user816604
user816604

Reputation:

Detecting XSS using url validation

What is a good url validation function in php to detect xss?

I tried the FILTER_URL function in php, but that still allows urls like:

http://example.com?<script></script>

Upvotes: 0

Views: 1001

Answers (2)

raidenace
raidenace

Reputation: 12834

You could use htmlspecialchars() and strip_tags() though they will not entirely prevent anything.

Use a combination of these as well as other heuristics. Ideally write your own function where you pass content through a chain of checks. filter_input can be used in it as well.

Upvotes: 0

SpencerX
SpencerX

Reputation: 5733

You could try with these four tests:

// Set the patterns we'll test against
$patterns = array(
    // Match any attribute starting with "on" or xmlns
    '#(<[^>]+[\x00-\x20\"\'\/])(on|xmlns)[^>]*>?#iUu',

    // Match javascript:, livescript:, vbscript: and mocha: protocols
    '!((java|live|vb)script|mocha):(\w)*!iUu',
    '#-moz-binding[\x00-\x20]*:#u',

    // Match style attributes
    '#(<[^>]+[\x00-\x20\"\'\/])style=[^>]*>?#iUu',

    // Match unneeded tags
    '#</*(applet|meta|xml|blink|link|style|script|embed|object|iframe|frame|frameset|ilayer|layer|bgsound|title|base)[^>]*>?#i'
);

And instead of trying to detect XSS attacks, just make sure to use proper sanitizing.

Upvotes: 1

Related Questions