Do I need HTML Purifier with preg_match / $_GET / $_POST / FILTER_VALIDATE_EMAIL?

I want to ask if I need to use HTML Purifier to avoid XSS attacks if:

  1. I already used preg_match, for example:

    $userid = $_POST["userid"];
    if (!preg_match("/^[a-zA-Z0-9]{3,15}$/", $userid)) {
        alerts('INVALID');
    }

alerts is a function with a switch case that shows an alert via the URL, like ...?alert=invalidid

  1. filter_var($email, FILTER_VALIDATE_EMAIL)

  2. I'm using window.location.href.indexOf('alert') != -1; does it need to filter the values for alert somehow?

  3. I also have a function with $_GET['alert'] to compare which alert is actually in the URL, to echo a bootstrap div class="alert-danger". Do I need to use HTML Purifier? Thanks for answers. In case 3, I wouldn't know how to do it.

  1. Using preg_match validation like that is a good safety measure, but your preceding line $userid = $_POST["userid"] is in itself vulnerable. Always make sure to check that the value is both set and not null:

    // isset() takes a variable, not an expression, and the superglobal is $_POST
    $userid = (isset($_POST["userid"]) && $_POST["userid"] !== null) ? $_POST["userid"] : null;

Regarding your "alerts is a function with a switch case to show an alert in the URL, like ...?alert=invalidid", it depends on exactly what you mean by 'show', but note that displaying information entered by a user back to the user is the primary vector for XSS. If you're 'showing' it in HTML content, HTML attributes, or JavaScript data values, it's unsafe, and you will want to encode the following:

 & --> &amp;
 < --> &lt;
 > --> &gt;
 " --> &quot;
 ' --> &#x27;     &apos; is not recommended because it's not in the HTML spec (see section 24.4.1); &apos; is in the XML and XHTML specs.
 / --> &#x2F;     the forward slash is included as it helps end an HTML entity

  1. This depends on the version of PHP you're using. Assuming you're above PHP 5.2.1 (which you certainly should be, as they're no longer supported), FILTER_VALIDATE_EMAIL is good validation for email addresses. If you're on PHP 5.2.1 or lower, you're vulnerable.

  2. I'm not sure why. alert is by no means the only JavaScript method for XSS. Take, for example, console.log.

  3. $_GET['alert'] is vulnerable to XSS when echoed back to the page, but with the six transformations listed above, this will no longer be possible.

Using something like HTML Purifier is always a good idea. Even if you're already fully hardened against XSS, you're protecting yourself against potential future XSS vulnerabilities.

I'd also recommend reading the official OWASP guide on preventing XSS.
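As an added example (not code from either answer above), here is one way to handle the "case 3" the question asks about in PHP: the ?alert= key is looked up in a fixed allowlist, and only the stored message is echoed, encoded with the six replacements listed in the answer. The alert keys, messages, Bootstrap classes and helper names (encode_for_html, render_alert, validate_userid, validate_email) are assumptions made for this example.

```php
<?php
// Added example (not code from either answer above). The ?alert= key is
// looked up in an allowlist and only the stored message is echoed, encoded
// with the six replacements from the answer. Keys, messages and helper
// names are assumptions made for this example.

declare(strict_types=1);

// The six transformations from the answer, applied in a single pass so
// nothing gets double-encoded (strtr never re-scans replaced text).
function encode_for_html(string $value): string
{
    return strtr($value, [
        '&' => '&amp;',
        '<' => '&lt;',
        '>' => '&gt;',
        '"' => '&quot;',
        "'" => '&#x27;',
        '/' => '&#x2F;',
    ]);
}

// Allowlist of alert keys: the key from the URL is only ever used as an
// array index, never printed. Classes and messages are constructed.
const ALERTS = [
    'invalidid'    => ['alert-danger',  'The user id must be 3 to 15 letters or digits.'],
    'invalidemail' => ['alert-danger',  'That email address is not valid.'],
    'saved'        => ['alert-success', 'Your changes were saved.'],
];

// Builds the Bootstrap alert div for the request, or an empty string.
// $query stands in for $_GET so the function can run on constructed input.
function render_alert(array $query): string
{
    // ?alert[]=x arrives as an array; treat anything that is not a string,
    // or not an allowlisted key, as "no alert" instead of reflecting it.
    if (!isset($query['alert']) || !is_string($query['alert'])) {
        return '';
    }
    if (!array_key_exists($query['alert'], ALERTS)) {
        return '';
    }
    [$class, $message] = ALERTS[$query['alert']];
    return '<div class="alert ' . encode_for_html($class) . '" role="alert">'
        . encode_for_html($message) . '</div>';
}

// Validation helpers return the alert key to redirect with, or null when
// the value is acceptable. \z instead of $ also rejects a trailing newline,
// which the question's pattern would let through.
function validate_userid(?string $userid): ?string
{
    if ($userid === null || !preg_match('/^[a-zA-Z0-9]{3,15}\z/', $userid)) {
        return 'invalidid';
    }
    return null;
}

function validate_email(?string $email): ?string
{
    if ($email === null || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return 'invalidemail';
    }
    return null;
}

// Constructed form submission (no real $_POST involved).
$posted = ['userid' => 'alice', 'email' => 'alice@example.com'];
$alertKey = validate_userid($posted['userid'] ?? null)
    ?? validate_email($posted['email'] ?? null);
if ($alertKey !== null) {
    // In a real handler this would be the redirect that sets ?alert=:
    // header('Location: form.php?alert=' . rawurlencode($alertKey));
}

// Constructed query strings: a known key renders, an unknown key renders nothing.
echo render_alert(['alert' => 'invalidid']), "\n";
echo render_alert(['alert' => '<b>not a key</b>']), "\n";
echo encode_for_html('5 < 6 && "a" / \'b\''), "\n";
```

Run it with the php command-line binary; render_alert() takes the query array as a parameter so it can be exercised without a web server. The point is that the value taken from the URL only selects an entry and is never itself written into the page, so for this case HTML Purifier adds nothing; the encoding is still applied to the stored text as defence in depth, and the redirect builds the URL with rawurlencode() so the key cannot break the query string.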

I'd set a flag for each validation before attempting to commit those values to a table ~ I'm presuming you're going to commit the values :) Use a PHP-activated popup and allow the user to close the popup window using jQuery JS. If someone disables JS and tries to mess around, it simply won't insert or update, but the window telling them what they did wrong will still be there; they just won't be able to close it.

    <?php
    $userid = "";
    if (isset($_POST['userid'])) {
        $userid = $_POST["userid"];

        if (!preg_match("/^[a-zA-Z0-9]{3,15}$/", $userid)) {
            // $flag is a fixed message, not user input, so it is safe to echo
            $flag = "user id error";
            echo "
            <div id='user-id-alert'>$flag
                <input type='button' value='X' onclick='closePopup()' class='button-close' />
            </div>
            ";
        }
    }

    // jQuery must be loaded before this script runs
    echo "
    <script>
    function closePopup() {
        // getElementById takes the bare id, without the '#' selector prefix
        var elem = document.getElementById('user-id-alert');
        if (elem) {
            $(elem).hide(200);
        }
        return false;
    }
    </script>
    ";
    ?>

I added an id to the alert window and a class to the close button but didn't provide CSS as it's out of the scope of your request.