Reputation:
What is a good url validation function in php to detect xss?
I tried the FILTER_URL function in php, but that still allows urls like:
http://example.com?<script></script>
Upvotes: 0
Views: 1001
Reputation: 12834
You could use htmlspecialchars()
and strip_tags()
though they will not entirely prevent anything.
Use a combination of these as well as other heuristics. Ideally write your own function where you pass content through a chain of checks. filter_input can be used in it as well.
Upvotes: 0
Reputation: 5733
You could try with these four tests:
// Set the patterns we'll test against
$patterns = array(
// Match any attribute starting with "on" or xmlns
'#(<[^>]+[\x00-\x20\"\'\/])(on|xmlns)[^>]*>?#iUu',
// Match javascript:, livescript:, vbscript: and mocha: protocols
'!((java|live|vb)script|mocha):(\w)*!iUu',
'#-moz-binding[\x00-\x20]*:#u',
// Match style attributes
'#(<[^>]+[\x00-\x20\"\'\/])style=[^>]*>?#iUu',
// Match unneeded tags
'#</*(applet|meta|xml|blink|link|style|script|embed|object|iframe|frame|frameset|ilayer|layer|bgsound|title|base)[^>]*>?#i'
);
And instead of trying to detect XSS attacks, just make sure to use proper sanitizing.
Upvotes: 1