
Conversation

@Ange1PLSGreet

Title

  • Add XSS Attack Protection for Magic Variables $_GET and $_POST

Description

  • This pull request introduces XSS (Cross-Site Scripting) attack protection for the magic variables $_GET and $_POST. By sanitizing their inputs, we mitigate the risk of attackers injecting malicious scripts into web pages.

Changes Made

  • Enhanced Sanitization in add_post_var: An extra sanitization step is added to the add_post_var function in main/php_variables.c. It removes common XSS-related characters and patterns from input values, neutralizing potential malicious scripts before they're registered as PHP variables.
  • Extended Sanitization in php_default_treat_data: Additional sanitization logic is implemented in both PARSE_GET and PARSE_POST cases of the php_default_treat_data function, strengthening input handling for $_GET and $_POST.

Testing

  • Custom PHP Script with cURL: Instead of using PHPT, I wrote a custom PHP script and used cURL to test XSS protection. The script sends various XSS payloads via $_GET and $_POST requests and verifies the sanitized output. It covers common XSS patterns like <script> tags, javascript: URIs, and event-based injection.

This is my test code:

```php
// TestGet.php
<?php var_dump($_GET); ?>
// TestPost.php
<?php var_dump($_POST); ?>
```

```shell
curl "http://localhost:8000/TestGet.php?param1=<script>alert('xss')</script>"
curl -X POST -d "param1=<script>alert('xss')</script>" http://localhost:8000/TestPost.php
```

Manual Verification

  • After running the test script, I manually verified that the sanitization worked without breaking existing functionality.

@Ange1PLSGreet Ange1PLSGreet requested a review from bukka as a code owner July 6, 2025 06:51
@Ange1PLSGreet Ange1PLSGreet reopened this Jul 6, 2025
@rlerdorf
Member

rlerdorf commented Jul 6, 2025

You know about https://www.php.net/manual/en/filter.configuration.php right?

@Ange1PLSGreet
Author

Ange1PLSGreet commented Jul 6, 2025

> You know about https://www.php.net/manual/en/filter.configuration.php right?

Yeah, I know filter.default = full_special_chars and filter.default_flags = 0, and this INI setting is deprecated as of PHP 8.1.0.
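As an added illustration of the ext/filter mechanism rlerdorf points to (example code, not part of this PR or of php-src), the payloads from the curl tests above are run through FILTER_SANITIZE_FULL_SPECIAL_CHARS, the per-value filter that filter.default=full_special_chars applied to every request globally, and placed beside context-aware escaping at output time with htmlspecialchars. The request array is constructed inline in place of $_GET/$_POST so the script runs from the CLI.

```php
<?php
// Added example, not code from this PR or from php-src.
// Constructed request values standing in for $_GET / $_POST; the first two
// match the PR's curl tests, the third is an attribute-context payload.
$constructedRequest = [
    'param1' => "<script>alert('xss')</script>",
    'param2' => "javascript:alert(1)",
    'param3' => 'x" onmouseover="alert(1)',
];

// 1. Input-time sanitization: the per-value equivalent of what the
//    deprecated filter.default=full_special_chars INI setting did for
//    every incoming GET/POST value. The rewritten value is then what
//    every later consumer (template, database, JSON, log) sees.
function sanitizeInput(array $request): array
{
    return filter_var_array($request, FILTER_SANITIZE_FULL_SPECIAL_CHARS);
}

// 2. Output-time escaping for the HTML text / attribute context.
//    The raw value stays untouched for sinks where HTML entities would
//    be wrong; the encoding is chosen where the value is emitted.
function escapeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

$sanitized = sanitizeInput($constructedRequest);
foreach ($constructedRequest as $name => $raw) {
    printf("%s\n  raw:         %s\n  input-side:  %s\n  output-side: %s\n",
        $name, $raw, $sanitized[$name], escapeForHtml($raw));
}
```

Both transforms neutralize the `<script>` and attribute-breakout payloads by turning `<`, `>` and quotes into entities, which is the check this PR's curl tests exercise. Neither changes the `javascript:` value: entity encoding is not a URL-scheme check, so an href assembled from user input needs separate scheme validation regardless of where sanitization happens. That difference is the usual argument for escaping at the sink, where the context is known, rather than rewriting $_GET and $_POST once for all consumers.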

