StackOverflow2013

Note that there are some explanatory texts on larger screens.

plurals

POphp security function to filter our malicious code is stripping out legit characters
text
Body
copied!<p>I have a security function which is part of a script. It's supposed to filter out malicious code from being executed in an input form. It works without a problem with normal characters from A-Z, but it rejects inputs with characters such as á, ñ, ö, etc.</p> <p>What can I do so that form inputs with these characters are not rejected? Here is the function:</p> <pre><code>function add_special_chars($string, $no_quotes = FALSE) { $patterns = array( "/(?i)javascript:.+>/", "/(?i)vbscript:.+>/", "/(?i)<img.+onload.+>/", "/(?i)<body.+onload.+>/", "/(?i)<layer.+src.+>/", "/(?i)<meta.+>/", "/(?i)<style.+import.+>/", "/(?i)<style.+url.+>/" ); $string = str_ireplace("&amp;","&",$string); if (!$no_quotes) $string = str_ireplace("&#039;","'",$string); $string = str_ireplace('&quot;','"',$string); $string = str_ireplace('&lt;','<',$string); $string = str_ireplace('&gt;','>',$string); $string = str_ireplace('&nbsp;',' ',$string); foreach ($patterns as $pattern) { if(preg_match($pattern, $string)) { $string = strip_tags($string); } } $string = preg_replace('#(&\#*\w+)[\x00-\x20]+;#u', "$1;", $string); $string = preg_replace('#(&\#x*)([0-9A-F]+);*#iu', "$1$2;", $string); $string = html_entity_decode($string, ENT_COMPAT, LANG_CODEPAGE); $string = preg_replace('#(<[^>]+[\x00-\x20\"\'\/])(on|xmlns)[^>]*>#iUu', "$1>", $string); $string = preg_replace('#([a-z]*)[\x00-\x20\/]*=[\x00-\x20\/]*([\`\'\"]*)[\x00-\x20\/]*j[\x00-\x20]*a[\x00-\x20]*v[\x00-\x20]*a[\x00-\x20]*s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:#iUu', '$1=$2nojavascript...', $string); $string = preg_replace('#([a-z]*)[\x00-\x20\/]*=[\x00-\x20\/]*([\`\'\"]*)[\x00-\x20\/]*v[\x00-\x20]*b[\x00-\x20]*s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:#iUu', '$1=$2novbscript...', $string); $string = preg_replace('#([a-z]*)[\x00-\x20\/]*=[\x00-\x20\/]*([\`\'\"]*)[\x00-\x20\/]*-moz-binding[\x00-\x20]*:#Uu', '$1=$2nomozbinding...', $string); $string = preg_replace('#([a-z]*)[\x00-\x20\/]*=[\x00-\x20\/]*([\`\'\"]*)[\x00-\x20\/]*data[\x00-\x20]*:#Uu', '$1=$2nodata...', $string); $string = preg_replace('#(<[^>]+[\x00-\x20\"\'\/])style[^>]*>#iUu', "$1>", $string); $string = preg_replace('#</*\w+:\w[^>]*>#i', "", $string); do { $original_string = $string; $string = preg_replace('#</*(applet|meta|xml|blink|link|embed|object|iframe|frame|frameset|ilayer|layer|bgsound|title|base)[^>]*>#i', "", $string); } while ($original_string != $string); return $string; } </code></pre> <p>UPDATE: I found that the following line seems to be causing the problem, but not sure why:</p> <pre><code> $string = preg_replace('#(<[^>]+[\x00-\x20\"\'\/])style[^>]*>#iUu', "$1>", $string); </code></pre>

Querying!

Guidance

An individual column

Larger individual text columns get their own page to allow for proper reading.

SQuiL has stopped working due to an internal error.

If you are curious you may find further information in the browser console, which is accessible through the devtools (F12).

Reload