This article describes the XSS attack prevention strategy used in Yii2. It is shared here for your reference; the details are as follows:
XSS vulnerability fixes
Principle: never trust data entered by the client.
Note: the attack code is not necessarily inside <script></script>.
① Mark important cookies as HttpOnly, so that the document.cookie statement in JavaScript cannot read them.
② Only accept the data we expect from the user. For example, in an "age" text box, only digits are allowed, and any non-digit characters are filtered out.
③ HTML-encode the data before output.
④ Filter or remove special HTML tags, for example script and iframe; convert < to &lt; and > to &gt;.
⑤ Filter the attributes for JavaScript events, such as "onclick=", "onfocus=", and so on.
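The following is an added example, not code from the original article, showing principles ① and ② in plain PHP: an HttpOnly (plus Secure and SameSite) session cookie and whitelist validation of the "age" field. The names validateAge, remember_me and the token value are illustrative, and the array form of session_set_cookie_params()/setcookie() assumes PHP 7.3 or later.

```php
<?php
// Added example, not from the original article, for principles ① and ②.
// Names (validateAge, 'remember_me', the $token value) are illustrative.

// ① HttpOnly (plus Secure and SameSite) on the session cookie, set before
//    session_start(): script injected into the page cannot read the cookie
//    through document.cookie, so an XSS foothold does not hand over the
//    session id. The same options work for any cookie set with setcookie().
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,
    'samesite' => 'Lax',
]);
session_start();

$token = bin2hex(random_bytes(16)); // constructed sample value
setcookie('remember_me', $token, [
    'expires'  => time() + 86400 * 30,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);

// ② Accept only what the field is supposed to contain. For an age box that
//    is an integer in a plausible range; anything else is rejected outright
//    rather than "cleaned", so tags or event handlers never reach storage.
function validateAge($raw)
{
    $age = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 0, 'max_range' => 150],
    ]);
    return $age === false ? null : $age;
}

// Only the first sample passes; the rest return null and should be refused.
foreach (['42', '42<script>', 'onfocus=', '-1', ''] as $sample) {
    var_dump(validateAge($sample));
}
```

The Set-Cookie response headers can be checked in the browser's developer tools or with curl -I to confirm that the HttpOnly and Secure attributes are actually present.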
XSS Prevention in Yii
In Yii 2, output is escaped with the yii\helpers\Html::encode() helper (CHtml::encode() in Yii 1.x):

<?php echo Html::encode($user->name) ?>

The source code for this method:

/**
 * Encodes special characters into HTML entities.
 * The [[\yii\base\Application::charset|application charset]] is used for encoding.
 * @param string $content the content to be encoded
 * @param boolean $doubleEncode whether to encode HTML entities in `$content`. If false,
 * HTML entities in `$content` will not be further encoded.
 * @return string the encoded content
 * @see decode()
 * @see http://www.php.net/manual/en/function.htmlspecialchars.php
 */
public static function encode($content, $doubleEncode = true)
{
    return htmlspecialchars($content, ENT_QUOTES | ENT_SUBSTITUTE, Yii::$app->charset, $doubleEncode);
}
The differences between htmlspecialchars, htmlentities and urlencode:
http://php.net/manual/zh/function.htmlspecialchars.php
http://php.net/manual/zh/function.htmlentities.php
http://cn2.php.net/manual/zh/function.urlencode.php
Available flags constants
Constant name   Description
ENT_COMPAT      Will convert double quotes and leave single quotes alone.
ENT_QUOTES      Will convert both double and single quotes.
ENT_NOQUOTES    Will leave both double and single quotes unconverted.
ENT_IGNORE      Silently discard invalid code unit sequences instead of returning an empty string. Using this flag is discouraged as it may have security implications.
ENT_SUBSTITUTE  Replace invalid code unit sequences with a Unicode replacement character U+FFFD (UTF-8) or &#xFFFD; (otherwise) instead of returning an empty string.
ENT_DISALLOWED  Replace invalid code points for the given document type with a Unicode replacement character U+FFFD (UTF-8) or &#xFFFD; (otherwise) instead of leaving them as is. This is useful, for instance, to ensure the well-formedness of XML documents with embedded external content.
ENT_HTML401     Handle code as HTML 4.01.
ENT_XML1        Handle code as XML 1.
ENT_XHTML       Handle code as XHTML.
ENT_HTML5       Handle code as HTML 5.
htmlspecialchars
Convert special characters to HTML entities

string htmlspecialchars(
    string $string
    [, int $flags = ENT_COMPAT | ENT_HTML401
    [, string $encoding = ini_get("default_charset")
    [, bool $double_encode = true
    ]]]
)

The translations performed are:
& (ampersand) becomes &amp;
" (double quote) becomes &quot; when ENT_NOQUOTES is not set.
' (single quote) becomes &#039; (or &apos;) only if ENT_QUOTES is set.
< (less than) becomes &lt;
> (greater than) becomes &gt;

<?php
$new = htmlspecialchars("<a href='test'>Test</a>", ENT_QUOTES);
echo $new; // &lt;a href=&#039;test&#039;&gt;Test&lt;/a&gt;
?>
htmlentities
Convert all applicable characters to HTML entities

string htmlentities(
    string $string
    [, int $flags = ENT_COMPAT | ENT_HTML401
    [, string $encoding = ini_get("default_charset")
    [, bool $double_encode = true
    ]]]
)

<?php
$str = "A 'quote' is <b>bold</b>";

// Outputs: A 'quote' is &lt;b&gt;bold&lt;/b&gt;
echo htmlentities($str);

// Outputs: A &#039;quote&#039; is &lt;b&gt;bold&lt;/b&gt;
echo htmlentities($str, ENT_QUOTES);
?>
urlencode
URL encoding makes a string conform to the URL specification, because the standard URL syntax does not allow Chinese characters and many other characters to appear in a URL.
For example, searching Baidu for "test Chinese characters" produces a URL in which the search term in the wd parameter is percent-encoded (here as its GBK bytes):
http://www.baidu.com/s?wd=%B2%E2%CA%D4%BA%BA%D7%D6&rsv_bp=0&rsv_spt=3&inputT=7477
URL encoding replaces every non-alphanumeric character except -_. with a percent sign (%) followed by two hexadecimal digits, and encodes spaces as plus signs (+). This is the same encoding used for posted WWW form data, that is, the application/x-www-form-urlencoded media type. For historical reasons it differs from the RFC 1738 encoding (see rawurlencode()) in that spaces are encoded as plus signs (+).
<?php
echo '<a href="mycgi?foo=', urlencode($userinput), '">';
?>

<?php
$query_string = 'foo=' . urlencode($foo) . '&bar=' . urlencode($bar);
echo '<a href="mycgi?' . htmlentities($query_string) . '">';
?>
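The following added example (not from the original article) ties the htmlspecialchars flags and the urlencode section together: the same untrusted value is encoded once for an HTML attribute and once for a query-string parameter inside an href. The value of $userInput is a constructed hostile sample and the function names are illustrative; it assumes PHP 5.4 or later for ENT_SUBSTITUTE, and passes ENT_COMPAT explicitly because PHP 8.1 changed the default flags of htmlspecialchars() to ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401.

```php
<?php
// Added example, not from the original article: the same untrusted value
// needs a different encoding for each place it is inserted. $userInput is
// a constructed hostile sample; the function names are illustrative.
$userInput = "x' onfocus='evil()";

// HTML text or attribute context: ENT_QUOTES escapes both quote styles,
// ENT_SUBSTITUTE turns invalid UTF-8 into U+FFFD instead of returning ""
// (an empty string would silently erase the output and hide the problem).
function encodeHtml($s)
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// URL query context: percent-encode each parameter with urlencode (done by
// http_build_query), then HTML-encode the whole query string for the href
// attribute so that the & between parameters becomes &amp;.
function buildLink($path, array $params)
{
    return $path . '?' . encodeHtml(http_build_query($params));
}

// ENT_COMPAT (the pre-8.1 default) leaves the single quote untouched, so a
// value placed inside a single-quoted attribute can terminate the attribute
// and start a new one; ENT_QUOTES encodes the quote and closes that hole.
$compat = htmlspecialchars($userInput, ENT_COMPAT);
$quoted = encodeHtml($userInput);
echo "ENT_COMPAT: $compat\nENT_QUOTES: $quoted\n";

// Attribute context: always double-quote the attribute and use ENT_QUOTES.
echo '<input value="' . encodeHtml($userInput) . '">', "\n";

// Link context: urlencode for the URL, then HTML-encode for the attribute.
echo '<a href="' . buildLink('search.php', ['q' => $userInput, 'page' => 2]) . '">next</a>', "\n";
```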
Readers interested in more Yii-related content can see the following topics on this site: "Introduction to the Yii Framework and Summary of Common Techniques", "Summary of Excellent PHP Development Frameworks", "Introductory Smarty Template Tutorial", "Introduction to PHP Object-Oriented Programming", "Summary of PHP String Usage", "Introductory PHP+MySQL Database Operation Tutorial" and "Summary of Common PHP Database Operation Techniques".
I hope this article helps you with PHP program design based on the Yii framework.