John Tells Us How To Take Care Of Security Issues from User Generated Input
While dynamic landing pages are awesome for advertising, and we haven’t had any problems yet after thousands of clicks and tons of conversions, security is a concern for us and our users so John has kindly commented on the previous post about how to fix these potential security issues. I simply copied John’s comments and posted them here. Thanks John!
Unfortunately, as simple as your code example is, it introduces a Cross-Site Scripting (XSS) vulnerability to your page. XSS can lead to all kinds of bad things like session hijacking and browser redirection. Check out these links to learn how to prevent XSS:
The code snippets on the ha.ckers.org site show you different ways to exploit or discover XSS problems. To fix it, you have to properly sanitize the input from the query string variable before you display it on the page.
You have an additional issue on your page as it looks like magic quotes are enabled. For example:
To fix the XSS problem, you’ll need to filter the input. For efficiency, you can do this once, save the output, and use the cleaned variable for displaying on the page.
Right now, your script allows pretty much anything to be injected on the page. In your use case, it seems reasonable that you want to prevent any kind of HTML. After all, this looks pretty silly:
If this is the case, you can simply use the htmlentities function to escape all tags:
//top of the script: escape the keyword once, including both quote styles
$cleankw = htmlentities($_GET['kw'], ENT_QUOTES);
//wherever it appears on the page
<?php echo $cleankw; ?>
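The same idea carried through as a complete script, written as an added example rather than taken from John's comment or the original landing page. It assumes the keyword arrives in $_GET['kw'], that the page is served as UTF-8, and that the script may still run on a host where the legacy magic_quotes_gpc setting (mentioned above) is on; the sample input is constructed.

```php
<?php
// Added example, not code from the original post.
// Assumptions: keyword in $_GET['kw'], page encoded as UTF-8.

// Undo magic quotes when the legacy setting is on, so we escape the input the
// user actually sent rather than a backslash-mangled copy.
// get_magic_quotes_gpc() is deprecated in PHP 7.4 and removed in 8.0, hence
// the function_exists() guard.
function raw_keyword(array $get)
{
    $kw = isset($get['kw']) ? (string) $get['kw'] : '';
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $kw = stripslashes($kw);
    }
    return $kw;
}

// Escape once for HTML output. ENT_QUOTES encodes both ' and " in addition to
// < > &, which matters when the value is placed inside an attribute.
function clean_keyword($kw)
{
    return htmlentities($kw, ENT_QUOTES, 'UTF-8');
}

// Constructed sample input standing in for a click-through query string.
$sample = array('kw' => "cheap flights <script>alert('x')</script>");

// Do the work once at the top of the script, then reuse the cleaned value.
$cleankw = clean_keyword(raw_keyword($sample));
?>
<h1>Results for <?php echo $cleankw; ?></h1>
<input type="text" name="kw" value="<?php echo $cleankw; ?>">
```

Both output positions above (element text and a quoted attribute value) are covered by the single escaped variable; the script tag in the constructed sample is rendered as literal text instead of being executed.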
On the other hand, if you want to allow HTML, it’s a much harder problem to solve. I recommend this article as a starting point:
An extreme example of what can go wrong when you allow XSS to persist can be found here:
Hope that helps
If you want to learn more about John Herren, he has a blog here. Thanks again John!
Note: Input problems generally occur when the user can manipulate the input from a form, etc. Because our users are clicking directly to the page, the input is supplied by Google and the query searched by the user. After the user is ON the page, they can manipulate the page if you don’t use htmlentities to escape HTML characters. You also have the risk of a savvy user hijacking things, which is why it is good to filter the input once and then display the output. I could be wrong, but that is my understanding. Here is a great list of ways to filter the data from php.net: http://us.php.net/filter.
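As an added example of the php.net filter functions linked above (not code from the original post or from John), the keyword can also be validated against an allowlist before it is ever displayed, with a harmless default used when it does not match. The regular expression, length limit and default text are assumptions chosen for a landing page that only ever expects a short search phrase; the sample inputs are constructed.

```php
<?php
// Added example, not code from the original post.
// Assumption: $_GET['kw'] should only ever hold a short search phrase.

// Return the keyword if it matches the allowlist, otherwise a safe default.
function keyword_or_default(array $get, $default = 'your search')
{
    if (!isset($get['kw'])) {
        return $default;
    }
    $kw = trim((string) $get['kw']);

    // Allow letters, digits, spaces and a few punctuation marks, 1 to 80 chars.
    // filter_var() returns the string on a match and false otherwise.
    $valid = filter_var($kw, FILTER_VALIDATE_REGEXP, array(
        'options' => array('regexp' => '/^[\p{L}\p{N} ,.\-]{1,80}$/u'),
    ));

    return ($valid === false) ? $default : $valid;
}

// Constructed inputs: the first passes the allowlist, the second is rejected
// and replaced by the default because of the angle brackets.
$kw  = keyword_or_default(array('kw' => 'running shoes'));
$bad = keyword_or_default(array('kw' => '<b>shoes</b>'));

// Validation narrows what can reach the page; the output is still escaped
// so that a future change to the allowlist cannot reintroduce the problem.
?>
<p>Looking for <?php echo htmlentities($kw, ENT_QUOTES, 'UTF-8'); ?>?</p>
<p>Looking for <?php echo htmlentities($bad, ENT_QUOTES, 'UTF-8'); ?>?</p>
```

Validation and escaping answer different questions: the allowlist decides whether the value is acceptable at all, while htmlentities makes whatever is displayed safe for the HTML context it lands in. Using both keeps the page correct even if one of them is later relaxed.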