I am attempting to write some .htaccess rules that replace certain characters in the REQUEST_URI parameter. In particular, I want to replace the following:

  • "<" = &lt;
  • ">" = &gt;
  • "'" = &apos;
  • '"' = &#x22;
  • ")" = &#x29;
  • "(" = &#x28;

Example URL might be http://www.example.com/?<script>alert(1)</script>&q=")("<script')

I have tried a lot of techniques without results. Can someone point me in the right direction? Thanks.

You can use mod_rewrite to do this too; check out this example for <:

# Rule 1: replace two "<" per pass, then restart rule processing ([N]);
# the rest of the query string (%3) must be carried over or it is lost
RewriteCond %{QUERY_STRING} ^([^<]*)<([^<]*)<(.*)
RewriteRule ^ %{REQUEST_URI}?%1&lt;%2&lt;%3 [N]
# Rule 2: replace the last remaining "<" and stop ([L])
RewriteCond %{QUERY_STRING} ^([^<]*)<([^<]*)$
RewriteRule ^ %{REQUEST_URI}?%1&lt;%2 [L]

The first rule will replace two < characters at a time, and the second will finish the recursion. The other characters can be replaced in the same way (just replace < and &lt; with the other pairs).

But using mod_rewrite for this kind of work isn't really appropriate, because

  1. mod_rewrite can only replace a fixed number of occurrences at a time, and
  2. the number of replacements is limited by the internal redirection counter that is used to avoid infinite recursion.

Even though the second point doesn't apply in this case because of the N flag, I wouldn't recommend using mod_rewrite for this kind of work.

I'd rather recommend doing this in the web application, preferably right before putting your data out into an HTML document, and not in a prophylactic manner for every input regardless of how that data is processed.
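As an added example (not code from the question or the answer), the following Python shows both things the answer describes: a simulation of the two-"<" rewrite rules, to make visible how the [N]/[L] pair converges and why the replacement count depends on a recursion limit, and the output-time escaping of the six characters from the question that the answer recommends instead. `max_rounds` is an assumed stand-in for Apache's internal limit, and `escaped_query_params` is a hypothetical helper showing where such escaping belongs.

```python
import re
from urllib.parse import parse_qsl

# The six characters and entities listed in the question.
HTML_ESCAPES = {
    "<": "&lt;",
    ">": "&gt;",
    "'": "&apos;",
    '"': "&#x22;",
    ")": "&#x29;",
    "(": "&#x28;",
}
_ESCAPE_RE = re.compile("[" + re.escape("".join(HTML_ESCAPES)) + "]")


def escape_for_html(text: str) -> str:
    """Escape all six characters in a single pass, at output time."""
    return _ESCAPE_RE.sub(lambda m: HTML_ESCAPES[m.group(0)], text)


def simulate_rewrite_lt(query_string: str, max_rounds: int = 10) -> str:
    """Mimic the answer's two mod_rewrite rules for '<' only.

    Rule 1 rewrites two '<' per pass and restarts ([N]); rule 2 rewrites
    the last single '<' and stops ([L]).  max_rounds is an assumed stand-in
    for Apache's internal redirection counter, not Apache's real value.
    """
    two = re.compile(r"^([^<]*)<([^<]*)<(.*)$", re.S)
    one = re.compile(r"^([^<]*)<([^<]*)$", re.S)
    for _ in range(max_rounds):
        m = two.match(query_string)
        if m:  # rule 1 matched: substitute and start over, like [N]
            query_string = f"{m.group(1)}&lt;{m.group(2)}&lt;{m.group(3)}"
            continue
        m = one.match(query_string)
        if m:  # rule 2 matched: substitute once and stop, like [L]
            query_string = f"{m.group(1)}&lt;{m.group(2)}"
        return query_string
    raise RuntimeError("recursion limit reached before all '<' were replaced")


def escaped_query_params(query_string: str) -> dict:
    """Parse the raw query string and escape each value only when it is
    about to be written into HTML.  parse_qsl percent-decodes first, so
    an encoded %3C is escaped too, which a rewrite on the raw string misses."""
    pairs = parse_qsl(query_string, keep_blank_values=True)
    return {key: escape_for_html(value) for key, value in pairs}
```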