Thursday, 6 January 2011

XSS and the BOM (“”)

So I was working on a script to get the latitude and longitude for a postcode using Bing. I set up a simple page with a box where a postcode could be entered. When the button is pressed the postcode is checked using the fantastic UK Postcode Validation JavaScript by John Gardner. I then used jQuery to query Bing, but ran into the browser's cross-site restrictions on Ajax requests (the same-origin policy). I got around that with a PHP proxy on the same domain that basically echoes the XML I wanted in the first place. Thus:

<?php
  // Serve Bing's XML from our own origin so the page's Ajax call is same-origin.
  // The charset belongs inside Content-Type; a separate "charset:" header is not valid HTTP.
  header("Content-Type: text/xml; charset=utf-8");
  $bingURI  = "http://dev.virtualearth.net/REST/v1/Locations/UK/";
  $apiKey   = "?o=xml&key=yourKeyHere";
  // rawurlencode keeps the user-supplied value confined to one path segment of the Bing URL.
  $postcode = isset($_GET['postcode']) ? $_GET['postcode'] : '';
  $file     = file_get_contents($bingURI.rawurlencode($postcode).$apiKey);
  echo $file;
?>

All well and good, except that there was a rather odd set of glyphs () at the beginning of the echoed XML. After a fair bit of searching I discovered that it was the BOM (byte order mark); whatever it was, I didn't want it! After a little more searching I found this PHP function from Philipp Michels:

<?php
// Strip a leading UTF-8 byte order mark (bytes EF BB BF) if one is present.
function rmBOM($string) {
  if(substr($string, 0, 3) === pack("CCC", 0xef, 0xbb, 0xbf)) {
    $string = substr($string, 3);
  }
  return $string;
}
?>

Which worked a treat and allowed the XML to be parsed properly!
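Putting the two pieces together, here is an added example (my own, not code from the post): a version of the proxy that strips the BOM, only forwards input shaped like a UK postcode so the proxy cannot be used to relay arbitrary strings under your API key, and only echoes a response that actually parses as XML. Assumed: BING_KEY is your own key, and the postcode regex is a simplified stand-in for John Gardner's validator.

```php
<?php
// Added example, not the original post's code: a hardened version of the proxy.
// Assumed: BING_KEY is your own key; the regex is a simplified stand-in for John Gardner's validator.
declare(strict_types=1);

const BING_URI = 'http://dev.virtualearth.net/REST/v1/Locations/UK/';
const BING_KEY = 'yourKeyHere'; // placeholder
// Strip a leading UTF-8 byte order mark (EF BB BF) if present.
function rmBOM(string $s): string {
    return substr($s, 0, 3) === "\xEF\xBB\xBF" ? substr($s, 3) : $s;
}

// Server-side gate: only something shaped like a UK postcode reaches Bing,
// so the proxy cannot be used to relay arbitrary strings under your key.
function isPlausiblePostcode(string $pc): bool {
    return (bool) preg_match('/^[A-Z]{1,2}[0-9][A-Z0-9]? ?[0-9][A-Z]{2}$/', $pc);
}

// Strip the BOM and refuse anything that does not parse as XML.
function cleanXml(string $body): ?string {
    $body = rmBOM($body);
    libxml_use_internal_errors(true);
    return simplexml_load_string($body) === false ? null : $body;
}

// Live fetch; needs allow_url_fopen. Returns null on any failure.
function fetchLocationXml(string $postcode): ?string {
    if (!isPlausiblePostcode($postcode)) {
        return null;
    }
    $url  = BING_URI . rawurlencode($postcode) . '?o=xml&key=' . BING_KEY;
    $body = @file_get_contents($url);
    return $body === false ? null : cleanXml($body);
}

if (PHP_SAPI === 'cli') {
    // Offline demo with a constructed response that carries a BOM prefix.
    $sample = "\xEF\xBB\xBF<Response><Point>51.5,-0.1</Point></Response>";
    var_dump(bin2hex(substr($sample, 0, 3)), cleanXml($sample) === substr($sample, 3));
    var_dump(isPlausiblePostcode('SW1A 1AA'), isPlausiblePostcode('not a postcode'));
} else {
    header('Content-Type: text/xml; charset=utf-8');
    $xml = fetchLocationXml(strtoupper(trim($_GET['postcode'] ?? '')));
    if ($xml === null) {
        http_response_code(400);
        exit;
    }
    echo $xml;
}
```

Run it from the command line to see the BOM bytes and the cleaned result on the constructed sample; served through a web server it behaves as the proxy.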

The result is here: http://drmsite.com/postcode.html.