
Sanitize URL to prevent XSS

URL cross scripting vulnerabilities - php



8:31 pm on Jun 4, 2008 (gmt 0)

5+ Year Member

Hi -- I'm a newbie, and need some help. Hope this is where I need to post this...

I 'fell' into this job about 6 months ago, and have been able to take care of most issues to this point. Received notice from Hacker Safe about Cross Scripting vulnerabilities. We have a search - it strips all html tags, so it's not a problem. The issue is sanitizing external input entered directly into address bar through external links, keyboard, etc. I know a little php and javascript -- I don't have a clue how or where I need to insert sanitizing code that will affect URL input.

We use Apache/Linux/php.

Any help is greatly appreciated! I would like to have some hair left by this time next week.


5:39 am on Jun 5, 2008 (gmt 0)

WebmasterWorld Administrator httpwebwitch is a WebmasterWorld Top Contributor of All Time 10+ Year Member

XSS happens when user-entered characters are allowed to be rendered on the page, sans validation.

for instance:
opens a search page, where you show scuba gear. In the <head> of your page, you might have something like this:

<title>Search results for <?php print($_GET['q']) ?></title>
and further down, a nice heading:
<h1>Search results for <?php print($_GET['q']) ?></h1>

Now what if I were to request this URL?


the query, urldecoded, is this:


rendered on the page, it ends your </h1> and executes a script. That script can do pretty much anything it wants. Combined with a little phishing, this can be a really dangerous vulnerability. Remember all it takes is one hole like that, and a kiddie can inject about 2K of pure malice via the URL.

In addition to XSS, you may also need to be concerned about SQL injection. The two are different. XSS plants executable JS code on the client, whereas SQL injection tries to manipulate SQL operations on the server using unusual user input. XSS and SQL injection are often mentioned together, since they're both easy to perpetrate by script kiddies [en.wikipedia.org], and often overlooked by beginner programmers.

For instance, take this URL:
as you'd expect, will get info about user #50.

A careless coder would do this:

$query = "SELECT * FROM users WHERE id=".$_GET['userid'];

and end up with a SQL query:
SELECT * FROM users WHERE id=50

Pop quiz.
What would this URL do?


nothing good, that's what!


3:52 pm on Jun 5, 2008 (gmt 0)

WebmasterWorld Senior Member rocknbil is a WebmasterWorld Top Contributor of All Time 10+ Year Member

^ ^ Shudder. :-)

Welcome aboard tazzy47!

One of the first things you do is quote everything in your selects. This is NOT a cure-all, it's one tool:

$select = "select * from table where id='{$_GET['userid']}';";

Yes, even numeric fields, although it's "implied" that quoting means you're searching on text, this is one way to start securing your selects. Many injections can be thwarted this way.

Second, as mentioned, is you should cleanse those GET vars and never put them directly in the selects.

Injection Wiki [en.wikipedia.org], and you'll find many more searching for SQL injection.
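Added example, not code from either poster: the user lookup from httpwebwitch's post rebuilt the way rocknbil's post recommends, with the GET value cleansed first and never spliced into the SELECT. Quoting the value (rocknbil's first tool) only changes how the string is parsed; validating it as an integer and binding it as a prepared-statement parameter keeps it out of the query text entirely. The in-memory SQLite database, the `users` table and its rows, and the sample inputs are constructed here so the script runs stand-alone.

```php
<?php
// Added example: validate $_GET['userid'] and bind it as a parameter
// instead of concatenating it into the SELECT. The database, table,
// rows and sample inputs below are constructed for the demo.

declare(strict_types=1);

function open_demo_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
    $ins = $db->prepare('INSERT INTO users (id, name) VALUES (:id, :name)');
    foreach ([[50, 'alice'], [51, 'bob']] as [$id, $name]) {
        $ins->execute([':id' => $id, ':name' => $name]);
    }
    return $db;
}

// Look up one user by the raw string taken from $_GET['userid'].
// Returns the row, or null when the input is not a plain positive integer
// or no such user exists.
function find_user(PDO $db, string $rawId): ?array
{
    // Whitelist validation: anything that is not an integer literal
    // (quotes, spaces, keywords) is rejected before SQL is involved.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    // Prepared statement: the value travels as data, never as query text,
    // so quote characters in the input cannot change the statement.
    $stmt = $db->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$db = open_demo_db();
// Constructed sample inputs standing in for $_GET['userid']: a valid id,
// an id that does not exist, and two malformed values that must be rejected.
foreach (['50', '51', '99', "50'", '50 or 1'] as $input) {
    $row = find_user($db, $input);
    printf("%-10s => %s\n", var_export($input, true),
        $row ? json_encode($row) : 'rejected or not found');
}
```

The same pattern applies to mysqli with `bind_param('i', $id)`; the point is that the id reaches the database as a typed parameter and the only SQL the server ever parses is the fixed text in `prepare()`.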


8:20 pm on Jun 5, 2008 (gmt 0)

5+ Year Member

Thank you httpwebwitch and rocknbil... I appreciate your help. And thanks for the welcome...

The guy I 'inherited' the job from had most of it pretty well covered (I think). We have php, phtml, and html pages throughout, and only the html pages are affected. In talking with McAfee, external sources can use .>"< ... alert ... "< in the browser address bar after the html, generating a javascript alert window. Does not work on phtml or php pages. Suggestions? I know user input needs to be sanitized/validated, but I don't know how to strip the html markup from external links. Will the above snippet not work with phtml extension? We have over 700 html product pages... New product pages are generated dynamically, and the site is so huge I still have trouble finding things. And, "webnut" is only one of my designated jobs (webmaster quit, boss knew I'd taken a couple years of programming classes)

Again, thanks for all the help. I'm about to suggest we hire this fix out. Didn't get as far as php security in those 2 yrs of programming classes.


10:24 pm on Jun 5, 2008 (gmt 0)

WebmasterWorld Administrator httpwebwitch is a WebmasterWorld Top Contributor of All Time 10+ Year Member

Just don't render any parts of the URL on the page. And if you do, pasteurize it first using htmlentities() [php.net].

For instance, a URL like
is highly suspect. If I see one of those, the next thing I try is:

you should never do this:
<?php print($_GET['variable_name']); ?>

Though honestly, someone injecting XSS on their own session is usually harmless. They might mess around with their own account, or hijack global Javascript objects. If the site is really badly architected, they may be able to access an unsecured API - who knows? it depends on the site. Serious security breaches happen when you allow users to enter text which will eventually be shown to another user.

Sort of like this reply.

If WebmasterWorld didn't pasteurize all posts before rendering them on the page, I'd have your cookies, hijack your session and be reading your mail by now.
Not that I would actually do that.
It was just an example.
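Added example, not code from the thread: the `<title>` and `<h1>` fragments from httpwebwitch's first post, rewritten so the search term is encoded before it is rendered, which is the htmlentities() "pasteurize it first" advice from this post. It uses htmlspecialchars(), which encodes the five characters that matter in HTML (`<`, `>`, `&`, `"`, `'`) and is interchangeable with htmlentities() for this purpose; the ENT_QUOTES flag is what makes the value safe inside a quoted attribute as well as in element text. The `esc_html()` and `render_search_fragments()` names and the sample query string are constructed for the demo.

```php
<?php
// Added example: output-encode the reflected $_GET['q'] value before it
// is printed into the page. Function names and sample input are constructed.

declare(strict_types=1);

// Encode a string for use as HTML text or inside a double- or single-quoted
// attribute. ENT_QUOTES also converts ' and ", so the same helper covers
// both contexts; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning ''.
function esc_html(string $raw): string
{
    return htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// The fragments from the post, with encoding applied once and reused.
function render_search_fragments(string $q): array
{
    $safe = esc_html($q);
    return [
        'title' => "<title>Search results for {$safe}</title>",
        'h1'    => "<h1>Search results for {$safe}</h1>",
        // Prefilling the search box is the attribute case: safe only
        // because ENT_QUOTES encoded the quote characters.
        'input' => "<input type=\"text\" name=\"q\" value=\"{$safe}\">",
    ];
}

// Constructed sample standing in for $_GET['q']: it carries the characters
// that could close a tag or attribute, not a working payload.
$sample = 'scuba <b>"mask"</b> & fin\'s';

foreach (render_search_fragments($sample) as $name => $html) {
    echo $name, ': ', $html, PHP_EOL;
}
```

Every `<`, `>`, `&`, `"` and `'` in the term comes out as an entity, so the browser shows the text the visitor typed and never parses it as markup. Encoding has to happen at output time for each place the value is printed; stripping tags at input time (as the search form in the first post does) is not a substitute, because the URL parameter can still be crafted directly in the address bar.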


5:16 pm on Jun 6, 2008 (gmt 0)

5+ Year Member

Thank you! I really appreciate your help. I'll check out htmlentities today!
