Useful Scripts for Webmasters

JetScripts Data Sanitizer / XSS Cleaner

The JetScripts Data Sanitizer and XSS Cleaner prevents SQL-injection attacks and Cross-Site Scripting exploits by cleaning or 'sanitizing' user-submitted data. It's a must for any website that accepts user input, such as blogs, bulletin boards, and contact forms. Read more about the Sanitizer below, or try the demo.

This tool is intended for users who write or modify scripts, or who want an extra measure of protection against malicious users, hackers, and spambots. It is not intended for the casual user or those without at least some minimal knowledge of the PHP scripting language.

Sanitizer Demo

A simple test-bed is available for you to use. Try the demo here.


Sanitizing Functions

The Sanitizer can operate in several different cleaning modes:

  • Numeric only: Screens out everything except numeric data. Only the numbers 0 through 9 are allowed to pass, plus the space, period, and '-' characters. These characters are allowed so as to make screening data like telephone numbers and social security numbers easier.
  • Alphabetic Only: Screens out everything except the letters A through Z (upper and lower case), plus spaces and the underscore character '_'. HTML-style brackets are not passed.
  • Alphanumeric Only: Screens out everything except alphanumeric characters, numbers, space characters, underscores, periods, colons, and dashes. This mode allows for most user-supplied data to be passed in while still screening out garbage characters and unwanted punctuation. HTML-style brackets are not passed.
  • Alphanumeric with Punctuation: Similar to the above mode, but relaxes screening for most punctuation characters. This includes the following characters: @#$%=:;_, \!^&*()-+.?/'". HTML-style brackets are not passed.
  • Email Validation mode: Allows only characters legal for use in email addresses: 0-9, a-z, A-Z, @ _ \ - \ .. HTML-style brackets are not passed.
In each of the above modes other common exploit command entities are removed, such as: 'alert', 'cmd', 'passthru', 'eval', 'exec', 'system', 'fopen', 'fsockopen', 'file', 'file_get_contents', 'readfile', and 'unlink'.

Also removed are dozens of Javascript-specific exploit entities such as: 'onblur', 'onbounce', 'oncellchange', 'onchange', 'onclick', 'oncontextmenu', 'oncontrolselect', 'oncopy', 'oncut', 'ondataavailable', 'ondatasetchanged', 'ondatasetcomplete', 'ondblclick', 'ondeactivate', 'ondrag', 'ondragend', 'ondragenter', 'ondragleave', 'ondragover', 'ondragstart', 'ondrop', 'onerror', 'onerrorupdate', 'onfilterchange', 'onfinish', 'onfocus', 'onfocusin', 'onfocusout', 'onhelp', 'onkeydown', 'onkeypress', 'onkeyup', and many, many others.

The Sanitizer also perform a number of data transforms to ensure that malicious input isn't obfuscated and passed in. Entities like 'j a v a s c r i p t', 'vbscript', 'script', 'applet', 'alert', 'document', 'write' and others are stripped of spaces and compacted back to their original forms for detection and removal.

Obfucated and escaped strings like http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D">Google</a> are converted and scanned, as well as UTF16 data, null characters, octal characters, cookie commands, and many other potentially malicious data strings.

No data sanitization process is perfect, but the JetScripts Sanitizer is an excellent first line of defense against the thousands of different SQL-injection attacks and Cross-Site Scripting exploits in use today. It's so good, we use it here and in all of our products that accept user input. The JetScripts Sanitizer is compact and fast loading, and is generally easy to add into most existing scripts. If you're writing a script then it's an even simpler matter to call it wherever user-supplied data is found.

Stop relying on half-baked measures like 'mysql_real_escape()', 'strip_tags()', 'magic_quotes()' or other ineffective methods for cleaning and securing user-supplied data. None of those methods will stop even a slightly motivated hacker or script-kiddie.

The number and creativity of SQL-injection attacks and Cross-Site Scripting exploits increases every day- isn't it about time you started using some industrial-strength measures to keep them off your site and out of your server?

Want to use and/or redistribute this code in your project or software? Volume licenses with significant discounts are available to programmers and distributors. We'll make it easy and affordable to include this great tool in your next project, so please contact us.



"If you're not using this, you should be." - Frank M., programmer, Erie PA

"Finally, a solution that really, really works! Outstanding!" - Jim S., Los Angeles CA

"Stopped everything, and I mean everything that we threw at it. Rock solid." - R.A., San Francisco CA

"I'm using this in every project from now on, no exceptions." - Darren T., Pensacola FL



© JetScripts 2009~2010 :: Privacy & TOS
banner rotator |   Text CAPTCHA |   XSS Sanitizer |   Geo Location Tool |   Ultimate Pimp Game