Securing a site's POST, GET and REQUEST in PHP

I had a major security issue today. I did some tests on a project and found out that the input "><script>alert(1)</script> made a big mess.

I tried multiple ways to fix it but it seems I could not find one. I know a simple regex for <script> could also do the trick, but there are a lot of ways to get around that.

The biggest problem is that I have a very big $_POST variable with a lot of nested arrays that are generated dynamically. So the only way I could fix this XSS in PHP was to write a recursive function.

// Recursively HTML-encode every scalar leaf of a (possibly nested) request array.
function recursivearr($arr){
    if(is_array($arr)){
        foreach($arr AS $key => $value){
            $arr[$key] = recursivearr($value);
        }
        return $arr;
    }else{
        // ENT_QUOTES also encodes single quotes (the pre-PHP 8.1 default, ENT_COMPAT,
        // leaves them alone); ENT_SUBSTITUTE keeps invalid UTF-8 from emptying the value.
        return htmlspecialchars((string)$arr, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
$_POST = recursivearr($_POST);
$_GET = recursivearr($_GET);
$_REQUEST = recursivearr($_REQUEST);

The function above encodes every character that has special meaning in HTML (<, >, &, and quotes) so that, when the value is echoed into the page, the browser renders it as text instead of interpreting it as markup. Because it is recursive, it walks the whole array, however deeply nested, and handles each value one by one. This function did the best for me on securing the input I had.

Two caveats before copying it: htmlspecialchars() before PHP 8.1 defaulted to ENT_COMPAT, which leaves single quotes untouched, so a value echoed into a single-quoted attribute (value='...') could still break out unless ENT_QUOTES is passed. And HTML encoding is only the right encoding for HTML body and attribute contexts; a value written into a <script> block or a URL needs that context's own encoder, and encoding at input time also changes what gets stored (an & in the data becomes &amp; in the database), which is why escaping at output time is the usual recommendation.
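The same data rendered with output-side, context-specific escaping, as an added example that is not the post author's code. It assumes PHP 8.0 or newer (for str_contains and the mixed type); the helper names e(), js(), url(), escapeTree() and check() are this example's own, and the request array is constructed for the demonstration. It also shows the ENT_COMPAT caveat concretely: the same payload escaped with the old default flags keeps its single quote.

```php
<?php
// Added example, not the post author's code. Requires PHP 8.0+ (str_contains, mixed).
// Helper names e(), js(), url(), escapeTree() and check() are this example's own.
declare(strict_types=1);

// Escape for HTML element content and for double- or single-quoted attribute values.
// ENT_QUOTES encodes ' as well as "; ENT_SUBSTITUTE replaces invalid UTF-8 with U+FFFD
// instead of returning '' (which would silently blank the whole value).
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Escape for a JavaScript string literal inside a <script> block. The JSON_HEX_* flags
// turn < > & ' " into \uXXXX so a value containing "</script>" cannot close the block.
function js(string $s): string
{
    return json_encode(
        $s,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Escape for a value placed in a URL query string.
function url(string $s): string
{
    return rawurlencode($s);
}

// Walk a request array of the same shape as a nested $_POST and return a copy whose
// scalar leaves are HTML-escaped. String keys are escaped too, because dynamically
// generated field names tend to be echoed back into the form as well.
function escapeTree(mixed $value): mixed
{
    if (is_array($value)) {
        $out = [];
        foreach ($value as $k => $v) {
            $out[is_string($k) ? e($k) : $k] = escapeTree($v);
        }
        return $out;
    }
    return $value === null ? '' : e((string) $value);
}

function check(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
}

// Constructed sample request: the payload from the post, plus a single-quote variant
// nested two levels deep, of the kind the old default flags let through.
$post = [
    'name'  => '"><script>alert(1)</script>',
    'items' => [
        ['title' => "'><img src=x onerror=alert(2)>"],
    ],
];

$safe = escapeTree($post);

// Render the same data into four contexts, each with the encoder for that context.
$html = sprintf(
    "<p>%s</p>\n<input value='%s'>\n<a href=\"/search?q=%s\">link</a>\n<script>var name = %s;</script>\n",
    $safe['name'],
    $safe['items'][0]['title'],
    url($post['name']),
    js($post['name'])
);
echo $html;

// No raw tag or quote survives in any context.
check(!str_contains($html, '<script>alert'), 'HTML body is inert');
check(!str_contains($safe['items'][0]['title'], "'"), 'single quote encoded as &apos;');
check(stripos($html, '\u003c') !== false, 'script context hex-escaped <');

// Why ENT_QUOTES matters: with ENT_COMPAT, the default before PHP 8.1, the single
// quote comes through untouched and could close value='...' in the attribute above.
$legacy = htmlspecialchars($post['items'][0]['title'], ENT_COMPAT, 'UTF-8');
check(str_contains($legacy, "'><img"), 'ENT_COMPAT leaves the single quote alone');
```

Run it with php on the command line; it prints the escaped markup and throws if any of the checks fail. The point of keeping $post unescaped and calling url() and js() on the raw value is that each sink gets exactly one encoding for its own context, rather than HTML entities ending up inside a URL or a JavaScript string where they mean nothing.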
