Hi,
I have a WordPress plugin which needs to load settings into external javascript files. Previously, I simply accessed the database, grabbed the variables from it and dumped them into the file. However, for performance reasons I've decided to move to a non-database route to transfer the data.

The route I decided to take was to send the settings inside the URL and echo them onto the screen.

In case there are any ways for nasty code to get embedded, I've used htmlentities, stripslashes, strlen and ctype_alnum to confirm that it is only an alpha-numeric, non-HTML, slashless string of less than 10 characters. However, others are telling me there are still some ways this could be used for cross-site scripting.

Any ideas on how this could be hacked? I believe those who tell me it can, but it makes it darn hard to know how to prevent these types of attacks when I can't even understand how they work.

I can't even see how it could be attacked without the checks in place, let alone afterwards ... showing my complete lack of knowledge of XSS here.

Code PHP:
<?php
 
header( 'Cache-Control: public' );
header( 'Pragma: cache' );
header( 'Expires: ' . gmdate( 'D, d M Y H:i:s', time() + 60*60*24*365 ) . ' GMT'); // cache for one year
header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s', filemtime( $_SERVER['SCRIPT_FILENAME'] ) ) . ' GMT' );
header( 'Content-Type: text/javascript' );
 
// Grabbing the settings from the URL and doing some checks
$set = isset( $_GET['set'] ) ? $_GET['set'] : ''; // default to empty string so a missing parameter does not raise a notice
$set = htmlentities($set); // Strip nasties
$set = stripslashes( $set ); // Strip slashes
if ( strlen( $set ) > 10 ) {echo 'input text too long';exit;}
if ( !ctype_alnum( $set ) ) {echo 'non-alpha numeric input';exit;} // also rejects an empty string
 
// echo'ing the javascript on screen
echo 'jQuery(document).ready(function() {
	jQuery("ul.sf-menu").superfish({
		animation:     {opacity:"show",height:"show"},  // fade-in and slide-down animation
		delay:        ' . $set . ',  // trailing comma needed, otherwise the emitted object literal is a syntax error
		speed:        50,  // animation speed
		autoArrows:   "on",  // enable generation of arrow mark-up
		dropShadows:  "on"  // enable drop shadows
	});
});';
 
?>

Or alternatively, if any of you have any other methods for transferring settings into an external javascript file, I'm keen to hear them too.

As a last resort I can just include the javascript directly into the head of the page, but I'd rather keep them external if possible.


Any help much appreciated
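An added example, not the poster's code: a hardened version of the same endpoint. The only setting it carries (delay) is a number, so it is validated as an integer in a known range and emitted through json_encode(), so no request string is ever concatenated into the script body. The default of 800 and the 0-10000 range are assumptions.

```php
<?php
// Added example (not the original poster's code): the delay setting is
// validated as a bounded integer and the whole options object is emitted
// as a JSON literal, so attacker-controlled text never reaches the script.

header('Content-Type: text/javascript; charset=utf-8');
header('X-Content-Type-Options: nosniff'); // never let a browser sniff this as HTML

/**
 * Read the delay setting from the query string.
 * Returns an int in [0, 10000], or $default when the value is absent or invalid.
 * (Default and range are assumed values for this example.)
 */
function superfish_delay_from_request(array $query, int $default = 800): int
{
    if (!isset($query['set'])) {
        return $default;
    }
    // FILTER_VALIDATE_INT accepts only a plain decimal integer; "12abc",
    // "1e3", "0x10" and arrays all fail, and the range is enforced too.
    $delay = filter_var($query['set'], FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 0, 'max_range' => 10000],
    ]);
    return $delay === false ? $default : $delay;
}

$options = [
    'animation'   => ['opacity' => 'show', 'height' => 'show'], // fade-in and slide-down
    'delay'       => superfish_delay_from_request($_GET),
    'speed'       => 50,    // animation speed
    'autoArrows'  => 'on',  // enable generation of arrow mark-up
    'dropShadows' => 'on',  // enable drop shadows
];

// json_encode() produces an inert JavaScript object literal; the HEX flags
// additionally encode < > & ' " as \uXXXX, and "/" is escaped by default,
// so a closing </script> can never be formed by the output.
$flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
echo 'jQuery(document).ready(function () {' . "\n"
   . '    jQuery("ul.sf-menu").superfish(' . json_encode($options, $flags) . ');' . "\n"
   . '});' . "\n";
```

Inside WordPress itself the same result is available without a separate PHP file: enqueue the menu script normally and attach the JSON-encoded options with wp_add_inline_script().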