n0b0dybk

Reputation: 11

XSS attack via this filter?

function filter($p){
    $i=0;
    // Replaces & first, then > and <, so the inserted entities are not
    // double-escaped. Double and single quotes are left untouched.
    return str_replace("<","&lt;",str_replace(">","&gt;",str_replace("&","&amp;",$p,$i),$i),$i);
}

Any idea how to get past this XSS prevention? Just my idea, not homework.

Upvotes: 0

Views: 292

Answers (3)

drf

Reputation: 8699

Possibly. For instance, if filter is used within an HTML attribute, like this:

<input type="text" value="<?=filter($p)?>">

The attacker might execute an XSS attack by coercing $p into being something like:

something" onfocus="javascript:alert('test')

So the output HTML becomes:

<input type="text" value="something" onfocus="javascript:alert('test')">

Upvotes: 1

MrGomez

Reputation: 23886

As raised in the question errata, the problem here is you're trying to roll your own replacement for htmlspecialchars in PHP. While you've asked for a spot code review for fixing a potential XSS exploit, you've actually indicated a design smell in your application regarding how you handle vulnerabilities.

While you can perform iterative fixups or input mode sanitization as you appear to be trying to do (note this answer about black- and white-lists), you would be better served by reading this documentation on how to address and mitigate XSS exploits and this additional documentation. It should offer guidance on reviewing and rearchitecting your application to handle these threats cleanly and safely, instead of swiss-cheesing your mitigation strategy over multiple fixups in the code.

(Additional helpful resource)

Best of luck with your application!

Upvotes: 2
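To make drf's attribute break-out and MrGomez's htmlspecialchars recommendation concrete, here is an added example (not code from the question or from either answer) that renders the posted filter and a hardened replacement into the same attribute context and parses the result with DOMDocument to see how many attributes the browser would actually end up with. The payload string and the function name escape_attr are assumptions made for the illustration.

```php
<?php
// Added example, not from the original post: the question's filter beside
// htmlspecialchars() with ENT_QUOTES, both rendered into
//   <input type="text" value="...">
// and then parsed as HTML to see what attributes the element ends up with.

// The filter from the question, unchanged: escapes & < > but not quotes.
function filter($p) {
    $i = 0;
    return str_replace("<", "&lt;", str_replace(">", "&gt;", str_replace("&", "&amp;", $p, $i), $i), $i);
}

// Hardened replacement (hypothetical helper name): also escapes " and ',
// and is explicit about the charset so multibyte input cannot confuse it.
function escape_attr($p) {
    return htmlspecialchars($p, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Returns the attribute names the browser would see on the <input>
// after the escaped value is placed inside a double-quoted value="...".
function attributes_after_render(callable $escaper, string $p): array {
    $html = '<input type="text" value="' . $escaper($p) . '">';
    $dom = new DOMDocument();
    libxml_use_internal_errors(true);          // fragment has no <html>/<body>; suppress warnings
    $dom->loadHTML($html);
    libxml_clear_errors();
    $input = $dom->getElementsByTagName('input')->item(0);
    $names = [];
    foreach ($input->attributes as $attr) {
        $names[] = $attr->name;
    }
    return $names;
}

// Constructed payload: closes the value attribute and adds an event handler.
$payload = 'something" onfocus="alert(1)';

echo "weak : ", implode(' ', attributes_after_render('filter', $payload)), "\n";
echo "safe : ", implode(' ', attributes_after_render('escape_attr', $payload)), "\n";
```

With the question's filter the parsed element carries an extra onfocus attribute, because the unescaped double quote terminates value="..." early; with escape_attr the quote becomes &quot; and the whole payload stays inside the single value attribute. One caveat that holds for both functions: this only protects quoted attributes. If the template writes value=<?=escape_attr($p)?> without quotes, a space in the payload ends the attribute even though no quote was needed, so always quote attribute values and escape for the context (attribute, text node, URL, JavaScript string) you are actually inserting into.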

mkk

Reputation: 7693

Never use blacklist. Always use whitelist. Read for example here about plenty of different attacks. Thought-provoking :)

Upvotes: 0
