david

Reputation: 11

XSS url filtering

I am using this function I made (although it's probably not original) and was wondering if it is good for filtering URL-based XSS attacks. Here it is:

function clean($url) {
    // Undo percent-encoding and HTML entities first, then drop anything tag-shaped.
    // ENT_QUOTES is a flag for html_entity_decode (decode both quote styles);
    // strip_tags' second argument is an allow-list of tags, not a flag.
    return strip_tags(html_entity_decode(urldecode($url), ENT_QUOTES, 'UTF-8'));
}

If not, a point in the right direction would be nice.

Upvotes: 1

Views: 1914

Answers (2)

Markus Coetzee

Reputation: 3444

I would suggest looking at OWASP's ESAPI Project. They have created an encoding library which comes in a variety of languages including Java, .NET, PHP, Classic ASP, Cold Fusion, Python, and Haskell. It has tools for encoding untrusted data for the context that you're dealing with:

  • encodeForHTML
  • encodeForHTMLAttribute
  • encodeForJavaScript
  • encodeForCSS
  • encodeForURL

It also caters for input validation. Some organisations using ESAPI include American Express, Apache Foundation, Booz Allen Hamilton, Aspect Security, Foundstone(McAfee), The Hartford, Infinite Campus, Lockheed Martin, MITRE, U.S. Navy - SPAWAR, The World Bank, SANS Institute.

I also recommend giving their XSS Prevention Cheat Sheet a read, which describes the best practices for building your defenses against XSS (it essentially boils down to this: you MUST use the escape syntax for the part of the HTML document you're putting untrusted data into).

Upvotes: 1
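To make the context-specific encoding point concrete, here is an added example in plain PHP (it is not code from the question, from ESAPI or from OWASP; the function names only mirror the ESAPI encoder names listed above, and the implementations are my own using PHP's built-in htmlspecialchars, json_encode and rawurlencode). It reproduces the question's clean() (with ENT_QUOTES read as the html_entity_decode flag) beside the context encoders, and runs two constructed payloads through both to show what tag stripping misses:

```php
<?php
// Added example, not from the original post or from the ESAPI project.
// Context-specific output encoding in plain PHP, compared against the
// question's clean() filter. Payloads below are constructed for the demo.

declare(strict_types=1);

// The question's filter, reproduced for comparison (ENT_QUOTES taken as
// the html_entity_decode flag, which is how I read the original).
function clean(string $url): string {
    return strip_tags(html_entity_decode(urldecode($url), ENT_QUOTES, 'UTF-8'));
}

// HTML body text context: <p>HERE</p>
function encodeForHTML(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Quoted attribute context: <a title="HERE">. Same escaping as body text;
// the caller must always wrap the attribute value in quotes.
function encodeForHTMLAttribute(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// JavaScript string context: <script>var x = HERE;</script>
// json_encode yields a quoted JS string literal; the HEX flags keep '<', '>',
// '&', '"' and "'" out of the output, so "</script>" cannot close the block.
function encodeForJavaScript(string $s): string {
    return json_encode(
        $s,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
        | JSON_UNESCAPED_UNICODE | JSON_THROW_ON_ERROR
    );
}

// URL parameter value context: <a href="/search?q=HERE">
function encodeForURL(string $s): string {
    return rawurlencode($s);
}

// Building a link from an untrusted value: the href is a fixed path plus a
// URL-encoded parameter, then attribute-encoded, so the value can never
// supply its own scheme such as "javascript:".
function renderSearchLink(string $untrusted): string {
    $href = '/search?q=' . encodeForURL($untrusted);
    return '<a href="' . encodeForHTMLAttribute($href) . '">'
        . encodeForHTML($untrusted) . '</a>';
}

// Constructed payloads: neither contains a tag, so strip_tags leaves them intact.
$attrBreakout = '" onmouseover="alert(1)';   // breaks out of a quoted attribute
$schemeInject = 'javascript:alert(1)';       // dangerous if placed directly in href

echo "clean():   " . clean($attrBreakout) . PHP_EOL;                // unchanged
echo "attribute: " . encodeForHTMLAttribute($attrBreakout) . PHP_EOL; // quotes become &quot;
echo renderSearchLink($schemeInject) . PHP_EOL;                      // scheme ends up as a query value
echo "js:        " . encodeForJavaScript('</script><script>alert(1)</script>') . PHP_EOL;
```

The two payloads pass through clean() untouched because they contain no tags; what stops them is encoding at output time for the exact slot the value lands in (attribute, body text, JS string, URL parameter). A single "cleaning" step applied on input, and especially one that decodes entities and percent-encoding first, cannot know which of those slots the value will end up in.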

Romeo M.

Reputation: 3278

I suggest you pick a famous (stable) framework such as CodeIgniter, Kohana, Yii or Zend and browse its source code. Most of them provide such helper functions, which you can adapt. This way you have the benefit of using something "community edited" which is always up to date with most of the security threats out there.

Upvotes: 2
