Avoid XSS in meta description tags

inc/functions_common.inc.php

@@ -58,8 +58,6 @@
 /*                                                                                                                   */
 /*  discord_send_message                Uses a Discord webhook to broadcast a message.                               */
 /*                                                                                                                   */
-/*  html_fix_meta_tags                  Makes the content of meta tags valid.                                        */
-/*                                                                                                                   */
 /*********************************************************************************************************************/
 
 
@@ -1487,42 +1485,4 @@ function discord_send_message(  string  $message          ,
 
   // Send the message through the webhook, ignore any errors
   @file_get_contents($webhook, false, $context);
-}
-
-
-
-
-/*********************************************************************************************************************/
-/*                                                                                                                   */
-/*                                             HTML OUTPUT MANIPULATION                                              */
-/*                                                                                                                   */
-/*********************************************************************************************************************/
-
-/**
- * Makes the content of meta tags valid.
- *
- * Some characters are forbidden in HTML <meta> tags, this function replaces them with their valid equivalent.
- * Note that I am not even sure this is the proper way to do things... I'm just hoping it's right.
- *
- * @param   string  $string   A string to turn meta-tag-valid.
- *
- * @return  string            The meta-tag-valid string.
- */
-
-function html_fix_meta_tags( string $string ) : string
-{
-  // Replace illegal characters by their legal counterparcs
-  $string = str_replace("'","&#39;",$string);
-  $string = str_replace("\"","&#34;",$string);
-  $string = str_replace("<","&#60;",$string);
-  $string = str_replace(">","&#62;",$string);
-  $string = str_replace("{","&#123;",$string);
-  $string = str_replace("}","&#125;",$string);
-  $string = str_replace("[","&#91;",$string);
-  $string = str_replace("]","&#93;",$string);
-  $string = str_replace("(","&#40;",$string);
-  $string = str_replace(")","&#41;",$string);
-
-  // Return the modified string
-  return $string;
 }

inc/header.inc.php

@@ -313,13 +313,13 @@
 // If there is no description, use a default generic one
 $page_description = (isset($page_description)) ? $page_description : $page_title_en." - See more by visiting this page on NoBleme.com";
 
-// Make the page's description W3C meta tag compliant
-$page_description = html_fix_meta_tags($page_description);
-
 // Shorten the description if it is too long
 if(strlen($page_description) >= 155)
   $page_description = string_truncate($page_description, 150, '...');
 
+// Make the page's description W3C meta tag compliant
+$page_description = sanitize_meta_tags($page_description);
+
 // Set the page description to default if it is too short
 if(strlen($page_description) <= 25)
   $page_description = $page_title_en." - See more by visiting this page on NoBleme.com";

inc/sanitization.inc.php

@@ -13,6 +13,7 @@
 /*  sanitize_output               Sanitizes data for HTML usage.                                                     */
 /*  sanitize_output_full          Sanitizes data before outputting it as HTML, for untrusted user data.              */
 /*  sanitize_output_javascript    Sanitizes data for passing to inline javascript.                                   */
+/*  sanitize_meta_tags            Sanitizes the content of meta tags.                                                */
 /*                                                                                                                   */
 /*********************************************************************************************************************/
 
@@ -308,4 +309,27 @@ function sanitize_output_javascript( string $data ) : string
 
   // Return the sanitized data
   return $sanitized_data;
+}
+
+
+
+
+/**
+ * Sanitizes the contents of meta tags.
+ *
+ * @param   string  $data   The data to be sanitized.
+ *
+ * @return  string          The sanitized data, ready to be used in a meta tag.
+ */
+
+function sanitize_meta_tags( string $data ) : string
+{
+  // Strip illegal characters
+  $data = str_replace("\"","",$data);
+  $data = str_replace("<","",$data);
+  $data = str_replace(">","",$data);
+  $data = str_replace("&","",$data);
+
+  // Return the sanitized data
+  return $data;
 }

index.php

@@ -11,7 +11,7 @@
 $page_url         = "index";
 $page_title_en    = "Homepage";
 $page_title_fr    = "Accueil";
-$page_description = "NoBleme, la communauté web qui n'apporte rien mais a réponse à tout";
+$page_description = "NoBleme - An oldschool internet community";
 
 // Extra CSS
 $css = array('index');