mod_rewrite: Prevent XSS?

[Amanda<3]

Well, i know how to do it the old way, url by url by url. I was wondering if anyone could suggest a more shortcut approach to keep XSS out of the url using mod_rewrite. Also, i currently have a rewrite function that rewrites my URL's for me:

function rewriteURI($URI,$argSeperator="/"){	    $origURI = $URI;		    $requestURI = preg_replace("/^\/?([A-Z0-9_-]+)\.php(.+)?$/i","$1", $origURI);			$requestURI = '/'.$requestURI.'/';			    $params = explode("?",$origURI);                $args = explode("&", $params[1]);				$queryString = '';                    foreach($args as $arg){					    $parts = explode("=", $arg);						    $queryString .= $parts[1].$argSeperator;											   }				     				    $rewrittenURI = preg_replace("/^(.*)\\$argSeperator$/i","$1", $queryString);					$rewrittenURI = $requestURI.$rewrittenURI;					$rewrittenURI = $rewrittenURI;										    return $rewrittenURI;}

 

Basically that is what i'm using to turn this: page.php?arg1=foo&arg2=bar, into /page/foo/bar. Is this a good method?

[a_bertrand]

no, a mod_rewrite doesn't prevent XSS

[Amanda<3]

I'm saying, is it possible to rewrite the URL to not allow XSS inside the URL. I know it doesn't completely solve the problem though.

[a_bertrand]

Well, sure you could prevent ANY kind of tag / scripts and therefore you would prevent XSS. You can find pre-made PHP library which will check if your parameters (GET, POST, COOKIES) are potentially harmful or not.

A good example of what you could use:

http://phpids.org/

demo under:

http://demo.phpids.org/

This lib prevent XSS as well as SQL injection.

However, honestly, it doesn't completely replace a well secured code.

[Amanda<3]

Thanks. and Yeah i still secure my scripts, i just rather have extra insurance. You can never over-secure something...

[a_bertrand]

Well actually yes, as the more you secure it the more checks you build in, and the slower it will be. Also increase security means also at some point less usable features.