A working example would be:
<?php
$g = new dXSS();
$g->url = 'http://www.google.es';   // URL the class uses for requests that fail the check
$g->longitud = 10;                  // length limit applied to the parameters
$g->TestGet();                      // run the check over $_GET
This code must run before the script sends any output to the browser, at the very top of the page for example, since PHP cannot send a redirect header once output has started.
Configured this way, the class accepts a query string such as:
http://www.domain.com/index.php?Id=45&acc=new&op=32
but rejects one such as:
http://www.domain.com/index.php?p=<script>alert("XSS");</script>
It is worth setting the length limit as small as your parameters allow:
<?php
$g = new dXSS();
$g->url = 'http://www.google.es';   // URL the class uses for requests that fail the check
$g->longitud = 2;                   // a much tighter length limit
$g->TestGet();                      // run the check over $_GET
This allows:
http://www.domain.com/index.php?Id=45&sub=3&acc=new&op=32
but rejects:
http://www.domain.com/index.php?Id=<meta%20http-equiv="refresh"%20content="0;">
or even:
http://www.domain.com/index.php?Id=$%
NOTE: This class only checks the parameters received in $_GET. It could easily be adapted or modified to check the data received in $_POST, or both, but the goal here was to show a very simple usage that is also compatible with PHP versions prior to 5.
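As an added illustration (this is not the dXSS class itself, whose source is not shown on this page), the following PHP implements the same idea as an allow-list over request parameters and extends it to $_POST as the note suggests. The article does not define exactly what its length setting measures, so the example treats it as a maximum value length; the function names, the alphanumeric pattern and the 302 redirect are this example's own choices, and the sample query strings at the bottom are taken from the examples above.

```php
<?php
// Added example, not the dXSS class from the article.
// Every parameter name and value must be alphanumeric (plus '_' and '-')
// and no longer than a given limit; anything else sends the visitor away.
// ASSUMPTION: the length limit is treated here as a maximum value length.

function valueIsSafe($value, $maxLength)
{
    // Array parameters (a[]=1) are rejected outright; only scalars are checked.
    if (!is_string($value) || strlen($value) > $maxLength) {
        return false;
    }
    // \A and \z anchor the whole string, so a trailing newline cannot slip
    // past the check the way it can with ^ and $.
    return preg_match('/\A[A-Za-z0-9_-]*\z/', $value) === 1;
}

function paramsAreSafe($params, $maxLength, $maxNameLength = 32)
{
    foreach ($params as $name => $value) {
        if (!valueIsSafe((string) $name, $maxNameLength)
            || !valueIsSafe($value, $maxLength)) {
            return false;
        }
    }
    return true;
}

// Runs the check over both $_GET and $_POST and redirects on failure.
// Must be called before any output, because header() cannot send a
// Location header once the response body has started.
function enforceAllowList($redirectUrl, $maxLength)
{
    if (!paramsAreSafe($_GET, $maxLength) || !paramsAreSafe($_POST, $maxLength)) {
        header('Location: ' . $redirectUrl, true, 302);
        exit;
    }
}

// Constructed sample query strings (from the article's own examples) to show
// what the check accepts and rejects with a limit of 10.
$samples = array(
    'Id=45&acc=new&op=32',                          // accepted
    'p=<script>alert("XSS");</script>',             // rejected: markup, too long
    'Id=<meta http-equiv="refresh" content="0;">',  // rejected: markup, too long
    'Id=$%',                                        // rejected: '$' and '%'
);
foreach ($samples as $query) {
    $params = array();
    parse_str($query, $params);
    printf("%-45s %s\n", $query, paramsAreSafe($params, 10) ? 'accepted' : 'rejected');
}

// Apply the same rule to the live request.
enforceAllowList('http://www.google.es', 10);
```

A gate like this is a coarse first line of defence: it cannot protect parameters that legitimately need spaces, punctuation or free text, and it does not replace encoding every value with htmlspecialchars() at the point where it is written into the page.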