I have a log function on my admin panel that checks user input for being correct and, if not correct, writes it to a log file. This log file is written to the admin when logged in.
I was testing my site for vulnerabilities, and I managed to fully exploit my server using an XSS hole. I tried to filter logged input by checking the input through this function:
function isXSS($in){
return preg_match("[<>(%[0-9a-fA-F]{2}+)]", $in) == 1;
}
but that would either paranoidly mark everything as a loathed XSS worm, or ignore common XSS injections. I think that the problem is the + quantifier, but I have heard that other PHP regexes allow this.
What’s wrong with good old htmlspecialchars? I see why you might want to track potentially malicious users, but if you’re investing your energy in simply blocking the security holes instead, then there’s really no need.