[PHP] The PHP filter class I'm working on (security)

2009-03-13 Thread Michael A. Peters

I would appreciate feedback.
First php class I've written myself (the little tiny ones that are just 
over-glorified functions don't count.)


Probably has bugs. I have not thoroughly tested it - but I finally have 
a nice test sandbox to play with.


http://www.clfsrpm.net/xss/dom_script_test.php

That page has a link to the class source on it too.

The class is supposed to server side implement the Content Security 
Policy recommendation that can be found here:


http://people.mozilla.org/~bsterne/content-security-policy/

In theory (assuming no bugs) the class should flat out remove any 
content that would violate the specified policy server side so that 
users who do not have browsers that benefit from CSP also benefit.


Clearly it cannot cover every scenario, i.e. a script from a white listed 
domain could modify the DOM introducing stuff that will still trigger 
browser side CSP filtering.


In addition to enforcing the specified policy, it also removes some 
stuff that ain't where it belongs, like meta tags outside the head etc.


One place where I deviate from the Mozilla CSP intentionally is in event 
attributes. The way I read the CSP recommendation, event attributes just 
aren't allowed. For the life of me, though, I can't figure out how to do 
effective client side form validation w/o at least onchange and 
onsubmit. So my class does allow white listing of event attributes, 
though they cannot have any arguments (i.e. onchange=alert('hello'); 
gets filtered to onchange=alert();)


We'll have to see what the final standard is on that.

The test page lets you set the policy rules that are to be enforced 
(except no event handler whitelist, I'll have to add that) and has 
almost no input filtering (just enough to make the input load nicely 
into the DOM - clean html input should go through unmutilated)


I'll try to put together a pretty index page along with examples of 
usage, it should fit in nicely with most templating systems, for 
example, because they tend to construct the page and then send it.


But I can't do that until after the weekend as I'm going out of town.
Anyway, I'd really appreciate feedback on it, so it can be improved.

Just a note - it's not intended as a substitute for input filtering, CSP 
is intended as a second line of defense, and hopefully will be 
implemented in browsers soon. This class just gives the benefit of a 
sound CSP to users w/o a CSP enabled browser (which right now is all of 
them, though Firefox has a partially implemented plugin).


--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
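
An added illustration of the server-side filtering described in the message above, using PHP's DOM extension. It is not the class from the linked page; the function names, the `$policy` array layout and the sample markup are assumptions.

```php
<?php
// Added example, not the class from the linked page; names, the $policy
// layout and the sample markup are assumptions made for illustration.
function script_allowed(DOMElement $script, array $policy): bool
{
    $src = trim($script->getAttribute('src'));
    $parts = $src === '' ? false : parse_url($src);
    if ($parts === false) return false;          // inline script or unparseable URL
    if (!isset($parts['host'])) {                // relative URL, or data:/javascript:
        return !isset($parts['scheme']) && $policy['allow_self'];
    }
    return in_array(strtolower($parts['host']), $policy['script_hosts'], true);
}
function csp_filter_html(string $html, array $policy): string
{
    $dom = new DOMDocument();
    libxml_use_internal_errors(true);            // tolerate imperfect markup quietly
    $dom->loadHTML($html, LIBXML_NONET);         // no network access while parsing
    libxml_clear_errors();
    $xpath = new DOMXPath($dom);
    // Scripts that violate the policy, and meta tags outside <head>, are removed.
    foreach (iterator_to_array($xpath->query('//script | //meta[not(ancestor::head)]')) as $node) {
        if ($node->nodeName === 'meta' || !script_allowed($node, $policy)) {
            $node->parentNode->removeChild($node);
        }
    }
    // Event attributes: only whitelisted names survive, reduced to a bare call.
    foreach (iterator_to_array($xpath->query('//@*[starts-with(name(), "on")]')) as $attr) {
        $el = $attr->ownerElement;
        $name = $attr->nodeName;
        if (in_array($name, $policy['event_attrs'], true)
            && preg_match('/^\s*([A-Za-z_$][\w$.]*)\s*\(/', $attr->value, $m)) {
            $el->setAttribute($name, $m[1] . '();');   // keep the call, drop its arguments
        } else {
            $el->removeAttribute($name);
        }
    }
    return $dom->saveHTML();
}
// Constructed sample input.
$policy = ['allow_self' => true, 'script_hosts' => ['static.example.com'],
           'event_attrs' => ['onchange', 'onsubmit']];
$page = '<html><head><title>t</title></head><body><meta http-equiv="refresh" content="5">'
      . '<script>document.title = "inline";</script>'
      . '<script src="http://static.example.com/form.js"></script>'
      . '<script src="http://other.example/x.js"></script>'
      . '<form onsubmit="checkForm(this)"><input name="q" onchange="validate(1)" onfocus="track()"></form>'
      . '</body></html>';
echo csp_filter_html($page, $policy);
```

A handler that does not begin with a plain function call is removed outright rather than rewritten, so a whitelisted attribute never carries arbitrary expressions through.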



Re: [PHP] The PHP filter class I'm working on (security)

2009-03-13 Thread Michael A. Peters

Michael A. Peters wrote:

> I would appreciate feedback.
> First php class I've written myself (the little tiny ones that are just 
> over-glorified functions don't count.)
>
> Probably has bugs.


iframes and objects aren't working even for white listed where they 
should - I know why on the latter, I need to look at the former.

