anti-XXS attack form

Question

davy_yg 2 Posting Whiz

13 Years Ago

contact_us.php

<form action="contact.php" method="POST">      
<table border="0" cellpadding="2">
<tr>	
         <td>Name  : </td>
 	<td><input name="nama" type="text" value="" size="30" /></td>
</tr>
<tr>    
         <td>E-mail: </td>
	<td><input name="email" type="text" value="" size="20" /></td>
</tr>    
<tr>
	<td>Your message  : </td>
	<td><textarea name="comments" cols=30 rows=6></textarea></td>
</tr>
<tr>
	<td></td>
    <td><input name="send message" type="button" value="send message" /> 
</table>
</form>

Hello, out of this form I would like to create a form that's free from XXS attack. How to do so?

cybersecurity php

2 Contributors
16 Replies
136 Views
3 Weeks Discussion Span
Latest Post 13 Years Ago Latest Post by Stefano Mtangoo

Stefano Mtangoo 455 Senior Poster

13 Years Ago

no magic follow security rules. here is one of them concerning the question:

Before putting user input in HTML output, ALWAYS CONVERT control chars to HTML entities. This protects against cross-site scripting (XSS) or messing up your output with custom HTML

Source:
I would add to that, since it is a form, then limit HTML tags to a fixed list (bold Italic et al look at stack overflow comments) and then filter out anything else. That is, you have a whitelist and discard any other tag as invalid. you can use BB code also and convert BB tag to HTML on your server side script. Just note the rule above and choose your own remedy!

Stefano Mtangoo 455 Senior Poster

13 Years Ago

More or less the following code are safe from XXS attack right? Assuming I change the form action to send_email.php

send_email.php

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Untitled Document</title>
</head>

<body>

<?php
$kepada=$_GET["kepada"];
$nama = $_GET["nama"];
$email = $_GET["email"];
$subjek = $_GET["subjek"];
$comments = $_GET["comments"];
?> 
 
<?php
// using htmlentities

$newkepada= htmlspecialchars($kepada, ENT_QUOTES);
$newnama= htmlspecialchars($nama, ENT_QUOTES);
$newemail = htmlspecialchars($email, ENT_QUOTES);
$newsubjek = htmlspecialchars($subjek, ENT_QUOTES);
$newcomments = htmlspecialchars($comments, ENT_QUOTES); 
 
?> 
 
<h1>Demo Send Email</h1>
<hr>
Kepada : <?php echo $kepada; ?>
Subject : <?php echo $subjek; ?>
Pesan : <?php echo $pesan; ?>
Dari : <?php echo $dari; ?>
<br />
<?php
ini_set("SMTP", "172.16.1.1");
ini_set("sendmail_from", "$email");
mail("$kepada", "$subjek", "$comments");
?>

Telah dilakukan!

</body>
</html>

Do email need to have formatting or not?

Stefano Mtangoo 455 Senior Poster

13 Years Ago

Do you mean formatting like ckeditor? no.

Then strip off all <xxx> </xxx> tags and leave only plain text. you are safe with no tag!

Stefano Mtangoo 455 Senior Poster

13 Years Ago

Echo and echo are different beasts!
One is PHP function another is ??????

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

davy_yg 2 Posting Whiz · Answer 1 · 2011-10-19T16:19:29+00:00

More or less the following code are safe from XXS attack right? Assuming I change the form action to send_email.php

send_email.php

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Untitled Document</title>
</head>

<body>

<?php
$kepada=$_GET["kepada"];
$nama = $_GET["nama"];
$email = $_GET["email"];
$subjek = $_GET["subjek"];
$comments = $_GET["comments"];
?> 
 
<?php
// using htmlentities

$newkepada= htmlspecialchars($kepada, ENT_QUOTES);
$newnama= htmlspecialchars($nama, ENT_QUOTES);
$newemail = htmlspecialchars($email, ENT_QUOTES);
$newsubjek = htmlspecialchars($subjek, ENT_QUOTES);
$newcomments = htmlspecialchars($comments, ENT_QUOTES); 
 
?> 
 
<h1>Demo Send Email</h1>
<hr>
Kepada : <?php echo $kepada; ?>
Subject : <?php echo $subjek; ?>
Pesan : <?php echo $pesan; ?>
Dari : <?php echo $dari; ?>
<br />
<?php
ini_set("SMTP", "172.16.1.1");
ini_set("sendmail_from", "$email");
mail("$kepada", "$subjek", "$comments");
?>

Telah dilakukan!

