So_Not_an_HTML_genius Posted November 8, 2008

Hi, I am really new at this addon php code. Here is the add on for the antixss:

```php
// Remove XSS ATTACK
// $val is taken by reference and $key is accepted so this can be used directly
// as an array_walk_recursive() callback over the request superglobals
function RemoveXSS(&$val, $key) {
    // remove all non-printable characters. TAB(09), LF(0a) and CR(0d) are allowed
    // this prevents some character re-spacing such as <java\0script>
    // note that you have to handle splits with \n, \r, and \t later since they *are* allowed in some inputs
    $val = preg_replace('/[\x00-\x08\x0b\x0c\x0e-\x1f]/', '', $val);

    // straight replacements, the user should never need these since they're normal characters
    // this prevents things like <IMG SRC=&#X40&#X61&#X76&#X61&#X73&#X63&#X72&#X69&#X70&#X74&#X3A&#X61&#X6C&#X65&#X72&#X74&#X28&#X27&#X58&#X53&#X53&#X27&#X29>
    // (the attribute value @avascript:alert('XSS') written entirely as character references)
    $search = 'abcdefghijklmnopqrstuvwxyz';
    $search .= 'ABCDEFGHIJKLMNOPQRSTUVWXYZ';
    $search .= '1234567890!@#$%^&*()';
    $search .= '~`";:?+/={}[]-_|\'\\'; // single quote and backslash must be escaped inside a single-quoted string
    for ($i = 0; $i < strlen($search); $i++) {
        // ;? matches the ;, which is optional
        // 0{0,8} matches any padded zeros, which are optional and go up to 8 chars

        // &#x0040 @ search for the hex values
        $val = preg_replace('/(&#[xX]0{0,8}'.dechex(ord($search[$i])).';?)/i', $search[$i], $val); // with a ;
        // &#00064 @ search for the decimal values
        $val = preg_replace('/(&#0{0,8}'.ord($search[$i]).';?)/', $search[$i], $val); // with a ;
    }

    // now the only remaining whitespace attacks are \t, \n, and \r
    $ra1 = array('javascript', 'vbscript', 'expression', 'applet', 'meta', 'xml', 'blink', 'link', 'style', 'script', 'embed', 'object', 'iframe', 'frame', 'frameset', 'ilayer', 'layer', 'bgsound', 'title', 'base');
    $ra2 = array('onabort', 'onactivate', 'onafterprint', 'onafterupdate', 'onbeforeactivate', 'onbeforecopy', 'onbeforecut', 'onbeforedeactivate', 'onbeforeeditfocus', 'onbeforepaste', 'onbeforeprint', 'onbeforeunload', 'onbeforeupdate', 'onblur', 'onbounce', 'oncellchange', 'onchange', 'onclick', 'oncontextmenu', 'oncontrolselect', 'oncopy', 'oncut', 'ondataavailable', 'ondatasetchanged', 'ondatasetcomplete', 'ondblclick', 'ondeactivate', 'ondrag', 'ondragend', 'ondragenter', 'ondragleave', 'ondragover', 'ondragstart', 'ondrop', 'onerror', 'onerrorupdate', 'onfilterchange', 'onfinish', 'onfocus', 'onfocusin', 'onfocusout', 'onhelp', 'onkeydown', 'onkeypress', 'onkeyup', 'onlayoutcomplete', 'onload', 'onlosecapture', 'onmousedown', 'onmouseenter', 'onmouseleave', 'onmousemove', 'onmouseout', 'onmouseover', 'onmouseup', 'onmousewheel', 'onmove', 'onmoveend', 'onmovestart', 'onpaste', 'onpropertychange', 'onreadystatechange', 'onreset', 'onresize', 'onresizeend', 'onresizestart', 'onrowenter', 'onrowexit', 'onrowsdelete', 'onrowsinserted', 'onscroll', 'onselect', 'onselectionchange', 'onselectstart', 'onstart', 'onstop', 'onsubmit', 'onunload');
    $ra = array_merge($ra1, $ra2);

    $found = true; // keep replacing as long as the previous round replaced something
    while ($found == true) {
        $val_before = $val;
        for ($i = 0; $i < sizeof($ra); $i++) {
            $pattern = '/';
            for ($j = 0; $j < strlen($ra[$i]); $j++) {
                if ($j > 0) {
                    // between any two letters of the keyword, allow an optional encoded
                    // tab/LF/CR (hex &#x9; &#xa; &#xd; or decimal &#9; &#10; &#13;)
                    $pattern .= '(';
                    $pattern .= '(&#[xX]0{0,8}(9|a|d);?)?';
                    $pattern .= '|(&#0{0,8}(9|10|13);?)?';
                    $pattern .= ')?';
                }
                $pattern .= $ra[$i][$j];
            }
            $pattern .= '/i';
            $replacement = substr($ra[$i], 0, 2).'<x>'.substr($ra[$i], 2); // add in <> to nerf the tag
            $val = preg_replace($pattern, $replacement, $val); // filter out the hex tags
        }
        // compare once per full round so every keyword gets a pass before we decide to stop
        if ($val_before == $val) {
            // no replacements were made in this round, so exit the loop
            $found = false;
        }
    }
    return $val;
}
```

When I copy and paste this entire information and place it in my general file as described above, my entire online store disappears. I might be missing something in the information above. Are they really saying to actually copy and paste that entire code? Is there something else special in that information that I am missing? Any help would be appreciated.

Thanks, K
germ Posted November 8, 2008

The code has one bad line:

```php
$search .= '~`";:?+/={}[]-_|'\';
```

I think it should be:

```php
$search .= '~`";:?+/={}[]-_|\'';
```

That worked on my site.

If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you. "Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice." - Me - "Headers already sent" - The definitive help "Cannot redeclare ..." - How to find/fix it SSL Implementation Help
So_Not_an_HTML_genius Posted November 9, 2008 (Author)

Hi germ, thank you for that input. After fixing that code line, I was successful in adding that code to my general.php without any issue to my store. However, when I got to the next step and added the next part to the application_top.php, once again after saving my store disappeared when I went to view it. Here is what is in the instructions for the second part:

open: catalog/includes/application_top.php

find:

```php
// define general functions used application-wide
require(DIR_WS_FUNCTIONS . 'general.php');
require(DIR_WS_FUNCTIONS . 'html_output.php');
```

Add below:

```php
if (!empty($_POST)) array_walk_recursive($_POST, 'RemoveXSS');
if (!empty($_GET)) array_walk_recursive($_GET, 'RemoveXSS');
if (!empty($_COOKIE)) array_walk_recursive($_COOKIE, 'RemoveXSS');
if (!empty($_SERVER)) array_walk_recursive($_SERVER, 'RemoveXSS');
if (!empty($_SESSION)) array_walk_recursive($_SESSION, 'RemoveXSS');
if (!empty($_REQUEST)) array_walk_recursive($_REQUEST, 'RemoveXSS');
```

Is there anything wacky here? Thanks again!

Kelly
germ Posted November 9, 2008

array_walk_recursive is a PHP 5 function. It won't work if your server isn't that version. :(
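A way to wire the add-on into application_top.php that also works on a server without array_walk_recursive(), as an added example (not the antixss add-on's or osCommerce's own code). It assumes RemoveXSS(&$val, $key) from the add-on is already loaded from general.php, as in the instructions above; walk_recursive_compat(), walk_leaves() and filter_request_input() are names chosen for this example. Calling a function that does not exist is a fatal error in PHP, which is the usual reason a page comes up blank, so the fallback checks with function_exists() first.

```php
<?php
// Added example, not part of the antixss add-on or of osCommerce.
// Assumes RemoveXSS(&$val, $key) from the add-on has already been loaded
// (in this thread it lives in catalog/includes/functions/general.php).
// walk_recursive_compat(), walk_leaves() and filter_request_input() are
// names chosen for this example.

// Stand-in for array_walk_recursive() on servers older than PHP 5:
// visits every non-array leaf of a nested array and calls
// $callback($value_by_reference, $key) on it.
function walk_recursive_compat(&$arr, $callback) {
    foreach (array_keys($arr) as $k) {
        if (is_array($arr[$k])) {
            walk_recursive_compat($arr[$k], $callback);
        } else {
            // pass the element by reference so the callback's edits reach
            // the original array, exactly as array_walk_recursive() does
            call_user_func_array($callback, array(&$arr[$k], $k));
        }
    }
}

// Uses the native function when the PHP version has it, the fallback otherwise.
function walk_leaves(&$arr, $callback) {
    if (function_exists('array_walk_recursive')) {
        array_walk_recursive($arr, $callback);
    } else {
        walk_recursive_compat($arr, $callback);
    }
}

// Replacement for the six array_walk_recursive() lines from the instructions.
// $_SESSION is deliberately not walked here: osCommerce keeps objects such as
// the shopping cart in the session, and running a string filter over them
// does more harm than good. $_SERVER is left alone for the same reason that
// the store's own code expects its values untouched.
function filter_request_input() {
    $sources = array(&$_GET, &$_POST, &$_COOKIE, &$_REQUEST);
    foreach (array_keys($sources) as $i) {
        if (!empty($sources[$i])) {
            walk_leaves($sources[$i], 'RemoveXSS');
        }
    }
}

filter_request_input();
```

One thing to keep in mind when relying on this add-on: RemoveXSS is a denylist applied to input, so it can only catch the tags and handlers on its lists. Escaping values at output time (osCommerce's tep_output_string() or plain htmlspecialchars() with ENT_QUOTES wherever user-supplied data is echoed into HTML) remains the primary protection, and the input filter is a second layer on top of it, not a replacement.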
So_Not_an_HTML_genius Posted November 9, 2008 (Author)

Well, that would make sense. Thank you again for the help. With all that I did to this point with my site I am now PCI compliant, so I am happy without this last bit for now.

-Kelly