Phalcon context encoding (contextual escaping)

Source: Internet
Author: User

Websites and other browser/server (B/S) applications are highly susceptible to XSS attacks. PHP provides escaping functions, but they are still not safe in every situation. In Phalcon, Phalcon\Escaper provides contextual escaping; it is implemented in C, which gives better performance when escaping.

The Phalcon contextual escaping component is based on the OWASP "XSS (Cross Site Scripting) Prevention Cheat Sheet".

In addition, this component relies on the mbstring extension, which lets it support almost all character sets.
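The following is an added illustration in plain PHP, not code from the Phalcon documentation, of why an escaper has to know the character set it is working in: PHP's own htmlspecialchars() silently returns an empty string for input that is invalid in the declared charset unless told to substitute. It assumes PHP 5.4 or later with mbstring; the byte strings are constructed for the example.

```php
<?php
// Added illustration (not Phalcon's own code): charset-aware HTML escaping.
// Assumes PHP >= 5.4 with the mbstring extension; the byte strings are constructed.

// PHP's htmlspecialchars() returns an empty string when the input is not valid
// in the declared charset (unless ENT_SUBSTITUTE or ENT_IGNORE is set), so the
// untrusted text silently vanishes from the page instead of raising an error.
function escapeHtmlNaive(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Safer variant: reject bytes that are not valid UTF-8 up front, then escape
// with ENT_SUBSTITUTE so a stray invalid sequence can never blank the output.
function escapeHtmlChecked(string $s): string
{
    if (!mb_check_encoding($s, 'UTF-8')) {
        throw new InvalidArgumentException('input is not valid UTF-8');
    }
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed inputs: a well-formed multibyte string and one containing an
// invalid UTF-8 sequence ("\xC3" is a lead byte, "\x28" is not a continuation byte).
$good = '<b>Grüße</b>';
$bad  = "<b>\xC3\x28</b>";

var_dump(escapeHtmlNaive($good));
var_dump(escapeHtmlNaive($bad));

var_dump(escapeHtmlChecked($good));
try {
    escapeHtmlChecked($bad);
} catch (InvalidArgumentException $ex) {
    echo 'rejected: ', $ex->getMessage(), PHP_EOL;
}
```

The charset passed to the escaper must match the charset the page is served with (the meta tag in the example below declares utf-8); declaring one charset and emitting another is how an escaper that is correct on paper still lets markup through.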

The following example shows how this component works:

<?php

// Document title with malicious extra HTML tags
$maliciousTitle = '</title><script>alert(1)</script>';

// Malicious CSS class name
$className = ';`(';

// Malicious CSS font name
$fontName = 'Verdana"</style>';

// Malicious JavaScript text
$javascriptText = "';</script>Hello";

// Create an escaper instance
$e = new Phalcon\Escaper();

?>

<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />

<title><?php echo $e->escapeHtml($maliciousTitle) ?></title>

<style type="text/css">
    .<?php echo $e->escapeCss($className) ?> {
        font-family  : "<?php echo $e->escapeCss($fontName) ?>";
        color: red;
    }
</style>

<body>

    <div class='<?php echo $e->escapeHtmlAttr($className) ?>'>hello</div>

    <script>var some = '<?php echo $e->escapeJs($javascriptText) ?>'</script>

</body>

The results are as follows:


Phalcon escapes text according to the context in which it is inserted. Choosing the appropriate context is important for protecting against XSS attacks.

HTML encoding (escaping HTML)

The least secure scenario is inserting untrusted data into the content of an HTML tag:

<div class="comments"><!-- Escape untrusted data here! --></div>

We can use the escapeHtml method to escape the text:

<div class="comments"><?php echo $e->escapeHtml('></div><h1>myattack</h1>'); ?></div>

The results are as follows:

<div class="comments">&gt;&lt;/div&gt;&lt;h1&gt;myattack&lt;/h1&gt;</div>

HTML attribute encoding (escaping HTML attributes)

Escaping HTML attributes is slightly different from escaping HTML content: it works by escaping every character that is not a letter or a digit. This is how attributes such as class in the example above are escaped; complex attributes such as href or url are an exception and need their own method:

<table width="Escape untrusted data here!"><tr><td>Hello</td></tr></table>

Here we use the escapeHtmlAttr method to escape the HTML attribute:

<table width="<?php echo $e->escapeHtmlAttr('"><h1>hello</table'); ?>"><tr><td>Hello</td></tr></table>

The results are as follows:

<table width="&#x22;&#x3e;&#x3c;h1&#x3e;hello&#x3c;&#x2f;table"><tr><td>Hello</td></tr></table>

URL encoding (escaping URLs)

Some HTML attributes, such as href or url, carry URLs and need to be escaped with a dedicated method:

<a href="Escape untrusted data here!">Some Link</a>

Here we use the escapeUrl method to escape the URL:

<a href="<?php echo $e->escapeUrl('"><script>alert(1)</script><a href="#'); ?>">Some Link</a>

The results are as follows:

<a href="%22%3e%3cscript%3ealert%281%29%3c%2fscript%3e%3ca%20href%3d%22%23">Some Link</a>

CSS encoding (escaping CSS)

CSS identifiers and values can also be escaped:

<a style="color: Escape untrusted data here">Some Link</a>

Here we use the escapeCss method to escape the value:

<a style="color: <?php echo $e->escapeCss('"><script>alert(1)</script><a href="#'); ?>">Some Link</a>

Results:

<a style="color: \22 \3e \3c script\3e alert\28 1\29 \3c \2f script\3e \3c a\20 href\3d \22 \23 ">Some Link</a>

JavaScript encoding (escaping JavaScript)

Strings inserted into JavaScript code also need to be escaped properly:

<script>document.title = 'Escape untrusted data here'</script>

Here we use the escapeJs method to escape the string (the input below is recovered from the escaped output shown on this page):

<script>document.title = '<?php echo $e->escapeJs("'; alert(+); var x='"); ?>'</script>

The results are as follows:

<script>document.title = '\x27; alert(+); var x\x3d\x27'</script>
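The sections above show one escaper per context but not what each one does to a character. The following is an added example, not Phalcon's own code, that implements the five contexts in plain PHP following the OWASP cheat sheet rules the component is based on, runs them over the page's own sample inputs (plus a constructed JavaScript string, since the page's is truncated), and then shows why picking the wrong context fails: an HTML-escaped javascript: URL survives intact inside href. It assumes PHP 7.4 or later with mbstring and UTF-8 input; the function names are this example's, not Phalcon's, and the JavaScript escaper is stricter than the output the page shows (it also encodes ; ( ) and spaces).

```php
<?php
// Added illustration (not Phalcon's own code): plain-PHP escapers for the five
// output contexts covered on this page, following the OWASP XSS Prevention
// Cheat Sheet rules the Phalcon escaper is based on. Assumes PHP >= 7.4 with
// mbstring; all inputs are UTF-8.

// Split a UTF-8 string into code points so multibyte characters are encoded whole.
function codePoints(string $s): array
{
    return preg_split('//u', $s, -1, PREG_SPLIT_NO_EMPTY);
}

// HTML body: entity-encode & < > " and '.
function escapeHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// HTML attribute value: &#xHH; for everything except letters, digits , . _ -
// so the value can neither close a quoted attribute nor start a new one.
function escapeHtmlAttr(string $s): string
{
    $out = '';
    foreach (codePoints($s) as $ch) {
        $out .= preg_match('/^[A-Za-z0-9,._-]$/', $ch) ? $ch : sprintf('&#x%x;', mb_ord($ch, 'UTF-8'));
    }
    return $out;
}

// URL component: RFC 3986 percent-encoding; ':' '/' '?' '#' are all encoded,
// so no scheme or path delimiter from the input survives.
function escapeUrl(string $s): string
{
    return rawurlencode($s);
}

// CSS identifier or string: \HH followed by a space (the space terminates the
// escape and is consumed by the CSS parser, which is why the page's CSS output
// carries those spaces).
function escapeCss(string $s): string
{
    $out = '';
    foreach (codePoints($s) as $ch) {
        $out .= preg_match('/^[A-Za-z0-9]$/', $ch) ? $ch : sprintf('\\%x ', mb_ord($ch, 'UTF-8'));
    }
    return $out;
}

// JavaScript string literal: \xHH below 0x100, \uHHHH otherwise (surrogate pairs
// beyond the BMP). Everything but letters, digits , . _ is encoded, so neither
// quote, '<', '/' nor a line terminator can ever reach the script parser.
function escapeJs(string $s): string
{
    $out = '';
    foreach (codePoints($s) as $ch) {
        if (preg_match('/^[A-Za-z0-9,._]$/', $ch)) {
            $out .= $ch;
            continue;
        }
        $cp = mb_ord($ch, 'UTF-8');
        if ($cp < 0x100) {
            $out .= sprintf('\\x%02x', $cp);
        } elseif ($cp <= 0xFFFF) {
            $out .= sprintf('\\u%04x', $cp);
        } else {
            $cp -= 0x10000;
            $out .= sprintf('\\u%04x\\u%04x', 0xD800 + ($cp >> 10), 0xDC00 + ($cp & 0x3FF));
        }
    }
    return $out;
}

// The page's sample inputs (the JS one is constructed), each run through the
// escaper for its context.
$samples = [
    'html' => ['></div><h1>myattack</h1>', 'escapeHtml'],
    'attr' => ['"><h1>hello</table', 'escapeHtmlAttr'],
    'url'  => ['"><script>alert(1)</script><a href="#', 'escapeUrl'],
    'css'  => ['"><script>alert(1)</script><a href="#', 'escapeCss'],
    'js'   => ["'; alert(1); var x='", 'escapeJs'],
];
foreach ($samples as $ctx => [$input, $fn]) {
    printf("%-4s %s\n", $ctx, $fn($input));
}

// Why the context matters: HTML-escaping a value that lands in href leaves a
// javascript: URL untouched, because it contains none of the characters
// escapeHtml() rewrites. The URL escaper encodes the ':' so the browser reads
// the attribute as a plain relative path instead of a scheme.
$link  = 'javascript:alert(1)';
$wrong = '<a href="' . escapeHtml($link) . '">link</a>';
$right = '<a href="' . escapeUrl($link) . '">link</a>';
printf("wrong context keeps the scheme: %s\n", var_export(strpos($wrong, 'javascript:') !== false, true));
printf("right context keeps the scheme: %s\n", var_export(strpos($right, 'javascript:') !== false, true));
```

Note that escapeUrl() (like the page's href example, where the whole input comes back percent-encoded) is meant for a URL component such as a query value or path segment. To place a complete user-supplied URL in href, validate its scheme against an allow-list first and then escape it as an HTML attribute; percent-encoding the whole URL would break a legitimate link.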
