Thursday, 6 January 2011

XSS and the BOM (“”)

So I was working on a script to get the latitude and longitude from postcodes using Bing. I set up a simple page with a box where a postcode could be entered. Upon a button being pressed, the postcode is checked using the fantastic UK Postcode Validation JavaScript by John Gardner. I then used jQuery to query Bing but ran into problems thanks to AJAX restrictions on cross-site scripting; I got over that using a PHP proxy on the same domain that basically echoed the XML that I wanted originally. Thus:

  // Serve the proxied response as XML; the charset belongs inside the Content-Type header
  header("Content-Type: text/xml; charset=utf-8");
  $bingURI  = "";   // Bing Locations endpoint
  $apiKey   = "?o=xml&key=yourKeyHere";
  // Forward the user-supplied postcode to Bing and echo the XML back to the browser
  $file     = file_get_contents($bingURI.rawurlencode($_GET['postcode']).$apiKey);
  echo $file;

All well and good, except that there was a rather odd set of glyphs (“”) at the beginning of the echoed XML. After a fair bit of searching I discovered that it was the BOM; whatever it was, I didn't want it! After a little more searching I found this PHP function from Philipp Michels:

  // Strip a leading UTF-8 byte order mark (bytes EF BB BF) if present
  function rmBOM($string) {
    if (substr($string, 0, 3) == pack("CCC", 0xef, 0xbb, 0xbf)) {
      $string = substr($string, 3);
    }
    return $string;
  }

Which worked a treat and allowed the XML to be parsed properly!
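Putting the proxy and the BOM fix together, here is an added example (not the post's own code) of how the same proxy can be written so that the postcode is also checked server-side, the BOM is stripped before the response goes out, and only well-formed XML is echoed back to the browser. The endpoint constant is a placeholder, since the original post does not show the Bing URL, and the postcode pattern is a coarse sanity check rather than a full UK postcode validator.

```php
<?php
// Added example: a hardened version of the postcode proxy from the post.
// BING_URI is a placeholder; substitute the real Bing Locations endpoint.
const BING_URI = 'https://example.invalid/locations/';
const API_KEY  = '?o=xml&key=yourKeyHere';

/** Strip a leading UTF-8 byte order mark (EF BB BF) from the upstream body. */
function rmBOM(string $string): string {
    return strncmp($string, "\xEF\xBB\xBF", 3) === 0 ? substr($string, 3) : $string;
}

/** Coarse server-side check: outward code, optional space, digit plus two letters. */
function isPlausiblePostcode(string $pc): bool {
    return (bool) preg_match('/^[A-Z0-9]{2,4} ?[0-9][A-Z]{2}$/i', $pc);
}

/** Fetch the XML for a postcode; returns null on bad input, fetch failure or malformed XML. */
function fetchPostcodeXml(string $postcode): ?string {
    if (!isPlausiblePostcode($postcode)) {
        return null;                       // never forward arbitrary input upstream
    }
    $body = @file_get_contents(BING_URI . rawurlencode($postcode) . API_KEY);
    if ($body === false) {
        return null;
    }
    $body = rmBOM($body);                  // the glyphs the post ran into

    // Refuse to echo anything that does not parse as XML; LIBXML_NONET stops
    // the parser from following external references while checking.
    $prev = libxml_use_internal_errors(true);
    $doc  = simplexml_load_string($body, 'SimpleXMLElement', LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);

    return $doc === false ? null : $body;
}

header('Content-Type: text/xml; charset=utf-8');
$xml = fetchPostcodeXml($_GET['postcode'] ?? '');
if ($xml === null) {
    http_response_code(400);
    echo '<?xml version="1.0" encoding="utf-8"?><error>invalid postcode or upstream failure</error>';
    exit;
}
echo $xml;
```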

The result is here: