Created October 6, 2014 13:12
Gist: soaj1664/1c40e52c7a8f78981623
StyleContextCleaner Function
<!--
/**
 * XSS protection function for the style context only
 * @usecases
 * @double quoted case, e.g.
 * <span style="use this function if output reflects here"></span>
 * @single quoted case, e.g.
 * <div style='use this function if output reflects here'></div>
 * OR <style>use this function if output reflects here</style>
 * @description
 * Sanitize/filter the meta or control characters an attacker needs in order to execute JavaScript, e.g.
 * " and ' are filtered because they close the quoted style attribute (e.g., red" onmouseover="alert(1)).
 * ( is filtered because width:expression(alert(1)) needs it.
 * \ is filtered because of CSS escaping, e.g., x:expre/**/ssion\28 alert\28 1\29\29
 * & is filtered to stop decimal and hex character references (e.g., &#40; is decoded to ( in an attribute value).
 * < is filtered in case developers put the output inside <style></style> tags instead of a style attribute,
 *   where an attacker could otherwise close the </style> tag and then execute JavaScript.
 * The function allows simple styles, e.g., color:red, height:100px, etc.
 * @author Ashar Javed
 * @Link https://twitter.com/soaj1664ashar
 * @demo http://xssplaygroundforfunandlearn.netai.net/final.html
 */
-->
<?php
function styleContextCleaner($input) {
    // '&' is encoded first: str_replace() applies the pairs in sequence over the
    // whole string, so encoding '&' last would re-encode the entities inserted by
    // the earlier pairs (for example "&quot;" would become "&amp;quot;").
    $bad_chars  = array("&", "\"", "'", "(", "\\", "<");
    $safe_chars = array("&amp;", "&quot;", "&#39;", "&#40;", "&#92;", "&lt;");
    $output = str_replace($bad_chars, $safe_chars, $input);
    // "\\" above is a single backslash in a PHP double-quoted string, so every
    // backslash is already encoded; stripslashes() is kept only as a belt-and-braces step.
    return stripslashes($output);
}
?>
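The filter exercised against the payloads named in the docblock, as an added example that is not part of the original gist: the vector strings, the isClean() check and the two filter variants are constructed here for illustration, and the second variant exists only to show the effect of encoding '&' last.

```php
<?php
// Added example, not part of the original gist: runs a style-context filter
// over the attack strings from the docblock plus a few harmless declarations,
// and shows why the order of the str_replace() pairs matters.

// Same character set as styleContextCleaner(), with '&' handled first so the
// entities inserted by later pairs are not re-encoded.
function styleFilter(string $input): string {
    $bad  = ['&', '"', "'", '(', '\\', '<'];
    $safe = ['&amp;', '&quot;', '&#39;', '&#40;', '&#92;', '&lt;'];
    return str_replace($bad, $safe, $input);
}

// The same pairs with '&' last, kept only to show the double-encoding effect:
// str_replace() applies each pair to the whole string in turn, so the '&' of
// the "&quot;" inserted by the first pair is hit by the last pair.
function styleFilterAmpLast(string $input): string {
    $bad  = ['"', "'", '(', '\\', '<', '&'];
    $safe = ['&quot;', '&#39;', '&#40;', '&#92;', '&lt;', '&amp;'];
    return str_replace($bad, $safe, $input);
}

// Output is acceptable only if no raw ", ', (, \ or < survives and every '&'
// starts one of the six entities the filter itself emits.
function isClean(string $s): bool {
    if (preg_match('/["\'(\\\\<]/', $s) === 1) {
        return false;
    }
    return preg_match('/&(?!(?:amp|quot|lt|#39|#40|#92);)/', $s) === 0;
}

// Constructed vectors: attack strings from the docblock (expression(), CSS
// escapes, closing </style>, character references, breaking out of the quoted
// attribute) followed by declarations that should pass through untouched.
$vectors = [
    'width:expression(alert(1))',
    'x:expre/**/ssion\28 alert\28 1\29\29',
    'red</style><script>alert(1)</script>',
    'width:expression&#40;alert&#40;1&#41;&#41;',
    'red" onmouseover="alert(1)',
    "red' onmouseover='alert(1)",
    'color:red',
    'height:100px; font-family:Arial, sans-serif',
];

foreach ($vectors as $v) {
    $out = styleFilter($v);
    printf("%-7s %s\n   -> %s\n", isClean($out) ? 'clean' : 'UNSAFE', $v, $out);
}

// With '&' last a single double quote becomes &amp;quot; instead of &quot;,
// which the browser then renders as the literal text &quot; inside the style.
printf("\n'&' last:  %s\n", styleFilterAmpLast('"'));
printf("'&' first: %s\n", styleFilter('"'));
```

Two caveats a practitioner should keep in mind: the character-reference case (&#40;) only matters for the two attribute forms, because the HTML parser decodes references in attribute values but not inside a <style> element, whose content is raw text; and this is a denylist that only holds for the three contexts listed in the docblock, so output that lands in any other context (a script block, an unquoted attribute, a URL) needs its own context-specific encoding.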