forked from symphonycms/xssfilter
-
Notifications
You must be signed in to change notification settings - Fork 0
/
extension.driver.php
162 lines (135 loc) · 4.36 KB
/
extension.driver.php
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
<?php
Class Extension_XSSFilter extends Extension {
public function about() {
return array(
'name' => 'Cross-Site Scripting (XSS) Filter',
'version' => '1.1.1',
'release-date' => '2012-05-21',
'author' => array(
'name' => 'Symphony Team',
'website' => 'http://symphony-cms.com/',
'email' => '[email protected]'
),
'description' => 'Protect yourself against XSS attacks in form submissions.'
);
}
public function getSubscribedDelegates() {
return array(
array(
'page' => '/blueprints/events/new/',
'delegate' => 'AppendEventFilter',
'callback' => 'appendEventFilter'
),
array(
'page' => '/blueprints/events/edit/',
'delegate' => 'AppendEventFilter',
'callback' => 'appendEventFilter'
),
array(
'page' => '/frontend/',
'delegate' => 'EventPreSaveFilter',
'callback' => 'eventPreSaveFilter'
),
);
}
public function appendEventFilter(array $context) {
$context['options'][] = array(
'xss-fail',
is_array($context['selected']) ? in_array('xss-fail', $context['selected']) : false,
'Filter XSS: Fail if malicious input is detected'
);
}
public function eventPreSaveFilter(array $context) {
if(!in_array('xss-fail', $context['event']->eParamFILTERS) && !in_array('xss-remove', $context['event']->eParamFILTERS)) return;
$contains_xss = FALSE;
// Loop over the fields to check for XSS, this loop will
// break as soon as XSS is detected
foreach($context['fields'] as $field => $value) {
if(is_array($value)) {
if(self::detectXSSInArray($value) === FALSE) continue;
$contains_xss = TRUE;
break;
}
else {
if(self::detectXSS($value) === FALSE) continue;
$contains_xss = TRUE;
break;
}
}
// "fail" filter
if(in_array('xss-fail', $context['event']->eParamFILTERS) && $contains_xss === TRUE) {
$context['messages'][] = array(
'xss', FALSE, __("Possible XSS attack detected in submitted data")
);
}
}
/**
* A utility function to manage nested array structures, checking
* each value for possible XSS. Function returns boolean if XSS is
* found.
*
* @param array $array
* An array of data to check, this can be nested arrays.
* @return boolean
* True if XSS is detected, false otherwise
*/
public static function detectXSSInArray(array $array) {
foreach($array as $value) {
if(is_array($value)) {
return self::detectXSSInArray($value);
}
else {
if(self::detectXSS($value) === TRUE) return TRUE;
}
}
return FALSE;
}
/**
* Given a string, this function will determine if it potentially an
* XSS attack and return boolean.
*
* @param string $string
* The string to run XSS detection logic on
* @return boolean
* True if the given `$string` contains XSS, false otherwise.
*/
public static function detectXSS($string) {
$contains_xss = FALSE;
// Skip any null or non string values
if(is_null($string) || !is_string($string)) {
return $contains_xss;
}
// Keep a copy of the original string before cleaning up
$orig = $string;
// URL decode
$string = urldecode($string);
// Convert Hexadecimals
$string = preg_replace('!(&#|\\\)[xX]([0-9a-fA-F]+);?!e','chr(hexdec("$2"))', $string);
// Clean up entities
$string = preg_replace('!(�+[0-9]+)!','$1;',$string);
// Decode entities
$string = html_entity_decode($string, ENT_NOQUOTES, 'UTF-8');
// Strip whitespace characters
$string = preg_replace('!\s!','',$string);
// Set the patterns we'll test against
$patterns = array(
// Match any attribute starting with "on" or xmlns
'#(<[^>]+[\x00-\x20\"\'\/])(on|xmlns)[^>]*>?#iUu',
// Match javascript:, livescript:, vbscript: and mocha: protocols
'!((java|live|vb)script|mocha|feed|data):(\w)*!iUu',
'#-moz-binding[\x00-\x20]*:#u',
// Match style attributes
'#(<[^>]+[\x00-\x20\"\'\/])style=[^>]*>?#iUu',
// Match unneeded tags
'#</*(applet|meta|xml|blink|link|style|script|embed|object|iframe|frame|frameset|ilayer|layer|bgsound|title|base)[^>]*>?#i'
);
foreach($patterns as $pattern) {
// Test both the original string and clean string
if(preg_match($pattern, $string) || preg_match($pattern, $orig)){
$contains_xss = TRUE;
}
if ($contains_xss === TRUE) return TRUE;
}
return FALSE;
}
}