Yii2 XSS attack prevention policy analysis (PHP example)

Source: Internet
Author: User
Tags: form, post, html, encode, alphanumeric characters
This article introduces the XSS prevention measures available in Yii2. It explains how XSS attacks work and the corresponding defenses Yii2 provides, with examples for reference. The details are as follows:

XSS vulnerability repair

Principle: never trust data supplied by the client.
Note: the attack code is not necessarily inside a <script> tag; event-handler attributes, javascript: URLs and a value that breaks out of its attribute work just as well.

① Mark important cookies (the session cookie above all) as HttpOnly. JavaScript's document.cookie then cannot read them, so a successful injection cannot simply steal the session.
② Accept only the input you expect. In an age textbox, for example, allow digits only and reject everything else (an allowlist, not a blacklist).
③ HTML-encode data when it is written into the page.
④ Filter or remove dangerous HTML tags such as script and iframe, and encode < as &lt;, > as &gt; and " as &quot;.
⑤ Filter JavaScript event-handler attributes such as onclick=, onfocus= and so on.

Points ④ and ⑤ are blacklist filters and are easy to bypass (changed case, whitespace around the =, handlers the list does not know about). Encoding on output (③) is the reliable defense; where users must be allowed some HTML, use an allowlist-based sanitizer such as the HTMLPurifier library (wrapped in Yii2 as yii\helpers\HtmlPurifier) rather than a tag blacklist.
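The five mitigations above applied together in plain PHP, as an added example that is not part of the original article. The attack payloads, the age values and the cookie name are constructed for the demonstration; setSessionCookie() is only defined here and would be called from a request handler before any output is sent.

```php
<?php
// Added example (not from the original article): the five mitigations above
// in plain PHP. All inputs below are constructed attack payloads.
declare(strict_types=1);

// (1) Flag the session cookie HttpOnly (and Secure): document.cookie cannot
//     read it, so a successful injection cannot simply exfiltrate the session.
//     Must be called before any output; the array form needs PHP >= 7.3.
function setSessionCookie(string $sessionId): void
{
    setcookie('PHPSESSID', $sessionId, [
        'expires'  => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// (2) Allowlist validation: an age is digits only and within a plausible range.
//     Anything else is rejected rather than "cleaned up".
function validateAge(string $raw): ?int
{
    return (ctype_digit($raw) && (int) $raw <= 150) ? (int) $raw : null;
}

// (3) Encode on output: ENT_QUOTES covers attribute values delimited by either
//     quote, ENT_SUBSTITUTE keeps invalid UTF-8 from producing an empty string
//     (which would silently drop the content instead of showing it).
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// (4)/(5) None of these payloads contains <script>, and a blacklist of
//     "onclick=" misses the spaced and differently-cased handler; encoding
//     neutralizes all of them because < > " ' & become entities.
$payloads = [
    'image handler'       => '<img src=x onerror=alert(1)>',
    'attribute break-out' => '" autofocus onfocus="alert(1)',
    'spaced handler'      => '<svg OnLoad = alert(1)>',
];

foreach ($payloads as $name => $p) {
    $unsafe = '<input value="' . $p . '">';    // what a vulnerable page emits
    $safe   = '<input value="' . e($p) . '">'; // what the fixed page emits
    printf("%s\n  unsafe: %s\n  safe:   %s\n", $name, $unsafe, $safe);
}

foreach (['42', '42; alert(1)', '<b>3</b>', '999'] as $age) {
    printf("age %-14s -> %s\n", var_export($age, true),
        validateAge($age) === null ? 'rejected' : 'accepted');
}
```

Run it from the command line and compare the unsafe and safe lines: in the safe output the payload can no longer close the value attribute or introduce a tag, and only the plain digit string passes the age check.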

XSS prevention in Yii

<?= Html::encode($user->name) ?>

(The Yii 1.x equivalent is CHtml::encode(); in Yii2 the helper is yii\helpers\Html, imported with use yii\helpers\Html;.)

Source of this method (yii\helpers\Html::encode(), defined in BaseHtml):

/**
 * Encodes special characters into HTML entities.
 * The [[\yii\base\Application::charset|application charset]] will be used for encoding.
 * @param string $content the content to be encoded
 * @param boolean $doubleEncode whether to encode HTML entities in `$content`. If false,
 * HTML entities in `$content` will not be further encoded.
 * @return string the encoded content
 * @see decode()
 * @see http://www.php.net/manual/en/function.htmlspecialchars.php
 */
public static function encode($content, $doubleEncode = true)
{
    return htmlspecialchars($content, ENT_QUOTES | ENT_SUBSTITUTE, Yii::$app->charset, $doubleEncode);
}
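How the helper is used in a Yii2 view, as an added example (not the article's and not the Yii project's own code). It assumes a Yii2 application; $user (with name, homepage and bio properties) and $storedEncodedSnippet are hypothetical variables passed to the view.

```php
<?php
// Added example (not from the original article or the Yii project): output
// encoding in a Yii2 view, context by context. $user and $storedEncodedSnippet
// are hypothetical view parameters.
use yii\helpers\Html;
use yii\helpers\HtmlPurifier;
use yii\helpers\Json;
use yii\web\View;

/** @var View $this */
?>

<!-- Text content: encode it yourself. -->
<p>Welcome, <?= Html::encode($user->name) ?></p>

<!-- Attribute values: Html::tag()/Html::a() encode attribute values for you
     (renderTagAttributes calls encode), but NOT the tag content passed as
     $text, so that is encoded explicitly. Encoding does not stop a
     javascript: URL; if the href is user data, check its scheme separately. -->
<?= Html::a(Html::encode($user->name), $user->homepage, ['title' => $user->name]) ?>

<!-- Text that was already encoded when stored: doubleEncode=false keeps an
     existing &amp; from becoming &amp;amp;. Only do this for data you know
     was encoded on the way in. -->
<p><?= Html::encode($storedEncodedSnippet, false) ?></p>

<!-- User-supplied HTML that must keep some markup: sanitize with an allowlist
     (HTMLPurifier) instead of blacklisting script/iframe. -->
<div class="bio">
    <?= HtmlPurifier::process($user->bio, ['HTML.Allowed' => 'p,b,i,a[href]']) ?>
</div>

<!-- Values embedded in inline JavaScript: HTML encoding is the wrong context.
     Json::htmlEncode() emits a JS literal that is safe inside <script>. -->
<?php $this->registerJs(
    'var userName = ' . Json::htmlEncode($user->name) . ';',
    View::POS_HEAD
); ?>
```

The point of the block is that Html::encode() is right for HTML text and attribute contexts only; a value dropped into a script block or a URL needs the encoder for that context, and HTML that must stay HTML needs a sanitizer rather than an encoder.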

htmlspecialchars vs. htmlentities vs. urlencode:

http://php.net/manual/zh/function.htmlspecialchars.php
http://php.net/manual/zh/function.htmlentities.php
http://cn2.php.net/manual/zh/function.urlencode.php

Available flags constants

ENT_COMPAT: Will convert double-quotes and leave single-quotes alone.
ENT_QUOTES: Will convert both double and single quotes.
ENT_NOQUOTES: Will leave both double and single quotes unconverted.
ENT_IGNORE: Silently discard invalid code unit sequences instead of returning an empty string. Using this flag is discouraged as it may have security implications.
ENT_SUBSTITUTE: Replace invalid code unit sequences with a Unicode Replacement Character U+FFFD (UTF-8) or &#FFFD; (otherwise) instead of returning an empty string.
ENT_DISALLOWED: Replace invalid code points for the given document type with a Unicode Replacement Character U+FFFD (UTF-8) or &#FFFD; (otherwise) instead of leaving them as is. This may be useful, for instance, to ensure the well-formedness of XML documents with embedded external content.
ENT_HTML401: Handle code as HTML 4.01.
ENT_XML1: Handle code as XML 1.
ENT_XHTML: Handle code as XHTML.
ENT_HTML5: Handle code as HTML 5.

htmlspecialchars

Convert special characters to HTML entities

string htmlspecialchars (
    string $string
    [, int $flags = ENT_COMPAT | ENT_HTML401
    [, string $encoding = ini_get("default_charset")
    [, bool $double_encode = true ]
    ] ]
)

The translations performed are:

& (ampersand) becomes &amp;
" (double quote) becomes &quot; when ENT_NOQUOTES is not set.
' (single quote) becomes &#039; (for ENT_HTML401) or &apos; (for ENT_XML1, ENT_XHTML or ENT_HTML5), but only when ENT_QUOTES is set.
< (less than) becomes &lt;
> (greater than) becomes &gt;

<?php
// Example from the PHP manual: with ENT_QUOTES the single quotes around the
// href value are converted as well as the angle brackets.
$new = htmlspecialchars("<a href='test'>Test</a>", ENT_QUOTES);
echo $new; // &lt;a href=&#039;test&#039;&gt;Test&lt;/a&gt;
?>

htmlentities

Convert all applicable characters to HTML entities

string htmlentities (
    string $string
    [, int $flags = ENT_COMPAT | ENT_HTML401
    [, string $encoding = ini_get("default_charset")
    [, bool $double_encode = true ]
    ] ]
)

<?php
// Example from the PHP manual: without ENT_QUOTES the single quotes are left alone.
$str = "A 'quote' is <b>bold</b>";

// Outputs: A 'quote' is &lt;b&gt;bold&lt;/b&gt;
echo htmlentities($str);

// Outputs: A &#039;quote&#039; is &lt;b&gt;bold&lt;/b&gt;
echo htmlentities($str, ENT_QUOTES);
?>

urlencode

URL encoding exists because the URL specification does not allow many characters to appear literally in a URL, so they must be escaped to conform to it.

For example, searching Baidu for "test Chinese characters" (the article's sample query) produces a URL like the following, in which the bytes of the query are percent-encoded:
http://www.baidu.com?wd=%B2%E2%CA%D4%BA%D7%D6&rsv_bp=0&rsv_spt=3&inputT=7477

URL encoding replaces every non-alphanumeric character except -_. with a percent sign (%) followed by two hexadecimal digits, and encodes spaces as a plus sign (+). This is the same encoding used for WWW form POST data, i.e. the application/x-www-form-urlencoded media type. For historical reasons it differs from RFC 1738 encoding (see rawurlencode()) in that spaces are encoded as a plus sign (+) rather than %20.

<?php
// Example from the PHP manual: a user-supplied value placed in a query string.
$userinput = $_POST['userinput'] ?? '';
echo '<a href="mycgi?foo=', urlencode($userinput), '">';
?>

<?php
// Example from the PHP manual: each parameter value is URL-encoded, then the
// whole attribute value is HTML-encoded so that the & between parameters
// reaches the page source as &amp;.
$foo = $_POST['foo'] ?? '';
$bar = $_POST['bar'] ?? '';
$query_string = 'foo=' . urlencode($foo) . '&bar=' . urlencode($bar);
echo '<a href="mycgi?' . htmlentities($query_string) . '">';
?>
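The three functions side by side, as an added example that is not from the article: one constructed untrusted string run through htmlspecialchars(), htmlentities(), urlencode() and rawurlencode(), and then the two encoding layers combined to build a link. searchLink() is a hypothetical helper written for this demonstration.

```php
<?php
// Added example (not from the original article): the same untrusted string
// through each encoder, then the URL and HTML layers composed correctly.
// The input string is constructed for the demonstration.
declare(strict_types=1);

$input = "Tom & Jerry's <b>café</b> ?q=1";

$rows = [
    'htmlspecialchars' => htmlspecialchars($input, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'),
    'htmlentities'     => htmlentities($input, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'),
    'urlencode'        => urlencode($input),
    'rawurlencode'     => rawurlencode($input),
];
foreach ($rows as $fn => $out) {
    printf("%-17s %s\n", $fn, $out);
}

// Encoders are per-context and compose from the inside out: the value is
// URL-encoded first because it is a query parameter, then the assembled
// attribute value is HTML-encoded because it sits inside href="...".
// searchLink() is a hypothetical helper, not part of any library.
function searchLink(string $term, string $lang): string
{
    $query = 'q=' . urlencode($term) . '&lang=' . urlencode($lang);
    return '<a href="/search?' . htmlspecialchars($query, ENT_QUOTES, 'UTF-8') . '">search</a>';
}

// Wrong order for comparison: HTML-encoding first puts literal &amp; and
// &lt; into the query string, so the server receives a different search term.
function searchLinkWrongOrder(string $term, string $lang): string
{
    $query = 'q=' . urlencode(htmlspecialchars($term, ENT_QUOTES, 'UTF-8')) . '&lang=' . urlencode($lang);
    return '<a href="/search?' . $query . '">search</a>';
}

echo "correct: ", searchLink($input, 'en'), "\n";
echo "wrong:   ", searchLinkWrongOrder($input, 'en'), "\n";
```

Running it shows the differences the manual pages describe: htmlentities() additionally turns é into the named entity &eacute; while htmlspecialchars() leaves it alone; urlencode() encodes the space as + and rawurlencode() as %20; and in the correctly ordered link the & separating the parameters appears as &amp; in the page source, which the browser decodes back to & before making the request.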
