Created data filter to avoid XSS attack
This commit is contained in:
parent
146b5d33e6
commit
213f598631
@ -7,6 +7,7 @@ use App\Models\Access;
|
||||
use \Core\Token;
|
||||
use \Core\Session;
|
||||
use \Core\Redirect;
|
||||
use \Core\XSS;
|
||||
|
||||
class Posts
|
||||
{
|
||||
@ -81,11 +82,13 @@ class Posts
|
||||
|
||||
$url = 'Data/pengumuman.html';
|
||||
|
||||
$status = '';
|
||||
$privilage = '';
|
||||
|
||||
if (Session::exists('userid')) {
|
||||
$post = $this->model->showAll();
|
||||
$privilage = Session::get('privilage');
|
||||
$status = 'loggedin';
|
||||
}
|
||||
|
||||
if ($post !== false) {
|
||||
@ -102,6 +105,7 @@ class Posts
|
||||
}
|
||||
View::render($url, [
|
||||
'posts' => $posts,
|
||||
'status' => $status,
|
||||
'privilage' => $privilage
|
||||
]);
|
||||
}
|
||||
@ -159,7 +163,8 @@ class Posts
|
||||
$creator = $post['creator'];
|
||||
$editor = $post['editor'];
|
||||
|
||||
$post['content'] = htmlspecialchars_decode($post['content']);
|
||||
// Decode XSS data
|
||||
$post = XSS::decode($post);
|
||||
|
||||
$table = 'users';
|
||||
|
||||
@ -241,11 +246,8 @@ class Posts
|
||||
}
|
||||
}
|
||||
|
||||
if (isset($args['content'])) {
|
||||
$args['content'] = htmlspecialchars($args['content']);
|
||||
} elseif (isset($args['category'])) {
|
||||
$args['category'] = htmlspecialchars($args['category']);
|
||||
}
|
||||
// Avoid XSS attack
|
||||
$args = XSS::avoid($args);
|
||||
|
||||
if (isset($table)) {
|
||||
if ($this->model->entry($args, $table)) {
|
||||
@ -272,7 +274,9 @@ class Posts
|
||||
Redirect::to('/posts/category');
|
||||
die();
|
||||
}
|
||||
$args['content'] = htmlspecialchars($args['content']);
|
||||
|
||||
// Avoid XSS attack
|
||||
$args = XSS::avoid($args);
|
||||
|
||||
$id = $args['id'];
|
||||
unset($args['id']);
|
||||
|
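--- a/Core/XSS.php
+++ b/Core/XSS.php
@@ -0,0 +1,62 @@
+<?php
+namespace Core;
+
+class XSS
+{
+public static function avoid($args = [])
+{
+if ($args) {
+if (array_key_exists('exclude', $args)) {
+$excludes = $args['exclude'];
+
+foreach ($excludes as $exclude) {
+$includes[$exclude] = $args[$exclude];
+unset($args[$exclude]);
+}
+
+unset($args['exclude']);
+}
+
+foreach ($args as $key => $value) {
+$args[$key] = htmlspecialchars($value);
+}
+
+// Re-include excluded data
+if (isset($includes)) {
+foreach ($includes as $key => $value) {
+$args[$key] = $value;
+}
+}
+
+return $args;
+}
+}
+
+public static function decode($args = []) {
+if ($args) {
+if (array_key_exists('exclude', $args)) {
+$excludes = $args['exclude'];
+
+foreach ($excludes as $exclude) {
+$includes[$exclude] = $args[$exclude];
+unset($args[$exclude]);
+}
+
+unset($args['exclude']);
+}
+
+foreach ($args as $key => $value) {
+$args[$key] = htmlspecialchars_decode($value);
+}
+
+// Re-include excluded data
+if (isset($includes)) {
+foreach ($includes as $key => $value) {
+$args[$key] = $value;
+}
+}
+
+return $args;
+}
+}
+}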
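Review bot: Both `avoid()` and `decode()` return `null` instead of the array when `$args` is empty, because `return $args;` sits inside the `if ($args)` block, so a caller doing `$args = XSS::avoid($args)` on an empty array continues with `null`; drop the outer guard (the key check and the loops are already no-ops on an empty array) so the return is unconditional. In the escaping loop, `htmlspecialchars($value)` relies on the PHP-version default flags, which before 8.1 leave single quotes unescaped, and it throws a `TypeError` on PHP 8 if any value is a nested array; pass `ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'` explicitly and skip non-string values. The list of keys that bypass escaping is read from the data array itself (`$args['exclude']`), so whoever assembles `$args` decides what is left raw; if that array is ever built from request input this should become a separate parameter of `avoid()` — I cannot see the callers' sources from here. The same return and flag points apply to `decode()`, which mirrors this structure. The class has no docblocks; a class header stating that `avoid()` entity-encodes every string value except the keys named under `exclude` and that `decode()` reverses that for edit forms would help the next reader.
```php
public static function avoid($args = [])
{
    // … unchanged: split off the keys listed under 'exclude' into $includes …
    foreach ($args as $key => $value) {
        // Explicit flags: escape both quote styles and substitute invalid UTF-8
        // instead of letting htmlspecialchars() return an empty string.
        if (is_string($value)) {
            $args[$key] = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        }
    }
    // … unchanged: re-include excluded data …
    return $args;
}
```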
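--- a/_tests/unit/XSSTest.php
+++ b/_tests/unit/XSSTest.php
@@ -0,0 +1,56 @@
+<?php
+namespace Core;
+
+class XSSTest extends \PHPUnit\Framework\TestCase
+{
+/**
+*
+* @test
+*/
+public function HindariSeranganXSSBerhasil() {
+$args = [
+'data_biasa' => 'Abcdefghijklmnopqrstuvwxyz',
+'data_xss' => '<b>A</b><b>z</b>',
+'data_xss_exclude' => '<i>A</i><i>z</i>',
+'data_xss_exclude_2' => '<i>A</i><i>z</i>',
+'data_xss_exclude_3' => '<i>A</i><i>z</i>',
+];
+
+$args['exclude'] = [
+'data_xss_exclude',
+'data_xss_exclude_3'
+];
+
+$expected = [
+'data_biasa' => 'Abcdefghijklmnopqrstuvwxyz',
+'data_xss' => '<b>A</b><b>z</b>',
+'data_xss_exclude' => '<i>A</i><i>z</i>',
+'data_xss_exclude_2' => '<i>A</i><i>z</i>',
+'data_xss_exclude_3' => '<i>A</i><i>z</i>'
+];
+
+$this->assertEquals($expected, XSS::avoid($args));
+}
+
+/**
+*
+* @test
+*/
+public function DecodeDataXSSBerhasil() {
+$args = [
+'data_encode' => '<b>A</b><b>z</b>',
+'data_encode_exclude' => '<b>A</b><b>z</b>'
+];
+
+$args['exclude'] = [
+'data_encode_exclude'
+];
+
+$expected = [
+'data_encode' => '<b>A</b><b>z</b>',
+'data_encode_exclude' => '<b>A</b><b>z</b>'
+];
+
+$this->assertEquals($expected, XSS::decode($args));
+}
+}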
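Review bot: As rendered here, the `$expected` value for `data_xss` is the same literal as the input (`'<b>A</b><b>z</b>'`), so the assertion in `HindariSeranganXSSBerhasil` would also pass for a filter that does nothing; presumably the file holds entity-encoded strings (`&lt;b&gt;…`) that the page rendering decoded, but that is worth confirming in the source file itself, and the same applies to the input side of `DecodeDataXSSBerhasil`. Neither test covers the empty-input path — `self::assertSame([], XSS::avoid([]));` would currently fail because the method returns `null` — nor a value containing a single quote, which is exactly the case where the default `htmlspecialchars()` flags differ between PHP versions. Nor is there a case where `exclude` names a key absent from `$args`, which today raises an undefined-key warning and re-inserts `null`. The `@test` docblock annotation and the method names are consistent with an older PHPUnit; if the project is on PHPUnit 10+, `#[Test]` attributes with a `: void` return type are the current form.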