Terminum

Preventing XSS Attacks

I'm looking for an add-on that will prevent XSS attacks without diminishing functionality of the Administration Tool. I've read there are problems with Anti XSS, so I was considering [TiM's] Safer Database Input Method. But this says that it filters all HTML, and I would like to enter HTML in product descriptions through the administration tool.

[TiM's] Safer Database Input Method changes the following code from /catalog/includes/functions/database.php:

 function tep_db_input($string, $link = 'db_link') {
   global $$link;

   // Escape the string for use inside an SQL statement (SQL injection
   // protection only; nothing here touches HTML, so it does nothing for XSS).
   if (function_exists('mysql_real_escape_string')) {
     return mysql_real_escape_string($string, $$link);
   } elseif (function_exists('mysql_escape_string')) {
     return mysql_escape_string($string);
   }

   return addslashes($string);
 }

Replaced with:

 function tep_db_input($string, $link = 'db_link', $skip_stripping = false) {
   global $$link;

   // Strip HTML and PHP tags from string unless the caller passes
   // $skip_stripping = true, in which case the HTML is stored unchanged
   if (!$skip_stripping) $string = strip_tags($string);

   if (function_exists('mysql_real_escape_string')) {
     return mysql_real_escape_string($string, $$link);
   } elseif (function_exists('mysql_escape_string')) {
     return mysql_escape_string($string);
   }

   return addslashes($string);
 }

The README says:

If you for any reason want to store HTML in the database, make sure you manipulate the tep_db_input() command with the third optional parameter like the following.

This...

$example_query = tep_db_query("update myTable set column='". tep_db_input($var) ."' where this='that' limit 1;");

Becomes...

$example_query = tep_db_query("update myTable set column='". tep_db_input($var, 'db_link', true) ."' where this='that' limit 1;");

I'm not very familiar with SQL and I don't know what this means. I just want to be able to use HTML in product descriptions in the admin tool. Any ideas for what I should do?

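The contrib's $skip_stripping flag only decides whether markup is removed before the value is written to the database; it does not decide what happens when the value is printed back into a page, which is where XSS actually occurs. The PHP below is an added example for this thread, not osCommerce code and not part of the Safer Database Input Method contrib; the function names db_input_like_contrib(), html_text(), sanitize_description() and clean_node() are illustrative, the sample description is constructed, and it assumes PHP's bundled DOM extension and no database connection. It shows the three choices side by side: the contrib's default stripping, the skip flag (stored verbatim, event handler included), and an allow-list sanitizer that keeps the formatting tags a product description needs while dropping everything else, plus plain htmlspecialchars() encoding for fields that were never meant to hold HTML.

```php
<?php
// Added example; not osCommerce code and not the contrib's code. Function names are illustrative.
// It separates the two concerns the $skip_stripping flag mixes together:
//   1. escaping a value so it is safe inside an SQL string (what tep_db_input() does), and
//   2. deciding what HTML, if any, may come back out of the database onto a page.
// Requires PHP's DOM extension (ext-dom, bundled by default). No database connection needed.

// Stand-in for the contrib's tep_db_input(): strip tags unless told not to, then escape for SQL.
// addslashes() replaces the driver's escaping only because there is no live connection here;
// real code should use the driver's escape function or, better, prepared statements.
function db_input_like_contrib(string $string, bool $skip_stripping = false): string {
    if (!$skip_stripping) {
        $string = strip_tags($string);   // the contrib's default path: all markup removed before storage
    }
    return addslashes($string);
}

// Output encoding for fields that are plain text (customer names, search terms, e-mail addresses).
// Call this when printing such a field into HTML; it makes < > " ' & inert whatever was stored.
function html_text(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Allow-list sanitizer for fields meant to contain HTML (product descriptions). Only the listed
// elements survive; every attribute is dropped except href on <a>, kept only for http(s) URLs.
// Disallowed elements are unwrapped to their text; <script>/<style> are removed with their content.
function sanitize_description(string $html): string {
    $allowed = ['p', 'br', 'b', 'strong', 'i', 'em', 'ul', 'ol', 'li', 'a'];
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);
    // The leading XML declaration tells libxml the input is UTF-8; the wrapper div gives a known root.
    $doc->loadHTML('<?xml encoding="UTF-8"><div id="root">' . $html . '</div>', LIBXML_NONET);
    libxml_clear_errors();
    $root = $doc->getElementById('root');
    if ($root === null) {
        return '';
    }
    clean_node($root, $allowed);
    $out = '';
    foreach ($root->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

function clean_node(DOMNode $node, array $allowed): void {
    // Walk a static copy of the children, because the loop modifies the tree.
    foreach (iterator_to_array($node->childNodes, false) as $child) {
        if ($child instanceof DOMElement) {
            $tag = strtolower($child->tagName);
            if ($tag === 'script' || $tag === 'style') {
                $node->removeChild($child);                     // drop the element and its content
                continue;
            }
            if (!in_array($tag, $allowed, true)) {
                clean_node($child, $allowed);
                while ($child->firstChild !== null) {          // unwrap: keep children, lose the element
                    $node->insertBefore($child->firstChild, $child);
                }
                $node->removeChild($child);
                continue;
            }
            foreach (iterator_to_array($child->attributes, false) as $attr) {
                $keep = ($tag === 'a' && strtolower($attr->name) === 'href'
                         && preg_match('#^https?://#i', trim($attr->value)) === 1);
                if (!$keep) {
                    $child->removeAttribute($attr->name);
                }
            }
            clean_node($child, $allowed);
        } elseif (!($child instanceof DOMText)) {
            $node->removeChild($child);                         // comments and other non-text nodes
        }
    }
}

// Constructed sample: a description with legitimate markup plus an inline event handler,
// a javascript: link and a script block, of the kind a sanitizer must neutralise.
$desc = '<p>Blue <b onmouseover="alert(1)">widget</b>: <a href="javascript:alert(1)">specs</a> '
      . '<a href="https://example.com/spec">sheet</a></p><script>alert(1)</script>';

echo "contrib default (tags stripped):\n", db_input_like_contrib($desc), "\n\n";
echo "contrib with skip_stripping (stored verbatim, handler included):\n", db_input_like_contrib($desc, true), "\n\n";
echo "allow-list sanitized (formatting kept, handler, javascript: link and script gone):\n", sanitize_description($desc), "\n\n";
echo "plain-text field encoded for output:\n", html_text("O'Neil <b>bold</b>"), "\n";
```

Running it shows why the skip flag on its own does not answer the question in this thread: with $skip_stripping = true the onmouseover handler and the script block go into the database unchanged and come back out unchanged. Running the description through sanitize_description() before storing it (or before printing it) keeps the bold text and the https link while discarding the rest, so descriptions can hold HTML without giving up the protection. Note that strip_tags() with an allowed-tags list is not a substitute, because it leaves attributes on the tags it keeps; the DOM walk above removes them explicitly.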

If you make code changes on the catalog side they do not apply to admin.

But I would use the .htaccess method detailed in the contrib linked in this thread. And make sure you add the other security changes too.


Sam

Remember, what you think I meant may not be what I thought I meant when I said it.

Contributions:

Auto Backup your Database, Easy way
Multi Images with Fancy Pop-ups, Easy way
Products in columns with multi buy etc etc
Disable any Category or Product, Easy way
Secure & Improve your account pages et al.


If you make code changes on the catalog side they do not apply to admin.

Ha, thanks that's great. I'm working my way through your other post right now! Thanks for the help.
