Yii2 XSS attack prevention strategy analysis (PHP example)

Source: Internet
Author: User
Tags: form post, html encode, html tags, urlencode, alphanumeric characters, smarty template, yii

This article describes the XSS prevention strategy used by Yii2. It is shared for reference; the details follow.

XSS vulnerability fixes

Principle: never trust data supplied by the client.
Note: the attack code is not necessarily inside <script></script>; an <img> tag with an onerror handler, or a javascript: URL in an href, runs script just as well.

① Mark important cookies as HttpOnly, so that document.cookie in JavaScript cannot read them. This limits what a successful XSS can steal (typically the session cookie); it does not stop the injection itself.
② Only accept the data we expect. For example, in an age text box only allow the user to enter digits, and strip any non-digit characters.
③ HTML-encode data before writing it into a page.
④ Filter or remove dangerous HTML tags such as script and iframe, and turn < into &lt; and > into &gt;.
⑤ Filter the attributes that carry JavaScript event handlers, such as onclick= and onfocus=.

Of these, ② (whitelist validation on input) and ③ (encoding on output) are the controls to rely on; the blacklists of ④ and ⑤ are easy to bypass and should only ever supplement them.
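The following is an added example, not code from the original article or from Yii. It puts points ②, ③, ④ and ⑤ side by side: a whitelist check for the age field, a naive tag/event-handler blacklist of the kind points ④ and ⑤ describe, and the htmlspecialchars() call that Yii's Html::encode() performs. The three payloads are constructed for illustration; none of them needs a plain <script> tag to survive, which is the point of the note above.

```php
<?php
// Added example (not from the original article or the Yii code base): why the
// blacklists of points 4 and 5 are fragile and why output encoding (point 3)
// is the defence to rely on. All payloads below are constructed.
declare(strict_types=1);

// A naive blacklist in the spirit of points 4 and 5: strip <script>/<iframe>
// tags and "on...=" event handlers. Shown only to demonstrate what it misses.
function blacklistFilter(string $input): string
{
    $out = preg_replace('#</?(script|iframe)[^>]*>#i', '', $input);
    return preg_replace('#\bon\w+=#i', '', $out);
}

// Whitelist validation for an "age" field (point 2): accept 1-3 digits only.
// \z rather than $ so that a trailing newline cannot slip past the check.
function validateAge(string $input): ?int
{
    return preg_match('/^\d{1,3}\z/', $input) === 1 ? (int) $input : null;
}

// Output encoding for HTML text and attribute values (point 3). This is the
// same htmlspecialchars() call that Yii2's Html::encode() makes.
function encodeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed payloads.
const PAYLOADS = [
    // The filter strips the inner <script> and </script>; the outer fragments
    // then reassemble into a complete <script>alert(1)</script>.
    '<scr<script>ipt>alert(1)</scr</script>ipt>',
    // HTML allows whitespace around "=", so the "on\w+=" pattern never matches.
    '<img src=x onerror = alert(1)>',
    // Nothing on the blacklist at all: a javascript: URL in an href.
    '<a href="javascript:alert(1)">click</a>',
];

function compareDefences(array $payloads): array
{
    $rows = [];
    foreach ($payloads as $p) {
        $rows[] = [
            'input'       => $p,
            'blacklisted' => blacklistFilter($p), // still live markup
            'encoded'     => encodeForHtml($p),   // inert text
        ];
    }
    return $rows;
}

foreach (compareDefences(PAYLOADS) as $row) {
    printf("input:       %s\nblacklisted: %s\nencoded:     %s\n\n",
        $row['input'], $row['blacklisted'], $row['encoded']);
}

var_dump(validateAge('42'));
var_dump(validateAge("42\n"));
var_dump(validateAge('4<b>2'));
```

Run it with `php` on the command line and compare the "blacklisted" and "encoded" lines for each payload: the blacklist leaves every one of the three executable, while the encoded form contains no character that can open a tag or attribute. Note that the regexes in blacklistFilter() are deliberately typical of ad-hoc filters; tightening them only invites the next bypass, which is why encoding on output is the primary control.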

XSS Prevention in Yii

<?php echo Html::encode($user->name) ?>

(Html is yii\helpers\Html in Yii 2; the Yii 1.x equivalent is CHtml::encode().)

The source of this method (yii\helpers\BaseHtml::encode()):

/**
 * Encodes special characters into HTML entities.
 * The [[\yii\base\Application::charset|application charset]] is used for encoding.
 * @param string $content the content to be encoded
 * @param boolean $doubleEncode whether to encode HTML entities in `$content`. If false,
 * HTML entities in `$content` will not be further encoded.
 * @return string the encoded content
 * @see decode()
 * @see http://www.php.net/manual/en/function.htmlspecialchars.php
 */
public static function encode($content, $doubleEncode = true)
{
    return htmlspecialchars($content, ENT_QUOTES | ENT_SUBSTITUTE, Yii::$app->charset, $doubleEncode);
}
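Why Yii passes ENT_QUOTES and ENT_SUBSTITUTE explicitly rather than relying on PHP's defaults is easier to see with the flags side by side. The block below is an added example, not code from the article or from Yii: yiiEncode() is a standalone copy of the htmlspecialchars() call above with the application charset fixed to UTF-8, legacyDefaultEncode() uses the flags that were PHP's default before 8.1, and the input strings are constructed.

```php
<?php
// Added example, not from the original article or the Yii code base.
// yiiEncode() reproduces the htmlspecialchars() call in Html::encode() with the
// application charset assumed to be UTF-8. All input strings are constructed.
declare(strict_types=1);

// Same call Yii2's Html::encode() makes, charset fixed to UTF-8 for this demo.
function yiiEncode(string $content, bool $doubleEncode = true): string
{
    return htmlspecialchars($content, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8', $doubleEncode);
}

// PHP's own default flags before 8.1: ENT_COMPAT | ENT_HTML401, no ENT_SUBSTITUTE.
function legacyDefaultEncode(string $content): string
{
    return htmlspecialchars($content, ENT_COMPAT | ENT_HTML401, 'UTF-8');
}

// Renders a single-quoted attribute, the context in which ENT_COMPAT fails.
function renderInput(string $value, callable $encoder): string
{
    return "<input name='q' value='" . $encoder($value) . "'>";
}

// 1. Attribute breakout. The constructed value closes the single-quoted
//    attribute and adds an event handler. ENT_COMPAT leaves the ' untouched,
//    so the first line is a working injection; ENT_QUOTES turns ' into &#039;.
$breakout = "' onfocus='alert(1)' autofocus='";
echo renderInput($breakout, 'legacyDefaultEncode'), "\n";
echo renderInput($breakout, 'yiiEncode'), "\n";

// 2. Invalid UTF-8. Without ENT_SUBSTITUTE (or ENT_IGNORE) htmlspecialchars()
//    returns "" for the whole string, so one stray byte silently blanks the
//    output. With ENT_SUBSTITUTE the bad byte becomes U+FFFD and the rest of
//    the content, still encoded, survives.
$invalid = "caf\xC3\x28 <b>"; // 0xC3 followed by 0x28 is not a valid UTF-8 sequence
var_dump(legacyDefaultEncode($invalid));
var_dump(yiiEncode($invalid));

// 3. $doubleEncode. With false, an existing valid entity such as &lt; is kept
//    rather than becoming &amp;lt;, which is what you want when re-rendering
//    stored, already-encoded text. A bare & is encoded either way, and in
//    neither case can a tag form.
$stored = '&lt;b&gt;already encoded&lt;/b&gt; & more';
echo yiiEncode($stored), "\n";
echo yiiEncode($stored, false), "\n";
```

The first case is the one that matters most in practice: any template that writes a value into a single-quoted attribute is exploitable under ENT_COMPAT, and ENT_QUOTES is what closes it. Since PHP 8.1 the default flags are ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, but passing them explicitly, as Yii does, keeps the behaviour the same on every PHP version.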


The differences between htmlspecialchars, htmlentities and urlencode:

http://php.net/manual/zh/function.htmlspecialchars.php
http://php.net/manual/zh/function.htmlentities.php
http://cn2.php.net/manual/zh/function.urlencode.php

Available flags constants

Constant name   Description
ENT_COMPAT      Will convert double quotes and leave single quotes alone.
ENT_QUOTES      Will convert both double and single quotes.
ENT_NOQUOTES    Will leave both double and single quotes unconverted.
ENT_IGNORE      Silently discard invalid code unit sequences instead of returning an empty string. Using this flag is discouraged as it may have security implications.
ENT_SUBSTITUTE  Replace invalid code unit sequences with a Unicode Replacement Character U+FFFD (UTF-8) or &#FFFD; (otherwise) instead of returning an empty string.
ENT_DISALLOWED  Replace invalid code points for the given document type with a Unicode Replacement Character U+FFFD (UTF-8) or &#FFFD; (otherwise) instead of leaving them as is. This may be useful, for instance, to ensure the well-formedness of XML documents with embedded external content.
ENT_HTML401     Handle code as HTML 4.01.
ENT_XML1        Handle code as XML 1.
ENT_XHTML       Handle code as XHTML.
ENT_HTML5       Handle code as HTML 5.

The defaults shown in the signatures below (ENT_COMPAT | ENT_HTML401) apply up to PHP 8.0; from PHP 8.1 the default is ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401. Yii avoids the difference by passing its flags explicitly.

htmlspecialchars

Convert special characters to HTML entities

string htmlspecialchars(
    string $string
    [, int $flags = ENT_COMPAT | ENT_HTML401
    [, string $encoding = ini_get("default_charset")
    [, bool $double_encode = true ]]]
)


The translations performed are:

& (ampersand) becomes &amp;
" (double quote) becomes &quot; when ENT_NOQUOTES is not set.
' (single quote) becomes &#039; (for ENT_HTML401) or &apos; (for ENT_XML1, ENT_XHTML or ENT_HTML5), but only when ENT_QUOTES is set.
< (less than) becomes &lt;
> (greater than) becomes &gt;

<?php
$new = htmlspecialchars("<a href='test'>Test</a>", ENT_QUOTES);
echo $new; // &lt;a href=&#039;test&#039;&gt;Test&lt;/a&gt;
?>

htmlentities

Convert all applicable characters to HTML entities

string htmlentities(
    string $string
    [, int $flags = ENT_COMPAT | ENT_HTML401
    [, string $encoding = ini_get("default_charset")
    [, bool $double_encode = true ]]]
)

<?php
$str = "A 'quote' is <b>bold</b>";

// Outputs: A 'quote' is &lt;b&gt;bold&lt;/b&gt;
echo htmlentities($str);

// Outputs: A &#039;quote&#039; is &lt;b&gt;bold&lt;/b&gt;
echo htmlentities($str, ENT_QUOTES);
?>

urlencode

URL encoding exists so that a URL conforms to the URL specification: the standard does not allow Chinese characters, and many other characters, to appear literally in a URL.

For example, searching Baidu for "测试汉字" ("test Chinese characters") produces the URL below; the wd parameter is the percent-encoded GBK bytes of those four characters:
http://www.baidu.com/s?wd=%B2%E2%CA%D4%BA%BA%D7%D6&rsv_bp=0&rsv_spt=3&inputT=7477

urlencode() returns a string in which all non-alphanumeric characters except -_. are replaced with a percent sign (%) followed by two hex digits, and spaces are encoded as plus signs (+). This is the same encoding that WWW form POST data uses, i.e. the application/x-www-form-urlencoded media type. For historical reasons it differs from the RFC 1738 encoding (see rawurlencode()) in encoding spaces as plus signs rather than %20.

<?php
echo '<a href="mycgi?foo=', urlencode($userinput), '">';
?>

<?php
$query_string = 'foo=' . urlencode($foo) . '&bar=' . urlencode($bar);
echo '<a href="mycgi?' . htmlentities($query_string) . '">';
?>
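The two snippets above encode a query string correctly, but they leave two gaps a practitioner runs into straight away. The block below is an added example, not code from the original article: buildLocalLink() shows where rawurlencode() (path segments, spaces as %20) and urlencode()/http_build_query() (query values, spaces as +) each belong and that the finished URL still needs HTML encoding because it lands in an attribute; safeExternalHref() shows that no encoding removes a javascript: scheme from a user-supplied URL, so the scheme has to be whitelisted. Both function names and all inputs are constructed for illustration.

```php
<?php
// Added example, not from the original article. Function names and inputs are
// constructed for illustration.
declare(strict_types=1);

// Build a link to our own CGI. Path segments use rawurlencode() (RFC 3986,
// spaces as %20); query values go through http_build_query(), which applies the
// same form encoding as urlencode() (spaces as "+"). The whole URL is then
// HTML-encoded because it is written into an attribute value.
function buildLocalLink(string $segment, array $query): string
{
    $url = 'mycgi/' . rawurlencode($segment) . '?' . http_build_query($query);
    return '<a href="' . htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '">link</a>';
}

// A URL supplied by the user cannot be made safe by encoding alone:
// htmlspecialchars() (the right encoder for an attribute) leaves
// "javascript:alert(1)" exactly as it is, and urlencode() of the whole string
// would break every legitimate link. Whitelist the scheme instead.
function safeExternalHref(string $userUrl): ?string
{
    $userUrl = trim($userUrl);
    $parts = parse_url($userUrl);
    if ($parts === false || !isset($parts['scheme'])) {
        return null; // malformed, or relative; reject conservatively
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null; // javascript:, data:, vbscript: and anything else
    }
    return htmlspecialchars($userUrl, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

echo buildLocalLink('my file', ['foo' => 'a b&c', 'bar' => '<x>']), "\n";

$candidates = [
    'https://example.com/?q=a&b=<c>', // accepted, & and < encoded for the attribute
    'javascript:alert(1)',            // rejected by the scheme whitelist
    'JaVaScRiPt:alert(1)',            // rejected: the check lower-cases the scheme
    '/relative',                      // rejected: no scheme
];
foreach ($candidates as $u) {
    var_dump(safeExternalHref($u));
}
```

The order of operations in buildLocalLink() is the part worth remembering: URL-encode the components first, assemble the URL, and HTML-encode last, never the other way round. Reversing it either double-encodes the & separators or leaves a raw " inside the attribute.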

For more on Yii, readers may consult this site's topics: "Introduction to the Yii framework and summary of common techniques", "Summary of excellent PHP development frameworks", "Smarty template introductory tutorial", "Introduction to PHP object-oriented programming", "Summary of PHP string usage", "Introductory tutorial on PHP+MySQL database operations" and "Summary of common PHP database operation techniques".

I hope this article helps with PHP program design based on the Yii framework.
