A better XSS trap (Feedback wanted)

Hej everybody,

I built something I'd like to have feedback on. Looking at all the
template engines out there made me think.

I have two main requirements:
 - use PHP as the template language
 - effective XSS prevention without betting on discipline

Plain PHP only satisfies the first. I also couldn't find a PHP template
engine that satisfies both. (Savant doesn't.)

So here is my own minimal solution and I would like to know your
opinion. Also, if anybody has seen something like it out there, please
point me to it.

The Idea:
Automatically wrap every output string into a Decorator object, which
offers filtering methods like htmlentities. This also means intercepting
access to strings contained in Arrays and Objects in order to decorate them.

The code:
http://code.google.com/p/cvphplib/source/browse/trunk/cvphplib/
svn checkout http://cvphplib.googlecode.com/svn/trunk/cvphplib/

Example usage:
// first a simple string
<? $string = CV_OutputFilter::filter( '<marquee>evil</marquee>' ); ?>
<?=$string?> triggers an error
<?=$string->htmlentities()?> works fine
<?=$string->urlencode()?>    works fine
<?=$string->raw()?> outputs the unfiltered value

// extracting a bunch of filtered variables into the local scope
<?php
$vars = array( 'x'=>5, 'o'=>new O(), 'array' => array('<i>'=>'<b>') );
extract( CV_OutputFilter::filter($vars)->toArray() );
?>

// access to object members
<?=$o->var?> triggers an error
<?=$o->method()?> triggers an error
<?=$o->var->htmlentities()?> works fine
<?=$o->method()->htmlentities()?> works fine

// access to array elements
<?=$array['<i>']?> triggers an error
<?=$array['<i>']->htmlentities()?> works fine

// Iterating over an array
<? foreach( $array as $value ){} ?> works fine
<? foreach( $array as $key => $value ){} ?> throws an exception, because
$key would not be filtered in this case

// decorating array keys requires some iterator magic
<? foreach( $array->key_as($key) as $value ): ?>
	<?=$key->htmlentities()?>: <?=$value->htmlentities()?> <br/>
<? endforeach; ?>


Problems:
 - potentially slow (due to many object instantiations and reflection)

Benefits:
 - effective XSS prevention without betting on discipline
 - template-engine-like variable extraction into local scope
 - clean and short syntax
 - very little to learn

Functionality already implemented, but not shown in the example:
 - register custom filter methods
 - enable __toString() with custom default filter
 - use tuple array(key,value) for $value instead of 'key_as'-magic
 - register custom filter applied on keys in ->toArray()
 - decoration of multidimensional arrays and webs of object references

More example code:
http://code.google.com/p/cvphplib/source/browse/trunk/cvphplib/examples/exampleOutputFilter.php
http://code.google.com/p/cvphplib/source/browse/trunk/cvphplib/tests/CV/Test_OutputFilter.php

So what do you think?

Best regards

Christopher
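An added sketch of the decorator idea described above, to make the discussion concrete; this is my own illustration, not the cvphplib code, and the class names SafeString, SafeArray and SafeObject are invented. It assumes PHP 8 (constructor promotion, match) and, unlike the original, handles `foreach ($a as $k => $v)` by wrapping the keys instead of throwing.

```php
<?php
// Added sketch of the decorator idea; hypothetical class names, not cvphplib.
final class SafeString {
    public function __construct(private string $value) {}
    // The template must pick an explicit filter to get a plain string out.
    public function htmlentities(): string {
        return htmlentities($this->value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
    public function urlencode(): string { return rawurlencode($this->value); }
    public function raw(): string { return $this->value; } // deliberate, greppable opt-out
    // A bare echo of the object lands here: fail closed instead of emitting raw markup.
    public function __toString(): string {
        throw new LogicException('unfiltered output: call ->htmlentities() (or ->raw())');
    }
}
final class SafeObject {
    public function __construct(private object $target) {}
    public function __get(string $name): mixed { return SafeArray::wrap($this->target->$name); }
    public function __call(string $name, array $args): mixed {
        return SafeArray::wrap($this->target->$name(...$args));
    }
}
final class SafeArray implements ArrayAccess, IteratorAggregate {
    public function __construct(private array $items) {}
    public static function wrap(mixed $v): mixed {
        return match (true) {
            is_array($v)  => new self($v),
            is_string($v) => new SafeString($v),
            is_object($v) => new SafeObject($v),
            default       => $v, // int/float/bool/null carry no markup
        };
    }
    public function offsetGet(mixed $key): mixed { return self::wrap($this->items[$key]); }
    public function offsetExists(mixed $key): bool { return isset($this->items[$key]); }
    public function offsetSet(mixed $k, mixed $v): void { throw new LogicException('read-only'); }
    public function offsetUnset(mixed $k): void { throw new LogicException('read-only'); }
    // Keys are wrapped as well, so foreach ($a as $k => $v) cannot leak a raw key.
    public function getIterator(): Generator {
        foreach ($this->items as $k => $v) { yield new SafeString((string)$k) => self::wrap($v); }
    }
}
// Constructed sample data standing in for untrusted input.
$vars = SafeArray::wrap(['title' => '<marquee>evil</marquee>', 'tags' => ['<i>' => '<b>']]);
echo $vars['title']->htmlentities(), "\n";
foreach ($vars['tags'] as $k => $v) { echo $k->htmlentities(), ': ', $v->htmlentities(), "\n"; }
try { echo $vars['title']; }                                // forgot the filter
catch (LogicException $e) { echo 'blocked: ', $e->getMessage(), "\n"; }
```

The last statement is the point of the design: an output that forgets the filter fails at render time rather than shipping unescaped markup, and `->raw()` is the only way to opt out, which makes it easy to review.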



-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

