<?php
function uniord__($c) {
$h = ord($c{0});
if ($h <= 0x7F) {
return $h;
} else if ($h < 0xC2) {
return false;
} else if ($h <= 0xDF) {
return ($h & 0x1F) << 6 | (ord($c{1}) & 0x3F);
} else if ($h <= 0xEF) {
return ($h & 0x0F) << 12 | (ord($c{1}) & 0x3F) << 6
| (ord($c{2}) & 0x3F);
} else if ($h <= 0xF4) {
return ($h & 0x0F) << 18 | (ord($c{1}) & 0x3F) << 12
| (ord($c{2}) & 0x3F) << 6
| (ord($c{3}) & 0x3F);
} else {
return false;
}
}
/**
* Secures input string against XSS-attacks.
* Return value can be send to browser securely.
* supports single & multi byte UTF-8
*/
function SEQ_OUTPUT($string_ = '') {
$string = mb_convert_encoding($string_, "UTF-8", "7bit, UTF-7, UTF-8, UTF-16, ISO-8859-1, ASCII");
$output = '';
for ($i = 0; $i < mb_strlen($string); $i++) {
if (preg_match('/([a-zA-Z0-9_.-])/', $string[$i])) {
$output .= $string[$i];
continue;
}
$byte = ord($string[$i]);
if ($byte <= 127) {
$length = 1;
$output .= sprintf("&#x%04s;", dechex(uniord__(mb_substr($string, $i, $length))));
} else if ($byte >= 194 && $byte <= 223) {
$length = 2;
$output .= sprintf("&#x%04s;", dechex(uniord__(mb_substr($string, $i, $length))));
} else if ($byte >= 224 && $byte <= 239) {
$length = 3;
$output .= sprintf("&#x%04s;", dechex(uniord__(mb_substr($string, $i, $length))));
} else if ($byte >= 240 && $byte <= 244) {
$length = 4;
$output .= sprintf("&#x%04s;", dechex(uniord__(mb_substr($string, $i, $length))));
}
}
return $output;
}
?>
Code can be tested by
echo SEQ_OUTPUT('プライバシー <script>alert(3)</script>');
It runs in the wanted way, but I wish to use the code in more than one snippet.
Therefore i have the question, if it is possible, that this code can be placed in a separated snippet and then embedded in the different calling snippets by some "include"-function?
In which way do i give the text-string to the xss-snippet and the output back to the calling snippet?
Thanks for help.
Christiane
