
I am trying to prevent XSS injection. So before I submit a form, a JavaScript function is called:

function validatefield(id) {
    var description = document.getElementById(id).value;
    // Strip quoted "javascript:" URLs, everything from the word "script" onward, and eval(...) calls
    description = description.replace(/[\"\'][\s]*javascript:(.*)[\"\']/gi, "");
    description = description.replace(/script(.*)/gi, "");
    description = description.replace(/eval\((.*)\)/gi, "");
    document.getElementById(id).value = description;
}

I am wondering if there's a way to do the same in PHP before inserting into MySQL, in case they get around the validatefield function.

Thanks

  • Porting this javascript code to php is not a good strategy to prevent XSS. There are ways of injecting javascript into html which are not covered by your logic, eg. the onclick attribute. The right (and much simpler!) way to go is to wrap your user submitted data in htmlspecialchars() just before outputting it in any html context. Commented Mar 1, 2010 at 4:20
  • But htmlspecialchars isn't adequate if you want to allow some HTML. Commented Mar 1, 2010 at 4:23
  • @Matthew Flaschen: Certainly true. Although I didn't get the impression the poster was collecting HTML specifically through his form. It doesn't mention that anywhere in the question. In the case of collecting HTML data, I would go with a whitelist approach and strip all non-approved tags and attributes. Commented Mar 1, 2010 at 4:26

2 Answers


You are looking for preg_replace.

$description = preg_replace('regex pattern', 'regex replacement', $description);

3 Comments

Regular expressions are poorly suited for (non-regular) html syntax. You'd also have to run that until it didn't find any more matches to replace in order to take care of situations like <<scriptscript...
I tried to just copy and paste the js version but it doesn't seem to work: $text = preg_replace('/[\"\'][\s]*javascript:(.*)[\"\']/gi', '', $text); $text = preg_replace('/script(.*)/gi', '', $text); $text = preg_replace('/eval((.*))/gi', '', $text);
The regular expression dialect is different. This function only accepts Perl Compatible Regular Expressions. Here is a cheat sheet: phpguru.org/downloads/PCRE%20Cheat%20Sheet/… You will need to rewrite your regular expressions for them to work in PHP.

Generally speaking, you can use preg_replace for regex replacements in PHP. But there are a few problems with your design:

  1. You shouldn't even bother doing this on the client. It will slow things down without providing security.
  2. You're removing things that are perfectly safe (e.g. "I wrote a script to do such as such"), while ignoring many actual dangers like onclick attributes (see also XSS Cheat Sheet).

Generally speaking, if you want to allow some form of HTML, a whitelist is a better approach. HTML Purifier is a popular tool for implementing this in PHP.

1 Comment

+1 for html purifier and white lists. Boo! for regular expressions and html.
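As an added example (not code from the question or either answer), here are the asker's three patterns ported to PCRE the way the comment under the first answer describes, beside the htmlspecialchars() output encoding that the first comment and the second answer recommend; the sample inputs are constructed for the demonstration.

```php
<?php
// Added example: the JavaScript blacklist ported to PCRE, next to
// context-aware output encoding. Not code from the question or answers.

// Port of the three JS regexes. Differences from the JS dialect: the
// parentheses in eval(...) must be escaped, and there is no /g flag because
// preg_replace already replaces every match in the subject.
function blacklist_filter(string $text): string
{
    $patterns = [
        '/["\'][\s]*javascript:(.*)["\']/i',
        '/script(.*)/i',
        '/eval\((.*)\)/i',
    ];
    return preg_replace($patterns, '', $text) ?? '';
}

// What the answers recommend instead: store the raw text unchanged and
// encode it for the HTML context at output time. ENT_QUOTES also encodes
// single quotes, so the result is safe inside attributes delimited either way.
function render_text(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed inputs: a harmless sentence the blacklist mangles (it strips
// everything from the word "script" onward), and an onclick handler the
// blacklist does not touch at all, as the first comment points out.
$samples = [
    'I wrote a script to do such and such',
    '<b onclick="alert(1)">click</b>',
];

foreach ($samples as $s) {
    echo "input:     $s\n";
    echo "blacklist: " . blacklist_filter($s) . "\n";
    echo "encoded:   " . render_text($s) . "\n\n";
}
```

Running it shows the blacklist cutting the harmless sentence short while passing the onclick markup through untouched, whereas the encoded form renders both inputs as literal text in any HTML element or attribute context.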
