Damon

Reputation: 10809

Preventing iframe injection via url?

I'm trying to prevent attacks where a url can be distributed that inserts an iframe (containing a fake login screen) into a PHP site using javascript in the url. Is there some way with PHP to clean out URLs of a page before it is loaded?

The url looks like something like: login.php?login_nav_map=%2Fv3%2Farchives%2Findex.php%22/%3E%3Cimg%20src=%22no.jpg%22%20onerror=%22document.write%28String.fromCharCode%2860,99,101,110,116,101,114,62,10,60,105,109,103,32,115,114,99,61,34,104,116,116,112,58,47,47,119,119,119,46,119,111,114,108,100,116,118,112,99,46,99,111,109,47,98,108,111,45,99,111,110,116,101,110,116,47,117,112,108,111,97,100,115,47,50,48,49,49,47,48,56,47,97,98,99,45,111,110,108,105,110,101,45,116,118,46,106,112,103,34,47,62,60,98,114,47,62,10,60,104,49,62,65,100,

and the char codes insert an iframe into my page which I do not want there.

Upvotes: 0

Views: 2311

Answers (1)

sachleen

Reputation: 31131

Your question is really confusing so I'll try to answer a few questions and hopefully it helps.

You have a web page that you don't want people loading in an iframe.

Use a frame breakout script, usually something like

// If this document is not the top-level window, it has been framed:
// point the top window at this page so the frame is broken out of.
if (top.location != location) {
    top.location.href = document.location.href;
}

You have a web page where people can post stuff and you don't want somebody typing in an iframe code and it loading a frame on your page.

Sanitize the input. Take a look at htmlentities. That'll convert < and > (among others) to their HTML entities so everything will be visible on the page but the browser won't parse any tags as code. No more <script>, it'll show up as just the text <script> instead of executing the code inside.

You have a website where the URL parameters mean something in the code and you don't want somebody putting a malicious URL as a parameter. Something like http://mysite.com?foo=bar&url=somebadwebsite.com/virus.php

You should have a blacklist of URLs or domains to block. Look at parse_url to get the parts of the URL and you can use in_array to see if the host is part of the blacklisted array.

You have a website where the URL parameters control the content of the page. Something like http://mysite.com?foo=bar&title=Hello and it displays "Hello" on the page. You wouldn't want somebody injecting JS there and your page to execute that.

It's usually a bad idea to do this. You should have a whitelist of possible values in this case.

// Read the parameter, defaulting to an empty string when it is absent
$value = isset($_GET['title']) ? $_GET['title'] : '';
switch ($value) {
    case 'Hello':
        // do something for hello
        break;
    case 'Goodbye':
        // do something for goodbye
        break;
    default:
        // do something if it's something you don't expect/want as input
}

Upvotes: 2
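As an added example (not code from the question or the answer): the kind of reflection the question's URL points at, where a parameter is written straight into an HTML attribute, beside the two fixes the answer recommends, attribute encoding with htmlspecialchars and a whitelist of expected values. The function names, the hidden-input markup, the allowed paths and the sample payload are assumptions made for the example.

```php
<?php
// Added example; assumes login.php reflects the login_nav_map parameter
// into an attribute of a hidden input. Names and markup are hypothetical.

// Vulnerable: the raw parameter lands inside a double-quoted attribute.
// A value containing a double quote closes the attribute and the browser
// parses whatever follows as new markup (the pattern in the question's URL).
function render_nav_vulnerable(string $nav): string
{
    return '<input type="hidden" name="login_nav_map" value="' . $nav . '"/>';
}

// Fix 1: encode for the HTML attribute context. ENT_QUOTES encodes both
// quote characters; the charset is stated explicitly so the encoder does
// not have to guess and multi-byte edge cases are handled consistently.
function render_nav_encoded(string $nav): string
{
    $safe = htmlspecialchars($nav, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="hidden" name="login_nav_map" value="' . $safe . '"/>';
}

// Fix 2 (the answer's whitelist advice): only accept values you expect.
// Strict comparison in in_array avoids loose type juggling on the match.
function allowed_nav(string $nav): string
{
    $allowed = ['/v3/archives/index.php', '/v3/index.php']; // constructed list
    return in_array($nav, $allowed, true) ? $nav : '/index.php';
}

// Constructed input shaped like the question's payload after URL decoding:
// a valid-looking path, then a quote that closes the attribute, then a tag.
$payload = '/v3/archives/index.php"/><img src="no.jpg" onerror="document.write(1)">';

// The quote in $payload terminates value="..." and the <img> becomes live markup.
echo render_nav_vulnerable($payload), PHP_EOL;

// The quote and angle brackets are entity-encoded, so the whole payload
// stays inside the attribute as inert text.
echo render_nav_encoded($payload), PHP_EOL;

// The unexpected value never reaches the page at all; the default is used.
echo render_nav_encoded(allowed_nav($payload)), PHP_EOL;
```

Apply the encoding at the point of output for every reflected parameter, not just the one from the question; the whitelist is the stronger control wherever the set of legitimate values is known in advance.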
