WordPress.org
Get WordPress

Plugin Directory

Changeset 833088


Ignore:
Timestamp:
01/05/2014 12:21:33 AM (12 years ago)
Author:
scibuff
Message:
  • updated the xss filter function
File:
1 edited

Legend:

Unmodified
Added
Removed

  • wordpress-connect/branches/2.0.3b/editor/common.php

    r833082 r833088  
    66
    77    if ( !empty( $_GET[ $key ] ) ){
    8         $value = $_GET[ $key ];
    9         if ( contains_xss( $value ) ){ return $default; }
    10         return $value;
     8        $value = htmlspecialchars( $_GET[ $key ], ENT_QUOTES, 'UTF-8' );
     9        return filter_var( $value, FILTER_SANITIZE_STRING );
    1110    }
    1211    return $default;
    1312}
    1413
    15 /**
    16  * Given a string, this function will determine if it potentially an
    17  * XSS attack and return boolean.
    18  *
    19  * @param string $string
    20  *  The string to run XSS detection logic on
    21  * @return boolean
    22  *  True if the given `$string` contains XSS, false otherwise.
    23  */
    24 function contains_xss( $string ) {
    25    
    26     $contains_xss = false;
    27 
    28     // Skip any null or non string values
    29     if( is_null( $string ) || !is_string( $string ) ) {
    30         return $contains_xss;
    31     }
    32 
    33     // Keep a copy of the original string before cleaning up
    34     $original = $string;
    35 
    36     // URL decode
    37     $string = urldecode( $string );
    38 
    39     // Convert Hexadecimals
    40     $string = preg_replace( '!(&#|\\\)[xX]([0-9a-fA-F]+);?!e','chr(hexdec("$2"))', $string );
    41 
    42     // Clean up entities
    43     $string = preg_replace( '!(&#0+[0-9]+)!','$1;',$string );
    44 
    45     // Decode entities
    46     $string = html_entity_decode( $string, ENT_NOQUOTES, 'UTF-8' );
    47 
    48     // Strip whitespace characters
    49     $string = preg_replace( '!\s!','',$string );
    50 
    51     // Set the patterns we'll test against
    52     $patterns = array(
    53         // Match any attribute starting with "on" or xmlns
    54         '#(<[^>]+[\x00-\x20\"\'\/])(on|xmlns)[^>]*>?#iUu',
    55 
    56         // Match javascript:, livescript:, vbscript: and mocha: protocols
    57         '!((java|live|vb)script|mocha|feed|data):(\w)*!iUu',
    58         '#-moz-binding[\x00-\x20]*:#u',
    59 
    60         // Match style attributes
    61         '#(<[^>]+[\x00-\x20\"\'\/])style=[^>]*>?#iUu',
    62 
    63         // Match unneeded tags
    64         '#</*(applet|meta|xml|blink|link|style|script|embed|object|iframe|frame|frameset|ilayer|layer|bgsound|title|base)[^>]*>?#i'
    65     );
    66 
    67     foreach( $patterns as $pattern ) {
    68         // Test both the original string and clean string
    69         if( preg_match( $pattern, $string ) || preg_match( $pattern, $original ) ){
    70                 return true;
    71         }
    72     }
    73     return false;
    74 }
    75                
    7614function print_select( $name, $options, $selected_value ){
    7715?>
Note: See TracChangeset for help on using the changeset viewer.