I am trying to prevent xss injection. So before I submit a form, a javascript function is called

function validatefield(id) {
    var description = document.getElementById(id).value;   
    description = description.replace(/[\"\'][\s]*javascript:(.*)[\"\']/gi, "");
    description = description.replace(/script(.*)/gi, "");    
    description = description.replace(/eval\((.*)\)/gi, "");
    document.getElementById(id).value=description;
} 

I am wonderng if there's a way to do the same in php before inserting into the mysql? if they get around of the validatefield function.

Thanks

I am trying to prevent xss injection. So before I submit a form, a javascript function is called

function validatefield(id) {
    var description = document.getElementById(id).value;   
    description = description.replace(/[\"\'][\s]*javascript:(.*)[\"\']/gi, "");
    description = description.replace(/script(.*)/gi, "");    
    description = description.replace(/eval\((.*)\)/gi, "");
    document.getElementById(id).value=description;
} 

I am wonderng if there's a way to do the same in php before inserting into the mysql? if they get around of the validatefield function.

Thanks

• php
• javascript

Share Improve this question Follow edited Mar 1, 2010 at 4:13 Marek Karbarz 29.3k66 gold badges5555 silver badges7373 bronze badges asked Mar 1, 2010 at 4:12 haohao 5722 silver badges66 bronze badges 3

• 1 Porting this javascript code to php is not a good strategy to prevent XSS. There are ways of injecting javascript into html which are not covered by your logic, eg. the onclick attribute. The right (and much simpler!) way to go is to wrap your user submitted data in htmlspecialchars() just before outputting in in any html context. – Asaph Commented Mar 1, 2010 at 4:20
• But htmlspecialchars isn't adequate if you want to allow some HTML. – Matthew Flaschen Commented Mar 1, 2010 at 4:23
• @Matthew Flaschen: Certainly true. Although I didn't get the impression the poster was collecting HTML specifically through his form. It doesn't mention that anywhere in the question. In the case of collecting HTML data, I would go with a whitelist approach and strip all non-approved tags and attributes. – Asaph Commented Mar 1, 2010 at 4:26

Add a ment  | 

2 Answers 2

Sorted by: Reset to default 5

You are looking for preg_replace.

$description = preg_replace('regex pattern', 'regex replacement', $description);

Generally speaking, you can use preg_replace for regex replacements in PHP. But there are a few problems with your design

1. You shouldn't even bother doing this on the client. It will slow things down without providing security.
2. You're removing things that are perfectly safe (e.g. "I wrote a script to do such as such"), while ignoring many actual dangers like onclick attributes (see also XSS Cheat Sheet).

Generally speaking, if you want to allow some form of HTML, a whitelist is a better approach. HTML Purifier is a popular tool for implementing this in PHP.