Over the last few days, the Youjoomla Team has been testing security, or rather, testing the best protection you can use on your Joomla! website. We focused mainly on XSS (cross-site scripting), since it is one of the most common ways for an intruder to get into or abuse your website. If you did not know, one of the best ways to protect yourself from XSS is to turn Joomla! SEF on.
But the problem is that not everyone uses it as they should. So it is up to us developers to try to protect you before you even think about downloading our products. Putting our heads together helped, and we also joined forces with the brilliant Mr. andresg888, who was, to our surprise, very polite and helped us test some common exploits.
Most of these attacks use unsanitized $_POST and $_GET values in your code. We brushed up on strip_tags(), htmlentities(), htmlspecialchars() and so on, but most of them either strip everything or are not 100% reliable as protection. So we came up with a few lines of code that strip everything from $_POST or $_GET and return only letters, numbers, spaces and '. Mr. andresg888 was kind enough to test it for us and confirmed the protection.
So here it is: 2 lines that can save you from trouble.
// Keep only word characters (letters, digits, underscore), whitespace and the apostrophe in every request value
$_GET  = preg_replace("|([^\w\s\'])|i", '', $_GET);
$_POST = preg_replace("|([^\w\s\'])|i", '', $_POST);
Simply add them to your template index.php after the first <?php declaration and you should be safe. Please remember that every piece of code has weaknesses, and if you find one in this snippet, we would like to hear your thoughts or advice.
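As an added example (not the Youjoomla snippet itself, and not code from Joomla!), here is the same whitelist written as a recursive function and run against constructed request data, next to the htmlspecialchars() output encoding mentioned above. The yj_* function names and the sample values are assumptions made for this demonstration.

```php
<?php
// Added example, not the Youjoomla snippet itself. The yj_* names and the
// sample request data below are constructed for this demonstration.

// Same whitelist as the two-line filter, applied recursively so that nested
// request values (form[field]) are filtered instead of collapsing into the
// string "Array", which is what preg_replace() does with an array element.
function yj_whitelist_filter($value)
{
    if (is_array($value)) {
        return array_map('yj_whitelist_filter', $value);
    }
    return preg_replace("|[^\w\s']|", '', (string) $value);
}

// Output encoding for an HTML context: keeps the data intact and lets the
// browser treat it as text rather than markup.
function yj_html_encode(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Small check helper that works regardless of the zend.assertions setting.
function yj_expect(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
}

// Constructed stand-in for $_GET; no real site or request is involved.
$request = [
    'search' => "<script>alert('xss')</script>",
    'email'  => 'user@example.com',
    'form'   => ['title' => "O'Brien & Sons <b>"],
];

$filtered = yj_whitelist_filter($request);

// 1. Nothing outside the whitelist survives, including in the nested value
//    (note that the apostrophe is kept, exactly as the original regex does).
yj_expect($filtered['search'] === "scriptalert'xss'script", 'top-level value stripped');
yj_expect($filtered['form']['title'] === "O'Brien  Sons b", 'nested value stripped');
yj_expect(preg_match("|[^\w\s']|", $filtered['form']['title']) === 0, 'only whitelisted chars remain');

// 2. The cost of a blanket filter: legitimate data changes too.
yj_expect($filtered['email'] === 'userexamplecom', 'e-mail address mangled by the filter');

// 3. Encoding at output keeps the address usable and still neutralises the markup.
yj_expect(yj_html_encode($request['email']) === 'user@example.com', 'encoding preserves data');
yj_expect(
    yj_html_encode($request['search']) === '&lt;script&gt;alert(&#039;xss&#039;)&lt;/script&gt;',
    'encoding neutralises markup'
);

echo "filtered search: {$filtered['search']}\n";
echo "filtered email:  {$filtered['email']}\n";
echo "encoded search:  " . yj_html_encode($request['search']) . "\n";
```

Run it with the php command-line binary; it throws on the first check that fails and otherwise prints the three results. Two things worth keeping in mind when you place the two-line filter: it only affects code that reads $_GET or $_POST after the line has executed, and it removes characters that legitimate input needs (@ and . in an e-mail address, - in a phone number), so expect side effects on forms. Encoding values with htmlspecialchars() at the point where they are echoed into HTML keeps the data intact and is the complement to filtering on the way in.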
Best regards
Youjoomla Team
The Joomla!® name is used under a limited license from Open Source Matters in the United States and other countries.
Youjoomla.com is not affiliated with or endorsed by Open Source Matters or the Joomla! Project.