How to prevent XSS via URL?

Question

I'm familiar with the usual persistent XSS, where content coming from user input should be escaped on the way out to the templates (html entities).

Recently, I encountered a non-persistent one, where a user can just send in the script on the URL where the URL is displayed somewhere on the page. In my case, it was a link tag.

So I have the following link tag that uses the current URL.

<link rel="next" href="{current_url}" />

The problem is when someone sends a link such as:

www.example.com/?%27;alert...

It could be a %27 (single quote) and %22 (double quote) that will close the tag, therefore allowing the user to input scripts, etc.

I know the usual way of preventing XSS would be to use html entities. In this case, won't this break the URL? Is it possible to use url encode instead?

Btw, I'm using PHP and would prefer to use native functions.

Answer 1

I know you said you preferred native functions, but I have generally been able to find ways to beat most solutions. This library, however, definitely does the job. It is a little slow if you run a ton of executions (> 1000 per request would slow your page down).

http://htmlpurifier.org/

Answer 2

All content coming from users should be escaped, whether from the URL or from the database. In this case, you'll just do URL encoding instead of HTML entities. It's possible your templating engine is already smart enough to do this for values going into HTML attributes.

Answer 3

Like this: Check this answer, it's the one with the function below: XSS filtering function in PHP

 function xss_clean($data)
    {
        /*
         * Function to clean a string to prevent XSS attack.
         */

        // Fix &entity\n;
        $data = str_replace(array('&','<','>'), array('&','<','>'), $data);
        $data = preg_replace('/(&#*\w+)[\x00-\x20]+;/u', '$1;', $data);
        $data = preg_replace('/(&#x*[0-9A-F]+);*/iu', '$1;', $data);

        // decode
        $data = html_entity_decode($data, ENT_COMPAT, 'UTF-8');

        // Remove any attribute starting with "on" or xmlns
        $data = preg_replace('#(<[^>]+?[\x00-\x20"\'])(?:on|xmlns)[^>]*+>#iu', '$1>', $data);

        // Remove javascript: and vbscript: protocols
        $data = preg_replace('#([a-z]*)[\x00-\x20]*=[\x00-\x20]*([`\'"]*)[\x00-\x20]*j[\x00-\x20]*a[\x00-\x20]*v[\x00-\x20]*a[\x00-\x20]*s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:#iu', '$1=$2nojavascript...', $data);
        $data = preg_replace('#([a-z]*)[\x00-\x20]*=([\'"]*)[\x00-\x20]*v[\x00-\x20]*b[\x00-\x20]*s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:#iu', '$1=$2novbscript...', $data);
        $data = preg_replace('#([a-z]*)[\x00-\x20]*=([\'"]*)[\x00-\x20]*-moz-binding[\x00-\x20]*:#u', '$1=$2nomozbinding...', $data);

        // Only works in IE: <span style="width: expression(alert('Ping!'));"></span>
        $data = preg_replace('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?expression[\x00-\x20]*\([^>]*+>#i', '$1>', $data);
        $data = preg_replace('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?behaviour[\x00-\x20]*\([^>]*+>#i', '$1>', $data);
        $data = preg_replace('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:*[^>]*+>#iu', '$1>', $data);

        // Remove namespaced elements (we do not need them)
        $data = preg_replace('#</*\w+:\w[^>]*+>#i', '', $data);

        do
        {
            // Remove really unwanted tags
            $old_data = $data;
            $data = preg_replace('#</*(?:applet|b(?:ase|gsound|link)|embed|frame(?:set)?|i(?:frame|layer)|l(?:ayer|ink)|meta|object|s(?:cript|tyle)|title|xml)[^>]*+>#i', '', $data);
        }
        while ($old_data !== $data);

        // we are done...
        return $data;
    }