERVER['QUERY_STRING']); |
| 34 | if (isset($_SERVER['SCRIPT_URI'])) ___check_xss___($_SERVER['SCRIPT_URI']); |
39 | if (isset($_SERVER['SCRIPT_URI'])) ___check_xss___($_SERVER['SCRIPT_URI']); |
| 35 | if (isset($_SERVER['SCRIPT_URL'])) ___check_xss___($_SERVER['SCRIPT_URL']); |
40 | if (isset($_SERVER['SCRIPT_URL'])) ___check_xss___($_SERVER['SCRIPT_URL']); |
| 36 | if (isset($_SERVER['PHP_SELF'])) ___check_xss___($_SERVER['PHP_SELF']); |
41 | if (isset($_SERVER['PHP_SELF'])) ___check_xss___($_SERVER['PHP_SELF']); |
| 37 | 42 | ||
| 38 | # Warum so viele ___ ? Damit man auf keinen Fall ein GET/POST Argument mit diesen Variablen überschreibt! |
43 | # Warum so viele ___ ? Damit man auf keinen Fall ein GET/POST Argument mit diesen Variablen überschreibt! |
| 39 | foreach ($_REQUEST as $___key___ => $___val___) { |
44 | foreach ($_REQUEST as $___key___ => $___val___) { |
| 40 | ___check_xss___($___val___); |
45 | ___check_xss___($___val___); |
| 41 | } |
46 | } |
| 42 | unset($___key___); |
47 | unset($___key___); |
| 43 | unset($___val___); |
48 | unset($___val___); |