So, before I start, quickly: this is not meant to actually stop XSS scripts.
I am designing a project which shows common errors in preventing XSS.
[PHP]
<?php
$message = 'iframe javascript normaltext';
$message = xsseliminator($message);
echo $message;

// Declared unconditionally at file scope, so PHP hoists it and the call above works.
function xsseliminator($message)
{
    // Deliberately naive word blacklist (this is the "common error" the project demonstrates)
    $xssWords = array('iframe', 'javascript');
    $replaceWith = array(' the iframe tag is forbidden', ' the javascript tag is forbidden');
    $message = str_ireplace($xssWords, $replaceWith, $message);
    return $message;
}
?>
[/PHP]
This works fine on its own page; however, when I place it inside this:
[php]
<?php
// The function must be declared outside the if-block: PHP only hoists unconditional,
// top-level declarations. Declared inside the block, it exists only after that line
// runs, so calling it earlier gives "Call to undefined function xsseliminator()".
function xsseliminator($message)
{
    // Deliberately naive word blacklist (this is the "common error" the project demonstrates)
    $xssWords = array('iframe', 'javascript');
    $replaceWith = array(' the iframe tag is forbidden', ' the javascript tag is forbidden');
    $message = str_ireplace($xssWords, $replaceWith, $message);
    return $message;
}

// when the submit button is pressed
if (isset($_POST['btnSign']))
{
    // assign these values
    // $message is taken from the message box on the page (mtxMessage)
    $message = trim($_POST['mtxMessage']);
    $message = xsseliminator($message);
    // $name is taken from the session value for username
    $name = $_SESSION['username'];
    // $email is taken from the value of the earlier PHP query for the email
    $email = $emailr;
    // Construct the SQL query to send to the database
    $query = "INSERT INTO $tbl_name (comment,username,email) VALUES ('$message','$name','$email');";
    // run the query on the database or return an error message
    $result = mysql_query($query) or die("\n" . mysql_error() . "\n");
    // reload the page
    header("Location:login_msgboard.php");
}
?>
[/php]
I get the error:
[Thu Jan 10 17:07:09 2013] [error] [client 127.0.0.1] PHP Fatal error: Call to undefined function xsseliminator() in /var/www/CorviTestingVuln/CorviTestingMed/login_msgboard.php on line 38, referer: http://127.0.0.1/CorviTestingVuln/CorviTestingMed/login_msgboard.php
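Added example (not from the post above or its project) showing why the second snippet fails, and the defender-side counterpart to the word blacklist: bound parameters on insert and HTML output encoding on display. `$db`, `$tbl_name` and the column names are assumed from the post's context; `storeComment`/`renderComment` are hypothetical names.

```php
<?php
// PHP hoists only unconditional, file-scope function declarations. A function
// declared inside an if-block comes into existence only when that line executes.

var_dump(function_exists('hoisted'));     // true: declared at file scope further down
var_dump(function_exists('conditional')); // false: its declaration has not run yet

function hoisted() { return 'ok'; }

if (true) {
    // Calling conditional() at this point would be a fatal "Call to undefined function".
    function conditional() { return 'ok'; }
    var_dump(function_exists('conditional')); // true only from here on
}

// Defender's counterpart to the blacklist: store the text unchanged with a bound
// parameter (no SQL injection), and encode it for HTML only when displaying it.
// $table must come from code, never from user input; it cannot be a bound parameter.
function storeComment(mysqli $db, string $table, string $comment, string $user, string $email): bool
{
    $stmt = $db->prepare("INSERT INTO `$table` (comment, username, email) VALUES (?, ?, ?)");
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('sss', $comment, $user, $email);
    return $stmt->execute();
}

function renderComment(string $comment): string
{
    // Context-aware output encoding neutralises markup in an HTML text node,
    // whatever words the comment happens to contain.
    return htmlspecialchars($comment, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample input echoing the post's test string; the markup is rendered inert.
echo renderComment('<iframe src="x"></iframe> javascript normaltext'), "\n";
```

The blacklist in the post rewrites two words but leaves every other HTML construct untouched, which is exactly the weakness the project sets out to demonstrate; output encoding does not depend on guessing which words are dangerous.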