user816604
Reputation:
Detecting XSS using url validation
What is a good url validation function in php to detect xss?
I tried the FILTER_URL function in php, but that still allows urls like:
http://example.com?<script></script>
Upvotes: 0
Views: 1001
Answers (2)
raidenace
Reputation: 12834
You could use htmlspecialchars() and strip_tags() though they will not entirely prevent anything.
Use a combination of these as well as other heuristics. Ideally write your own function where you pass content through a chain of checks. filter_input can be used in it as well.
Upvotes: 0
SpencerX
Reputation: 5733
You could try with these four tests:
// Set the patterns we'll test against
$patterns = array(
// Match any attribute starting with "on" or xmlns
'#(<[^>]+[\x00-\x20\"\'\/])(on|xmlns)[^>]*>?#iUu',
// Match javascript:, livescript:, vbscript: and mocha: protocols
'!((java|live|vb)script|mocha):(\w)*!iUu',
'#-moz-binding[\x00-\x20]*:#u',
// Match style attributes
'#(<[^>]+[\x00-\x20\"\'\/])style=[^>]*>?#iUu',
// Match unneeded tags
'#</*(applet|meta|xml|blink|link|style|script|embed|object|iframe|frame|frameset|ilayer|layer|bgsound|title|base)[^>]*>?#i'
);
And instead of trying to detect XSS attacks, just make sure to use proper sanitizing.
Upvotes: 1
Related Questions
- prevent xss attack via url( PHP)
- Is this function enough for xss detection?
- PHP check if url is valid
- validate url in php
- URL Validation/Sanitization with Regular Expressions
- Validate url in PHP & Jquery?
- XSS url filtering
- PHP filter_var for a URL against XSS attacks
- input is URL, how to protect it from xss
- Validate URL with javascript and php