
  1. <?php
  2.  
// ATTENTION: This is a very simple XSS "firewall". There are many other ways to carry out an XSS attack, so please do not rely on this script alone!
  4.  
  5. $xxx_directories_need_anti_xss = array(
  6.         '/home/'
  7. );
  8.  
  9. // ---
  10.  
  11. function ___check_xss___($str) {
  12.         $ary = is_array($str) ? $str : array($str);
  13.         foreach ($ary as $str) {
  14.                 if ((stripos($str, '<svg') !== false) || (stripos($str, '<script') !== false)) {
  15.                         @header($_SERVER['SERVER_PROTOCOL'] . ' 500 Internal Server Error', true, 500);
  16.                         die('There is a problem with the data you have entered. Please write us an email if you think you received this message in error. info at viathinksoft.de');
  17.                 }
  18.         }
  19. }
  20.  
  21. // ---
  22.  
  23. $xxx_go = false;
  24. foreach ($xxx_directories_need_anti_xss as $xxx_directory_need_anti_xss) {
  25.         if (strpos($_SERVER['SCRIPT_FILENAME'], $xxx_directory_need_anti_xss) === 0) {
  26.                 $xxx_go = true;
  27.         }
  28. }
  29. unset($xxx_directories_need_anti_xss);
  30. unset($xxx_directory_need_anti_xss);
  31. if ($xxx_go) {
  32.         if (isset($_SERVER['REQUEST_URI'])) ___check_xss___($_SERVER['REQUEST_URI']);
  33.         if (isset($_SERVER['QUERY_STRING'])) ___check_xss___($_SERVER['QUERY_STRING']);
  34.         if (isset($_SERVER['SCRIPT_URI'])) ___check_xss___($_SERVER['SCRIPT_URI']);
  35.         if (isset($_SERVER['SCRIPT_URL'])) ___check_xss___($_SERVER['SCRIPT_URL']);
  36.         if (isset($_SERVER['PHP_SELF'])) ___check_xss___($_SERVER['PHP_SELF']);
  37.  
  38.         # Warum so viele ___ ? Damit man auf keinen Fall ein GET/POST Argument mit diesen Variablen überschreibt!
  39.         foreach ($_REQUEST as $___key___ => $___val___) {
  40.                 ___check_xss___($___val___);
  41.         }
  42.         unset($___key___);
  43.         unset($___val___);
  44. }
  45. unset($xxx_go);
  46.