
Contact Form input filtering

Checking through my contact form, I have found cross-site scripting vulnerabilities but don't have enough knowledge of how to fix this.

Affected Parameter: name
Vector Used: ">alert(document.cookie)
Pattern found: \\">alert(document.cookie)
Complete Attack: /http://##################/contact.php [name=\\">alert(document.cookie) &email= &message=]

Affected Parameter: email
Vector Used: ">alert(document.cookie)
Pattern found: \\">alert(document.cookie)
Complete Attack: /http://##################/contact.php [name= &email=\\">alert(document.cookie) &message=]

Affected Parameter: message
Vector Used: ">alert(document.cookie)
Pattern found: \\">alert(document.cookie)
Complete Attack: /http://##################/contact.php [name= &email= &message=\\">alert(document.cookie)]

My current form code looks like this:

<?php 
if (isset($_POST['submit'])) { 
    $error = ""; 

    if (!empty($_POST['name'])) { 
        $name = $_POST['name']; 
        if (!preg_match('/^[a-zA-Z0-9]+$/i', $name)){  
            $error .= "The name you entered is not valid. <br/>"; 
        } 
    } else { 
        $error .= "You didn't type in your name. <br />"; 
    } 

    if (!empty($_POST['email'])) { 
        $email = $_POST['email']; 
        if (!preg_match("/^[_a-z0-9]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$/i", $email)){  
            $error .= "The e-mail address you entered is not valid. <br/>"; 
        } 
    } else { 
        $error .= "You didn't type in an e-mail address. <br />"; 
    } 

    if (!empty($_POST['messagesubject'])) { 
        $messagesubject = $_POST['messagesubject']; 
    } else { 
        $error .= "You didn't type in a subject. <br />"; 
    } 

    if (!empty($_POST['message'])) { 
        $message = $_POST['message']; 
    } else { 
        $error .= "You didn't type in a message. <br />"; 
    } 

    if(($_POST['code']) == $_SESSION['code']) {  
        $code = $_POST['code']; 
    } else {  
        $error .= "The captcha code you entered does not match. Please try again. <br />";     
    } 

    if (empty($error)) { 
        $from = 'From: ' . $name . ' <' . $email . '>'; 
        $to = "aaron@fosternetwork.co.uk"; 
        $subject = strip_tags("CWS - Contact Us - \n" . $messagesubject); 
        $content = strip_tags("Name: " . $name . "\nSubject: " . $messagesubject . "\nMessage: \n" . $message); 
        $success = "<h2>Thank you! <span>Your message has been sent!</span></h2>"; 
        mail($to,$subject,$content,$from); 
        $emailSent = true; 
    } 
} 
?> 

Form

<form action="contact.php" method="post"> 

    <label>Name:</label> 
    <input type="text" name="name" value="<?php if ($_POST['name']) { echo $_POST['name']; } ?>" /> 

    <label>Email:</label> 
    <input type="text" name="email" value="<?php if ($_POST['email']) { echo $_POST['email']; } ?>" /> 

    <label>Subject:</label> 
    <input type="text" name="messagesubject" value="<?php if ($_POST['messagesubject']) { echo $_POST['messagesubject']; } ?>" /> 

    <label>Message:</label><br /> 
    <textarea name="message" rows="20" cols="20"><?php if ($_POST['message']) { echo $_POST['message']; } ?></textarea> 

    <label>Please input the following code: <img src="captcha.php"></label> 
    <input type="text" name="code"> <br />  

    <button type="submit" class="colorButton" name="submit" value="Send message">Send Message</button> 

</form>

Any help is really appreciated.

Your HTML generation has a flaw in it:

 value="<?php if ($_POST['name']) { echo $_POST['name']; } ?>"

You should always escape your output variables, i.e.:

 value="<?php if ($_POST['name']) { echo htmlspecialchars($_POST['name']); } ?>"

See also: htmlspecialchars() or htmlentities()

Never trust user input; someone can insert JavaScript code that can harm your system or things like that. That's why you are vulnerable to cross-site scripting. Sanitize the inputs that are posted with this function:

function xss_protect($data, $strip_tags = false, $allowed_tags = "\"\'") {
    if ($strip_tags) {
        $data = strip_tags($data, $allowed_tags . "<b>");
    }

    if (stripos($data, "script") !== false) {
        $result = str_replace("script", "scr<b></b>ipt", htmlentities($data, ENT_QUOTES, "UTF-8"));
    } else {
        $result = htmlentities($data, ENT_QUOTES, "UTF-8");
    }

    return $result;
}

To use the function, for instance:

$code = xss_protect($_POST['code']); 
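Both answers above come down to the same rule: encode at the HTML sink. The following is an added example, not code from the question or from either answer. It renders the name field the way the question's template does and the way the answers recommend, then feeds both through a small DOM-based check using the scanner's own probe string `">alert(document.cookie)` as a constructed input. The function names (`render_unescaped`, `render_escaped`, `esc`, `value_stays_in_attribute`) are mine.

```php
<?php
// Added example, not code from the question or either answer above. It
// compares the form's current attribute rendering with the escaped version
// the answers recommend, using the scanner's own probe string
// ">alert(document.cookie) as a constructed input.
declare(strict_types=1);

// Mirrors the original template: the submitted value is interpolated raw.
function render_unescaped(string $field, string $value): string
{
    return '<input type="text" name="' . $field . '" value="' . $value . '" />';
}

// The fix: escape at the HTML sink. ENT_QUOTES covers both " and ', so the
// value cannot terminate a single- or double-quoted attribute; the charset
// argument must match the page's declared encoding.
function esc(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_escaped(string $field, string $value): string
{
    return '<input type="text" name="' . $field . '" value="' . esc($value) . '" />';
}

// Structural check a practitioner can run over any template output: parse
// the markup and confirm it still contains exactly one <input>, nothing
// else, and that the value attribute is the entire submitted string. If the
// string broke out of the attribute, the parser sees extra nodes or a
// truncated value and the check fails.
function value_stays_in_attribute(string $html, string $submitted): bool
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);
    $doc->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>');
    libxml_clear_errors();

    $body   = $doc->getElementsByTagName('body')->item(0);
    $inputs = $doc->getElementsByTagName('input');

    return $inputs->length === 1
        && $body->childNodes->length === 1
        && $inputs->item(0)->getAttribute('value') === $submitted;
}

$probe = '">alert(document.cookie)';   // constructed; same string the scanner used

foreach (['unescaped' => 'render_unescaped', 'escaped' => 'render_escaped'] as $label => $renderer) {
    $html  = $renderer('name', $probe);
    $state = value_stays_in_attribute($html, $probe) ? 'intact' : 'broken out of attribute';
    echo str_pad($label, 10), ': ', $state, PHP_EOL, '  ', $html, PHP_EOL;
}
```

Run it with `php` on the command line. The unescaped renderer produces an `<input>` with an empty `value` followed by loose text, which is exactly the break-out the scanner reported; the escaped renderer yields one element whose decoded `value` equals the submitted string, because `&quot;` and `&gt;` are data to the parser, not markup.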

You should use some good programming practices, for instance:

Initialize your variables; that way you always have something to print. Otherwise, when debugging, you will get a lot of simple but annoying errors about that.

$name = false;
$email = false;
$message = false;
$messagesubject = false;

Modify your data only if you are getting new values, for instance from $_POST as in your case. If you do it this way, your script avoids some work when there is no data for a specific field, and you can more easily control the flow of your script and the validation of the data.

if ( isset( $_POST['name'] ) !== false ) {
    // validate the content
    $name = process_you_choose_to_clean( $_POST['name'] );
}
if ( isset( $_POST['email'] ) !== false ) {
    // validate the content
    $email = process_you_choose_to_clean( $_POST['email'] );
}
if ( isset( $_POST['message'] ) !== false ) {
    // validate the content
    $message = process_you_choose_to_clean( $_POST['message'] );
}
if ( isset( $_POST['messagesubject'] ) !== false ) {
    // validate the content
    $messagesubject = process_you_choose_to_clean( $_POST['messagesubject'] );
}

Try to avoid messy code in your HTML part; something like this works perfectly if you took care of the things I mentioned before:

<input type="text" name="name" value="<?php { echo( $name ); } ?>" />

About sanitizing, consider the options mentioned, plus use the filter_var options of PHP.
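Putting the three points of this answer together (initialised variables, reading $_POST only when a key is present, validation with filter_var) with the output escaping from the first answer, here is an added example of a complete handler. It is not the answer's code: `process_you_choose_to_clean()` is replaced by explicit per-field checks, the name rule is the question's own regex, and the length limits, the `present()`/`validate_contact()`/`field()` names and the sample submissions are my assumptions.

```php
<?php
// Added example, not the answer's code: one handler that applies the advice
// above end to end. Every field starts initialised, $_POST is read only when
// the key is present, validation goes through filter_var(), and escaping is
// done once at output in field().
declare(strict_types=1);

const NAME_PATTERN = '/^[a-zA-Z0-9]+$/';   // the question's own name rule
const MAX_SUBJECT  = 200;                  // assumed limits, not from the page
const MAX_MESSAGE  = 5000;

// Mirrors the question's !empty() checks, but also rejects non-string values
// (e.g. name[]=x submitted as an array).
function present(array $post, string $key): bool
{
    return isset($post[$key]) && is_string($post[$key]) && trim($post[$key]) !== '';
}

// Returns ['fields' => [...], 'errors' => [...]]. Every field key always
// exists (initialised to ''), so the template can print them on a first
// GET without undefined-index notices. Raw values are kept so the form can
// be re-populated; they are escaped only when rendered.
function validate_contact(array $post): array
{
    $fields = ['name' => '', 'email' => '', 'messagesubject' => '', 'message' => ''];
    $errors = [];

    if (present($post, 'name')) {
        $fields['name'] = trim($post['name']);
        if (filter_var($fields['name'], FILTER_VALIDATE_REGEXP,
                ['options' => ['regexp' => NAME_PATTERN]]) === false) {
            $errors[] = 'The name you entered is not valid.';
        }
    } else {
        $errors[] = "You didn't type in your name.";
    }

    if (present($post, 'email')) {
        $fields['email'] = trim($post['email']);
        if (filter_var($fields['email'], FILTER_VALIDATE_EMAIL) === false) {
            $errors[] = 'The e-mail address you entered is not valid.';
        }
    } else {
        $errors[] = "You didn't type in an e-mail address.";
    }

    if (present($post, 'messagesubject')) {
        // a single-line text input: fold any line breaks into spaces
        $fields['messagesubject'] = str_replace(["\r", "\n"], ' ', trim($post['messagesubject']));
        if (strlen($fields['messagesubject']) > MAX_SUBJECT) {
            $errors[] = 'The subject is too long.';
        }
    } else {
        $errors[] = "You didn't type in a subject.";
    }

    if (present($post, 'message')) {
        $fields['message'] = trim($post['message']);
        if (strlen($fields['message']) > MAX_MESSAGE) {
            $errors[] = 'The message is too long.';
        }
    } else {
        $errors[] = "You didn't type in a message.";
    }

    return ['fields' => $fields, 'errors' => $errors];
}

// The only place a submitted value meets HTML; call it wherever the
// template echoes a field into an attribute or element body.
function field(array $fields, string $key): string
{
    return htmlspecialchars($fields[$key] ?? '', ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed submissions: the scanner's probe in every parameter, then a valid one.
$probe   = '">alert(document.cookie)';
$hostile = validate_contact(['name' => $probe, 'email' => $probe,
                             'messagesubject' => $probe, 'message' => $probe]);
$valid   = validate_contact(['name' => 'Aaron', 'email' => 'aaron@example.com',
                             'messagesubject' => 'Hello', 'message' => 'Just saying hi.']);

echo 'hostile errors: ', implode(' ', $hostile['errors']), PHP_EOL;
echo 'hostile name as re-rendered: value="', field($hostile['fields'], 'name'), '"', PHP_EOL;
echo 'valid errors: ', count($valid['errors']), PHP_EOL;
```

Note the separation of concerns: validation decides whether the message is sent, while `field()` decides how a value is displayed. The probe fails validation for name and e-mail, but even for subject and message, where it passes, the re-rendered attribute is inert because the escaping does not depend on what the validator accepted.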
