How to Fix a XSS Vulnerability in PHP Source CodesInformation
These functions clean up the HTML tags, so is not possible inject into the code.
The function more used is htmlspecialchars() that transmutes all the characters "<" and ">" into "<" and ">".
Another option is htmlentities(), which replaces all the characters in the corresponding entities.
// This page shows an example
// of the differences in output between 2 functions
$input = '<script>alert(1);</script>';
echo htmlspecialchars($input) . '<br />';
An example of htmlentities()
$str = "A 'quote' is <b>bold</b>";
echo htmlentities($str, ENT_QUOTES);
The first show --> A 'quote' is <b>bold</b>
The second --> A 'quote' is <b>bold</b>
An example of htmlspecialchars()
$new = htmlspecialchars("<a href='test'>Test</a>", ENT_QUOTES);
This show --> <a href='test'>Test</a>
The funztion strip_tags(), instead, deletes all HTML elements, except certain elements that need to specify permitted such as <i>, <b> or <p>.
An example of strip_tags()
$text = '<p>Test paragraph.</p><!-- Comment --> Other text';
// allow <p>
echo strip_tags($text, '<p>');
Now that we know at least that there are these functions, we will to apply into the code when we find a xss in our web application.
I have recently found a xss on my website in Video section of GoogleBig which is a plugin of Mybb forum, I have placed a piece of code to make the idea of how I had to apply the function to fix the search bug.
First of all I have found the php page in question: search.php
Now let's look for the portion of code that makes available research, query and output the result of the query:
function search($query, $page)
global $db, $bgcolor2, $bgcolor4, $sitename, $io_db, $module_url, $list_page_items, $hm_index;
$option = trim($option);
$query = trim($query);
$query = FixQuotes(nl2br(filter_text($query)));
In this case the variable that passes the values is $query then we apply the function htmlentities():
$query = FixQuotes(nl2br(filter_text(htmlentities($query))));
If you have problems you can post here, or consult the manuals on these 3 php functions that we saw:
The following guide can be used freely on any site without changes including copyright.