Add request parameter filtering to avoid XSS attacks

technicalguru · Jan 28, 2023 · 40b578e · 40b578e
1 parent a3cf57b
commit 40b578e
Show file tree

Hide file tree

Showing 5 changed files with 95 additions and 8 deletions.
diff --git a/src/TgUtils/DummyStringFilter.php b/src/TgUtils/DummyStringFilter.php
@@ -0,0 +1,25 @@
+<?php
+
+package TgUtils;
+
+/**
+ * An interface for not filtering string at all.
+ */
+public class DummyStringFilter implements StringFilter {
+
+	public static $INSTANCE = new DummyStringFilter();
+
+	public __construct() {
+	}
+
+	/**
+	 * Filters the given string and returns sanitized value.
+	 * @param string $s - string to sanitize (can be null)
+	 * @return the sanitized string.
+	 */
+	public filter($s) {
+		return $s;
+	}
+
+}
+
diff --git a/src/TgUtils/NoHtmlStringFilter.php b/src/TgUtils/NoHtmlStringFilter.php
@@ -0,0 +1,26 @@
+<?php
+
+package TgUtils;
+
+/**
+ * An interface for filter strings from any HTML tags.
+ */
+public class NoHtmlStringFilter implements StringFilter {
+
+	public static $INSTANCE = new NoHtmlStringFilter();
+
+	public __construct() {
+	}
+
+	/**
+	 * Filters the given string and returns sanitized value.
+	 * @param string $s - string to sanitize (can be null)
+	 * @return the sanitized string.
+	 */
+	public filter($s) {
+		if ($s == NULL) return $s;
+		return strip_tags($s);
+	}
+
+}
+
diff --git a/src/TgUtils/Request.php b/src/TgUtils/Request.php
@@ -186,13 +186,15 @@ public function hasGetParam($key) {
 
 	/**
 	 * Returns the GET parameter value from the request.
-	 * @param string $key - the parameter name
-	 * @param mixed $default - the default value to return when parameter does not exist (optional, default is NULL).
+	 * @param string $key     - the parameter name
+	 * @param mixed  $default - the default value to return when parameter does not exist (optional, default is NULL).
+	 * @param object $filter  - a filter to sanitize the value.
 	 * @return mixed the parameter value or its default.
 	 */
-	public function getGetParam($key, $default = NULL) {
+	public function getGetParam($key, $default = NULL, $filter = NULL) {
 		$params = $this->getParams;
-		return isset($params[$key]) ? $params[$key] : $default;
+		if ($filter == NULL) $filter = StringFilters::$NO_HTML;
+		return isset($params[$key]) ? $filter->filter($params[$key]) : $default;
 	}
 
 	/**
@@ -214,13 +216,15 @@ public function hasPostParam($key) {
 
 	/**
 	 * Returns the POST parameter value from the request.
-	 * @param string $key - the parameter name
-	 * @param mixed $default - the default value to return when parameter does not exist (optional, default is NULL).
+	 * @param string $key     - the parameter name
+	 * @param mixed  $default - the default value to return when parameter does not exist (optional, default is NULL).
+	 * @param object $filter  - a filter to sanitize the value.
 	 * @return mixed the parameter value or its default.
 	 */
-	public function getPostParam($key, $default = NULL) {
+	public function getPostParam($key, $default = NULL, $filter = NULL) {
 		$params = $this->getPostParams();
-		return isset($params[$key]) ? $params[$key] : $default;
+		if ($filter == NULL) $filter = StringFilters::$NO_HTML;
+		return isset($params[$key]) ? $filter->filter($params[$key]) : $default;
 	}
 
 	/**

diff --git a/src/TgUtils/StringFilter.php b/src/TgUtils/StringFilter.php
@@ -0,0 +1,18 @@
+<?php
+
+package TgUtils;
+
+/**
+ * An interface for filter strings from evil input.
+ */
+public interface StringFilter {
+
+	/**
+	 * Filters the given string and returns sanitized value.
+	 * @param string $s - string to sanitize (can be null)
+	 * @return the sanitized string.
+	 */
+	public filter($s);
+
+}
+
diff --git a/src/TgUtils/StringFilters.php b/src/TgUtils/StringFilters.php
@@ -0,0 +1,14 @@
+<?php
+
+package TgUtils;
+
+/**
+ * Provides default string filters.
+ */
+public class StringFilters {
+
+	public static $DUMMY   = DummyStringFilter::$INSTANCE;
+	public static $NO_HTML = NoHtmlStringFilter::$INSTANCE;
+
+}
+