Question

1- I have a form which has name, family, email, birthday (which is a select) and gender, which is two different radio buttons, one for male and the other one obviously for female. Now, please, can someone explain to me how to prevent XSS attacks on these fields in PHP? My form data is like this:

<form action="register.php" method="post">
    <div>
        <table>
        <tr><td><?php echo $lang['5']; ?> :</td><td> <input type="text" name="name" maxlength="254" class="required" /></td></tr>
        <tr><td><?php echo $lang['6']; ?> :</td><td> <input type="text" name="family" maxlength="254" class="required" /></td></tr>
        <tr><td><?php echo $lang['59']; ?> :</td><td> <input type="text" name="email" maxlength="254" class="required" /></td></tr>
        <tr><td><?php echo $lang['74']; ?> :</td><td> <input type="text" name="repeat" maxlength="254" class="required" /></td></tr>
        <tr><td><?php echo $lang['60']; ?> :</td><td><input type="password" name="password"/></td></tr>
        <tr>
        <td><?php echo $lang['8'] ?> :</td>
        <td>
        <select name="day">
        <option><?php echo $lang['9'] ?></option>
        <?php 
        for($i=1;$i<=31;$i++){
        echo "<option value=\"{$i}\">{$i}</option>\n"; 
        }
        ?>
        </select>
        <select name="month">
        <?php 
        for($i=1;$i<=12;$i++){
        $m = str_pad($i,2,"0",STR_PAD_LEFT); // zero-pad to two digits without overwriting the loop counter (months start at 1, not 0)
        echo "<option value=\"{$m}\">";T(1,$m);echo "</option>\n"; 
        }
        ?>
        </select>
        <select name="year">
        <option><?php echo $lang['11'] ?></option>
        <?php 
        for($i=1300;$i<=1373;$i++){
        if($i == $birthdate['0']){
        echo "<option value=\"{$i}\" selected=\"selected\">{$i}</option>\n"; 
        }else{
        echo "<option value=\"{$i}\">{$i}</option>\n"; 
        }
        }
        ?>
        </select>
        </td>
        </tr>
        </table>
        male : <input type="radio" name="gender[]"  />female : <input type="radio" name="gender[]"  /><br />
        <input type="submit" name="submit" value="<?php echo $lang['63'];  ?>" onclick="formhash(this.form, this.form.password);"/>
    </div>
</form>

For name and family I did something like this, to allow only these characters, with this pattern:

$name = preg_replace("/[^a-zA-Z0-9_\-]+/", "", $name);
$family = preg_replace("/[^a-zA-Z0-9_\-]+/", "", $family);

And for email I did this:

 // preg_match() returns 1 when the address matches the pattern; the original preg_replace() would have deleted a valid address and kept an invalid one
 if(!preg_match("/^[_a-zA-Z0-9-]+(\.[_a-zA-Z0-9-]+)*@[a-zA-Z0-9-]+(\.[a-zA-Z0-9-]+)*(\.[a-zA-Z]{2,3})$/", $email)) $email = "";

Is this preg_replace secure enough, or do I maybe need to use htmlentities or htmlspecialchars?

2- And for the second question: is it necessary to escape posted data which comes from radio buttons or select options, and if it is necessary, how should I escape them?

3- I just read about HTMLPurifier. Now, if I have a status field which the user can update, should I use HTMLPurifier for people's statuses, and maybe for this register form too?

Thanks in advance.


Solution

  • It is better to escape all submitted values.
  • HTMLPurifier is very good and is enough to prevent XSS attacks; here is how you can use it.

    # In register.php page:
    
    <?php
    require_once 'path/to/HTMLPurifier/library/HTMLPurifier.auto.php';
    
    $config = HTMLPurifier_Config::createDefault();
    $config->set('HTML.Doctype', 'HTML 4.01 Transitional');
    $config->set("HTML.Allowed", ""); // this will NOT allow any html tags
    $purifier = new HTMLPurifier($config);
    
    # hash the provided password (don't apply HTMLPurifier on the password)
    # password_hash() is used here instead of the original sha1(): it adds a salt and uses a slow hash
    $hash_password = password_hash($_POST["password"], PASSWORD_DEFAULT);
    
    $data = array();
    
    # apply HTMLPurifier on all submitted string data (purify() expects a string,
    # so an array such as gender[] would break here; see the NOTE below)
    foreach ($_POST as $key => $value) {
        if (is_string($value)) {
            $data[$key] = $purifier->purify($value);
        }
    }
    
    # get birthday
    $data["birthday"] = $data["year"] . "-" . $data["month"] . "-" . $data["day"];
    
    # insert submitted data into your database using a prepared statement.
    # The original used mysql_real_escape_string()/mysql_query(), which were removed in PHP 7;
    # the DSN and credentials below are placeholders.
    $db = new PDO('mysql:host=localhost;dbname=database_name;charset=utf8mb4', 'db_user', 'db_password');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $stmt = $db->prepare("
        INSERT INTO table_name (name, family, email, password, birthday, gender)
        VALUES (:name, :family, :email, :password, :birthday, :gender)
    ");
    $result = $stmt->execute(array(
        ":name"     => $data["name"],
        ":family"   => $data["family"],
        ":email"    => $data["email"],
        ":password" => $hash_password,
        ":birthday" => $data["birthday"],
        ":gender"   => $data["gender"],
    ));
    
    

NOTE: use male and female as the values of the name attributes of the 2 radio input tags instead of the gender[] array.
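An added example, not part of the question or the answer above, that puts the three questions together in PHP: allow-list validation of each field (including the select and radio values, which are just as attacker-controlled as a text box), htmlspecialchars() at the point of output for everything, and HTMLPurifier only for a status field where some markup is wanted. It assumes the radios are renamed to name="gender" with the values male and female as the NOTE suggests; the $_POST data at the bottom is constructed, and the HTMLPurifier part only runs if that library has been loaded.

```php
<?php
// Added example, not from the original question or answer. Field names follow the
// form above; the $sample submission at the bottom is constructed.

// Allow-list for the radio field (assumes <input type="radio" name="gender" value="male|female">).
const GENDERS = ['male', 'female'];

// Accept only a string of ASCII digits inside [$min, $max]; null otherwise.
// filter_var(..., FILTER_VALIDATE_INT) would reject the zero-padded "01" the month select sends.
function intInRange($value, int $min, int $max): ?int
{
    if (!is_string($value) || !ctype_digit($value)) {
        return null;
    }
    $n = (int)$value;
    return ($n >= $min && $n <= $max) ? $n : null;
}

// Step 1: validate every field against what it may legitimately contain.
// This decides whether the submission is accepted; it is not what stops XSS.
function validateRegistration(array $post): array
{
    $errors = [];
    $clean  = [];

    // name / family: letters from any script, combining marks, spaces, apostrophe, hyphen
    foreach (['name', 'family'] as $field) {
        $value = trim((string)($post[$field] ?? ''));
        if ($value === '' || mb_strlen($value) > 254 || !preg_match('/^[\p{L}\p{M}\s\'-]+$/u', $value)) {
            $errors[$field] = 'invalid';
        } else {
            $clean[$field] = $value;
        }
    }

    // email: the built-in validator instead of a hand-written pattern
    $email = (string)($post['email'] ?? '');
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'invalid';
    } else {
        $clean['email'] = $email;
    }

    // day / month / year: integers in the ranges the selects offer. The years are
    // 1300-1373 as in the form (not a Gregorian range), so checkdate() is not applied.
    $day   = intInRange($post['day']   ?? null, 1, 31);
    $month = intInRange($post['month'] ?? null, 1, 12);
    $year  = intInRange($post['year']  ?? null, 1300, 1373);
    if ($day === null || $month === null || $year === null) {
        $errors['birthday'] = 'invalid';
    } else {
        $clean['birthday'] = sprintf('%04d-%02d-%02d', $year, $month, $day);
    }

    // gender: must be one of the known values; a select or radio is as
    // attacker-controlled as a text box, the browser UI is not a check
    $gender = $post['gender'] ?? null;
    if (!is_string($gender) || !in_array($gender, GENDERS, true)) {
        $errors['gender'] = 'invalid';
    } else {
        $clean['gender'] = $gender;
    }

    return ['ok' => $errors === [], 'data' => $clean, 'errors' => $errors];
}

// Step 2: encode at the point of output. This is what prevents XSS, and it is
// applied to every value echoed into HTML, whether it passed validation or not.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Question 3: a field that may carry some markup (a status) goes through HTMLPurifier
// with a small tag allow-list instead of h(). The library is assumed to be loaded
// elsewhere; without it the status is encoded as plain text.
function purifyStatus(string $html): string
{
    if (!class_exists('HTMLPurifier_Config')) {
        return h($html);
    }
    $config = HTMLPurifier_Config::createDefault();
    $config->set('HTML.Allowed', 'b,i,a[href]');
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true]);
    return (new HTMLPurifier($config))->purify($html);
}

// Constructed sample: a script in the name, a harmless apostrophe in the family name,
// the zero-padded month the select sends, and a gender value the radio never offers.
$sample = [
    'name'   => '<script>alert(1)</script>',
    'family' => "O'Brien",
    'email'  => 'user@example.com',
    'day'    => '07',
    'month'  => '01',
    'year'   => '1360',
    'gender' => '<img src=x onerror=alert(1)>',
];
$result = validateRegistration($sample);   // name and gender are rejected, the rest accepted
print_r($result['errors']);

// Re-displaying the form after a failed submission: every echoed value is encoded,
// so the script in the name becomes inert text inside the attribute.
echo '<input type="text" name="name" value="' . h($sample['name']) . '" />', "\n";
echo '<input type="text" name="family" value="' . h($sample['family']) . '" />', "\n";
echo purifyStatus('<b>hi</b><script>alert(1)</script>'), "\n";
```

The split matters for the second question: the select and radio values are validated against the allow-list on input, but they are still passed through h() when echoed (for example to re-select the submitted option), because the browser's form controls say nothing about what a crafted POST contains.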

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow