Diffstat (limited to 'xss-check.php.sample')
-rw-r--r--xss-check.php.sample48
1 files changed, 48 insertions, 0 deletions
diff --git a/xss-check.php.sample b/xss-check.php.sample
new file mode 100644
index 0000000..bfc7973
--- /dev/null
+++ b/xss-check.php.sample
@@ -0,0 +1,48 @@
+<?php
+
+/**
+ * We don't automatically set this up, because it depends on server
+ * configuration.
+ *
+ * This is a sample, it's what I use on mckenzierobotics.org
+ * So, it may help you to know that I have several systems interacting there.
+ * http://mckenzierobotics.org/ Base of entire site
+ * http://mckenzierobotics.org/mm/ WordPress
+ * http://mckenzierobotics.org/wp/ MessageManager
+ *
+ * The 'conf' table for MessageManager has 'baseurl' set to '/mm/'; it does NOT
+ * include the hostname.
+ *
+ * The idea of this approach is we inspect the HTTP_REFERER to decide if the
+ * user came from an acceptable URL. This is tricky because this isn't
+ * nescessarily just URLs inside of MessageManager's "baseurl", and URLs from
+ * inside of "baseurl" might not be trusted (like email body files).
+ */
+function xss_attack() {
+ $siteurl = 'http://mckenzierobotics.org/';// basic trusted base
+ $mmurl = $siteurl.'mm/';// where MessageManager is
+
+ if (!isset($_SERVER['HTTP_REFERER']))
+ return false;
+
+ $from = $_SERVER['HTTP_REFERER'];
+ $method = $_SERVER['REQUEST_METHOD'];
+
+ switch ($method) {
+ case 'PUT': break;
+ case 'POST': break;
+ case 'GET': return false; break;
+ case HEAD: return false; break;
+ default: break;
+ }
+
+ if (substr($from,0,strlen($siteurl)) != $siteurl)
+ return true;
+
+ $messages = '@^'.preg_quote($mmurl.'messages/','@').'.*/.@';
+ if (preg_match($messages, $from))
+ // Someone cleverly tried to XSS us from inside a message
+ return true;
+
+ return false;
+} \ No newline at end of file
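Review bot: `case HEAD:` in the request-method switch compares against an undefined constant rather than the string `'HEAD'`; older PHP falls back to the bare name with a notice, and PHP 8 raises an Error on the lookup, so the line should read `case 'HEAD': return false;`. The `break` statements following each `return` in that switch are unreachable and can be dropped. The early `return false` when HTTP_REFERER is absent means a PUT/POST request that simply lacks the header is treated as trusted, so this referer inspection is a weak control on its own; at minimum the branch deserves a comment such as `// A missing Referer is deliberately treated as not-an-attack; pair with a per-session token for state-changing requests.` The prefix comparison on the $siteurl line should use `!==` for a strict string comparison, consistent with the strict matching the function is meant to enforce.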