I have a security function which is part of a script. It's supposed to filter out malicious code from being executed in an input form. It works without a problem with normal characters from A-Z, but it rejects inputs with characters such as á, ñ, ö, etc.
What can I do so that form inputs with these characters are not rejected? Here is the function:
function add_special_chars($string, $no_quotes = FALSE)
{
$patterns = array(
"/(?i)javascript:.+>/",
"/(?i)vbscript:.+>/",
"/(?i)<img.+onload.+>/",
"/(?i)<body.+onload.+>/",
"/(?i)<layer.+src.+>/",
"/(?i)<meta.+>/",
"/(?i)<style.+import.+>/",
"/(?i)<style.+url.+>/"
);
$string = str_ireplace("&","&",$string);
if (!$no_quotes) $string = str_ireplace("'","'",$string);
$string = str_ireplace('"','"',$string);
$string = str_ireplace('<','<',$string);
$string = str_ireplace('>','>',$string);
$string = str_ireplace(' ',' ',$string);
foreach ($patterns as $pattern)
{
if(preg_match($pattern, $string))
{
$string = strip_tags($string);
}
}
$string = preg_replace('#(&\#*\w+)[\x00-\x20]+;#u', "$1;", $string);
$string = preg_replace('#(&\#x*)([0-9A-F]+);*#iu', "$1$2;", $string);
$string = html_entity_decode($string, ENT_COMPAT, LANG_CODEPAGE);
$string = preg_replace('#(<[^>]+[\x00-\x20\"\'\/])(on|xmlns)[^>]*>#iUu', "$1>", $string);
$string = preg_replace('#([a-z]*)[\x00-\x20\/]*=[\x00-\x20\/]*([\`\'\"]*)[\x00-\x20\/]*j[\x00-\x20]*a[\x00-\x20]*v[\x00-\x20]*a[\x00-\x20]*s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:#iUu', '$1=$2nojavascript...', $string);
$string = preg_replace('#([a-z]*)[\x00-\x20\/]*=[\x00-\x20\/]*([\`\'\"]*)[\x00-\x20\/]*v[\x00-\x20]*b[\x00-\x20]*s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:#iUu', '$1=$2novbscript...', $string);
$string = preg_replace('#([a-z]*)[\x00-\x20\/]*=[\x00-\x20\/]*([\`\'\"]*)[\x00-\x20\/]*-moz-binding[\x00-\x20]*:#Uu', '$1=$2nomozbinding...', $string);
$string = preg_replace('#([a-z]*)[\x00-\x20\/]*=[\x00-\x20\/]*([\`\'\"]*)[\x00-\x20\/]*data[\x00-\x20]*:#Uu', '$1=$2nodata...', $string);
$string = preg_replace('#(<[^>]+[\x00-\x20\"\'\/])style[^>]*>#iUu', "$1>", $string);
$string = preg_replace('#</*\w+:\w[^>]*>#i', "", $string);
do
{
$original_string = $string;
$string = preg_replace('#</*(applet|meta|xml|blink|link|embed|object|iframe|frame|frameset|ilayer|layer|bgsound|title|base)[^>]*>#i', "", $string);
}
while ($original_string != $string);
return $string;
}
UPDATE: I found that the following line seems to be causing the problem, but not sure why:
$string = preg_replace('#(<[^>]+[\x00-\x20\"\'\/])style[^>]*>#iUu', "$1>", $string);
