views:

205

answers:

5

I'm getting a vulnerability alert from McAfee Secure saying that there is an XSS vulnerability on my site. The string they use to produce it is:

https://www.mywebsite.com/%3E%22%3E%3Cscript%3Ealert%28123%29%3C/script%3E%3C%22/www.mywebsite.com/my-product.html?ref=443%2Fanother%5Fpage%5Fon%5Fmy%5Fsite.php

I can't get the alert to display when submitting the URL, but McAfee swears it is a real vulnerability.

What's the best way to address that problem? I was thinking about using apache mod_rewrite to just rewrite all urls that contain the script tag. That said, I couldn't figure out how to write the expression to identify the tag.

A: 

Your proposed solution - prevent the script tag - is the obvious, naive, and incorrect solution to resolving cross site scripting problems. Please read the XSS FAQ by CGI Security ( http://www.cgisecurity.com/articles/xss-faq.shtml ). They do an excellent job explaining how XSS works and how to prevent it - and you really need to understand it before you can properly fix it.

atk
A: 

You can use the UrlEncode and UrlDecode methods to achieve that. You can google more about these items. Here is a link which will help you: http://php.net/manual/en/function.urlencode.php

Pradeep Kumar Mishra
A: 

Instead of trying to filter attack attempts, just make sure you always properly escape user input in your HTML. A query parameter is user input.

You do need to see how the inputs propagate, and escape right before display.

One thing to remember is that the escaping is different depending on the context it's displayed in. Some tips I find useful:

  • Appears inside HTML elements: use HTML escaping
  • Appears in an HTML element attribute: use HTML attribute escaping (can use HTML escaping as well, but attribute-only escaping is faster)
  • Appears in a JavaScript literal: encode with JSON to properly escape
orip
I'm familiar with escaping all post and get variables, but I guess I just don't understand how this vulnerability works. It is just part of the URL, so I don't understand how to filter it out. It seems like urlencode() is used when creating a URL, but that wouldn't prevent someone from creating their own URL. So what would I filter for and in which file? Thanks for your help!
What I'm saying is don't filter out anything, instead properly encode it when displaying on the page.
orip
A: 

It turns out that I had the following code that was echoing the URL inside the page.

<?php
// Vulnerable version: REQUEST_URI is echoed straight into an attribute value.
if (!empty($_SERVER['HTTPS'])) {
?>
<link rel="canonical" href="<?php echo HTTP_SERVER . $_SERVER['REQUEST_URI']; ?>" />
<?php
}
?>

I had forgotten to put htmlentities() around the request_uri. The following fixed it:

<?php
// Fixed version: the URI is HTML-escaped before it lands inside href="...".
// ENT_QUOTES also escapes single quotes, so the value is safe in either quote style.
if (!empty($_SERVER['HTTPS'])) {
?>
<link rel="canonical" href="<?php echo htmlentities(HTTP_SERVER . $_SERVER['REQUEST_URI'], ENT_QUOTES, 'UTF-8'); ?>" />
<?php
}
?>
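As an added example (not code from the question or from any of the answers), the same request URI run through one encoder per output context, covering both the canonical-link fix above and the context list from orip's answer. It assumes the scanner sends the `"` and `>` characters unencoded in the request line, so the raw form below is what reaches the template; `$uri` is constructed from the McAfee test string in the question.

```php
<?php
// Constructed input: the decoded form of the McAfee test URL from the question.
$uri = '/>"><script>alert(123)</script><"/my-product.html?ref=443/another_page_on_my_site.php';

// Context 1 and 2: HTML body text and quoted HTML attribute values.
// ENT_QUOTES escapes both " and ', so the value cannot close either quote style.
function enc_html(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Context 3: a JavaScript string literal inside a <script> block.
// json_encode alone leaves "</script>" intact, which ends the script block early;
// JSON_HEX_TAG turns < and > into \u003C / \u003E so that cannot happen.
function enc_js(string $s): string {
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// Context 4: a value placed inside a URL (query parameter or path segment).
function enc_url(string $s): string {
    return rawurlencode($s);
}

// The canonical <link> from the question, rendered unescaped and escaped.
$unsafe = '<link rel="canonical" href="https://www.mywebsite.com' . $uri . '" />';
$safe   = '<link rel="canonical" href="https://www.mywebsite.com' . enc_html($uri) . '" />';

echo $unsafe, PHP_EOL;   // the " in $uri closes href, > closes <link>, and a live <script> follows
echo $safe,   PHP_EOL;   // href="...&gt;&quot;&gt;&lt;script&gt;..." stays a single attribute value

// The same string handed to inline JavaScript, the wrong way and the right way.
echo '<script>var path = "' . $uri . '";</script>', PHP_EOL;       // </script> in $uri breaks out
echo '<script>var path = ' . enc_js($uri) . ';</script>', PHP_EOL;  // stays one string literal

// And as a query-string value, e.g. when building a redirect or a link.
echo 'https://www.mywebsite.com/track.php?next=' . enc_url($uri), PHP_EOL;
```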
A: 
function filter_url($url)
{
  if (is_array($url))
  {
    foreach ($url as $key => $value)
    {
      // recursion: filter nested arrays element by element
      $url[$key] = filter_url($value);
    }
    return $url;
  }
  else
  {
    // remove everything except for a-zA-Z0-9_.-&=
    $url = preg_replace('/[^a-zA-Z0-9_\.\-&=]/', '', $url);
    return $url;
  }
}

Now you can filter the $_GET like this:

$_GET = filter_url($_GET);

This will wipe out everything except for a-zA-Z0-9_.-&=. Of course you can enhance that function as per your needs.

Sarfraz