Re: [Pas-dev] for better or worse, XSS filtering is here
From: Kyle R. B. <mo...@vo...> - 2002-05-22 22:03:09
> Also, what about the possibility of malicious code in the query parameter
> names themselves?

Ok, I'm about to check in a changed version of the function. The changes
include support for defanging the query parameter names, and it accounts
for multiple values for a query parameter. It also uses the logging to log
a warning that includes the remote addr (not completely reliable, but
better than nothing).

Kyle

==>

use HTML::Entities;   # encode_entities()
# $log is the module's logger and $q the CGI request object; both are
# defined elsewhere in the checked-in file.

# Paired <script>, <embed>, <applet> and <object> tags. The opening tag may
# be bare or carry attributes; the matching closing tag must follow.
my $scriptingRegex = qr/(<\s*script(?:\s+[^>]*>|>).*?<\s*?\/script\s*?>)|
                        (<\s*embed(?:\s+[^>]*>|>).*?<\s*?\/embed\s*?>)|
                        (<\s*applet(?:\s+[^>]*>|>).*?<\s*?\/applet\s*?>)|
                        (<\s*object(?:\s+[^>]*>|>).*?<\s*?\/object\s*?>)/imx;

sub inspect_request {
    my ($q) = @_;

    # Pass 1: find parameter *names* that contain scripting tags.
    my @badParameters = ();
    foreach my $p ($q->param()) {
        if ($p =~ $scriptingRegex) {
            $log->warn("possible XSS attack found while scrubbing ",
                       "parameter names: '$p' REMOTE_ADDR: ", $ENV{'REMOTE_ADDR'});
            push @badParameters, $p;
        }
    }

    # Re-add each offending parameter under its entity-encoded name,
    # keeping every value it had.
    foreach my $badParam (@badParameters) {
        my @values = $q->param($badParam);
        $q->delete($badParam);
        my $p = HTML::Entities::encode_entities($badParam);
        $q->param($p, @values);
    }

    # Pass 2: scrub each *value* of every (possibly multi-valued) parameter.
    foreach my $p ($q->param()) {
        my @x = $q->param($p);
        foreach my $x (@x) {           # $x aliases the element, so this edits @x in place
            if ($x =~ $scriptingRegex) {
                $log->warn("possible XSS attack found while scrubbing ",
                           "parameter values: '$p' => '$x' REMOTE_ADDR: ", $ENV{'REMOTE_ADDR'});
                $x = HTML::Entities::encode_entities($x);
                #$q->param($p,$x);
            }
        }
        $q->param($p, @x);
    }
    return $q;
}

-- 
------------------------------------------------------------------------------
Wisdom and Compassion are inseparable. -- Christmas Humphreys
mo...@vo...  http://www.voicenet.com/~mortis
------------------------------------------------------------------------------
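The same log-and-encode pass, re-implemented in Python as an added illustration (this is not Kyle's code and not part of the project). It assumes the request parameters arrive as a dict of name to value list, uses `html.escape` in place of `HTML::Entities::encode_entities`, and adds `re.DOTALL` so a newline between the opening and closing tag does not slip past the pattern; the sample request at the bottom is constructed:

```python
import html
import logging
import re

log = logging.getLogger("xss_filter")

# The four paired tags the post's Perl regex looks for. The opening tag may
# carry attributes; the closing tag must name the same element (\1).
# re.DOTALL is an assumption: the Perl original used /im only.
SCRIPTING_RE = re.compile(
    r"<\s*(script|embed|applet|object)(?:\s+[^>]*>|>).*?<\s*/\s*\1\s*>",
    re.IGNORECASE | re.DOTALL,
)


def inspect_request(params, remote_addr="unknown"):
    """Python re-implementation of the post's inspect_request().

    params is {name: [value, ...]} (multi-valued, like CGI->param).
    Offending names and values are entity-encoded in the returned copy and a
    warning carrying REMOTE_ADDR is logged for each hit. The warning strings
    are returned as well so a caller (or a test) can inspect them.
    """
    warnings = []
    cleaned = {}
    for name, values in params.items():
        new_name = name
        if SCRIPTING_RE.search(name):
            msg = (f"possible XSS attack found while scrubbing parameter "
                   f"names: {name!r} REMOTE_ADDR: {remote_addr}")
            log.warning(msg)
            warnings.append(msg)
            new_name = html.escape(name, quote=True)
        new_values = []
        for value in values:
            if SCRIPTING_RE.search(value):
                msg = (f"possible XSS attack found while scrubbing parameter "
                       f"values: {name!r} => {value!r} REMOTE_ADDR: {remote_addr}")
                log.warning(msg)
                warnings.append(msg)
                value = html.escape(value, quote=True)
            new_values.append(value)
        # Two distinct raw names could encode to the same string; keep both
        # value lists rather than overwriting (the Perl version overwrites
        # via $q->param($p, @values)).
        cleaned.setdefault(new_name, []).extend(new_values)
    return cleaned, warnings


# Constructed sample request (not real traffic): one clean parameter, one
# multi-valued parameter containing a paired <script> tag, and a parameter
# whose *name* carries a paired <object> tag.
SAMPLE_PARAMS = {
    "q": ["perl modules"],
    "comment": ["hi <SCRIPT>x()</script> there", "plain"],
    "<object>x</object>": ["v"],
}


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    cleaned, warnings = inspect_request(SAMPLE_PARAMS, "203.0.113.5")
    for k, v in cleaned.items():
        print(f"{k!r}: {v!r}")
    print(f"{len(warnings)} warning(s)")
```

Two things worth keeping in mind when reading the result: `html.escape` only touches `& < > " '`, whereas `encode_entities` with its default set also encodes control and non-ASCII characters, so the encoded strings differ for non-ASCII input; and the pattern fires only on a complete opening/closing pair, so this remains a heuristic that logs and neutralises what it recognises rather than a substitute for entity-encoding every parameter at the point it is rendered into a page.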