You are here

Home » API reference » XSS Protection 7 » xssprotection.module

function xssprotection_init in XSS Protection 7

Implements hook_init().

File

./xssprotection.module, line 11
Module for managing XSS vulnerability.

Code

function xssprotection_init() {
  if (variable_get('xssprotection_enabled', 0)) {
    $url = strtolower(request_uri());
    $xss_checks = array();
    $xss_checks = array(
      '%3e',
      '%3c',
      '>',
      '<',
      '%25',
    );

    // Event handlers list from https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Event_Handlers
    array_push($xss_checks, 'onmouseover', 'fscommand', 'onabort', 'onactivate', 'onafterprint', 'onafterupdate', 'onbeforeactivate', 'onbeforecopy', 'onbeforecut', 'onbeforedeactivate', 'onbeforeeditfocus', 'onbeforepaste', 'onbeforeprint', 'onbeforeunload', 'onbeforeupdate', 'onbegin', 'onblur', 'onbounce', 'oncellchange', 'onchange', 'onclick', 'oncontextmenu', 'oncontrolselect', 'oncopy', 'oncut', 'ondataavailable', 'ondatasetchanged', 'ondatasetcomplete', 'ondblclick', 'ondeactivate', 'ondrag', 'ondragend', 'ondragleave', 'ondragenter', 'ondragover', 'ondragdrop', 'ondragstart', 'ondrop', 'onend', 'onerror', 'onerrorupdate', 'onfilterchange', 'onfinish', 'onfocus', 'onfocusin', 'onfocusout', 'onhashchange', 'onhelp', 'oninput', 'onkeydown', 'onkeypress', 'onkeyup', 'onlayoutcomplete', 'onload', 'onlosecapture', 'onmediacomplete', 'onmediaerror', 'onmessage', 'onmousedown', 'onmouseenter', 'onmouseleave', 'onmousemove', 'onmouseout', 'onmouseover', 'onmouseup', 'onmousewheel', 'onmove', 'onmoveend', 'onmovestart', 'onoffline', 'ononline', 'onoutofsync', 'onpaste', 'onpause', 'onpopstate', 'onprogress', 'onpropertychange', 'onreadystatechange', 'onredo', 'onrepeat', 'onreset', 'onresize', 'onresizeend', 'onresizestart', 'onresume', 'onreverse', 'onrowsenter', 'onrowexit', 'onrowdelete', 'onrowinserted', 'onscroll', 'onseek', 'onselect', 'onselectionchange', 'onselectstart', 'onstart', 'onstop', 'onstorage', 'onsyncrestored', 'onsubmit', 'ontimeerror', 'ontrackchange', 'onundo', 'onunload', 'onurlflip', 'seeksegmenttime');
    foreach ($xss_checks as $xss) {
      if (strpos($url, $xss) > 0) {
        if ($xssprotection_text = variable_get('xssprotection_text')) {
          drupal_set_message(check_plain($xssprotection_text));
        }
        else {
          drupal_set_message(t('Requested page could not be found.'));
        }
        drupal_goto();
      }
    }
  }
}