This article describes how to prevent XSS attacks in Yii2, shared for your reference.
XSS fix
Principle: never trust data entered by the user.
Note: The attack code is not necessarily in the
① Flag important cookies (for example the session cookie) as HttpOnly, so that document.cookie in JavaScript cannot read them. This limits what a successful injection can steal; it does not stop the injected script from running. Yii2's yii\web\Cookie sets httpOnly to true by default.
② Only accept the data we expect. For example, in an age text box allow only digits and reject or strip everything else.
③ HTML-encode data at the point where it is output into the page.
④ Filter or remove dangerous HTML tags such as script and iframe, and replace < with &lt; and > with &gt;.
⑤ Filter JavaScript event-handler attributes such as onclick= and onfocus=. Note that ④ and ⑤ are blacklists and are easily bypassed (mixed case, nested tags, alternative encodings); output encoding (③), or a whitelist sanitizer such as yii\helpers\HtmlPurifier when some HTML must be allowed, is the reliable measure.
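The five measures above, as an added example in plain PHP (not code from the original article or from Yii); the function names, the regular expressions and the sample payload are illustrative:

```php
<?php
// Added example (not from the original article or from Yii): the five XSS measures
// in plain PHP. Function names, regexes and the payload are illustrative.
declare(strict_types=1);

// ① Mark the session cookie HttpOnly (and Secure), so document.cookie cannot read it.
//    Called once at the start of every request; it limits cookie theft but does not
//    stop an injected script from running.
function startHardenedSession(): void
{
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

// ② Accept only the input we expect: an age is one to three digits, nothing else.
function validateAge(string $raw): ?int
{
    return preg_match('/^\d{1,3}$/', $raw) ? (int) $raw : null;
}

// ③ Encode on output. This is the same call yii\helpers\Html::encode makes.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// ④⑤ Blacklist removal of tags and event handlers, as the article describes.
//    Shown for comparison only: it is easy to bypass, so prefer ③ or a whitelist
//    sanitizer such as yii\helpers\HtmlPurifier.
function stripDangerous(string $s): string
{
    $s = preg_replace('#<\s*/?\s*(script|iframe)[^>]*>#i', '', $s);  // ④
    $s = preg_replace('/\s+on[a-z]+\s*=/i', ' ', $s);                // ⑤
    return $s;
}

// Constructed attacker input: an event handler plus a nested <script> tag.
$payload = "<img src=x onerror=alert(1)><scr<script>ipt>alert(2)</script>";

echo e($payload), "\n";
// &lt;img src=x onerror=alert(1)&gt;&lt;scr&lt;script&gt;ipt&gt;alert(2)&lt;/script&gt;
// The browser shows this as text; nothing executes.

echo stripDangerous($payload), "\n";
// <img src=x alert(1)><script>alert(2)
// Removing the inner "<script>" and "</script>" reassembled "<scr" + "ipt>" into a
// working <script> tag: the blacklist was bypassed by the input it was meant to stop.

var_dump(validateAge('42'));     // int(42)
var_dump(validateAge('42abc'));  // NULL
```

The second echo is the point: preg_replace makes one pass over the original string, so the tag removal itself produces the `<script>` tag the filter was looking for. Encoding in e() has no such failure mode, because it never tries to decide what is dangerous.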
Prevention of XSS in Yii
In a Yii2 view, encode every value before it is output:
    <?php
    use yii\helpers\Html;
    ?>
    <?= Html::encode($user->name) ?>
(CHtml::encode is the Yii 1.1 equivalent; in Yii2 the helper is yii\helpers\Html.)
Source code for this method (yii\helpers\BaseHtml::encode):
    /**
     * Encodes special characters into HTML entities.
     * The [[\yii\base\Application::charset|application charset]] will be used for encoding.
     * @param string $content the content to be encoded
     * @param boolean $doubleEncode whether to encode HTML entities in `$content`. If false,
     * HTML entities in `$content` will not be further encoded.
     * @return string the encoded content
     * @see decode()
     * @see http://www.php.net/manual/en/function.htmlspecialchars.php
     */
    public static function encode($content, $doubleEncode = true)
    {
        return htmlspecialchars($content, ENT_QUOTES | ENT_SUBSTITUTE, Yii::$app->charset, $doubleEncode);
    }
The difference between htmlspecialchars, htmlentities and urlencode:
http://php.net/manual/zh/function.htmlspecialchars.php
http://php.net/manual/zh/function.htmlentities.php
http://cn2.php.net/manual/zh/function.urlencode.php
Available flag constants
Constant         Description
ENT_COMPAT       Will convert double quotes and leave single quotes alone.
ENT_QUOTES       Will convert both double and single quotes.
ENT_NOQUOTES     Will leave both double and single quotes unconverted.
ENT_IGNORE       Silently discard invalid code unit sequences instead of returning an empty string. Using this flag is discouraged as it may have security implications.
ENT_SUBSTITUTE   Replace invalid code unit sequences with a Unicode Replacement Character U+FFFD (UTF-8) or &#FFFD; (otherwise) instead of returning an empty string.
ENT_DISALLOWED   Replace invalid code points for the given document type with a Unicode Replacement Character U+FFFD (UTF-8) or &#FFFD; (otherwise) instead of leaving them as is. This may be useful, for instance, to ensure the well-formedness of XML documents with embedded external content.
ENT_HTML401      Handle code as HTML 4.01.
ENT_XML1         Handle code as XML 1.
ENT_XHTML        Handle code as XHTML.
ENT_HTML5        Handle code as HTML 5.
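What these flags change in practice, and why Html::encode passes ENT_QUOTES | ENT_SUBSTITUTE, as an added example (not from the article, the PHP manual or Yii). The inputs are constructed, and yiiEncode() is a stand-in that makes the same htmlspecialchars call as Html::encode with the charset fixed to UTF-8:

```php
<?php
// Added example (not from the original article or from Yii): the effect of the flags.
declare(strict_types=1);

// Constructed attacker input: a single quote to break out of a value='...' attribute.
$input  = "' onmouseover='alert(1)";
// Constructed invalid UTF-8: a truncated two-byte sequence at the end.
$broken = "caf\xC3";

// Same call as yii\helpers\Html::encode, with the charset fixed to UTF-8.
function yiiEncode(string $s, bool $double = true): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8', $double);
}

// ENT_COMPAT (the default before PHP 8.1) leaves the single quote alone,
// so the value still breaks out of <input value='...'>:
$compat = htmlspecialchars($input, ENT_COMPAT, 'UTF-8');   // ' onmouseover='alert(1)

// ENT_QUOTES encodes it (as &#039; for the default HTML 4.01 document type):
$quotes = yiiEncode($input);                               // &#039; onmouseover=&#039;alert(1)

// With ENT_HTML5 the single quote becomes &apos; instead:
$html5  = htmlspecialchars($input, ENT_QUOTES | ENT_HTML5, 'UTF-8');

// Invalid UTF-8 without ENT_SUBSTITUTE (or ENT_IGNORE): htmlspecialchars returns "",
// silently dropping the whole value.
$dropped = htmlspecialchars($broken, ENT_QUOTES, 'UTF-8'); // ""
// With ENT_SUBSTITUTE the bad byte becomes U+FFFD and the rest of the value survives:
$kept    = yiiEncode($broken);                             // "caf\u{FFFD}"

// $doubleEncode = false leaves existing entities as they are; true re-encodes their '&'.
$once  = yiiEncode('&amp; &lt;b&gt;', false);  // &amp; &lt;b&gt;
$twice = yiiEncode('&amp; &lt;b&gt;');         // &amp;amp; &amp;lt;b&amp;gt;

printf("ENT_COMPAT   : %s\nENT_QUOTES   : %s\nENT_HTML5    : %s\n", $compat, $quotes, $html5);
printf("no SUBSTITUTE: %s\nSUBSTITUTE   : %s\n", var_export($dropped, true), $kept);
printf("double=false : %s\ndouble=true  : %s\n", $once, $twice);
```

Two of these cases matter for security: ENT_COMPAT is only safe if every attribute in your templates is double-quoted, and the empty-string result on invalid UTF-8 means a value can vanish from the page without any error, which is why ENT_SUBSTITUTE is the right default for output encoding.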
htmlspecialchars
Convert special characters to HTML entities
    string htmlspecialchars ( string $string [, int $flags = ENT_COMPAT | ENT_HTML401 [, string $encoding = ini_get("default_charset") [, bool $double_encode = true ]]] )
(Since PHP 8.1 the default $flags is ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401; on older versions single quotes are not encoded unless ENT_QUOTES is passed, which is why Yii passes it explicitly.)
The translations performed are:
& (ampersand) becomes &amp;
" (double quote) becomes &quot; when ENT_NOQUOTES is not set
' (single quote) becomes &#039; (or &apos; with ENT_XML1, ENT_XHTML or ENT_HTML5) only when ENT_QUOTES is set
< (less than) becomes &lt;
> (greater than) becomes &gt;
    <?php
    $new = htmlspecialchars("<a href='test'>Test</a>", ENT_QUOTES);
    echo $new; // &lt;a href=&#039;test&#039;&gt;Test&lt;/a&gt;
    ?>
htmlentities
Convert all applicable characters to HTML entities
    string htmlentities ( string $string [, int $flags = ENT_COMPAT | ENT_HTML401 [, string $encoding = ini_get("default_charset") [, bool $double_encode = true ]]] )
    <?php
    $str = "A 'quote' is <b>bold</b>";
    // Outputs: A 'quote' is &lt;b&gt;bold&lt;/b&gt;
    echo htmlentities($str);
    // Outputs: A &#039;quote&#039; is &lt;b&gt;bold&lt;/b&gt;
    echo htmlentities($str, ENT_QUOTES);
    ?>
htmlentities additionally converts every character that has a named entity (for example é becomes &eacute;). For XSS prevention htmlspecialchars is sufficient, since only &, <, >, " and ' are significant to the HTML parser, and it avoids mangling non-ASCII text.
urlencode
URL encoding exists to conform to the URL specification: Chinese characters and many other characters are not allowed to appear in a URL as-is.
For example, searching Baidu for "test Chinese characters" (four Chinese characters) produces the URL
http://www.baidu.com/s?wd=%B2%E2%CA%D4%BA%BA%D7%D6&rsv_bp=0&rsv_spt=3&inputT=7477
where wd= carries the search term as eight percent-encoded bytes (two bytes per character in GBK).
urlencode returns a string in which all non-alphanumeric characters except -_. have been replaced with a percent sign (%) followed by two hex digits, and spaces are encoded as plus (+) signs. This is the same encoding as posted WWW form data, i.e. the application/x-www-form-urlencoded media type. For historical reasons it differs from the RFC 1738 encoding (see rawurlencode()) in encoding spaces as plus signs.
    <?php
    echo '<a href="mycgi?foo=', urlencode($userinput), '">';
    ?>
    <?php
    $query_string = 'foo=' . urlencode($foo) . '&bar=' . urlencode($bar);
    echo '<a href="mycgi?' . htmlentities($query_string) . '">';
    ?>
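URL encoding and HTML encoding are two separate layers, and a link built from user input needs both in the right order. The following added example (not code from the original article) shows the difference between urlencode and rawurlencode and then builds a link safely; the inputs are constructed and buildLink() is an illustrative helper, not a Yii or PHP API:

```php
<?php
// Added example (not from the original article): URL-encode each parameter value,
// then HTML-encode the finished URL for the attribute it is placed in.
declare(strict_types=1);

// Constructed attacker inputs.
$name = "a b&c=d";                    // tries to smuggle an extra query parameter
$back = "\" onmouseover=\"alert(1)";  // tries to break out of the href attribute

// urlencode vs rawurlencode: space becomes '+' or '%20'; -_. are left alone by both,
// ~ is encoded only by urlencode.
var_dump(urlencode("a b-_.~"));     // "a+b-_.%7E"
var_dump(rawurlencode("a b-_.~"));  // "a%20b-_.~"

function buildLink(string $base, array $params, string $text): string
{
    // Layer 1: every value is URL-encoded (RFC 3986 style), so '&', '=', '"' and
    // spaces inside a value cannot change the structure of the query string.
    $query = http_build_query($params, '', '&', PHP_QUERY_RFC3986);
    $url   = $base . '?' . $query;

    // Layer 2: the whole URL goes into an attribute and the text into the body,
    // so both are HTML-encoded. This is what the htmlentities() call above does.
    $e = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<a href="' . $e($url) . '">' . $e($text) . '</a>';
}

// Naive concatenation: the '"' in $back ends the attribute and adds an event handler,
// and "&c=d" inside $name becomes a new parameter.
$unsafe = '<a href="mycgi?name=' . $name . '&back=' . $back . '">link</a>';
echo $unsafe, "\n";
// <a href="mycgi?name=a b&c=d&back=" onmouseover="alert(1)">link</a>

echo buildLink('mycgi', ['name' => $name, 'back' => $back], 'link'), "\n";
// <a href="mycgi?name=a%20b%26c%3Dd&amp;back=%22%20onmouseover%3D%22alert%281%29">link</a>
```

The order matters: encoding the URL for HTML first and then URL-encoding it would turn the `&amp;` separators into `%26amp%3B` and break the query string, while doing it the other way round, as buildLink() does, keeps each layer's characters out of the other layer's parser.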
Hopefully this article is helpful to those developing PHP applications with the Yii framework.