views: 28
answers: 2

I have a log function on my admin panel that checks user input for being correct and, if not correct, writes it to a log file. This log file is written to the admin when logged in.

I was testing my site for vulnerabilities, and I managed to fully exploit my server using an XSS hole. I tried to filter logged input by checking the input through this function:

// Flags logged input that looks like XSS. Note: in PHP the leading "[" and
// trailing "]" are taken as the pattern delimiters, so PCRE compiles
// <>(%[0-9a-fA-F]{2}+), i.e. the literal text "<>" then "%" and two hex digits.
function isXSS($in){
    return preg_match("[<>(%[0-9a-fA-F]{2}+)]", $in) == 1;
}

but that would either paranoidly mark everything as a loathed XSS worm, or ignore common XSS injections. I think that the problem is the + quantifier, but I have heard that other PHP regexes allow this.

+2  A: 

What's wrong with good old htmlspecialchars? I see why you might want to track potentially malicious users, but if you're investing your energy in simply blocking the security holes instead, then there's really no need.

Matchu
+1  A: 

You're trying to enumerate badness, which is a battle you'll never win. Instead, you should be only allowing through markup that you know is good, via a library like htmlpurifier.

Also, I'm not sure about the {2}+ syntax, but I believe this is closer to what you want:

"[<>(%[0-9a-fA-F]{2,})]"
Frank Farmer
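The following is an added example, not code from the question or from either answer. It puts the three pieces side by side on constructed sample log entries: the poster's regex as PHP actually compiles it (with `[` and `]` consumed as delimiters), the blacklist the poster probably intended, and the output encoding Matchu recommends, which keeps the rendered log safe whatever the detector decides. The function names, the sample strings and the `<li>` wrapper are assumptions made for illustration.

```php
<?php
// Added example, not part of the original question or answers.
// Demonstrates the delimiter problem in the posted regex and shows that
// output encoding, not detection, is what stops the XSS.

// 1. The posted check, unchanged. PHP accepts bracket pairs as pattern
//    delimiters, so the expression actually compiled is
//    <>(%[0-9a-fA-F]{2}+): the literal text "<>" followed by "%" and two
//    hex digits (the {2}+ is a possessive quantifier). Most payloads never
//    contain "<>%XX", so almost nothing is flagged.
function isXSS_original(string $in): bool {
    return preg_match("[<>(%[0-9a-fA-F]{2}+)]", $in) == 1;
}

// 2. What the poster most likely meant: any angle bracket, or a %XX escape,
//    with a conventional "/" delimiter. This is still a blacklist: it flags
//    harmless text such as "1 < 2" and misses anything not on the list.
function isXSS_blacklist(string $in): bool {
    return preg_match('/[<>]|%[0-9a-fA-F]{2}/', $in) === 1;
}

// 3. The actual fix for the admin page: encode every logged value on output.
//    ENT_QUOTES also escapes single and double quotes, so the value is safe
//    inside attribute values; ENT_SUBSTITUTE avoids an empty string on
//    invalid UTF-8, which would silently drop log entries.
function renderLogLine(string $raw): string {
    return '<li>' . htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</li>';
}

// Constructed sample log entries (hypothetical, for illustration only).
$samples = [
    '<script>alert(document.cookie)</script>', // classic injection
    '%3Cscript%3E',                             // URL-encoded angle brackets
    '1 < 2',                                    // harmless text with "<"
    'bob@example.com',                          // harmless text
];

foreach ($samples as $s) {
    printf("%-42s original:%d blacklist:%d rendered:%s\n",
        $s,
        (int) isXSS_original($s),
        (int) isXSS_blacklist($s),
        renderLogLine($s));
}
```

Run with `php example.php`. The first column shows the posted regex flagging none of the four entries, including the two injections; the second shows the corrected blacklist flagging both injections but also `1 < 2`; the third column is safe to drop into the admin page in every row, which is the point of both answers: log whatever you like for tracking, but never let the detector's verdict decide whether the value gets escaped.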