
I want to create an XSS filter for my own project; this is for HTML event filtering:

preg_replace("/ on\w+='[^']*'/i", '', preg_replace('/ on\w+="[^"]*"/i', '', $framed)); 

But considering a more effective way, I think this would clear unquoted attributes more effectively, like this:

preg_replace('/on\w+=/i', '', $framed); 

But I think there might be another way that is more effective?

    1 Answer

    Correctly filtering XSS from input is pretty hard. Most XSS filters can be bypassed by modifying the payload. For example, the following HTML will pass through your XSS filter:

    <h1 onmouseover =alert`XSS`>Test</h1> 

    Because there is a space between onmouseover and =, your regex doesn't match. Another possible bypass is this:

    <h1 oonmouseover=nmouseover=alert`XSS`>Test</h1> 

    The occurrence of onmouseover= will be removed once, leaving the following:

    <h1 onmouseover=alert`XSS`>Test</h1> 

    One possibility is to use HTML Purifier, a library that is pretty good at cleaning up XSS. But the real solution against XSS is output encoding, so that when a user enters <script>alert(1), it just appears on the webpage as <script>alert(1) instead of being parsed as HTML.

    • I would think I could just filter the HTML event and replace it with a string rather than deleting it natively. Commented Mar 7, 2019 at 12:11
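To make the answer's point concrete, here is an added example (not code from the asker or the answerer) that runs the question's stripping regexes against the two bypass payloads above and shows that output encoding with htmlspecialchars() renders every variant harmless; the sample inputs are constructed from the question and answer.

```php
<?php
// Added example: the question's event-handler filters versus output encoding.

function stripEventHandlers(string $html): string {
    // The three regexes from the question, applied in sequence.
    $html = preg_replace('/ on\w+="[^"]*"/i', '', $html);
    $html = preg_replace("/ on\w+='[^']*'/i", '', $html);
    return preg_replace('/on\w+=/i', '', $html);
}

function encodeForHtml(string $text): string {
    // Encode <, >, &, " and ' so the browser displays the input literally
    // instead of parsing it as markup. This is the approach the answer recommends.
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function handlerSurvives(string $html): bool {
    // Defensive check: does an attribute named on... still precede an "="?
    return preg_match('/\son\w+\s*=/i', $html) === 1;
}

// Constructed inputs: a quoted handler the filter does catch, plus the two
// bypasses from the answer (space before "=", and a nested handler name).
$samples = [
    '<h1 onmouseover="alert(1)">Test</h1>',
    '<h1 onmouseover =alert`XSS`>Test</h1>',
    '<h1 oonmouseover=nmouseover=alert`XSS`>Test</h1>',
];

foreach ($samples as $input) {
    $stripped = stripEventHandlers($input);
    printf("input:    %s\nstripped: %s (handler survives: %s)\nencoded:  %s\n\n",
        $input,
        $stripped,
        handlerSurvives($stripped) ? 'yes' : 'no',
        encodeForHtml($input));
}
```

Only the first sample is neutralised by stripping; the second is untouched because the regex requires "=" immediately after the name, and the third is reduced to a working handler after a single pass, while the encoded form of all three is inert text.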