</body>
</html>

davy_yg 2 Posting Whiz · Answer 2 · 2011-10-20T13:35:48+00:00

davy_yg 2 Posting Whiz

13 Years Ago

Do you mean formatting like ckeditor? no.

davy_yg 2 Posting Whiz · Answer 3 · 2011-11-03T13:04:15+00:00

Like this ?

komentar.php

<?php

$nama = isset($_POST['nama']) ? $_POST['nama'] : '';
$comments = isset($_POST['comments']) ? $_POST['comments'] : '';
 
// escape output

$newnama= htmlspecialchars($nama, ENT_QUOTES);
$newcomments = htmlspecialchars($comments, ENT_QUOTES); 
 
// filter input

Echo sanitize_data($newnama);
Echo sanitize_data($newcomments);


function sanitize_data($input_data) { 
return htmlentities(stripslashes($input_data), ENT_QUOTES); 
} 

?>

davy_yg 2 Posting Whiz · Answer 4 · 2011-11-03T17:21:55+00:00

I wonder why I do not see comments as output?

This code is the form code before komentar.php

komentar.php

<html>

Cross Site Scripting Security
<form action="komentar.php" method="POST">
Nama:
<input type="textbox" name="nama" /><br />
Komentar:<textarea name="comments" rows=10 cols=40></textarea><br />
<input type="submit" />
</form>

</html>

I only see nama (translate: name) as output after I input name, but not comments.

davy_yg 2 Posting Whiz · Answer 5 · 2011-11-04T13:03:47+00:00

Thanks. it works. one more thing:

receive.php

<html>

<?php

$nama = isset($_POST['nama']) ? $_POST ['nama'] : '';
$color =  isset($_POST['color']) ? $_POST ['color'] : '';


$newnama = htmlspecialchars($nama, ENT_QUOTES);
$newcolor =  htmlspecialchars($color, ENT_QUOTES);


RemoveBad($newnama);
RemoveBad($newcolor);


function RemoveBad(strTemp) { 
    strTemp = strTemp.replace(/\<|\>|\|\|\%|\;|\(|\)|\&|\+|\-/g,""); 
    return strTemp;
} 

?>

<h1> Print Output </h1>
Nama  :  <?php echo $newnama ?>
Color   :  <?php echo $newcolor ?>

</html>

Parse error: syntax error, unexpected ')', expecting '&' or T_VARIABLE in C:\xampp\htdocs\php_exercise\receive.php on line 17

line 17: function RemoveBad(strTemp) {

Stefano Mtangoo 455 Senior Poster · Answer 6 · 2011-11-04T19:48:07+00:00

Are you sure

strTemp = strTemp.replace(/\<|\>|\|\|\%|\;|\(|\)|\&|\+|\-/g,"");

is not supposed to be

strTemp = strTemp.replace("/\<|\>|\|\|\%|\;|\(|\)|\&|\+|\-/g","");

davy_yg 2 Posting Whiz · Answer 7 · 2011-11-04T22:54:55+00:00

Still error.

Parse error: syntax error, unexpected ')', expecting '&' or T_VARIABLE in C:\xampp\htdocs\php_exercise\receive.php on line 17

Stefano Mtangoo 455 Senior Poster · Answer 8 · 2011-11-04T23:05:50+00:00

Stefano Mtangoo 455 Senior Poster

13 Years Ago

what is your current code?

davy_yg 2 Posting Whiz · Answer 9 · 2011-11-04T23:17:46+00:00

strTemp = strTemp.replace("/\<|\>|\|\|\%|\;|\(|\)|\&|\+|\-/g","");

Stefano Mtangoo 455 Senior Poster · Answer 10 · 2011-11-05T02:05:34+00:00

mh, are you sure strTemp is not supposed to be $strTemp?

davy_yg 2 Posting Whiz · Answer 11 · 2011-11-05T11:38:34+00:00

function RemoveBad($strTemp) { 
    $strTemp = $strTemp.replace("/\<|\>|\|\|\%|\;|\(|\)|\&|\+|\-/g","");
    return $strTemp;
}

Fatal error: Call to undefined function replace() in C:\xampp\htdocs\php_exercise\receive.php on line 18

Stefano Mtangoo 455 Senior Poster · Answer 12 · 2011-11-07T14:00:07+00:00

function RemoveBad($strTemp) { 
    $strTemp = $strTemp.replace("/\<|\>|\|\|\%|\;|$|$|\&|\+|\-/g","");
    return $strTemp;
}
Fatal error: Call to undefined function replace() in C:\xampp\htdocs\php_exercise\receive.php on line 18

what is your programming languages background?
in PHP we do it this way